Tag Archives: FOI Enforcement

Information Law Review of 2018

It does not seem as though it was a year ago since I sat down to write my review of Information Law in 2017 and to have a brief look ahead into 2018; but somehow we now appear to be in 2019. It was always going to be the case that 2018 was going to be a big year for information law; with the General Data Protection Regulation becoming applicable on 25th May 2018. The 25th May 2018 came and went without the millennium bug style apocalypse that seemed inevitable from the amount of sensationalist writing that was taking place in late 2017 and early 2018.

My review of 2017 started off with the English and Welsh High Court decision on vicarious liability for data protection breaches in Various Claimants v WM Morrisons Supermarket PLC  [2017] EWHC 3113 (QB)This case rumbled on in 2018 and it was considered by the Court of Appeal. The Court of Appeal heard the appeal and (in remarkably quick time) dismissed the appeal. It is understood that Morrisons have sought permission to appeal to the Supreme Court and if permission is granted it is possible that it will feature in a review of Information law in 2019.

In February, the English and Welsh High Court issued an interesting privacy judgment when it considered an action for compensation arising out of “Can’t Pay? We’ll Take it Away’; a fly-on-the wall documentary following High Court Enforcement Officers in their work enforcing court orders relating to debt and housing cases. The Court had the tricky job of balancing the privacy rights of individuals against the rights of television companies in respect of freedom of expression; however, the High Court decided that the balance in this particular case fell in favour of the claimant’s privacy rights. The High Court’s decision was appealed to the Court of Appeal; looking specifically at the issue of quantifying the level of damages. That appeal was heard by the Court of Appeal in early December and should provide useful guidance on calculating damages in the privacy sphere.

Facebook, Cambridge Analytical and Aggregate AIQ all featured quite heavily in 2018 in terms of privacy and data protection matters. Facebook was served with a monetary penalty in the amount of £500,000 for breaches of the Data Protection Act 1998 and Aggregate AIQ was also the recipient of the first Enforcement Notice under the Data Protection Act 2018 (which was narrowed in scope by the Information Commissioner following an appeal by AIQ; which was subsequently dropped). Facebook lodged an appeal against the Monetary Penalty Notice with the First-Tier Tribunal (Information Rights) in November 2018. If and when a decision is reached by the Tribunal in respect of that appeal, it will feature on this blog.

Arising out of the same wide-ranging investigation by the ICO as the Facebook penalty and the AIQ Enforcement Notice was an Information Notice served on the United Kingdom Independence Party (UKIP), which was appealed to the First-Tier Tribunal (Information Rights). The Tribunal dismissed the appeal by UKIP in July.

In April there was yet another important decision from the English and Welsh High Court in respect of Privacy and Data Protection. A little over four years after the European Court of Justice decision on the Right to Be Forgotten in Google Spain, Mr Justice Warby handed down his judgment in NT1 & NT2 v Google; this represented the first decision of a UK Court in respect of the Right to Be Forgotten. An appeal was lodged in respect of this case and was due to be heard just before Christmas; however, it was reported that the case was settled on the day of the appeal.

The issue of compensation to identifiable third parties in the context of data protection breaches was considered by the English and Welsh Court of Appeal. This case adds to the helpful privacy and data protection case law emanating from the English and Welsh courts.

Another interesting development that we saw during the course of 2018 was a director being disqualified indirectly in connection with privacy and data protection matters. It does show that directors can be held personally liable for privacy and data protection transgressions of limited companies. This was underlined by the amendments to the Privacy and Electronic Communications (EC Directive) Regulations 2003 which now enable the Commissioner to serve a monetary penalty on directors (and others associated with companies) in certain circumstances.

In Scotland, the Court of Session made new rules which should make appealing decisions of the Scottish Information Commissioner in respect of requests for environmental information more financially viable.

Litigation in respect information law matters in Scotland remains limited. The majority of litigation on these areas arises out of England and Wales. Perhaps in 2019, we will begin to see more litigation in Scotland on information law matters. Hopefully the new rules in the Court of Session will see more appeals in respect of the Environmental Information (Scotland) Regulations 2004 and hopefully the introduction of Group proceedings in the Court of Session through the Civil Litigation (Expenses and Group Proceedings) (Scotland) Act 2018 will help with an increase in data protection and privacy litigation in Scotland.

In terms of 2018 Scottish cases, not long before Christmas the Court of Session treated us to a judgment in an appeal concerning vexatious requests under the Freedom of Information Scotland Act 2002. Beggs v Scottish Information Commissioner considered the correct approach to be taken when applying section 14(1) of the Freedom of Information (Scotland) Act 2002.

Looking ahead to 2019; the big issue on the horizon is Brexit. Much of what is discussed on this blog as “information law” derives from European law and so Brexit will likely have an impact upon that. We are still unsure as to the terms that we will be leaving on. A withdrawal Agreement has been negotiated between the European Union and the United Kingdom; however, there is  still a way to go with that – and it looks quite likely that the UK Parliament will rejected the Withdrawal Agreement in its current form. If we end up leaving with no Withdrawal Agreement in place then this will cause considerable difficulties for UK business which rely upon the transfer of personal data from elsewhere within the European Union; it will also cause problems for public bodies.

In terms of making the law work after Brexit, we were treated by the Government (in between Christmas and New Year) to a draft of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. These Regulations will make changes to the GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 in light of the United Kingdom no longer being a member of the European Union. I will, of course, look at these draft Regulations in more detail soon.

I will attempt to address information law matters as they unfold in 2019 on the Information Law Blog from Inksters Solicitors.

Alistair Sloan

If you would like advice or assistance with Privacy and Data Protection matters or with UK and Scottish Freedom of Information requests contact Alistair Sloan on 0141 229 0880 or you can E-mail him.


Scottish Information Commissioner’s 2017/18 Annual Report

Friday 28 September 2018 was International right to Know Day, a day designed to highlight the public’s right to know and to campaign for FOI laws. Scotland has had Freedom of Information laws in place since January 2005 and a similar statutory regime entered into force on the same date for information held by UK public bodies. The Scottish Information Commissioner used International right to Know Day to launch his office’s annual report [pdf].

In 2017/2018 the Commissioner’s office received a total of 507 appeals, up from 425 in 2016/2017 (but not the highest number received in any one year). Of the appeals that were received the vast majority (75%) were classed by the commissioner’s office as coming directly from individuals with the media accounting for 11% and commercial/private enterprises accounting for 3%.

In terms of which public authorities have their responses appealed to the Commissioner; local authorities still make up the largest percentage (although there was a fairly significant decrease in the percentage share of appeals from the previous year). Local authorities are followed the Scottish Government and its agencies and the police.

30% of the appeals made to the Scottish Information Commissioner were deemed to be invalid appeals; that is to say they were appeals that the Commissioner’s office could not investigate. The annual report reveals that among the most common reasons why an appeal was not valid are that the applicant had not made a request for review to the Scottish public authority (an appeal can only be made to the Scottish Commissioner after the Scottish public authority has reviewed its initial decision or failed to carry out a review of its initial decision that has been requested) and that the timescales for making FOI appeals within the Act had not been met. Requesters should remember that they should make requests for review within 40 working days of the date that the authority issued its response or the date that it should have responded where no response has been received. Furthermore, it should be remembered that appeals to the Commissioner should normally be made within 6 months of the date on which the authority responded to the review request or, where no response has been recieved to a request for an internal review, within 6 months of the date that the authority should have responded to the internal review.

Failure to respond appeals, that is an appeal which concerns a failure by an authority to respond to a request and/or request for review, continue to be a problem. In 2017/18 19% of the appeals handled by the Commissioner concerned a failure to respond; this is down slightly from the 20% it was in 2016/17, but is up from the 16% figure in 2015/16. These are fairly clear-cut appeals as an authority has either responded within the statutory timeframe not and they should be appeals that authorities can avoid fairly easily. No authority can be perfect 100% of the time and there will be cases where the inflexibility of the 20 working-day rule, in particular cases where the public interest is finely balanced or where third party consultation is required, will mean that breaches will occur; however, staying in contact with the requester can help to avoid these appeals even where the authority is technically in breach of the law.

Of the decisions made by the Commissioner in response to appeals under section 47 of the Freedom of Information (Scotland) Act 2002, 65% resulted in a decision which was wholly or partially in favour of the requester.

Some interesting enforcement matters from within the report which are worthy of mention include:

  • Highland Council was issued with an Information Notice when it delayed in providing information to the Commissioner’s Office which was required in order to enable the Commissioner to investigate an appeal made to him by a requester.
  • The Commissioner also highlights that his office considered referring East Dunbartonshire Council to the Court of Session for failing to comply with one of his decisions (but in the end, it would appear that, such a step ultimately proved unnecessary).
  • The Commissioner refers to his high profile level 3 intervention in respect of the Scottish Government’s performance and culture in respect of FOI, which is still ongoing.
  • A less profile level 3 intervention by the Commissioner was the ongoing intervention in Police Scotland, which is now in the monitoring phase after an action plan was agreed between Police Scotland and the Commissioner. There were concerns about searching for and locating information to respond to information requests as well as concerns around record-keeping.
  • Two independent schools (which had become subject to FOI following the last extension of the Act by the Scottish Ministers) were subject to level 4 interventions where they had failed to adopt publication schemes as required by section 23 of the Freedom of Information (Scotland) Act 2002.

The Commissioner’s report makes reference to three Court of Session cases in respect of decisions that it had made, one of which Inksters were instructed in by one of the parties. The number of appeals against decisions of the Scottish Information Commissioner remain particularly low (both appeals taken by requesters and Scottish public authorities); whether this is because the Commissioner’s office is doing a good job in terms of interpreting the Freedom of Information (Scotland) Act 2002 and the Environmental Information (Scotland) Regulations 2004, or whether it has more to do with the significant costs to be faced by requesters and Scottish Public Authorities who decide to take an appeal to Scotland’s highest civil court is a matter which is very much open for debate.

There is lots of other useful information with the Commissioner’s annual report, but at the risk of this blog post becoming too unwieldy I shall leave it there.

Alistair Sloan

Whether you are a requester or a public authority we can provide you with advice and assistance on Freedom of Information matters. Contact Alistair Sloan on 0141 229 0880 or you can send him an E-mail. You can also follow our dedicated twitter account on information law matters.

 

Information Law Review of 2017

2018 is now upon us and this is a big year in the field of Information Law, the General Data Protection Regulation will at last become applicable in the United Kingdom.  If you are a data controller or a data processor, your preparations for the GDPR should be well under way; however, if you have not yet started to prepare for these regulations then it is not yet too late.  The lesser known brother of the GDPR also kicks in this year, the Law Enforcement Directive, which governs the processing of personal data by law enforcement agencies.

However, before I get stuck into what is coming this year in the field of Information law, I want to take a moment to look back at some of the things that happened in 2017.  At the tail end of 2017 the High Court in England issued its anticipated judgment in the case of Various Claimants v WM Morrisons Supermarket PLC  [2017] EWHC 3113 (QB)This represented a significant development in the data protection field and opens up a much wider range of circumstances in which data subjects can sue a data controller under Section 13 of the Data Protection Act 1998.

In October 2017, the Irish High Court made a reference to the Court of Justice of the European Union at the request of the Irish Data Protection Commissioner seeking a preliminary ruling on “Privacy Shield”, the successor to the Safe Harbour rules which had previously been held to be unlawful by the European Court.

In September 2017, the Grand Chamber of the European Court of Human Rights issued a decision concerning the application of the right to a private and family life contained in Article 8 of the European Court of Human Rights to the monitoring of a person’s communications by their employer.

Also in September 2017, the UK Government published its Data Protection Bill which will replace the Data Protection Act 1998, extends GDPR standards to areas not within the competence of the European Union and implements the Law Enforcement Directive, among other things.

Now looking ahead to 2018, it is possible that we might see a decision from the English Court of Appeal in the Morrisons case referred to above, the judge having granted permission to Morrisons to appeal his findings in relation to vicarious liability.  We may also see claims for compensation being made based upon the Morrisons decision.

In Scotland, we will be expecting to see some more progress made by the Scottish Parliament in its consideration of the Children and Young People (Information Sharing) (Scotland) Bill.  I provided written evidence to the Education and Skills Committee on this Bill last year.  The Committee has had some difficulty in completing its Stage 1 consideration of the Bill and the previous deadline of 22 November 2017 for completion of Stage 1 was removed by the Scottish Parliament.

It is also possible that we will see the Scottish Parliament’s Public Audit and Post-Legislative scrutiny Committee begin to undertake a post-legislative inquiry into the operation of the Freedom of Information (Scotland) Act 2002 (or announce that such an inquiry will take place in due course).  If such an inquiry does take place, it will be the first time that there will have been a complete review of the Scottish FOI Act and how it is operating.

Staying on the subject of Freedom of Information in Scotland, we are likely to see the outcome of the Scottish Information Commissioner’s formal intervention in respect of the Scottish Government’s compliance with the Freedom of Information (Scotland) Act 2002.  We are also likley to see an Order being made under Section 5 of the Freedom of Information (Scotland) Act 2002 designating Registered Social Landlords as scottish public authorities with effect from 1st April 2019.

By the end of 2018 we should also hopefully have a much better idea as to what the UK’s relationship with the European Union will be after it leaves, and in particular what impact this will have on data protection and privacy law in Scotland and the rest of the UK.

There will no doubt be a raft of new court decisions in relation to both Privacy/Data Protection and Freedom of Information over the course of the next 12 months and I will attempt to address the most important and unusual decisions here on the Information Law Blog from Inksters Solicitors.

Alistair Sloan

If you would like advice or assistance with Privacy and Data Protection matters (including GDPR preparation) or with UK and Scottish Freedom of Information requests contact Alistair Sloan on 0345 450 0123 or you can E-mail him.

FOI in Scotland in 2016/17: The Scottish Information Commissioner’s Annual Report

Margaret Keyes, Acting Scottish Information Commissioner chose yesterday, International Right to Know Day, to launch her office’s annual report [pdf] for the 2016/17 year.  The report finds that the public’s awareness of the right to ask and obtain information from public bodies is high, at 85%.

The Scottish Information Commissioner is a statutory office holder charged with enforcing the Freedom of Information (Scotland) Act 2002, the Environmental Information (Scotland) Regulations 2004 and the INSPIRE (Scotland) Regulations 2009.  The Commissioner’s office, amongst other things, investigates complaints made by individuals and organisations who have exercised their rights under these various pieces of legislation, but who are dissatisfied with how the Scottish public authority has handled their request.

In 2016/17 the Commissioner received a total of 425 appeals and issued a total of 252 formal, legally enforceable, decision notices.  Most of the appeals received related to requests made under the Freedom of Information (Scotland) Act 2002 with the remainder relating to requests which fell to be dealt with under the Environmental Information (Scotland) Regulations 2004.  The Commissioner received no appeals under the INSPIRE (Scotland) Regulations 2009 (although these Regulations are much more specialised and are probably only really of interest/relevance to a limited number of people).

There lies a right to appeal against formal notices issued by the Commissioner, including a formal decision notices, to the Court of Session.  A very small number of appeals were made to the Court of Session during the 2016/17 year, according to the Commissioner’s report (some of which Inksters were instructed in by the Appellant).

The Commissioner has a range of enforcement tools which can be deployed.  One of those is to issue an ‘enforcement notice’ which requires a Scottish public authority to take specified steps to comply with the legislation.  In 2016/17, the Commissioner issued four enforcement notices (which represented the first enforcement notices ever issued by the Commissioner).

Where the Commissioner reasonably requires information in order to (a) assess whether a Scottish public authority has complied, or is complying, with the legislation; or (b) assess whether a Scottish public authority has complied, or is complying, with the statutory codes of practice issued by the Scottish Ministers, the Commissioner can issue an Information Notice.  In 2016/17, the Commissioner issued 3 such notices.

The Commissioner’s decision notices are legally enforceable and where the Commissioner considers that a Scottish public authority is failing to comply with a decision notice the Commissioner has the power to certify this to the Court of Session.  The Court can ultimately, after making enquiries, deal with a Scottish public authority which has failed to comply with a decision notice as if they were in contempt of Court.  The Commissioner has never made such a certification, but the 2016/17 annual report reveals that the Commissioner came close to doing so during the course of that year.

On the whole it seems to have been a busy year for the Scottish Information Commissioner’s Office; although, the number of appeals received in 2016/17 was lower than in 2015/16.

Alistair Sloan

We are able to provide advice and assistance in connection with a range of Freedom of Information matters, including appeals against decisions of both the Scottish and UK Information Commissioners.  If you would like to do discuss a Freedom of Information, or any other Information Law, matter with us then you can contact Alistair Sloan on 0345 450 0123.  Alternatively, you can send him an E-mail.

Welcome to the Information Law Blog by Inksters Solicitors

Welcome to the Information Law Blog from Inksters Solicitors.  On this blog we will be covering the latest issues in the areas of Data Protection/Privacy and also Freedom of Information.  Most of the contributions to this blog will be by Alistair Sloan, although there may be contributions from other members of the Inksters team from time to time.

Alistair is one our solicitors based in our Glasgow HQ; he offers legal services throughout Scotland in the field of information law, among others.   Alistair regulalry travels around Scotland and in particular visits our Caithness base in Wick on a frequent basis.  Alistair has been involved in the fields of freedom of information and data protection for a number of years, including prior to qualifying as a solicitor, and has built up a knowledge base on both areas throughout that time.  While studying for his Master of Laws degree, he researched the Information Commissioner’s use of Monetary Penalty Notices for breaches of the Data Protection Act 1998.

The area of information law is constantly developing.  The biggest change on the horizon is the General Data Protection Regulation, which will be applicable in the UK (and across the rest of the European Union) from 25 May 2018.  This new Regulation from the European Union represents the single biggest change to the laws relating to data protection and privacy in the UK in more than 20 years.

Much of the field of Information law is governed by EU law in one way or another, whether it be data protection or access to environmental information held by public authorities; therefore, the hot political subject of Brexit will feature heavily in the information law field over the coming years.

We’re not new to the world of information law; in 2016 our Sylvia MacLennan acted for the successful Petitioner in WF v Scottish Ministers.  This case challenged the position in Scotland where an accused person could seek access to the medical records of a complainer in a criminal case, but that the complainer was said not to have any standing to make representations directly to the court (including through their own solicitor) on the question of whether their medical records should be disclosed to the accused.  It also challenged the lack of availability of legal aid in Scotland to complainers concerning such issues.

We hope that this blog will become a useful resource for individuals to find out about the latest developments in the field of information law.  To keep up to date with this blog and what we are doing you can follow Alistair on twitter here; we also have a dedicated information law twitter account, which you can follow as well.

If you want to discuss an information law matter with Alistair you contact him on 0345 450 0123 or by completing the form on the contact page of this blog.  Alternatively, you can send him an E-mail directly.