Tom Hickman: Data Over-Protection

When my central heating boiler stopped working the other day I was expecting exorbitant costs, cold nights huddled around a hot water bottle and possibly a few hours holding on the phone to British Gas. I was not expecting an encounter with the Data Protection Act.

It happened when I was arranging an appointment with a gas boiler ‘engineer’. I was asked for my mobile telephone number so that the engineer could call me if he couldn’t find the house. I duly supplied it. At the conclusion of the call I asked the woman from British Gas if she could read my mobile telephone number back to me to check she had written it down right. “I am sorry” she replied “we can’t give out mobile telephone numbers because of data protection”. I pointed out that I had just given the number to her, but no amount of reason would prevail. The most she would do was read back the last three numbers.

This is by no means my only experience of the irrational effects of data protection laws. Many readers of this blog will have similar tales. But such experiences must not be dismissed as lighthearted examples of corporate idiocy. They are symptoms of a genuine underlying problem that can have consequences far more serious than a boiler engineer failing to turn up for an appointment.

The British Government no less than British Gas is apt to invoke data protection as a reason for not supplying information in obviously sensible circumstances. When the All Party Parliamentary Group on Extraordinary Rendition requested data about the transfer of British-captured insurgents from British forces to Afghan authorities and third nations (but not the names of the individuals concerned), as part of a project to review compliance with diplomatic assurances, the Group was met with a refusal based on the Data Protection Act. The refusal was particularly unfortunate given that the request was made to further the interests of the individuals on whose behalf the British government was invoking data protection concerns.

Yet more extraordinary was that until the morning of a hearing before the Upper Tribunal the Ministry of Defence was asserting that disclosure could not be made without the ‘explicit consent’ of each individual detainee or former detainee because the information sought was ‘sensitive personal data’ on the ground that it would be possible to infer the religious beliefs of those captured from the information: they would almost certainly be Muslim.

Then there is the case of Mr Rahmatullah. Mr Rahmatullah was captured by British forces in Iraq and handed-over to the Americans before being unlawfully rendered to Bagram airbase detention facility, where he remains. The legal charity Reprieve sought to identify him after it was discovered a British captured detainee was held at Bagram, in order to commence habeas corpus proceedings in the US. But the UK Government refused to provide his name or details because, in the absence of him having given his consent, it would breach his rights under the Data Protection Act. And so he languished in incommunicado detention. Fortunately his identity was eventually worked-out by a combination of luck and good detective work by Reprieve. [1]

Even when cases do get on foot, data protection can rear its head to make rights enforcement more difficult. It is recurring problem in litigation against both public authorities and companies that disclosable material will be redacted on ‘data protection grounds’. Moreover, in Smith [2008] EWHC 694 (Admin), Collins J depreciated the practice of public authorities in inquest proceedings to “routinely redact” the names of “any person” shown in documents which “makes it very difficult and sometimes impossible for interested parties to make preparations to deal with the evidence of a particular witness or to understand how that witness fits in to the whole picture.” He went on to note that such redaction is “taken to absurd lengths” such as by the redaction of correspondence with the family or their representatives.

The reasons for this state of affairs are more complicated than that the data protection laws are too tightly drawn. The problems also stem from the fact that the law itself is Byzantine.

Lawyers are accustomed to experiencing a sinking feeling when data protection rears its head in a case; and the first strategy is usually to try and find a way of not having to address it. The Data Protection Act is one of the most poorly drafted pieces of legislation on the statute book. It has tied the UK Courts up in knots. The consequence of the House of Lords’ judgment in Common Services Agency v IC [2008] UKHL 47, for example, is that the disclosure of information about individuals under the Freedom of Information Act constitutes processing personal data and is prima facie unlawful even if the documents are redacted so that no individual is identifiable from the information disclosed (the reason for this being that the disclosing public authority could—obviously—identify the persons from the disclosed redacted material by matching it up with the original material, which in fairness to the House of Lord is, literally, what the legislation says).

In the All Party Parliamentary Group on Extraordinary Rendition case ([2011] UKUT 153) the Upper Tribunal simply refused to follow the majority of the House of Lords in Common Services Agency on the basis that it just couldn’t possibly be right and it wasn’t absolutely on point. In a subsequent case, the High Court preferred to give such close scrutiny to the leading speech in the House of Lords that it was found to mean precisely the opposite of what it actually says: R (Dept of Health) v IC [2011] EWHC 1430 (Admin). These cases prompt one to reflect that if our highest Courts cannot make head or tail of the data protection laws then the British Government and British Gas ought perhaps to be more lightly censured.

Another problem is that the exceptions permitting processing of personal data are open-textured so that organizations cannot be sure when they are on the right side of the line. Taken together with the risk of criminal sanctions (which always leads to robust corporate compliance) and one has a recipe for irrationality and over-protection.

Let us not forget that data protection laws are supposed to enhance our human rights. They are presented as bulwarks against the surveillance society, by which I mean the ever-greater ability of companies and governments to monitor and analyse information about us.

Such is the status of data protection that the Lisbon Treaty elevated the right of data protection in the EU to the status of treaty right embedded in the EU Charter of Fundamental Rights and Freedoms.

It is thus a perverse effect of data protection laws that they often have opposite effects: negating freedom of information and reducing accountable government.

The EU Commission is currently re-drafting EU data protection laws with the aim of increasing the protection currently afforded to personal data. The restrictions on lawful processing (including disclosure) will become even more tightly framed.

It is proposed to narrow further Article 7(f) of the Data Protection Directive allowing disclosure where “necessary” for the “legitimate the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed” by removing reference to third parties (such as the All Party Parliamentary Group on Extraordinary Rendition or Reprieve). Restrictions are also proposed to the provision allowing processing in the public interest, which will only be lawful where the controller is exercising functions prescribed in legislation (draft Regulation Article 6(1)(e), (f), (3)). The exception relating to disclosure “necessary” to protection the “vital interests” of the data subject is retained but this has been interpreted very narrowly to mean life and death situations such as use of medical records after a life-threatening accident. It is not given any wider compass in the proposals. The upshot will be that work of human rights groups and human rights lawyers working to protect the interests of data subjects will be made even more difficult.

The Information Commissioner has drawn attention to some of these problems in its initial analysis of the Commission’s proposals (February 2012). The IC has stated that the terms of the draft Regulation may, “stand in the way of processing that is desirable, unobjectionable and helpful to citizens.” And the IC has called for “explicit recognition in the Regulation that processing may take place where it is clearly in the data subject’s interests and does not override his or her fundamental rights and freedoms.” It is to be hoped that such well-founded criticisms will be addressed.

In the current climate of concern about the surveillance society it is important to appreciate that the side effects of the over protection of personal data are not confined to farcical exchanges with public utilities companies: data over-protection can undermine the effective protection of human rights.

Tom Hickman is a barrister at Blackstone Chambers.

[1] http://www.reprieve.org.uk/press/2011_06_22_Fox_Hague_Yunus/. Presently the subject of habeas corpus proceedings: R (Rahmatullah) v SSFCA [2012] EWCA Civ 182 on appeal to the Supreme Court. The detective work is described in a witness statement of Clive Stafford-Smith dated 14/04/10

4Comments

Add yours

1

Alan Robertson on March 10, 2012 at 3:16 pm

Don’t know what you are complaining about. Seems quite sensible to me. There are many people trying to obtain information on others. Its not for people who hold the information to decide whether your intentions are benign or not.
2

Tim Turner (@tim2040) on March 11, 2012 at 8:34 am

I work with the Data Protection Act every day, and I don’t agree that the fault is with the Act. There is nothing in the DPA that is so confusing that would justify the wilfully wrong-headed approach that often causes the DPA to be invoked. Public and private sector organisations do not trust their staff, so give them clunky, unhelpful policies and no discretion. Hence your experience with British Gas. Explicit consent is one of the conditions for processing personal data, but it is not the only one. The IC’s concern about the loss of the ‘legitimate interest’ category ignores the fact that the private sector often use that element as a justification for all kinds of processing done without consent, – why should private companies be allowed to do things with a person’s data without permission, unless it’s to investigate fraud or fulfil a contract (for which other conditions will remain in place)?
3

David Erdos on March 11, 2012 at 1:06 pm

I think this post makes some excellent and well-timed points. Its key virtue is to highlight a debate which is very rarely had, namely, the really pressing need to reconcile the the protection of personal information with other fundamental interests including freedom of speech, of inquiry, association and information. Certainly there are many other examples to give of the way in which data protection laws have had effects which work against the exercise of other fundamental rights. For example, in my own work I have explored how the fact and manner in which UK Universities have felt compelled to apply the labyrinthine “research” provisions of the Act (as opposed to the far more liberal ones for “journalism, literature and art”) has led to academics in the social sciences and humanities being denied permission to carry out crucial work for their books and articles which by, for example, looking into issues such as the misue of power or corrupation are justifiably covert, identifiable and/or critical. Given that such methodologies are often resorted to by the Press (often with far too little of a public interest rationale) the irony is that these sometimes savage restrictions are literally turning freedom of expression and inquiry “on its head”. As Tom Hickman notes, the time to make data protection truly “fit for purpose” is now. Ensuring such a reconciliation is not only in the interests of other fundamental freedoms but is in the interests of data protection itself. With the spread of ever more instrusive modern technology, such law has never been so necessary. But to my mind it will only be taken serious as a body of law when the stipulations it sets out are legible to all concerned and make principled sense.
4

RM on March 25, 2012 at 10:57 pm

Have any of those who have commented tried personally to purse an FOI application through the system?

One core issue is that the Data Protection Commissioner and the Freedom of Information Commissioner is one and the same person wearing two different hats. Try making an FOI application to the ICO, for the publication of data held by the ICO, and then appealing their internally reviewed decision to refuse the application to the Information Commissioner now wearing his second hat. Byzantine is not the word for it.

Thank goodness for the Lower and Upper Tiers of the Information Tribunal, where one can take one’s appeal free of charge, without the costly help of any scurvy lawyers.