Court Martial, Criminal Justice, Criminal Law, Military Justice, Random, Service Law

The Case of Marine A

Yesterday the Court Martial Appeal Court (which, as the name suggests, hears appeals from Courts Martial) refused an application for bail by Alexander Blackman (more popularly known as ‘Marine A’) pending his appeal against his conviction for Murder.  There was, predictably, an almighty uproar and, equally predictably, the uproar appears to be coming from people with scant knowledge of the facts (or a complete lack of interest in the facts).  Before looking at the decision of the Court Martial Appeal Court, it might be worthwhile recapping, briefly, how we have arrived at this situation.

‘Marine A’ served with the Royal Marines and was deployed to Afghanistan.  On 15 September 2011 insurgents attacked a compound that was occupied by the Royal Marines.  A helicopter was called in to assist with the fire fight that had ensued.  One of the insurgents was located in open ground and the helicopter opened fire on that particular insurgent.  A unit was tasked to undertake an assessment of the damage from the battle and that unit was under the command of ‘Marine A’.

Each of the three armed forces in the UK has their own police force – The Royal Military Police (Army), the Royal Navy Police (the Navy) and the Royal Air Force Police (the RAF).  About 12 months later the “Military Police” (phrase used in the Court Martial Appeal Court’s judgment) were undertaking an investigation into unrelated matters but found video recordings of the incident in Afghanistan on 15 September 2011.  It is understood that in the video footage ‘Marine A’ is heard to admit that he had broken the Geneva Convention when killing an insurgent.  That discovery by the RMP resulted in ‘Marine A’ together with others being charged with Murder.  The matter was tried before a Court Martial and in November 2013 ‘Marine A’ was convicted of Murder.

The Court Martial is a military court which has its current basis in the Armed Forces Act 2006.  It hears cases against service personnel from all three of the services.  Proceedings are presided over by a Judge (who is called a “Judge Advocate”) and there is a Board consisting of between three and seven officers and warrant officers (who take the place of the jury); the size of the Board depends upon the seriousness of the charge(s).  The Court Martial may try any offence against service law (section 50(1), Armed Forces Act 2006), which includes all criminal offences under the law of England and Wales (see Section 42 of the Armed Forces Act 2006).  The Court Martial operates much like the Crown Court (although there are notable differences) and matters of law are determined by the Judge Advocate while matters of fact (including innocence and guilt) are a matter for the Board.  Matters are prosecuted before a Court Martial by the Service Prosecuting Authority.  The SPA is an independent tri-service body which is staffed by qualified lawyers who are drawn on secondment from the Legal Branches of the Army, Navy and RAF (all of whom are commissioned officers in their respective service).  The SPA is independent from the chain of command and operates along similar lines to the Crown Prosecution Service.  The SPA is under the superintendence of the Attorney General of England and Wales to mark its complete independence from the Chain of Command.

Following upon ‘Marine A’s’ conviction for Murder he unsuccessfully appealed his conviction to the Court Martial Appeal Court.  Thereafter an application was made to the Criminal Cases Review Commission which has subsequently made a reference back to the Court Martial Appeal Court.  For completeness, the judges who sit in the Court Martial Appeal Court are those set out in Section 2 of the Courts-Martial (Appeals) Act 1968 and include the judges of the Court of Appeal of England and Wales, such of the Lords Commissioners of Justiciary as the Lord Justice General may from time to time nominate for the purpose, and such of the judges of Her Majesty’s Supreme Court of Judicature of Northern Ireland as the Lord Chief Justice of Northern Ireland may from time to time nominate for the purpose.

The Judgment of the Court Martial Appeal Court discloses very limited details about the nature of the appeal before it; however, it would appear that Blackman’s lawyers are arguing that new psychiatric evidence produced renders the conviction for murder unsafe.  In terms of a disposal the Appellant is seeking, it is that his conviction for murder be quashed and either substituted with a conviction for Manslaughter or a fresh trial ordered.  In essence, the Appellant is not arguing that he is wholly innocent – he is arguing that he was criminally responsible for the death of the insurgent but that his responsibility was diminished and therefore he is guilty of Manslaughter rather than Murder.  The Prosecution do not accept this and maintain that the conviction for Murder is the correct conviction.

In short, what we have is a person who served in the armed forces, who was investigated by members of the armed forces, prosecuted by members of the armed forces (acting independently from the Chain of Command) and thereafter convicted of murder by members of the armed forces, and who is now seeking Bail pending an appeal in which he hopes his conviction for Murder will be substituted with a conviction for manslaughter.  When assessing the case of Marine A it is my view that we must do so with that short summary in mind.

In terms of Bail, the prosecution was neutral on the matter.  As we know, the Court Martial Appeal Court refused bail.  The test for bail, rightly and sensibly, for a person who stands convicted of a crime is entirely different to that of a person who is yet to stand trial.  The presumption of innocence does not apply following conviction.  The test that the Court Martial Appeal Court applied is set out in Paragraph 18 of its judgment.  It is a very high test, as would be expected.  It is exactly the same test that would be applied to someone convicted in the Crown Court of Murder who was seeking bail from the Court of Appeal pending an appeal.

The Court Martial Appeal Court determined that Marine A’s case did not meet the high test for bail to be granted and so Bail was refused.  I’m not an English lawyer and it is English criminal law that is applied by the Armed Forces Act 2006; however, I would have thought that those acting for the Appellant would have advised him on his prospects of success in his application for Bail and I suspect that neither he nor his legal representatives were surprised when Bail was refused.

The Court Martial Appeal Court appears though to be moving at breakneck speed in hearing the appeal.  The Criminal Cases Review Commission made the reference earlier this month and the Court is currently looking to have a hearing fixed for January or February 2017.  In an attempt to speed matters up the Court has severed the Appellant’s grounds of appeal and will deal initially with the primary ground of appeal (that being the one arising out of the new psychiatric evidence).  If the Appellant is successful on that ground the remaining grounds are irrelevant, if he is unsuccessful the Court Martial Appeal Court will hold a further hearing on those grounds of appeal.

While it may have been disappointing for the family, friends and supporters of ‘Marine A’ that his application for Bail was refused, it is important that the decision is seen in its context.  Furthermore, even if Marine A is successful in his appeal there is no guarantee that he will be immediately released from prison.  If his conviction for Murder is quashed and replaced with one for Manslaughter the sentence will also need to be substituted; it may well be that Marine A will need to serve further time in custody.

Legal System, Politics, UK Constitution

Brexit, Article 50 and the Supreme Court

On Monday some of the country’s most senior lawyers will gather in the Supreme Court and appear before the country’s 11 most senior judges.  The case calling before the Supreme Court is the appeal by the Secretary of State for Exiting the European Union against the decision of the Divisional Court in Miller v The Secretary of State for the European Union.  The case has come to be known as “the Article 50 case” and “the Brexit case” by many.  So much has been written on the subject already and by people who are far more expert than me; however, I thought I would throw my twopence in anyway.  In this post I will not express any view as to the merits of the Secretary of State’s case, nor of the Respondent’s case nor that of the interveners and other interested parties.

There has been a lot of sensationalist nonsense published and said about this case.  The issue before the Court is a very narrow point of law; however, it is not a difficult point of law to understand.  It is also an extremely important point of law and the narrowness and simplicity of it should not take anything away from its importance.  The issue for the court is whether the Secretary of State has a prerogative power to trigger Article 50.  The case is not about whether the UK can leave the EU nor is it about whether the UK should leave the EU.  The case is about the process of leaving the EU.

During the Referendum the Government said that it will give effect to the result of the referendum.  The result of the referendum was that those who voted to leave the EU outnumbered those who voted to remain.  It was a narrow result (despite what some might say), but the referendum was held on a simple majority basis.  One side only needed to win by one vote to win the referendum.  The result of this case does not affect the Government’s pledge to give effect to the result of the referendum; it is about how the Government gives effect to the result of the referendum.  It is a question of process and procedure.

In our democracy, the Executive (which is HM’s Government) gets its power primarily from two sources.  The first is from prerogative powers.  These are the remnants of the Monarch’s absolute power and authority.  These prerogative powers have, over the course of centuries, become constrained through the actions of Parliament.  In our system, Parliament is supreme; Parliament is sovereign and it can act to constrain the power of the Executive if it so elects.

The second source from which the Executive derives its power is from Parliament.  Through legislation, Parliament delegates some of its authority to the Executive.  This is where the power of the Government to make secondary legislation comes from.  This delegated authority is rarely absolute.  In the primary legislation delegating the authority (“the enabling legislation”), Parliament will set out the boundaries of the Executive’s authority.  That is how the courts are able to over-turn secondary legislation on social security benefits (for example) – it is because the secondary legislation steps beyond the powers delegated to Ministers by Parliament.  Ministers must either go back to Parliament to get the power needed to do what it is that they wanted to do or to get Parliament to enact the scheme that the Executive wants to enact.

This is in essence the separation of powers.  It is important in any democracy that power is shared between the Executive, Legislature and Judiciary.  Parliament is sovereign and is kept accountable by the electorate.  We do not send delegates to Parliament, but rather we send representatives.  What this means is that for the time our MP is sitting in Parliament we ask them to take decisions on our behalf.  As part of the process of an MP deciding how they are going to vote on a particular issue, they will inevitably consider the views of their constituents; however, their constituents cannot instruct the MP to vote in a specific way.  What the electorate can do if they are unhappy with the decisions that their representative takes on their behalf, is to elect a different representative to send to Parliament at the next election.

That brings us onto the question of referendums and their legal status.  As has already been discussed, Parliament is both supreme and sovereign in our democratic system.  It cannot be instructed by the electorate to act in a particular way; therefore, the referendum is simply advice to Parliament and to the Executive.  It would have been entirely possible for the face of the referendum legislation to have included the effect of the result.  The Act could have said that if the result was in favour of leave, that the Secretary of State shall give notice to the European Union of the UK’s intention to leave the European Union.  Such a step would have given the Secretary of State a clear statutory power to trigger Article 50; there could have been no litigation as to whether the Secretary of State had the power to trigger Article 50 or not.  This is what happened with the AV referendum in 2011; Parliament set out within the legislation the effect of a “yes” vote and the effect of a “no” vote.  In this case, Parliament did not do that and so there is no clear statutory power; thus the Government needs to try and rely on the prerogative power.

The effect that all of this has on the appeal in the Supreme Court next week is that the Court is determining the scope of the Executive’s power.  As already discussed, the Executive is subordinate to Parliament.  Government policy is not law.  The Government’s policy on the European Union is to leave the European Union.  It can only give effect to that policy within the constraints of its power.  If it doesn’t have the necessary power then it needs to get it from Parliament.

There have been complaints about the legal system treating the referendum vote as “a footnote”; in terms of the law that is all it is.  It is irrelevant for determining the legal question before the Court.  The prerogative power is, as discussed above, the remnants of the Monarch’s absolute authority.  If the prerogative gives the Executive the power to leave the European Union, then that would hold true irrespective of the result of the referendum (and even irrespective of whether there was a referendum at all).  What it would mean is that the Government could trigger Article 50 and bring the UK out of the European Union had the country expressed a view to remain in the European Union; it could even have done so without a referendum at all.  The prerogative is not about whether the Government has a popular mandate, or an instruction from the electorate to do something.  The prerogative is absolute, un-checked power in the hands of the 20 or so people who are members of the Cabinet to do as they please.  That, if you ask me, is the affront to democracy (but is really outside of the scope of this blog post).  So, because the prerogative is the absolute power of the Executive, the fact that there has been a referendum and the fact that the result of that referendum was an expression of a wish to leave the EU is an irrelevance for the court.

The Courts are there to decide questions of law.  The question as to whether the UK leaves the EU is a political one.  If the Supreme Court upholds the Divisional Court’s decision, the question of what Parliament will do is a political one also.  The Court cannot consider whether the UK should leave the EU, nor can it speculate as to how Parliament might act on the question.  It cannot, when deciding the case, pay any attention to how Parliament might act.  If you are fearful that Parliament might try to block Brexit then that is a matter to take up with your MP, not the Justices of the Supreme Court.

So, in short, the question before the Court is simply whether the Secretary of State has the power, deriving from the prerogative powers, to trigger Article 50.  If the answer to that is no, then it will be down to Parliament to give the Secretary of State that power.  How that plays out is a purely political matter.  The Supreme Court deciding that the Secretary of State does not have the power to trigger Article 50 says nothing to those who voted leave or remain; it does not nullify or void the result (or anything close to that).  Conflating the political and legal issues is disingenuous and extremely dangerous.

Access to Justice, Civil Law, Environmental Information, FOIA, FOISA, Freedom of Information, Information Rights, Legal System, Scots Law

Court Fees, Access to Justice and Freedom of Information

On Monday new tables of fees enter into force for the Sheriff Courts and Court of Session in Scotland.  The new table of fees is necessary because of the new Simple Procedure that is coming into force next week to replace the Small Claim procedure and to partially replace the Summary Cause procedure in the Sheriff Court.  It would appear that the Scottish Government has used this opportunity to increase some other fees as well.

The other increases are part of the Scottish Government’s aim to get “full cost recovery” in the civil courts; that is, that so far as is possible those who litigate in Scotland’s civil courts fully fund the cost of running those civil courts.  I have grave misgivings about such a policy for access to justice (and I am not alone in that view).  This blog has, in recent times, moved more towards the field of Information Law and to that extent, I am going to look at these latest court fee rises in the context of Freedom of Information appeals.

In Scotland, under the Freedom of Information (Scotland) Act 2002, if a person is dissatisfied with how a public authority has handled a FOI request they can make an application to the Scottish Information Commissioner (SIC).  The SIC has the power under the 2002 Act to make a decision as to whether the public authority has complied with the Act, and if not, she has the power to state what steps the public authority must take in order to comply with the act (including to order that the public authority release information to the requester).  If a requester or public authority is unhappy with the Commissioner’s decision there lies a right of appeal (on a point of law) to the Court of Session.

The Scottish appeals procedure differs vastly from the appeals procedure under the UK Freedom of Information Act, where a right of appeal (on both fact and law) exists to a specialist First-Tier Tribunal and then on to the Upper Tribunal and the Courts (on a point of law only).  There is currently no charge for lodging an appeal with the First-Tier Tribunal, nor for any step of process or a hearing.  That is not the case in Scotland.

Unless the party bringing the appeal is in receipt of Civil Legal Aid, there are court fees to be paid.  The appeals are also dealt with under Chapter 41 of the Rules of the Court of Session and go straight to the Inner House.  For those who are unfamiliar with the Scottish court structure, the Court of Session is split into two “houses”.  The Outer House hears cases at first instance and is usually presided over by a single Senator of the College of Justice; while the Inner House is the appellate court and hears appeals from the Outer House as well as other courts, tribunals and regulators (such as the Sheriff Appeal Court and the Scottish Information Commissioner).  Appeals from the Inner House are (with permission) to the UK Supreme Court; the Inner House is therefore Scotland’s supreme Civil Appellate court.  In the Inner House, at least three of Scotland’s most senior judges will sit to hear the appeal.

On 28 November, the Court Fees (Miscellaneous Amendment) (Scotland) Order 2016 shall enter into force.  Schedule 1 to that Order sets out a new table of fees in the Court of Session.  Paragraph 1 in Section B of the Table sets a new fee for lodging an “Appeal, application for leave or permission to appeal, summons, or other writ or step by which any cause or proceeding, other than a family action, is originated in either the Inner or Outer House (to include signeting in normal office hours)”.  The new fee is set at £300, up from £214.  So, in order to lodge your appeal against a decision of the SIC the Appellant (whether an individual or public authority) needs to stump up £300.  The Respondent (who is the SIC) will also have to pay £300 (again, up from £214) to lodge their Answers to the Appeal.

There may be other fees to pay along the way, depending on the procedure that ends up taking place; however, when it gets to the hearing of the appeal, the costs start to mount up significantly.  Each party (appellant and respondent) will be required to pay £500 (up from £239) per 30 minutes (or part thereof).  Therefore, a hearing that lasts a full court day (roughly 5-6 hours) will result in a court fee of between £5,000 and £6,000; and that is before solicitors’ fees and the fees of Counsel are added.  This is an astronomical figure.  It is not paid by anyone in receipt of legal aid (and legal aid is available for FOI matters in Scotland), but you do not have to be very well off not to qualify for legal aid.

This represents a significant barrier to accessing justice.  These are sums of money that most middle earners will struggle to get their hands on, even if they attempt the appeal as a party litigant (which given the complexity and sometimes archaic nature of the Court of Session Rules is no easy task).  When it comes to the question of FOI, it only strengthens my belief that appeals against decisions of the SIC should be to a lower court or tribunal in the first instance.

There is a much more fundamental point however; the civil courts should be accessible to everyone.  The level that court fees are rising to (and they are going to continue to rise over the next few years as the Government moves towards “full cost recovery”) presents a very real barrier to justice.  The Scottish Government accepted that fees represent a barrier to justice in respect of the Employment Tribunal fees set by the UK Government (and has pledged to abolish them when the power to do so comes to the Scottish Parliament in the near future).  However, the Government seems happy to continue with a policy of full cost recovery (that was, admittedly, started under the Labour/Liberal Democrat Administration that left office in May 2007).  It is a flawed policy that will place a very real barrier to the courts for very many people.  That is a tragedy for justice and for democracy.

Constitutional Law, Devolution, Public Law, UK Constitution

The Scottish Parliament and #indyref2

With Nicola Sturgeon announcing today at the Scottish National Party’s conference that the Scottish Government would be beginning a consultation on an Independence Referendum Bill next week, the inevitable discussion as to whether the Scottish Parliament has the power to legislate for a referendum on the question of Scottish Independence has arisen once again.  On one side there are (largely) independence supporting individuals who state categorically that the Scottish Parliament does have the power to legislate; meanwhile, on the other there are (largely) union supporting individuals who state categorically that the Scottish Parliament does not have the power to legislate.  In my view, both groups are wrong to be so sure in their view:  the situation is not altogether clear.

The Scottish Parliament is not equivalent to the UK Parliament.  It is not sovereign nor is it supreme.  The Scottish Parliament is a creature of statute; it was established by virtue of Section 1(1) of the Scotland Act 1998.  Its powers are set out within that Act, as amended by the two subsequent Scotland Acts of 2012 and 2016.  The supreme and sovereign UK Parliament has established a body with the power to make legislation applicable to Scotland.  The Scotland Act 1998 did not spell out specifically what the Scottish Parliament was able to legislate on, rather it stipulates what the Scottish Parliament cannot legislate on – these areas are set out in Schedule 5 to the Scotland Act 1998 and are known as “reserved matters”.  In respect of these matters the UK Parliament has the sole right to legislate.  On all other areas, the Scottish Parliament may legislate; however the UK Parliament retains the right to legislate on these devolved areas (but will not normally do so without the consent of the Scottish Parliament).

In assessing this question, it is important to look at the language adopted by the UK Parliament within the Scotland Act 1998.  Section 29 of the Scotland Act 1998 makes provision for the legislative competence of the Scottish Parliament.  It begins, in subsection (1), by providing that “an Act of the Scottish Parliament is not law so far as any provision of the Act is outside the legislative competence of the Parliament.”  This is quite clear: where the Scottish Parliament legislates beyond its competence the Act (or the parts thereof that are outside of the Scottish Parliament’s legislative competence) have no legal effect.  Subsection (2) then goes on to list the circumstances in which legislation enacted by the Scottish Parliament would be outside of its legislative competence, the second of which is where “it relates to a reserved matter.”

That all seems pretty clear: any legislation that relates to a reserved matter is outside of the legislative competence of the Scottish Parliament.  As mentioned earlier in this post, the reserved matters are set out in Schedule 5 to the Scotland Act 1998.  Right at the beginning of Schedule 5 to the Scotland Act 1998, under the heading “The Constitution”, there appear the words “the Union of the Kingdoms of Scotland and England”.  Again, this all seems fairly clear: the Scottish Parliament cannot make legislation that relates to the Union of the Kingdoms of Scotland and England.  The Scottish Parliament could not, for example, pass a “Great Repeal Act” of its own with the effect of dissolving the Union between Scotland and England.  So, surely that’s an end of the matter?  A Bill to hold a referendum on Scottish independence clearly relates to the reserved matter of the Union of Scotland and England?  Well, it’s not quite that simple.

Section 29 doesn’t just contain two subsections; it contains a total of 5.  The third subsection is one of importance here.  Subsection (3) provides that, subject to subsection (4), when determining whether an Act of the Scottish Parliament relates to a reserved matter, consideration should be given “to the purpose of the provision, having regard (among other things) to its effect in all the circumstances.”  It is this subsection that makes things a little more interesting.  Whether a referendum bill was beyond the scope of the Scottish Parliament’s legislative competence would depend, inter alia, upon (i) the purpose of the Bill and (ii) its “effect in all of the circumstances”.

At this juncture we need to consider referendums and their place within the UK’s constitutional framework.  This is an issue upon which the current Judicial Reviews before the High Court in London on the triggering of Article 50 of the Lisbon Treaty following the EU Referendum partly revolve.

The UK has long been recognised as a representative democracy.  The doctrine of Parliamentary supremacy means that Parliament is supreme – nothing and nobody can bind Parliament; one Parliament cannot even bind another.  What one Parliament legislates for today can be repealed by a future Parliament if that is what is within the will of the Parliament that acts to repeal a piece of legislation.  What some argue, therefore, is that referendums do not bind Parliament – indeed, they cannot bind Parliament.  This is where the argument that referendums are merely advisory comes from.  This argument essentially reduces referendums to glorified national opinion polls.  They have no effect beyond telling Parliament (and the Government) what the view of the electorate is on the specific question posed at the specific date on which the referendum was held.  You may argue that this is not very democratic, but that is beyond the scope of this post.

If the argument that Referendums were merely advisory and were for all intents and purposes glorified national opinion polls is correct, then it can be argued (with some force) that a Bill to enable a referendum on the question of Scottish independence is not beyond the scope of the Scottish Parliament’s legislative competence.  All that Bill would do is enable a national opinion poll to take place – it would not bind anybody to do anything.  It would certainly not bring about the end of the union between Scotland and England.  Applying section 29(3), it could be argued that the purpose of the Bill is not to bring about the end of the Union, but rather to find out – on a national scale – what the view of the people of Scotland is on the question of Scottish independence (and only on the date upon which the referendum is held).

However, politics comes into play and this could have an impact upon what effect the Referendum Bill has “in all the circumstances”.  Let us imagine, for a moment, that the Bill is passed and not challenged before the Courts.  The vote happens and there is a majority vote in favour of Scottish independence with a substantial turnout of the eligible electorate.  This would, in practical terms, be something that could not realistically (or politically) be ignored.  The United Kingdom is a union of four separate and distinct countries:  England, Northern Ireland, Scotland and Wales.  It would be hard for the United Kingdom, internationally, to ignore a vote by one of the constituent parts of the United Kingdom to leave that union.  A failure to give effect to it might well lead to international condemnation, pressure and sanction upon and against the United Kingdom.  In short, even if Referendums are merely advisory, the effect of a “yes” vote to independence, at a political level, would mean that Scotland would have to leave the Union and become independent.  The effect “in all the circumstances” here would be to bring about the end of the union between Scotland and England.  This argument, like the first, has some force to it.

The two arguments are quite finely balanced.  The courts could take the view that constitutionally, whatever the political ramifications, referendums are merely advisory and therefore a referendum result in favour of Scottish independence would be binding upon nobody.  Equally, the court could take a look at the words “in all the circumstances” and conclude that the political ramifications are relevant in determining what the effect of a Scottish Referendum Act would be.

As noted above, the EU Referendum Judicial Reviews could be important in determining the question of the Scottish Parliament’s legislative competence to hold a referendum.  If the High Court (and subsequently the Supreme Court) was to determine that the referendum decision on 23 June 2016 did not amount to a “decision” at all because it was effectively nothing more than an opinion poll, then that would lend significant weight to the view that the Scottish Parliament does have the competence to legislate for a second independence referendum.  However, if the High Court were to determine that the EU referendum did amount to more than a glorified opinion poll, then that would lend significant weight to the view that the Scottish Parliament does not have the competence to legislate for a second independence referendum.

This post has, I accept, vastly oversimplified issues that would inevitably take days to argue before the Courts; however, it is quite long enough.  There is absolutely no way that it would be possible to get into the fine details of the issue on a blog – indeed, there are probably several PhD theses in this seemingly simple question.  However, it does (I believe) result in the conclusion that, at this stage, it is impossible to be wholly certain one way or the other, as to whether the Scottish Parliament does (or does not) have the power to legislate for a second independence referendum.  However, one thing can be certain: a referendum bill passed by the Scottish Parliament without there being a further Section 30 Order will be challenged in the courts.

Data Protection, Direct Marketing, EU Law, Information Law, Information Rights, Politics, Privacy, Privacy and Electronic Communications Regulations

Don’t throw stones in glass houses

Today the Scottish National Party (SNP) launched a brand new website with the aim of gauging public support for a second referendum on Scottish independence.  Of course Scotland had a referendum on this issue a little under two years ago where those who voted did so 55% – 45% in favour of Scotland remaining part of the United Kingdom.  In May the Scottish people went to the polls to elect the Scottish Parliament; the Scottish Conservative Party fought that election on a strong pro-union message and had its best electoral success in Scotland in many decades.  They pushed Scottish Labour (to whom the criticisms in this blog equally apply) into third place to become the official opposition in the Scottish Parliament to the SNP Government (which, incidentally, lost its overall majority and is governing, once again, as a minority government).

This afternoon I had a look at the SNP’s new website and immediately spotted some problems with it.  The National Survey website unsurprisingly has a survey for people to complete.  It asks a number of questions such as how people voted in the 2014 independence referendum and in June’s EU referendum.  It also asks for the name and postcode of the person completing the survey as well as whether or not they have children or grandchildren who are under the age of 18 years, all fields which are mandatory.  The website does have a data protection and privacy policy, which is very brief.  The following screenshot was taken from the National Survey website this afternoon:

[Image: surveydp]

The policy is extremely short, but the key aspect of the policy for the present purposes is “The SNP may…contact you about issues you may find of interest using any details you have supplied.  You can opt out of some or all contact by writing to us.”  I shall return to why this is the key aspect in a moment, but for now it’s on with the story.

The Scottish Conservative Party has apparently taken legal advice on the SNP’s National Survey website and written to both the Electoral Commission and the Information Commissioner; the former being irrelevant for present purposes.  The Scottish Conservatives state that they considered that the SNP’s website breaches the Data Protection Act 1998 (it does, but more on that in a moment).  However, while they are considering the SNP’s National Survey website they might wish to consider their own website.

Unlike the SNP’s National Survey website, the Scottish Conservatives’ website has a lengthy data protection and privacy policy, but I have taken a screenshot of the relevant bit:

[Image: toriespp]

The relevant part for present purposes is the bit that reads “[b]y entering your contact details you agree to receive communications from us, from which you can opt-out using the “unsubscribe” link in each email we send or using the contact details at the top of this privacy notice.”

There are problems with both the Privacy Notices above, and they are in fact the same problem.  I will come onto the breaches of the Data Protection Act 1998 in a moment; however, I initially want to discuss the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Both the above privacy notices envisage sending information to those who have provided their E-mail address about campaigns that the respective political parties are engaging in.  These E-mails will essentially be promoting the aims of the respective political party, either generally or in respect of a specific area of policy.  These E-mails will be sent directly to an individual; that makes them direct marketing communications.  The law is very strict on when it is legal to send such communications.  The relevant regulation is Regulation 22, which covers direct marketing by electronic mail.  Regulation 22(2) requires (except in a very limited set of circumstances, not relevant here) that individuals must give consent to receive such marketing.

The Scottish Conservatives’ privacy policy certainly seems to suggest that they have consent, but in reality they do not.  This is because consent is actually defined in the 1995 Data Protection Directive and that definition is applicable to the PECR; their privacy policy doesn’t meet that definition.  The definition of consent in the 1995 Data Protection Directive is to be found in Article 2 and is “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”  Consent obtained in the way the SNP and Scottish Conservatives have approached it is not “freely given specific and informed”.  Individuals have not positively expressed a desire to receive general communications about the party or its campaigns; they’ve simply filled in a survey expressing their views on the matters asked about in the survey.  In the case of the specific example of the SNP’s National Survey website the privacy policy isn’t visible at the time the personal data is collected; it cannot therefore be said to be an informed expression of the data subject’s wishes.  The Conservatives (both at a UK and Scottish level) have been guilty of this too.

Essentially what this means is that any E-mail communication sent by either the Scottish Conservatives or the SNP that amounts to direct marketing (which is likely to be every e-mail) in reliance upon the consent obtained through their respective privacy policies is unlawful.

Now, to the Data Protection Act issues.  A data controller (which any political party will be) must only process personal data fairly and lawfully (first data protection principle).  For the processing to be lawful a schedule 2 condition must be satisfied (and in the case of sensitive personal data, a schedule 3 condition as well).  One of the conditions in Schedules 2 and 3 is essentially processing to which the data subject has consented; however, neither the SNP nor the Scottish Conservatives can wholly rely on consent because they simply do not have the data subject’s consent.  They wouldn’t be able to satisfy any of the other schedule 2 or 3 conditions to legitimise their sending of direct marketing e-mail communications; they would therefore also breach the first data protection principle when sending those E-mails.

Collecting personal data is also a processing activity.  In the case of the SNP’s National Survey they are not collecting the personal data fairly.  While they do have their privacy policy (which is quite frankly a sorry excuse for one) it is not prominent on the actual survey itself; people are not told at the time their personal data is collected exactly how the SNP will make use of it.  You can navigate to the privacy policy from the survey page, but the link to the policy is in extremely small text at the very foot of the page (so much so that I initially had difficulty in locating its existence at all).

Turning once again to the Scottish Conservatives, they are currently running a petition on their website against having a second referendum on Scottish independence.  They continue to rely on implied consent for general communications about the Scottish Conservative Party and are arguably collecting personal data unfairly as well.  While the link to their data collection and use policy is clearer, it comes after the “sign up” button and still requires individuals to navigate away from the page that they are on in order to see exactly how their personal data is going to be used by the Scottish Conservatives.

One other issue with the SNP’s National Survey website relates to the third data protection principle which states that “Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.”  All of the fields are mandatory and it is unclear what information such as the number of children or grandchildren you have under the age of 18, or indeed your name or E-mail, has to do with gauging support for a second independence referendum.  This is simply an exercise in gathering personal data and that should be made clear from the website and the survey (otherwise it will only add to the breaches of the first data protection principle).  Those fields should, as a very minimum, be made optional.

To conclude, while the Scottish Conservatives have raised legitimate and valid criticisms of the SNP’s National Survey website, they would do well to remember that people in glass houses ought not to throw stones.

 

Data Protection, Information Commissioner, Information Law, Information Rights

Procedures, Training and Data Protection

On Thursday last week the Information Commissioner’s Office published a Monetary Penalty Notice that it had served upon a GP Surgery in England for breaches of the Data Protection Act 1998.  The Notice cited the all too familiar seventh data protection principle.  This data protection principle broadly requires a data controller to have in place adequate technical and organisational measures to protect personal data.  It is the data protection principle which features in almost all of the Information Commissioner’s enforcement in relation to the Data Protection Act.

The Monetary Penalty Notice served on the GP Practice arose out of the practice’s handling of a Subject Access Request which it had received.  The request was received in respect of a child patient from one of the patient’s parents (the child’s father).  The child’s parents had separated sometime before and that separation had not been amicable.  The child’s mother had moved and did not want the father knowing where she was currently living.  The mother’s new address was contained within the child’s medical records.

The practice handled the Subject Access request and sent the father everything that was contained within the child’s medical records.  These records were subsequently lodged in court as part of ongoing court proceedings between the parents.  The records were then forwarded onto the mother who discovered that her personal data had been disclosed to the father in response to the subject access request concerning the child as well as personal data relating to another child not related to the father and other personal information that should not have been disclosed to the child’s father.

The Monetary Penalty Notice records that there had been no training given in respect of the handling of Subject Access Requests and that there were no procedures within the practice for the handling of these requests.  In this case the disclosure was not checked before it was sent out to ensure that there was nothing within the records that ought to be excluded.

The handling of Subject Access Requests is not straightforward.  It is not simply a matter of printing out all of the records held and posting them or downloading them and E-mailing them to the data subject.  The information has to be carefully gone through to identify any third party personal data so that decisions can be taken about whether or not that third party personal data can or should be disclosed.  Furthermore, there is a range of exemptions that can be applied to information that is held – some of which may well apply to medical records – which enable the data controller to refuse to provide that information in response to a Subject Access Request.  That is in addition to the other (often forgotten) rights contained in Section 7 of the Data Protection Act 1998.

Given the complexity of handling such requests it is important that there are proper procedures in place as to how such requests should be handled.  This should cover everything from the recording of the request having come in through to identifying the data subject’s personal data, considering it for disclosure, compiling the disclosure, checking and recording that the response has been sent (and everything else not mentioned in that list).

It’s not just a case of having in place a procedure; everyone who is involved in the process needs to have training appropriate to the functions that they are performing.  Those who are responsible for identifying what should be disclosed should have proper training to enable them to identify third party information as well as the information which could potentially be withheld.  That training must also be regular to ensure that persons involved in the process are kept up-to-date with the procedures and any changes in the relevant law – regular training is especially important for people who rarely handle Subject Access Requests.

Having in place good quality, detailed procedures together with a comprehensive training programme can substantially reduce the risk of experiencing a data breach.  If things do go wrong, having in place good quality, detailed procedures (compliance with which is being regularly monitored) and a comprehensive training programme can substantially mitigate any regulatory action taken by the Information Commissioner.

Constitutional Law, Devolution, EU Law, International Law, Legal System, Politics, Public Law, Scots Law

Can the Scottish Parliament block ‘Brexit’?

There has been some suggestion in the days since the EU Referendum, in which a sizable majority of Scottish voters voted to stay while a smaller majority of voters across the UK as a whole voted to leave, that the Scottish Parliament can in some way block the UK’s exit from the European Union.  That suggestion is, in my view, wrong; the Scottish Parliament cannot block the UK’s exit from the European Union.

Since Devolution there has been a convention operating whereby it has been understood that Westminster would not exercise its power as the sovereign and supreme legislative body for the United Kingdom to legislate in an area over which competence has been devolved to the Scottish Parliament, without first obtaining the consent of the Scottish Parliament.  This convention is known as the Sewel convention.

Following the 2014 referendum on whether Scotland should become an independent country, a Commission was established by the UK Government to look at the Scottish devolution settlement.  That Commission, the Smith Commission, recommended that the Sewel convention was given legislative force.  Section 2 of the Scotland Act 2016 amends Section 28 of the Scotland Act 1998, which confirms in subsection (7) that Westminster can still legislate on areas of devolved competence, to add a subsection (8) which gives effect to that recommendation.  Section 28(8) provides that “it is recognised that the Parliament of the United Kingdom will not normally legislate with regard to devolved matters without the consent of the Scottish Parliament.”

What this means is that Westminster will not normally legislate on a devolved area without first obtaining the consent of the Scottish Parliament.  However, it can still legislate on an area of devolved competence without the consent of the Scottish Parliament (for example, in a time of emergency and where it wouldn’t be practical to obtain the Scottish Parliament’s consent).

What relevance does this have to blocking the UK’s exit from the European Union?  It would appear to me to be of no relevance whatsoever.  Firstly, we are not in a situation where the UK Parliament is going to be legislating.  The UK’s withdrawal from the EU is an exercise by the Executive of the prerogative power to conduct foreign affairs.  The Executive might well seek a vote in the UK Parliament on exercising the prerogative power (in the same way that appears to be becoming convention with the prerogative power to declare war), but that is not a legislative act by the UK Parliament.  Secondly, the United Kingdom’s relationship with the European Union is a specifically reserved matter in Schedule 5 to the Scotland Act 1998.  We are not, therefore, dealing with a devolved matter; we are dealing with a reserved matter.  Section 28(8) of the Scotland Act 1998 only relates to devolved matters.

It might be the case that, when the UK Parliament comes to give legislative effect to whatever relationship the UK is to have with the EU in the future, the Scottish Parliament may be able to invoke Section 28(8) of the Scotland Act 1998.  If that legislation were to affect a devolved area the Scottish Parliament could very well refuse to consent to the legislation; however, that would not necessarily equate to it being blocked.  The UK Parliament might have to rely on the word “normally” in section 28(8) to legislate anyway so as to give effect to, what will be by then, the UK’s international law obligations.

The Scottish Parliament is still free to debate and vote on any issues that it chooses.  We could therefore see in the coming days or weeks a debate and vote in the Scottish Parliament on whether the Parliament agrees with the UK’s withdrawal from the European Union.  However, it cannot invoke what is now Section 28(8) of the Scotland Act 1998 in relation to this issue.  Moreover, even if it could invoke Section 28(8) of the Scotland Act 1998, that would not necessarily have the effect of blocking the action it refused to give consent to.

Random

Gas Distribution Companies and the EIRs

The Environmental Information Regulations 2004 provide for important rights of access to environmental information that is held by or on behalf of public authorities in the United Kingdom (except Scottish public authorities, to which the Environmental Information (Scotland) Regulations 2004 apply).  The Regulations were introduced to give effect to a European Directive on access to environmental information; the Directive and Regulations are ultimately based upon the Aarhus Convention on access to environmental information.

The Environmental Information Regulations 2004 have a much wider application than the Freedom of Information Act 2000 does by virtue of the much wider definition of public authority in the Convention (and as a consequence the Directive and Regulations).  The leading case on the question as to exactly who is a public authority is Fish Legal & Emily Shirley v the Information Commissioner and Others which is a decision of the Grand Chamber of the Court of Justice of the European Union.  This decision has been given domestic application by the Upper Tribunal in a number of appeals, including the Fish Legal case (the Upper Tribunal having been the source of the reference to the Court of Justice of the European Union).

In light of this decision I considered that the utilities companies were likely to be caught by the definition of a public authority. I therefore wrote to Northern Gas Networks Limited in December 2015 requesting information from them in respect of gas escapes.  Northern Gas Networks Limited is one of a number of gas distribution companies in the United Kingdom responsible for the gas distribution network in a given geographical area; in the case of Northern Gas Networks, they are responsible for the gas distribution network in the North of England.  The gas distribution companies are responsible for the distribution (but not the supply of) gas to domestic and commercial premises.  They are responsible for the physical network (i.e. the pipes, gas meters etc).

The Gas Act 1986 gives the gas distribution companies a range of powers that are not ordinarily available to private individuals or businesses.  For example, the gas distribution companies have the power (subject to authority from the Secretary of State) to compulsorily purchase land that is required by them to maintain the gas distribution network.  The Gas Act also gives the gas distribution companies the power to enter land or premises to inspect gas equipment and fittings on a safety basis and for the purposes of performing other duties.  They also have the power to lay pipes within streets, including the power to break up streets.

The “Special Powers” test derives from the Fish Legal cases; they are rights which are not normally available to private bodies or individuals – even where they are qualified (for example, by needing a warrant from the court or the authority of the Secretary of State). Clearly, the powers available to gas distribution companies under the Gas Act are just that:  they are powers not normally available to private individuals.

Northern Gas Networks did not respond to the request for information, nor to representations made pursuant to Regulation 11 of the Environmental Information Regulations 2004.  I wrote to the Information Commissioner to make an application for a decision pursuant to section 50 of the Freedom of Information Act 2000 (which applies to the Environmental Information Regulations by virtue of Regulation 18).

Northern Gas Networks maintained that it was not a public authority for the purposes of the Environmental Information Regulations 2004; however, the Commissioner considered the matter in light of Fish Legal and decided that Northern Gas Networks is a public authority for the purposes of the Environmental Information Regulations 2004. The Commissioner’s decision can be read here.

It follows from this decision that the other gas distribution companies in the United Kingdom are also public authorities for the purposes of the Environmental Information Regulations 2004. Those companies are:  SGN (Scotland & South East England); National Grid (Midlands and North West England) and Wales & West Utilities (Wales and South West England).

Electricity Distribution

The electricity distribution system is split-up in a similar fashion with electricity distribution companies responsible for the distribution (but not the supply of) electricity around the network in the United Kingdom. Those companies have similar powers to the gas distribution companies in respect of the distribution of electricity and it is therefore likely that they would also be public authorities for the purposes of the Environmental Information Regulations 2004.

The electricity distribution companies are: SSE Power Distribution (North of Scotland and Southern England); SP Energy Networks (Central Scotland, Southern Scotland, East Midlands, West Midlands, South Wales & South West England); Northern Powergrid (North East England and Yorkshire); Electricity North West (North West England); UK Power Networks (Eastern England, London, South East England) and Northern Ireland Electricity (Northern Ireland).

Scotland

Although, as set out at the beginning of this post, Scotland has separate access to environmental information regulations it is my view that the UK Regulations would apply to both the gas and electricity distribution companies in Scotland. This is because the distribution of gas and electricity is a matter reserved to Westminster and continues to be the responsibility of the Secretary of State for Energy and Climate Change and regulation is the responsibility of OFGEM.

Appeal

The Decision Notice was only issued last week and it therefore follows that Northern Gas Networks could yet appeal the Commissioner’s decision to the First-Tier Tribunal (Information Rights).

Data Protection, Direct Marketing, English Law, Information Law, Information Rights, Legal System, Politics, Privacy, Privacy and Electronic Communications Regulations, Scots Law, UK Constitution

Data Protection and the #EUref

Data Protection is not an area that people generally get especially excited about, but the rights contained in the Data Protection Act 1998 (“the DPA”) are important.  They enable individuals to find out (mostly) what information companies and organisations hold about them, where they got it from, what they do with it, who they give it to and what it says.  It also enables people to take a degree of control over what companies and organisations do with that information; including the ability to prevent a company from using their information for marketing purposes, forcing them to correct inaccurate information and forcing them to stop “processing” their information where the processing causes substantial damage or distress that is unwarranted.

The DPA implements an EU Directive into domestic law.  Data Protection law in the UK has its roots in European law.  However, it’s not just the DPA that has its roots in European law; the connected Privacy and Electronic Communications Regulations 2003 (the full name of which is actually the Privacy and Electronic Communications (EC Directive) Regulations 2003) also implement European law into domestic law.  These Regulations relate to the use of personal data and are the regulatory regime that governs the use of electronic communications (such as E-mail, phone and text) to market directly to individuals.  These are the regulations which help deal with those annoying and unsolicited PPI and accident claims telephone calls.

In 2018 the Directive that underpins the DPA is being replaced with a new EU Regulation on Data Protection and the Directive underpinning the 2003 Regulations is currently being reviewed in light of the new EU Data Protection Regulation (the European Commission is consulting on this issue until 5 July 2016).

The DPA replaced the Data Protection Act 1984.  The 1984 Act was introduced to give protection to individuals in relation to the automatic processing of their personal data and was based upon the Council of Europe’s (the same Council of Europe behind the European Convention on Human Rights and Fundamental Freedoms) 1981 Convention for the protection of individuals with regard to automatic processing of personal data.

Now that there has been a brief account in respect of the history of Data Protection law in the United Kingdom, it is possible to thrust into the main purpose of this article; that is to consider Data Protection in the context of the EU Referendum.

If the UK votes to remain in the European Union then in May 2018 the United Kingdom will have to comply with the General Data Protection Regulation (which, being a Regulation, will have direct effect regardless as to whether the UK Parliament enacts a new Data Protection Act or not) together with the associated Directives; including whatever eventually replaces the 2002 e-Privacy Directive.  The associated Directives, together with some of the fudges in the new Regulation, will likely mean that there will be a new Data Protection Act to replace the current Act (probably towards the end of 2017).

If the UK votes to leave the European Union what happens is a bit more uncertain.  A vote to leave the EU will not mean that there is a complete end to the UK’s relationship with the EU, and that will have an impact on Data Protection.

The first thing to note is that a vote to leave will not mean an instantaneous split.  There currently isn’t really a process for an EU Member State to leave the Union so some time will be spent working out how that happens and there will inevitably be a time spent negotiating a new relationship with the EU; whether that is inside of or outside of the EEA.  It seems quite likely that we will still be in the EU come May 2018, which might mean that the GDPR will automatically apply – but that is entirely dependent upon what happens in terms of negotiations between the vote to leave and May 2018.

If the United Kingdom simply becomes part of the EEA then the result, insofar as Data Protection is concerned, will be identical to a vote to remain; the GDPR applies to the EEA countries (presently being Iceland, Liechtenstein and Norway) as well as to EU Member States.

If the United Kingdom leaves the EU and doesn’t join the EEA there will be a bit more freedom in respect of Data Protection.  However, the requirement for Data Controllers within EU Member States not to transfer personal data to a country outside of the EU/EEA, unless there is an adequate level of protection for personal data, will mean that we will continue to have some form of Data Protection law.

It is possible that the UK could meet the adequate level of protection requirement with rights that are substantially lower than those afforded by the GDPR (when it enters into force) and so the UK’s Data Protection law will not necessarily be all that similar to the GDPR – especially if the government of the day is one that favours light-touch regulation and a lack of “red tape”.  That means that even if the UK is forced to comply with the GDPR initially, Data Protection law in the UK could change dramatically to something that affords much less protection than the GDPR.  What the law will look like though will not only depend upon the ideals of the government of the day, but what they think would be politically acceptable; over the last 30 or so years people have become much more wary about what governments, public agencies and businesses do with their personal data; so while the political will might be to substantially lower the level of protection afforded to individuals’ personal data, the public will might not let them go quite as far as they wish!

In short, the future of Data Protection law in the UK will be very much influenced by the result of the Referendum and the eventual relationship with the EU in the event of a vote to leave.

Data Protection, Information Law, Information Rights

Another day, another DPP7 breach and another Monetary Penalty

Section 2 of the Data Protection Act 1998 stipulates that information concerning a person’s health (mental or physical) is sensitive personal data.  This means that a person’s health information attracts a higher level of protection under the Data Protection Act 1998; the damage and distress that can result from the inappropriate disclosure or processing of a person’s health information can be significant.  People can experience bullying, harassment and/or discrimination as a consequence of mental or physical health conditions.  Some health conditions, mental or physical, can attract far more discrimination than others do.  HIV is, sadly, a health condition that still attracts a certain amount of discrimination and prejudice in the UK today.  With that in mind, an NHS Trust sending out its E-mail newsletter to users of its HIV sexual health services, with all of the recipients’ E-mail addresses visible to every other recipient, is likely to result in the said NHS Trust being in more than a bit of bother with the Information Commissioner’s Office.  That’s exactly what happened to one NHS Trust in London.

The Information Commissioner has served a Monetary Penalty Notice in the amount of £180,000 on Chelsea and Westminster Hospital NHS Foundation Trust after a member of staff E-mailed out a Newsletter to users of 56 Dean Street with all 781 recipients’ E-mail addresses being visible to all of the recipients.

56 Dean Street is a Soho-based sexual health clinic which provides sexual health services to patients, including patients who are HIV positive.  The clinic had developed a service whereby patients with HIV were able to receive results and to make appointments and enquiries online.  They, together with a small number of patients who were not HIV positive, received newsletters from the clinic.  Some of the E-mail addresses included the full name of the patient whose E-mail address it was.  In September 2015, a member of staff sending out one of the clinic’s newsletters sent the E-mail with all of the recipients’ E-mail addresses in the “to” field, rather than the “bcc” field.  This meant that each recipient was able to see the E-mail addresses of all other recipients.

This was not the first time that a member of the Trust’s staff had done this in respect of E-mail addresses of HIV Patients.  The Monetary Penalty Notice served on the Trust records a similar incident that occurred in March 2010.  In that incident, a Pharmacist sent out a questionnaire to 17 patients receiving treatment for HIV about their treatment.  The E-mail addresses of all recipients were included in the “to” field, rather than the “bcc” field, meaning that they were visible to all recipients.  The Monetary Penalty Notice records that remedial steps were put into place by the Trust following that breach, although it doesn’t state what they were; however, it does record that there was no training given to staff to remind them to check the group E-mail addresses were being placed in the correct field, nor had they replaced the E-mail account being used with one that would enable separate E-mails to be sent to each address on the mailing list.

The Monetary Penalty Notice records that subscribers were not told that their E-mail addresses would be used to send Newsletters to other patients by way of a bulk E-mail and also notes that one of the subscribers should have been removed from the list following their relocation to Essex.

The Commissioner found that the Trust had breached the seventh Data Protection Principle, which relates to having appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing of personal data as well as against the accidental loss or destruction of, or damage to, personal data.  The Commissioner considered that the Trust had failed to comply with the seventh data protection principle by not using an E-mail account that enabled separate E-mails to be sent to each recipient, and also by failing to provide adequate training to staff to ensure that E-mail addresses were being placed in the correct field.

The Commissioner was satisfied that the Trust was responsible for the breach.  The Commissioner was also satisfied that the Trust had not intended to breach the seventh data protection principle.  However, the Commissioner was satisfied that the breach that had occurred was reasonably foreseeable and that the Trust should have therefore taken steps to prevent the breach from occurring.

Once again a breach of the seventh Data Protection Principle has resulted in enforcement action being taken by the Information Commissioner.  The Information Commissioner’s enforcement action in respect of Data Protection breaches has almost exclusively centred on breaches of the seventh Data Protection Principle.  Each time enforcement action is taken it carries with it national publicity.  Therefore, Data Controllers ought to be well aware that failures to have in place adequate internal processes and security measures to protect personal data, especially where that Data Controller is also a public authority, are extremely likely to result in enforcement action being taken by the Information Commissioner – and that is aside from the reputational damage that inevitably comes with security breaches around personal data.

It is important that Data Controllers ensure that they have in place adequate policies and procedures as well as software and other technical measures (such as password protection and encryption) to protect against all reasonably foreseeable data breaches.  That requires organisations to review the personal data that they hold, together with the ways in which they process that personal data, to identify vulnerabilities in respect of the security of personal data that they hold.  The results of getting it wrong can be substantial, both financial and reputational.

The current maximum financial penalty available to the Information Commissioner is capped at £500,000; however, when the new Data Protection regulation enters into force in May 2018 (subject to the results of the EU referendum next month) the maximum financial penalty for such breaches will increase to 4% of net global turnover or €20 million and so the financial consequences of getting it wrong could be even greater in two years’ time than they currently are.

When a Data Controller processes personal data they are being trusted with that data by the Data Subject.  Some Data Controllers are entrusted with some of the most sensitive personal data about an individual, perhaps things that only a few other trusted people know; that level of trust can be huge.  It’s not the sort of information that should just be left lying around; it needs to be kept safely and securely and be processed in a way that is appropriate for its nature; especially when the information in question is (rightly) defined as sensitive personal data.