Data Protection: Case Note on Scottish National Party v The Information Commissioner
My case note on the Information Tribunal's decision of 15 May 2006 in Scottish National Party v The Information Commissioner is the first update to my IP/IT-Update website since 3 May 2006 and indeed my first entirely new contribution to that site for yonks. The case is interesting and important for several reasons which I set out in the note. It may well have an impact far beyond our shores and indeed far beyond its subject matter.
Readers who are not au fait with English (or Scottish or Northern Irish) data protection law may be interested to know that we have had data protection legislation in this country since 1984. We were by no means the first country to have such legislation. Sweden has had a Data Protection Act since 1973 and Austria since 1978. One of the reasons why Parliament enacted data protection legislation here was an early decision of the Swedish Data Inspection Board which prevented the Swedish subsidiary of a German multinational from transmitting data on its Swedish employees to its personnel department in Germany because Germany did not at that time regulate the use and storage of personal data. Later, Germany did enact such legislation and the German Data Protection Commissioner blocked a similar transfer of data from Germany to the UK. Data protection in those days was seen very much as a trade issue and the subject was often referred to as trans-border data flow.
Our first Data Protection Act of 1984 established a Data Protection Registrar in Wilmslow (a fairly posh suburb of Manchester though locals insist that it is actually live in Cheshire because it sounds more "county") not far from where I was born and a Data Protection Tribunal to hear appeals against the Registrar's decision. That Act required everyone who processed personal data in the United Kingdom to register with the Data Protection Registrar and anyone who failed to do so was barred from holding or processing such data. The Act contained massive loopholes through which folk could and did drive pantechnicons never mind coaches and horses. For a start, word processing was excluded from the definition of processing so you could avoid the impact of the Act altogether by keeping all records in word processing files. Much of what the state did was also excluded. Save for CPD course organizers, not a lot of people took any notice of the Act. I held myself out at that time as a bit of an expert on the subject as I had contributed the first chapters on data protection to both the Encyclopedia of Forms and Precedents and Atkin's Court Forms. The reason I did that was to get away from evicting old ladies from their council flats, scrapping over wills or settling terms and conditions for scaffolding hire companies, which is all there was for juniors of the Chancery bar at that time.
Data protection began to be taken more seriously after the Data Protection Act 1998 was enacted. This closed most of the loopholes as I explained at the time in my guide "The New Data Protection Act". The Registrar's title changed from "Registrar" to "Commissioner" and the Act gave her - it was Elizabeth France at the time - extensive powers to promote good information handling policy. In the exercise of those powers Mrs France provided guidance on statutory restrictions on "direct marketing" in 1999 which concluded that they
"applied not just to the offer for sale of goods or services, but also the promotion of an organization's aims and ideals. This would include a charity or a political party making an appeal for funds or support and, for example, an organization whose campaign is designed to encourage individuals to write to their MP on a particular matter or to attend a public meeting or rally."
The Data Protection Commissioner became really grand and indeed really busy after the Freedom of Information Act 2000 was passed which not only changed Mrs F's title to "Information Commissioner" (much more Cheshire than "Data Protection") but also gave her power to enquire into the carryings on of central and local government and other public entities. Also, as a result of those additional responsibilities, the tribunal (now renamed "the Information Tribunal") also got busy. A quick shufty at its list of decisions shows that it has heard more freedom of information cases in the last year or so than data protection over the previous 20.
The SNP case was about whether reg 19 of The Privacy and Electronic Communications (EC Directive) Regulations 2003 applies to automated telephone canvassing by political parties. I have to say that I am glad that it does because I am already fed to the back teeth with being bombarded with a cheery, female American voice inviting me to waste my hard earned on a trip to say Florida and reminding me of my right to take kids out of school for such an indulgence during term and can think of nothing worse than being distracted from my lawful business than say the disembodied voice of Ms Hazel Blears - as you can see from that lady's voting record on ID cards, Iraq, student loans and anti "terrorism", there is hardly anybody in the House of Commons from whom I would less like to hear.
Finally, I have to say that it is good to be back on this blog. I have had my hands full over the last few weeks fighting Microsoft in a case which is now reported on BAILII and which someone who was not involved as counsel will discuss in another post. I still have a backlog of other work to do but I also have a massive backlog of contributions from folk around the world to post. Keep watching this space chums.
Readers who are not au fait with English (or Scottish or Northern Irish) data protection law may be interested to know that we have had data protection legislation in this country since 1984. We were by no means the first country to have such legislation. Sweden has had a Data Protection Act since 1973 and Austria since 1978. One of the reasons why Parliament enacted data protection legislation here was an early decision of the Swedish Data Inspection Board which prevented the Swedish subsidiary of a German multinational from transmitting data on its Swedish employees to its personnel department in Germany because Germany did not at that time regulate the use and storage of personal data. Later, Germany did enact such legislation and the German Data Protection Commissioner blocked a similar transfer of data from Germany to the UK. Data protection in those days was seen very much as a trade issue and the subject was often referred to as trans-border data flow.
Our first Data Protection Act of 1984 established a Data Protection Registrar in Wilmslow (a fairly posh suburb of Manchester though locals insist that it is actually live in Cheshire because it sounds more "county") not far from where I was born and a Data Protection Tribunal to hear appeals against the Registrar's decision. That Act required everyone who processed personal data in the United Kingdom to register with the Data Protection Registrar and anyone who failed to do so was barred from holding or processing such data. The Act contained massive loopholes through which folk could and did drive pantechnicons never mind coaches and horses. For a start, word processing was excluded from the definition of processing so you could avoid the impact of the Act altogether by keeping all records in word processing files. Much of what the state did was also excluded. Save for CPD course organizers, not a lot of people took any notice of the Act. I held myself out at that time as a bit of an expert on the subject as I had contributed the first chapters on data protection to both the Encyclopedia of Forms and Precedents and Atkin's Court Forms. The reason I did that was to get away from evicting old ladies from their council flats, scrapping over wills or settling terms and conditions for scaffolding hire companies, which is all there was for juniors of the Chancery bar at that time.
Data protection began to be taken more seriously after the Data Protection Act 1998 was enacted. This closed most of the loopholes as I explained at the time in my guide "The New Data Protection Act". The Registrar's title changed from "Registrar" to "Commissioner" and the Act gave her - it was Elizabeth France at the time - extensive powers to promote good information handling policy. In the exercise of those powers Mrs France provided guidance on statutory restrictions on "direct marketing" in 1999 which concluded that they
"applied not just to the offer for sale of goods or services, but also the promotion of an organization's aims and ideals. This would include a charity or a political party making an appeal for funds or support and, for example, an organization whose campaign is designed to encourage individuals to write to their MP on a particular matter or to attend a public meeting or rally."
The Data Protection Commissioner became really grand and indeed really busy after the Freedom of Information Act 2000 was passed which not only changed Mrs F's title to "Information Commissioner" (much more Cheshire than "Data Protection") but also gave her power to enquire into the carryings on of central and local government and other public entities. Also, as a result of those additional responsibilities, the tribunal (now renamed "the Information Tribunal") also got busy. A quick shufty at its list of decisions shows that it has heard more freedom of information cases in the last year or so than data protection over the previous 20.
The SNP case was about whether reg 19 of The Privacy and Electronic Communications (EC Directive) Regulations 2003 applies to automated telephone canvassing by political parties. I have to say that I am glad that it does because I am already fed to the back teeth with being bombarded with a cheery, female American voice inviting me to waste my hard earned on a trip to say Florida and reminding me of my right to take kids out of school for such an indulgence during term and can think of nothing worse than being distracted from my lawful business than say the disembodied voice of Ms Hazel Blears - as you can see from that lady's voting record on ID cards, Iraq, student loans and anti "terrorism", there is hardly anybody in the House of Commons from whom I would less like to hear.
Finally, I have to say that it is good to be back on this blog. I have had my hands full over the last few weeks fighting Microsoft in a case which is now reported on BAILII and which someone who was not involved as counsel will discuss in another post. I still have a backlog of other work to do but I also have a massive backlog of contributions from folk around the world to post. Keep watching this space chums.
Comments