Our FOI request
The Transparency Project has been concerned for some time about judgments from family cases being published where the anonymisation was incomplete or non-existent.
Since formation we have regularly noticed or been notified of such anonymisation errors, and in each case we have reported them to the Judicial Press Office or BAILII or both (depending on the apparent urgency). Usually this results in the judgment being taken down – we have not always been able to check whether the properly anonymised judgment goes back up again.
After a particularly concerning instance of non-anonymisation in April (When Transparency Goes Wrong), we decided to investigate. Around the same time Lucy Reed wrote an article about the issue, which has recently been published in The Guardian and (in longer form) on her Pink Tape blog. We made some enquiries of the court service and the judiciary to see what steps were being taken (if any) to monitor or prevent the problem and on 30 April we asked the Judicial Press Office:
… if there is a procedure in place when this sort of thing happens – are the parties automatically notified by the court if there is a privacy breach like this? Is there any investigation into how things went wrong? Are these events logged or recorded (and if so who might we approach for the statistics)? …We like to write up these instances, and it would be useful to be able to reassure people about the processes behind the scenes if we can.
This approach didn’t produce a substantive answer, so we wrote in more detail to a contact we had been given at the court service in May, explaining the background and saying :
What we would like to understand is :
- the process for anonymisation, checking and sending of judgments to BAILII (we are aware of guidance for judges on publishing to BAILII and of Dr Brophy’s current work to produce guidance for judges on writing anonymised judgments, but our interest is in the processes in place for ensuring that only an appropriately anonymised version of a judgment is sent and published – e.g. the example given above seems to have involved HMCTS sending the wrong version of a judgment to BAILII rather than any failure by the judge to anonymise)
- the process for correcting any errors / recalling any judgments / dealing with queries about possible anonymisation / publication errors (we have had to resort to emailing BAILII and badgering legal colleagues to phone BAILII on weekends to secure the urgent removal of patently private information), including what arrangement is in place to help BAILII know in what circumstances they should take down a judgment pending making contact with the judge
- whether any records or statistics are kept of these issues when they arise and whether there is any process for reporting them to some central person or place (The President / Court Manager / HMCTS / The DFLJ in any given area for example) (and what those statistics show about how often this sort of thing has happened)
- what processes are in place for notifying the individuals whose data has been wrongly released of the data breach and if all such breaches are notified of the mistake
- whether or not the Information Commissioner is informed of these data breaches
- what steps are in train to improve the situation
We would like in due course to be able to write an article or blog post about these issues to explain to the public what happens to prevent things going wrong and what is done to remedy any mistakes when they happen – and we would also like to set out what steps should be followed by the public (or us) if issues are spotted in the future. Currently however it appears that there is little in place and it is all a bit ad hoc. If we have this wrong it would be most helpful if you could provide us with information (including any relevant process or policy and statistics etc) so that we can ensure we write accurately about this really very pressing issue. Naturally we do not ask for any material which would identify individual parties / data subjects.
We explained that we would like to avoid a formal FOI request, but would make one if requested to do so.
In the meantime the research team which is analysing published judgments asked for guidance on how to deal with emerging anonymisation errors that they were uncovering. You can read the response received to their enquiries received in mid June, set out in full in the judgment of the President of the Family Division in the case of Re X (A Child) (No 2)  EWHC 1668 (Fam) (08 July 2016), at paragraphs 31-32. This clarified how any question or request about the possible non-redaction of names would be dealt with by the judiciary.
As answers to most of our questions were outstanding by this point we chased our enquiry, rephrasing it in a more ‘FOI friendly’ format. We have now received a response to our FOI request. The response can be read here and the annexes are below :
In her Guardian article Lucy Reed said this :
The process is ad hoc and with everyone under pressure, errors are inevitable.
The FOI responses appear to confirm this. The judicial guidance at Annex A was already known to The Transparency Project, and does not provide any guidance to judges to prevent the sort of errors we have seen slipping through the net. Whilst the North East appear to have published their own similar guidance document for staff, this does not really advance matters. None of the other six regions has produced any guidance for staff at all. In summary, there is no universal system in place to prevent errors in publication of this really private and sensitive material. This is surprising, given the steps taken more than two years ago to vastly increase the volume of material published.
We are also surprised that since 2013 there have been only two incidents of family case breaches reported to the HMCTS internal Information Assurance & Data Security Team. It is unclear whether or not those two cases include the egregious breach that we referred to BAILII / the judiciary in April. Even if this was reported internally in April it appears from the FOI response that it has not been reported to the ICO. One might ask if this is not referred what would be? It is possible that HMCTS consider that this example is a matter of judicial responsibility and therefore falls for consideration by the Judicial Office not HMCTS.
The answer to our fifth question about notification to a data subject of a breach relating to their data is not illuminating and begs a number of questions:
The HMCTS Information Assurance team has not been able to locate a document that sets out the policy regarding this matter, but they do provide regular assistance to operational teams who must consider whether or not to inform the data subject.
The decision to inform a data subject(s) of a data incident is a local decision to be taken by the originating court or tribunal. The role of the HMCTS information Assurance team is to provide guidance such as:
- Are there any actions that the data subject needs to take because of the incident? E.g. if it is financial data, do they need to inform their bank etc
- Is there a threat of harm to the data subject(s)?
- Would informing the data subject(s) of the incident cause them additional distress?
- Has the incident been contained?
The advice given will depend upon the circumstances of the incident and any mitigation actions that have been taken to lessen the impact of the incident.
The issues are of course broader than mere data protection breach – the publication of details that should not have been published may amount to a breach of confidentiality or a breach of article 8 privacy rights which arguably the subject ought to be alerted to (and particularly in the case of a child his or her parents, carers or legal representatives ought to be informed). However, the narrowness of the answer may simply reflect the phrasing of our question – we will ask for clarification on whether or not there is any policy in this regard and whether or not any individuals have in fact been notified of inadvertent publication of their private information (and update this post as and when a response is received).
What IS more encouraging is the final answer :
HMCTS is reviewing its internal guidance to staff on the protocols for releasing judgments to BAILII, and is currently discussing this with the President of the Family Division to ensure it aligns with judicial guidance. The President of the Family Division has indicated that he intends to issue fresh guidance on the anonymisation of judgments following the publication of research on the issue expected in the summer. He is likely also to publish fuller guidance to judges on sending judgments to BAILII and taking them down from BAILII. HMCTS is currently drafting, and will issue in tandem with the Judicial Office, national guidance for court staff which will make clear what the roles and responsibilities of court staff should be in the publication and anonymisation of documents on Bailii and establishing clear lines of contact for staff and court users who discover errors on Bailii. I will be happy to provide you with copies of the fresh guidance to judiciary, staff and court users when it has been issued.
Perhaps our enquiries have helped to galvanise the powers-that-be into action on these important issues or perhaps the wheels were starting into motion anyway. Whichever it is, we are look forward to the publication of the judicial anonymisation guidance, along with the fuller procedural guidance. We hope that it will mean that the system will work more reliably and coherently and that it will enable further progression of transparency reforms without undue risk to those at the heart of the system. It is time to professionalise this aspect of how we work – it will not do to make it up as we go along – we should be preventing errors not fixing them.
It might be useful for all those various aspects of transparency guidance to be collected in one place in the form of some sort of Transparency Manual. Whether or not that in fact happens at source, we will place all those items of guidance in one place in the Resources section of the site for general access.