Sunday, October 12, 2008

Additions to the Casebook!

Some latest cases and updates that will need to be included in my casebook on data protection:

1) The Criminal Justice and Immigration Act 2008 received the RA on 8 May 2008. Some of the main provisions worth noting and commenting is ss 77-78 CJIA and s 144 which amends the UK DPA 1998 by adding s 55 A to increase the ICO's powers to impose monetary penalties (ie. the ICO has the power to serve monetary penalty notices to organisations for breach of the UK DPA 1998).

2) Roberts v Nottinghamshire Healthcare NHS Trust
[2008] EWHC 1934

In brief, this case hinged on whether the Trust was in breach of its obligations under the DPA 1998 by refusing R access to a report prepared on him by the Trust employer on the grounds that this was exempt from disclosure. Art. 13 of the Data Protection Directive 95/46/EC on exemptions and Recitals 42 and 43 of the Directive were considered in the judgment. Reference was made to the case of Durant and Auld LJ's judgment:
A number of general points can be made about the court's role under section 7(9). First, its role is to review the decision of the data controller rather than to act as primary decision maker. In Durant v Financial Services Authority [2003] EWCA Civ. 1746; [2004] IP & T 814 Auld LJ said at [60]:

    "Parliament cannot have intended that courts in applications under section 7(9) should be able routinely to "second guess" decisions of data controllers, who may be employees of bodies large or small, public or private or be self-employed. To so interpret the legislation would encourage litigation and appellate challenge by way of full rehearing on the merits and, in that manner, impose disproportionate burdens on them and their employers in their discharge of their many responsibilities under the Act."

    And then, after referring to the Data Protection Directive and to Article 8 of the European Convention on Human Rights, Auld LJ continued at [60]:

    "Under both international legal codes, it is for the Member State to justify, subject to a margin of national discretion, any provisions enabling refusal of disclosure in terms of necessity and proportionality, and similarly, data controllers should have those notions in mind when considering under section 7(4)-(6) whether to refuse access on that account. So also should courts on application by way review of any such decision under section 7(9). But it does not follow that the courts should assume, if and when such a question reaches them, the role of primary decision-maker on the merits."

    Secondly, the court must determine, with the benefit of sight of the data, whether the data controller has appropriately concluded that one of the exemptions provided for under the Act or an Order applies. The burden of proof is on the data controller, to the civil standard. Given the right involved, however, the court will approach the matter with a heightened sense of what is at stake, what has been described in other contexts as "anxious scrutiny". Auld LJ's judgment is helpful in indicating how that issue is to be approached, "in terms of necessity and proportionality". Necessity as a test originates in the directive, as can be seen from recital 43. Proportionality as an approach no doubt derives from the relevance of the European Convention on Human Rights to the issue. The twin requirements of necessity and proportionality constrain the data controller in any decision to refuse release of the data. In the light of all of this the court then reviews the decision of the data controller. It is not a decision on the merits but a consideration of whether the data controller's decision is flawed on public law grounds whether, for example, irrelevant matters have been taken into account or the decision not to release is such that no reasonable data controller would have arrived at that conclusion.

    The court denied the application to disclose the report on the following grounds:

In light of the very serious concerns and unusual circumstances in this case I have exercised my duty of "anxious scrutiny" to determine whether the defendant has complied with its obligations under the Data Protection Act 1998. In my judgment the defendant has clear and compelling reasons based on cogent evidence to support its decision not to release the report. Moreover, I have been persuaded that disclosure of the reasons for this conclusion are not appropriate in this case. As to what I have described as the half-way house, disclosure to the claimant's legal representatives but not the claimant, in my judgment the court has no power to order it. There is no such power in the Data Protection Act 1998. The other grounds which were advanced as a basis for that power are besides the point once it is recognised that, absent specific authorisation, legal representatives cannot keep relevant information or knowledge from a client. In this case the claimant has agreed to abide by the half-way house but that is no ground for the exercise of any discretion on my part to order disclosure of the report, given the statutory position and my conclusion that no injustice is caused to the claimant by not doing so.

No comments: