Category Archives: Freedom of Information

Scottish Information Commissioner’s 2017/18 Annual Report

Friday 28 September 2018 was International right to Know Day, a day designed to highlight the public’s right to know and to campaign for FOI laws. Scotland has had Freedom of Information laws in place since January 2005 and a similar statutory regime entered into force on the same date for information held by UK public bodies. The Scottish Information Commissioner used International right to Know Day to launch his office’s annual report [pdf].

In 2017/2018 the Commissioner’s office received a total of 507 appeals, up from 425 in 2016/2017 (but not the highest number received in any one year). Of the appeals that were received the vast majority (75%) were classed by the commissioner’s office as coming directly from individuals with the media accounting for 11% and commercial/private enterprises accounting for 3%.

In terms of which public authorities have their responses appealed to the Commissioner; local authorities still make up the largest percentage (although there was a fairly significant decrease in the percentage share of appeals from the previous year). Local authorities are followed the Scottish Government and its agencies and the police.

30% of the appeals made to the Scottish Information Commissioner were deemed to be invalid appeals; that is to say they were appeals that the Commissioner’s office could not investigate. The annual report reveals that among the most common reasons why an appeal was not valid are that the applicant had not made a request for review to the Scottish public authority (an appeal can only be made to the Scottish Commissioner after the Scottish public authority has reviewed its initial decision or failed to carry out a review of its initial decision that has been requested) and that the timescales for making FOI appeals within the Act had not been met. Requesters should remember that they should make requests for review within 40 working days of the date that the authority issued its response or the date that it should have responded where no response has been received. Furthermore, it should be remembered that appeals to the Commissioner should normally be made within 6 months of the date on which the authority responded to the review request or, where no response has been recieved to a request for an internal review, within 6 months of the date that the authority should have responded to the internal review.

Failure to respond appeals, that is an appeal which concerns a failure by an authority to respond to a request and/or request for review, continue to be a problem. In 2017/18 19% of the appeals handled by the Commissioner concerned a failure to respond; this is down slightly from the 20% it was in 2016/17, but is up from the 16% figure in 2015/16. These are fairly clear-cut appeals as an authority has either responded within the statutory timeframe not and they should be appeals that authorities can avoid fairly easily. No authority can be perfect 100% of the time and there will be cases where the inflexibility of the 20 working-day rule, in particular cases where the public interest is finely balanced or where third party consultation is required, will mean that breaches will occur; however, staying in contact with the requester can help to avoid these appeals even where the authority is technically in breach of the law.

Of the decisions made by the Commissioner in response to appeals under section 47 of the Freedom of Information (Scotland) Act 2002, 65% resulted in a decision which was wholly or partially in favour of the requester.

Some interesting enforcement matters from within the report which are worthy of mention include:

  • Highland Council was issued with an Information Notice when it delayed in providing information to the Commissioner’s Office which was required in order to enable the Commissioner to investigate an appeal made to him by a requester.
  • The Commissioner also highlights that his office considered referring East Dunbartonshire Council to the Court of Session for failing to comply with one of his decisions (but in the end, it would appear that, such a step ultimately proved unnecessary).
  • The Commissioner refers to his high profile level 3 intervention in respect of the Scottish Government’s performance and culture in respect of FOI, which is still ongoing.
  • A less profile level 3 intervention by the Commissioner was the ongoing intervention in Police Scotland, which is now in the monitoring phase after an action plan was agreed between Police Scotland and the Commissioner. There were concerns about searching for and locating information to respond to information requests as well as concerns around record-keeping.
  • Two independent schools (which had become subject to FOI following the last extension of the Act by the Scottish Ministers) were subject to level 4 interventions where they had failed to adopt publication schemes as required by section 23 of the Freedom of Information (Scotland) Act 2002.

The Commissioner’s report makes reference to three Court of Session cases in respect of decisions that it had made, one of which Inksters were instructed in by one of the parties. The number of appeals against decisions of the Scottish Information Commissioner remain particularly low (both appeals taken by requesters and Scottish public authorities); whether this is because the Commissioner’s office is doing a good job in terms of interpreting the Freedom of Information (Scotland) Act 2002 and the Environmental Information (Scotland) Regulations 2004, or whether it has more to do with the significant costs to be faced by requesters and Scottish Public Authorities who decide to take an appeal to Scotland’s highest civil court is a matter which is very much open for debate.

There is lots of other useful information with the Commissioner’s annual report, but at the risk of this blog post becoming too unwieldy I shall leave it there.

Alistair Sloan

Whether you are a requester or a public authority we can provide you with advice and assistance on Freedom of Information matters. Contact Alistair Sloan on 0141 229 0880 or you can send him an E-mail. You can also follow our dedicated twitter account on information law matters.

 

Personal Data and FOI: to anonymise or not to anonymise

I recently wrote a blog post covering the release of third party personal data under freedom of information laws in both Scotland and the rest of the UK. Requests which seek the release of third party personal data, or where information within the scope of a FOI request constitutes the personal data of a third party, are the most common examples of where freedom of information and data protection overlap; however, they are not the only examples.

On Friday of last week, the Herald contained a piece covering calls which had been made to anonymise FOI requests which are sent to government advisers. These calls follow on from some high profile disagreements between the Scottish Government and journalists. The allegations levelled against the Scottish Government is that ministers and their advisers are having undue influence over what information is and is not released under the Freedom of Information (Scotland) Act 2002; in particular where the request comes from a journalist. The Scottish Information Commissioner is currently carrying out an “intervention” which is looking at this matter alongside one which has a wider remit in relation to the Scottish Government’s handling of FOI requests. It is understood that the Commissioner’s Office will report its findings of these interventions in the next month or so.

These wider issues are not, however, the focus of this blog post. Rather, the focus of this blog post relates to the call to anonymise FOI requests in this way and whether this is a practice that public authorities ought to be following in any event.

The General Data Protection Regulation and the Data protection Act 2018 now govern how organisations, such as public authorities, process personal data. Reducing the data protection framework down to its most basic requirement, data controllers should not be processing the personal data of a data subject unless they have a lawful basis to do so.

When a public authority circulates a request for information, or a proposed response to a request for information, that is not stripped of the personal data of the requester then that would amount to the processing of personal data of which the requester is the data subject. What is the lawful basis of processing in Article 6 of the GDPR which enables the public authority to process the requester’s personal data in that way?  Clearly there is a need for the requester’s personal data to be processed in order to enable the response to be issued to the requester and there will no doubt be some central record which records who has made FOI requests, what the request was for and what the outcome of the request was – if only to enable the authority to respond to an internal review, appeal to the Commissioner or appeal to the tribunal/courts.

The Authority cannot possibly have the consent of the data subject to process their personal data by circulating it around the authority. Consent cannot be inferred in the way that would be necessary in order to rely upon consent. There’s no contract with the data subject which would require the processing of their personal data in this way.

Answering a FOI request is a legal obligation on behalf of the public authority, but is it necessary to provide the name of the requester to the department(s) who need to search for the information or to an official or adviser who is having in put into the response? Probably not, especially when set against the ‘applicant blind’ way in which FOI requests are supposed to be dealt with. Is it necessary in order to protect the vital interests of the data subject or of another natural person? I’d have thought it unlikely. Again, it’s unlikely to be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Finally, it’s unlikely that it would be necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

In short, it’s unlikely that it is necessary for those searching for the information or considering the proposed response to know who the requester is. There are, of course, situations where a different course might be required. For example, if considering refusing the request on the grounds that it is vexatious under section 14 of the Freedom of Information (Scotland) Act 2002 or section 14 of the Freedom of Information Act 2000; it will often be necessary to speak with other areas of the organisation, especially persons responsible for handling complaints. In such circumstances it would be necessary for those being consulted to know the identity of the requester, otherwise the evidence required in order to justify reliance upon the vexatious provisions could not be gathered.

In normal circumstances, public authorities should probably be removing personal data such as a requester’s name, place of work and job title (where included) from a request before sending it out to those who need to perform searches for information or those who, in accordance with the authority’s internal procedures, need to approve responses before they’re issued. Only where the identity of the requester is directly relevant to the response, such as where consideration is being given to refusing the request on the grounds that it is vexatious, should the identity of the requester be disclosed otherwise it may amount to a breach of data protection law.

It may be relevant at this juncture to look, briefly, at the applicant blind requirement of freedom of information law. The applicant blind requirement is not specifically provided for within the relevant legislation; however, it has been understood for some considerable time that requests ought to be dealt with in a way that means that they are applicant blind.  The applicant blind requirement is often largely over-stated.  There are clearly situations where the applicant’s identity will be relevant; for example is it a request for that person’s own personal data or is it a vexatious/repeated request or are you aware of any disability which may mean that you need to make reasonable adjustments in terms of the Equality Act 2010?  If public authorities applied the applicant blind requirement absolutely and slavishly, it would cause difficulties in those situations and also in others.

The purpose of the applicant blind test is to ensure that, other than where the exemption necessitates it, the requester’s identity does not form part of the decision in whether to apply an exemption or in the application of the public interest balancing test. Anonymising FOI requests when they go out to the wider organisation or to selected individuals for comment/approval assists to ensure that the applicant blind aspect of the FOI regime is also complied with.

Alistair Sloan

If you require advice and assistance in connection with a freedom of information or data protection matter then contact Alistair Sloan on 0141 229 0880. Alternatively you can send Alistair and E-mail.

The Tension Continues: GDPR, FOI and EIRs

An exemption that is frequently deployed by Scottish public authorities is the exemption in section 38 of Freedom of Information (Scotland) Act 2002 (along with its corresponding exception in the Environmental Information (Scotland) Regulations 2004, regulation 11) which relates to personal data; both the personal data of the requester themselves as well as the personal data of third parties.  Data protection law is changing later this month and as a consequence section 38 (as well as Regulation 11 of the Environmental Information Regulations) will also see some amendment.

The Data Protection Bill proposes amendments to both the Freedom of Information (Scotland) Act 2002 (“FOISA”) as well as the Environmental Information (Scotland) Regulations 2004 (“the Scottish EIRs”).  The Bill is still making its way through the UK Parliamentary procedure and is due to have its third reading later today (9 May 2018) and, subject to completing its passage through Parliament in time, will come into force on 25 May 2018.  There are currently no amendments tabled in the Commons ahead of the Bill’s third reading that would affect the relevant provisions in the Bill, but it is important to bear in mind that until the Bill completes its journey through the various stages of the legislative process it can be amended – even if it passes the Commons today, it still has to go back to the House of Lords and could become locked in a game of ping-pong between to the Commons and the Lords during which time it could be further amended.  However, it seems unlikely that there will be any changes to the relevant provisions within the Bill.

Schedule 18 to the Bill proposes the amendments that should be made to a wide range of primary and secondary legislation, both reserved and devolved.  Paragraphs 88-90 of Schedule 18 (as it stands at the time of writing) contain the amendments that will be made to section 38 of FOISA; meanwhile paragraphs 292-294 of Schedule 18 contain the amendments that will be made to the Scottish EIRs.

The Office of the Scottish Information Commissioner has published, in draft form, updated guidance on the application of section 38 to take account of the GDPR and the expected amendments to the relevant parts of FOISA and the Scottish EIRs. As it is still in draft form, anybody relying upon it (requester or public authority) should continue to monitor it to ensure that it has not been updated.

The proposed amendments to FOISA and the Scottish EIRs look, on the face of it, quite significant.  However, the addition of a lot of text to section 38 and regulation 11 does not necessarily mean that there will be a drastic change in practice on the ground.  One thing that public authorities should be aware of is the proposed subsection (5A) to section 38 and the proposed paragraph (7) of regulation 11.  These proposals will have the effect of re-instating the ‘legitimate interests’ condition for lawful processing where public authorities are considering the release of third party personal data under the FOISA or the Scottish EIRS.

In short, what this will mean is that public authorities will be able to consider legitimate interests in the same way as they do now under condition 6 of schedule 2 when dealing with FOI requests under either regime.  Had it not been for these proposed provisions then the GDPR might well have had a significant impact upon the release of third party personal data under FOISA and the Scottish EIRs; it would have had the effect of removing the processing condition mostly relied upon when releasing third party personal data in response to FOI requests.  It should be noted that Schedule 18 to the Data Protection Bill proposes re-instating the legitimate interests condition in respect of the release of third party personal data under the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 (see, as at the time of writing, paragraphs 58 and 289 of Schedule 18 respectively).

There is very little difference between condition 6 of Schedule 2 to the Data Protection Act 1998 and the legitimate interests condition in Article 6 of the GDPR and in practical terms there is almost no difference at all.  The only real area where there may be some difference is where the third party personal data is that of a child where Article 6(1)(f) of the GDPR instructs data controllers to have particular regard to the interests and fundamental rights and freedoms of data subjects who are children.  In reality, the fact that a data subject is a child is likely to always have been a factor that has been taken into consideration when undertaking the balancing exercise required by Condition 6 of Schedule 2 and so even to this extent there is unlikely to be much in the way of change.

Of course, the provisions are untested and the Commissioner and courts could take a different view, but in my view we are likely to see the release of the same sorts of third party personal data under FOISA and the Scottish EIRs after the GDPR as we do now.  Furthermore, there is the question as to whether the re-introduction of legitimate interests for FOI purposes is lawful in terms of EU law.  Article 85 of the GDPR does require Member States to reconcile the right to protection of personal data under the GDPR with the right to freedom of expression and information.  Whether the UK Government’s method of reconciling the two, by effectively disapplying the prohibition on public authorities relying upon legitimate interests in respect of the performance of their tasks, is permitted by EU law is something we might need to wait to discover (then again, the UK might not be in the EU long enough for that matter to be determined – but that’s a whole different issue).

In conclusion both requesters and public authorities should familiarise themselves with the amended section 38 and regulation 11.  In practice not much, if anything, is likely to change when it comes to the releasing of third party personal data under FOI laws (both Scottish and UK regimes). However, public authorities and requesters should keep a close eye on the decisions of both the Scottish and UK Information Commissioners as well as the First-Tier Tribunal, Upper Tribunal, English and Welsh Court of Appeal, the Court of Session and the UK Supreme Court.

Alistair Sloan

If you require any assistance with any Freedom of Information or Data Protection/Privacy law matter you can contact Alistair Sloan on 0141 229 0880 or by E-mail.  We also have a twitter account dedicated to information law matters from across the UK.

Crossroads: where data protection and freedom of information intersect

The laws relating to freedom of information and those relating to privacy and data protection often come into conflict with one another.  One issue which arises often for those who are responsible for answering freedom of information requests is whether or not to disclose personal data of third parties which is caught up within the information that has been requested.  This is an area that has been the subject of much litigation both under the Scottish and UK FOI laws; indeed, cases have gone from Scotland all the way to the UK Supreme Court (this might be because there are fewer levels of appeal to go through in Scotland and until very recently Scottish litigants did not need the permission of the Court of Session or the Supreme Court to take an appeal there).

One area which is perhaps the most contentious of all is where the personal data in question relations to civil servants.  The generally accepted position has been that in most cases the personal data of junior civil servants will be redacted while personal data relating to senior civil servants is more likley to be disclosed.  This position, however, is one that has never really had any scrutiny from the superior courts; that is until now.  On 6th April the Upper Tribunal (Administrative Appeals Chamber) made its decision in Cox v Information Commissioner and Home Office [2018] UKUT 119 (AAC).  Judge Wikeley records that to the best of his knowledge Cox was “the first occasion on which the Upper Tribunal has had to consider in any depth the issue of the principles governing the disclosure of the names of individual civil servants in response to a request under FOIA.” [32]

In this appeal the Appellant, Mr Cox, is concerned with the development of Government policy and its application in relation to migration from the Horn of Africa.  The Appellant made a request for information to the Home Office pursuant to his right of access to information within the Freedom of Information Act 2000.  His request for information sought details concerning meetings between civil servants from the Home Office and government officials from countries within the region.  In particular, the Appellant sought the dates of the meetings, names of all those who were present at the meetings and also the notes of such meetings.

There were two issues in the appeal, but this blog post only focuses on the first of those issues; that being the disclosure of the names of civil servants.  The Home Office had refused to disclose the names of three civil servants who had formed part of the UK’s delegation to Eritrea in December 2014 (they were referred to as J, L and N during the course of the proceedings before the First-Tier Tribunal).  The Information Commissioner had agreed with the Home Office and found that the Home Office had complied with the requirements of the Freedom of Information Act 2000 in withholding the names under section 40(2) of the Act.

The UK and Scottish provisions in respect of personal data are the same (although, in the Scottish Act the exemption can be found within section 38 of the Freedom of Information (Scotland) Act 2002).  Personal data of third parties is exempt under FOI law where to release the personal data would amount to a breach of the data protection principles.  When third party personal data is involved in an FOI request the sixth condition in Schedule 2 to the Data Protection Act 1998 comes into play.  This condition requires there to be a balancing exercise undertaken between the rights of the data subject and the rights of the person who is seeking disclosure of the personal data.

In South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55 (a case which involved the disclosure of pay scales within the Council in connection with matters concerning equal pay), Lady Hale observed that the sixth condition in Schedule 2 required that three discrete questions are asked and answered:

  1. Is the data controller or the third party or parties who whom the data are disclosed pursuing a legitimate interest of interests?
  2. Is the processing involved necessary for the purpose of those interests?
  3. Is the processing unwarranted in the circumstances by reason of prejudice to the rights and freedoms or legitimate interests of the data subject?

The first hurdle for a requester to get across in seeking to have third party personal data, including the names of civil servants, disclosed under FOI laws is that they are pursuing a legitimate interest. It is clear from the authorities that there is no inherent interest in the release of civil servants’ names: “[t]here is no reason why the general transparency values underpinning FOIA should automatically create a legitimate interest in disclosure under the DPA.” [42] (see also Department of Health v Information Commissioner and Lewis [2017] EWCA Civ 374)  What needs to be assessed is “the legitimate interests of the individual requester, and not the more abstract legitimate interests of the public at large”. [43]  If the decision-maker, whether that be the public authority, commissioner or courts/tribunals, is not satisfied that there is no legitimate interest being pursued by the requester, then they do not need to go any further as the sixth condition would not apply (see the comments of Judge Jacobs giving the decision of the Upper Tribunal in Information Commissioner v (1) CF and (2) Nursing and Midwifery Council [2015] UKUT 449 (AAC) at paragraph 19 in particular).

When the personal data exemptions are in play they represent an exception to the general proposition that the FOI process is applicant blind (i.e. that the applicant doesn’t play a part in determining whether information ought to be released or not); other exceptions include, for example, the vexatious provisions and the aggregation provisions within the appropriate limit regulations.  Judge Jacobs, at paragraph 30, in IC v CF & NMC (above) said that it “is impossible to apply paragraph 6(1) without having regard to the identity of the applicant, the interest pursued by the request and the extent to which information is already potentially available to the public.”

Each case will, of course, turn on its own facts.  Many of the factors which go into determining whether third party personal data ought to be released is specific to the facts and context. However, I suggest that we can draw some clear principles from the case law to date:

  1. When determining the legitimate interests part of the test; there is no public benefit legitimate interest – reference must be had to who is making the request and why they are making the request;
  2. The balancing exercise required to be undertaken when applying condition 6 of Schedule 2 is not the same balancing exercise that is completed when undertaking the public interest balancing exercise;
  3. FOI rights do not take precedence over privacy and data protection rights;
  4. When it comes to the personal data of civil servants; there is no hard rule that the personal data (including names) of senior civil servants will always be disclosed and likewise there is no hard rule that the personal data (including names) of junior civil servants will always be redacted; it is a decision that is both fact-specific and context-specific

The decision in Cox is of course one that is not binding on the Scottish Information Commissioner, but it is binding upon the First-Tier Tribunal and the UK Information Commissioner.  It essentially approves of the way in which public authorities and both commissioners have been handling these issues to date and so we’re unlikely to see anything change as to how the tension between FOI laws and the data protection laws is resolved.

The Data Protection Bill will (when it is finally passed and eneacted) amend both the Freedom of Information Act 2000 and the Freedom of Information (Scotland) Act 2002 to reflect the General Data Protection Regulation; the provisions look a bit unwieldy, but in reality they are unlikely to change very little in terms of day-to-day practice.

Alistair Sloan

If you require advice and assistance on any aspect of freedom of information or data protection and privacy law then you can contact Alistair Sloan on 0141 229 0880; alternatively you can contact him directly be E-mail.  We have a Twitter account dedicated to information law issues , which you are welcome to follow.

The National Security Blanket has been Shrunk

On 2nd January 2018 the Upper Tribunal (Administrative Appeals Chamber) (consisting of Charles J, Lane J and Anne Chafer)  published an important decision [pdf], dated 14th December 2017, on the application of the exemption in section 23 of the Freedom of Information Act 2000.

The exemption in section 23 relates to information supplied by, or relating to, bodies dealing with security matters.  Subsection (3) provides a list of 15 bodies to which the exemption applies; including the Security Service (MI5), the Secret Intelligence Service (MI6), the National Crime Agency (NCA) and the Government Communications Headquarters (GCHQ).  The actual exemption is contained in Section 23(1) and provides that:

Information held by a public authority is exempt information if it was directly or indirectly supplied to the public authority by, or relates to, any of the bodies specified in subsection (3).

Background

The decision is worth reading in full, but the essential background to the decision is as follows.  On 21st August 2015 the Royal Air Force carried out a precision air strike in Syria utilising a remotely piloted aircraft (commonly referred to as a ‘drone strike’).  The strike took place in the Syrian city of Raqqa and the target was 21 year-old Reyaad Khan, who was born in Cardiff, and had featured in a ‘recruitment video’ produced by ISIS (also known as IS, Dahesh or ISIL).  The strike killed the intended target along with two other ISIS fighters, one of whom was also British.

On 7th September 2015 the then Prime Minister, David Cameron, made a statement to the House of Commons.  In his statement to the House, Mr. Cameron provided details on the operation which had taken place in August 2015 in Raqqa.  The Upper Tribunal’s written reasons for its decision quote extensively, at paragraph 10, from Mr. Cameron’s statement to the House.  It also quotes an exchange between Mr. Cameron and the then acting leader of the Labour Party, Harriet Harman MP (paragraphs 11 and 12).

In compliance with the United Kingdom’s obligations in terms of Article 51 of the UN Charter, the UK’s Permanent Representative to the United Nations wrote to the President of the Security Council informing the President that the UK had undertaken the 25th August 2015 operation and that this was in “exercise of the inherent right of individual and collective self-defence.”  The Upper Tribunal have quoted further from that letter in paragraph 13 of its decision.

There is much more to the background which can be dealt with in this blog post; however, it is comprehensively set out in the Upper Tribunal’s decision.  It is suffice to say that Freedom of Information requests were made by the appellants to the Attorney General’s Office (AGO) and to the Cabinet Office.  These requests were refused by the public authorities and, in three decisions dated 30 August 2016, the Information Commissioner upheld the decisions of the AGO and the Cabinet Office.  The appellants appealed to the First-Tier Tribunal (Information Rights) and the appeals were transferred to the Upper Tribunal in terms of Rule 19 of The Tribunal Procedure (First-Tier Tribunal) (general regulatory Chamber) Rules 2009 – which allows appeals to the First-Tier Tribunal against decisions of the Information Commissioner’s office, amongst others, to be transferred to and be determined by the Upper Tribunal instead of the First-Tier Tribunal; essentially the appeal ‘leap-frogs’ the First-Tier Tribunal.

Section 23 of FOIA

Section 23 of FOIA is an absolute exemption, which means that it is not necessary for the public authority to consider where the public interest rests between maintaining the exemption and disclosure.  It was designed to ensure that there was no backdoor route to gaining access to information held by the security services under FOIA.  The security services are not public authorities for the purposes of FOIA and this exemption ensures that information which is supplied by, or relates to, one of the security bodies in section 23 cannot be obtained from a public body which is a public authority for the purposes of FOIA.  A similar exemption, but not identical, can be found at Section 31 of the Freedom of Information (Scotland) Act 2002.

The Upper Tribunal’s decision

The Tribunal’s starting position seems to have been that FOIA provides a right of access to information rather than documents.  When responding to an FOI request, a public authority does not need to supply a copy of the document which contains the requested information (although, in practice an authority will provide the document – redacted where necessary).  The request can be complied with by extracting the information from the document or other records held by the authority (APPGER v ICO and FCO [2015] UKUT 0377 (AAC)).  This seems to be a key pillar of the Upper Tribunal’s decision in Corderoy and another v The Information Commissioner and others.

The Upper Tribunal has in this case qualified a statement that was made in the decision of the Upper Tribunal in the APPGER case.  In the APPGER case, the Upper Tribunal stated that “…information, in a record supplied to one or more of the section 23 bodies for the purpose of the discharge of their statutory functions, is highly likely to be information which relates to an intelligence or security body and so exempt under section 23.”  The Respondents in the present case appear to have relied upon this position to argue for a very broad interpretation of section 23.  The Appellants however argued that the absolute exemption in section 23 would prevent disclosure under FOISA unless:  (a) the legal analysis to found the view that he policy decision was lawful can be disaggregated and provided in an intelligible form; and (b) any such disaggregated information falls outside the scope of section 23.

The Appellants were interested in the legal advice which underpinned the Government’s policy decision.  They argued that if this information could property be removed from the documents supplied to the section 23 bodies, and that information itself was not provided by, or related to, a section 23 body, then section 23 did not preclude disclosure and the information instead had to be considered under the qualified exemptions in sections 35(2) and 42 of FOIA (relating to the formulation of government policy and legal advice).

The Upper Tribunal eventually concluded that, while the information in question was clearly of interest to the section 23 bodies; Parliament did not intend, when enacting Section 23(1), for the exemption to apply to information simply because it might be of interest to the section 23 bodies.  The information in question in the present case was concerned with, and confined to, the question as to whether the Government’s policy was lawful.

The Upper Tribunal then went on to consider the public interest arguments, deciding that the public interest rested in maintaining the alternative qualified exemptions rather than in disclosure.  The Upper Tribunal held that it was not necessary for the Government’s legal advice to be shared in order to enable a debate on the lawfulness of the Government’s position to take place; indeed, a considerable debate had already taken place on the issue without the information.

Criticism of the Information Commissioner’s Investigations

The Upper Tribunal also took issue with the way in which the Information Commissioner had conducted her investigations into the complaints made by each of the appellants.  The Information Commissioner had proceeded on the basis of assurances given by the AGO and the Cabinet Office that the information was exempt under section 23(1) of FOIA rather then exercise her statutory powers to require the AGO and Cabinet Office to provide her with the information in question for her consideration.

The Upper Tribunal was extremely critical of this approach by the Commissioner.  The Commissioner did modify her position before the Upper Tribunal; however, the Upper Tribunal remained extremely critical.  At paragraph 95 of its decision, the Upper Tribunal stated:

We acknowledge the resource difficulties of the Information Commissioner but we consider that the course adopted here of effectively permitting the other tow Respondents to be the decision-maker on the challenge to their stance of the application of the absolute exemption in section 23 is unfair.

The Upper Tribunal went on to state in paragraph 97 of its decision that:

If the relevant public authority wishes to avoid a consideration of the relevant documents and so information and disaggregation issues, we have not thought of any circumstances in which it could rely on an assurance rather than a certificate given pursuant to s. 23(2) that can be appealed under section 60.

A certificate under section 23(2) is signed by a Minister of the Crown certifying that the information to which the certificate applies was directly or indirectly supplied by, or relates to, any of the bodies specified in section 23(3) is conclusive evidence of that fact.  The conclusiveness of the certificate is, however, subject to section 60 of FOIA which allows the Commissioner or any requester who is affected by the certificate to appeal the certificate to the First-Tier Tribunal.  The Tribunal can, if it decides that the information in question is not covered by section 23(1), quash the certificate.

Such a certificate may not ultimately prevent the First-tier Tribunal from carrying out the exercise that the Upper Tribunal ultimately carried out in this case, but it does prevent the Commissioner from doing so as the Commissioner is bound to rely upon such a certificate as being conclusive evidence of the application of section 23(1).

Comment

This was an important decision of the Upper Tribunal which clarifies the scope of Section 23(1) of FOIA and which also makes it clear how the Commissioner should conduct her investigations where a requester is challenging the application of section 23(1) of FOIA, but where no Minister of the Crown has signed a certificate pursuant to Section 23(2) of FOIA.

The Upper Tribunal has provided for a more defined exemption rather than for the blanket approach that was being taken by the Respondents.  What can be taken from this case is that information which may be of interest to those bodies listed in section 23(3) of FOIA, and thereby relate to them, will not automatically engage the exemption in section 23.

The Upper Tribunal’s comments on the way in which the Information Commissioner conducted her investigations in relation to these complaints are also of note, and indeed of wider importance.  It is clear that the Upper Tribunal expects the independent regulator to be independent (perhaps not an unsurprising conclusion); in this case it appears that she did not act as independently as she should have.  It was not appropriate for the Commissioner to rely on assurances given by the public bodies concerned and she ought to have required that a copy of the disputed information be provided to her for her consideration or a certificate issued pursuant to section 23(2) of FOIA.  While sympathetic to the pressure on resources that the Commissioner was experiencing, this did not provide an excuse to her for failing to properly investigate an area of contention between the requesters and the public authorities (and indeed between the public authorities themselves, who arrived at the same conclusion but for different reasons).

Alistair Sloan

We have experience of appeals against decisions of the UK Information Commissioner to the First-Tier and Upper Tribunals and also of handling appeals against decisions of the Scottish Information Commissioner.  If you would like to discuss a Freedom of Information matter with Alistair Sloan then you can contact him on 0345 450 0123 or send him an E-mail.

Registered Social Landlords and FOI

Yesterday, the Scottish Government began a consultation on legislation to formally designate Registered Social Landlords (RSLs) as Scottish public authorities for the purposes of the Freedom of Information (Scotland) Act 2002 (“FOISA”).  The draft Order being consulted on proposes a commencement date of 1st April 2019.

This is not an unexpected development in the field of information law.  In December 2016 the Scottish Government consulted on the principle of designating RSLs as public authorities for the purposes of FOISA.  It has been widely anticipated that RSLs would be designated as a public authority for the purposes of FOISA.

A designation as a public authority for the purposes of FOISA will have ramifications for RSLs beyond the obvious need to comply with FOISA and being under the regulatory oversight of the Scottish Information Commissioner.  It will also have implications for RSLs in respect of how they implement the General Data Protection Regulation (“GDPR”), which becomes applicable from 25th May 2018.

There are a number of aspects of the GDPR which are directed towards public bodies.  The Data Protection Bill currently before the UK Parliament defines what a public body is for the purposes of the GDPR.  Clause 6 of the Bill provides that a body which is designated as a Scottish public authority for the purposes of the FOISA is a public body.  This will mean that RSLs will have to appoint a Data Protection Officer; even although many of them would not have had to before this decision was taken by the Scottish Government.

It also has implications for the grounds upon which they can legitimately process personal data.  Processing of personal data for the purpose of pursuing a legitimate interest of the controller is permissible under the GDPR.  However, the GDPR goes on to provide that public bodies cannot rely upon legitimate interest as a ground of processing in performance of their tasks.  Therefore, any RSL that has been preparing for the GDPR on the basis that they will be able to process personal data on the legitimate interests ground will have to re-evaluate its processing of personal data ahead of its designation as a public authority for the purposes of FOISA.

It is worthy of note, simply for interest, that the Data Protection Bill proposes giving the Secretary of State the power to make regulations which state that a public body is not in fact a public body for the purposes of the GDPR.  However, there has been no indication that the Secretary of State intends on making use of this power or how the power is intended to be used; therefore, it is probably advisable not to work on the basis that a RSLs will be declared not to be public bodies for the purposes of the GDPR.

Another possible implication for RSLs is in relation to the Environmental Information (Scotland) Regulations 2004 (“the EIRs”).  The Scottish Information Commissioner has already previously decided that RSLs are public authorities for the purpose of these regulations, which govern access to environmental information.  The Housing (Amendment) (Scotland) Bill may have implications for the basis upon which the Commissioner concluded that RSLs were a public authority for the purposes of the EIRs.  If it does, there may be a gap where RSLs are not public authorities for the purposes of EIRs.  Once they become designated as a public authority for the purposes of FOISA, they will automatically become a public authority for the purposes of the EIRs as well.

Alistair Sloan

If you would like advice or assistance in respect of a freedom of information or data protection matter then contact Alistair Sloan on 0345 450 0123.  Alternatively, you can send him an E-mail.

FOISA Vexatious decision notice appealed to Court of Session

Section 14 in both the Freedom of Information Act 2000 (“FOIA”) and the Freedom of Information (Scotland) Act 2002 (“FOISA”) enable an authority not to comply with a request for information that is vexatious.  What is meant by vexatious in Section 14 of FOIA has been the subject of litigation all the way to the Court of Appeal and the leading authority is Dransfield and another v The Information Commissioner and others [2015] EWCA Civ 454; [2015] 1 WLR 5316.  However, there has not yet been any litigation in Scotland on the meaning of vexatious within Section 14 of FOISA; the Scottish Information Commissioner’s guidance [pdf] on the subject appears to draw heavily on the Dransfield decision.

Those who make a point of reading the Scottish Information Commissioner’s regular round-ups of decisions will note that the most recent one informs us of an appeal to the Court of Session against a decision of the Scottish Information Commissioner which upheld the authority’s use of Section 14.  If the appeal proceeds, it will be the first time that the Scottish courts will have considered Section 14 of FOISA.

It will be interesting to see whether the Court of Session adopts the Dransfield position, or whether it takes a different approach to vexatious requests in Scotland.  If the Court of Session does publish an Opinion, we will of course cover it on this blog.

Alistair Sloan

We are able to provide advice and assistance in connection with a range of Freedom of Information matters, including appeals against decisions of both the Scottish and UK Information Commissioners.  If you would like to do discuss a Freedom of Information, or any other Information Law, matter with us then you can contact Alistair Sloan on 0345 450 0123.  Alternatively, you can send him an E-mail.

More is less and less is more

On 30th October 2017 the First-Tier Tribunal (Information Rights) promulgated its decision in McGoldrick v The Information Commissioner; the Tribunal’s decision made two points which it is worth considering.  The request for information in question was made to HM Treasure concerning the Mersey Tunnels; the full terms of the request for information are set out in the Tribunal’s decision.

The first point relates to the use of section 12 of the Freedom of Information Act 2000 where some of the information that may fall within the scope of the request is likely to be environmental information; and the second is on the duty of a public authority to provide advice and assistance.

On the first issue, the Tribunal (at paragraph 12) states that it

“agrees with the Information Commissioner that the appellant’s request could cover both non-environment and environmental information, for the purposes of regulation 2(1)(c) but that it would defeat the purpose behind section 12 and regulation 12(4)(d) if a public authority were obliged to collate the requested information in order to ascertain what information fell under either FOIA or the EIR. We agree, therefore, that HM Treasury was correct to consider the request under section 12, even though it might include some environmental information.”

The Tribunal considers that it is appropriate for an authority to not separately identify environmental information and deal with that under the Environmental Information Regulations 2004 where there is a substantial volume of information which covers both environmental and non-environmental information.  It seems that the Tribunal is of the view that there is no need to issue a refusal notice citing Regulation 12(4)(b) [although the Tribunal refers to Regulation 12(4)(d), but this seems as though it may be a typographical error] where a request is going to exceed the appropriate limit and it is likely that there is going to be environmental information within the ambit of the request.

On the second issue, the Tribunal decided that, on the facts of the present case, that HM Treasure did not comply with its obligation to provide adequate advice and assistance and overturned the Commissioner’s decision that it had.  In this case, HM Treasure told the requester that he might like to consider refining his request by reducing the amount of information requested.  The Commissioner considered that such a suggestion was sufficient in order to discharge the authority’s duty to provide advice and assistance.

At paragraph 18 of the Tribunal’s decision it stated:

“Given the widespread nature of computer-driven searches for information in connection with FOIA requests, it is, we consider, reasonable to expect large, sophisticated organisations, such as HM Treasury, to point out to requesters how the most thorough search is likely to exceed the relevant financial limit under the Regulations made by reference to section 12, and to suggest a reformulation of the request in terms specific to computerised searches. Accordingly, if HM Treasury had asked the appellant to reformulate his request by reference to emails and documents containing both the terms “Mersey tunnel” and “toll”, the appellant may well have reformulated his request.”

The Tribunal appears to be suggesting that a large public authority may have to go a bit further than a smaller authority in order to discharge its duty to provide advice and assistance.  It appears that, in certain cases, it may be necessary for a public authority to not only suggest that a requester reformulate their request but rather to go further and actually suggest ways in which it could be reformulated; especially when computer-driver searches for information are involved.

This certainly does fit with the way in which the legislation has been drafted; Section 12(1) of the Freedom of Information Act 2000 does include “so far as it would be reasonable to expect the authority to do so” within its terms.  So, where an authority is issuing a refusal notice under Section 12 of the Freedom of Information Act 2000 authorities, especially larger ones, ought to consider whether they are capable of suggesting how a request could be refined, not just that the requester may wish to consider refining it.

Alistair Sloan

We are able to provide advice and assistance in connection with a range of Freedom of Information matters, including appeals against decisions of both the Scottish and UK Information Commissioners.  If you would like to do discuss a Freedom of Information, or any other Information Law, matter with us then you can contact Alistair Sloan on 0345 450 0123.  Alternatively, you can send him an E-mail.

FOI in Scotland in 2016/17: The Scottish Information Commissioner’s Annual Report

Margaret Keyes, Acting Scottish Information Commissioner chose yesterday, International Right to Know Day, to launch her office’s annual report [pdf] for the 2016/17 year.  The report finds that the public’s awareness of the right to ask and obtain information from public bodies is high, at 85%.

The Scottish Information Commissioner is a statutory office holder charged with enforcing the Freedom of Information (Scotland) Act 2002, the Environmental Information (Scotland) Regulations 2004 and the INSPIRE (Scotland) Regulations 2009.  The Commissioner’s office, amongst other things, investigates complaints made by individuals and organisations who have exercised their rights under these various pieces of legislation, but who are dissatisfied with how the Scottish public authority has handled their request.

In 2016/17 the Commissioner received a total of 425 appeals and issued a total of 252 formal, legally enforceable, decision notices.  Most of the appeals received related to requests made under the Freedom of Information (Scotland) Act 2002 with the remainder relating to requests which fell to be dealt with under the Environmental Information (Scotland) Regulations 2004.  The Commissioner received no appeals under the INSPIRE (Scotland) Regulations 2009 (although these Regulations are much more specialised and are probably only really of interest/relevance to a limited number of people).

There lies a right to appeal against formal notices issued by the Commissioner, including a formal decision notices, to the Court of Session.  A very small number of appeals were made to the Court of Session during the 2016/17 year, according to the Commissioner’s report (some of which Inksters were instructed in by the Appellant).

The Commissioner has a range of enforcement tools which can be deployed.  One of those is to issue an ‘enforcement notice’ which requires a Scottish public authority to take specified steps to comply with the legislation.  In 2016/17, the Commissioner issued four enforcement notices (which represented the first enforcement notices ever issued by the Commissioner).

Where the Commissioner reasonably requires information in order to (a) assess whether a Scottish public authority has complied, or is complying, with the legislation; or (b) assess whether a Scottish public authority has complied, or is complying, with the statutory codes of practice issued by the Scottish Ministers, the Commissioner can issue an Information Notice.  In 2016/17, the Commissioner issued 3 such notices.

The Commissioner’s decision notices are legally enforceable and where the Commissioner considers that a Scottish public authority is failing to comply with a decision notice the Commissioner has the power to certify this to the Court of Session.  The Court can ultimately, after making enquiries, deal with a Scottish public authority which has failed to comply with a decision notice as if they were in contempt of Court.  The Commissioner has never made such a certification, but the 2016/17 annual report reveals that the Commissioner came close to doing so during the course of that year.

On the whole it seems to have been a busy year for the Scottish Information Commissioner’s Office; although, the number of appeals received in 2016/17 was lower than in 2015/16.

Alistair Sloan

We are able to provide advice and assistance in connection with a range of Freedom of Information matters, including appeals against decisions of both the Scottish and UK Information Commissioners.  If you would like to do discuss a Freedom of Information, or any other Information Law, matter with us then you can contact Alistair Sloan on 0345 450 0123.  Alternatively, you can send him an E-mail.