Privacy v Freedom of Expression in the Court of Appeal

Last year, Mr Justice Arnold gave judgment in the interesting case of Ali & Aslam v Channel 5 Broadcasting. This case concerned the fly-on-the wall programme broadcast on Channel 5 called “Can’t Pay? We’ll take it away”; which follows the work of High Court Enforcement Officers as they enforce court orders relating to debt and housing matters. Mr Justice Arnold found Channel 5 to be liable to the Claimants in the sum of £10,000 each; holding that the Claimant’s rights to privacy outweighed the rights of Channel 5 in respect of freedom of expression and the public interest.

Both parties appealed to the England and Wales Court of Appeal; Channel 5 on the issue of liability and the Claimants on the grounds that the damages awarded were insufficient. In a judgment given on 16th April 2019, the Court of Appeal (Irwin LJ, Newey LJ and Baker LJ) refused both appeals.

The Court of Appeal addressed the issue of liability first, before dealing with the appeal on quantum (the amount of damages awarded). The issue for the Court of Appeal was whether Arnold J had gone beyond what was justified in balancing the Claimants’ rights to privacy against Channel 5’s rights to freedom of expression; and as a consequence had made an error of law. The Court of Appeal held that Arnold J had taken “too narrow a view of what was in the public interest, effectively confining it to the High Court Process.” [74] The Court considered that Arnold J was wrong to conclude “that the publication of each specific piece of information in respect of which the Claimants had a legitimate expectation of privacy had to be justified as a matter of general public interest.” [74]

An interference with privacy which cannot be justified (logically or rationally) by reference to the public interest served by publication cannot be rendered lawful by editorial discretion. However, where there is a rational view by which publication can be justified in the public interest the courts should be slow to interfere, giving full weight to editorial discretion and knowledge.

Despite having some reservations about the treatment of the public interest issues in the judgment from Arnold J (in particular, the narrow approach taken to the public interests issues which arose), the Court refused the cross-appeal by Channel 5. The court had three principal reasons for doing so, set out in paragraphs 92-94 of its judgment. Those can be summarised as follows:

  1. Arnold J was clearly well aware of the relevant legal principles set out in the applicable case law.
  2. The Court of Appeal was satisfied that Arnold J was fully aware of the range of public interest issues raised in the programme; and
  3. The Court of Appeal was satisfied that while another judge might have reasonably found against the Claimants, it was not unreasonable for Arnold J to have found in their favour.

Turning to the appeal on damages, the first ground of appeal advanced essentially amounted to one that the level of damages awarded to each Claimant did not reflect the scale and nature of the publication. The second ground is that the judge was wrong to take into account the publication of the postings by the Ahmeds when setting the awards of damages for the publications by the Defendant. The third ground is that the judge wrongly failed to take into account the impact of the programme on the Claimants’ children.

All three grounds of appeal in respect of quantum were refused by the Court of Appeal. In respect of ground 2, the Court of Appeal noted that “[i]t must be obvious that the distress attributable to the programme was reduced because a number of people within the Claimants’ community or network were already aware of the broad events from the postings”. In respect of ground 3, the Court of Appeal considered that Arnold J had taken into account t he potential impact on the Claimants’ children.

On ground 1, the Court of Appeal distinguished against damages awarded in the case of phone hacking and the present case. They did so on the basis that in t he hacking cases those responsible for the hacking knew full well what they were doing was illegal; however, in the present case Channel 5 had taken steps to ensure that they remained within the law; including obtaining expert legal opinion. Furthermore, in the circumstances it was appropriate for Mr Justice Arnold to make an award of damages in the round.

There is some helpful guidance from the Court of Appeal on the issue of quantum in respect of breaches of privacy in the media sphere. In assessing quantum it is possible to look at issues in the round and reach a global figure of damages, rather than awarding damages identifiable to each issue. Furthermore, damages for cases of this kind cannot be calculated mathematically. Finally, an appellate court should not seek to interfere with an assessment as to quantum unless the damages awarded are so high or so low as to be perverse.

Alistair Sloan

If you would like advice or assistance in connection with a privacy issue, or any other information law matter; contact Alistair Sloan on 0141 229 0880. You can also send him an E-mail.

True Vision Productions & Bounty UK

The Information Commissioner has recently served two Monetary Penalty Notices (“MPNs”) that are worthy of some note. They were both issued for breaches which occurred prior to 25 May 2018 and are therefore both under the Data Protection Act 1998. This means that the maximum penalty in both cases was £500,000, rather than the larger penalties under the General Data Protection Regulation.

The first MPN [pdf] of the two MPNs that will be discussed in this blog was served on True Visions Productions (“TVP”) in connection with filming undertaken in a maternity unit operated by Cambridge University Hospitals NHS Foundation Trust (“CUH”).

Between July 2017 and 29 November 2019 TVP had placed static CCTV-style cameras with audio recording capabilities within three out of the four assessment rooms at the maternity unit. This was to gather footage for possible use in a television documentary on still births. The Commissioner accepted that there was a public interest in documentaries of this nature; however, she found that TVP had breach the first data protection principle in Schedule 1 to the Data Protection Act 1998.

TVP had not done enough to ensure that they had the explicate consent of those being filmed and there appeared to be no way for CUH staff to turn the cameras off. Therefore, if anyone did not wish to be filmed they would need to be seen in the one room without cameras; if that room was unavailable then the patient would have no choice but to be filmed. The fact that no human had access to the footage without first having the consent of the patient was insufficient: the recording and temporary storage of the footage was processing of personal data and would have required the Schedule 3 condition of explicate consent. Very little was done to bring the filming to the attention of patients; CUH staff were only required to answer questions if asked and there were notices placed in the premises along with information on tables; however, these were inadequate. TVP was served with a MPN in the amount of £120,000.

The second MPN of note is one served on Bounty (UK) Ltd in the amount of £400,000 [pdf]. Bounty UK gives itself the description of being a pregnancy and parenting support club. It provides information and markets services (including offers) to parents at different stages from pre-conception to pre-school. As part of this it distributes packs to new parents. The company also operates as a data brokering service and had previously also supplied data to third parties for the purpose of direct marketing by electronic means (although this apparently ended on 30 April 2018). Bounty collected personal data for the purpose of registering new members and did so in a number of ways, including directly from new mothers at their hospital bedsides.

Bounty had shared personal data with a range of organisations including a credit reference agency, a marketing and profiling agency and a telecommunications company; all for the purposes of direct marketing by electronic means. This related to about 14,300,000 unique individuals. Each record could be shared on multiple occasions. This was, apparently, all done on the basis that Bounty had obtained consent from the data subjects concerned.

The Commissioner found that Bounty had failed to comply with the fairness requirement within the first data protection principle in Schedule 1 to the Data Protection Act 1998. Bounty had not been transparent enough in providing information about the purposes for which personal data would be used. Bounty failed to process personal data fairly because they did not adhere to individual’s reasonable expectations of how their personal data would be used.

The consent apparently obtained by Bounty did not meet the requirements of the Data Protection Act 1998; it was neither specific nor informed.

Of course, both Bounty (UK) Limited and TVP have a right of appeal against the MPNs issued to them (both in terms of the decision to impose a penalty and the amount of that penalty). It remains to be seen whether either will seek to appeal to the First-Tier Tribunal.

Alistair Sloan

We are able to assist with a wide range of privacy and data protection matters. If you would like advice or assistance on these issues, or any other information law matter, contact Alistair Sloan on 0141 229 0880 or by E-mail. You can also follow our dedicated information law twitter account

Call for Views: Post-legislative scrutiny of the Freedom of Information (Scotland) Act 2002

In January it was announced that the Scottish Parliament’s Public Audit and Post-Legislative Scrutiny Committee would undertake formal post-legislative scrutiny of the Freedom of Information (Scotland) Act 2002. The Committee is now seeking views on the Freedom of Information (Scotland) Act 2002 and is inviting submissions to reach it by 5pm on Friday 10th May 2019. The call for views asks the following five questions:

  1. In your view, what effects has the Freedom of Information (Scotland) Act 2002 (FOISA) had, both positive and negative?
  2. Have the policy intentions of FOISA been met and are they being delivered? If not, please give reasons for your response.
  3. Are there any issues in relation to the implementation of and practice in relation to FOISA? If so, how should they be addressed?
  4. Could the legislation be strengthened or otherwise improved in any way? Please specify why and in what way.
  5. Are there any other issues you would like to raise in connection with the operation of FOISA?

It is not necessary to answer all five questions and the Committee is also inviting other information relevant to the remit.

Once the Committee has received the written evidence, it will consider it all and will thereafter decide who it wishes to take oral evidence from. It is expected that the oral evidence sessions will take place towards the end of the year.

Alistair Sloan

We are able to provide advice and assistance in connection with a range of Freedom of Information matters, including appeals against decisions of both the Scottish and UK Information Commissioners.  If you would like to do discuss a Freedom of Information, or any other Information Law, matter with us then you can contact Alistair Sloan on 0141 229 0880.  Alternatively, you can send him an E-mail.

Personal data and FOI: the conflict continues

The interaction between freedom of information and data protection laws is one which often results in conflict. On the one hand there is a legislative scheme that operates to promote transparency, while on the other there is a legislative scheme that operates to protect personal data. FOI law essentially provides that information should be released unless there is a good reason not to; while data protection law says that personal data should not be processed unless there is a good reason to. Both have their complexities and those brief explanations do not adequately encapsulate them.

The decision of the Upper Tribunal in Information Commissioner v Halpin [2019] UKUT 29 (AAC) is an example of where the First-Tier Tribunal got it badly wrong when dealing with the legitimate interests ground for processing under the Data Protection Act 1998. The Respondent in this appeal, Mr. Halpin, had requested information from Devon Partnership NHS Trust concerning the training that two named social workers had undergone in respect of the Care Act 2014. When deciding whether to release personal data under FOI law there is essentially a three staged test which must be satisfied before the personal data can be disclosed; this test was set out clearly by the Supreme Court in South Lanarkshire Council v Scottish Information Commissioner.

Firstly, is a legitimate interest or interests being pursued by the controller, third party or parties to whim the personal data is to be disclosed? Secondly, if a legitimate interest has been identified, is the processing (by way of disclosure under FOI law) necessary for the purposes of those interests? Finally, if there is a legitimate interest and the processing is necessary for that legitimate interest, then the processing cannot be unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

The first ground of appeal for which permission was granted was in respect of the FTT’s treatment of the effect of disclosure of the information to the world at large; in particular that the FTT had not deal with this matter in substance. This is an issue that needs to be carefully considered: disclosure under FOI is not simply a disclosure to the individual requester; it is a disclosure to the whole world. This is an important factor in determining the necessity of the processing in pursuance of the legitimate interest concerned. It is also important in considering whether the processing (by releasing the information under FOI) is unwarranted.

Once the information is disclosed under FOI law it is disclosed in circumstances where the public authority loses control of the information concerned; there is no duty of confidentiality owed. Therefore, there is nothing that can be done in order to prevent further dissemination of the information.

Upper Tribunal Judge Markus QC states, at paragraph 20, that Mr Halpin’s lack of motivation to publicise the information is irrelevant to the question of assessing the potential impact of disclosure to the world at large. The motivation of the requester is only relevant to the first of the three stages of the test set out in South Lanarkshire Council v Scottish Information Commissioner (whether a legitimate interest exist); it is not relevant to the question of necessity or the final question of balancing the legitimate interests against the rights, freedoms and legitimate interests of the data subject.

Public authorities, and those advising them, should therefore ensure that, when considering the release of personal data in response to a FOI request, they do not become focused on the individual requester; it is essential to consider the wider world when undertaking this assessment. The motivations of the requester might well be wholly benign, but there are others whose motivation may not be so benign and will utilise the information for other purposes. Requesters should also bear this in mind; an individual requester might have a perfectly legitimate interest in the personal data and the necessity test might very well be met in their individual case; that is not enough. Due consideration has to be given to the wider impact of releasing information to the world; this is why consideration has to be given to whether the personal data can be obtained in another way as part of the necessity test (although, the existence of other means of obtaining personal data, other than by way of a FOI request, will not necessarily be determinative of the issue).

Alistair Sloan

We are able to provide advice and assistance to public authorities and requesters in connection with matters concerning Freedom of Information laws; if you would like advice and assistance in connection with these matters, or any other information law matter, please contact Alistair Sloan on 0141 299 0880 or by E-mail. You can also follow our dedicated Information Law Twitter account.

Information Notices: UKIP v Information Commissioner (Part 2)

Last year I blogged on UKIP’s appeal to the First-Tier Tribunal (Information Rights) (“FTT”) against an Information Notice issued by the Commissioner; the FTT dismissed UKIP’s appeal. UKIP sought (and was granted) permission to appeal to the Upper Tribunal. The Upper Tribunal has now issued its decision. The decision has not yet been published by HMCTS; however, the wonderful people at 11KBW have published it [pdf] on their Panopticon blog (you can read Robin Hopkin’s post on their blog here). If you can’t be bothered reading to the end; the spoiler is that UKIP’s appeal was also dismissed by the Upper Tribunal.

By the time that UKIP’s appeal came before the Upper Tribunal, there were four “heads of appeal”: (1) The FTT had erred in law in terms of its approach to the exercise of the Commissioner’s discretion in issuing the notice; (2) the FTT had erred in law in terms of the scope of the notice; (3) the FTT had erred in law in terms of the timeframe for the notice; and (4) the FTT had erred in law in terms of irrationality.

The first head of appeal related to whether or not the FTT was correct, in law, to conclude that the scope of the information notice was clear. Upper Tribunal Judge Wikeley, at paragraph 24, concluded that taking the first five paragraphs of the information notice together, they were sufficient to comply with the requirements in section 43(2)(b) of the Data Protection Act 1998 (“DPA98”). Judge Wikeley did concede that the FTT did not provide as full reasons as he had, but they were clear enough that the FTT was satisfied that the notice complied with the requirement in section 43(2)(b) of the DPA98. The Judge, again said (having said it previously in another case), that the FTT does not need to set out in detail “every twist and turn of its assessment of the evidence and its consequential reasoning.” It is enough that the decision shows that the FTT has applied the correct legal test and has explained its decision in “broad terms”.

The second head of appeal related to the period for which the Commissioner wanted information from UKIP. The notice made reference to the 2015 General Election, but then asked questions about the 2016 referendum of the UK’s membership of the European Union. The judge accepted “that some of the drafting of the information notice is not ideal.” The notice had used both the former and present tense; sometimes together as alternatives. The Upper Tribunal concluded that “on a fair and objective reading of the notice as a whole, the information sought was plainly not confined to the 2015 General Election; rather it related to the ongoing processing of personal data” and also noted that the notice “should not be read as if it were a criminal indictment.” [para 27].

The third head of appeal related to the Commissioner’s exercise of discretion. UKIP argued that the Commissioner should have used the ‘least restrictive’ means of obtaining the information that she wanted; in other words she could have and therefore should have simply written a further letter to UKIP. This submission was based on principles which were developed in the context of the legitimate interests ground of processing personal data in the DPA98; it was “inappropriate” to try and “read across” [para 29]. Further, UKIP argued that it did not have the resources to provide a satisfactory response to the Commissioner’s initial letter: this was given short shrift by the judge.

The final head of appeal was that the Tribunal’s final decision was irrational in legal terms. The FTT had started out by giving a provisional view that the notice lacked clarity in its scope, but ended up concluding that it was, in fact, clear. Again, the judge accepted that the FTT’s reasoning was “sparse”, but nonetheless concluded that it was “sufficient.” [para 34]

Therefore, UKIP’s appeal was dismissed and the information notice, once again, stands. It will need to be complied with, subject to any further appeal, within 30 days of the Upper Tribunal’s decision being sent to the parties.

One final point is worth noting; the Upper Tribunal comments that, like a decision notice issued pursuant to section 50 of the Freedom of Information Act 2000, the Commissioner cannot vary an information notice once it has been issued: the commissioner can, unlike a decision notice, cancel the notice and re-issue a fresh notice. That is a consequence of the statutory framework: the statute gives the Commissioner the power to cancel a notice and makes no mention of varying (however, the statute does make mention of the Commissioner being able to vary other notices). In the circumstances an information notice cannot be varied once it is issued; if there is a problem with it then the notice must be cancelled by the Commissioner and a fresh notice issued. The same, in my view, would hold true for information notice issued under the Data Protection Act 2018. The statute provides that the Commissioner can cancel a notice, but makes no mention of varying the notice (whereas, she can vary, for example, an enforcement notice – the statute expressly provides for that in section 153).

From this decision we can take the following:-

  1. An information notice does not need to give a detailed statement as to why the Commissioner requires the information requested in the notice.
  2. The commissioner’s drafting of information notices gets a pass, but could be better.
  3. The commissioner doesn’t need to utilise less intrusive methods of obtaining information instead of exercising her discretion to issue an information notice.
  4. A controller’s lack of resources is not a reason why the Commissioner should not issue an information notice (indeed, it may even be a reason in favour of exercising discretion to issue an information notice).
  5. The FTT is not bound by a preliminary view it expresses and can change its mind.
  6. The Commissioner cannot vary an information notice should there be a problem with it: only cancel it and issue a fresh notice.

Alistair Sloan

If you require advice or assistance in respect of a privacy/data protection, or any other information law, matter then contact Alistair Sloan on 0141 229 0880 or you can send him an E-mail. You can also follow our dedicated information law twitter account.

Data Protection and Brexit: Changes to UK law (Part 1)

This is the first in a series of blog posts that I intend on doing over the next period which look at some of the changes to the GDPR and the Data Protection Act 2018 that will be brought about by the withdrawal of the United Kingdom from the European Union. In my 2018 information law review, published in January, I noted that the UK Government had published The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (Draft). These regulations, made pursuant to the powers conferred upon the Government in terms of the European Union (Withdrawal) Act 2018, make significant changes to the GDPR and the Data Protection Act 2018 in order to ensure that they both still work and make sense once the UK has withdrawn from the European Union. They will not enter into force until “exit day”.

Representatives
Currently any controller or processor (excluding those who fall within limited exceptions) established outside of the EU require to appoint a representative within the EU as a point of contact for data subjects and the supervisory authorities. The draft 2019 Regulations will amend this requirement so that any controller or processor not established in the United Kingdom will be required to appoint such a representative within the United Kingdom. This will apply to controllers and processors based in EU and EEA states after “exit day”. Therefore it is important that EU and EEA businesses who are not established with the UK, but collect personal data of data subjects in the UK, turn their minds to appointing such a representative within the UK in time for exit day.

Equally, it should be noted that UK businesses currently do not need to appoint such representatives within the EU/EEA because the UK is an EU member. When the UK leaves the European Union it will be necessary for UK businesses to comply with Article 27 of the EU GDPR; therefore, a representative within one of the 27 EU member states will need to be appointed.

Adequacy decisions
Under the GDPR the European Commission has the power to make adequacy decisions. These are decisions which allow the flow of personal data to a territory (or a part of a territory or sector within a territory) outside of the EU. The draft 2019 Regulations will insert new provisions (sections 17A and 17B) into the Data Protection Act 2018 establishing a very similar regime which will allow the Secretary of State to make “adequacy regulations” these will function in much a similar way. It is probably quite likely that one of the first adequacy regulations to be made will specify that the EU and EEA states have an adequate level of personal data protection.

The UK, upon exit day, will fall outside of the European Commission agreements and adequacy decisions (such as the EU-US “safe harbour” agreement). Similar agreements will need to be agreed with the UK. Controllers who currently rely on adequacy decisions of the Commission will need to think about how they will comply with UK data protection law in respect of international transfers of personal data, post-brexit.

Standard data protection clauses
Under the GDPR the European Commission has the power to adopt standard data protection clauses which, if used, will give an adequate level of protection for personal data when that personal data is transferred to a non-EU member state.

The draft 2019 Regulations will insert a section 17C into the Data Protection Act 2018, which will give the Secretary of State the power to make regulations specifying “standard data protection clauses which the Secretary of State considers provide appropriate safeguards for the purposes of transfers of personal data to a third country or an international organisation in reliance on Article 46 of the UK GDPR.”  In essence, the power of the Commission will transfer to the Secretary of State on exit day.

Administrative Fines
The power of the Information Commissioner to issue administrative fines (or, in the language of the Data Protection Act 2018, ‘Penalty Notices’) will continue to exist when the UK leaves the European Union. The maximum amounts of those penalties are currently expressed in Euros (although the Data Protection Act 2018 requires the Information Commissioner to issue the penalties in pounds sterling). The draft 2019 Regulations will amend the maximum amounts to convert them into pounds sterling as opposed to Euros. The €10,000,000 figure will change to £8,700,000; while the €20,000,000 figure will become £17,500,000. These figures are roughly what the euro figures convert to using the current exchange rates.

These are just some of the many changes that will be made by the draft 2019 Regulations. I hope to be able to do some more blog posts looking at some of the other changes contained within the draft 2019 regulations as we approach the 29th March 2019 (the date on which the UK is scheduled to leave the European Union).

Alistair Sloan

If you require advice or assistance in respect of a privacy/data protection, or any other information law, matter then contact Alistair Sloan on 0141 229 0880 or you can send him an E-mail. You can also follow our dedicated information law twitter account.

FOI in Scotland: Registered Social Landlords

Last week the Scottish Ministers laid The Freedom of Information (Scotland) Act 2002 (Designation of Persons as Scottish Public Authorities) Order 2019 (Draft) before the Scottish Parliament for the approval of the Parliament, as they are required to do in terms of the Freedom of Information (Scotland) Act 2002 (“FOISA”). This order is a long anticipated order to bring Registered Social Landlords (“RSLs”) within the scope of FOISA by designating them as Scottish public authorities. If approved (and there is nothing to suggest that the Order will not be approved by the Scottish Parliament), it will mean that RSLs (and their subsidiaries) will be designated as Scottish public authorities from 11 November 2019. Some had been hoping that they would have been designated from April this year, while others had been hoping that it would be April 2020. The Scottish Ministers appear to have split the difference and given RSLs a period of around 9 months to prepare for becoming Scottish public authorities.

RSLs have been, following a number of decisions of the Scottish Information Commissioner (which have never been appealed to the Court of Session), Scottish public authorities for the purposes of the Environmental Information (Scotland) Regulations 2004 for a number of years. There is, however, some debate about whether they remain so, following some changes to the regulatory landscape pertaining to RSLs. It has not yet, to my knowledge, been tested whether they still are Scottish public authorities for the purposes of the Environmental Information (Scotland) Regulations 2004. Whether the changes to the regulatory landscape of RSLs has had the effect of them no longer being Scottish public authorities, for the purposes of the Environmental Information (Scotland) Regulations 2004, is somewhat immaterial; designation as a Scottish public authority for the purposes of FOISA also means that they will be Scottish public authorities for the purposes of the Environmental Information (Scotland) Regulations 2004.

It should be noted that the draft order has been drafted in such a way so as to make RSLs Scottish public authorities for limited purposes only. They will be Scottish public authorities in respect of the following functions:

  1. providing housing accommodation and related services and includes anything done, or required to be done, in relation to:- (a) the prevention and alleviation of homelessness; (b) the management of housing accommodation (limited to the management of housing accommodation for which a registered social landlord has, under the Housing (Scotland) Act 2001, granted a Scottish secure tenancy as defined in section 11 or a short Scottish secure tenancy as defined in section 34 of that Act); (c) the provision and management of sites for gypsies and travellers, whatever their race or origin; and
  2. the supply of information to the Scottish Housing Regulator by a registered social landlord or a connected body in relation to its financial well-being and standards of governance.

A register of social landlords can be found on the website for the Scottish Housing Regulator.

Alistair Sloan

We are able to provide advice and assistance to public authorities and requesters in connection with matters concerning Freedom of Information laws; if you would like advice and assistance in connection with these matters, or any other information law matter, please contact Alistair Sloan on 0141 299 0880 or by E-mail. You can also follow our dedicated Information Law Twitter account.

Developing the Information Expressway

The Upper Tribunal has recently considered the meaning and scope of the exception in Regulation 12(4)(d) of the Environmental Information Regulations 2004 (“the EIRs”). This exception allows a public authority to withhold environmental information in response to a request where “the request relates to material which is still in the course of completion, to unfinished documents or to incomplete data”.

Highways England Company Limited v Information Commissioner and Henry Manisty [2018] UKUT 432 (AAC) concerned a request made to Highways England by Mr Manisty in December 2016. Mr Manisty request related to the possible route of the Expressway between oxford and Cambridge being investigated by Highways England. His request was refused by Highways England and the Information Commissioner did not uphold Mr Manisty’s subsequent complaint to her office. Mr Manisty appealed to the First-Tier Tribunal who allowed his appeal, deciding that the exception in Regulation 12(4)(d) did not apply. Highways England sought, and was granted, permission to appeal to the Upper Tribunal.

Upper Tribunal Judge Jacobs reminds us that as the EIRs implement an EU Directive they must (for now) be interpreted in a way that accords with the normal principles that apply to EU law. Judge Jacobs reminds us that one of those principles is that the exceptions must be interpreted restrictively. Judge Jacobs points out that this is a separate consideration from the presumption in favour of disclosure enshrined within the EIRs; that presumption simply allocates the burden of proof while the restrictive approach defines the scope of the exception.

Judge Jacobs also addresses the Aarhus Convention and the Implementation Guide. The EU Directive, which the EIRs implements, implements the Aarhus Convention into EU law and so regard has to be had to the convention when interpreting the EIRs and the Directive. Judge Jacobs, in paragraph 19, reviews some of the relevant case law and concludes that the Implementation Guide “can be used to aid interpretation, but it is not binding and cannot override what the Convention provides.”

Judge Jacobs includes two helpful paragraphs setting out what the exception does not mean. When deciding the scope of the exception it is not permissible to take into account any adverse consequences that disclosure might have. This is relevant for the purposes of determining where the public interest lies and also, perhaps, deciding whether the exception is engaged. Judge Jacobs states that “[a]dverse consequences must not be made a threshold test for regulation 12(4)(d).” [para 21]

Judge Jacobs considers what “material” and “relates to” means within the exception. In respect of “material”, he considers that the word material “is not apt to describe something incorporeal, like a project, an exercise or a process.” The material in question may form part of a project or process etc.; however, the material in question must itself be in the course of completion. We are not necessarily concerned with whether the project is in the course of completion. [para 23] Judge Jacobs also holds that “[m]aterial includes information that is not held in documents and is not data: things like photographs, film, or audio recordings.” [para 24]

Having already looked at what the exception does not mean, Judge Jacob eventually gets around to deciding what the exception does mean. He notes, in paragraph 28, that the language in the exception is “deliberately imprecise.” That being said, Judge Jacobs, in paragraph 30, returns to the principle that the exception should be applied restrictively. The imprecise language does not mean the exception can be applied “so widely as to be incompatible with the restrictive approach required by EU law.” At the same time it cannot be applied so narrowly that its purpose is defeated. In paragraph 31 of the decision, Judge Jacobs, identifies yet another deliberately vague expression within the exception: ‘piece of work’. The judge identifies some factors that may be of some assistance in applying the exception. For example, if there has been a natural break in the public authority’s private thinking; or, perhaps, the public authority is at a stage where publicity around its progress so far is taking place. The continuing nature of the project, process or exercise might also be a relevant feature. However, public authorities shouldn’t get too excited: this is not, by any means, a checklist. Judge Jacobs makes it clear that each case will turn on its own circumstances.

Public authorities should also be aware that their own internal labels will not be determinative of matters; it is not possible to, in the words of Judge Jacobs “label [your] way out of [your] duty to disclose.” Labels such as “draft or preliminary thoughts may, or may not, reflect the reality.” [para 32]

Counsel for Highways England is recorded as having emphasised legal certainty and its importance. Judge Jacobs accepts that his decision will not produced legal certainty in the way that was possibly envisaged by Counsel for Highways England. Judge Jacobs notes that its application will not be easy; however, issues of judgement are involved and that limits what can be achieved.

In deciding that the First-Tier Tribunal had not erred in law, Judge Jacobs took the view that, when reading the First-Tier Tribunal’s reasoning as a whole; its approached accorded with his analysis of the operation of the exception. The First-Tier Tribunal “understood that it was exercising a judgment on whether the information requested could now properly be considered as independent from the continuing work on the Expressway.”

So, what have we learned? Judge Jacobs has certainly gone through the exception carefully and produced what he considers to be the best that can be achieved in terms of defining the scope of the exception in Regulation 12(4)(d). Its scope is narrow, but not so narrow as to defeat the policy intention of providing a space for public authorities to think in private; however, its imprecise nature should not be taken as giving public authorities cart blanche. Each and every case will turn on its own circumstances and a degree of judgement is involved in determining whether the exception will apply or not.

There are also some useful reminders (for now) about the need to utilise EU law principles when interpreting the EIRs. There is also a useful reminder, in paragraph 6, about the approach that the Upper Tribunal adopts when considering an appeal. It is unlike the First-Tier Tribunal; it is not conducting a re-hearing of the case. The Appellant has to show that the First-Tier Tribunal erred in law. We are also reminded that the nature of the language of the provision has to be taken into account when considering legal certainty; it is therefore not always possible to give a precise exposition of the scope of a provision – sometimes, it really does just come down to a matter of judgement.

Alistair Sloan

We are able to provide advice in connection with a wide range of information law matters, including Freedom of Information Act/Environmental Information Regulations appeals. If you would like advice and assistance on any of these matters then please contact Alistair Sloan on 0141 229 0880 or by E-mail. You can also follow our dedicated information law account on Twitter.

Openness by design: ICO’s draft access to information strategy

The Information Commissioner’s Office has published a draft access to information strategy [pdf] and is inviting comments on it. The document opens by explaining that over the next three years the ICO has the ambition to be “more proactive and increase the impact of” regulation in respect of the Freedom of Information Act 2000 (“FOIA”) and the Environmental Information Regulations 2004 (“EIRs”).

The document is intended to be read in conjunction with the ICO’s ‘Regulatory Action Policy’, which was consulted on last year (and covers all of the legislation that the Commissioner is tasked with enforcing, not just FOIA and the EIRs).

The draft strategy gives the impression that the ICO intends to become more proactive in its enforcement of FOIA and the EIRs – especially in relation to “systematic non-compliance”. This could mean that the ICO intends become more formal in its enforcement action. So we will need to wait and see how it pans out.

The other matter within the draft strategy that is worthy of note (although it really is worthwhile taking the time to read the whole document – it’s not a lengthy one) is the section which discusses the changes that have occurred since FOIA and the EIRs were enacted. In particular the draft strategy indicates that a report to Parliament will be published later this month “making recommendations for change in relation to outsourced public services and some other categories of public service provision that are not within the scope of the current legislation.” Quite what will happen with such a report, given that Parliament is pretty tied up with Brexit related matters, is unclear; however, it should be worth looking at – especially if you’re involved in the provision of public services under contract.

The ICO is inviting comments on the draft strategy document until 8th March 2019 and comments can be submitted via the ICO website.

Post-Legislative Scrutiny of the Freedom of Information (Scotland) Act 2002

For some time now the Scottish Parliament’s Public Audit and Post-Legislative Scrutiny Committee has been considering whether to undertake post-legislative scrutiny of the Freedom of Information (Scotland) Act 2002. The Committee’s decision on whether to undertake post-legislative scrutiny of FOISA was delayed while they awaited the Scottish Information Commissioner concluding his intervention in respect of the Scottish Government.

Yesterday, after hearing again from the Scottish Information Commissioner and his Head of Enforcement, the Committee took a decision (in private), as recorded in the Minutes [pdf], to undertake post-legislative scrutiny of FOISA.

It is not yet clear how the Committee will undertake its post-legislative scrutiny or what the timetable will be; but what can now be said is that there will be formal post-legislative scrutiny of FOISA by a committee of the Scottish Parliament for the first time since FOISA was enacted in 2002. Much has changed since FOISA was enacted and while the Act generally performs fairly well, there are undoubtedly some areas which are ripe for improvement.

Once we know more about the details of the post-legislative scrutiny I will, of course, blog about it.

Alistair Sloan

We are able to provide advice and assistance in connection with a range of Freedom of Information matters, including appeals against decisions of both the Scottish and UK Information Commissioners.  If you would like to do discuss a Freedom of Information, or any other Information Law, matter with us then you can contact Alistair Sloan on 0141 229 0880.  Alternatively, you can send him an E-mail.