Tag Archives: FOISA

Scottish Information Commissioner’s 2017/18 Annual Report

Friday 28 September 2018 was International right to Know Day, a day designed to highlight the public’s right to know and to campaign for FOI laws. Scotland has had Freedom of Information laws in place since January 2005 and a similar statutory regime entered into force on the same date for information held by UK public bodies. The Scottish Information Commissioner used International right to Know Day to launch his office’s annual report [pdf].

In 2017/2018 the Commissioner’s office received a total of 507 appeals, up from 425 in 2016/2017 (but not the highest number received in any one year). Of the appeals that were received the vast majority (75%) were classed by the commissioner’s office as coming directly from individuals with the media accounting for 11% and commercial/private enterprises accounting for 3%.

In terms of which public authorities have their responses appealed to the Commissioner; local authorities still make up the largest percentage (although there was a fairly significant decrease in the percentage share of appeals from the previous year). Local authorities are followed the Scottish Government and its agencies and the police.

30% of the appeals made to the Scottish Information Commissioner were deemed to be invalid appeals; that is to say they were appeals that the Commissioner’s office could not investigate. The annual report reveals that among the most common reasons why an appeal was not valid are that the applicant had not made a request for review to the Scottish public authority (an appeal can only be made to the Scottish Commissioner after the Scottish public authority has reviewed its initial decision or failed to carry out a review of its initial decision that has been requested) and that the timescales for making FOI appeals within the Act had not been met. Requesters should remember that they should make requests for review within 40 working days of the date that the authority issued its response or the date that it should have responded where no response has been received. Furthermore, it should be remembered that appeals to the Commissioner should normally be made within 6 months of the date on which the authority responded to the review request or, where no response has been recieved to a request for an internal review, within 6 months of the date that the authority should have responded to the internal review.

Failure to respond appeals, that is an appeal which concerns a failure by an authority to respond to a request and/or request for review, continue to be a problem. In 2017/18 19% of the appeals handled by the Commissioner concerned a failure to respond; this is down slightly from the 20% it was in 2016/17, but is up from the 16% figure in 2015/16. These are fairly clear-cut appeals as an authority has either responded within the statutory timeframe not and they should be appeals that authorities can avoid fairly easily. No authority can be perfect 100% of the time and there will be cases where the inflexibility of the 20 working-day rule, in particular cases where the public interest is finely balanced or where third party consultation is required, will mean that breaches will occur; however, staying in contact with the requester can help to avoid these appeals even where the authority is technically in breach of the law.

Of the decisions made by the Commissioner in response to appeals under section 47 of the Freedom of Information (Scotland) Act 2002, 65% resulted in a decision which was wholly or partially in favour of the requester.

Some interesting enforcement matters from within the report which are worthy of mention include:

  • Highland Council was issued with an Information Notice when it delayed in providing information to the Commissioner’s Office which was required in order to enable the Commissioner to investigate an appeal made to him by a requester.
  • The Commissioner also highlights that his office considered referring East Dunbartonshire Council to the Court of Session for failing to comply with one of his decisions (but in the end, it would appear that, such a step ultimately proved unnecessary).
  • The Commissioner refers to his high profile level 3 intervention in respect of the Scottish Government’s performance and culture in respect of FOI, which is still ongoing.
  • A less profile level 3 intervention by the Commissioner was the ongoing intervention in Police Scotland, which is now in the monitoring phase after an action plan was agreed between Police Scotland and the Commissioner. There were concerns about searching for and locating information to respond to information requests as well as concerns around record-keeping.
  • Two independent schools (which had become subject to FOI following the last extension of the Act by the Scottish Ministers) were subject to level 4 interventions where they had failed to adopt publication schemes as required by section 23 of the Freedom of Information (Scotland) Act 2002.

The Commissioner’s report makes reference to three Court of Session cases in respect of decisions that it had made, one of which Inksters were instructed in by one of the parties. The number of appeals against decisions of the Scottish Information Commissioner remain particularly low (both appeals taken by requesters and Scottish public authorities); whether this is because the Commissioner’s office is doing a good job in terms of interpreting the Freedom of Information (Scotland) Act 2002 and the Environmental Information (Scotland) Regulations 2004, or whether it has more to do with the significant costs to be faced by requesters and Scottish Public Authorities who decide to take an appeal to Scotland’s highest civil court is a matter which is very much open for debate.

There is lots of other useful information with the Commissioner’s annual report, but at the risk of this blog post becoming too unwieldy I shall leave it there.

Alistair Sloan

Whether you are a requester or a public authority we can provide you with advice and assistance on Freedom of Information matters. Contact Alistair Sloan on 0141 229 0880 or you can send him an E-mail. You can also follow our dedicated twitter account on information law matters.

 

Crossroads: where data protection and freedom of information intersect

The laws relating to freedom of information and those relating to privacy and data protection often come into conflict with one another.  One issue which arises often for those who are responsible for answering freedom of information requests is whether or not to disclose personal data of third parties which is caught up within the information that has been requested.  This is an area that has been the subject of much litigation both under the Scottish and UK FOI laws; indeed, cases have gone from Scotland all the way to the UK Supreme Court (this might be because there are fewer levels of appeal to go through in Scotland and until very recently Scottish litigants did not need the permission of the Court of Session or the Supreme Court to take an appeal there).

One area which is perhaps the most contentious of all is where the personal data in question relations to civil servants.  The generally accepted position has been that in most cases the personal data of junior civil servants will be redacted while personal data relating to senior civil servants is more likley to be disclosed.  This position, however, is one that has never really had any scrutiny from the superior courts; that is until now.  On 6th April the Upper Tribunal (Administrative Appeals Chamber) made its decision in Cox v Information Commissioner and Home Office [2018] UKUT 119 (AAC).  Judge Wikeley records that to the best of his knowledge Cox was “the first occasion on which the Upper Tribunal has had to consider in any depth the issue of the principles governing the disclosure of the names of individual civil servants in response to a request under FOIA.” [32]

In this appeal the Appellant, Mr Cox, is concerned with the development of Government policy and its application in relation to migration from the Horn of Africa.  The Appellant made a request for information to the Home Office pursuant to his right of access to information within the Freedom of Information Act 2000.  His request for information sought details concerning meetings between civil servants from the Home Office and government officials from countries within the region.  In particular, the Appellant sought the dates of the meetings, names of all those who were present at the meetings and also the notes of such meetings.

There were two issues in the appeal, but this blog post only focuses on the first of those issues; that being the disclosure of the names of civil servants.  The Home Office had refused to disclose the names of three civil servants who had formed part of the UK’s delegation to Eritrea in December 2014 (they were referred to as J, L and N during the course of the proceedings before the First-Tier Tribunal).  The Information Commissioner had agreed with the Home Office and found that the Home Office had complied with the requirements of the Freedom of Information Act 2000 in withholding the names under section 40(2) of the Act.

The UK and Scottish provisions in respect of personal data are the same (although, in the Scottish Act the exemption can be found within section 38 of the Freedom of Information (Scotland) Act 2002).  Personal data of third parties is exempt under FOI law where to release the personal data would amount to a breach of the data protection principles.  When third party personal data is involved in an FOI request the sixth condition in Schedule 2 to the Data Protection Act 1998 comes into play.  This condition requires there to be a balancing exercise undertaken between the rights of the data subject and the rights of the person who is seeking disclosure of the personal data.

In South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55 (a case which involved the disclosure of pay scales within the Council in connection with matters concerning equal pay), Lady Hale observed that the sixth condition in Schedule 2 required that three discrete questions are asked and answered:

  1. Is the data controller or the third party or parties who whom the data are disclosed pursuing a legitimate interest of interests?
  2. Is the processing involved necessary for the purpose of those interests?
  3. Is the processing unwarranted in the circumstances by reason of prejudice to the rights and freedoms or legitimate interests of the data subject?

The first hurdle for a requester to get across in seeking to have third party personal data, including the names of civil servants, disclosed under FOI laws is that they are pursuing a legitimate interest. It is clear from the authorities that there is no inherent interest in the release of civil servants’ names: “[t]here is no reason why the general transparency values underpinning FOIA should automatically create a legitimate interest in disclosure under the DPA.” [42] (see also Department of Health v Information Commissioner and Lewis [2017] EWCA Civ 374)  What needs to be assessed is “the legitimate interests of the individual requester, and not the more abstract legitimate interests of the public at large”. [43]  If the decision-maker, whether that be the public authority, commissioner or courts/tribunals, is not satisfied that there is no legitimate interest being pursued by the requester, then they do not need to go any further as the sixth condition would not apply (see the comments of Judge Jacobs giving the decision of the Upper Tribunal in Information Commissioner v (1) CF and (2) Nursing and Midwifery Council [2015] UKUT 449 (AAC) at paragraph 19 in particular).

When the personal data exemptions are in play they represent an exception to the general proposition that the FOI process is applicant blind (i.e. that the applicant doesn’t play a part in determining whether information ought to be released or not); other exceptions include, for example, the vexatious provisions and the aggregation provisions within the appropriate limit regulations.  Judge Jacobs, at paragraph 30, in IC v CF & NMC (above) said that it “is impossible to apply paragraph 6(1) without having regard to the identity of the applicant, the interest pursued by the request and the extent to which information is already potentially available to the public.”

Each case will, of course, turn on its own facts.  Many of the factors which go into determining whether third party personal data ought to be released is specific to the facts and context. However, I suggest that we can draw some clear principles from the case law to date:

  1. When determining the legitimate interests part of the test; there is no public benefit legitimate interest – reference must be had to who is making the request and why they are making the request;
  2. The balancing exercise required to be undertaken when applying condition 6 of Schedule 2 is not the same balancing exercise that is completed when undertaking the public interest balancing exercise;
  3. FOI rights do not take precedence over privacy and data protection rights;
  4. When it comes to the personal data of civil servants; there is no hard rule that the personal data (including names) of senior civil servants will always be disclosed and likewise there is no hard rule that the personal data (including names) of junior civil servants will always be redacted; it is a decision that is both fact-specific and context-specific

The decision in Cox is of course one that is not binding on the Scottish Information Commissioner, but it is binding upon the First-Tier Tribunal and the UK Information Commissioner.  It essentially approves of the way in which public authorities and both commissioners have been handling these issues to date and so we’re unlikely to see anything change as to how the tension between FOI laws and the data protection laws is resolved.

The Data Protection Bill will (when it is finally passed and eneacted) amend both the Freedom of Information Act 2000 and the Freedom of Information (Scotland) Act 2002 to reflect the General Data Protection Regulation; the provisions look a bit unwieldy, but in reality they are unlikely to change very little in terms of day-to-day practice.

Alistair Sloan

If you require advice and assistance on any aspect of freedom of information or data protection and privacy law then you can contact Alistair Sloan on 0141 229 0880; alternatively you can contact him directly be E-mail.  We have a Twitter account dedicated to information law issues , which you are welcome to follow.

Information Law Review of 2017

2018 is now upon us and this is a big year in the field of Information Law, the General Data Protection Regulation will at last become applicable in the United Kingdom.  If you are a data controller or a data processor, your preparations for the GDPR should be well under way; however, if you have not yet started to prepare for these regulations then it is not yet too late.  The lesser known brother of the GDPR also kicks in this year, the Law Enforcement Directive, which governs the processing of personal data by law enforcement agencies.

However, before I get stuck into what is coming this year in the field of Information law, I want to take a moment to look back at some of the things that happened in 2017.  At the tail end of 2017 the High Court in England issued its anticipated judgment in the case of Various Claimants v WM Morrisons Supermarket PLC  [2017] EWHC 3113 (QB)This represented a significant development in the data protection field and opens up a much wider range of circumstances in which data subjects can sue a data controller under Section 13 of the Data Protection Act 1998.

In October 2017, the Irish High Court made a reference to the Court of Justice of the European Union at the request of the Irish Data Protection Commissioner seeking a preliminary ruling on “Privacy Shield”, the successor to the Safe Harbour rules which had previously been held to be unlawful by the European Court.

In September 2017, the Grand Chamber of the European Court of Human Rights issued a decision concerning the application of the right to a private and family life contained in Article 8 of the European Court of Human Rights to the monitoring of a person’s communications by their employer.

Also in September 2017, the UK Government published its Data Protection Bill which will replace the Data Protection Act 1998, extends GDPR standards to areas not within the competence of the European Union and implements the Law Enforcement Directive, among other things.

Now looking ahead to 2018, it is possible that we might see a decision from the English Court of Appeal in the Morrisons case referred to above, the judge having granted permission to Morrisons to appeal his findings in relation to vicarious liability.  We may also see claims for compensation being made based upon the Morrisons decision.

In Scotland, we will be expecting to see some more progress made by the Scottish Parliament in its consideration of the Children and Young People (Information Sharing) (Scotland) Bill.  I provided written evidence to the Education and Skills Committee on this Bill last year.  The Committee has had some difficulty in completing its Stage 1 consideration of the Bill and the previous deadline of 22 November 2017 for completion of Stage 1 was removed by the Scottish Parliament.

It is also possible that we will see the Scottish Parliament’s Public Audit and Post-Legislative scrutiny Committee begin to undertake a post-legislative inquiry into the operation of the Freedom of Information (Scotland) Act 2002 (or announce that such an inquiry will take place in due course).  If such an inquiry does take place, it will be the first time that there will have been a complete review of the Scottish FOI Act and how it is operating.

Staying on the subject of Freedom of Information in Scotland, we are likely to see the outcome of the Scottish Information Commissioner’s formal intervention in respect of the Scottish Government’s compliance with the Freedom of Information (Scotland) Act 2002.  We are also likley to see an Order being made under Section 5 of the Freedom of Information (Scotland) Act 2002 designating Registered Social Landlords as scottish public authorities with effect from 1st April 2019.

By the end of 2018 we should also hopefully have a much better idea as to what the UK’s relationship with the European Union will be after it leaves, and in particular what impact this will have on data protection and privacy law in Scotland and the rest of the UK.

There will no doubt be a raft of new court decisions in relation to both Privacy/Data Protection and Freedom of Information over the course of the next 12 months and I will attempt to address the most important and unusual decisions here on the Information Law Blog from Inksters Solicitors.

Alistair Sloan

If you would like advice or assistance with Privacy and Data Protection matters (including GDPR preparation) or with UK and Scottish Freedom of Information requests contact Alistair Sloan on 0345 450 0123 or you can E-mail him.

Registered Social Landlords and FOI

Yesterday, the Scottish Government began a consultation on legislation to formally designate Registered Social Landlords (RSLs) as Scottish public authorities for the purposes of the Freedom of Information (Scotland) Act 2002 (“FOISA”).  The draft Order being consulted on proposes a commencement date of 1st April 2019.

This is not an unexpected development in the field of information law.  In December 2016 the Scottish Government consulted on the principle of designating RSLs as public authorities for the purposes of FOISA.  It has been widely anticipated that RSLs would be designated as a public authority for the purposes of FOISA.

A designation as a public authority for the purposes of FOISA will have ramifications for RSLs beyond the obvious need to comply with FOISA and being under the regulatory oversight of the Scottish Information Commissioner.  It will also have implications for RSLs in respect of how they implement the General Data Protection Regulation (“GDPR”), which becomes applicable from 25th May 2018.

There are a number of aspects of the GDPR which are directed towards public bodies.  The Data Protection Bill currently before the UK Parliament defines what a public body is for the purposes of the GDPR.  Clause 6 of the Bill provides that a body which is designated as a Scottish public authority for the purposes of the FOISA is a public body.  This will mean that RSLs will have to appoint a Data Protection Officer; even although many of them would not have had to before this decision was taken by the Scottish Government.

It also has implications for the grounds upon which they can legitimately process personal data.  Processing of personal data for the purpose of pursuing a legitimate interest of the controller is permissible under the GDPR.  However, the GDPR goes on to provide that public bodies cannot rely upon legitimate interest as a ground of processing in performance of their tasks.  Therefore, any RSL that has been preparing for the GDPR on the basis that they will be able to process personal data on the legitimate interests ground will have to re-evaluate its processing of personal data ahead of its designation as a public authority for the purposes of FOISA.

It is worthy of note, simply for interest, that the Data Protection Bill proposes giving the Secretary of State the power to make regulations which state that a public body is not in fact a public body for the purposes of the GDPR.  However, there has been no indication that the Secretary of State intends on making use of this power or how the power is intended to be used; therefore, it is probably advisable not to work on the basis that a RSLs will be declared not to be public bodies for the purposes of the GDPR.

Another possible implication for RSLs is in relation to the Environmental Information (Scotland) Regulations 2004 (“the EIRs”).  The Scottish Information Commissioner has already previously decided that RSLs are public authorities for the purpose of these regulations, which govern access to environmental information.  The Housing (Amendment) (Scotland) Bill may have implications for the basis upon which the Commissioner concluded that RSLs were a public authority for the purposes of the EIRs.  If it does, there may be a gap where RSLs are not public authorities for the purposes of EIRs.  Once they become designated as a public authority for the purposes of FOISA, they will automatically become a public authority for the purposes of the EIRs as well.

Alistair Sloan

If you would like advice or assistance in respect of a freedom of information or data protection matter then contact Alistair Sloan on 0345 450 0123.  Alternatively, you can send him an E-mail.

FOISA Vexatious decision notice appealed to Court of Session

Section 14 in both the Freedom of Information Act 2000 (“FOIA”) and the Freedom of Information (Scotland) Act 2002 (“FOISA”) enable an authority not to comply with a request for information that is vexatious.  What is meant by vexatious in Section 14 of FOIA has been the subject of litigation all the way to the Court of Appeal and the leading authority is Dransfield and another v The Information Commissioner and others [2015] EWCA Civ 454; [2015] 1 WLR 5316.  However, there has not yet been any litigation in Scotland on the meaning of vexatious within Section 14 of FOISA; the Scottish Information Commissioner’s guidance [pdf] on the subject appears to draw heavily on the Dransfield decision.

Those who make a point of reading the Scottish Information Commissioner’s regular round-ups of decisions will note that the most recent one informs us of an appeal to the Court of Session against a decision of the Scottish Information Commissioner which upheld the authority’s use of Section 14.  If the appeal proceeds, it will be the first time that the Scottish courts will have considered Section 14 of FOISA.

It will be interesting to see whether the Court of Session adopts the Dransfield position, or whether it takes a different approach to vexatious requests in Scotland.  If the Court of Session does publish an Opinion, we will of course cover it on this blog.

Alistair Sloan

We are able to provide advice and assistance in connection with a range of Freedom of Information matters, including appeals against decisions of both the Scottish and UK Information Commissioners.  If you would like to do discuss a Freedom of Information, or any other Information Law, matter with us then you can contact Alistair Sloan on 0345 450 0123.  Alternatively, you can send him an E-mail.