Author Archives: Alistair Sloan

Data Protection and Redundancy

The COVID-19 pandemic has had a considerable impact upon the economy. Government figures suggest that there have already been about half a million redundancies since the beginning of the pandemic; as the Government’s Job Retention Scheme put in place in March comes to an end at the end of this month, it is sadly inevitable that there will be further redundancies. When an employee leaves employment, whether by redundancy or not, there are data protection implications for employers that they ought to be aware of and take into consideration.

Many employers now have employees working from home when they would never have done so before. In early March, before the lockdown was put in place, many employers started kitting out their employees to enable them to work from home in line with government guidance and this continued as businesses tried to recover from the immediate aftermath of the lockdown. This will add a further dimension to the data protection considerations that employers should have in mind when making employees redundant.

When an employee is made redundant, employers have a duty to ensure that any personal data that the employee had in their possession continues to be secure. Employers should ensure that they revoke access to every IT system the employee had access to (including remote access and any separate application accounts, not just the main user account) once the employee’s employment has terminated. If the employee is working out a period of notice then this should occur at the end of their last day; if not, it should happen as soon as is practicable after the employment has been terminated. Employers should ensure that any IT equipment they provided is returned, in case the employee has stored personal data locally rather than inside the company’s systems. Employers should also ensure that any printed material the employee may have taken from the office, or printed while working from home, is returned.

Where employees have been using their own devices to work from home, things get a bit more complicated. Employers should take steps to ensure that their former employees do not retain, on their personal devices, personal data for which the employer is the controller. What steps are required will vary with the circumstances. The obvious area is E-mail (for example, did the employee access their work E-mail on their personal phone?), both in terms of existing E-mails held on the device and messages that continue to arrive after the employment has come to an end. Laptops, tablets and other devices owned by the employee may also have personal data stored on them from the employee’s time working from home; this should not be overlooked.
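The access-revocation and E-mail points above are the kind of thing a leaver process should be able to check rather than simply assert. The following is an added example, not code from the original post or from the author’s firm: it reconciles an HR leaver list against an exported account inventory and mailbox forwarding rules, and reports any account still enabled (or used) after the leaver’s last day and any mailbox forwarding to an address outside the company domain. The system names, the corporate domain `example.com` and all the sample records are constructed for illustration.

```python
"""Leaver access reconciliation (added example; all data below is constructed)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Leaver:
    employee_id: str
    last_day: date          # last working day; access must be revoked at its end


@dataclass(frozen=True)
class Account:
    system: str             # hypothetical system names: "vpn", "m365", "crm"
    username: str
    employee_id: str        # HR identifier the account is mapped to
    enabled: bool
    last_login: Optional[datetime]


@dataclass(frozen=True)
class ForwardingRule:
    mailbox: str
    employee_id: str
    forward_to: str


@dataclass(frozen=True)
class Finding:
    employee_id: str
    system: str
    detail: str


INTERNAL_DOMAIN = "example.com"   # assumed corporate mail domain


def reconcile(leavers: Iterable[Leaver], accounts: Iterable[Account],
              forwarding: Iterable[ForwardingRule], as_of: date) -> List[Finding]:
    """Return findings for everyone whose last day is already past as of `as_of`."""
    findings: List[Finding] = []
    # Only people whose last day has passed; someone still working notice is ignored.
    left = {l.employee_id: l for l in leavers if l.last_day < as_of}

    for acct in accounts:
        leaver = left.get(acct.employee_id)
        if leaver is None:
            continue
        # Access should have been removed at the end of the last day.
        cutoff = datetime.combine(leaver.last_day, datetime.max.time())
        if acct.enabled:
            findings.append(Finding(acct.employee_id, acct.system,
                f"account {acct.username} still enabled after {leaver.last_day}"))
        # Even a now-disabled account is worth a look if it was used after the last day.
        if acct.last_login is not None and acct.last_login > cutoff:
            findings.append(Finding(acct.employee_id, acct.system,
                f"account {acct.username} used at {acct.last_login:%Y-%m-%d %H:%M} after last day"))

    for rule in forwarding:
        if rule.employee_id in left and not rule.forward_to.lower().endswith("@" + INTERNAL_DOMAIN):
            findings.append(Finding(rule.employee_id, "mail",
                f"mailbox {rule.mailbox} forwards to external address {rule.forward_to}"))
    return findings


# Constructed sample data: two people left on 30 October, one is still working notice.
SAMPLE_LEAVERS = [
    Leaver("E1001", date(2020, 10, 30)),
    Leaver("E1002", date(2020, 10, 30)),
    Leaver("E1003", date(2020, 11, 13)),
]
SAMPLE_ACCOUNTS = [
    Account("vpn", "jsmith", "E1001", enabled=True, last_login=datetime(2020, 11, 2, 9, 15)),
    Account("m365", "jsmith@example.com", "E1001", enabled=False, last_login=datetime(2020, 10, 30, 17, 0)),
    Account("crm", "abrown", "E1002", enabled=False, last_login=datetime(2020, 10, 29, 12, 0)),
    Account("m365", "cjones@example.com", "E1003", enabled=True, last_login=datetime(2020, 11, 5, 8, 0)),
]
SAMPLE_FORWARDING = [
    ForwardingRule("jsmith@example.com", "E1001", "jsmith.personal@mail.example"),
    ForwardingRule("abrown@example.com", "E1002", "teamlead@example.com"),
]


def run_sample(as_of: date = date(2020, 11, 6)) -> List[Finding]:
    return reconcile(SAMPLE_LEAVERS, SAMPLE_ACCOUNTS, SAMPLE_FORWARDING, as_of)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.employee_id:<6} {f.system:<5} {f.detail}")
```

Run against the sample data it reports three findings, all for E1001: the VPN account is still enabled, it was used on 2 November after the 30 October last day, and the mailbox forwards to a personal address. The colleague still working notice (E1003) produces nothing, which is the intended behaviour: the check is about revocation after the last day, not about restricting someone who is still employed.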

If you’re an employee it’s also important to consider how this affects you. If you’re taking templates and styles with you, you need to ensure that you have stripped them of all of the personal data within them; otherwise this could cause problems for you personally. Also, if you’re hoping to set up on your own, or to move clients/customers to any eventual new employment, then you should speak to your employer first. Taking personal data from an employer where you either do not have their consent, or could not reasonably believe that you would have their consent, could result in you being convicted of a criminal offence under the Data Protection Act 2018.

Working from home is likely to continue for some time and, when offices do begin to re-open, employees may not be flooding back into them. Employers who were previously hesitant to allow home working may now be willing to offer some degree of home working once the pandemic is over. Whether you have allowed home working for a while or COVID-19 has been the impetus to change working practices, a home working policy which includes data protection measures is important. Your policies relating to home working should account for how the recovery of personal data will be dealt with where an employee leaves, whether that is by redundancy or not.

Data protection considerations may seem fairly low down the agenda at the present time, but with significant financial penalties a possibility for failing to have adequate technical and organisational measures in place, it’s something that should not be ignored. When your business may already be struggling financially, an ICO investigation followed by a financial penalty is probably the last thing it needs. For employees, it is also important that you follow any relevant policies and procedures which deal with personal data at the end of your employment; there could be consequences for you personally as well if you fail to do so.

Alistair Sloan

If you would like advice or assistance in relation to the data protection aspects of redundancy or home working; or any other information law matter, then please contact our team on 0141 229 0880 or by E-mail.

Facebook challenging temporary stop processing order by Irish DPC

Earlier this week it was reported that the Irish Data Protection Commission had taken action to temporarily suspend data transfers from the EU to the US by Facebook. It has now been reported that Facebook is challenging that decision in the Irish Courts by way of judicial review proceedings.

Following the European Court of Justice invalidating the Privacy Shield agreement between the EU and the US, Facebook decided to switch its transfer mechanism to standard contractual clauses (SCCs). The judgment of the ECJ in Schrems II upheld the validity of the SCCs, but made it clear that simply relying upon SCCs was not enough. The effect of the Schrems II decision is that supervisory authorities are required to suspend or prohibit transfers of personal data made in reliance on standard contractual clauses where the clauses are not being complied with or are incapable of being complied with in the destination country.

There was always going to be some doubt about whether SCCs were an effective alternative to Privacy Shield, because the same issues that resulted in the invalidation of Privacy Shield exist in relation to transfers to the US utilising SCCs. The Irish DPC appears to have taken a preliminary view, which cannot be a favourable one given the action it has taken.

Little is known at this stage about the basis of Facebook’s judicial review; more on this will likely come to light as matters progress before the courts in Ireland. This is a case that anyone involved in international transfers of personal data should keep an eye on; the Irish Courts may apply some gloss onto the additional layers that may need to be added to SCCs in order to make them effective in particular situations.

The ability to order a controller to stop processing personal data (in whole or in part) is probably the most overlooked of the powers that supervisory authorities have; the impact of such orders can be more immediate and painful to controllers than an administrative fine. If the preliminary decision by the Irish Data Protection Commission survives judicial review then the implications for Facebook (and other companies that rely significantly on international transfers of personal data to third countries) could be significant.

Alistair Sloan

If you would like advice or assistance in relation to a data protection matter, or any other information law matter, then contact our team on 0141 229 0880 or by E-mail.

Data Subject Complaints: delays at the regulator

At the beginning of July it was reported that the Irish High Court had given permission for a judicial review of the Irish Data Protection Commission (“DPC”) to proceed. The judicial review has been brought by the European Centre for Digital Rights in respect of significant delays at the DPC in their handling of complaints made to them under the GDPR.

The application is being brought by the applicant as a representative body under Article 80 of the GDPR. The application pertains to two complaints made by two separate complainants; one in relation to WhatsApp Ireland Limited and one against Facebook Ireland Limited (as operator of Instagram). Both complaints were made on 25 May 2018, the day on which the GDPR became applicable throughout the European Union. The complaints, having originally been made to the German and Belgian supervisory authorities (respectively), were transferred by those supervisory authorities to the DPC as the lead supervisory authority for both companies.

The DPC is still to make a decision on the complaints, more than two years after they were made. The judicial review seeks (principally): (1) a declaration that the DPC has failed to carry out an investigation into the complaints within a reasonable period, contrary to its duty under Article 57 of the GDPR and/or section 113 of the Irish Data Protection Act 2018; (2) a declaration that the DPC has not provided information and/or a draft decision to the relevant national authorities without delay, contrary to its obligation under Article 60(3); (3) a declaration that the DPC is in breach of its obligations under the GDPR and/or Irish data protection law; (4) an order directing the DPC to complete its investigation of the complaints within a time frame directed by the court; and (5) a reference under Article 267, if required.

This is an interesting case from Ireland that is well worth keeping an eye on to see what the ultimate result is. Those who are familiar with the UK’s supervisory authority, the Information Commissioner, will see some similarities between the ICO and the DPC. The ICO is not renowned for acting quickly in respect of its regulatory functions; it has yet to take a decision on regulatory action against British Airways and Marriott after issuing Notices of Intent (a precursor to a Penalty Notice; or, in GDPR parlance, an “administrative fine”) more than twelve months ago.

What can data subjects in the UK do where the ICO’s investigation of their complaint is moving at a glacial pace? The answer is to be found in section 166 of the Data Protection Act 2018; which makes provision for the First-Tier Tribunal to make orders requiring the Information Commissioner to progress a complaint.

Section 166 is a fairly limited provision; it does not create a route of appeal to the First-Tier Tribunal where the data subject is unhappy with the outcome of the complaint. It only provides a remedy to get the Information Commissioner to move the complaint forward to an outcome. Neither section 165 (which provides a right of complaint where Article 77 of the GDPR does not apply) nor section 166 requires the Commissioner to do anything more than investigate the subject matter of the complaint to the extent that is appropriate and to inform the complainant about the progress of the complaint (including about whether further investigation or co-ordination with another supervisory authority or foreign designated authority is necessary); they do not require the ICO to do anything at all about any breaches that may have occurred. Section 166 is therefore not a right of appeal against a decision of the Information Commissioner that there has been no breach of the relevant data protection laws or against a refusal to take enforcement action in respect of a breach.

The decision of the ECJ in Schrems II, which was published last month, does, however, provide some scope for challenging a failure to act by the ICO. The ECJ was very clear about the duties and obligations on supervisory authorities to ensure that the GDPR is being complied with (and that includes positive obligations to stop processing where it is not being complied with). However, such a challenge would have to be brought by the much more expensive route of a judicial review in the Court of Session (Scotland) or the High Court (England and Wales / Northern Ireland).

Alistair Sloan

If you are a data subject who submitted a complaint to the Information Commissioner more than 3 months ago and have not had your complaint resolved or are dissatisfied with the outcome of your complaint to the Information Commissioner then we would be happy to discuss this with you. You can contact our Alistair Sloan on 0141 229 0880 or by E-mail.

When is a filing system a relevant one?

Yesterday, the Court of Appeal (England and Wales) delivered a fresh judgment in the field of data protection. In its judgment in Dawson-Damer v Taylor Wessing LLP [2020] EWCA Civ 352, the Court (Lord Justice Floyd, Lord Justice Newey and Lord Justice Arnold) considered two issues: (1) the exemption in paragraph 10 of Schedule 7 to the Data Protection Act 1998 relating to legal professional privilege; and (2) the meaning of a “relevant filing system” within section 1(1) of the Data Protection Act 1998. Although this case was concerned with the 1998 Act rather than the GDPR and Data Protection Act 2018, the guidance provided by the Court of Appeal will be of assistance when dealing with the current data protection landscape.

In this blog post I intend to focus only on the issue of a relevant filing system and not on legal professional privilege. I may, should time permit, come back to the issue of legal professional privilege in the near future.

In the court below, the judge decided that 35 paper files held by Taylor Wessing LLP constituted a relevant filing system and therefore the personal data contained therein were within scope of a subject access request. Every data protection practitioner’s favourite case (Durant v Financial Services Authority) was, of course, a feature of this latest judgment from the Court of Appeal. The Court decided, however, that the decision of the Court of Justice of the European Union in Tietosuojavaltuutettu had changed the landscape somewhat and that the decision of the Grand Chamber was inconsistent with the interpretation of “relevant filing system” in Durant. The Court of Appeal considered that the approach in Durant was “in some respects, more restrictive and cannot be fully reconciled with the CJEU’s interpretation.” [para 88]

At paragraph 90 of its judgment, the Court of Appeal sets out four questions that it considers should be asked in light of the CJEU’s decision in Tietosuojavaltuutettu. Those questions are:

1. Are the files a “structured set of personal data”?
2. Are the data accessible according to specific criteria?
3. Are those criteria “related to individuals”?
4. Do the specific criteria enable the data to be easily retrieved?

The Court of Appeal endorsed the “temp test” set out by the Information Commissioner in her guidance. That test explains the concepts by reference to the employment by a controller of a temporary administrative assistant. Would such a person be able to extract specific information about an individual from the controller’s manual records without any particular knowledge of the controller’s type of work or of the documents held by the controller? The test assumes that the temp in question is reasonably competent, requiring only a short induction, explanation and/or operating manual on the controller’s particular filing system in order to be able to use it. In essence, if a temp could easily extract information from a controller’s filing system without any real skill or knowledge (beyond competence and basic introductory training), then the filing system is likely to be a “relevant filing system”.

In Dawson-Damer, a trainee solicitor and a senior associate had been utilised in order to go through the paper files in order to extract the information. The Judge had relied upon this as a reason why it was a relevant filing system; this was an error, the Court of Appeal held. The Court of Appeal stated that “[i]f access to the relevant data requires the use of trainees and skilled lawyers, turning the pages of the files and reviewing the material identified, that is a clear indication that the structure itself does not enable ready access to the data.” [para 99]

It will not be enough simply to use highly skilled individuals to leaf through files and extract information in order to prove that a manual filing system is not a “relevant filing system”; if a temp would have been capable of performing the same work then it will still be a relevant filing system regardless of who actually performed the task. Controllers often put tasks like this out to their lawyers, and it will often be trainee solicitors, under the supervision of experienced solicitors (as is the case with all tasks performed by trainee solicitors), who carry out the work. Simply deciding to send the task to lawyers will not be sufficient to argue successfully that the filing system in question is not a “relevant filing system”. The court is likely to look at the matter objectively and decide whether a temporary administrative assistant could have extracted the information had the controller kept the matter in-house. There are good reasons why a controller might wish to out-source the task to lawyers (there is value that a lawyer can add); however, if it’s simply to try and avoid disclosing personal data by arguing that the manual filing system is not a “relevant filing system”, then the controller is likely to be out of luck.

It is also important to note that the temp test is more of a rule of thumb than an exacting legal test. It simply acts as a good indicator that the manual filing system is a relevant filing system for data protection purposes. However, in the case before the Court of Appeal, it was of assistance to Taylor Wessing. The Court determined that the Claimant had failed to prove that the filing system was a relevant filing system and that the conclusion reached by the judge at first instance was not supported by the evidence.

Alistair Sloan

We are able to provide advice and assistance to controllers, processors and data subjects in respect of data protection matters. If you would like advice or assistance in connection with a data protection matter, or any other information law concern, then please contact us on 0141 229 0880 or by E-mail to info@inksters.com.

Information Law Review of 2019

Well, it is that time again; the beginning of a New Year and therefore time for my third annual look at what happened in the world of information law in the previous twelve months and what those with an interest in the field should be looking out for in 2020. I would like to begin by wishing all readers of the Information Law Blog, both new and old, a very happy New Year.

My reviews of 2017 and 2018 began by looking at the case of Various Claimants v WM Morrisons Supermarkets Limited. I shall keep the tradition going by looking once again at this case. In 2018, the Court of Appeal dismissed the appeal by Morrisons against the decision of Mr Justice Langstaff holding them vicariously liable for the actions of an ex-employee. This case rumbled on again in 2019, with the Supreme Court hearing an appeal by Morrisons on 6th and 7th November. By the end of 2019, the Supreme Court had not yet issued its judgment and so that will be something to look out for in 2020; the Supreme Court’s judgment (although concerned with the Data Protection Act 1998, rather than the GDPR and Data Protection Act 2018) will have ramifications for data subjects and controllers, regardless of which way it goes.

Brexit continued to be a feature of 2019 in the information law world. We have seen the changes that will take effect in data protection law as a result of the UK’s withdrawal from the European Union, which is now scheduled to take place at the end of this month. Brexit, however, will not stop being a feature of information law at 23:00 on 31st January (assuming there are no further delays). We will be in a transition period until the end of the year, but we don’t yet know exactly what we’re transitioning to, which might start to become clearer by the summer.

Brexit also featured in the information law world in other respects. There are still some data protection and privacy concerns floating around from the 2016 referendum on the UK’s membership of the EU. Indirectly related to that have been proceedings in the Upper Tribunal involving UKIP, and also in the First-Tier Tribunal. If reports are anything to go by, proceedings in the First-Tier Tribunal at the end of 2019 could result in an extremely critical decision against the Commissioner, so that is something to look out for in 2020.

We also saw the first GDPR administrative fine issued in the UK by the Information Commissioner (some 19 or so months after the GDPR became applicable and quite a bit behind other regulators in other EU Member States). The Commissioner has issued two Notices of Intent against two other Controllers (that we’re aware of) both of which were due to expire this month, but it has been confirmed by the Information Commissioner that the statutory six month period has been extended by agreement (in accordance with the statutory provisions). The reasons for this have not been made public at this time.

Just before Christmas the Advocate General of the European Court of Justice gave his opinion in Data Protection Commissioner v Facebook Ireland & Schrems concerning standard contractual clauses. We can expect a decision from the European Court of Justice to follow soon, whether that is before or after “exit day” at the end of January remains to be seen.

In the wider field of privacy law, the Court of Appeal took a look at the judgment of Mr Justice Arnold in the case involving Channel 5’s fly-on-the-wall documentary ‘Can’t Pay? We’ll Take it Away’. The Court of Appeal dismissed the appeals by the Respondents in respect of liability and the cross-appeal by the Claimants on the issue of quantum of damages. Meanwhile, in Scotland, Lord Bannatyne (for the first time) declared that there exists in the law of Scotland a common law right to privacy.

In May, Information Notices were again a feature of the decisions flowing from the First-Tier Tribunal; this time, however, it was concerning the Commissioner’s powers under the Freedom of Information Act 2000. The Tribunal confirmed that the Commissioner can issue an information notice in order to obtain information as part of her process for determining whether a person is a public authority for the purposes of the Environmental Information Regulations 2004.

In 2019, the Scottish Parliament’s Public Audit and Post-Legislative Scrutiny Committee began undertaking Post-Legislative Scrutiny of the Freedom of Information (Scotland) Act 2002. In 2019, I gave both written and oral [pdf] evidence to the Committee. The Committee is expected to release its report and recommendations next month.

In 2019, we saw the expansion of FOI in Scotland with Registered Social Landlords formally being designated as Scottish public authorities for the purposes of the Freedom of Information (Scotland) Act 2002.

We also had one of those rare things: a decision from the Court of Session in an appeal against a decision of the Scottish Information Commissioner. In the sole decision in such an appeal issued by the Court of Session in 2019, my client successfully challenged (on a point of law) a finding by the Commissioner that information he had requested was not held by a local council for the purpose of the Freedom of Information (Scotland) Act 2002. This case provides some useful guidance on determining whether information is held, or not, for the purposes of the Freedom of Information (Scotland) Act 2002.

Alistair Sloan

If you would like advice or assistance with Privacy and Data Protection matters or with UK and Scottish Freedom of Information requests contact our team on 0141 229 0880.

Commissioner Dispenses GDPR Administrative Fine

On 20th December 2019, the Information Commissioner published a Penalty Notice [pdf] it had issued under the Data Protection Act 2018 to Doorstep Dispensaree Limited in the sum of £275,000. While we have had the Marriott and British Airways Notices of Intent, this is the first penalty notice published by the Information Commissioner exercising her powers under the Data Protection Act 2018 and the General Data Protection Regulation to issue administrative fines (formally known in the UK as “Penalty Notices”).

In this case, the Information Commissioner was acting upon information received from another UK regulator (the Medicines and Healthcare Products Regulatory Agency, or “MHRA”). The MHRA had executed a search warrant under its own regulatory scheme and discovered in a courtyard approximately 500,000 documents containing personal data, all of them stored insecurely. The MHRA inspected the documents and discovered that they contained personal data and special category personal data. The documents were dated from January 2016 to June 2018 and their condition indicated that they had been stored in the courtyard for some time. The Information Commissioner began an investigation; she wrote to the data controller asking a number of questions. The controller responded, via its solicitor; however, its response didn’t answer any of the Commissioner’s questions, but instead it seemed to the Commissioner (as recorded in the penalty notice) that the controller was denying any knowledge of the documents.

The Commissioner followed-up with more information and repeated the questions initially asked. The controller refused to answer those questions and the Commissioner records that it appears as though the Controller was conflating the separate investigation by the Commissioner with the one being undertaken by the MHRA. The Commissioner thereafter issued it with an information notice, which the controller (unsuccessfully) appealed to the First-Tier Tribunal. The Commissioner’s Penalty Notice then records that after the appeal was disposed of by the Tribunal, the controller did not comply timeously with the notice and the Commissioner had to threaten the controller with obtaining an information order and/or issuing a penalty notice.

The controller finally responded to the Information Notice, refusing to provide some information (under section 143(6) of the Data Protection Act 2018) on the basis that providing that information would open the controller up to prosecution by the MHRA in its separate criminal investigation. The controller provided various documents to the Commissioner, most of which were dated from 2015.

The Commissioner ultimately found that the controller’s infringements of data protection law were systemic in nature; the Commissioner pointed to the inadequate and outdated policies and procedures that it had in place. Furthermore, its privacy notice fell far short of what is required by Articles 13 and 14 of the GDPR. Interestingly, there appears to be no reference in the Penalty Notice to the early payment discount that was a feature of monetary penalty notices issued by the ICO under the Data Protection Act 1998.

The controller was also issued with an Enforcement Notice [pdf] by the Commissioner; which requires the controller to, among other things, update its internal policies and procedures, appoint a member of staff as an Information Governance Lead or Data Protection Officer, introduce mandatory training and update its privacy notice in line with Articles 13 and 14.

This Penalty Notice contains much that can be of assistance to controllers when it comes to enforcement action under the GDPR. The first point worth mentioning is that controllers should not fail to co-operate with the ICO during investigations. Indeed, controllers (and processors) and their representatives are under a positive duty to co-operate with the Commissioner (Article 31 of the GDPR). In any event, the Commissioner has a range of powers to ensure that she can properly investigate alleged breaches of data protection law, including the power to issue an information notice, obtain an information order and obtain (and execute) a search warrant. Where you are facing multiple regulatory investigations simultaneously, it is important that you take each one seriously and understand precisely what each regulator is investigating and what their respective powers are.

It also appears that the Commissioner has dropped the early payment discount that used to be offered to controllers to encourage them to pay the penalty notice (an appeal automatically meant that the controller lost the early payment discount, as it would delay payment of the monetary penalty).

Alistair Sloan

We are able to assist data subjects, controllers and processors with data protection law matters, as well as a range of other information law concerns. If you would like to speak to us about an information law matter, then please contact our team on 0141 229 0880 or by E-mail.

We don’t hold it…oh yes you do!

Dr Ian Graham v The Scottish Information Commissioner [2019] CSIH 57 is a rare decision of the Court of Session in an appeal against a decision of the Scottish Information Commissioner, the last one coming almost 12 months ago. The case was considered by the Second Division (with the bench comprising of the Lord Justice Clerk, Lord Malcolm and Lord Glennie) with Lord Glennie delivering the Opinion of the Court.

Before a Scottish public authority is required to release information, it actually has to hold it and information will not be held, according to the law, if it is held by the Scottish public authority on behalf of a third party. The question that was considered in the appeal by Dr Graham was on this fundamental point: whether the Scottish public authority held the information or not; and in particular whether information was held by a Council on behalf of a third party (in this case, the Returning Officer).

In January 2018, Dr Graham requested the following information from Aberdeenshire Council: (1) a list of the contracts called off by the council from the framework agreement, (2) invoice and order copies for each contract, (3) payment confirmation from the council of the invoices and (4) whether the council reclaimed the input VAT on the invoice. The framework agreement in question was for the provision of electoral services to the returning officer. In terms of the contract (and of importance for this appeal), the Council assumed obligations and liabilities under the contract and also had responsibilities and liabilities in respect of the procurement process.

Whilst the Council ultimately released information in relation to parts (3) and (4) of his request, initially the Council claimed that it did not hold any of this information for the purposes of the Freedom of Information (Scotland) Act 2002 (“FOISA”). The Council’s argument was that because a returning officer, although an official from within the council, is legally a separate entity from the rest of the council when acting in that capacity, the Council only held the information on behalf of the returning officer and not in its own right. Dr Graham was dissatisfied with this and applied to the Scottish Information Commissioner for a decision on whether the Council had complied with its disclosure obligations under FOISA. The Commissioner upheld the Council’s decision, determining that the Council did not hold the information for the purposes of FOISA, but rather held it on behalf of the returning officer.

Counsel for the Appellant argued that the word ‘held’ was being subjected to too much scrutiny, as well as drawing attention to the spirit in which FOISA had been enacted, that being to make information available to the public. Counsel contended that a liberal approach should be taken to the interpretation of this provision. Reference was made by the Appellant’s Counsel to University and Colleges Admission Service v Information Commissioner [2014] UKUT 0557 (AAC) and Common Services Agency v Scottish Information Commissioner 2008 SC (HL) 184. Counsel for the Appellant further drew upon University of Newcastle v Information Commissioner [2011] UKUT 185 (AAC) to demonstrate how a more common-sense approach was preferable. The broader interpretation of ‘held’ was further supported by the decision of the Upper Tribunal in Department of Health v Information Commissioner, where it was held that a ministerial diary was ‘held’ by a department purely as a historical record for reference purposes. With reference to the present case, he ultimately argued that the distinction between the council holding the information for itself or on behalf of the returning officer was immaterial, and indeed that both conditions could be fulfilled simultaneously in the present circumstances, with the fine-tooth investigation of the council election laws amounting to little more than prevaricating.

The Court allowed Dr Graham’s appeal, emphasising “that the relevant provisions of FOISA should, so far as possible, be interpreted in a manner consistent with the policy of the Act, namely the desirability of making information available to the public, all in the interests of promoting open, transparent and accountable government.” [15] The Court also held “that the words and expressions used in the Act should, so far as possible, be given their ordinary and natural meaning” and that “[t]here should be no scope for the introduction of technicalities, unnecessary legal concepts calculated to over-complicate matters and, by so doing, to restrict the disclosure of relevant information.” [15]

The Court approved of and agreed with the reasoning given by the Upper Tribunal at paragraphs 21-22 of its decision in University of Newcastle. In essence, a Scottish public authority will hold information if it has more than a de minimis interest in the information. That is to say, the information will only fall outside of the scope of FOISA if the authority has “no (or no material) interest of its own” in it. [18] The Court therefore reduced the Commissioner’s decision and remitted the matter back to him so that he could reconsider Dr Graham’s application in light of its opinion.

The effect of this decision should be to widen the scope of information that is available to the public under FOISA. Scottish public authorities and the Commissioner will be required to take a more holistic approach in future to deciding whether information is only held by the Scottish public authority on behalf of a third party. A more practical approach requires to be taken than simply looking at whether the Scottish public authority and the third party are separate entities from one another; consideration must be given to the underlying factual matrix. The opinion of the Court also re-iterates previous comments by the courts that the Act should be interpreted in a way that isn’t too complex or technical.

Our Alistair Sloan acted for the successful appellant in this case, instructing John MacGregor, Advocate.

Danny Cummins (Trainee Solicitor)

If you would like advice or assistance in respect of a Freedom of Information matter or a data protection/privacy issue then contact us on 0141 229 0880 or you can send us an E-mail.

Penalty Notices and Notices of Intent

Yesterday there was a great deal of excitement as some news outlets reported that British Airways had been fined £183m by the Information Commissioner’s Office. It became apparent fairly quickly that this wasn’t what had happened and that we are still waiting for the Commissioner to issue the first “penalty notice” for a breach of the General Data Protection Regulation.

What did come to light yesterday was that the Commissioner had issued a notice of intent to British Airways, giving them notice that she intends to issue a penalty notice in the sum of £183m. This is not the first time that news of a notice of intent has resulted in reporting that the Commissioner had actually issued a financial penalty. The last time was when she issued Facebook with a notice of intent in respect of a pre-GDPR breach (a penalty was subsequently served on Facebook in the sum of £500,000 and that penalty is currently the subject of an appeal to the First-Tier Tribunal).

There is quite a bit of difference between a notice of intent and a penalty notice (formally known as a monetary penalty notice in the Data Protection Act 1998) and they shouldn’t be confused with one another. So, given the confusion, I thought I might write a brief guide to the process adopted in the UK in respect of administrative fines under the GDPR and the Law Enforcement Directive.

The process essentially begins with the Commissioner opening an investigation. This could be as a result of a mandatory breach notification by the controller, a complaint made by a data subject or the matter having come to the attention of the Commissioner in some other way (for example, via the media). The Commissioner then enters into an information gathering phase, and she has the power to compel (subject to appeal and some other limited exceptions) data controllers to provide her with information by issuing an information notice should data controllers refuse to engage with her office.

At some stage the Commissioner will decide whether enforcement action is appropriate in the particular case. There will have been a dialogue of sorts going on between the Commissioner’s office and the controller during the information gathering phase. A financial penalty is not the only option available to the Commissioner. If the Commissioner decides that an administrative fine (in GDPR language, or a “penalty notice” in the language of the Data Protection Act 2018 (“DPA2018”)) might be the appropriate means to deal with the breach, then she is required by paragraph 2(1) of Schedule 16 to the DPA2018 to give written notice to the controller of her intent to do so; this is known as a “notice of intent”. This notice must contain certain information, which is set out in paragraph 3 of Schedule 16 to the DPA2018.

The notice of intent is an important step because, by virtue of paragraph 3(4) of Schedule 16, the notice of intent must contain details of a period in which the controller can make written representations to the Commissioner; this period must not be less than 21 days. The Commissioner is prohibited from serving a penalty notice until this period has expired (paragraph 4(1) of Schedule 16). Furthermore, before deciding to issue a penalty and before finally deciding upon the amount of any penalty, the Commissioner must consider any written or oral representations made by or on behalf of the controller (paragraph 4(2) of Schedule 16).

Essentially, the notice of intent forms part of the due process of law. The Commissioner sets out in the notice the basis upon which she believes a penalty notice is appropriate and the proposed amount of the penalty. The controller then has an opportunity to make its case to the Commissioner and put forward a legal or factual case which: (a) argues that no penalty notice should or can be given; (b) challenges proposed findings in fact contained within the notice of intent; and/or (c) challenges the proposed amount.

When the Commissioner issues a notice of intent, she (and her office) must continue to have an open mind. It is not simply a tick-box exercise; it is an important part of a formal legal process. The Commissioner must be open to being persuaded by the controller that she is wrong in any of the matters set out in the notice of intent, including being persuaded that the legal tests for issuing a penalty notice have not been met.

A notice of intent is certainly not (or shouldn’t be) a guarantee that a penalty notice will follow, or that it will be in the amount specified in the notice of intent. It is no more than a formal document giving notice to a controller of the Commissioner’s intentions and forms part of the legal process for issuing an administrative fine.

Once a notice of intent has been served by the Commissioner, she is normally required to issue the penalty notice within 6 months (paragraph 2(2) of Schedule 16); this includes the time permitted for written and, where applicable, oral representations. However, this period can be extended where the Commissioner and the controller agree (paragraph 2(3) of Schedule 16).

Appeals
Unlike a notice of intent, a penalty notice is subject to a right of appeal to the First-Tier Tribunal. In such an appeal all of the relevant factual and legal matters are reconsidered by the Tribunal. The Tribunal is empowered to uphold the penalty notice, modify the penalty notice or quash the penalty notice. Thereafter, there are appeals (but not as of right, only with permission) to the Upper Tribunal and the courts on points of law. Failures within the notice of intent procedure would give rise to grounds of appeal in respect of the penalty notice. Depending upon the nature of the defects, they could ultimately lead to the Tribunal quashing the penalty notice.

“One Stop Shop”
One final thing of note is that the Information Commissioner is acting as the “lead supervisory authority” in the British Airways matter; this is a mechanism which exists in the General Data Protection Regulation and applies so long as the United Kingdom remains a member of the European Union. Other supervisory authorities from elsewhere in the EU will also have the opportunity to comment on the Commissioner’s enforcement action in this case. This is an important aspect to note in relation to all enforcement action, not just penalty notices. Before taking a final decision in the British Airways case the Information Commissioner will have to circulate a draft of her decision to those other supervisory authorities, who are then permitted to make comments; the Commissioner must take these comments into account. This mechanism applies where there is cross-border processing taking place (see Article 4(23) of the General Data Protection Regulation for a definition of “cross-border processing”), which was the case in respect of the British Airways data breach.

Alistair Sloan

We are able to assist data subjects, controllers and processors with data protection law matters, as well as a range of other information law concerns. If you would like to speak to us about an information law matter, then please contact our team on 0141 229 0880 or by E-mail.

Dealing with vexatious FOI Requests

The call for views by the Public Audit and Post-Legislative Scrutiny Committee of the Scottish Parliament (“the Committee”) in respect of its post-legislative scrutiny of the Freedom of Information (Scotland) Act 2002 (“FOISA”) ended on 21 June 2019 (having been extended a couple of times). One of the issues that came up on a number of occasions in the Committee’s discussions and evidence sessions prior to formally deciding to undertake post-legislative scrutiny of FOISA was the issue of vexatious requests. This issue has come up again in a number of responses to the call for views provided by Scottish public authorities (but certainly not all those Scottish public authorities that submitted responses).

It does seem as though Scottish public authorities, generally, are fairly poor at utilising section 14 of FOISA, which provides that a Scottish public authority does not need to comply with a request for information where it is vexatious. The Scottish Information Commissioner has also expressed the view that authorities are not utilising the available provisions within FOISA to deal with vexatious requests, such as at an evidence session before the Committee on 10 January 2019 [pdf].

The response by Glasgow City Council [pdf] provides an example of a single requester who has made around 100 FOI requests on a related topic. It strikes me that requests from this particular requester on this particular topic could very well fall within the ambit of section 14 (although I make that comment with only that information which is available from Glasgow City Council in its response). While the law requires the request to be vexatious, rather than the requester themselves, it is permissible to look at the requester’s conduct towards, previous correspondence with and previous requests to the authority in determining whether a particular request that has come in is, in fact, vexatious. This is something that Scottish public authorities seem to struggle with; they often seem to look at a particular request in isolation and do not necessarily consider the wider background and context.

The leading case on section 14 of FOISA, Beggs v Scottish Information Commissioner, was only decided at the end of 2018 and therefore prior to that there was no authoritative guidance on the application of section 14 of FOISA. However, the Scottish Information Commissioner and Scottish public authorities have looked to Dransfield v Information Commissioner to help with the application of section 14 of FOISA. In Beggs the Inner House of the Court of Session essentially approved of the decision of the Court of Appeal in Dransfield. The decision in Beggs is, subject to any appeal to the UK Supreme Court, binding authority on the operation of section 14 of FOISA. Scottish public authorities can therefore look to both the judgment of the Court of Appeal in Dransfield and the opinion of Lord Brodie in Beggs for guidance on section 14 of FOISA and how to apply it in appropriate cases.

The Court of Appeal and the Inner House of the Court of Session have both stressed that the right of access to information is a constitutional one and so the bar for engaging section 14 is a high one. However, it is clear that the bar is not so high as to be impossible to meet in practice.

Section 14 of FOISA allows Scottish public authorities to consider matters that would not normally be relevant to FOI requests, such as the identity of the requester and their motives. Scottish public authorities (and indeed, public authorities working under the Freedom of Information Act 2000) should remember that they can look at a requester’s motives; for example, a malicious motive can be an indicator that a request is vexatious (but is not necessarily evidence that the request is, in fact, vexatious): Beggs at paragraph 33. Equally, the absence of a malicious motivation is not necessarily evidence that the request is not vexatious.

A person’s previous dealings with an authority can be relevant as can their other FOI requests: if a person is showing signs of obsessive behaviour, then that could be an indicator that the request is vexatious. The authority needs to look at the request objectively, in the surrounding circumstances, and come to a judgement as to whether the request is vexatious. However, it will need to remember to have evidence to support its conclusion in case the requester makes an application to the Commissioner challenging the application of section 14 by the authority.

Perhaps there is concern within authorities about getting it wrong and having a section 14 refusal overturned by the Commissioner; however, we can only learn from doing and from our mistakes. There are 96 decision notices on the Scottish Information Commissioner’s website relating to section 14(1) of FOISA (the specific part of section 14 that deals with vexatious requests). This number does seem to be rather small given the wide opinion coming from Scottish public authorities over many years that vexatious requests are a particular problem. Over 50 of those decision notices find entirely in favour of the authority and a good number are classified as partially upheld (many of which appear to have included technical defaults by the authority). It is clear that where a Scottish public authority appropriately deploys section 14 in respect of vexatious requests, the Commissioner will uphold that decision.

It certainly does seem to be the case that Scottish public authorities are reticent to utilise section 14 of FOISA. Perhaps it is because they do not fully understand the scope of section 14 or are unsure about its precise application; it can potentially be used in a wide variety of circumstances. Scottish public authorities could certainly be using section 14 much more frequently than they are at present, and they should seek to become much more confident in using it. Indeed, most of the examples that I have seen put forward by Scottish public authorities as problems which they say cannot be dealt with by the application of section 14 could, in fact, most probably have been dealt with by the application of section 14. The same level of reluctance is not obviously present in respect of those authorities subject to the Freedom of Information Act 2000.

Alistair Sloan

If you are a requester or a public authority who would like advice or assistance in regards to freedom of information law then contact our team on 0141 229 0880 or by E-mail. We are also able to assist with a range of other information law matters.

Privacy, the common law and Scotland

In a recent opinion from Lord Bannatyne (B C and Others v Chief Constable Police Service of Scotland and others [2019] CSOH 48), sitting in the Outer House of the Court of Session, we have the first express statement that there is a right of privacy at common law in Scotland. Traditionally in Scotland, privacy law has been dealt with through the European Convention on Human Rights, the Human Rights Act and data protection law.

This case involved a number of police officers who are facing disciplinary proceedings by the Police Service of Scotland for alleged misconduct which is founded upon a number of messages sent via WhatsApp. The messages came into the possession of the professional standards department having been discovered on the phone of an officer who was being investigated in connection with alleged sexual offences.

The messages in question were characterised by Senior Counsel for the Police Service of Scotland in her written submissions as being “on any view, blatantly sexist and degrading, racist, anti-semitic, homophobic, mocking of disability” and included “a flagrant disregard for police procedures by posting crime scene photos of current investigations.” [para 166] Lord Bannatyne believed that it was “a characterisation which a reasonable person having regard to the content of the messages would be entitled to reach. I conclude that the content of the messages can be regarded as potentially informing the issue of breach of Standards in circumstances calling into question the impartial discharge of the petitioners’ duties.” [para 166]

In terms of the common law right to privacy, the starting point for Lord Bannatyne was the relationship between the Human Rights Act 1998 and the common law. He quoted Lord Reed, with approval, in R (Osborn) v The Parole Board at paragraph 57 of that judgment. From that passage Lord Bannatyne concluded that if the right to privacy exists at common law, Article 8 of the Convention does not supersede it. Lord Bannatyne noted that the European jurisprudence could be used to help inform and develop a common law right to privacy.

He then went on to ask whether there was a justification for a right to privacy in the common law. He cited, with approval, the words of Lord Nicholls at paragraph 12 of the judgment in Campbell v MGN Ltd. Lord Bannatyne thought that the right to privacy could “be described as a core value and one which is inherent in a democratic and civilised state.” [para 106]. He continued:

“[it] seems to flow from the centrality of the role of privacy in a democratic society and particularly in a society where electronic storage of information and electronic means of intrusion into the private lives of a citizen by government, private organisations and individuals are growing exponentially the common law should recognise the right to privacy.” [para 107]

Lord Bannatyne considered that the English authority on the point was of assistance. In England and Wales the common law on privacy has been developed in the context of the development of the law on breach of confidence. Scotland also has a concept of breach of confidence, which is a well understood remedy and it has been explicitly accepted previously that the law in Scotland in respect of breach of confidence is the same as the law in respect of breach of confidence in England and Wales (see, for example, Lord Advocate v Scotsman Publications).

At paragraph 116 of his opinion, Lord Bannatyne observed “that given privacy is a fundamental right I think it highly likely that it exists in the common law of Scotland.” He also noted that it was “inherently unlikely” that Scottish and English law in relation to this fundamental matter are entirely different.

Finally, he considered that the existing case law in Scotland (to the extent that there is any) tended to support the view that such a right exists in the law of Scotland. He also found it “noteworthy” that none of the cases to which he was referred expressly or implicitly stated that there was no common law right to privacy in Scotland.

Lord Bannatyne went on to consider that the Petitioners could have “no reasonable expectation of privacy” flowing “from the attributes which arise as a result of their position as constables.” [para 166] It is not the case that police officers, as a result of their position, have no right to privacy at all, but, rather, that this right is limited. Lord Bannatyne opines that the limitation can be defined in the following way: “[i]f their behaviour in private can be said to be potentially in breach of the Standards in such a way as to raise doubts regarding the impartial performance of their duties then they have no reasonable expectation of privacy.” [para 168] A police officer, because of the attributes of a person holding the office of constable, is in a different position to an ordinary member of the public. [para 168]

The remaining issues that had to be dealt with by Lord Bannatyne were dealt with in comparatively short compass. Lord Bannatyne held that “there is a clear and accessible basis for the disclosure [by the police, as a public authority, to the professional standards branch of Police Scotland] in the circumstances of this case.” [para 192] He also held that the disclosure decision was not an arbitrary one. [para 192]

Lord Bannatyne also held that the interference was necessary, in accordance with Article 8(2) of the Convention. He did not agree that all of the matters listed in Article 8(2) were engaged, but did hold that ‘public safety’ and ‘the prevention and detection of crime’ were engaged. [para 198] In terms of the balancing exercise to be carried out, Lord Bannatyne considered that the balance was “heavily weighted on the side of disclosure” and he was “unable to identify a less intrusive measure which could have been used without unacceptably compromising the objectives [he had] identified.” [para 201]

Finally, in respect of interdict, Lord Bannatyne held that even if he had been with the Petitioners he would nevertheless have held that the Petitioners were not entitled to the interdict which they sought. [para 202]

This is an important case as it is the first time that a Scottish court has expressly declared that there is a common law right to privacy in Scotland. That, however, has to be tempered with the fact that it is a decision of the Outer House and therefore only of persuasive authority in the Court of Session and lower courts. A different Lord Ordinary (or a Sheriff) may ultimately reach a different conclusion (although I think that unlikely). Although the Petitioners were right on this point, they ultimately lost the case and the petition was refused. Therefore there may well be a reclaiming motion (appeal) to the Inner House, and this point may well be considered and decided upon by the Inner House. This would give us binding authority, which all the lower courts in Scotland would be required to follow, stating that there is a common law right to privacy in Scotland.

The decision will certainly add an additional tool to the armoury of individuals who are concerned about their privacy and breaches thereof; it will also be another angle which those advising on issues of privacy will have to consider. We may begin to see more cases proceed on the basis of a breach of the common law right to privacy as opposed to cases proceeding on breaches of Convention rights and data protection law.

Alistair Sloan

If you would like advice in connection with any privacy matter, or any other information law matter, contact our team on 0141 229 0880 or by E-mail. You can also follow our dedicated Information Law Twitter account.