Monday, February 26, 2018

Proposed immigration exemption in UK Data Protection Bill

Having co-signed an Open Rights Group coordinated letter to EU Commissioners Frans Timmermans, Věra Jourová, and Tiina Astola about the proposed immigration exemption in UK Data Protection Bill, I have now written to my local MP, Layla Moran, on the matter. Copies of both communications below.

Dear Layla,

The UK government are proposing to incorporate an unconscionable clause in the Data Protection Bill, currently going through parliament, relating to immigrants. The immigration exemption provision removes individuals’ right to data protection if it is likely to prejudice “effective immigration control”. This will remove the right of individuals to receive information from a subject access request: a core mechanism in any immigration dispute.

According to the Chief Inspector of Borders and Immigration 10% of immigration dispute cases involved administrative errors, errors that can throw people’s lives into disarray. The Guardian is one of the few mainstream media outlets making any effort to report on the devastating impact of the government’s destructive approach to immigration and has covered stories of numerous people who have been in the UK for, in some cases, decades being deported or threatened with deportation. Some of these have been able to challenge the bureaucratic brutality of Home Office mistakes affecting them. If the proposed immigration exemption clause passes into law in the new data protection legislation it will callously derail the capacity of future victims of Home Office errors to defend themselves.

Along with a number of other concerned academics I have co-signed a letter, co-ordinated by the Open Rights Group, to EU commissioners, Frans Timmermans, Věra Jourová, and Tiina Astola asking that they intercede with the UK government on this matter. Copies have also been sent to Guy Verhofstadt, chief Brexit representative of the European Parliament, and the European Data Protection Supervisor,  Giovanni Buttarelli. I include a full copy of the letter below. It is also available at

The immigration exemption does not belong in the Data Protection Bill. Please use your voice in Parliament to encourage your fellow MPs to ensure it is removed from the Bill.


Ray Corrigan

Concern over United Kingdom’s proposed ‘immigration exemptions’ from Data Protection Bill
Dear Frans Timmermans, Věra Jourová, and Tiina Astola
We, the undersigned, write to express our concern regarding the UK Government’s incorporation of the General Data Protection Regulation into domestic law. Setting aside other areas of concern, the UK’s Data Protection Bill proposes an exemption that would remove individuals’ fundamental right to data protection if it is likely to prejudice “effective immigration control”.
This proposed exemption (‘the immigration exemptions’) will remove the right of individuals to receive information from a subject access request: a core mechanism in any immigration dispute. Further restrictions would remove the government’s responsibility to process an individual’s data in accordance with the principles of data protection including lawful, fair and transparent processing. The exemption would allow data to be shared across UK government institutions without accountability or opportunity for recourse.
The immigration exemptions would potentially leave EU citizens applying for residency post- Brexit without access to their personal data at the most crucial time. As a result, decisions taken about a person’s right to remain which may be based on incorrect information would not be rectified, because individuals would be unable to see that the personal data held is incorrect.
EU citizens could be mistakenly forced to leave the United Kingdom as a result of the immigration exemptions.
Further, the proposed immigration exemptions would appear to violate both the General Data Protection Regulation and the Charter of Fundamental Rights:
- The General Data Protection Regulation Article 23(1) stipulates that any restrictions underthe clause must “respect the essence of the fundamental rights and freedoms and [must be] a necessary and proportionate measure in a democratic society...”.
- Under Article 8 of the Charter of Fundamental Rights every individual in the European Union is entitled to the protection of personal data concerning him or her. This includes the right of access to data which has been collected concerning him or her, and the right to have it rectified.
The blanket immigration exemptions go beyond the necessity and proportionality of restrictions under Article 23 of the GDPR and directly interfere with an individual’s right of access to data, and for their data to be processed fairly under Article 8 of the Charter of Fundamental Rights.
We are concerned about the potential impact the immigration exemptions will have on the United Kingdom’s adequacy when it leaves the European Union. The judgment by the Court of Justice of the European Union in Maximillian Schrems v. Data Protection Commissioner C- 362/14, lays out at para 74 in no uncertain terms, that the practical requirement for adequacy requires:
“ essentially equivalent to that guaranteed within the European Union.”
And at para. 95:
“Legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter.”
Each of you represent an institution which holds a mandate to protect the interests of EU citizens and uphold the Charter of Fundamental Rights. That mandate includes the respect of these rights by member states.
We believe these proposed exemptions are particularly significant to all EU citizens currently resident in the United Kingdom in maintaining the protection of rights guaranteed to them in the Charter of Fundamental Rights.
We call on you:
- to communicate to the United Kingdom that the immigration exemptions must be removed to secure the compatibility with the essence of the fundamental right to data protection, and the Charter of Fundamental Rights; and
- to examine the exemptions impact on EU citizens’ ability to enforce their residency rights after Brexit under the agreements currently being brokered.
Yours sincerely,
Douwe Korff, Emeritus Professor of International Law, London Metropolitan University and Associate, Oxford Martin School of the University of Oxford
Judith Rauhofer, Lecturer in IT Law, University of Edinburgh
Dr Andrew A. Adams, Deputy Director, Centre for Business Information Ethics, Meiji University, Tokyo, Japan
Anna Fielder, Trustee and Chair Emeritus, Privacy International
Mike O’Neill, Director, Baycloud Systems, The Oxford Centre for Innovation
Marie Georges, Independent expert and member of the FREE Group
Prof Andy Phippen, University of Plymouth
Dr Reuben Binns, Department of Computer Science, University of Oxford
Dr Robin Callender Smith, Professor of Media Law, QMUL Information Rights Judge and former Immigration Judge
Dr Paul Bernal, Senior Lecturer in IT, IP and Media Law, University of East Anglia Law School Milena Popova, Digital Cultures Research Centre, UWE Bristol
Dr. Maureen O. Mapp, Lecturer and Module leader for Cyberlaw, University of Birmingham Law School
Dr Duncan Campbell, Visiting Senior Fellow (Law and Sociology), University of Sussex
Dr. Nicholas J. Gervassis, Lecturer in Law, University of Plymouth
Damian Tambini, Associate Professor, London School of Economics
Dr Sally Broughton Micova, Lecturer in Communications Policy and Politics, University of East Anglia
Vian Bakir, Professor in Political Community and Journalism, Bangor University
Ray Corrigan, Senior Lecturer, Science Technology Engineering & Mathematics Faculty, The Open University
Lilian Edwards, Professor of E-Governance, Law School, Strathclyde University Marian Petre, Professor of Computing, The Open University
Blaine Price, Professor of Computing, The Open University
Andrew McStay, Professor of Digital Life, Bangor University
Marian Petre, Professor of Computing, The Open University
Milena Popova, Digital Cultures Research Centre, UWE Bristol
Note: This letter was sent in copy to Guy Verhofstadt, chief Brexit representative of the European Parliament, and the European Data Protection Supervisor 

Update: In the quickest response I have ever had from an MP, Layla Moran says:

Dear Ray Corrigan,

Thank you for taking the time to email me. In short, I absolutely share your concerns and I am planning on speaking out against them when the Data Protection Bill comes before MPs in a fortnight’s time. I know my Lib Dem colleagues are also in favour of removing this clause.

With best wishes, Layla

Layla Moran MP
Liberal Democrat Member of Parliament for Oxford West and Abingdon

Wednesday, November 29, 2017

Normality and one of the big questions of our age

The Open University's Professor Blaine Price gave his inaugural lecture, Am I Normal, at the OU's Berrill Theatre last night, Tuesday, 28 November.

Recommended watching and listening, it spanned the gamut from the core value of academic collegiality - Blaine repeatedly credited a whole series of named colleagues with the foundations of his successes - to mobile technologies, lifelogging, privacy, health care and what constitutes normality in the data that modern technology generates about us. His answer on the normality spectrum was our normal is unique to us.

Given the rampant, sloganeering, destructive, selfish managerialism wreaking havoc in the academy these days, I was cheered by his attention to the power of collaboration, goodwill, mutual support, respect, recognition and the vocation of working in the public interest.

Amongst the most interesting projects Blaine spoke about were the pioneering pilot studies of joint replacement patients and the monitoring and management of diabetics, through the use of wearable and mobile technologies.

The joint replacement case is a 35 patient study of pre and post operative care and monitoring of pain levels, in association with orthopaedic surgeon, Oliver Pearce, at Milton Keynes hospital.

It's just a pilot study at the moment but the question arises as to how and when to expand such a study to 3,500 or 35,000 or more patients, whilst maintaining respect for and protection of patient confidentiality.

It's a non trivial issue.

There have been a whole series of scandalous examples of mismanagement of patient data in the NHS in the current millennium. Hospital Episode Statistics (HES) processes over 125 million admitted patient, outpatient and accident and emergency records each year. The whole shebang - all patient records since about 1999 - was handed over to a large consultancy firm, PA Consulting, who loaded the data on Google servers outside the UK. The data came on 27 DVDs, took weeks to upload but was easier to play with on Google.  The Blair government's multi billion pound IT disaster, the National Programme for IT in the NHS (NPfIT), is littered with data management blunders.  Cambridge Professor, Ross Anderson, has described the Hospital Episode Statistics data warehouse (which in addition to PA Consulting has been sold to over 1000 economic agents) and the horrendous programme as residing in the 7th circle of hell, as far as lack of respect for medical confidentiality and privacy is concerned. More recently still, the Information Commissioner reprimanded those behind the Royal Free Hospital Trust - Google DeepMind trial which failed to comply with data protection law.

Which all leads us to one of the fundamental questions of our age: should we and if so how do we facilitate the ethical, controlled, secure collection, processing, analysis, sharing, storage, dissemination and use of big data  (such as healthcare data) and the lessons it may have to teach us, in the public interest whilst maintaining/preserving/protecting/enhancing one of the key foundation stones of our humanity and a balanced healthy society, personal and collective privacy?

I'm not sure there are any answers to this, certainly none of the easy variety, though, I again recommend the Nuffield Council on Bioethics report, The collection, linking and use of data in biomedical research and health care:ethical issues. Ross Anderson, who was one of the authors, sums it up neatly:
As the information we gave to our doctors in private to help them treat us is now collected and treated as an industrial raw material, there has been scandal after scandal. From failures of anonymisation through unethical sales to the catastrophe, things just seem to get worse. Where is it all going, and what must a medical data user do to behave ethically? We put forward four principles. First, respect persons; do not treat their confidential data like were coal or bauxite. Second, respect established human-rights and data-protection law, rather than trying to find ways round it. Third, consult people who’ll be affected or who have morally relevant interests. And fourth, tell them what you’ve done – including errors and security breaches.
It's one really helpful collection of principles to bare in mind when thinking about this stuff. But it is just a start and given the rapacious MEGACORP - pick your favorite from Big Tech to Big Pharma to Big Finance & Insurance etc - re-energised corporate feeding frenzy already in play but likely to descend with renewed vigor on the NHS post Brexit, we really should have, long since, been getting our principled legal, ethical, architectural, social, environmental and economic defenses in place.

In the public interest.

Wednesday, October 11, 2017

Open Letter: Withdraw The National Health Service (Charges to Overseas Visitors) (Amendment) Regulations 2017

While I'm on the subject of unnecessary, damaging and costly processes in public services, may I draw your attention to -

This open letter to Secretary of State for Health, Jeremy Hunt, which should be widely circulated. So I hope the more than 1,000 signatories do not mind me publishing it in full here.

It was coordinated by

Doctors of the World@DOTW_UK

Asylum Matters, @AsylumMatters

Freedom from Torture, @FreefromTorture 

National AIDS Trust, @NAT_AIDS_Trust

The Immigration Law Practitioners Association, @ILPAimmigration

Amongst others.


Sir David Nicholson, who was the chief executive of NHS England from 2011 to 2014, is among 1,000 signatories.

Monday, October 09, 2017

Forming opinion

Another circular today about a new process which involves the completion of a complex form to get basic things done. It reminded me something I wrote about 18 months ago but didn't publish here at the time.

The generic process I refer to is the type that when asking part of your organisation to do one of the jobs they exist to do, draws the response -
"We have a new process for dealing with communications with our department. In order to deal with your request we require you to complete the new process change form, so that xxx can pick up this change and so it’s clear what changes are needed."
You mean like the details I've just sent which you have copied to xxx in the email you responded with asking me to fill in your form... a form which, when you click on the supplied link, is not designed for the circumstances.

The thing about these processes is that they are completely inviolable and immune from critical scrutiny. Budgets must be managed. Accountability and transparency are sacrosanct. The new process is essential and nobody ever considers doing a cost benefit analysis of it.

We have hundreds of thousands, probably millions of these processes in education, the NHS, social services, the criminal justice system and all other public services.

The question that is never asked is how much specifically do the processes we choose to use to "manage" budgets cost? How much will it cost the organisation, in staff time and other resources, for a member of staff to fill out and submit another complex form, requesting some administrative silo engages in its routine activities? How much will it cost to have it processed, considered by the department, a decision made and returned to the form filler? Plus costs of subsequent clarifications or queries or rejections of requests etc.

When you split organisations up into departmental silos, demanding they all meet ludicrous simplistic targets with much reduced operational budgets, it leads to internecine warfare between organisational units. The first thing to be sacrificed is the 95% of activities that the department used to do that constituted services to the rest of the organisation.

Need to save 15% costs - cut 15% that involves doing something for someone else that does not count in our target metrics.

And anyone requiring any useful activity out of any of these silos, remotely resembling the services they previously provided, is obliged to fall in line with keeping their internal administration tidy and filling out their forms. There's nothing more modern and efficient that getting your 'customers' to do your administration, preferably via the internet. The real costs are offloaded by the silo, magically and invisibly distributed as economic externalities and the organisation sinks a bit more under the strain.

What are the opportunity costs of this?

Nobody asks.

Nobody considers that when you dissect a living organism into its constituent atoms, in a futile attempt to control the atoms, you kill the organism (and the organisation).

The public sector has made an art form out of choking on the gigantic invisible costs of our internal accountability bureaucracy.

 Yet quis custodiet ipsos custodes?


I'm considering designing a Permission to Request Ray Fill Your Form Out Form when dealing with all public services including the day job.

It will require lots of spurious hard to find data, on multiple incompatible systems, including data I hold exclusive access to. It will not be submittable unless all fields are completed in the appropriate number of acceptable characters, within a closed and secretly specified set. Every time an attempt is made to submit an invalidly completed form, all fields will be cleared and the bureaucrat wanting me to fill out a form will be informed, in classic patronising & disapproving management-speak that they have to start from scratch.

It will require the approval of at least 5 layers of senior management in their organisation, and at least two external referees prepared to certify the worthiness of the bureaucrat to ask me to complete a form. It will round off with a minimum of 10,000 words of small print relating to the principles of section 11 (p28-33) of General Interference with Organizations and Production of the Simple Sabotage Field Manual

Additionally, it will require the head of the applicant bureaucrat's department and the organisation's executive board to submit themselves to border control, criminal records and qualifications checks and processes, and have their names entered permanently on a 'requester that Ray fill out a form' offenders register.

Finally, it will commit the requisite bureaucrat and departmental and organisation chiefs to an irrevocable agreement that they resign their commission and never darken the organisation's door again. Also in the small print is the assurance that the request that I fill out their form will be rejected in all circumstances.

I'll soon be wandering the streets of Oxford, Quasimodo-like, chanting "The Forms! The Forms! Economic Externalities! Economic Externalities"

That Form Rings a Bell.

Thursday, July 20, 2017

CJEU AG opinion in Peter Nowak v Data Protection Commissioner

Students are going to like this one. Lily livered, liberal, commie, Brexit hating, elitist, expert, EU & CJEU & human rights loving, ivory towered, [insult of choice] academics, a constituency the scars of which yours truly can display two decades plus residency of, possibly not quite so much. Educational bureaucrats may well spurt their morning tea into their cornflakes on noticing tomorrow morning's headlines relating the news.

The Advocate General of the European Court of Justice has decided, in Case C‑434/16, Novak v Irish Data Protection Commissioner, that exam scripts are classifiable as personal data under the data protection directive 95/46/EC.

Mr Novak failed the Strategic Finance and Management Accounting examination of the Chartered Accountants of Ireland (CAI) on four occasions. In the end he decided to submit a subject access request for all personal data held by the CAI, with the intention of getting hold of his exam scripts. CAI refused to hand over the scripts, so he complained to the data protection commissioner. The commissioner declared the scripts to be outside the scope of what constituted personal data.

And so it was onward to the courts and eventually the Irish Supreme Court referred the matter to the Court of Justice, requesting a response to the following questions:
‘(1)      Is information recorded in/as answers given by a candidate during a professional examination capable of being personal data within the meaning of Data Protection Directive?
(2)      If the answer to Question 1 is that all or some of such information may be personal data within the meaning of the Directive, what factors are relevant in determining whether in any given case such script is personal data, and what weight should be given to such factors?’
In accordance with Article 2(a) of the data protection directive, ‘personal data’ means any information relating to an identified or identifiable individual. So it has a very wide scope.

In paragraphs 19 to 28 of her opinion, AG Kokott today clearly disagrees with the decision of the Irish Data Protection Commissioner not to support Mr Novak's perspective. The logic underpinning that opinion is clear from paragraph 24:
"24.      However, in every case, the aim of an examination — as opposed, for example, to a representative survey — is not to obtain information that is independent of an individual. Rather, it is intended to identify and record the performance of a particular individual, i.e. the examination candidate. Every examination aims to determine the strictly personal and individual performance of an examination candidate[emphasis added] There is a good reason why the unjustified use in examinations of work that is not one’s own is severely punished as attempted deception. 
25.      Consequently, an examination script incorporates information about the examination candidate and is in that sense a collection of personal data. [emphasis added]
26.      That this is the correct conclusion is also shown, moreover, in the fact that an examination candidate has a legitimate interest, based on the protection of his private life, in being able to object to the processing outside the examination procedure of the examination script ascribed to him. An examination candidate does not have to accept that his script can be disclosed to third parties or published without his permission.
27.      Contrary to the argument of the Irish Data Protection Commissioner, the personal data incorporated in an examination script is not confined to the examination result, the mark achieved or even points scored for certain parts of an examination. That marking merely summarises the examination performance, which is recorded in detail in the examination script itself.

28.      The classification of an examination script as incorporating personal data is not affected if, instead of bearing the examination candidate’s name, the script has an identification number or bar code. Under Article 2(a) of the Data Protection Directive, it is sufficient for the existence of personal information that the data subject may at least be indirectly identified. (6) Thus, at least where the examination candidate asks for the script from the organisation that held the examination, that organisation can identify him by means of the identification number."
AG Kokott is very clear that exam scripts are personal data. She also notes the importance of handwriting:
"29.      Mr Nowak, Poland and the Czech Republic also rightly argue that answers that are handwritten contain additional information about the examination candidate, namely about his handwriting. A script that is handwritten is thus, in practice, a handwriting sample that could at least potentially be used at a later date as evidence to determine whether another text was also written in the examination candidate’s writing. It may thus provide indications of the identity of the author of the script.
30.      The question whether such a handwriting sample is a suitable means of identifying the writer beyond doubt is of no importance for its classification as personal data. Many other items of personal data are equally incapable, in isolation, of allowing the identification of individuals beyond doubt. For that reason, neither is it necessary to determine whether the handwriting should be regarded as biometrical information."  
I'm a skeptic on handwriting analysis, so interested to see she refers to the potential practice of the use of handwriting analysis being the determinative factor here, rather than whether it has any legitimacy as a forensic tool.

Next up she tackles Ireland's concern that section 12(b), relating to the right to rectification of inaccurate data, will be used by unscrupulous students to demand incorrect answers to exams be declared correct. She beings by pointing out in paragraphs 32 to 34 that:
"32.      First, it must be remembered that the issue of right of access is only secondary in this case, where the main issue is in fact the interpretation of the concept of ‘personal data’... 
34.      Therefore, the classification of information as personal data cannot be dependent on whether there are specific provisions about access to this information which might apply in addition to the right of access or instead of it[emphasis added] Further, neither can problems connected with the right of rectification be decisive in determining whether there exists personal data. If those factors were regarded as determinative, certain personal data could be excluded from the entire protective system of the Data Protection Directive,[emphasis added] even though the rules applicable in their place do not ensure equivalent protection but fragmentary protection at best."
So, even if there were to be hypothetical problems with what someone might do with the personal data once they gain access to it, that cannot be used as an excuse to exclude access.

On the right to rectification of inaccurate data in this context again she is clear:
"35.      However, if one concentrates on the right of access and the issue of rectification, it must be recognised that in relation to an examination script this right clearly cannot be claimed in order, subsequent to obtaining that access, to demand rectification, pursuant to Article 12(b) of the Data Protection Directive, of the contents of the script, i.e. the solution written down by the examination candidate. [emphasis added] (9) As Poland has rightly emphasised, the accuracy and completeness of personal data pursuant to Article 6(1)(d) must be judged by reference to the purpose for which the data was collected and processed. The purpose of an examination script is to determine the knowledge and skills of the examination candidate at the time of the examination, which is revealed precisely by his examination performance and particularly by the errors in the examination. The existence of errors in the solution does not therefore mean that the personal data incorporated in the script is inaccurate.
36.      However, rectification would be conceivable if it were the case that the script inaccurately or incompletely recorded the examination performance of the data subject. For example, such a situation would arise if — as observed by Greece — the script of another examination candidate had been ascribed to the data subject, [emphasis added] which could be shown by means of, inter alia, the handwriting, or if parts of the script had been lost."
Next up comes the section of the decision - paragraphs 42 to 50 - that exams administrators, especially, are going gnash multitudes of molars on. The Irish Data Protection Commissioner, with the support of the Czech Republic, attempted to have Mr Novak's claim classed as abusive because he didn't follow the requisite procedures laid down for checking exam results. Instead he tried to bypass those procedures and get the information he wanted via data protection legislation.

Now anyone who has spent even a short time working in the education sector will tell you that it is a mortal sin, in the land of educational administrators, to attempt to circumvent their inviolable procedures. Forms must be filled in, boxes must be ticked and procedures must be followed. Even when those procedures are mutually exclusive and diametrically opposed. Exams procedures, in particular, are absolutely sacrosanct. In fairness to the exams zombies, this is often for good reasons - to protect the integrity of the institution, the exams and the interests of the students. But they are, nevertheless, sacrosanct, even if, over the generations, they evolve primarily to serve the interests of the examination bureaucracy.

AG Kokott does not see that Mr Novak was attempting, improperly or fraudulently, to take advantage of provisions of EU law, to gain access to scripts. After all, if he could otherwise have obtained access through exams procedures, why should he be considered to be engaged in abusive exploitation of data protection regulations, just to get access to the same information?
"45.      If examination scripts incorporate personal data, according to the pleadings of the Data Protection Commissioner and Ireland, a misuse of the aim of the Data Protection Directive would arise in so far as a right of access under data protection legislation would allow circumvention of the rules governing the examination procedure and objections to examination decisions.
46.      However, any alleged circumvention of the procedure for the examination and objections to the examination results via the right of access laid down by data protection legislation would have to be dealt with using the provisions of the Data Protection Directive. In that regard, Article 13 in particular comes to mind, which allows for exceptions to the right of access to be established to protect certain interests specified therein.
47.      To the extent that these grounds do not justify exceptions in certain situations, as may be the case in connection with examinations, it must be recognised that the legislature has given precedence to the data protection requirements which are anchored in fundamental rights over any other interests affected in a specific instance.
48.      However, it should be pointed out that the General Data Protection Regulation, which will apply in the future, resolves this tension. First, under Article 15(4) of the regulation, the right to obtain a copy of personal data is not to adversely affect the rights and freedoms of others. Second, Article 23 of the regulation sets out the grounds for a restriction of data protection guarantees in slightly broader terms than Article 13 of the Directive, since, in particular, protection of other important objectives of general public interest of the Union or of a Member State pursuant to Article 23(1)(e) of the regulation may justify restrictions.
49.      On the other hand, the mere existence of other national legislation that also deals with access to examination scripts is not sufficient to allow the assumption that the purpose of the Directive is being misused.
50.      However, even if one wished to assume misuse of purpose, it is still not apparent where the undue advantage lies if an examination candidate were to obtain access to his script via his right of access. In particular, no abuse can be identified in the fact that someone obtains information via the right of access which he could not otherwise have obtained. If there were already access to personal information, the introduction of a right of access under data protection law would not have been required. It is instead the task of the right to access under data protection legislation to make available to the person concerned — subject to the exceptions provided for in Article 13 of the Data Protection Directive — access to his own data, where otherwise no right of access exists."
The unuttered assumption, of course, is that Mr Novak would have had access to the information he was requesting under the requisite exams procedures or other national legislation. Even if there was a clash in relation to degree of access then, as paragraph 47 insists "data protection requirements which are anchored in fundamental rights over any other interests affected in a specific instance" take precedence. The AG is optimistic (para 48) that the GDPR will resolve any such tension in the future. I can't share that optimism until the scope and boundaries of articles 15(4) and 23 become more clearly defined in practice when such clashes do arise, in the wake of the GDPR implementation in May 2018.

That part of the analysis complete the AG declares in paragraph 51 that
"51.      In brief, it can be concluded that a handwritten examination script capable of being ascribed to an examination candidate constitutes personal data within the meaning of Article 2(a) of the Data Protection Directive."
She next tackles the question of examiner's corrections on an exam script in paragraphs 52 to 65. In particular she notes that it is a question for the Irish data protection commissioner whether the examiner's comments corrections are information about Mr Novak:
"53.      However, an answer to this question is not necessary for a decision in the main proceedings since it is not at issue whether any such corrections constitute information about Mr Nowak. Rather, the subject matter of the proceedings is whether the then Irish Data Protection Commissioner was entitled to dismiss the complaint submitted by Mr Nowak on the ground that his examination script was a priori not personal data. The extent to which corrections should also be regarded as data relating to the examination candidate would have to be ruled upon not by the Supreme Court but rather, should the action be successful, at first instance by the present Irish Data Protection Commissioner."
Having said it is a question for the DPC she, nevertheless, goes on to opine that examiner's corrections are information about an examination candidate, as well as the examiner's own personal data.
"61.      Nonetheless, the purpose of comments is the evaluation of the examination performance and thus they relate indirectly to the examination candidate. The organisation holding the examination is also able to identify the candidate without difficulty and link him with the corrections once it receives the marked script back from the examiner.
62. general, comments on an examination script are typically inseparable from the script itself ... because they would not have any informative value without it. However, the script itself incorporates, as previously stated, personal data of the examination candidate. The purpose of collecting and processing this data is precisely to permit the evaluation of the examination candidate’s performance as incorporated in the examiner’s corrections.
63.      Precisely because of that close link between the examination script and any corrections made on it, the latter also are personal data of the examination candidate pursuant to Article 2(a) of the Data Protection Directive.
65.      It should be mentioned for the sake of completeness that corrections made by the examiner are, at the same time, his personal data. His rights are an appropriate basis in principle for justifying restrictions to the right of access pursuant to Article 13(1)(g) of the Data Protection Directive if they outweigh the legitimate interests of the examination candidate. However, the definitive resolution to this potential conflict of interests is likely to be the destruction of the corrected script once it is no longer possible to carry out a subsequent check of the examination procedure because of the lapse of time."
AG Kokott then briefly addresses additional requirements on the application of the data protection directive and its facilitation of restrictions on the right to information.
"67.      However, no questions have been raised about these additional requirements and restriction options and therefore the Court need not address them. It would also appear that their consideration is not necessary in order for the Supreme Court to be able to rule on whether the then Irish Data Protection Commissioner was right to refuse further examination of the complaint made by Mr Nowak.
She finally concludes:
"70.      I therefore propose that the Court should rule as follows:
A handwritten examination script capable of being ascribed to an examination candidate, including any corrections made by examiners that it may contain, constitutes personal data within the meaning of Article 2(a) of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data."
So it would appear that the Irish Supreme Court will be obliged to rule that the then Irish Data Protection Commissioner was not entitled to dismiss the complaint submitted by Mr Nowak, on the ground that his examination script was a priori not personal data.

As it is the Advocate General's opinion only, it remains advisory and it will be interesting to see if the the Court of Justice comes to the same conclusions. The Court often takes a strong lead from the AG Educational institutions, exams administrators in particular, would do well to take note.

Tuesday, May 23, 2017

Thoughts on our response to terrorism

Earlier today I posted a collection of thoughts on Twitter in response to the tragic bombing attack in Manchester last night. My friend, Tony Hirst, pointed out I had neglected to link them through threading. They are, therefore, reproduced in order below. If we are angry, fearful, sad, vengeful or harboring all of these emotions and more, we should try to focus them on a renewed determination to value our shared humanity and open society based on fundamental rights and the rule of law.