Domestic CCTV and Data Protection

There was a time where CCTV systems were of a very poor quality and were rather expensive and were therefore limited to commercial premises. However it is now possible to get reasonably good quality CCTV cameras for less than £20 and as such there has been a steady rise in the number of homeowners installing CCTV cameras to help with home security.

Article 2 of the General Data Protection Regulation (GDPR) sets out the Regulation’s material scope; it includes a carve-out for processing of personal data “by a natural person in the course of a purely personal or household activity.” This replicates the language of the Directive which the GDPR replaces and which was reflected in section 36 of the Data Protection Act 1998 (the “domestic purposes” exemption).

On the face of it a home operated CCTV system seems to fall squarely within the scope of the carve-out for personal and household activities in Article 2 of the GDPR; however, the case law which interpreted the old Directive adds some complexity to matters. The placing of a home CCTV system is of particular importance; in particular, what is caught by the camera. If the camera is placed incorrectly then it can result in individuals falling outside of the carve-out in Article 2 of the GDPR and becoming a controller; with all of the liability and responsibility that this entails.

Domestic CCTV can be particularly useful in situations where there are neighbour disputes or where there is allegations of harassment; however, equally these are situations where a particular risk in terms of data protection law enters into the equation.

The issue of the use of domestic CCTV is something that I am increasingly being asked to advise on by clients; both the owners of the CCTV system and their neighbours. Invariably, there are issues that require to be resolved about the use of the domestic CCTV systems in these circumstances.

The matter has never been tested under the GDPR; however, given that the relevant provisions are substantially the same it seems likely that the cases decided under the older Directive and the now repealed Data Protection Act 1998 remain of relevance and will very likely be followed by the courts. Care should therefore be taken when installing domestic CCTV systems to ensure that you can continue to rely upon the domestic purposes exemption and not accidentally incur liability to third parties. People are becoming increasingly more privacy aware and concerned and as such it is becoming more important for domestic CCTV users to become aware of the limits of the domestic purposes exemption and how to avoid incurring liability under data protection laws.

Alistair Sloan

If you require advice and assistance in respect of the use of CCTV by individuals or business; or any other data protection or privacy law concern; then you can contact our team on 0141 229 0880 or by E-mail to info@inksters.com. You can also follow our dedicated information law twitter account for news and updates on a range of information law matters.

Cart before Horse

E.ON UK Plc v The Information Commissioner and Fish Legal [2019] UKUT 132 (AAC) is an appeal to the Upper Tribunal (Administrative Appeals Chamber) concerning an issue that doesn’t come up very often in information rights litigation: the Information Commissioner’s power to issue an Information Notice under section 51 of the Freedom of Information Act 2000 (“FOIA”).

The background to this appeal is a little convoluted, but of importance to understanding the issues and the decision of the Upper Tribunal. The solicitor of Fish Legal made a request for information to E.ON UK Plc seeking information from it. The information sought was environmental information and so the request fell to be dealt with under the Environmental Information Regulations 2004 (“EIRs”). E.ON UK Plc disputed that it was not a public authority and so did not issue a substantive response to the request. It became clear during the Commissioner’s involvement that the position of E.ON would be that, if it were a public authority, it did not hold the information.

As there was a dispute as to whether E.ON is a public authority, the Commissioner determined that she needed to resolve that issue first. If E.ON is not a public authority, then she had no jurisdiction to determine whether it held the information in question. After some exchange of correspondence between the Commissioner’s case officer and E.ON, an information notice was served on E.ON. The purpose of this Notice, we learn from the decision of the Upper Tribunal, was to assist the Commissioner in determining whether E.ON UK PLC is a public authority for the purposes of the EIRs.

E.ON appealed to the First-Tier Tribunal (Information Rights) against the information notice. It did so on two grounds: firstly, the decision to issue the information notice was unlawful because, as E.ON did not hold the requested information, it was pointless, disproportionate and academic. Secondly, the information requested in the notice was wholly or mainly in the public domain and so it was unlawful to issue an information notice to require E.ON to provide the information.

The First-Tier Tribunal heard argument and issued what it described as a decision on a preliminary issue, inviting written submissions from the parties as to how the remainder of the appeal should progress. E.ON appealed to the Upper Tribunal and its grounds of appeal are set out by the Upper Tribunal in paragraph 4 of its decision.

What is of most interest in this appeal was the position adopted by E.ON as to the Commissioner’s powers to determine whether the information was held or not. E.ON argued that the Commissioner could consider  whether a purported public authority held the information requested, before deciding whether it was reasonable and proportionate to issue an information notice seeking information to assist the Commissioner in deciding whether the purported authority is, in fact, a public authority. E.ON argued, essentially, that where a purported authority did not hold the information it was unlawful, disproportionate and unreasonable for the Commissioner to issue an Information Notice requiring a body to provide her with information to assist her in determining whether the purported authority was, in fact a public authority.

This argument was, ultimately, given short shrift by Upper Tribunal Judge Markus QC. The Upper Tribunal Judge considered that this “position would lead the Commissioner to a dead end” [47] as “[t]here is no statutory provision which could accommodate the outcome for which [Counsel for E.ON] contended, that being a decision by the Commissioner not to address the public authority question because there was no point in doing so.” [47] The outcome of the position advanced by E.ON before the Upper Tribunal would have simultaneously meant that the Commissioner could not have issued a decision notice under section 50 of FOIA that no information was held, because there was no decision that she had jurisdiction; she could not issue a decision on whether she had jurisdiction because it was pointless, and in any event she lacked the information she required to do so and she could not have refused a to make a decision under section 50 because none of the circumstances in section 50(2) of FOIA applied.

Upper Tribunal Markus QC remarks, paragraph 49 of her decision, that what the First-Tier Tribunal decided at paragraph 24 of its own decision was not that it was unable to decide any matter not determined by the Commissioner, but rather that the question whether the information requested by the applicant was held by the authority was irrelevant in an appeal against an information notice which was directed at establishing whether the Commissioner had jurisdiction. The question as to whether the information was held would be decided, if at all, if the Commissioner had jurisdiction to do so.

E.ON also tried to argue that the section 50 application by the applicant should be treated as being frivolous or vexatious by the Commissioner (thus giving her a reason under section 50(2) of FOIA to refuse to issue a decision notice). This, again, was also based upon E.ON’s position that it did not hold the information. E.ON seemed to be suggesting that it was frivolous or vexatious to press for the Commissioner to determine whether she had jurisdiction when the purported authority had demonstrated that it did not hold the information. The Upper Tribunal disagreed stating that “[t]here is nothing in this case which gets close to meeting the high standard set by vexatiousness” [61] (with reference to the principles set out in the Upper Tribunal and Court of Appeal in Dransfield v Information Commissioner and Devon CC).

What appears to have become lost in these appeal proceedings is that this is an appeal against an information notice and not an appeal against a decision notice. The Tribunal was not concerned with the substantive issue (whether or not E.ON had complied with its obligations under the EIRs, if it has any such obligation at all). E.ON, in this appeal, were getting ahead of themselves; or as the Commissioner reportedly put it “they were putting the cart before the horse”. The Commissioner had not made any decision on the issue (that would not stop the Tribunal considering it though if it were an appeal against a decision notice issued under section 50) as she had been unable to determine the preliminary issue of jurisdiction. The purpose of the Information Notice was to enable her to gather sufficient information to determine that issue.

The Commissioner simply does not, and this has been clear for some considerable time, have the power to determine a substantive issue (such as whether information is held) if she does not have jurisdiction. Where there is doubt about her jurisdiction, that matter has to be resolved by the Commissioner first. If the Commissioner is satisfied of her jurisdiction she will go on to consider the substantive issue (and the two matters will be dealt with in one decision notice dealing first with jurisdiction and then the substantive issue); if she determines that she has no jurisdiction she will issue a decision to that effect which can then be appealed in the normal way.

It remains to be seen whether the Commissioner’s Information Notice will survive; the First-Tier Tribunal has yet to consider all of the matters set out in the initial appeal by E.ON. Now that the Upper Tribunal has disposed of this appeal, the First-Tier Tribunal will now need to hear and determine the rest of the appeal.

Alistair Sloan

If you require advice and assistance with a Freedom of Information matter, or any other information law issue, contact our team on 0141 229 0880 or E-mail info@inksters.com.

Post-legislative scrutiny of the Freedom of Information (Scotland) Act 2002

The Public Audit and Post-Legislative Scrutiny Committee of the Scottish Parliament is currently calling for views on the operation of the Freedom of Information (Scotland) Act 2002 (“FOISA”) as part of its post-legislative scrutiny of FOISA. I have submitted a response to the Committee, which addresses five issues in respect of FOISA (and also touches, where applicable, on the Environmental Information (Scotland) Regulations 2004 (“the Scottish EIRs”)). You can read my full submission here [pdf], but below is a summary of what I have discussed in my submission to the Committee.

The first thing that I have suggested is a possible change to the code of practice issued by the Scottish Ministers under section 60 of FOISA to deal with concerns raised about the processing of personal data in connection with FOI requests. I have covered this issue in more detail on this blog before. In my response I have suggested that this issue is probably best addressed through the code of practice rather than through a change to the wording of the Act.

I have also suggested that any concerns around a failure to make or keep records would not be an appropriate issue to address in the context of FOISA; however, it might be worthy of its own legislative project in the event that Parliament considered that this was an issue. This arises out of concerns expressed that FOISA has resulted in records not being made or kept so as to avoid the need to disclose them. I argue that it is inappropriate to bring this into FOISA; as FOISA has a different focus. FOISA is about giving a right of access to information that exists at the time it is requested and not about what information should be kept by Scottish public authorities. Furthermore, to introduce potentially detailed and technical rules around the making and keeping of records into FOISA could over-complicate FOISA.

I have also suggested that section 48 of FOISA be repealed; or, at least, amended. There is no equivalent provision within the UK Act and there doesn’t seem to be any issues under that legislative scheme that would suggest an outright ban on the Scottish Information Commissioner being able to look these requests is appropriate. Furthermore, it has a significant effect on requesters appeal rights and the alternatives available are not a proper substitute for an investigation by the Commissioner. In this context I also raised concerns about whether section 48 is compatible with our EU obligations as it also extends to requests made under the Scottish EIRs.

I have also suggested amending section 56 of FOISA so that appeals against decisions no longer go directly to the Court of Session. For quite a long time I have considered that this appeal route is prohibitive to most requesters and also to Scottish public authorities (especially smaller authorities with less in the way of financial resources). I’ve also suggested that this has affected the development of the law and Scotland lacks the same level of judicial authority in terms of what different parts of FOISA mean that exists under the UK Act. I’ve suggested, at the very least, appeals should be made to the new Upper Tribunal for Scotland in the first instance. I contrasted the Scottish appellate structure with that which applies under the UK Act. I have also suggested that the present appellate structure may mean that the law doe snot comply with EU law in respect of the Scottish EIRs.

Finally, I’ve also suggested that FOISA be updated to take account of advances in technology and in particular to allow the Scottish Information Commissioner to serve formal notices by E-mail rather than requiring them to be served by recorded delivery post (as is currently the case).

Alistair Sloan

If you would like advice or assistance in respect of freedom of information matters or any other information law matter then contact Alistair Sloan on 0141 229 0880 or by E-mail. You can also follow our dedicated information law twitter account.

Privacy v Freedom of Expression in the Court of Appeal

Last year, Mr Justice Arnold gave judgment in the interesting case of Ali & Aslam v Channel 5 Broadcasting. This case concerned the fly-on-the wall programme broadcast on Channel 5 called “Can’t Pay? We’ll take it away”; which follows the work of High Court Enforcement Officers as they enforce court orders relating to debt and housing matters. Mr Justice Arnold found Channel 5 to be liable to the Claimants in the sum of £10,000 each; holding that the Claimant’s rights to privacy outweighed the rights of Channel 5 in respect of freedom of expression and the public interest.

Both parties appealed to the England and Wales Court of Appeal; Channel 5 on the issue of liability and the Claimants on the grounds that the damages awarded were insufficient. In a judgment given on 16th April 2019, the Court of Appeal (Irwin LJ, Newey LJ and Baker LJ) refused both appeals.

The Court of Appeal addressed the issue of liability first, before dealing with the appeal on quantum (the amount of damages awarded). The issue for the Court of Appeal was whether Arnold J had gone beyond what was justified in balancing the Claimants’ rights to privacy against Channel 5’s rights to freedom of expression; and as a consequence had made an error of law. The Court of Appeal held that Arnold J had taken “too narrow a view of what was in the public interest, effectively confining it to the High Court Process.” [74] The Court considered that Arnold J was wrong to conclude “that the publication of each specific piece of information in respect of which the Claimants had a legitimate expectation of privacy had to be justified as a matter of general public interest.” [74]

An interference with privacy which cannot be justified (logically or rationally) by reference to the public interest served by publication cannot be rendered lawful by editorial discretion. However, where there is a rational view by which publication can be justified in the public interest the courts should be slow to interfere, giving full weight to editorial discretion and knowledge.

Despite having some reservations about the treatment of the public interest issues in the judgment from Arnold J (in particular, the narrow approach taken to the public interests issues which arose), the Court refused the cross-appeal by Channel 5. The court had three principal reasons for doing so, set out in paragraphs 92-94 of its judgment. Those can be summarised as follows:

  1. Arnold J was clearly well aware of the relevant legal principles set out in the applicable case law.
  2. The Court of Appeal was satisfied that Arnold J was fully aware of the range of public interest issues raised in the programme; and
  3. The Court of Appeal was satisfied that while another judge might have reasonably found against the Claimants, it was not unreasonable for Arnold J to have found in their favour.

Turning to the appeal on damages, the first ground of appeal advanced essentially amounted to one that the level of damages awarded to each Claimant did not reflect the scale and nature of the publication. The second ground is that the judge was wrong to take into account the publication of the postings by the Ahmeds when setting the awards of damages for the publications by the Defendant. The third ground is that the judge wrongly failed to take into account the impact of the programme on the Claimants’ children.

All three grounds of appeal in respect of quantum were refused by the Court of Appeal. In respect of ground 2, the Court of Appeal noted that “[i]t must be obvious that the distress attributable to the programme was reduced because a number of people within the Claimants’ community or network were already aware of the broad events from the postings”. In respect of ground 3, the Court of Appeal considered that Arnold J had taken into account t he potential impact on the Claimants’ children.

On ground 1, the Court of Appeal distinguished against damages awarded in the case of phone hacking and the present case. They did so on the basis that in t he hacking cases those responsible for the hacking knew full well what they were doing was illegal; however, in the present case Channel 5 had taken steps to ensure that they remained within the law; including obtaining expert legal opinion. Furthermore, in the circumstances it was appropriate for Mr Justice Arnold to make an award of damages in the round.

There is some helpful guidance from the Court of Appeal on the issue of quantum in respect of breaches of privacy in the media sphere. In assessing quantum it is possible to look at issues in the round and reach a global figure of damages, rather than awarding damages identifiable to each issue. Furthermore, damages for cases of this kind cannot be calculated mathematically. Finally, an appellate court should not seek to interfere with an assessment as to quantum unless the damages awarded are so high or so low as to be perverse.

Alistair Sloan

If you would like advice or assistance in connection with a privacy issue, or any other information law matter; contact Alistair Sloan on 0141 229 0880. You can also send him an E-mail.

True Vision Productions & Bounty UK

The Information Commissioner has recently served two Monetary Penalty Notices (“MPNs”) that are worthy of some note. They were both issued for breaches which occurred prior to 25 May 2018 and are therefore both under the Data Protection Act 1998. This means that the maximum penalty in both cases was £500,000, rather than the larger penalties under the General Data Protection Regulation.

The first MPN [pdf] of the two MPNs that will be discussed in this blog was served on True Visions Productions (“TVP”) in connection with filming undertaken in a maternity unit operated by Cambridge University Hospitals NHS Foundation Trust (“CUH”).

Between July 2017 and 29 November 2019 TVP had placed static CCTV-style cameras with audio recording capabilities within three out of the four assessment rooms at the maternity unit. This was to gather footage for possible use in a television documentary on still births. The Commissioner accepted that there was a public interest in documentaries of this nature; however, she found that TVP had breach the first data protection principle in Schedule 1 to the Data Protection Act 1998.

TVP had not done enough to ensure that they had the explicate consent of those being filmed and there appeared to be no way for CUH staff to turn the cameras off. Therefore, if anyone did not wish to be filmed they would need to be seen in the one room without cameras; if that room was unavailable then the patient would have no choice but to be filmed. The fact that no human had access to the footage without first having the consent of the patient was insufficient: the recording and temporary storage of the footage was processing of personal data and would have required the Schedule 3 condition of explicate consent. Very little was done to bring the filming to the attention of patients; CUH staff were only required to answer questions if asked and there were notices placed in the premises along with information on tables; however, these were inadequate. TVP was served with a MPN in the amount of £120,000.

The second MPN of note is one served on Bounty (UK) Ltd in the amount of £400,000 [pdf]. Bounty UK gives itself the description of being a pregnancy and parenting support club. It provides information and markets services (including offers) to parents at different stages from pre-conception to pre-school. As part of this it distributes packs to new parents. The company also operates as a data brokering service and had previously also supplied data to third parties for the purpose of direct marketing by electronic means (although this apparently ended on 30 April 2018). Bounty collected personal data for the purpose of registering new members and did so in a number of ways, including directly from new mothers at their hospital bedsides.

Bounty had shared personal data with a range of organisations including a credit reference agency, a marketing and profiling agency and a telecommunications company; all for the purposes of direct marketing by electronic means. This related to about 14,300,000 unique individuals. Each record could be shared on multiple occasions. This was, apparently, all done on the basis that Bounty had obtained consent from the data subjects concerned.

The Commissioner found that Bounty had failed to comply with the fairness requirement within the first data protection principle in Schedule 1 to the Data Protection Act 1998. Bounty had not been transparent enough in providing information about the purposes for which personal data would be used. Bounty failed to process personal data fairly because they did not adhere to individual’s reasonable expectations of how their personal data would be used.

The consent apparently obtained by Bounty did not meet the requirements of the Data Protection Act 1998; it was neither specific nor informed.

Of course, both Bounty (UK) Limited and TVP have a right of appeal against the MPNs issued to them (both in terms of the decision to impose a penalty and the amount of that penalty). It remains to be seen whether either will seek to appeal to the First-Tier Tribunal.

Alistair Sloan

We are able to assist with a wide range of privacy and data protection matters. If you would like advice or assistance on these issues, or any other information law matter, contact Alistair Sloan on 0141 229 0880 or by E-mail. You can also follow our dedicated information law twitter account

Call for Views: Post-legislative scrutiny of the Freedom of Information (Scotland) Act 2002

In January it was announced that the Scottish Parliament’s Public Audit and Post-Legislative Scrutiny Committee would undertake formal post-legislative scrutiny of the Freedom of Information (Scotland) Act 2002. The Committee is now seeking views on the Freedom of Information (Scotland) Act 2002 and is inviting submissions to reach it by 5pm on Friday 10th May 2019. The call for views asks the following five questions:

  1. In your view, what effects has the Freedom of Information (Scotland) Act 2002 (FOISA) had, both positive and negative?
  2. Have the policy intentions of FOISA been met and are they being delivered? If not, please give reasons for your response.
  3. Are there any issues in relation to the implementation of and practice in relation to FOISA? If so, how should they be addressed?
  4. Could the legislation be strengthened or otherwise improved in any way? Please specify why and in what way.
  5. Are there any other issues you would like to raise in connection with the operation of FOISA?

It is not necessary to answer all five questions and the Committee is also inviting other information relevant to the remit.

Once the Committee has received the written evidence, it will consider it all and will thereafter decide who it wishes to take oral evidence from. It is expected that the oral evidence sessions will take place towards the end of the year.

Alistair Sloan

We are able to provide advice and assistance in connection with a range of Freedom of Information matters, including appeals against decisions of both the Scottish and UK Information Commissioners.  If you would like to do discuss a Freedom of Information, or any other Information Law, matter with us then you can contact Alistair Sloan on 0141 229 0880.  Alternatively, you can send him an E-mail.

Personal data and FOI: the conflict continues

The interaction between freedom of information and data protection laws is one which often results in conflict. On the one hand there is a legislative scheme that operates to promote transparency, while on the other there is a legislative scheme that operates to protect personal data. FOI law essentially provides that information should be released unless there is a good reason not to; while data protection law says that personal data should not be processed unless there is a good reason to. Both have their complexities and those brief explanations do not adequately encapsulate them.

The decision of the Upper Tribunal in Information Commissioner v Halpin [2019] UKUT 29 (AAC) is an example of where the First-Tier Tribunal got it badly wrong when dealing with the legitimate interests ground for processing under the Data Protection Act 1998. The Respondent in this appeal, Mr. Halpin, had requested information from Devon Partnership NHS Trust concerning the training that two named social workers had undergone in respect of the Care Act 2014. When deciding whether to release personal data under FOI law there is essentially a three staged test which must be satisfied before the personal data can be disclosed; this test was set out clearly by the Supreme Court in South Lanarkshire Council v Scottish Information Commissioner.

Firstly, is a legitimate interest or interests being pursued by the controller, third party or parties to whim the personal data is to be disclosed? Secondly, if a legitimate interest has been identified, is the processing (by way of disclosure under FOI law) necessary for the purposes of those interests? Finally, if there is a legitimate interest and the processing is necessary for that legitimate interest, then the processing cannot be unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

The first ground of appeal for which permission was granted was in respect of the FTT’s treatment of the effect of disclosure of the information to the world at large; in particular that the FTT had not deal with this matter in substance. This is an issue that needs to be carefully considered: disclosure under FOI is not simply a disclosure to the individual requester; it is a disclosure to the whole world. This is an important factor in determining the necessity of the processing in pursuance of the legitimate interest concerned. It is also important in considering whether the processing (by releasing the information under FOI) is unwarranted.

Once the information is disclosed under FOI law it is disclosed in circumstances where the public authority loses control of the information concerned; there is no duty of confidentiality owed. Therefore, there is nothing that can be done in order to prevent further dissemination of the information.

Upper Tribunal Judge Markus QC states, at paragraph 20, that Mr Halpin’s lack of motivation to publicise the information is irrelevant to the question of assessing the potential impact of disclosure to the world at large. The motivation of the requester is only relevant to the first of the three stages of the test set out in South Lanarkshire Council v Scottish Information Commissioner (whether a legitimate interest exist); it is not relevant to the question of necessity or the final question of balancing the legitimate interests against the rights, freedoms and legitimate interests of the data subject.

Public authorities, and those advising them, should therefore ensure that, when considering the release of personal data in response to a FOI request, they do not become focused on the individual requester; it is essential to consider the wider world when undertaking this assessment. The motivations of the requester might well be wholly benign, but there are others whose motivation may not be so benign and will utilise the information for other purposes. Requesters should also bear this in mind; an individual requester might have a perfectly legitimate interest in the personal data and the necessity test might very well be met in their individual case; that is not enough. Due consideration has to be given to the wider impact of releasing information to the world; this is why consideration has to be given to whether the personal data can be obtained in another way as part of the necessity test (although, the existence of other means of obtaining personal data, other than by way of a FOI request, will not necessarily be determinative of the issue).

Alistair Sloan

We are able to provide advice and assistance to public authorities and requesters in connection with matters concerning Freedom of Information laws; if you would like advice and assistance in connection with these matters, or any other information law matter, please contact Alistair Sloan on 0141 299 0880 or by E-mail. You can also follow our dedicated Information Law Twitter account.

Information Notices: UKIP v Information Commissioner (Part 2)

Last year I blogged on UKIP’s appeal to the First-Tier Tribunal (Information Rights) (“FTT”) against an Information Notice issued by the Commissioner; the FTT dismissed UKIP’s appeal. UKIP sought (and was granted) permission to appeal to the Upper Tribunal. The Upper Tribunal has now issued its decision. The decision has not yet been published by HMCTS; however, the wonderful people at 11KBW have published it [pdf] on their Panopticon blog (you can read Robin Hopkin’s post on their blog here). If you can’t be bothered reading to the end; the spoiler is that UKIP’s appeal was also dismissed by the Upper Tribunal.

By the time that UKIP’s appeal came before the Upper Tribunal, there were four “heads of appeal”: (1) The FTT had erred in law in terms of its approach to the exercise of the Commissioner’s discretion in issuing the notice; (2) the FTT had erred in law in terms of the scope of the notice; (3) the FTT had erred in law in terms of the timeframe for the notice; and (4) the FTT had erred in law in terms of irrationality.

The first head of appeal related to whether or not the FTT was correct, in law, to conclude that the scope of the information notice was clear. Upper Tribunal Judge Wikeley, at paragraph 24, concluded that taking the first five paragraphs of the information notice together, they were sufficient to comply with the requirements in section 43(2)(b) of the Data Protection Act 1998 (“DPA98”). Judge Wikeley did concede that the FTT did not provide as full reasons as he had, but they were clear enough that the FTT was satisfied that the notice complied with the requirement in section 43(2)(b) of the DPA98. The Judge, again said (having said it previously in another case), that the FTT does not need to set out in detail “every twist and turn of its assessment of the evidence and its consequential reasoning.” It is enough that the decision shows that the FTT has applied the correct legal test and has explained its decision in “broad terms”.

The second head of appeal related to the period for which the Commissioner wanted information from UKIP. The notice made reference to the 2015 General Election, but then asked questions about the 2016 referendum of the UK’s membership of the European Union. The judge accepted “that some of the drafting of the information notice is not ideal.” The notice had used both the former and present tense; sometimes together as alternatives. The Upper Tribunal concluded that “on a fair and objective reading of the notice as a whole, the information sought was plainly not confined to the 2015 General Election; rather it related to the ongoing processing of personal data” and also noted that the notice “should not be read as if it were a criminal indictment.” [para 27].

The third head of appeal related to the Commissioner’s exercise of discretion. UKIP argued that the Commissioner should have used the ‘least restrictive’ means of obtaining the information that she wanted; in other words she could have and therefore should have simply written a further letter to UKIP. This submission was based on principles which were developed in the context of the legitimate interests ground of processing personal data in the DPA98; it was “inappropriate” to try and “read across” [para 29]. Further, UKIP argued that it did not have the resources to provide a satisfactory response to the Commissioner’s initial letter: this was given short shrift by the judge.

The final head of appeal was that the Tribunal’s final decision was irrational in legal terms. The FTT had started out by giving a provisional view that the notice lacked clarity in its scope, but ended up concluding that it was, in fact, clear. Again, the judge accepted that the FTT’s reasoning was “sparse”, but nonetheless concluded that it was “sufficient.” [para 34]

Therefore, UKIP’s appeal was dismissed and the information notice, once again, stands. It will need to be complied with, subject to any further appeal, within 30 days of the Upper Tribunal’s decision being sent to the parties.

One final point is worth noting; the Upper Tribunal comments that, like a decision notice issued pursuant to section 50 of the Freedom of Information Act 2000, the Commissioner cannot vary an information notice once it has been issued: the commissioner can, unlike a decision notice, cancel the notice and re-issue a fresh notice. That is a consequence of the statutory framework: the statute gives the Commissioner the power to cancel a notice and makes no mention of varying (however, the statute does make mention of the Commissioner being able to vary other notices). In the circumstances an information notice cannot be varied once it is issued; if there is a problem with it then the notice must be cancelled by the Commissioner and a fresh notice issued. The same, in my view, would hold true for information notice issued under the Data Protection Act 2018. The statute provides that the Commissioner can cancel a notice, but makes no mention of varying the notice (whereas, she can vary, for example, an enforcement notice – the statute expressly provides for that in section 153).

From this decision we can take the following:-

  1. An information notice does not need to give a detailed statement as to why the Commissioner requires the information requested in the notice.
  2. The commissioner’s drafting of information notices gets a pass, but could be better.
  3. The commissioner doesn’t need to utilise less intrusive methods of obtaining information instead of exercising her discretion to issue an information notice.
  4. A controller’s lack of resources is not a reason why the Commissioner should not issue an information notice (indeed, it may even be a reason in favour of exercising discretion to issue an information notice).
  5. The FTT is not bound by a preliminary view it expresses and can change its mind.
  6. The Commissioner cannot vary an information notice should there be a problem with it: only cancel it and issue a fresh notice.

Alistair Sloan

If you require advice or assistance in respect of a privacy/data protection, or any other information law, matter then contact Alistair Sloan on 0141 229 0880 or you can send him an E-mail. You can also follow our dedicated information law twitter account.

Data Protection and Brexit: Changes to UK law (Part 1)

This is the first in a series of blog posts that I intend on doing over the next period which look at some of the changes to the GDPR and the Data Protection Act 2018 that will be brought about by the withdrawal of the United Kingdom from the European Union. In my 2018 information law review, published in January, I noted that the UK Government had published The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (Draft). These regulations, made pursuant to the powers conferred upon the Government in terms of the European Union (Withdrawal) Act 2018, make significant changes to the GDPR and the Data Protection Act 2018 in order to ensure that they both still work and make sense once the UK has withdrawn from the European Union. They will not enter into force until “exit day”.

Representatives
Currently any controller or processor (excluding those who fall within limited exceptions) established outside of the EU require to appoint a representative within the EU as a point of contact for data subjects and the supervisory authorities. The draft 2019 Regulations will amend this requirement so that any controller or processor not established in the United Kingdom will be required to appoint such a representative within the United Kingdom. This will apply to controllers and processors based in EU and EEA states after “exit day”. Therefore it is important that EU and EEA businesses who are not established with the UK, but collect personal data of data subjects in the UK, turn their minds to appointing such a representative within the UK in time for exit day.

Equally, it should be noted that UK businesses currently do not need to appoint such representatives within the EU/EEA because the UK is an EU member. When the UK leaves the European Union it will be necessary for UK businesses to comply with Article 27 of the EU GDPR; therefore, a representative within one of the 27 EU member states will need to be appointed.

Adequacy decisions
Under the GDPR the European Commission has the power to make adequacy decisions. These are decisions which allow the flow of personal data to a territory (or a part of a territory or sector within a territory) outside of the EU. The draft 2019 Regulations will insert new provisions (sections 17A and 17B) into the Data Protection Act 2018 establishing a very similar regime which will allow the Secretary of State to make “adequacy regulations” these will function in much a similar way. It is probably quite likely that one of the first adequacy regulations to be made will specify that the EU and EEA states have an adequate level of personal data protection.

The UK, upon exit day, will fall outside of the European Commission agreements and adequacy decisions (such as the EU-US “safe harbour” agreement). Similar agreements will need to be agreed with the UK. Controllers who currently rely on adequacy decisions of the Commission will need to think about how they will comply with UK data protection law in respect of international transfers of personal data, post-brexit.

Standard data protection clauses
Under the GDPR the European Commission has the power to adopt standard data protection clauses which, if used, will give an adequate level of protection for personal data when that personal data is transferred to a non-EU member state.

The draft 2019 Regulations will insert a section 17C into the Data Protection Act 2018, which will give the Secretary of State the power to make regulations specifying “standard data protection clauses which the Secretary of State considers provide appropriate safeguards for the purposes of transfers of personal data to a third country or an international organisation in reliance on Article 46 of the UK GDPR.”  In essence, the power of the Commission will transfer to the Secretary of State on exit day.

Administrative Fines
The power of the Information Commissioner to issue administrative fines (or, in the language of the Data Protection Act 2018, ‘Penalty Notices’) will continue to exist when the UK leaves the European Union. The maximum amounts of those penalties are currently expressed in Euros (although the Data Protection Act 2018 requires the Information Commissioner to issue the penalties in pounds sterling). The draft 2019 Regulations will amend the maximum amounts to convert them into pounds sterling as opposed to Euros. The €10,000,000 figure will change to £8,700,000; while the €20,000,000 figure will become £17,500,000. These figures are roughly what the euro figures convert to using the current exchange rates.

These are just some of the many changes that will be made by the draft 2019 Regulations. I hope to be able to do some more blog posts looking at some of the other changes contained within the draft 2019 regulations as we approach the 29th March 2019 (the date on which the UK is scheduled to leave the European Union).

Alistair Sloan

If you require advice or assistance in respect of a privacy/data protection, or any other information law, matter then contact Alistair Sloan on 0141 229 0880 or you can send him an E-mail. You can also follow our dedicated information law twitter account.

FOI in Scotland: Registered Social Landlords

Last week the Scottish Ministers laid The Freedom of Information (Scotland) Act 2002 (Designation of Persons as Scottish Public Authorities) Order 2019 (Draft) before the Scottish Parliament for the approval of the Parliament, as they are required to do in terms of the Freedom of Information (Scotland) Act 2002 (“FOISA”). This order is a long anticipated order to bring Registered Social Landlords (“RSLs”) within the scope of FOISA by designating them as Scottish public authorities. If approved (and there is nothing to suggest that the Order will not be approved by the Scottish Parliament), it will mean that RSLs (and their subsidiaries) will be designated as Scottish public authorities from 11 November 2019. Some had been hoping that they would have been designated from April this year, while others had been hoping that it would be April 2020. The Scottish Ministers appear to have split the difference and given RSLs a period of around 9 months to prepare for becoming Scottish public authorities.

RSLs have been, following a number of decisions of the Scottish Information Commissioner (which have never been appealed to the Court of Session), Scottish public authorities for the purposes of the Environmental Information (Scotland) Regulations 2004 for a number of years. There is, however, some debate about whether they remain so, following some changes to the regulatory landscape pertaining to RSLs. It has not yet, to my knowledge, been tested whether they still are Scottish public authorities for the purposes of the Environmental Information (Scotland) Regulations 2004. Whether the changes to the regulatory landscape of RSLs has had the effect of them no longer being Scottish public authorities, for the purposes of the Environmental Information (Scotland) Regulations 2004, is somewhat immaterial; designation as a Scottish public authority for the purposes of FOISA also means that they will be Scottish public authorities for the purposes of the Environmental Information (Scotland) Regulations 2004.

It should be noted that the draft order has been drafted in such a way so as to make RSLs Scottish public authorities for limited purposes only. They will be Scottish public authorities in respect of the following functions:

  1. providing housing accommodation and related services and includes anything done, or required to be done, in relation to:- (a) the prevention and alleviation of homelessness; (b) the management of housing accommodation (limited to the management of housing accommodation for which a registered social landlord has, under the Housing (Scotland) Act 2001, granted a Scottish secure tenancy as defined in section 11 or a short Scottish secure tenancy as defined in section 34 of that Act); (c) the provision and management of sites for gypsies and travellers, whatever their race or origin; and
  2. the supply of information to the Scottish Housing Regulator by a registered social landlord or a connected body in relation to its financial well-being and standards of governance.

A register of social landlords can be found on the website for the Scottish Housing Regulator.

Alistair Sloan

We are able to provide advice and assistance to public authorities and requesters in connection with matters concerning Freedom of Information laws; if you would like advice and assistance in connection with these matters, or any other information law matter, please contact Alistair Sloan on 0141 299 0880 or by E-mail. You can also follow our dedicated Information Law Twitter account.