I should (not) Coco? EIRs and common law of confidence

Has the Information Tribunal once again followed too slavishly the principles of a 44-year-old expression of the doctrine of common law confidentiality?

In 2008 the then Information Tribunal held that the Home Office had not been entitled to rely on exemptions in the Freedom of Information Act 2000 (FOIA) when dealing with a request from the British Union of Anti-Vivisectionists (BUAV). Specifically, the Tribunal held that some of the information in question did not attract the protection of the common law of confidence (which, for complex reasons was invoked through the interplay of section 24 of the Animals (Scientific Procedures) Act 1986, and section 44 of FOIA, rather than section 41 FOIA, which deals in explicit terms with confidential information). The Tribunal relied heavily in its analysis of the law of confidence on the principles in the landmark case of Coco v AN Clark (Engineers) Ltd (1968) FSR 415 Ch D. On appeal to the High Court, Mr Justice Eady was critical of this reliance, pointing out that there had been significant developments in the law since Coco v Clark:

The Tribunal rather proceeded on the assumption that “the law of confidence” was to be found only in the principles explained by Sir Robert Megarry in Coco v Clark. It assumed that this authority provided an exclusive definition such that, whenever the phrase “in confidence” was to be found in a statute, the legislature must be taken to have had those principles in mind. With respect, however, this does not seem to me to be necessarily the case. Much will depend on context.

It is clear, for example, that the law of confidence is not confined to the principles governing the circumstances in which an equitable duty of confidence will arise; nor to the specialist field of commercial secrets. An obligation of confidence can arise by reason of an agreement, express or implied, and presumably also by the imposition of a statutory duty. (Secretary of State for the Home Office v BUAV & Anor [2008] EWHC 892 (QB))

It is thus important to bear in mind, for the present case, the broad principle, stated by Buxton LJ in McKennitt at [11], that “… in order to find the rules of the English law of breach of confidence we now have to look in the jurisprudence of articles 8 and 10”. The Tribunal did not address these developments at all and thus proceeded on an incomplete understanding of the present law.

(emphasis added)

It is somewhat surprising, therefore, to read the recent judgment of a differently constituted First-Tier Tribunal (Information Rights), considering the extent to which environmental information was exempt from disclosure under regulation 12(5)(e) of the Environmental Information Regulations 2004 (EIR). Regulation 12(5)(e) provides that

a public authority may refuse to disclose information to the extent that its disclosure would adversely affect…the confidentiality of commercial or industrial information where such confidentiality is provided by law to protect a legitimate economic interest

The case – Jones (on behalf of Swansea Friends of the Earth) v IC & Environment Agency – involved a request for information relating to financial guarantee arrangements put in place by a landfill site operator, as a condition for obtaining a permit to operate a waste landfill site near Swansea. It was common ground that the request was for environmental information, and that it was commercial in nature, so the main question which fell to be decided by the Tribunal was whether the information was

subject to a duty of confidence provided by law because the information was created and provided in circumstances giving rise to an obligation of confidence

At paragraph 35 of its judgment, the Tribunal says

The well-established test in Coco v Clark is that, apart from contract, for a common law breach of confidence claim to succeed, three elements must be present:
(a) the information itself must “have the necessary quality of confidence about it”;
(b) the information must have been imparted in circumstances importing an obligation of confidence; and
(c) there must be an unauthorised use of that information, to the detriment of the party communicating it.

(emphasis added)

With respect, the Tribunal here appears to have had no regard to Eady J’s dicta, and the many recent authorities he cited, in Home Office v BUAV.

Accordingly, the Tribunal went on to hold (para 36) that it

[did] not see that it can be said that the [financial guarantee arrangement] information was imparted in circumstances importing an obligation of confidence…[because] the information came into existence through a process of negotiation between the parties

The Tribunal drew support for this from the findings of a (differently-constituted) tribunal in a case concerning the analogous (but differently-worded) section 41 exemption in FOIA concerning confidential information:

We recognise that section 41 refers more explicitly to information being “obtained” by the public authority from any other person. That is not the language of regulation 12(5)(e). However, we consider that the same element is imported by the incorporation of the common law test of breach of confidence into regulation 12(5)(e) of the EIR. In short, we find that the second element of the test in Coco v Clark has not been met and the information is not subject to a duty of confidence provided by law. (para 38)

This extension of the FOIA confidentiality principles into the EIR is controversial in itself. It becomes even more so when compared with a previous Tribunal decision on regulation 12(5)(e). In South Gloucestershire CC v IC & Bovis Homes (EA/2009/32) the more restrictive language of section 41 FOIA was explicitly contrasted with that of regulation 12(5)(e). The Tribunal held there that the Council’s own information could attract the protection of the law of confidence, without the necessity of its having been provided by a third party. See this helpful article by Practical Law Company for further on this, and for reference to the rather regrettable fact that South Gloucestershire v IC & Bovis Homes was not mentioned by the Tribunal in the instant case.

The slavish adherence to the Coco v Clark principles also risks – as Eady J alluded to when citing Buxton LJ – overlooking the significance of the jurisprudence of the European Convention on Human Rights as it applies to confidential information. In Veolia ES Nottinghamshire Ltd v Nottinghamshire County Council & Ors [2010] EWCA Civ 1214 the Court of Appeal considered, in a case under the Audit Commission Act 1998 (ACA), whether commercially confidential information could constitute a “possession” protected by article 1 of the First Protocol of the Convention, and, potentially, by extension, Article 8. Lord Justice Rix said

 I can see no reason, in the light of the Strasbourg jurisprudence which does exist, why valuable commercial confidential information, such as the evidence in this case demonstrates is in question here, particularly with respect to the second disputed documents, cannot fall within the concept of “possessions”

I am not entirely convinced that English common law has always regarded the preservation of confidential information as a fundamental human right, although I accept that it has been recognised and accepted by our common law. Nevertheless, in the light of at least article 1 of the first protocol, it can now be seen that it is a species of “possessions”, with which the state cannot interfere without justification

Disclosure of information under a regime such as the EIR (or FOIA) is different to the potential unfettered disclosure proposed under the ACA, and the public interest provisions might provide the “justification” for state interference discussed by Rix LJ. Nonetheless, it seems surprising to say the least that Jones v IC & Environment Agency proceeded without reference to any of the more recent authorities of confidentiality.

It is notable that Jones v IC & Environment Agency was determined on the papers, without the benefit of oral argument. It would greatly assist both public authorities, and the commercial organisations with whom they interact, if these points were fully argued, and a reasonably definitive position laid down, by an appellate court.

 


Equifax in breach of DPA and common law duties

An interesting case has been heard in the High Court, before His Honour Judge Anthony Thornton QC, in which the claimant succeeded in showing breach of the Data Protection Act 1998 (DPA), as well as common law breach of a duty of care, on the part of the Credit Reference Agency Equifax. He also succeeded in showing this caused damage, because he was unable to access personal and company banking services.

Mr Smeaton, the claimant, had, for complex and unusual reasons, been subject to a bankruptcy order which was made on 1 March 2001, but almost immediately stayed, on 10 March 2001, and rescinded on 22 May 2002.

Despite this, the records kept by Equifax relating to Mr Smeaton wrongly showed that between 12 March 2001 and 17 July 2006 he was subject to the bankruptcy order. In June and August 2006 Mr Smeaton had, on his own behalf and on behalf of his company, Ability Records Ltd, made applications to Nat West Bank for account and overdraft facilities. These applications were refused by Nat West, having consulted Mr Smeaton’s credit file held by Equifax.

The judge held that Equifax had never reviewed its procedures for recording and reviewing the accuracy of bankruptcy information: it relied entirely on information provided by consumers (or placed in the London Gazette by consumers) before reviewing or amending entries (and Mr Smeaton was heavily dyslexic and not aware of the existence of Equifax and other credit reference agencies, nor their procedures). Although Equifax had argued that it was “wholly impracticable to undertake the checks that would be necessary if it was to itself ascertain when a bankruptcy order was discharged or otherwise brought to an end or stayed”, it had failed to distinguish between the (very large) number of bankruptcies that were eventually discharged, and (the relatively tiny number of) those which were subject to annulment, rescission or stay:

Equifax should have considered whether it was possible to find a quick, reliable and cheap way of being informed of annulment, rescission and stay orders which did not rely exclusively on consumers drawing such orders to its attention

Equifax (as data controller) were in breach of the fourth data protection principle in part 1 of Schedule 1 of the DPA, which states that

Personal data shall be accurate and, where necessary, kept up to date

Although there is a proviso (at part II of Schedule 1) which says that a contravention of the fourth principle will not take place if the data controller has taken reasonable steps to ensure the accuracy of the data, Equifax’s failure to have considered a way of being informed of annulment, rescission or stay meant that they could not rely on this.

The judge held also that because of the liability imposed on Equifax by the DPA, it also assumed a duty to act with reasonable skill and care at common law, and it had acted in breach of that duty.

Finally, the judge held that it was

inescapable that the [bank] applications were refused on the sole ground of Mr Smeaton’s bankruptcy entry on his credit file

and that therefore his failure to obtain funding was

as a direct result of Equifax’s breach of the data protection principles and, in particular, as a direct result of its retaining on Mr Smeaton’s credit file details of his undischarged bankruptcy order between 12 March 2001 and 17 July 2006

Mr Smeaton claims that the result of this was that

His life descended into a tragic mixture of homelessness, living in a car on the streets, mental breakdown, impecuniosity and a consequent inability to progress his business affairs as a direct result of the enormous shock on discovering that he had had an adverse credit record for the last five years and that the bank on which he had pinned so much hope in providing Ability with the necessary step up to obtain the SFLGS, itself an essential feature of its business plan, prevented him from taking anything other than relatively modest steps to further that plan for many months

However, the trial on causation and damages will be heard separately at a later date. This is a claim based on section 13 of the DPA, which provides that

An individual who suffers damage [and distress if it arises from that damage] by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage

It is worth noting that since 2008 an electronic version of the Individual Insolvency Register has been provided to Equifax under a subscription arrangement between them and the Insolvency Service. As the judge said

Due to advances in the electronic processing of credit data and to legislative changes in the insolvency legislation concerning personal bankruptcies, it is very unlikely that the highly unusual facts of this case will ever re-occur in the future

However, it is not particularly common for a section 13 claim under DPA to succeed, especially given the difficulty of proving damage (see Johnson v Medical Defence Union [2007] EWCA Civ 262 for an example of the difficulty in making a successful claim) so this is a case data protection practitioners should continue to keep an eye on.


Will NHS appeal ICO fine? Let’s hope so.

The Information Commissioner (ICO) today announced that it had imposed a monetary penalty notice (MPN), under section 55A of the Data Protection Act 1998 (DPA), against Central London Community Healthcare NHS Trust. The penalty was in the sum of £90,000, and was imposed after

patient lists from the Pembridge Palliative Care Unit, intended for St John’s Hospice, were faxed to the wrong recipient. The individual informed the Trust in June that they had been receiving the patient lists – around 45 faxes over a three month period – but had shredded them.

The patient lists contained sensitive personal data relating to 59 individuals, including medical diagnoses and information relating to their domestic situations and resuscitation instructions

 All very interesting, particularly because this was only the second MPN imposed on an NHS body, after one last month against the Aneurin Bevan Health Board.

 What was even more interesting, however, was to read on the publicservice.co.uk website that CLCH Trust are saying they will appeal the MPN. This would be the first such appeal, and would be very important in terms of getting some judicial opinion on the law and the ICO’s application of it.

 Section 55A of the DPA gives the ICO the power to impose an MPN, while section 55B provides that a person on whom the notice is served may appeal to the First Tier Tribunal (Information Rights) against both the issue of the notice and the amount.

 Regulations and an Order (the snappily-titled The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 and The Data Protection (Monetary Penalties) Order 2010) make further provision for both the imposing of and appeal against an MPN. Additionally, under section 55C the ICO must issue guidance on “the circumstances in which he would consider it appropriate to issue a monetary penalty notice, and how he will determine the amount of the penalty”.

On appeal the Tribunal can consider both whether the MPN was in accordance with the law and whether, to the extent that it involved an exercise of discretion by the ICO, he ought to have exercised that discretion differently. The statutory section 55C guidance, and whether the ICO has adhered to it, will clearly be important, but so will, I would suggest, any evidence as to consistency of approach. An appellant would do well to submit evidence of examples where similar or worse apparent breaches of the Act have not resulted in an MPN. As Stewart Room wrote some months ago

what is ICO’s plan? By this I mean, how does ICO arrive at its figures and how are they justified?

We’re probably not going to get to the bottom of this until someone takes a case on to appeal, but as we are nearly two years into the fining regime I think we’ve arrived at the point when we can legitimately expect ICO to explain where it is heading with the fine and what has driven its decisions so far.

Perhaps we have indeed now arrived at that point.


How to overlook an FOI request

Is it realistic or helpful for the law to be that any written request for information should fall under FOI?

On 23 April I noticed that an appeal to the First Tier Tribunal (Information Rights) had been made by Ryanair regarding a Freedom of Information Act 2000 (FOIA) matter, also involving the Office of Fair Trading (OFT). The Information Commissioner (ICO) Decision Notice in question has the reference number FS50391208.  Knowing that Ryanair are sometimes a rather controversial outfit (although one acknowledges a lot of the controversy might actually be self-serving) I was interested to read the Decision Notice in question. The Tribunal’s website is rather basic, and the list of current appeals is uploaded only as a PDF document. This means that to read the Decision Notice in question one has to search for it elsewhere. However FS50391208 was, and is, nowhere to be found (unless my search skills have let me down).

This is a bit odd: a Decision Notice is a public document which the ICO issues when an application is made to him for a decision as to whether “a request for information made by the complainant to a public authority has been dealt with in accordance with the requirements [of FOIA]” (section 50, FOIA). I say “public” but as far as I know the open publication of Decision Notices is at the discretion of the ICO – nonetheless, it is clearly his standard custom to do this. So, any Decision Notice, especially one appealed by a company such as Ryanair, which is not published, might attract interest (bear in mind that Ryanair will have made the request in question, and the OFT is the public authority involved). It is, of course, possible that an error has occurred: for instance, the Tribunal might have published the wrong reference number (although a search on the ICO’s site doesn’t throw up any Ryanair Decision Notices), or someone might just have omitted to upload the Notice.

Accordingly, I sent a tweet to the ICO’s twitter account

Hi @ICOnews DN FS50391208 (OFT) which Ryanair are appealing does not appear to be on your website. Can we see it pls?

I didn’t receive any reply, so, a few days later, sent another

Hi @ICOnews – I asked this q the other day https://twitter.com/bainesy1969/status/194375116493291520 Any answer pls? It wd qualify as FOI request after all :-)

I still haven’t received a reply. Perhaps my little emoticon made the tweet not seem serious? By my calculation the ICO’s twenty working days to respond is up tomorrow, so I thought I’d blog this today, lest the lovely ICO people I met at last week’s PDP conference think I’ve just waited until the time is up before reminding them (again).

The ICO has said that FOI requests made by twitter are valid requests, and I’ve previously blogged about this. But it does make me wonder how realistic it is for a public authority (especially a large one, which, with all due respect, the ICO is not) to be expected to monitor all information channels in case a request for information is made (which doesn’t even need to mention FOI, of course).  The Irish Freedom of Information Act 1997 requires requesters to state that the request is made under the Act. Although that would not really help the ICO in my example here, it would avoid the situation where an FOI request is lost among reams of correspondence on a related matter. I don’t think an amendment of FOIA to this effect has been proposed in the UK, but I’m starting to think it might be a good idea.

This isn’t the most pressing issue facing FOI, and light touch regulation should mean that no one loses too much sleep if a request is inadvertently overlooked, but it is a subject which keeps nagging at me.

I rather suspect I’ve previously advocated against requiring requesters to invoke FOI in a response, and I reserve my right to change my mind again. As Lawrence Serewicz said in his inspiring talk at that PDP Conference, he has very strong opinions, but he holds them very weakly. I like to think I’m the same.


MPs and Data Protection offences, part two.

In which I follow up a previous post, ask the ICO what action he is taking and consider the implications for ICO funding under proposed amendment of data protection laws.

In a previous post I pointed out that 22 MPs who had been identified in October 2011 as not having registered with the Information Commissioner (ICO) were still showing as not being registered. As I said, failure to register in circumstances where there should be a registration constitutes a criminal offence under section 21 of the Data Protection Act 1998. The blog post got some interest, so I thought I should follow it up with this request to the ICO under the Freedom of Information Act 2000. The request can be seen on the excellent whatdotheyknow.com but I thought it would be useful to post a copy here:

Dear Information Commissioner’s Office

In October last year you disclosed to another requester a list of
46 MPs who had not renewed their section 18 DPA registration with
your office. You explained some of the procedure for enforcing the
statutory requirement to register, and explained that

“Prosecution is usually the last resort when all else fails and we
do give ample opportunity for the data controller to register. The
legal team are not currently considering any MPs for prosecution.”

It appears, from a check of your register that, currently, 22 of
those same MPs have still not registered, more than seven months
later. These are

Z1243695
NIGEL EVANS MP
Z1434043
GAVIN BARWELL
Z1939110
EDWARD LEIGH MP
Z9286519
KHALID MAHMOOD MP
Z1993957
JAMES CLAPPISON MP
Z1102604
ANGUS ROBERTSON MP
Z9256111
JIM SHANNON
Z927838X
DAVID SIMPSON
Z1577500
DAVID BURROWES
Z1538835
PAT DOHERTY MP MLA
Z2134863
MARGARET CURRAN
Z2241138
RACHEL REEVES MP
Z2241519
NIGEL ADAMS
Z2247846
STUART ANDREW
Z9938280
SHAILESH VARA MP
Z2342005
TRISTRAM HUNT
Z1893869
PAUL BERESFORD
Z1903198
CHRISTOPHER CHOPE MP
Z2378834
JESSICA LEE
Z8752516
ERIC JOYCE MP
Z2343491
ZAC GOLDSMITH MP
Z1728512
ADAM HOLLOWAY

I note that in several instances these MPs appear not to have
renewed their notification for over a year.

Please inform me, under the Freedom of Information Act 2000

1. What enforcement action has been taken against these MPs?
2. How many reminders each has been given (I understand you
normally operate a two-reminder, then enforcement, system)
3. In addition to these 22, how many other MPs have not renewed
their notification? (as more than seven months have elapsed I
presume there will be some additional notifications which have
lapsed).

I acknowledge that the online register does not guarantee to be
up-to-date.

As my previous post said, enforcement of this provision of the DPA does not appear to have stopped: I have seen no announcement to suggest this, and it would be odd, to say the least, if the ICO decided to turn a blind eye to one of the clear offences in the DPA. What would make it particularly odd is the fact that registration represents a huge revenue stream for the ICO, and the more data controllers who register, the greater the income. A fee is levied against a data controller when they register, which amounts to either £35 or £500, depending on the size of the organisation. The last set of accounts show that the income to the ICO from this stream was just short of £15 million.

Clearly it is in the ICO’s interest to enforce this requirement. A failure to enforce, or a perceived failure to enforce could lead to data controllers deciding it’s worth taking a risk by not registering, to save an annual £35 or £500 (they know they would get at least two reminders as it is).

Finally, I note that under amendments to the statutory scheme which will follow the enactment of a new European data protection Regulation, this requirement to register will probably be removed. I presume someone has thought about the effect this will have on the funding of the ICO? £15 million is a hell of a lot to lose, and the office is underfunded as it is.


Godwin’s Law and Data Protection (or, Let’s Be Careful Out There)

A data protection officer I know has been having a bit of a hard time lately from his managers for questioning their relentless push to encourage greater sharing of information between their public sector organisation and other public sector bodies. My friend has been accused of not being a “can-do” person. In defence of his managers, they are being pushed themselves: despite the Conservative party’s pre-election pledge to “scale back the database state” and the Lib Dems’ commitments not to harvest unnecessary information about people’s private lives, data-sharing is being vigorously promoted.

Sometimes it’s important to share data. I blogged only yesterday about a situation where (if it’s true) a failure to share data possibly had tragic consequences. Similarly I remember once, when I worked in a mental health clinic, how two police officers came in and asked if we knew the whereabouts of one of our regular patients: I had been warned that some police officers would try to trick us into revealing information about our patients, but I knew that this patient was highly vulnerable and unstable and the officers apparently had good reason to know the information. I exercised a discretion that I still wonder about today to disclose that personal data. It was a judgement call, and sometimes you get them wrong – I hope I didn’t then.

However, it is surely not uncontroversial to say that there are risks in excessive data-sharing. Paul Bernal has blogged today, prompted by the worrying success of the neo-Nazi Golden Dawn movement in last week’s Greek elections, about the importance of recognising what are the current, and historical, implications of surveillance of citizens by the state. “Surveillance” can take many forms – sometimes it’s video recording of people, or retention of their DNA. Sometimes it’s not even the state doing it, but citizens themselves: I recently wrote a rather crude post (which I need to re-visit) questioning whether it was a good idea to have hyper-local media collating and publishing information about people appearing in magistrates’ courts.

Sometimes, as well, it can take the form of creeping databases.  Thus, hypothetically, the state is able to collate the following: person W, who is Jewish, knows person X, who is a trade unionist, who has been known to associate with person Y, who is disabled and has twice been accused of crime Z. The state thinks this is useful data. It might be, but equally it might be excessive, or unnecessarily gathered, or retained too long.

In a modern, liberal, state, none of the identifying features in my hypothetical example should really raise an eyebrow. In a non-liberal state, however, similar information that has possibly been innocently, or naively, collated, can be misused in horrendous ways: so, in 1940s Holland, municipal registers were used by the Nazis to identify and persecute Jews, trade union membership lists used to persecute organised labour and public health and crime records used to persecute the disabled and criminals.

Maybe I’ve godwinned myself and my own blog, but one cannot avoid the fact that modern digital communication and storage are tremendously powerful – unimaginably so compared to even ten years ago, let alone 70 years. Data-sharing can have enormous and beneficial implications, but we need to exercise caution. We mustn’t amass personal data just because we can. We mustn’t use that data for purposes which were not envisaged when we gathered it. And we mustn’t retain that data just because we can’t be bothered to think what to do with it after its usefulness has passed.

As it happens, all the foregoing principles are actually enshrined in the statutory Principles in the Data Protection Act 1998. That Act gave domestic effect to an EC Directive, which in part had its genesis in the European Convention on Human Rights. That Convention – in turn – had its genesis in the lessons learned after a fascist party gained support in Europe, and then ultimately took power in a fractured and devastated country.

 


Data Protection Obscenities

A tragic story about the suicide of a young man, and the apparent ridiculous citing of the Data Protection Act to explain why his mother was not warned.

A few years ago, Richard Thomas, the then Information Commissioner (ICO) launched a campaign to counter what were called “Data Protection Duck Outs”. It got some media attention, but I’ve always thought it suffered from sounding like the kind of phrase a “hip” teacher, or my parents, would have come up with. The ICO said

The Data Protection Act does not impose a blanket ban on the release of personal information. It requires a common sense approach, and should not be used as an excuse by those reluctant to take a balanced decision.

The bad-practice examples cited to illustrate the campaign were mostly light-hearted

In September 2008, Marks and Spencer wrongly blamed the Data Protection Act when they told a mother they could not discuss the delivery of her seven year old son’s Superman suit because it would infringe his data protection rights.
ICO view: Organisations should be cautious about releasing details of an order or account to a third party. However, in this case M&S was not being asked to release any personal information (only to confirm that a part of the suit was missing, and send it), so M&S could have spoken to the boy’s mother without breaching the Data Protection Act.

or

In 2005 it was reported that Catholic priests were no longer allowed to pray out loud for an ill person by name because they might be breaking data protection rules.
ICO view: Unless this sort of information was formally held on file it would not be covered by the Act. Even if it were on file, there would only be a breach if the person had specifically asked not to be mentioned or the church had reason to believe they would object.

Well, if the following story from thisiscornwall.co.uk is true, I have a current-day example, and I wouldn’t call it a “duck out” but an obscenity.

A man with a history of drug abuse killed himself in Camborne after being released from police custody, where he was detained under the Mental Health Act, a coroner has heard….Because of the Data Protection Act [his mother] did not know that her son had been detained and said she was powerless to help him.

The “duck out” campaign was launched because of misconceptions about the Data Protection Act 1998 (DPA). The DPA certainly has faults, but you can bet your house that when you hear someone blaming the DPA for not doing something, it is either because they have made a mistake, and are trying to cover themselves, or because they are ignorant of what the Act does and does not permit. The Cornwall story is unclear as to who allegedly cited the DPA for not informing this poor man’s mother, but, just to be clear, Schedule 3 of the Act specifically permits disclosure of sensitive personal data where

The processing is necessary…in order to protect the vital interests of the data subject or another person, in a case where…consent cannot be given by or on behalf of the data subject, or…the data controller cannot reasonably be expected to obtain the consent of the data subject.

This is before we get to considering other factors – for instance whether an appropriate adult was a requirement in this instance, and the fact that under section 56 of the Police and Criminal Evidence Act a person detained has the right to have someone informed. In which case there would certainly have been other conditions permitting disclosure (thanks to @MentalHealthCop on twitter, for pointing this out, and for alerting me to the story in the first place).

In 2004 the Bichard Inquiry report into the Soham Murders was highly critical about the misunderstandings and misinterpretations of the DPA which led to Humberside Police deleting information about Ian Huntley, and which subsequently meant that when Cambridgeshire Police ran checks on him, when he applied for a school-caretaker position, nothing came up.

The term “duck-out” doesn’t begin to describe the enormity of the mistaken decision to delete Huntley’s data, nor, if this Cornwall story is accurate, does it begin to describe the enormity of the decision – whoever might have taken it (and the story is unclear) – not to tell Daniel Carrick’s mother her son was detained. The current ICO is very keen to clamp down on serious breaches of the DPA, but these are almost exclusively concerned with the loss of, or inadvertent disclosure of, personal data. Perhaps he should also be alive to stories like this, which suggest potential tragic misconceptions and misuse of the DPA, and which really should carry the term Data Protection Fuck-Ups.

 
