Entries from April 2007 ↓

I’ve always been puzzled about the use of force majeure clauses in the context of disaster recovery agreements.  How can a clause which excuses non-performance when there is something going on beyond the reasonable control of the supplier have any place in a contract which hopes to protect the customer against exactly that - an uncontrollable event?

Those great folks at the Society for Computers and Law have commented on just this point in this useful explanation of the history and use of force majeure provisions.  Concluding that:

“From a business continuity planning point of view, force majeure clauses require detailed examination, since they will come into effect under many circumstances where a business continuity plan is invoked. If you fail to do this you are leaving the door wide open to unexpected withdrawal of key services at a critical point in time.”

Standard clauses which you may rightfully accept in other circumstances may not be acceptable when looking at disaster recovery or business continuity services.  Keep your eye out for them!

SCL: ‘Greater Force’ - or A Good Excuse for Non-Performance? [paid subscription required]

The OFT is consulting on revisions that it has made to its guidance on the Unfair Terms in Consumer Contracts Regulations 1999.

The guidance makes interesting reading and is a godsend for those of us who deal with consumer contracts. In particular, it contains an annex which sets out examples of clauses which were rejected by the OFT as being in breach of the regulations, and the final clause accepted by the OFT.

Reponses are required by 22 May 2007.

The Office of Fair Trading: Unfair contract terms guidance

Is it time to dump powerpoint?  Many advanced presentation skills courses suggest that you should consider it, but many of us still use it in all our client-facing training.

I agree with this post - the problem isn’t powerpoint per se, but the way that it is used.  Your slides should not be your crib notes - as the post says, if your slides give the full picture without you being there, what’s the point of your presence?  Slides, if used, should be there to address the needs of the audience, not the speaker, and therefore should be a learning aid.

Presentation Zen

Reports are that Richard Thomas will be continuing as Information Commissioner until his 60th birthday - I think that this provides some welcome consistency to the world of data protection and freedom of information, and just hope that he can continue his efforts to make the ICO more business focussed and efficient.

Information commissioner Richard Thomas reinstated until June 2009 - 04/04/2007 - Personnel Today

Back in February, the Information Commissioner’s Office issued its first practice recommendation under the Freedom of Information Act 2000 against Nottingham City Council for failing to have adequate procedures in place for the implementation of the Act.

And last month it published details of enforcement action taken against 11 organisations for failure to dispose of personal data in accordance with the 7th principle (obligation to put in place adequate security for personal data) of the Data Protection Act 1998.  Each organisation had to give a written undertaking, detailing the nature of the various breaches, to the ICO, stating that they will comply with the DPA.

And we have already reported on the government’s approval for the ICO’s plan to impose custodial sentences for obtaining data unlawfully.

A taste of things to come?  The ICO has been promising for some time to step up enforcement action, and it seems that it is beginning to live up to this promise.  If nothing else, it is also clear that the ICO’s tactic of targetting high profile offenders is also bearing fruit.  Both peices of legislation are often criticised for being toothless, and whilst neither of these steps have resulted in any prosecutions or fines, I think they are likely to be the first steps in a gradual increase in enforcement proceedings.

That being said, those organisations required to give undertakings had already been “outed” in the mainstream media, and it still remains that one of the biggest drivers towards DPA and FOIA compliance are the adverse publicity that breaches bring, and for DPA, the growing insistence by consumers that their data be handled securely and fairly.

The case of Johnson v Medical Defence Union has hit the Court of Appeal, with Mr Johnson still pursuing a claim for breach of the Data Protection Act 1998 in relation to the processing of his personal data in relation to his indemnity insurance policy.  The original decision[case via BAILII] was made back in March last year.  The Court of Appeal decisionhas just been published on BAILII.

To recap for those of you who are not familiar with the case, Mr Johnson had had his membership, and therefore insurance, revoked by the Medical Defence Union, something that they were contractually entitled to do.  However, his claim was that the information which lead to this decision had been obtained through unfair processing of his personal data in breach of the Act.  A risk manager had reviewed his claims files, and inputted information from those files onto a summary sheet which incorporated a scoring system.  It was this sheet which, when presented to a committee set up to decide such things, lead to the withdrawal of his membership. 

Case law in this area is scarce, and so judicial interpretation of wide terms such as “processing” and “fairness” as are set out in this decision - even if the judges are divided - are welcome.  Even if it is just so that those of use who work in this sector can breathe a sigh of relief that the courts find as much difficulty in interpreting them as we do!

The court had to consider whether the Act applied, and if it did, if there had been a breach.  Mr Johnson claimed the breach arose from:

“Selecting the information contained in the personal data and thereby presenting a false picture of the situation.”

It was not sufficient to show that there was personal data processed, and the result was unfair.  Mr Johnson had to show which act of processing was in itself unfair. 

“However, that said, the difficulty for Mr Johnson remains that the selection, and thus the carrying out of operations, of which he complains was done by Dr Roberts, using her own judgement, and not by any computer or by any automatic means. To the extent that the material on which she worked was already recorded on a computer Dr Roberts had to operate that computer in order to access the information, but no complaint is made of that: because it is not suggested that in looking at Mr Johnson’s record Dr Roberts shut her mind to, and therefore refused even to look at, any particular data. Similarly, having made her decisions Dr Roberts recorded them, or caused them to be recorded, in electronic form; but by that stage Dr Roberts had already made her decision, so the subsequent mechanical recording of her decision did not add to the alleged unfairness.”

In other words, and to summarise an incredibly complicated analysis in one sentence, the judges held (by a majority) that the act of selecting data was not in itself processing of data for the purposes of the Act - it was not automatic processing. 

An analogy (one of many) which particularly caught my eye was this one:

“Judges when they have decided what their reserved judgments should say place those conclusions on a computer, or dictate those conclusions for typing up by their clerk, again by use of a computer. Judgments tend to contain or to refer to a good deal of personal data in respect of the parties to the case. Judges are for that reason data controllers under the terms of the 1998 Act; but one does not need to stress the oddity of a conclusion that the typing of the judgment brings the decision-making process that preceded the typing within the “fairness” terms of the first Data Processing Principle.”

I have a lot of sympathy with the analysis of Buxton LJ, but Arden LJ, in the minority, disagreed.  Like the definition of personal data before it, as explored in the Durant case, “processing” can mean so many different things in so many different scenarios that the effect of making a firm decision as to its meaning could lead to a whole manner of unjust effects where the facts differ.  Like Durant, I can tell that this case will require some time before its effects are fully understood.

As an aside however, the commentary on the purpose of the Act and indeed the data protection directive contained in this judgement is also of interest.  Buxton LJ draws our eye to recital 10 of the directive, which states that:

“Whereas the object of national laws on the processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy, which is recognised both in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms and in the general principles of Community law;”

The judges seemed to agree on this point - the Act is primarily there to protect privacy - not employment related detriment which occurs as a result of a decision taken with reference to personal data.  It is not there to create a new cause of action for an injustice where no other cause would assist.  With the Data Protection Act being held as the reason for so much nonsensical bureaucracy, it is worth bearing in mind this overriding theme.

In this case from the European Court of Human Rights, an employee from a UK College was subjected to monitoring of telephone, email and internet use.  There was no policy in place at the relevant time regarding monitoring.

The court briefly considered the relevant domestic law, which included the Regulation of Investigatory Powers Act 2000, the tort of misfeasance in public office, the Data Protection Act 1984 (now replaced, but this was the relevant legislation at the time), the obligation of trust and confidence between employer and employee, and the lack of a distinct law of privacy.

It went on to consider whether there was a breach of Article 8 - namely whether the College had interfered with her right to respect for private life and correspondence.  The court referred to the existing case law which states that telephone calls made from work do consititute an element of private life.  It therefore summised that emails must also fall within this category, together with information gathered from internet monitoring.

As this was information relating to the private life of the individual, and it was monitored, the court found that there was interference with Article 8.  It then turned on whether this interference was “in accordance with the law”.

Whilst the government argued that College was authorised under its statutory powers to do “anything necessary or expedient” for the purposes of providing higher and further education, the court found this unpersuasive.

There was nothing in law at the time which permitted such monitoring (and in particular the provisions of Telecommunications (Lawful Business Practice) Regulations 2000, which permit monitoring under certain conditions) were not yet in force.  The individual in question had not been notified of the monitoring and so could not have expected that this monitoring was going to take place.

There had therefore been a breach of Article 8, and the court awarded damages for non-pecuniary loss of €3,000, as well as legal costs of €6,000 (which were limited due to the other complaints which had been brought but not upheld - total costs claimed had been £9,363).

This case doesn’t impact greatly on monitoring taking place today under the regime now in place.  However, it does stress the fact that an employee does  carry out his or her private life whilst at work, and as such there is some expectation of privacy. 

Tip: Monitoring if it does occur should take place only within the realms of the Lawful Business Practices Regulations, and employers should ensure that employees are informed of and understand the monitoring that takes place.

COPLAND v. THE UNITED KINGDOM - 62617/00 [2007] ECHR 253 3 April 2007 [link from BAILII]

…or the fear of public speaking (no - I didn’t know that either. I found it here - http://www.phobialist.com/, and apparently it’s from the Greek glosso-, meaning tongue, and phobia, fear or dread.

Anyway, in a vain attempt to encourage more lawyers to give internal training in law firms, I’m pointing you towards an article which aims to help those who are scared of speaking in public - and the key tip is practice, practice, practice.

All joking aside, preparation really is the key to confident public speaking - not only do you have to practice the physical side of the presentation, but you need to be comfortable with the subject matter and the structure and timing of the presentation, otherwise you will falter.

There are plenty of courses available if you would like to hone your skills in this area - or alternatively, just get up and try!

How to get over your fear of public speaking - lifehack.org

ISPA have published guidelines to ISPs on how to deal with spam, a growing problem, with 3 key strategies:

1. Attribution of emails - ISPs should not relay emails for non-verified third parties, and should be able to attribute email genertated on their systems to a user.
2. Abuse management - ISPs should have in place a system for users to report Spam, and to ensure that these reports are dealt with.
3. Customer information - ISPs should make sure that customers understand what Spam is, what action will be taken if they send it, and then follow up by publicising the action they take against those who abuse the system

ISPA publishes anti-spam standard - 04/Apr/2007 - ComputerWeekly.com

There are a number of blogs in the US currently commenting on the impact of Vista to electronic discovery.  Recent changes in the US to the Federal Rules of Civil Procedure around discovery of electronic documents have brought this subject close to the hearts of US attorneys, but the comment is no less significant in the UK.

Metadata is already an issue for businesses, as even outside the scope of litigation, documents which are let loose into the world electronically can contain information not immediately apparent to the naked eye - details of who had edited the document, changes from previous versions, even the originating document that this one is based on.

Microsoft’s new operating system Vista does not change the need for caution in this sphere, but its new security features may cause additional data to be disclosed during a disclosure process.  These features will no doubt be a welcome relief for those lawyers busily drafting late at night who suddenly “lose” hours of carefully crafted work when their computer crashes (or they close it without saving!).  But by saving numerous versions of the document as “shadow” documents, comments which may not be intended to see the light of day could find themselves basking in the sunlight.

I have yet to see any case where the existence of metadata has made or broken the case (although I’m willing to be proven wrong), and whether this does become an issue remains to be seen.  In the meantime, businesses should at least be aware of the information their computer systems are collecting about the work their employees are doing, and consider their information management strategies accordingly.

Legal Technology - Microsoft Brings an Altered Vista to EDD [via Dennis Kennedy’s blog]