Monthly Archives: February 2019

Personal data and FOI: the conflict continues

The interaction between freedom of information and data protection laws is one which often results in conflict. On the one hand there is a legislative scheme that operates to promote transparency, while on the other there is a legislative scheme that operates to protect personal data. FOI law essentially provides that information should be released unless there is a good reason not to; while data protection law says that personal data should not be processed unless there is a good reason to. Both have their complexities and those brief explanations do not adequately encapsulate them.

The decision of the Upper Tribunal in Information Commissioner v Halpin [2019] UKUT 29 (AAC) is an example of where the First-Tier Tribunal got it badly wrong when dealing with the legitimate interests ground for processing under the Data Protection Act 1998. The Respondent in this appeal, Mr. Halpin, had requested information from Devon Partnership NHS Trust concerning the training that two named social workers had undergone in respect of the Care Act 2014. When deciding whether to release personal data under FOI law there is essentially a three staged test which must be satisfied before the personal data can be disclosed; this test was set out clearly by the Supreme Court in South Lanarkshire Council v Scottish Information Commissioner.

Firstly, is a legitimate interest or interests being pursued by the controller, third party or parties to whim the personal data is to be disclosed? Secondly, if a legitimate interest has been identified, is the processing (by way of disclosure under FOI law) necessary for the purposes of those interests? Finally, if there is a legitimate interest and the processing is necessary for that legitimate interest, then the processing cannot be unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

The first ground of appeal for which permission was granted was in respect of the FTT’s treatment of the effect of disclosure of the information to the world at large; in particular that the FTT had not deal with this matter in substance. This is an issue that needs to be carefully considered: disclosure under FOI is not simply a disclosure to the individual requester; it is a disclosure to the whole world. This is an important factor in determining the necessity of the processing in pursuance of the legitimate interest concerned. It is also important in considering whether the processing (by releasing the information under FOI) is unwarranted.

Once the information is disclosed under FOI law it is disclosed in circumstances where the public authority loses control of the information concerned; there is no duty of confidentiality owed. Therefore, there is nothing that can be done in order to prevent further dissemination of the information.

Upper Tribunal Judge Markus QC states, at paragraph 20, that Mr Halpin’s lack of motivation to publicise the information is irrelevant to the question of assessing the potential impact of disclosure to the world at large. The motivation of the requester is only relevant to the first of the three stages of the test set out in South Lanarkshire Council v Scottish Information Commissioner (whether a legitimate interest exist); it is not relevant to the question of necessity or the final question of balancing the legitimate interests against the rights, freedoms and legitimate interests of the data subject.

Public authorities, and those advising them, should therefore ensure that, when considering the release of personal data in response to a FOI request, they do not become focused on the individual requester; it is essential to consider the wider world when undertaking this assessment. The motivations of the requester might well be wholly benign, but there are others whose motivation may not be so benign and will utilise the information for other purposes. Requesters should also bear this in mind; an individual requester might have a perfectly legitimate interest in the personal data and the necessity test might very well be met in their individual case; that is not enough. Due consideration has to be given to the wider impact of releasing information to the world; this is why consideration has to be given to whether the personal data can be obtained in another way as part of the necessity test (although, the existence of other means of obtaining personal data, other than by way of a FOI request, will not necessarily be determinative of the issue).

Alistair Sloan

We are able to provide advice and assistance to public authorities and requesters in connection with matters concerning Freedom of Information laws; if you would like advice and assistance in connection with these matters, or any other information law matter, please contact Alistair Sloan on 0141 299 0880 or by E-mail. You can also follow our dedicated Information Law Twitter account.

Information Notices: UKIP v Information Commissioner (Part 2)

Last year I blogged on UKIP’s appeal to the First-Tier Tribunal (Information Rights) (“FTT”) against an Information Notice issued by the Commissioner; the FTT dismissed UKIP’s appeal. UKIP sought (and was granted) permission to appeal to the Upper Tribunal. The Upper Tribunal has now issued its decision. The decision has not yet been published by HMCTS; however, the wonderful people at 11KBW have published it [pdf] on their Panopticon blog (you can read Robin Hopkin’s post on their blog here). If you can’t be bothered reading to the end; the spoiler is that UKIP’s appeal was also dismissed by the Upper Tribunal.

By the time that UKIP’s appeal came before the Upper Tribunal, there were four “heads of appeal”: (1) The FTT had erred in law in terms of its approach to the exercise of the Commissioner’s discretion in issuing the notice; (2) the FTT had erred in law in terms of the scope of the notice; (3) the FTT had erred in law in terms of the timeframe for the notice; and (4) the FTT had erred in law in terms of irrationality.

The first head of appeal related to whether or not the FTT was correct, in law, to conclude that the scope of the information notice was clear. Upper Tribunal Judge Wikeley, at paragraph 24, concluded that taking the first five paragraphs of the information notice together, they were sufficient to comply with the requirements in section 43(2)(b) of the Data Protection Act 1998 (“DPA98”). Judge Wikeley did concede that the FTT did not provide as full reasons as he had, but they were clear enough that the FTT was satisfied that the notice complied with the requirement in section 43(2)(b) of the DPA98. The Judge, again said (having said it previously in another case), that the FTT does not need to set out in detail “every twist and turn of its assessment of the evidence and its consequential reasoning.” It is enough that the decision shows that the FTT has applied the correct legal test and has explained its decision in “broad terms”.

The second head of appeal related to the period for which the Commissioner wanted information from UKIP. The notice made reference to the 2015 General Election, but then asked questions about the 2016 referendum of the UK’s membership of the European Union. The judge accepted “that some of the drafting of the information notice is not ideal.” The notice had used both the former and present tense; sometimes together as alternatives. The Upper Tribunal concluded that “on a fair and objective reading of the notice as a whole, the information sought was plainly not confined to the 2015 General Election; rather it related to the ongoing processing of personal data” and also noted that the notice “should not be read as if it were a criminal indictment.” [para 27].

The third head of appeal related to the Commissioner’s exercise of discretion. UKIP argued that the Commissioner should have used the ‘least restrictive’ means of obtaining the information that she wanted; in other words she could have and therefore should have simply written a further letter to UKIP. This submission was based on principles which were developed in the context of the legitimate interests ground of processing personal data in the DPA98; it was “inappropriate” to try and “read across” [para 29]. Further, UKIP argued that it did not have the resources to provide a satisfactory response to the Commissioner’s initial letter: this was given short shrift by the judge.

The final head of appeal was that the Tribunal’s final decision was irrational in legal terms. The FTT had started out by giving a provisional view that the notice lacked clarity in its scope, but ended up concluding that it was, in fact, clear. Again, the judge accepted that the FTT’s reasoning was “sparse”, but nonetheless concluded that it was “sufficient.” [para 34]

Therefore, UKIP’s appeal was dismissed and the information notice, once again, stands. It will need to be complied with, subject to any further appeal, within 30 days of the Upper Tribunal’s decision being sent to the parties.

One final point is worth noting; the Upper Tribunal comments that, like a decision notice issued pursuant to section 50 of the Freedom of Information Act 2000, the Commissioner cannot vary an information notice once it has been issued: the commissioner can, unlike a decision notice, cancel the notice and re-issue a fresh notice. That is a consequence of the statutory framework: the statute gives the Commissioner the power to cancel a notice and makes no mention of varying (however, the statute does make mention of the Commissioner being able to vary other notices). In the circumstances an information notice cannot be varied once it is issued; if there is a problem with it then the notice must be cancelled by the Commissioner and a fresh notice issued. The same, in my view, would hold true for information notice issued under the Data Protection Act 2018. The statute provides that the Commissioner can cancel a notice, but makes no mention of varying the notice (whereas, she can vary, for example, an enforcement notice – the statute expressly provides for that in section 153).

From this decision we can take the following:-

  1. An information notice does not need to give a detailed statement as to why the Commissioner requires the information requested in the notice.
  2. The commissioner’s drafting of information notices gets a pass, but could be better.
  3. The commissioner doesn’t need to utilise less intrusive methods of obtaining information instead of exercising her discretion to issue an information notice.
  4. A controller’s lack of resources is not a reason why the Commissioner should not issue an information notice (indeed, it may even be a reason in favour of exercising discretion to issue an information notice).
  5. The FTT is not bound by a preliminary view it expresses and can change its mind.
  6. The Commissioner cannot vary an information notice should there be a problem with it: only cancel it and issue a fresh notice.

Alistair Sloan

If you require advice or assistance in respect of a privacy/data protection, or any other information law, matter then contact Alistair Sloan on 0141 229 0880 or you can send him an E-mail. You can also follow our dedicated information law twitter account.

Data Protection and Brexit: Changes to UK law (Part 1)

This is the first in a series of blog posts that I intend on doing over the next period which look at some of the changes to the GDPR and the Data Protection Act 2018 that will be brought about by the withdrawal of the United Kingdom from the European Union. In my 2018 information law review, published in January, I noted that the UK Government had published The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (Draft). These regulations, made pursuant to the powers conferred upon the Government in terms of the European Union (Withdrawal) Act 2018, make significant changes to the GDPR and the Data Protection Act 2018 in order to ensure that they both still work and make sense once the UK has withdrawn from the European Union. They will not enter into force until “exit day”.

Representatives
Currently any controller or processor (excluding those who fall within limited exceptions) established outside of the EU require to appoint a representative within the EU as a point of contact for data subjects and the supervisory authorities. The draft 2019 Regulations will amend this requirement so that any controller or processor not established in the United Kingdom will be required to appoint such a representative within the United Kingdom. This will apply to controllers and processors based in EU and EEA states after “exit day”. Therefore it is important that EU and EEA businesses who are not established with the UK, but collect personal data of data subjects in the UK, turn their minds to appointing such a representative within the UK in time for exit day.

Equally, it should be noted that UK businesses currently do not need to appoint such representatives within the EU/EEA because the UK is an EU member. When the UK leaves the European Union it will be necessary for UK businesses to comply with Article 27 of the EU GDPR; therefore, a representative within one of the 27 EU member states will need to be appointed.

Adequacy decisions
Under the GDPR the European Commission has the power to make adequacy decisions. These are decisions which allow the flow of personal data to a territory (or a part of a territory or sector within a territory) outside of the EU. The draft 2019 Regulations will insert new provisions (sections 17A and 17B) into the Data Protection Act 2018 establishing a very similar regime which will allow the Secretary of State to make “adequacy regulations” these will function in much a similar way. It is probably quite likely that one of the first adequacy regulations to be made will specify that the EU and EEA states have an adequate level of personal data protection.

The UK, upon exit day, will fall outside of the European Commission agreements and adequacy decisions (such as the EU-US “safe harbour” agreement). Similar agreements will need to be agreed with the UK. Controllers who currently rely on adequacy decisions of the Commission will need to think about how they will comply with UK data protection law in respect of international transfers of personal data, post-brexit.

Standard data protection clauses
Under the GDPR the European Commission has the power to adopt standard data protection clauses which, if used, will give an adequate level of protection for personal data when that personal data is transferred to a non-EU member state.

The draft 2019 Regulations will insert a section 17C into the Data Protection Act 2018, which will give the Secretary of State the power to make regulations specifying “standard data protection clauses which the Secretary of State considers provide appropriate safeguards for the purposes of transfers of personal data to a third country or an international organisation in reliance on Article 46 of the UK GDPR.”  In essence, the power of the Commission will transfer to the Secretary of State on exit day.

Administrative Fines
The power of the Information Commissioner to issue administrative fines (or, in the language of the Data Protection Act 2018, ‘Penalty Notices’) will continue to exist when the UK leaves the European Union. The maximum amounts of those penalties are currently expressed in Euros (although the Data Protection Act 2018 requires the Information Commissioner to issue the penalties in pounds sterling). The draft 2019 Regulations will amend the maximum amounts to convert them into pounds sterling as opposed to Euros. The €10,000,000 figure will change to £8,700,000; while the €20,000,000 figure will become £17,500,000. These figures are roughly what the euro figures convert to using the current exchange rates.

These are just some of the many changes that will be made by the draft 2019 Regulations. I hope to be able to do some more blog posts looking at some of the other changes contained within the draft 2019 regulations as we approach the 29th March 2019 (the date on which the UK is scheduled to leave the European Union).

Alistair Sloan

If you require advice or assistance in respect of a privacy/data protection, or any other information law, matter then contact Alistair Sloan on 0141 229 0880 or you can send him an E-mail. You can also follow our dedicated information law twitter account.

FOI in Scotland: Registered Social Landlords

Last week the Scottish Ministers laid The Freedom of Information (Scotland) Act 2002 (Designation of Persons as Scottish Public Authorities) Order 2019 (Draft) before the Scottish Parliament for the approval of the Parliament, as they are required to do in terms of the Freedom of Information (Scotland) Act 2002 (“FOISA”). This order is a long anticipated order to bring Registered Social Landlords (“RSLs”) within the scope of FOISA by designating them as Scottish public authorities. If approved (and there is nothing to suggest that the Order will not be approved by the Scottish Parliament), it will mean that RSLs (and their subsidiaries) will be designated as Scottish public authorities from 11 November 2019. Some had been hoping that they would have been designated from April this year, while others had been hoping that it would be April 2020. The Scottish Ministers appear to have split the difference and given RSLs a period of around 9 months to prepare for becoming Scottish public authorities.

RSLs have been, following a number of decisions of the Scottish Information Commissioner (which have never been appealed to the Court of Session), Scottish public authorities for the purposes of the Environmental Information (Scotland) Regulations 2004 for a number of years. There is, however, some debate about whether they remain so, following some changes to the regulatory landscape pertaining to RSLs. It has not yet, to my knowledge, been tested whether they still are Scottish public authorities for the purposes of the Environmental Information (Scotland) Regulations 2004. Whether the changes to the regulatory landscape of RSLs has had the effect of them no longer being Scottish public authorities, for the purposes of the Environmental Information (Scotland) Regulations 2004, is somewhat immaterial; designation as a Scottish public authority for the purposes of FOISA also means that they will be Scottish public authorities for the purposes of the Environmental Information (Scotland) Regulations 2004.

It should be noted that the draft order has been drafted in such a way so as to make RSLs Scottish public authorities for limited purposes only. They will be Scottish public authorities in respect of the following functions:

  1. providing housing accommodation and related services and includes anything done, or required to be done, in relation to:- (a) the prevention and alleviation of homelessness; (b) the management of housing accommodation (limited to the management of housing accommodation for which a registered social landlord has, under the Housing (Scotland) Act 2001, granted a Scottish secure tenancy as defined in section 11 or a short Scottish secure tenancy as defined in section 34 of that Act); (c) the provision and management of sites for gypsies and travellers, whatever their race or origin; and
  2. the supply of information to the Scottish Housing Regulator by a registered social landlord or a connected body in relation to its financial well-being and standards of governance.

A register of social landlords can be found on the website for the Scottish Housing Regulator.

Alistair Sloan

We are able to provide advice and assistance to public authorities and requesters in connection with matters concerning Freedom of Information laws; if you would like advice and assistance in connection with these matters, or any other information law matter, please contact Alistair Sloan on 0141 299 0880 or by E-mail. You can also follow our dedicated Information Law Twitter account.

Developing the Information Expressway

The Upper Tribunal has recently considered the meaning and scope of the exception in Regulation 12(4)(d) of the Environmental Information Regulations 2004 (“the EIRs”). This exception allows a public authority to withhold environmental information in response to a request where “the request relates to material which is still in the course of completion, to unfinished documents or to incomplete data”.

Highways England Company Limited v Information Commissioner and Henry Manisty [2018] UKUT 432 (AAC) concerned a request made to Highways England by Mr Manisty in December 2016. Mr Manisty request related to the possible route of the Expressway between oxford and Cambridge being investigated by Highways England. His request was refused by Highways England and the Information Commissioner did not uphold Mr Manisty’s subsequent complaint to her office. Mr Manisty appealed to the First-Tier Tribunal who allowed his appeal, deciding that the exception in Regulation 12(4)(d) did not apply. Highways England sought, and was granted, permission to appeal to the Upper Tribunal.

Upper Tribunal Judge Jacobs reminds us that as the EIRs implement an EU Directive they must (for now) be interpreted in a way that accords with the normal principles that apply to EU law. Judge Jacobs reminds us that one of those principles is that the exceptions must be interpreted restrictively. Judge Jacobs points out that this is a separate consideration from the presumption in favour of disclosure enshrined within the EIRs; that presumption simply allocates the burden of proof while the restrictive approach defines the scope of the exception.

Judge Jacobs also addresses the Aarhus Convention and the Implementation Guide. The EU Directive, which the EIRs implements, implements the Aarhus Convention into EU law and so regard has to be had to the convention when interpreting the EIRs and the Directive. Judge Jacobs, in paragraph 19, reviews some of the relevant case law and concludes that the Implementation Guide “can be used to aid interpretation, but it is not binding and cannot override what the Convention provides.”

Judge Jacobs includes two helpful paragraphs setting out what the exception does not mean. When deciding the scope of the exception it is not permissible to take into account any adverse consequences that disclosure might have. This is relevant for the purposes of determining where the public interest lies and also, perhaps, deciding whether the exception is engaged. Judge Jacobs states that “[a]dverse consequences must not be made a threshold test for regulation 12(4)(d).” [para 21]

Judge Jacobs considers what “material” and “relates to” means within the exception. In respect of “material”, he considers that the word material “is not apt to describe something incorporeal, like a project, an exercise or a process.” The material in question may form part of a project or process etc.; however, the material in question must itself be in the course of completion. We are not necessarily concerned with whether the project is in the course of completion. [para 23] Judge Jacobs also holds that “[m]aterial includes information that is not held in documents and is not data: things like photographs, film, or audio recordings.” [para 24]

Having already looked at what the exception does not mean, Judge Jacob eventually gets around to deciding what the exception does mean. He notes, in paragraph 28, that the language in the exception is “deliberately imprecise.” That being said, Judge Jacobs, in paragraph 30, returns to the principle that the exception should be applied restrictively. The imprecise language does not mean the exception can be applied “so widely as to be incompatible with the restrictive approach required by EU law.” At the same time it cannot be applied so narrowly that its purpose is defeated. In paragraph 31 of the decision, Judge Jacobs, identifies yet another deliberately vague expression within the exception: ‘piece of work’. The judge identifies some factors that may be of some assistance in applying the exception. For example, if there has been a natural break in the public authority’s private thinking; or, perhaps, the public authority is at a stage where publicity around its progress so far is taking place. The continuing nature of the project, process or exercise might also be a relevant feature. However, public authorities shouldn’t get too excited: this is not, by any means, a checklist. Judge Jacobs makes it clear that each case will turn on its own circumstances.

Public authorities should also be aware that their own internal labels will not be determinative of matters; it is not possible to, in the words of Judge Jacobs “label [your] way out of [your] duty to disclose.” Labels such as “draft or preliminary thoughts may, or may not, reflect the reality.” [para 32]

Counsel for Highways England is recorded as having emphasised legal certainty and its importance. Judge Jacobs accepts that his decision will not produced legal certainty in the way that was possibly envisaged by Counsel for Highways England. Judge Jacobs notes that its application will not be easy; however, issues of judgement are involved and that limits what can be achieved.

In deciding that the First-Tier Tribunal had not erred in law, Judge Jacobs took the view that, when reading the First-Tier Tribunal’s reasoning as a whole; its approached accorded with his analysis of the operation of the exception. The First-Tier Tribunal “understood that it was exercising a judgment on whether the information requested could now properly be considered as independent from the continuing work on the Expressway.”

So, what have we learned? Judge Jacobs has certainly gone through the exception carefully and produced what he considers to be the best that can be achieved in terms of defining the scope of the exception in Regulation 12(4)(d). Its scope is narrow, but not so narrow as to defeat the policy intention of providing a space for public authorities to think in private; however, its imprecise nature should not be taken as giving public authorities cart blanche. Each and every case will turn on its own circumstances and a degree of judgement is involved in determining whether the exception will apply or not.

There are also some useful reminders (for now) about the need to utilise EU law principles when interpreting the EIRs. There is also a useful reminder, in paragraph 6, about the approach that the Upper Tribunal adopts when considering an appeal. It is unlike the First-Tier Tribunal; it is not conducting a re-hearing of the case. The Appellant has to show that the First-Tier Tribunal erred in law. We are also reminded that the nature of the language of the provision has to be taken into account when considering legal certainty; it is therefore not always possible to give a precise exposition of the scope of a provision – sometimes, it really does just come down to a matter of judgement.

Alistair Sloan

We are able to provide advice in connection with a wide range of information law matters, including Freedom of Information Act/Environmental Information Regulations appeals. If you would like advice and assistance on any of these matters then please contact Alistair Sloan on 0141 229 0880 or by E-mail. You can also follow our dedicated information law account on Twitter.