Meanwhile, decisions for cases under the old law are published and affect decision making. Despite a focus on the DPA, Freedom of Information Act (FOIA) requests continue to be made and require consideration by your information team.
In this round up we have pulled together the highlights that those dealing with information law in the public sector should be aware of.
The ICO has written a blog about the increase in use of CCTV cameras inside licenced taxis. The ICO highlights a concern with systems that run all the time, including when the driver is using the vehicle privately.
The ICO recommends that authorities consider whether less privacy intrusive methods can be used to achieve the same aims. It reminds councils that Data Protection Impact Assessments (DPIAs) must be carried out prior to the roll-out of any intrusive surveillance system. If you conclude that the system is required, you should remember to implement the project taking account of the 'privacy by design' principles, for example, not collecting more personal data than required. We suggest you document each of these stages to ensure that you can justify your position.
If you find the ICO's DPIA tricky to follow, VWV has designed a template with our clients and their projects in mind.
This case concerned a subject access request made to the General Medical Council. A patient had requested a copy of the report about his doctor's (Dr B) treatment of him. The complicating factor was that the patient's personal data was intertwined with that of Dr B, who did not consent to the disclosure. This meant that the GMC had to carry out a balancing exercise to decide whether it was reasonable to disclose the report to the patient without Dr B's consent.
Decided under DPA '98, this case, misleadingly, is now of limited application to those working with doctors. This is because the DPA '18 states that it is reasonable to share information about a health professional, in a mixed data situation, when they have compiled or contributed to the care or treatment of the data subject. There is a similar provision regarding education and social care workers.
For other situations, the case helpfully concludes that in 'mixed data' cases, data controllers have a wide margin of discretion when carrying out the balancing exercise. There is only a presumption in favour of withholding the personal data if the interests of the requester and the other person are equally balanced when carrying out the balancing exercise. It was concluded that the High Court was incorrect to find that the starting point is a presumption in favour of withholding the information.
For a more thorough examination of the case, see our summary.
The Independent Inquiry into Child Sexual abuse was fined £200,000 in July (under DPA '98) after sending a bulk email to participants of the inquiry that mistakenly put email addresses into the 'to' line of the email rather than using 'bcc'. The email addresses of the participants were revealed to others and people could be identified as potential victims of child sexual abuse.
This case highlights the importance of protocols for sending bulk emails. If your organisation does not already have rules in place for sending emails to multiple recipients, you should consider putting some in place. This could be done by using specialist software for mail-outs, only allowing certain individuals to send large mail-outs, or a buddy system for checking contents and security.
A recent Tribunal case provides guidance when assessing whether to use FOIA or the Environmental Information Regulations (EIR) when requested information includes environmental information as well as other information. In Information Commissioner v Department for Transport & Hastings, Judge Wilkeley provided a test, which (in summary) advises public bodies to:
Another recent Tribunal decision considered Cambridge University's approach to calculating the s12 exemption time and cost limits exemption. The decision reinforces that:
Labelling a request 'vexatious' is always a difficult decision, and one which can cause an emotional reaction in the recipient. However, in some cases this is entirely appropriate, and the Tribunal recently considered one of those cases, where there had been a considerable history of engagement, culminating in over 50 FOIA requests.
In correspondence, the requestor had compared the authority to Nazis and made allegations of corruption against those working there, and continued to make requests after individual points had been dealt with. The Tribunal repeated the key elements from the Dransfield case, and reiterated that public authorities should: