True Vision Productions & Bounty UK

The Information Commissioner has recently served two Monetary Penalty Notices (“MPNs”) that are worthy of some note. They were both issued for breaches which occurred prior to 25 May 2018 and are therefore both under the Data Protection Act 1998. This means that the maximum penalty in both cases was £500,000, rather than the larger penalties under the General Data Protection Regulation.

The first MPN [pdf] of the two MPNs that will be discussed in this blog was served on True Visions Productions (“TVP”) in connection with filming undertaken in a maternity unit operated by Cambridge University Hospitals NHS Foundation Trust (“CUH”).

Between July 2017 and 29 November 2019 TVP had placed static CCTV-style cameras with audio recording capabilities within three out of the four assessment rooms at the maternity unit. This was to gather footage for possible use in a television documentary on still births. The Commissioner accepted that there was a public interest in documentaries of this nature; however, she found that TVP had breach the first data protection principle in Schedule 1 to the Data Protection Act 1998.

TVP had not done enough to ensure that they had the explicate consent of those being filmed and there appeared to be no way for CUH staff to turn the cameras off. Therefore, if anyone did not wish to be filmed they would need to be seen in the one room without cameras; if that room was unavailable then the patient would have no choice but to be filmed. The fact that no human had access to the footage without first having the consent of the patient was insufficient: the recording and temporary storage of the footage was processing of personal data and would have required the Schedule 3 condition of explicate consent. Very little was done to bring the filming to the attention of patients; CUH staff were only required to answer questions if asked and there were notices placed in the premises along with information on tables; however, these were inadequate. TVP was served with a MPN in the amount of £120,000.

The second MPN of note is one served on Bounty (UK) Ltd in the amount of £400,000 [pdf]. Bounty UK gives itself the description of being a pregnancy and parenting support club. It provides information and markets services (including offers) to parents at different stages from pre-conception to pre-school. As part of this it distributes packs to new parents. The company also operates as a data brokering service and had previously also supplied data to third parties for the purpose of direct marketing by electronic means (although this apparently ended on 30 April 2018). Bounty collected personal data for the purpose of registering new members and did so in a number of ways, including directly from new mothers at their hospital bedsides.

Bounty had shared personal data with a range of organisations including a credit reference agency, a marketing and profiling agency and a telecommunications company; all for the purposes of direct marketing by electronic means. This related to about 14,300,000 unique individuals. Each record could be shared on multiple occasions. This was, apparently, all done on the basis that Bounty had obtained consent from the data subjects concerned.

The Commissioner found that Bounty had failed to comply with the fairness requirement within the first data protection principle in Schedule 1 to the Data Protection Act 1998. Bounty had not been transparent enough in providing information about the purposes for which personal data would be used. Bounty failed to process personal data fairly because they did not adhere to individual’s reasonable expectations of how their personal data would be used.

The consent apparently obtained by Bounty did not meet the requirements of the Data Protection Act 1998; it was neither specific nor informed.

Of course, both Bounty (UK) Limited and TVP have a right of appeal against the MPNs issued to them (both in terms of the decision to impose a penalty and the amount of that penalty). It remains to be seen whether either will seek to appeal to the First-Tier Tribunal.

Alistair Sloan

We are able to assist with a wide range of privacy and data protection matters. If you would like advice or assistance on these issues, or any other information law matter, contact Alistair Sloan on 0141 229 0880 or by E-mail. You can also follow our dedicated information law twitter account

Call for Views: Post-legislative scrutiny of the Freedom of Information (Scotland) Act 2002

In January it was announced that the Scottish Parliament’s Public Audit and Post-Legislative Scrutiny Committee would undertake formal post-legislative scrutiny of the Freedom of Information (Scotland) Act 2002. The Committee is now seeking views on the Freedom of Information (Scotland) Act 2002 and is inviting submissions to reach it by 5pm on Friday 10th May 2019. The call for views asks the following five questions:

  1. In your view, what effects has the Freedom of Information (Scotland) Act 2002 (FOISA) had, both positive and negative?
  2. Have the policy intentions of FOISA been met and are they being delivered? If not, please give reasons for your response.
  3. Are there any issues in relation to the implementation of and practice in relation to FOISA? If so, how should they be addressed?
  4. Could the legislation be strengthened or otherwise improved in any way? Please specify why and in what way.
  5. Are there any other issues you would like to raise in connection with the operation of FOISA?

It is not necessary to answer all five questions and the Committee is also inviting other information relevant to the remit.

Once the Committee has received the written evidence, it will consider it all and will thereafter decide who it wishes to take oral evidence from. It is expected that the oral evidence sessions will take place towards the end of the year.

Alistair Sloan

We are able to provide advice and assistance in connection with a range of Freedom of Information matters, including appeals against decisions of both the Scottish and UK Information Commissioners.  If you would like to do discuss a Freedom of Information, or any other Information Law, matter with us then you can contact Alistair Sloan on 0141 229 0880.  Alternatively, you can send him an E-mail.

Personal data and FOI: the conflict continues

The interaction between freedom of information and data protection laws is one which often results in conflict. On the one hand there is a legislative scheme that operates to promote transparency, while on the other there is a legislative scheme that operates to protect personal data. FOI law essentially provides that information should be released unless there is a good reason not to; while data protection law says that personal data should not be processed unless there is a good reason to. Both have their complexities and those brief explanations do not adequately encapsulate them.

The decision of the Upper Tribunal in Information Commissioner v Halpin [2019] UKUT 29 (AAC) is an example of where the First-Tier Tribunal got it badly wrong when dealing with the legitimate interests ground for processing under the Data Protection Act 1998. The Respondent in this appeal, Mr. Halpin, had requested information from Devon Partnership NHS Trust concerning the training that two named social workers had undergone in respect of the Care Act 2014. When deciding whether to release personal data under FOI law there is essentially a three staged test which must be satisfied before the personal data can be disclosed; this test was set out clearly by the Supreme Court in South Lanarkshire Council v Scottish Information Commissioner.

Firstly, is a legitimate interest or interests being pursued by the controller, third party or parties to whim the personal data is to be disclosed? Secondly, if a legitimate interest has been identified, is the processing (by way of disclosure under FOI law) necessary for the purposes of those interests? Finally, if there is a legitimate interest and the processing is necessary for that legitimate interest, then the processing cannot be unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

The first ground of appeal for which permission was granted was in respect of the FTT’s treatment of the effect of disclosure of the information to the world at large; in particular that the FTT had not deal with this matter in substance. This is an issue that needs to be carefully considered: disclosure under FOI is not simply a disclosure to the individual requester; it is a disclosure to the whole world. This is an important factor in determining the necessity of the processing in pursuance of the legitimate interest concerned. It is also important in considering whether the processing (by releasing the information under FOI) is unwarranted.

Once the information is disclosed under FOI law it is disclosed in circumstances where the public authority loses control of the information concerned; there is no duty of confidentiality owed. Therefore, there is nothing that can be done in order to prevent further dissemination of the information.

Upper Tribunal Judge Markus QC states, at paragraph 20, that Mr Halpin’s lack of motivation to publicise the information is irrelevant to the question of assessing the potential impact of disclosure to the world at large. The motivation of the requester is only relevant to the first of the three stages of the test set out in South Lanarkshire Council v Scottish Information Commissioner (whether a legitimate interest exist); it is not relevant to the question of necessity or the final question of balancing the legitimate interests against the rights, freedoms and legitimate interests of the data subject.

Public authorities, and those advising them, should therefore ensure that, when considering the release of personal data in response to a FOI request, they do not become focused on the individual requester; it is essential to consider the wider world when undertaking this assessment. The motivations of the requester might well be wholly benign, but there are others whose motivation may not be so benign and will utilise the information for other purposes. Requesters should also bear this in mind; an individual requester might have a perfectly legitimate interest in the personal data and the necessity test might very well be met in their individual case; that is not enough. Due consideration has to be given to the wider impact of releasing information to the world; this is why consideration has to be given to whether the personal data can be obtained in another way as part of the necessity test (although, the existence of other means of obtaining personal data, other than by way of a FOI request, will not necessarily be determinative of the issue).

Alistair Sloan

We are able to provide advice and assistance to public authorities and requesters in connection with matters concerning Freedom of Information laws; if you would like advice and assistance in connection with these matters, or any other information law matter, please contact Alistair Sloan on 0141 299 0880 or by E-mail. You can also follow our dedicated Information Law Twitter account.

Information Notices: UKIP v Information Commissioner (Part 2)

Last year I blogged on UKIP’s appeal to the First-Tier Tribunal (Information Rights) (“FTT”) against an Information Notice issued by the Commissioner; the FTT dismissed UKIP’s appeal. UKIP sought (and was granted) permission to appeal to the Upper Tribunal. The Upper Tribunal has now issued its decision. The decision has not yet been published by HMCTS; however, the wonderful people at 11KBW have published it [pdf] on their Panopticon blog (you can read Robin Hopkin’s post on their blog here). If you can’t be bothered reading to the end; the spoiler is that UKIP’s appeal was also dismissed by the Upper Tribunal.

By the time that UKIP’s appeal came before the Upper Tribunal, there were four “heads of appeal”: (1) The FTT had erred in law in terms of its approach to the exercise of the Commissioner’s discretion in issuing the notice; (2) the FTT had erred in law in terms of the scope of the notice; (3) the FTT had erred in law in terms of the timeframe for the notice; and (4) the FTT had erred in law in terms of irrationality.

The first head of appeal related to whether or not the FTT was correct, in law, to conclude that the scope of the information notice was clear. Upper Tribunal Judge Wikeley, at paragraph 24, concluded that taking the first five paragraphs of the information notice together, they were sufficient to comply with the requirements in section 43(2)(b) of the Data Protection Act 1998 (“DPA98”). Judge Wikeley did concede that the FTT did not provide as full reasons as he had, but they were clear enough that the FTT was satisfied that the notice complied with the requirement in section 43(2)(b) of the DPA98. The Judge, again said (having said it previously in another case), that the FTT does not need to set out in detail “every twist and turn of its assessment of the evidence and its consequential reasoning.” It is enough that the decision shows that the FTT has applied the correct legal test and has explained its decision in “broad terms”.

The second head of appeal related to the period for which the Commissioner wanted information from UKIP. The notice made reference to the 2015 General Election, but then asked questions about the 2016 referendum of the UK’s membership of the European Union. The judge accepted “that some of the drafting of the information notice is not ideal.” The notice had used both the former and present tense; sometimes together as alternatives. The Upper Tribunal concluded that “on a fair and objective reading of the notice as a whole, the information sought was plainly not confined to the 2015 General Election; rather it related to the ongoing processing of personal data” and also noted that the notice “should not be read as if it were a criminal indictment.” [para 27].

The third head of appeal related to the Commissioner’s exercise of discretion. UKIP argued that the Commissioner should have used the ‘least restrictive’ means of obtaining the information that she wanted; in other words she could have and therefore should have simply written a further letter to UKIP. This submission was based on principles which were developed in the context of the legitimate interests ground of processing personal data in the DPA98; it was “inappropriate” to try and “read across” [para 29]. Further, UKIP argued that it did not have the resources to provide a satisfactory response to the Commissioner’s initial letter: this was given short shrift by the judge.

The final head of appeal was that the Tribunal’s final decision was irrational in legal terms. The FTT had started out by giving a provisional view that the notice lacked clarity in its scope, but ended up concluding that it was, in fact, clear. Again, the judge accepted that the FTT’s reasoning was “sparse”, but nonetheless concluded that it was “sufficient.” [para 34]

Therefore, UKIP’s appeal was dismissed and the information notice, once again, stands. It will need to be complied with, subject to any further appeal, within 30 days of the Upper Tribunal’s decision being sent to the parties.

One final point is worth noting; the Upper Tribunal comments that, like a decision notice issued pursuant to section 50 of the Freedom of Information Act 2000, the Commissioner cannot vary an information notice once it has been issued: the commissioner can, unlike a decision notice, cancel the notice and re-issue a fresh notice. That is a consequence of the statutory framework: the statute gives the Commissioner the power to cancel a notice and makes no mention of varying (however, the statute does make mention of the Commissioner being able to vary other notices). In the circumstances an information notice cannot be varied once it is issued; if there is a problem with it then the notice must be cancelled by the Commissioner and a fresh notice issued. The same, in my view, would hold true for information notice issued under the Data Protection Act 2018. The statute provides that the Commissioner can cancel a notice, but makes no mention of varying the notice (whereas, she can vary, for example, an enforcement notice – the statute expressly provides for that in section 153).

From this decision we can take the following:-

  1. An information notice does not need to give a detailed statement as to why the Commissioner requires the information requested in the notice.
  2. The commissioner’s drafting of information notices gets a pass, but could be better.
  3. The commissioner doesn’t need to utilise less intrusive methods of obtaining information instead of exercising her discretion to issue an information notice.
  4. A controller’s lack of resources is not a reason why the Commissioner should not issue an information notice (indeed, it may even be a reason in favour of exercising discretion to issue an information notice).
  5. The FTT is not bound by a preliminary view it expresses and can change its mind.
  6. The Commissioner cannot vary an information notice should there be a problem with it: only cancel it and issue a fresh notice.

Alistair Sloan

If you require advice or assistance in respect of a privacy/data protection, or any other information law, matter then contact Alistair Sloan on 0141 229 0880 or you can send him an E-mail. You can also follow our dedicated information law twitter account.

Data Protection and Brexit: Changes to UK law (Part 1)

This is the first in a series of blog posts that I intend on doing over the next period which look at some of the changes to the GDPR and the Data Protection Act 2018 that will be brought about by the withdrawal of the United Kingdom from the European Union. In my 2018 information law review, published in January, I noted that the UK Government had published The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (Draft). These regulations, made pursuant to the powers conferred upon the Government in terms of the European Union (Withdrawal) Act 2018, make significant changes to the GDPR and the Data Protection Act 2018 in order to ensure that they both still work and make sense once the UK has withdrawn from the European Union. They will not enter into force until “exit day”.

Representatives
Currently any controller or processor (excluding those who fall within limited exceptions) established outside of the EU require to appoint a representative within the EU as a point of contact for data subjects and the supervisory authorities. The draft 2019 Regulations will amend this requirement so that any controller or processor not established in the United Kingdom will be required to appoint such a representative within the United Kingdom. This will apply to controllers and processors based in EU and EEA states after “exit day”. Therefore it is important that EU and EEA businesses who are not established with the UK, but collect personal data of data subjects in the UK, turn their minds to appointing such a representative within the UK in time for exit day.

Equally, it should be noted that UK businesses currently do not need to appoint such representatives within the EU/EEA because the UK is an EU member. When the UK leaves the European Union it will be necessary for UK businesses to comply with Article 27 of the EU GDPR; therefore, a representative within one of the 27 EU member states will need to be appointed.

Adequacy decisions
Under the GDPR the European Commission has the power to make adequacy decisions. These are decisions which allow the flow of personal data to a territory (or a part of a territory or sector within a territory) outside of the EU. The draft 2019 Regulations will insert new provisions (sections 17A and 17B) into the Data Protection Act 2018 establishing a very similar regime which will allow the Secretary of State to make “adequacy regulations” these will function in much a similar way. It is probably quite likely that one of the first adequacy regulations to be made will specify that the EU and EEA states have an adequate level of personal data protection.

The UK, upon exit day, will fall outside of the European Commission agreements and adequacy decisions (such as the EU-US “safe harbour” agreement). Similar agreements will need to be agreed with the UK. Controllers who currently rely on adequacy decisions of the Commission will need to think about how they will comply with UK data protection law in respect of international transfers of personal data, post-brexit.

Standard data protection clauses
Under the GDPR the European Commission has the power to adopt standard data protection clauses which, if used, will give an adequate level of protection for personal data when that personal data is transferred to a non-EU member state.

The draft 2019 Regulations will insert a section 17C into the Data Protection Act 2018, which will give the Secretary of State the power to make regulations specifying “standard data protection clauses which the Secretary of State considers provide appropriate safeguards for the purposes of transfers of personal data to a third country or an international organisation in reliance on Article 46 of the UK GDPR.”  In essence, the power of the Commission will transfer to the Secretary of State on exit day.

Administrative Fines
The power of the Information Commissioner to issue administrative fines (or, in the language of the Data Protection Act 2018, ‘Penalty Notices’) will continue to exist when the UK leaves the European Union. The maximum amounts of those penalties are currently expressed in Euros (although the Data Protection Act 2018 requires the Information Commissioner to issue the penalties in pounds sterling). The draft 2019 Regulations will amend the maximum amounts to convert them into pounds sterling as opposed to Euros. The €10,000,000 figure will change to £8,700,000; while the €20,000,000 figure will become £17,500,000. These figures are roughly what the euro figures convert to using the current exchange rates.

These are just some of the many changes that will be made by the draft 2019 Regulations. I hope to be able to do some more blog posts looking at some of the other changes contained within the draft 2019 regulations as we approach the 29th March 2019 (the date on which the UK is scheduled to leave the European Union).

Alistair Sloan

If you require advice or assistance in respect of a privacy/data protection, or any other information law, matter then contact Alistair Sloan on 0141 229 0880 or you can send him an E-mail. You can also follow our dedicated information law twitter account.

FOI in Scotland: Registered Social Landlords

Last week the Scottish Ministers laid The Freedom of Information (Scotland) Act 2002 (Designation of Persons as Scottish Public Authorities) Order 2019 (Draft) before the Scottish Parliament for the approval of the Parliament, as they are required to do in terms of the Freedom of Information (Scotland) Act 2002 (“FOISA”). This order is a long anticipated order to bring Registered Social Landlords (“RSLs”) within the scope of FOISA by designating them as Scottish public authorities. If approved (and there is nothing to suggest that the Order will not be approved by the Scottish Parliament), it will mean that RSLs (and their subsidiaries) will be designated as Scottish public authorities from 11 November 2019. Some had been hoping that they would have been designated from April this year, while others had been hoping that it would be April 2020. The Scottish Ministers appear to have split the difference and given RSLs a period of around 9 months to prepare for becoming Scottish public authorities.

RSLs have been, following a number of decisions of the Scottish Information Commissioner (which have never been appealed to the Court of Session), Scottish public authorities for the purposes of the Environmental Information (Scotland) Regulations 2004 for a number of years. There is, however, some debate about whether they remain so, following some changes to the regulatory landscape pertaining to RSLs. It has not yet, to my knowledge, been tested whether they still are Scottish public authorities for the purposes of the Environmental Information (Scotland) Regulations 2004. Whether the changes to the regulatory landscape of RSLs has had the effect of them no longer being Scottish public authorities, for the purposes of the Environmental Information (Scotland) Regulations 2004, is somewhat immaterial; designation as a Scottish public authority for the purposes of FOISA also means that they will be Scottish public authorities for the purposes of the Environmental Information (Scotland) Regulations 2004.

It should be noted that the draft order has been drafted in such a way so as to make RSLs Scottish public authorities for limited purposes only. They will be Scottish public authorities in respect of the following functions:

  1. providing housing accommodation and related services and includes anything done, or required to be done, in relation to:- (a) the prevention and alleviation of homelessness; (b) the management of housing accommodation (limited to the management of housing accommodation for which a registered social landlord has, under the Housing (Scotland) Act 2001, granted a Scottish secure tenancy as defined in section 11 or a short Scottish secure tenancy as defined in section 34 of that Act); (c) the provision and management of sites for gypsies and travellers, whatever their race or origin; and
  2. the supply of information to the Scottish Housing Regulator by a registered social landlord or a connected body in relation to its financial well-being and standards of governance.

A register of social landlords can be found on the website for the Scottish Housing Regulator.

Alistair Sloan

We are able to provide advice and assistance to public authorities and requesters in connection with matters concerning Freedom of Information laws; if you would like advice and assistance in connection with these matters, or any other information law matter, please contact Alistair Sloan on 0141 299 0880 or by E-mail. You can also follow our dedicated Information Law Twitter account.

Developing the Information Expressway

The Upper Tribunal has recently considered the meaning and scope of the exception in Regulation 12(4)(d) of the Environmental Information Regulations 2004 (“the EIRs”). This exception allows a public authority to withhold environmental information in response to a request where “the request relates to material which is still in the course of completion, to unfinished documents or to incomplete data”.

Highways England Company Limited v Information Commissioner and Henry Manisty [2018] UKUT 432 (AAC) concerned a request made to Highways England by Mr Manisty in December 2016. Mr Manisty request related to the possible route of the Expressway between oxford and Cambridge being investigated by Highways England. His request was refused by Highways England and the Information Commissioner did not uphold Mr Manisty’s subsequent complaint to her office. Mr Manisty appealed to the First-Tier Tribunal who allowed his appeal, deciding that the exception in Regulation 12(4)(d) did not apply. Highways England sought, and was granted, permission to appeal to the Upper Tribunal.

Upper Tribunal Judge Jacobs reminds us that as the EIRs implement an EU Directive they must (for now) be interpreted in a way that accords with the normal principles that apply to EU law. Judge Jacobs reminds us that one of those principles is that the exceptions must be interpreted restrictively. Judge Jacobs points out that this is a separate consideration from the presumption in favour of disclosure enshrined within the EIRs; that presumption simply allocates the burden of proof while the restrictive approach defines the scope of the exception.

Judge Jacobs also addresses the Aarhus Convention and the Implementation Guide. The EU Directive, which the EIRs implements, implements the Aarhus Convention into EU law and so regard has to be had to the convention when interpreting the EIRs and the Directive. Judge Jacobs, in paragraph 19, reviews some of the relevant case law and concludes that the Implementation Guide “can be used to aid interpretation, but it is not binding and cannot override what the Convention provides.”

Judge Jacobs includes two helpful paragraphs setting out what the exception does not mean. When deciding the scope of the exception it is not permissible to take into account any adverse consequences that disclosure might have. This is relevant for the purposes of determining where the public interest lies and also, perhaps, deciding whether the exception is engaged. Judge Jacobs states that “[a]dverse consequences must not be made a threshold test for regulation 12(4)(d).” [para 21]

Judge Jacobs considers what “material” and “relates to” means within the exception. In respect of “material”, he considers that the word material “is not apt to describe something incorporeal, like a project, an exercise or a process.” The material in question may form part of a project or process etc.; however, the material in question must itself be in the course of completion. We are not necessarily concerned with whether the project is in the course of completion. [para 23] Judge Jacobs also holds that “[m]aterial includes information that is not held in documents and is not data: things like photographs, film, or audio recordings.” [para 24]

Having already looked at what the exception does not mean, Judge Jacob eventually gets around to deciding what the exception does mean. He notes, in paragraph 28, that the language in the exception is “deliberately imprecise.” That being said, Judge Jacobs, in paragraph 30, returns to the principle that the exception should be applied restrictively. The imprecise language does not mean the exception can be applied “so widely as to be incompatible with the restrictive approach required by EU law.” At the same time it cannot be applied so narrowly that its purpose is defeated. In paragraph 31 of the decision, Judge Jacobs, identifies yet another deliberately vague expression within the exception: ‘piece of work’. The judge identifies some factors that may be of some assistance in applying the exception. For example, if there has been a natural break in the public authority’s private thinking; or, perhaps, the public authority is at a stage where publicity around its progress so far is taking place. The continuing nature of the project, process or exercise might also be a relevant feature. However, public authorities shouldn’t get too excited: this is not, by any means, a checklist. Judge Jacobs makes it clear that each case will turn on its own circumstances.

Public authorities should also be aware that their own internal labels will not be determinative of matters; it is not possible to, in the words of Judge Jacobs “label [your] way out of [your] duty to disclose.” Labels such as “draft or preliminary thoughts may, or may not, reflect the reality.” [para 32]

Counsel for Highways England is recorded as having emphasised legal certainty and its importance. Judge Jacobs accepts that his decision will not produced legal certainty in the way that was possibly envisaged by Counsel for Highways England. Judge Jacobs notes that its application will not be easy; however, issues of judgement are involved and that limits what can be achieved.

In deciding that the First-Tier Tribunal had not erred in law, Judge Jacobs took the view that, when reading the First-Tier Tribunal’s reasoning as a whole; its approached accorded with his analysis of the operation of the exception. The First-Tier Tribunal “understood that it was exercising a judgment on whether the information requested could now properly be considered as independent from the continuing work on the Expressway.”

So, what have we learned? Judge Jacobs has certainly gone through the exception carefully and produced what he considers to be the best that can be achieved in terms of defining the scope of the exception in Regulation 12(4)(d). Its scope is narrow, but not so narrow as to defeat the policy intention of providing a space for public authorities to think in private; however, its imprecise nature should not be taken as giving public authorities cart blanche. Each and every case will turn on its own circumstances and a degree of judgement is involved in determining whether the exception will apply or not.

There are also some useful reminders (for now) about the need to utilise EU law principles when interpreting the EIRs. There is also a useful reminder, in paragraph 6, about the approach that the Upper Tribunal adopts when considering an appeal. It is unlike the First-Tier Tribunal; it is not conducting a re-hearing of the case. The Appellant has to show that the First-Tier Tribunal erred in law. We are also reminded that the nature of the language of the provision has to be taken into account when considering legal certainty; it is therefore not always possible to give a precise exposition of the scope of a provision – sometimes, it really does just come down to a matter of judgement.

Alistair Sloan

We are able to provide advice in connection with a wide range of information law matters, including Freedom of Information Act/Environmental Information Regulations appeals. If you would like advice and assistance on any of these matters then please contact Alistair Sloan on 0141 229 0880 or by E-mail. You can also follow our dedicated information law account on Twitter.

Openness by design: ICO’s draft access to information strategy

The Information Commissioner’s Office has published a draft access to information strategy [pdf] and is inviting comments on it. The document opens by explaining that over the next three years the ICO has the ambition to be “more proactive and increase the impact of” regulation in respect of the Freedom of Information Act 2000 (“FOIA”) and the Environmental Information Regulations 2004 (“EIRs”).

The document is intended to be read in conjunction with the ICO’s ‘Regulatory Action Policy’, which was consulted on last year (and covers all of the legislation that the Commissioner is tasked with enforcing, not just FOIA and the EIRs).

The draft strategy gives the impression that the ICO intends to become more proactive in its enforcement of FOIA and the EIRs – especially in relation to “systematic non-compliance”. This could mean that the ICO intends become more formal in its enforcement action. So we will need to wait and see how it pans out.

The other matter within the draft strategy that is worthy of note (although it really is worthwhile taking the time to read the whole document – it’s not a lengthy one) is the section which discusses the changes that have occurred since FOIA and the EIRs were enacted. In particular the draft strategy indicates that a report to Parliament will be published later this month “making recommendations for change in relation to outsourced public services and some other categories of public service provision that are not within the scope of the current legislation.” Quite what will happen with such a report, given that Parliament is pretty tied up with Brexit related matters, is unclear; however, it should be worth looking at – especially if you’re involved in the provision of public services under contract.

The ICO is inviting comments on the draft strategy document until 8th March 2019 and comments can be submitted via the ICO website.

Post-Legislative Scrutiny of the Freedom of Information (Scotland) Act 2002

For some time now the Scottish Parliament’s Public Audit and Post-Legislative Scrutiny Committee has been considering whether to undertake post-legislative scrutiny of the Freedom of Information (Scotland) Act 2002. The Committee’s decision on whether to undertake post-legislative scrutiny of FOISA was delayed while they awaited the Scottish Information Commissioner concluding his intervention in respect of the Scottish Government.

Yesterday, after hearing again from the Scottish Information Commissioner and his Head of Enforcement, the Committee took a decision (in private), as recorded in the Minutes [pdf], to undertake post-legislative scrutiny of FOISA.

It is not yet clear how the Committee will undertake its post-legislative scrutiny or what the timetable will be; but what can now be said is that there will be formal post-legislative scrutiny of FOISA by a committee of the Scottish Parliament for the first time since FOISA was enacted in 2002. Much has changed since FOISA was enacted and while the Act generally performs fairly well, there are undoubtedly some areas which are ripe for improvement.

Once we know more about the details of the post-legislative scrutiny I will, of course, blog about it.

Alistair Sloan

We are able to provide advice and assistance in connection with a range of Freedom of Information matters, including appeals against decisions of both the Scottish and UK Information Commissioners.  If you would like to do discuss a Freedom of Information, or any other Information Law, matter with us then you can contact Alistair Sloan on 0141 229 0880.  Alternatively, you can send him an E-mail.

Information Law Review of 2018

It does not seem as though it was a year ago since I sat down to write my review of Information Law in 2017 and to have a brief look ahead into 2018; but somehow we now appear to be in 2019. It was always going to be the case that 2018 was going to be a big year for information law; with the General Data Protection Regulation becoming applicable on 25th May 2018. The 25th May 2018 came and went without the millennium bug style apocalypse that seemed inevitable from the amount of sensationalist writing that was taking place in late 2017 and early 2018.

My review of 2017 started off with the English and Welsh High Court decision on vicarious liability for data protection breaches in Various Claimants v WM Morrisons Supermarket PLC  [2017] EWHC 3113 (QB)This case rumbled on in 2018 and it was considered by the Court of Appeal. The Court of Appeal heard the appeal and (in remarkably quick time) dismissed the appeal. It is understood that Morrisons have sought permission to appeal to the Supreme Court and if permission is granted it is possible that it will feature in a review of Information law in 2019.

In February, the English and Welsh High Court issued an interesting privacy judgment when it considered an action for compensation arising out of “Can’t Pay? We’ll Take it Away’; a fly-on-the wall documentary following High Court Enforcement Officers in their work enforcing court orders relating to debt and housing cases. The Court had the tricky job of balancing the privacy rights of individuals against the rights of television companies in respect of freedom of expression; however, the High Court decided that the balance in this particular case fell in favour of the claimant’s privacy rights. The High Court’s decision was appealed to the Court of Appeal; looking specifically at the issue of quantifying the level of damages. That appeal was heard by the Court of Appeal in early December and should provide useful guidance on calculating damages in the privacy sphere.

Facebook, Cambridge Analytical and Aggregate AIQ all featured quite heavily in 2018 in terms of privacy and data protection matters. Facebook was served with a monetary penalty in the amount of £500,000 for breaches of the Data Protection Act 1998 and Aggregate AIQ was also the recipient of the first Enforcement Notice under the Data Protection Act 2018 (which was narrowed in scope by the Information Commissioner following an appeal by AIQ; which was subsequently dropped). Facebook lodged an appeal against the Monetary Penalty Notice with the First-Tier Tribunal (Information Rights) in November 2018. If and when a decision is reached by the Tribunal in respect of that appeal, it will feature on this blog.

Arising out of the same wide-ranging investigation by the ICO as the Facebook penalty and the AIQ Enforcement Notice was an Information Notice served on the United Kingdom Independence Party (UKIP), which was appealed to the First-Tier Tribunal (Information Rights). The Tribunal dismissed the appeal by UKIP in July.

In April there was yet another important decision from the English and Welsh High Court in respect of Privacy and Data Protection. A little over four years after the European Court of Justice decision on the Right to Be Forgotten in Google Spain, Mr Justice Warby handed down his judgment in NT1 & NT2 v Google; this represented the first decision of a UK Court in respect of the Right to Be Forgotten. An appeal was lodged in respect of this case and was due to be heard just before Christmas; however, it was reported that the case was settled on the day of the appeal.

The issue of compensation to identifiable third parties in the context of data protection breaches was considered by the English and Welsh Court of Appeal. This case adds to the helpful privacy and data protection case law emanating from the English and Welsh courts.

Another interesting development that we saw during the course of 2018 was a director being disqualified indirectly in connection with privacy and data protection matters. It does show that directors can be held personally liable for privacy and data protection transgressions of limited companies. This was underlined by the amendments to the Privacy and Electronic Communications (EC Directive) Regulations 2003 which now enable the Commissioner to serve a monetary penalty on directors (and others associated with companies) in certain circumstances.

In Scotland, the Court of Session made new rules which should make appealing decisions of the Scottish Information Commissioner in respect of requests for environmental information more financially viable.

Litigation in respect information law matters in Scotland remains limited. The majority of litigation on these areas arises out of England and Wales. Perhaps in 2019, we will begin to see more litigation in Scotland on information law matters. Hopefully the new rules in the Court of Session will see more appeals in respect of the Environmental Information (Scotland) Regulations 2004 and hopefully the introduction of Group proceedings in the Court of Session through the Civil Litigation (Expenses and Group Proceedings) (Scotland) Act 2018 will help with an increase in data protection and privacy litigation in Scotland.

In terms of 2018 Scottish cases, not long before Christmas the Court of Session treated us to a judgment in an appeal concerning vexatious requests under the Freedom of Information Scotland Act 2002. Beggs v Scottish Information Commissioner considered the correct approach to be taken when applying section 14(1) of the Freedom of Information (Scotland) Act 2002.

Looking ahead to 2019; the big issue on the horizon is Brexit. Much of what is discussed on this blog as “information law” derives from European law and so Brexit will likely have an impact upon that. We are still unsure as to the terms that we will be leaving on. A withdrawal Agreement has been negotiated between the European Union and the United Kingdom; however, there is  still a way to go with that – and it looks quite likely that the UK Parliament will rejected the Withdrawal Agreement in its current form. If we end up leaving with no Withdrawal Agreement in place then this will cause considerable difficulties for UK business which rely upon the transfer of personal data from elsewhere within the European Union; it will also cause problems for public bodies.

In terms of making the law work after Brexit, we were treated by the Government (in between Christmas and New Year) to a draft of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. These Regulations will make changes to the GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 in light of the United Kingdom no longer being a member of the European Union. I will, of course, look at these draft Regulations in more detail soon.

I will attempt to address information law matters as they unfold in 2019 on the Information Law Blog from Inksters Solicitors.

Alistair Sloan

If you would like advice or assistance with Privacy and Data Protection matters or with UK and Scottish Freedom of Information requests contact Alistair Sloan on 0141 229 0880 or you can E-mail him.