Monthly Archives: December 2018

Scottish Vexatiousness

Paragraph numbers in this blog post relate to the Court of Session’s decision in Beggs v Scottish Information Commissioner [2018] CSIH 80; unless the context requires, or it is expressly stated, otherwise.

If you’re regularly involved in the making of or responding to freedom of information requests then you are likely to be familiar with the decision of the English and Welsh Court of Appeal in Dransfield and Another v The Information Commissioner and another which deals with the meaning and application of “vexatious” within section 14 of the Freedom of Information Act 2000 (“FOIA”). In keeping with many of the provisions of FOIA, there has been considerable litigation on section 14 within the First-Tier Tribunal; however, the decision in Dransfield is the leading authority on the approach that public authorities, the UK Information Commissioner and the First-Tier and Upper Tribunals should take when applying or considering the exemption in section 14(1) of FOIA.

As with many aspects of the Freedom of Information (Scotland) Act 2002, the equivalent provisions within FOISA (also section 14) have escaped any judicial consideration; that is, until today when the First Division,  Inner House of the Court of Session (Lord President Carloway and Lords Brodie and Drummond Young) advised its opinion in an appeal under section 56 of FOISA against a decision of the Scottish Information Commissioner which upheld the decision of the Scottish Prison Service that a request for information made to it was vexatious: Beggs v Scottish Information Commissioner [2018] CSIH 80.

As with most cases involving vexatious requests, there is a history to the matter; this is briefly set out in paragraphs 5-15 of the Court’s Opinion. I am therefore not going to set it out here. There were two grounds of appeal advanced on behalf of the Appellant before the Court and these are set out, in full, by the Court in paragraph 4 of its Opinion. The grounds can  be summarised as follows: (1) that the test set out by Arden LJ (as she then was) in Dransfield should apply and that it had been incorrectly applied by the Scottish Information Commissioner (“SIC”); and (2) that the SIC’s decision was irrational as it failed to take into account a number of factors. The court ultimately rejected both grounds of appeal and refused the Appeal.

The Court makes some “preliminary comment” about the English and Welsh Court of Appeal’s decision in Dransfield. It notes that the decision is “an English case concerning English legislation” (para 26). This is not a wholly accurate statement by the Court: Dransfield concerns section 14 of FOIA, which cannot properly be said to be English legislation. FOIA covers UK-wide public bodies (such as UK Government departments, the BBC, UCAS, the British Transport Police and other); it can be used by people living in Scotland. There is also no separate Norther Irish FOI law and FOIA applies to bodies such as departments of the Northern Irish Government and the Police Service of Northern Ireland. Furthermore, it is possible for appeals against the Upper Tribunal to be taken to the Court of Session and the UK Commissioner can, for example, under section 54, make certifications to the Court of Session.

It appears that what the Court meant by “English legislation” is that the decision in Dransfield was not binding upon the SIC as the SIC is concerned with the enforcement of FOISA – an Act of the Scottish Parliament – rather than FOIA – an Act of the UK Parliament. I may, of course, be entirely wrong and the Court of Session has fundamentally misunderstood FOIA and the distinction between FOIA and FOISA. However, this is not really a matter upon which anything of substance in Beggs can be said to turn. It appears that the Court has essentially adopted the reasoning of Arden LJ and supplemented it with some of its own.

Also by way of preliminary comment the Court notes that Arden LJ expressly declined to offer a definition of or test for “vexatious” or “vexatiousness” (para 26) and so it was incorrect to argue that Dransfield set out a “test” for vexatious requests. The court went on (also at para 26) to state that “[i]t would be remarkable if the word “vexatious” when found in section 14(1) of the English Act of 2000 meant something different from the same word when found in section 14(1) of the Scottish Act of 2002; the terms of the two subsections are essentially identical.”

However, the Court of Session found that there was much in the judgment of Arden LJ that they would agree with and quote paragraph 68 of the judgment of Arden LJ with approval. The Court of Session, perhaps importantly, appears to have approved of the view that Arden LJ took that the rights in FOIA were constitutional in nature (para 28). The court also held that when assessing whether a request is vexatious or not, it must be viewed objectively. In the decision under challenge, the SIC had concluded that when viewed objectively the information sought was of no value to the Appellant. The First Division held that had the SIC followed Dransfield (which she was not obliged to do so) then she would have correctly reached the same conclusion: that Mr Beggs’ request was vexatious (para 30).

In terms of the irrationality ground of appeal, this was dealt with more swiftly by the Court. Counsel for the Appellant had characterised the three matters which the Appellant argued had been overlooked by the Court, were material.

The first matter was the Appellant’s express disavowal of any direct and personal attack. The Appellant had expressly disavowed in his request that there was any such attack. However, the Solicitor Advocate for the SIC argued that the contents of a letter sent to one of the SIC’s officers revealed the Appellant’s purpose; the Appellant’s purpose was “not to obtain information as such” (para 33) rather it was with a view to pursuing complaints about their conduct.” (also at para 33).

The court held that “the presence of a malicious motive may point to a request being vexatious the absence of a malicious motive does not point to a request not being vexatious” (para 33). In essence, while the Court appears to have been sceptical of the Appellant’s express disavowal of personal attack it seems that even if it had not been sceptical, the disavowal may not have assisted the Appellant anyway. The Court again expressed the objective nature of assessing whether a request is vexatious and agreed with the SIC that a request may be harassing even if that is not what is intended by the requester.

The second consideration referred to the past conduct of the authority; these requests appear to have been the result of the Scottish Prison Service putting forward inaccurate information in earlier proceedings before the Court of Session. The Court approved of the view of Arden LJ in respect of vengeful motives – such a motive might itself be an indicator that a request is vexatious. The court’s position here is fairly broad, but it does not appear to close off legitimate use of FOISA to uncover evidence of wrongdoing within a Scottish public authority. However, it is fairly clear that if a requester is using

The third consideration related to the importance of the information requested; the court concluded that the information was objectively of no value and this was therefore not a material consideration.

Comment
This is the first time that the vexatious requests provision in FOISA has been considered by the Scottish courts and will now be the leading case in applying section 14(1) of FOISA. The decision essentially approves of the approach set out by the English and Welsh Court of Appeal in Dransfield. It is important to remember that a request must be considered objectively. There is no express test for vexatious requests either under FOIA or FOISA, but it will be important for Scottish public authorities to keep in mind the constitutional nature of the rights in FOISA. With this in mind, the threshold for applying the provision in section 14(1) of FOISA is a high one.

The Court of Session considers that, when Arden LJ used the phrase “no reasonable foundation for thinking that the information sought would be of value”, it appears that Arden LJ was trying to encapsulate an idea of “gross disproportion as between much trouble inevitably caused and little benefit possibly gained.” How much traction this comment of the Court of Session will have in terms of the application of section 14 of FOIA (given that the Court of Session’s judgments in FOISA cases are of only persuasive authority to the Tribunals and English and Welsh Courts) remains to be seen. Of course, should Beggs seek permission (and be granted permission) to appeal to the Supreme Court we may get a definitive view from(the now)  Lady Arden on whether the Court of Session has correctly interpreted what she meant when sitting in the English and Welsh Court of Appeal.

For the time being, whether or not the Court of Session was right in what it said, this is now (subject to any appeal) the law as it applies in Scotland vis-à-vis FOISA. When considering whether a requester has a reasonable foundation for thinking that the information sought would be of value, it is necessary to look (objectively) at what value there is in the information (a mere assertion by the Applicant that it is of value will not itself be sufficient) and balance that against the inevitable burden that answering the request will place on the authority: they are inversely proportional to one another.

From the perspective of requesters, it is likely to be of little assistance to include express statements in requests that the request is not a personal attack on the authority or a member of its staff and even if you have no intent to cause harassment your request might well have that effect. Your request will be considered objectively in light of its facts and circumstances (and comments made in later correspondence may well be seen as tending to show the opposite).

The decision in Beggs is not likely to have much, if any, impact upon the way in which the vexatious requests provisions in FOISA operate in practice. The Court has essentially approved of the approach to the identical provisions under FOIA. In the absence of any previous authority from the Scottish courts in respect of section 14, the SIC and Scottish public authorities have historically found Dransfield to be persuasive and used it as a basis for understanding what section 14 means.

In short, to decide whether a request is vexatious it is necessary to consider the request objectively on its own facts and circumstances. There is no formula or checklist that can be followed which will give you a definitive answer.

Alistair Sloan

If you would like advice or assistance in respect of a Freedom of Information matter or a data protection/privacy issue then contact Alistair Sloan on 0141 229 0880 or you can send him an E-mail.

Data Protection and Privacy Enforcement: November 2018

0The year is progressing quickly and we’re now onto looking at November’s enforcement action published by the Information Commissioner’s Office in relation to privacy and data protection matters. We are beginning to see enforcement action under the Data Protection Act 2018 (“DPA18”) filter through, but the majority is very much still under the Data Protection Act 1998 (“DPA98”) in respect of breaches which occurred prior to 25 May 2018.

Key Points

  • Carrying out a Data Protection Impact Assessment in the early stages of any project where it is envisaged that personal data will be processed is a useful tool to help highlight privacy and data protection concerns so that they can be addressed in the planning phase. Data protection by design and privacy impact assessments were recommended good practice under the DPA98; however, the GDPR mandates data protection by design and default (Article 25) and the carrying out of data protection impact assessments in certain circumstances (Article 35). Even if the GDPR does not require you to complete a DPIA, it is worthwhile undertaking one in any event – it can also be a helpful document to present to the Commissioner should her office begin any investigation into your organisation.
  • It is important to regularly download an updated version of the Telephone Preference Service list and to do so as close as possible to an intended direct marketing campaign. If you undertake regular direct marketing campaigns then you should probably be downloading the updated list once per month. Relying on an out of date version could mean that you unlawfully call numbers – the cost of regularly obtaining a copy of the TPS list is insignificant compared to the financial penalties that can be issued by the Information Commissioner for contraventions of Regulation 21 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.
  • It should go without saying that if the Information Commissioner takes enforcement action against you for contravening privacy and data protection laws then you should ensure that you take adequate remedial measures to ensure that the contravention doesn’t happen again.
  • If you obtain a list of telephone numbers to call for marketing purposes from a third party the obligation rests with you to ensure that you have lawful authority to make (or instruct others on you behalf to make) calls to each intended number.
  • Controllers may no longer be required to notify the Commissioners of their processing of personal data; however, they are still required to make payment to the Commissioner of a fee. Those who either (a) don’t know they are due to pay  a fee; or (b) miss paying their fee and rectify the matter once the Commissioner has contacted them about their non-payment will likely not face formal enforcement action, but those who continue to fail to pay the fee once the Commissioner has contacted them can expect to be required to pay a financial penalty for failure to pay the fee.

Enforcement Action published by the ICO during November 2018

Metropolitan Police Service
The Commissioner of Police of the Metropolis (MPS) was served with an Enforcement Notice by the Information Commissioner [pdf] requiring the MPS to take a number of specified steps; including the conducting of a data protection impact assessment, in respect of its Gangs Matrix. The Gangs Matrix is part of the MPS’ ongoing effort to reduce the incidences of crime in London arising from gangs. The Notice only emphasises the Commissioner’s primary concerns in respect of the MPS’ compliance with the data protection principles, rather than listing every single contravention. The Notice makes reference to contraventions of the first, third, fourth, fifth and seventh data protection principles

DM Bedroom Design Ltd
The Information Commissioner served DM Bedroom Design Ltd with a monetary penalty in the sum of £160,000 [pdf] and also served it with an Enforcement Notice [pdf] after finding that the company had contravened Regulation 21 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). This was not the first time that the company had received a monetary penalty from the Commissioner for contravening PECR. The company operated an internal suppression list and also advised the Commissioner that it screened lists against the Telephone Preference Service (“TPS”) list; however, the Commissioner found that the company had not downloaded the TPS list since March 2017.

Solartech North East Limited
Solaretech North East Limited (“Solartech”) was served by the Information Commissioner with a monetary penalty in the amount of £90,000 [pdf] and an enforcement notice [pdf]. The Commissioner found that Solartech had contravened Regulation 21 of PECR by making almost 75,000 calls unlawfully to numbers listed with the Telephone Preference Service. Solartech had previously came to the attention of the Commissioner’s office in 2014 and had bene provided with advice from her office as well as subjected to a period of monitoring. Despite this, and further advice and monitoring in 2016/17 Solartech continued to contravene Regulation 21 of PECR. Solartech sought (unsuccessfully) to blame third parties for these contraventions.

Uber
Uber is a popular app which provides taxi services to its users by linking them with Uber drivers in their area. It has bene the subject of many recent legal battles in the Employment field and has now also come to the attention of data protection supervisory authorities in the United Kingdom and the Netherlands. The Information Commissioner served Uber with a monetary penalty notice in the amount of £385,000 following a cyber attack. [pdf] The Commissioner found that Uber had breached the seventh data protection principle by failing to have in place adequate technical and organisational measures.

Fixed Penalty Notices: Data Protection Fees
The old notification requirement and fee under the DPA98 has gone, but has been replaced with a new data protection fee payable by controllers who are not exempt from the fee. The new fees regulations are found in The Data Protection (Charges and Information) Regulations 2018. Organisations who are required to pay the fee and fail to do so may be served with a penalty notice by the Commissioner requiring them to pay a fixed penalty calculated in relation to the amount of the fee payable under the Regulations by the controller. The Commissioner has taken enforcement action, in the form of fixed penalty notices, against a number of controllers in the business, manufacturing and finance sectors for failure to pay their data protection fees; even after being contacted by the Commissioner about the unpaid fee. The Commissioner has not published all of the penalty notices, or even a list of controllers subject to enforcement action, but has instead published “example” notices (which read more like templates than examples) for each of the three sectors.

Alistair Sloan

If you require advice and assistance in connection with any of the data protection/privacy issues above, or any other Information Law matter, please do contact Alistair Sloan on 0141 229 0880 or by sending him an E-mail directly.  You can also follow our dedicated information law twitter account.