Author Archives: Alistair Sloan

We don’t hold it…oh yes you do!

Dr Ian Graham v The Scottish Information Commissioner [2019] CSIH 57 is a rare decision of the Court of Session in an appeal against a decision of the Scottish Information Commissioner, the last one coming almost 12 months ago. The case was considered by the Second Division (with the bench comprising of the Lord Justice Clerk, Lord Malcolm and Lord Glennie) with Lord Glennie delivering the Opinion of the Court.

Before a Scottish public authority is required to release information, it actually has to hold it and information will not be held, according to the law, if it is held by the Scottish public authority on behalf of a third party. The question that was considered in the appeal by Dr Graham was on this fundamental point: whether the Scottish public authority held the information or not; and in particular whether information was held by a Council on behalf of a third party (in this case, the Returning Officer).

In January 2018, Dr Graham requested the following information from Aberdeenshire Council: (1) a list of the contracts called off by the council from the framework agreement, (2) invoice and order copies for each contract, (3) payment confirmation from the council of the invoices and (4) whether the council reclaimed the input VAT on the invoice. The framework agreement in question was for the provision of electoral services to the returning officer. In terms of the contract (and of importance for this appeal), the Council assumed obligations and liabilities under the contract and also had responsibilities and liabilities in respect of the procurement process.

Whilst the Council ultimately released information in relation to parts (3) and (4) of his request, initially the Council also claimed that it did not hold this information for the purposes of the Freedom of Information (Scotland) Act 2002 (“FIOSA”). The Council’s argument was that because a returning officer, although an official from within the council, was legally a separate entity from the rest of the council when acting in their capacity as returning officer, they only held the information on behalf of the returning officer and not in their own right. Dr Graham was dissatisfied with this and applied to the Scottish Information Commissioner for a decision on whether the Council had complied with its disclosure obligations under FOISA. The Commissioner upheld the Council’s decision, determining that the Council did not hold the information for the purposes of FOISA, but rather held it on behalf of the returning officer.

Counsel for the Appellant argued that the word ‘held’ was being submitted to too much scrutiny, as well as drawing attention to the spirit in which the FOISA had been made; that being to make information available to the public. Counsel contended that a liberal approach should be taken to the interpretation of this provision. Reference was made by the Appellant’s Counsel to University and Colleges Admission Service v Information Commissioner [2014] UKUT 0557 (AAC) and Common Services Agency v Scottish Information Commissioner 2008 SC (HL) 184. Counsel for the Appellant further drew upon University of Newcastle v Information Commissioner [2011] UKUT 185 (AAC) to demonstrate how a more common-sense approach was preferable. The broader interpretation of ‘held’ was further supported  by the decision of the Upper Tribunal in Department of Health v Information Commissioner where it was held that a ministerial diary was ‘held’ by a department purely as a historical record for reference purposes. With reference to the current case, he ultimately claimed that the differentiation between the council holding the information for itself or on behalf of the returning officer was immaterial and indeed that both conditions could be fulfilled simultaneously in the present circumstances; with the fine-tooth investigation of the council election laws amounting to little more than prevaricating.

The Court allowed Dr Graham’s appeal, emphasising that “that the relevant provisions of FOISA should, so far as possible, be interpreted in a manner consistent with the policy of the Act, namely the desirability of making information available to the public, all in the interests of promoting open, transparent and accountable government.” [15] The court also held “that the words and expressions used in the Act should, so far as possible, be given their ordinary and natural meaning” and that “[t]here should be no scope for the introduction of technicalities, unnecessary legal concepts calculated to over-complicate matters and, by so doing, to restrict the disclosure of relevant information.” [15].

The Court approved of and agreed with the reasoning given by the Upper Tribunal at paragraphs 21-22 of its decision in University of Newcastle. In essence, a Scottish public authority will hold information if it has more than a de minimis interest in the information. That is to say, it will only fall outside of the scope of FOISA if it has “no (or no material) interest of its own” in the information. [18] As a result of the Court’s decision, it reduced the Commissioner’s decision and remitted the matter back to him so that he could reconsider Dr. Graham’s application in light of its opinion.

The effect of this decision should be to widen the scope of information that is available to the public under FOISA. Scottish public authorities and the Commissioner will be required to take a more holistic approach in future to deciding whether information is only held by the Scottish public authority on behalf of a third party. A more practical approach requires to be taken than simply looking at whether the Scottish public authority and the third party are separate entities from one another; consideration must be given to the underlying factual matrix. The opinion of the Court also re-iterates previous comments by the courts that the Act should be interpreted in a way that isn’t too complex or technical.

Our Alistair Sloan acted for the successful appellant in this case, instructing John MacGregor, Advocate.

Danny Cummins (Trainee Solicitor)

If you would like advice or assistance in respect of a Freedom of Information matter or a data protection/privacy issue then contact us on 0141 229 0880 or you can send us an E-mail.

Penalty Notices and Notices of Intent

Yesterday there was a great deal of excitement as some news outlets reported that British Airways had been fined £183m by the Information Commissioner’s Office. It became apparent fairly quickly that this wasn’t what had happened and that we are still waiting for the Commissioner to issue the first “penalty notice” for a breach of the General Data protection Regulation.

What did come to light yesterday was that the Commissioner had issued a notice of intent to British Airways giving them notice that she intends on issuing a penalty notice in the sum f £183m. This is not the first time where news of a notice of intent has resulted in reporting that the Commissioner had actually issued a financial penalty. The last time was when she issued Facebook with a notice of intent in respect of a pre-GDPR breach (a penalty was subsequently served on Facebook in the sum of £500,000 and that penalty is currently the subject of an appeal to the First-Tier Tribunal).

There is quite a bit of difference between a notice of intent and a penalty notice (formally known as a monetary penalty notice in the Data Protection Act 1998) and they shouldn’t be confused with one another. So, given the confusion, I thought I might write a brief guide to the process adopted in the UK in respect of administrative fines under the GDPR and the Law Enforcement Directive.

The process essentially begins with the Commissioner opening an investigation. This could be as a result of a mandatory breach notification by the controller, a complaint made by a data subject or  it having come to the attention of the Commissioner in some other way (for example, via the media). The Commissioner then enters into an information gathering phase, and she has the power to compel (subject to appeal and some other limited exceptions) data controllers to provide her with information by issuing an information notice should data controllers refuse to engage with her office.

At some stage the Commissioner will decide whether enforcement action is appropriate in the particular case. There will have been a dialogue of sorts going on between the Commissioner’s office and the controller during the information gathering phase. A financial penalty is not the only option available to the Commissioner. If the Commissioner decides that an administrative fine (in GDPR language, or “penalty notice” in the language of the Data Protection Act 2018 (“DPA2018”)) might be the appropriate means to deal with the breach, then she is required by Paragraph 2(1) of Schedule 16 to the DPA2018 to the to give written notice to the controller of her intent to do so; this is known as a “notice of intent”. This notice must contain certain information, which is set out in paragraph 3 of Schedule 16 to the DPA2018.

The notice of intent is an important step because, by virtue of paragraph 3(4) of Schedule 16, the notice of intent must contain details of a period in which the controller can make written representations to the Commissioner; this period must not be less than 21 days. The Commissioner is prohibited from serving a penalty notice until this period has expired (paragraph 4(1) of Schedule 16). Furthermore, before deciding to issue a penalty and before finally deciding upon the amount of any penalty, the Commissioner must consider any written or oral representations made by or on behalf of the controller (paragraph 4(2) of Schedule 16).

Essentially, the notice of intent forms part of the due process of law. The Commissioner sets out in the notice the basis upon which she believes a penalty notice is appropriate and the proposed amount of the penalty notice. The controller then has an opportunity to make its case to the Commissioner and put forward a legal or factual case which:- (a) argues that no penalty notice should or can be given; (b) challenges proposed findings in fact contained within the notice of intent; and/or (c) challenge the proposed amount.

When the commissioner issues a notice of intent, she (and her office) must continue to have an open mind. It is not simply a tick-box exercise; it is an important part of a formal legal process. The Commissioner must be open to being persuaded by the controller that she is wrong in any of the matters set out in the notice of intent; including, being persuaded that the legal tests for issuing a penalty notice has not been met.

A notice of intent is certainly not (or shouldn’t be) a guarantee that a penalty notice will follow, or that it will be in the amount specified in the notice of intent. It is no more than a formal document giving notice to a controller of the Commissioner’s intentions and forms part of the legal process for issuing an administrative fine.

Once a notice of intent has been served by the Commissioner, she is normally required to issue the penalty notice within 6 months (paragraph 2(2) of Schedule 16); this includes the time permitted for written, and where applicable, oral representations. However, this period can be extended where the Commissioner and the controller agree (paragraph 2(3) of Schedule 16)

Appeals
Unlike a notice of intent, a penalty notice is subject of a right of appeal to the First-Tier Tribunal. In such an appeal all of the relevant factual and legal matters are reconsidered by the Tribunal. The Tribunal is empowered to uphold the penalty notice, modify the penalty notice or quash the penalty notice. Thereafter, there are appeals (but not as of right, only with permission) to the Upper Tribunal and the courts on points of law. Failures within the notice of intent procedure would give rise to grounds of appeal in respect the penalty notice. Depending upon the nature of the defects they could ultimately lead to the Tribunal quashing the Penalty Notice.

“One Stop Shop”
One final thing of note is that the Information Commissioner is acting as the “lead supervisory authority” in the British Airways matter; this is a mechanism which exists in the General Data Protection Regulation and applies so long as the United Kingdom remains a member of the European Union. Other supervisory authorities from elsewhere in the EU will also have the opportunity to comment on the Commissioner’s enforcement action in this case. This is an important aspect to note in relation to all enforcement action, not just penalty notices. Before taking a final decision in the British Airways case the Information Commissioner will have to circulate a draft of her decision to those other supervisory authorities, who are then permitted to make comments; the Commissioner must take these comments into account. This mechanism applies where there is cross-border processing taking place (see Article 4(23) of the General Data Protection Regulation for a definition of “cross-border processing”), which was the case in repsect of the British Airways data breach.

Alistair Sloan

We are able to assist data subjects, controllers and processors with data protection law matters, as well as a range of other information law concerns. If you would like to speak to us about an information law matter, then please contact our team on 0141 229 0880 or by E-mail.

Dealing with vexatious FOI Requests

The call for views by the Public Audit and Post-Legislative Scrutiny Committee of the Scottish Parliament (“the Committee”) in respect of its post-legislative scrutiny of the Freedom of Information (Scotland) Act 2002 (“FOISA”) ended on 21 June 2019 (having been extended a couple of times). One of the issues that came up on a number of occasions in the Committee’s discussions and evidence sessions prior to formally deciding to undertake post-legislative scrutiny of FOISA was the issue of vexatious requests. This issue has come up again in a number of responses to the call for views provided by Scottish public authorities (but certainly not all those Scottish public authorities that submitted responses).

It does seem as though Scottish public authorities, generally, are fairly poor at utilising section 14 of FOISA, which provides that a Scottish public authority does not need to comply with a request for information where it is vexatious. The Scottish Information Commissioner has also expressed the view that authorities are not utilising the available provisions within FOISA to deal with vexatious requests, such as at an evidence session before the Committee on 10 January 2019 [pdf].

The response of by Glasgow City Council [pdf] provides an example of a single requester who has made around 100 FOI requests on a related topic. It strikes me that requests from this particular requester on this particular topic could very well fall within the ambit of section 14 (although, I make that comment with only that information which is available from Glasgow City Council in its response). While the law requires the request to be vexatious, rather than the requester themselves, it is permissible to look at the requester’s conduct towards, previous correspondence with and previous requests to the authority in determining whether a particular request that has come in is, in fact, vexatious. This is something that Scottish public authorities seem to struggle with and often seem look at a particular request in isolation and not necessarily consider the wider background and context.

The leading case on section 14 of FOISA, Beggs v Scottish Information Commissioner, was only decided at the end of 2018 and therefore prior to that there was no authoritative guidance on the application of section 14 of FOISA. However, the Scottish Information Commissioner and Scottish public authorities have looked to Dransfield v Information Commissioner to help with the application of section 14 of FOISA. In Beggs the Inner House of the Court of Session essentially approved of the decision of the Court of Appeal in Dransfield. The decision in Beggs is, subject to any appeal to the UK Supreme Court, binding authority on the operation of section 14 of FOISA. Scottish public authorities can therefore look to both the Judgment of the Court of Appeal in Dransfield and the opinion of Lord Brodie in Beggs for guidance on section 14 of FOISA and how to apply it in appropriate cases.

The Court of Appeal and the Inner House of the Court of Session have both stressed that the right of access to information is a constitutional one and so the bar for engaging section 14 is a high one. However, it is clear that the bar is not so high so as to be impossible to meet in practice.

Section 14 of FOISA allows Scottish public authorities to consider matters that would not normally be relevant to FOI requests, such as the identity of the requester and their motives. Scottish public authorities (and indeed, public authorities working under the Freedom of Information Act 2000) should remember that they can look at a requester’s motives; for example, a malicious motive can be an indicator that a request is vexatious (but is not necessarily evidence that the request is, in fact, vexatious): Beggs at paragraph 33. Equally, the absence of a malicious motivation is not necessarily evidence that the request is not vexatious.

A person’s previous dealings with an authority can be relevant as can their other FOI requests: if a person is showing signs of obsessive behaviour, then that could be an indicator that the request is vexatious. The authority needs to look at the request objectively, in the surrounding circumstances, and come to a judgement as to whether the request is vexatious. However, it will need to remember to have evidence to support its conclusion in case the requester makes an application to the Commissioner challenging the application of section 14 by the authority.

Perhaps there is concern within authorities about getting it wrong and having a section 14 refusal overturned by the Commissioner; however, we can only learn from doing and from our mistakes. There are 96 decision notices on the Scottish Information Commissioner’s website relating to section 14(1) of FOISA (the specific part of section 14 that deals with vexatious requests). This number does seem to be rather small given that wide opinion coming from Scottish public authorities over many years that vexatious requests are a particular problem. Over 50 of those decision notices find entirely in favour of the authority and a good number are classified as partially upheld (many of which appear to have included technical defaults by the authority). It is clear that where a Scottish public authority appropriately deploys section 14 in respect of vexatious requests, the Commissioner will uphold that decision.

It certainly does seem to be the case that Scottish public authorities are reticent to utilise section 14 of FOISA. Perhaps, it is because they do not fully understand the scope of section 14 or are unsure about its precise application – it can potentially be used in a wide variety of circumstances. Scottish public authorities could certainly be using section 14 much more frequently than what they are at present and they should seek to become much more confident in using section 14. Indeed, a majority of the examples that I have seen emanate from Scottish public authorities, which they put forward as examples of problems that they are facing which cannot be dealt with by the application of section 14; most probably could, in fact, have been dealt with by the application of section 14. The same level of reluctance is not obviously present in respect of those authorities subject to the Freedom of Information Act 2000.

Alistair Sloan

If you are a requester or a public authority who would like advice or assistance in regards to freedom of information law then contact our team on 0141 229 0880 or by E-mail. We are also able to assist with a range of other information law matters.

Privacy, the common law and Scotland

In a recent opinion from Lord Bannatyne (B C and Others v Chief Constable Police Service of Scotland and others [2019] CSOH 48), sitting in the Outer House of the Court of Session, we have the first express statement that there is a right of privacy at common law in Scotland. Traditionally in Scotland, privacy law has been dealt with through the European Convention on Human Rights, the Human Rights Act and data protection law.

This case involved a number of police officers who are facing disciplinary proceedings by the Police Service of Scotland for alleged misconduct which is founded upon a number of messages sent via WhatsApp. The messages came into the possession of the professional standards department having been discovered on the phone of an officer who was being investigated in connection with alleged sexual offences.

The messages in question were characterised by Senior Counsel for the Police Service of Scotland in her written submissions as being “on any view, blatantly sexist and degrading, racist, anti-semitic, homophobic, mocking of disability” and included “a flagrant disregard for police procedures by posting crime scene photos of current investigations.” [para 166] Lord Bannatyne believed that it was “a characterisation which a reasonable person having regard to the content of the messages would be entitled to reach. I conclude that the content of the messages can be regarded as potentially informing the issue of breach of Standards in circumstances calling into question the impartial discharge of the petitioners’ duties.” [para 166]

In terms of the common law right to privacy, the starting point for Lord Bannatyne was the relationship between the Human Rights Act 1998 and the Common Law. He quoted Lord Reid, with approval, in R (Osborn) v The Parole Board at paragraph 57 of that judgment. From that passage Lord Bannatyne concluded that if the right to privacy exists at common law, Article 8 of the convention does not supersede it. Lord Bannatyne noted that the European jurisprudence could be used to help inform and develop a common law right to privacy.

He then went on to ask whether there was a justification for a right to privacy in the common law. He cited, with approval, the words of Lord Nicholls at paragraph 12 of the judgment in Campbell v MGN Ltd. Lord Bannatyne thought that the right to privacy could “be described as a core value and one which is inherent in a democratic and civilised state.” [para 106]. He continued:

“[it] seems to flow from the centrality of the role of privacy in a democratic society and particularly in a society where electronic storage of information and electronic means of intrusion into the private lives of a citizen by government, private organisations and individuals are growing exponentially the common law should recognise the right to privacy.” [para 107]

Lord Bannatyne considered that the English authority on the point was of assistance. In England and Wales the common law on privacy has been developed in the context of the development of the law on breach of confidence. Scotland also has a concept of breach of confidence, which is a well understood remedy and it has been explicitly accepted previously that the law in Scotland in respect of breach of confidence is the same as the law in respect of breach of confidence in England and Wales (see, for example, Lord Advocate v Scotsman Publications).

At paragraph 116 of his opinion, Lord Bannatyne observed “that given privacy is a fundamental right I think it highly likely that it exists in the common law of Scotland.” He also noted that it was “inherently unlikely” that Scottish and English law in relation to this fundamental matter are entirely different.

Finally, he considered the existing case law in Scotland (to the extent that there is any) tended to support the view that such a right exists in the law of Scotland. He also found it “noteworthy” that none of the cases to which he was referred expressly or implicitly stated that there was no common law right to privacy in Scotland.

Lord Bannatyne went on to consider that the Petitioners could have “no reasonable expectation of privacy” flowing “from the attributes which arise as a result of their position as constables.” [para 166] It is not the case that police officers, as a result of their position, have no right to privacy at all, but, rather, that this right is limited. Lord Bannatyne opines that the limitation can be defined in the following way: “f their behaviour in private can be said to be potentially in breach of the Standards in such a way as to raise doubts regarding the impartial performance of their duties then they have no reasonable expectation of privacy.” [para 168] A police officer, because of the attributes of a person holding the office of constable, is in a different position to an ordinary member of the public. [para 168]

The remaining issues that had to be dealt with by Lord Bannatyne were dealt with in, comparably, fairly short compass. Lord Bannatyne held that “there is a clear and accessible basis for the disclosure [by the police, as a public authority, to the professional standards branch of Police Scotland] in the circumstances of this case.” [para 192] He also held that the disclosure decision was not an arbitrary one. [para 192]

Lord Bannatyne also held the interference was necessary, in accordance with Article 8(2) of the Convention. He did not agree that all of the matters listed in Article 8(2) were engaged, but did hold that ‘public safety’ and ‘the prevention and detection of crime’ were engaged. [para 198] In terms of the balancing exercise to be carried out, Lord Bannatyne considered that the balance was“heavily weighted on the side of disclosure” and he was “unable to identify a less intrusive measure which could have been used without unacceptably comprising the objectives [he had] identified.” [para 201]

Finally, in respect of interdict, Lord Bannatyne held that even if he had been with the Petitioners he would nevertheless have held that the Petitioners were not entitled to the interdict which they sought. [para 202]

This is an important case as it is the first time that a Scottish court has expressly declared that there is a common law right to privacy in Scotland. That, however, has to be tempered with the fact that it is a decision of the Outer House and therefore only of persuasive authority in the Court of Session and lower courts. A different Lord Ordinary (or a Sheriff) may ultimately reach a different conclusion (although, I think that unlikely). Although, the Petitioners were right on this point, they ultimately lost the case and the petition was refused. Therefore there may well be a reclaiming motion (appeal) to the Inner House and this point may well be considered and decided upon by the Inner House. This would give us binding authority which all the lower courts in Scotland would be required to follow stating that there is a common law right to privacy in Scotland.

The decision will certainly add an additional tool to the armory of individuals who are concerned about their privacy and breaches thereof; it will also be another angle which those advising on issues of privacy will have to consider. We may begin to see more cases proceed on the basis of a breach of the common law right to privacy as opposed to cases proceeding on breaches of convention rights and data protection law.

Alistair Sloan

If you would like advice in connection with any privacy matter, or any other information law matter; contact our team on 0141 229 0880 or by E-mail. You can also follow our dedicated Information law twitter account.

Domestic CCTV and Data Protection

There was a time where CCTV systems were of a very poor quality and were rather expensive and were therefore limited to commercial premises. However it is now possible to get reasonably good quality CCTV cameras for less than £20 and as such there has been a steady rise in the number of homeowners installing CCTV cameras to help with home security.

Article 2 of the General Data Protection Regulation (GDPR) sets out the Regulation’s material scope; it includes a carve-out for processing of personal data “by a natural person in the course of a purely personal or household activity.” This replicates the language of the Directive which the GDPR replaces and which was reflected in section 36 of the Data Protection Act 1998 (the “domestic purposes” exemption).

On the face of it a home operated CCTV system seems to fall squarely within the scope of the carve-out for personal and household activities in Article 2 of the GDPR; however, the case law which interpreted the old Directive adds some complexity to matters. The placing of a home CCTV system is of particular importance; in particular, what is caught by the camera. If the camera is placed incorrectly then it can result in individuals falling outside of the carve-out in Article 2 of the GDPR and becoming a controller; with all of the liability and responsibility that this entails.

Domestic CCTV can be particularly useful in situations where there are neighbour disputes or where there is allegations of harassment; however, equally these are situations where a particular risk in terms of data protection law enters into the equation.

The issue of the use of domestic CCTV is something that I am increasingly being asked to advise on by clients; both the owners of the CCTV system and their neighbours. Invariably, there are issues that require to be resolved about the use of the domestic CCTV systems in these circumstances.

The matter has never been tested under the GDPR; however, given that the relevant provisions are substantially the same it seems likely that the cases decided under the older Directive and the now repealed Data Protection Act 1998 remain of relevance and will very likely be followed by the courts. Care should therefore be taken when installing domestic CCTV systems to ensure that you can continue to rely upon the domestic purposes exemption and not accidentally incur liability to third parties. People are becoming increasingly more privacy aware and concerned and as such it is becoming more important for domestic CCTV users to become aware of the limits of the domestic purposes exemption and how to avoid incurring liability under data protection laws.

Alistair Sloan

If you require advice and assistance in respect of the use of CCTV by individuals or business; or any other data protection or privacy law concern; then you can contact our team on 0141 229 0880 or by E-mail to info@inksters.com. You can also follow our dedicated information law twitter account for news and updates on a range of information law matters.

Cart before Horse

E.ON UK Plc v The Information Commissioner and Fish Legal [2019] UKUT 132 (AAC) is an appeal to the Upper Tribunal (Administrative Appeals Chamber) concerning an issue that doesn’t come up very often in information rights litigation: the Information Commissioner’s power to issue an Information Notice under section 51 of the Freedom of Information Act 2000 (“FOIA”).

The background to this appeal is a little convoluted, but of importance to understanding the issues and the decision of the Upper Tribunal. The solicitor of Fish Legal made a request for information to E.ON UK Plc seeking information from it. The information sought was environmental information and so the request fell to be dealt with under the Environmental Information Regulations 2004 (“EIRs”). E.ON UK Plc disputed that it was not a public authority and so did not issue a substantive response to the request. It became clear during the Commissioner’s involvement that the position of E.ON would be that, if it were a public authority, it did not hold the information.

As there was a dispute as to whether E.ON is a public authority, the Commissioner determined that she needed to resolve that issue first. If E.ON is not a public authority, then she had no jurisdiction to determine whether it held the information in question. After some exchange of correspondence between the Commissioner’s case officer and E.ON, an information notice was served on E.ON. The purpose of this Notice, we learn from the decision of the Upper Tribunal, was to assist the Commissioner in determining whether E.ON UK PLC is a public authority for the purposes of the EIRs.

E.ON appealed to the First-Tier Tribunal (Information Rights) against the information notice. It did so on two grounds: firstly, the decision to issue the information notice was unlawful because, as E.ON did not hold the requested information, it was pointless, disproportionate and academic. Secondly, the information requested in the notice was wholly or mainly in the public domain and so it was unlawful to issue an information notice to require E.ON to provide the information.

The First-Tier Tribunal heard argument and issued what it described as a decision on a preliminary issue, inviting written submissions from the parties as to how the remainder of the appeal should progress. E.ON appealed to the Upper Tribunal and its grounds of appeal are set out by the Upper Tribunal in paragraph 4 of its decision.

What is of most interest in this appeal was the position adopted by E.ON as to the Commissioner’s powers to determine whether the information was held or not. E.ON argued that the Commissioner could consider  whether a purported public authority held the information requested, before deciding whether it was reasonable and proportionate to issue an information notice seeking information to assist the Commissioner in deciding whether the purported authority is, in fact, a public authority. E.ON argued, essentially, that where a purported authority did not hold the information it was unlawful, disproportionate and unreasonable for the Commissioner to issue an Information Notice requiring a body to provide her with information to assist her in determining whether the purported authority was, in fact a public authority.

This argument was, ultimately, given short shrift by Upper Tribunal Judge Markus QC. The Upper Tribunal Judge considered that this “position would lead the Commissioner to a dead end” [47] as “[t]here is no statutory provision which could accommodate the outcome for which [Counsel for E.ON] contended, that being a decision by the Commissioner not to address the public authority question because there was no point in doing so.” [47] The outcome of the position advanced by E.ON before the Upper Tribunal would have simultaneously meant that the Commissioner could not have issued a decision notice under section 50 of FOIA that no information was held, because there was no decision that she had jurisdiction; she could not issue a decision on whether she had jurisdiction because it was pointless, and in any event she lacked the information she required to do so and she could not have refused a to make a decision under section 50 because none of the circumstances in section 50(2) of FOIA applied.

Upper Tribunal Markus QC remarks, paragraph 49 of her decision, that what the First-Tier Tribunal decided at paragraph 24 of its own decision was not that it was unable to decide any matter not determined by the Commissioner, but rather that the question whether the information requested by the applicant was held by the authority was irrelevant in an appeal against an information notice which was directed at establishing whether the Commissioner had jurisdiction. The question as to whether the information was held would be decided, if at all, if the Commissioner had jurisdiction to do so.

E.ON also tried to argue that the section 50 application by the applicant should be treated as being frivolous or vexatious by the Commissioner (thus giving her a reason under section 50(2) of FOIA to refuse to issue a decision notice). This, again, was also based upon E.ON’s position that it did not hold the information. E.ON seemed to be suggesting that it was frivolous or vexatious to press for the Commissioner to determine whether she had jurisdiction when the purported authority had demonstrated that it did not hold the information. The Upper Tribunal disagreed stating that “[t]here is nothing in this case which gets close to meeting the high standard set by vexatiousness” [61] (with reference to the principles set out in the Upper Tribunal and Court of Appeal in Dransfield v Information Commissioner and Devon CC).

What appears to have become lost in these appeal proceedings is that this is an appeal against an information notice and not an appeal against a decision notice. The Tribunal was not concerned with the substantive issue (whether or not E.ON had complied with its obligations under the EIRs, if it has any such obligation at all). E.ON, in this appeal, were getting ahead of themselves; or as the Commissioner reportedly put it “they were putting the cart before the horse”. The Commissioner had not made any decision on the issue (that would not stop the Tribunal considering it though if it were an appeal against a decision notice issued under section 50) as she had been unable to determine the preliminary issue of jurisdiction. The purpose of the Information Notice was to enable her to gather sufficient information to determine that issue.

The Commissioner simply does not, and this has been clear for some considerable time, have the power to determine a substantive issue (such as whether information is held) if she does not have jurisdiction. Where there is doubt about her jurisdiction, that matter has to be resolved by the Commissioner first. If the Commissioner is satisfied of her jurisdiction she will go on to consider the substantive issue (and the two matters will be dealt with in one decision notice dealing first with jurisdiction and then the substantive issue); if she determines that she has no jurisdiction she will issue a decision to that effect which can then be appealed in the normal way.

It remains to be seen whether the Commissioner’s Information Notice will survive; the First-Tier Tribunal has yet to consider all of the matters set out in the initial appeal by E.ON. Now that the Upper Tribunal has disposed of this appeal, the First-Tier Tribunal will now need to hear and determine the rest of the appeal.

Alistair Sloan

If you require advice and assistance with a Freedom of Information matter, or any other information law issue, contact our team on 0141 229 0880 or E-mail info@inksters.com.

Post-legislative scrutiny of the Freedom of Information (Scotland) Act 2002

The Public Audit and Post-Legislative Scrutiny Committee of the Scottish Parliament is currently calling for views on the operation of the Freedom of Information (Scotland) Act 2002 (“FOISA”) as part of its post-legislative scrutiny of FOISA. I have submitted a response to the Committee, which addresses five issues in respect of FOISA (and also touches, where applicable, on the Environmental Information (Scotland) Regulations 2004 (“the Scottish EIRs”)). You can read my full submission here [pdf], but below is a summary of what I have discussed in my submission to the Committee.

The first thing that I have suggested is a possible change to the code of practice issued by the Scottish Ministers under section 60 of FOISA to deal with concerns raised about the processing of personal data in connection with FOI requests. I have covered this issue in more detail on this blog before. In my response I have suggested that this issue is probably best addressed through the code of practice rather than through a change to the wording of the Act.

I have also suggested that any concerns around a failure to make or keep records would not be an appropriate issue to address in the context of FOISA; however, it might be worthy of its own legislative project in the event that Parliament considered that this was an issue. This arises out of concerns expressed that FOISA has resulted in records not being made or kept so as to avoid the need to disclose them. I argue that it is inappropriate to bring this into FOISA; as FOISA has a different focus. FOISA is about giving a right of access to information that exists at the time it is requested and not about what information should be kept by Scottish public authorities. Furthermore, to introduce potentially detailed and technical rules around the making and keeping of records into FOISA could over-complicate FOISA.

I have also suggested that section 48 of FOISA be repealed; or, at least, amended. There is no equivalent provision within the UK Act and there doesn’t seem to be any issues under that legislative scheme that would suggest an outright ban on the Scottish Information Commissioner being able to look these requests is appropriate. Furthermore, it has a significant effect on requesters appeal rights and the alternatives available are not a proper substitute for an investigation by the Commissioner. In this context I also raised concerns about whether section 48 is compatible with our EU obligations as it also extends to requests made under the Scottish EIRs.

I have also suggested amending section 56 of FOISA so that appeals against decisions no longer go directly to the Court of Session. For quite a long time I have considered that this appeal route is prohibitive to most requesters and also to Scottish public authorities (especially smaller authorities with less in the way of financial resources). I’ve also suggested that this has affected the development of the law and Scotland lacks the same level of judicial authority in terms of what different parts of FOISA mean that exists under the UK Act. I’ve suggested, at the very least, appeals should be made to the new Upper Tribunal for Scotland in the first instance. I contrasted the Scottish appellate structure with that which applies under the UK Act. I have also suggested that the present appellate structure may mean that the law doe snot comply with EU law in respect of the Scottish EIRs.

Finally, I’ve also suggested that FOISA be updated to take account of advances in technology and in particular to allow the Scottish Information Commissioner to serve formal notices by E-mail rather than requiring them to be served by recorded delivery post (as is currently the case).

Alistair Sloan

If you would like advice or assistance in respect of freedom of information matters or any other information law matter then contact Alistair Sloan on 0141 229 0880 or by E-mail. You can also follow our dedicated information law twitter account.

Privacy v Freedom of Expression in the Court of Appeal

Last year, Mr Justice Arnold gave judgment in the interesting case of Ali & Aslam v Channel 5 Broadcasting. This case concerned the fly-on-the wall programme broadcast on Channel 5 called “Can’t Pay? We’ll take it away”; which follows the work of High Court Enforcement Officers as they enforce court orders relating to debt and housing matters. Mr Justice Arnold found Channel 5 to be liable to the Claimants in the sum of £10,000 each; holding that the Claimant’s rights to privacy outweighed the rights of Channel 5 in respect of freedom of expression and the public interest.

Both parties appealed to the England and Wales Court of Appeal; Channel 5 on the issue of liability and the Claimants on the grounds that the damages awarded were insufficient. In a judgment given on 16th April 2019, the Court of Appeal (Irwin LJ, Newey LJ and Baker LJ) refused both appeals.

The Court of Appeal addressed the issue of liability first, before dealing with the appeal on quantum (the amount of damages awarded). The issue for the Court of Appeal was whether Arnold J had gone beyond what was justified in balancing the Claimants’ rights to privacy against Channel 5’s rights to freedom of expression; and as a consequence had made an error of law. The Court of Appeal held that Arnold J had taken “too narrow a view of what was in the public interest, effectively confining it to the High Court Process.” [74] The Court considered that Arnold J was wrong to conclude “that the publication of each specific piece of information in respect of which the Claimants had a legitimate expectation of privacy had to be justified as a matter of general public interest.” [74]

An interference with privacy which cannot be justified (logically or rationally) by reference to the public interest served by publication cannot be rendered lawful by editorial discretion. However, where there is a rational view by which publication can be justified in the public interest the courts should be slow to interfere, giving full weight to editorial discretion and knowledge.

Despite having some reservations about the treatment of the public interest issues in the judgment from Arnold J (in particular, the narrow approach taken to the public interests issues which arose), the Court refused the cross-appeal by Channel 5. The court had three principal reasons for doing so, set out in paragraphs 92-94 of its judgment. Those can be summarised as follows:

  1. Arnold J was clearly well aware of the relevant legal principles set out in the applicable case law.
  2. The Court of Appeal was satisfied that Arnold J was fully aware of the range of public interest issues raised in the programme; and
  3. The Court of Appeal was satisfied that while another judge might have reasonably found against the Claimants, it was not unreasonable for Arnold J to have found in their favour.

Turning to the appeal on damages, the first ground of appeal advanced essentially amounted to one that the level of damages awarded to each Claimant did not reflect the scale and nature of the publication. The second ground is that the judge was wrong to take into account the publication of the postings by the Ahmeds when setting the awards of damages for the publications by the Defendant. The third ground is that the judge wrongly failed to take into account the impact of the programme on the Claimants’ children.

All three grounds of appeal in respect of quantum were refused by the Court of Appeal. In respect of ground 2, the Court of Appeal noted that “[i]t must be obvious that the distress attributable to the programme was reduced because a number of people within the Claimants’ community or network were already aware of the broad events from the postings”. In respect of ground 3, the Court of Appeal considered that Arnold J had taken into account t he potential impact on the Claimants’ children.

On ground 1, the Court of Appeal distinguished against damages awarded in the case of phone hacking and the present case. They did so on the basis that in t he hacking cases those responsible for the hacking knew full well what they were doing was illegal; however, in the present case Channel 5 had taken steps to ensure that they remained within the law; including obtaining expert legal opinion. Furthermore, in the circumstances it was appropriate for Mr Justice Arnold to make an award of damages in the round.

There is some helpful guidance from the Court of Appeal on the issue of quantum in respect of breaches of privacy in the media sphere. In assessing quantum it is possible to look at issues in the round and reach a global figure of damages, rather than awarding damages identifiable to each issue. Furthermore, damages for cases of this kind cannot be calculated mathematically. Finally, an appellate court should not seek to interfere with an assessment as to quantum unless the damages awarded are so high or so low as to be perverse.

Alistair Sloan

If you would like advice or assistance in connection with a privacy issue, or any other information law matter; contact Alistair Sloan on 0141 229 0880. You can also send him an E-mail.

True Vision Productions & Bounty UK

The Information Commissioner has recently served two Monetary Penalty Notices (“MPNs”) that are worthy of some note. They were both issued for breaches which occurred prior to 25 May 2018 and are therefore both under the Data Protection Act 1998. This means that the maximum penalty in both cases was £500,000, rather than the larger penalties under the General Data Protection Regulation.

The first MPN [pdf] of the two MPNs that will be discussed in this blog was served on True Visions Productions (“TVP”) in connection with filming undertaken in a maternity unit operated by Cambridge University Hospitals NHS Foundation Trust (“CUH”).

Between July 2017 and 29 November 2019 TVP had placed static CCTV-style cameras with audio recording capabilities within three out of the four assessment rooms at the maternity unit. This was to gather footage for possible use in a television documentary on still births. The Commissioner accepted that there was a public interest in documentaries of this nature; however, she found that TVP had breach the first data protection principle in Schedule 1 to the Data Protection Act 1998.

TVP had not done enough to ensure that they had the explicate consent of those being filmed and there appeared to be no way for CUH staff to turn the cameras off. Therefore, if anyone did not wish to be filmed they would need to be seen in the one room without cameras; if that room was unavailable then the patient would have no choice but to be filmed. The fact that no human had access to the footage without first having the consent of the patient was insufficient: the recording and temporary storage of the footage was processing of personal data and would have required the Schedule 3 condition of explicate consent. Very little was done to bring the filming to the attention of patients; CUH staff were only required to answer questions if asked and there were notices placed in the premises along with information on tables; however, these were inadequate. TVP was served with a MPN in the amount of £120,000.

The second MPN of note is one served on Bounty (UK) Ltd in the amount of £400,000 [pdf]. Bounty UK gives itself the description of being a pregnancy and parenting support club. It provides information and markets services (including offers) to parents at different stages from pre-conception to pre-school. As part of this it distributes packs to new parents. The company also operates as a data brokering service and had previously also supplied data to third parties for the purpose of direct marketing by electronic means (although this apparently ended on 30 April 2018). Bounty collected personal data for the purpose of registering new members and did so in a number of ways, including directly from new mothers at their hospital bedsides.

Bounty had shared personal data with a range of organisations including a credit reference agency, a marketing and profiling agency and a telecommunications company; all for the purposes of direct marketing by electronic means. This related to about 14,300,000 unique individuals. Each record could be shared on multiple occasions. This was, apparently, all done on the basis that Bounty had obtained consent from the data subjects concerned.

The Commissioner found that Bounty had failed to comply with the fairness requirement within the first data protection principle in Schedule 1 to the Data Protection Act 1998. Bounty had not been transparent enough in providing information about the purposes for which personal data would be used. Bounty failed to process personal data fairly because they did not adhere to individual’s reasonable expectations of how their personal data would be used.

The consent apparently obtained by Bounty did not meet the requirements of the Data Protection Act 1998; it was neither specific nor informed.

Of course, both Bounty (UK) Limited and TVP have a right of appeal against the MPNs issued to them (both in terms of the decision to impose a penalty and the amount of that penalty). It remains to be seen whether either will seek to appeal to the First-Tier Tribunal.

Alistair Sloan

We are able to assist with a wide range of privacy and data protection matters. If you would like advice or assistance on these issues, or any other information law matter, contact Alistair Sloan on 0141 229 0880 or by E-mail. You can also follow our dedicated information law twitter account

Call for Views: Post-legislative scrutiny of the Freedom of Information (Scotland) Act 2002

In January it was announced that the Scottish Parliament’s Public Audit and Post-Legislative Scrutiny Committee would undertake formal post-legislative scrutiny of the Freedom of Information (Scotland) Act 2002. The Committee is now seeking views on the Freedom of Information (Scotland) Act 2002 and is inviting submissions to reach it by 5pm on Friday 10th May 2019. The call for views asks the following five questions:

  1. In your view, what effects has the Freedom of Information (Scotland) Act 2002 (FOISA) had, both positive and negative?
  2. Have the policy intentions of FOISA been met and are they being delivered? If not, please give reasons for your response.
  3. Are there any issues in relation to the implementation of and practice in relation to FOISA? If so, how should they be addressed?
  4. Could the legislation be strengthened or otherwise improved in any way? Please specify why and in what way.
  5. Are there any other issues you would like to raise in connection with the operation of FOISA?

It is not necessary to answer all five questions and the Committee is also inviting other information relevant to the remit.

Once the Committee has received the written evidence, it will consider it all and will thereafter decide who it wishes to take oral evidence from. It is expected that the oral evidence sessions will take place towards the end of the year.

Alistair Sloan

We are able to provide advice and assistance in connection with a range of Freedom of Information matters, including appeals against decisions of both the Scottish and UK Information Commissioners.  If you would like to do discuss a Freedom of Information, or any other Information Law, matter with us then you can contact Alistair Sloan on 0141 229 0880.  Alternatively, you can send him an E-mail.