Tag Archives: Court Decisions (FOI)

Information Law Review of 2019

Well, it is that time again; the beginning of a New Year and therefore time for my third annual look at what happened in the world of information law in the previous twelve months and what those with an interest in the field should be looking out for in 2020. I would like to begin by wishing all readers of the Information Law Blog, both new and old, a very happy New Year.

My reviews of 2017 and 2018 began by looking at the case of Various Claimants v WM Morrisons Supermarkets Limited. I shall keep the tradition going by looking once again at this case. In 2018, the Court of Appeal dismissed the appeal by Morrisons against the decision of Mr Justice Langstaff holding them vicariously liable for the actions of an ex-employee. This case rumbled on again in 2019, with the Supreme Court hearing an appeal by Morrisons on 6th and 7th November. By the end of 2019, the Supreme Court had not yet issued its judgment and so that will be something to look out for in 2020; the Supreme Court’s judgment (although concerned with the Data Protection Act 1998, rather than the GDPR and Data Protection Act 2018) will have ramifications for data subjects and controllers, regardless of which way it goes.

Brexit continued to be a feature of 2019 in the Information law world. We have seen the changes that will take effect in data protection law as a result of the UK’s withdrawal from the European Union, which is now scheduled to take place at the end of this month. Brexit, however, will not stop being a feature of information law at 23:00 on 31st January (assuming there are no further delays). We will be in a transition period until the end of the year, but we don’t yet know exactly what we’re transitioning to which might start to become clearer by the Summer.

Brexit also featured in the information law world in other respects as well. There are still some data protection and privacy concerns floating around from the 2016 referendum on the UK’s membership of the EU. Indirectly related to that have been proceedings in the Upper Tribunal involving UKIP and in also in the First-Tier Tribunal. If reports are anything to go by, proceedings in the First-Tier Tribunal at the end of 2019 could result in an extremely critical decision against the Commissioner, so that is something to look out for in 2020.

We also saw the first GDPR administrative fine issued in the UK by the Information Commissioner (some 19 or so months after the GDPR became applicable and quite a bit behind other regulators in other EU Member States). The Commissioner has issued two Notices of Intent against two other Controllers (that we’re aware of) both of which were due to expire this month, but it has been confirmed by the Information Commissioner that the statutory six month period has been extended by agreement (in accordance with the statutory provisions). The reasons for this have not been made public at this time.

Just before Christmas the Advocate General of the European Court of Justice gave his opinion in Data Protection Commissioner v Facebook Ireland & Schrems concerning standard contractual clauses. We can expect a decision from the European Court of Justice to follow soon, whether that is before or after “exit day” at the end of January remains to be seen.

In the wider field of privacy law, the Court of Appeal took a look at the judgment of Mr Justice Arnold in the case involving Channel 5’s fly-on-the-wall documentary ‘Can’t Pay? We’ll Take it Away’. The Court of Appeal dismissed the appeals by the Respondents in respect of liability and the cross-appeal by the Claimants on the issue of quantum of damages. Meanwhile, in Scotland, Lord Bannatyne (for the first time) declared that there exists in the law of Scotland a common law right to privacy.

In May, Information Notices were again a feature of the decisions flowing from the First-Tier Tribunal; this time, however, it was concerning the Commissioner’s powers under the Freedom of Information Act 2000. The Tribunal confirmed that the Commissioner can issue an information notice in order to obtain information as part of her process for determining whether a person is a public authority for the purposes of the Environmental Information Regulations 2004.

In 2019, the Scottish Parliament’s Public Audit and Post-Legislative Scrutiny Committee began undertaking Post-Legislative Scrutiny of the Freedom of Information (Scotland) Act 2002. In 2019, I gave both written and oral [pdf] evidence to the Committee. The Committee is expected to release its report and recommendations next month.

In 2019, we saw the expansion of FOI in Scotland with Registered Social Landlords formally being designated as Scottish public authorities for the purposes of the Freedom of Information (Scotland) Act 2002.

We also had one of those rare things: a decision from the Court of Session in an appeal against a decision of the Scottish Information Commissioner. In the sole decision in such an appeal issued by the Court of Session in 2019, my client successfully challenged (on a point of law) a finding by the Commissioner that information he had requested was not held by a local council for the purpose of the Freedom of Information (Scotland) Act 2002. This case provides some useful guidance on determining whether information is held, or not, for the purposes of the Freedom of Information (Scotland) Act 2002.

Alistair Sloan

If you would like advice or assistance with Privacy and Data Protection matters or with UK and Scottish Freedom of Information requests contact our team on 0141 229 0880.

We don’t hold it…oh yes you do!

Dr Ian Graham v The Scottish Information Commissioner [2019] CSIH 57 is a rare decision of the Court of Session in an appeal against a decision of the Scottish Information Commissioner, the last one coming almost 12 months ago. The case was considered by the Second Division (with the bench comprising of the Lord Justice Clerk, Lord Malcolm and Lord Glennie) with Lord Glennie delivering the Opinion of the Court.

Before a Scottish public authority is required to release information, it actually has to hold it and information will not be held, according to the law, if it is held by the Scottish public authority on behalf of a third party. The question that was considered in the appeal by Dr Graham was on this fundamental point: whether the Scottish public authority held the information or not; and in particular whether information was held by a Council on behalf of a third party (in this case, the Returning Officer).

In January 2018, Dr Graham requested the following information from Aberdeenshire Council: (1) a list of the contracts called off by the council from the framework agreement, (2) invoice and order copies for each contract, (3) payment confirmation from the council of the invoices and (4) whether the council reclaimed the input VAT on the invoice. The framework agreement in question was for the provision of electoral services to the returning officer. In terms of the contract (and of importance for this appeal), the Council assumed obligations and liabilities under the contract and also had responsibilities and liabilities in respect of the procurement process.

Whilst the Council ultimately released information in relation to parts (3) and (4) of his request, initially the Council also claimed that it did not hold this information for the purposes of the Freedom of Information (Scotland) Act 2002 (“FIOSA”). The Council’s argument was that because a returning officer, although an official from within the council, was legally a separate entity from the rest of the council when acting in their capacity as returning officer, they only held the information on behalf of the returning officer and not in their own right. Dr Graham was dissatisfied with this and applied to the Scottish Information Commissioner for a decision on whether the Council had complied with its disclosure obligations under FOISA. The Commissioner upheld the Council’s decision, determining that the Council did not hold the information for the purposes of FOISA, but rather held it on behalf of the returning officer.

Counsel for the Appellant argued that the word ‘held’ was being submitted to too much scrutiny, as well as drawing attention to the spirit in which the FOISA had been made; that being to make information available to the public. Counsel contended that a liberal approach should be taken to the interpretation of this provision. Reference was made by the Appellant’s Counsel to University and Colleges Admission Service v Information Commissioner [2014] UKUT 0557 (AAC) and Common Services Agency v Scottish Information Commissioner 2008 SC (HL) 184. Counsel for the Appellant further drew upon University of Newcastle v Information Commissioner [2011] UKUT 185 (AAC) to demonstrate how a more common-sense approach was preferable. The broader interpretation of ‘held’ was further supported  by the decision of the Upper Tribunal in Department of Health v Information Commissioner where it was held that a ministerial diary was ‘held’ by a department purely as a historical record for reference purposes. With reference to the current case, he ultimately claimed that the differentiation between the council holding the information for itself or on behalf of the returning officer was immaterial and indeed that both conditions could be fulfilled simultaneously in the present circumstances; with the fine-tooth investigation of the council election laws amounting to little more than prevaricating.

The Court allowed Dr Graham’s appeal, emphasising that “that the relevant provisions of FOISA should, so far as possible, be interpreted in a manner consistent with the policy of the Act, namely the desirability of making information available to the public, all in the interests of promoting open, transparent and accountable government.” [15] The court also held “that the words and expressions used in the Act should, so far as possible, be given their ordinary and natural meaning” and that “[t]here should be no scope for the introduction of technicalities, unnecessary legal concepts calculated to over-complicate matters and, by so doing, to restrict the disclosure of relevant information.” [15].

The Court approved of and agreed with the reasoning given by the Upper Tribunal at paragraphs 21-22 of its decision in University of Newcastle. In essence, a Scottish public authority will hold information if it has more than a de minimis interest in the information. That is to say, it will only fall outside of the scope of FOISA if it has “no (or no material) interest of its own” in the information. [18] As a result of the Court’s decision, it reduced the Commissioner’s decision and remitted the matter back to him so that he could reconsider Dr. Graham’s application in light of its opinion.

The effect of this decision should be to widen the scope of information that is available to the public under FOISA. Scottish public authorities and the Commissioner will be required to take a more holistic approach in future to deciding whether information is only held by the Scottish public authority on behalf of a third party. A more practical approach requires to be taken than simply looking at whether the Scottish public authority and the third party are separate entities from one another; consideration must be given to the underlying factual matrix. The opinion of the Court also re-iterates previous comments by the courts that the Act should be interpreted in a way that isn’t too complex or technical.

Our Alistair Sloan acted for the successful appellant in this case, instructing John MacGregor, Advocate.

Danny Cummins (Trainee Solicitor)

If you would like advice or assistance in respect of a Freedom of Information matter or a data protection/privacy issue then contact us on 0141 229 0880 or you can send us an E-mail.

Personal data and FOI: the conflict continues

The interaction between freedom of information and data protection laws is one which often results in conflict. On the one hand there is a legislative scheme that operates to promote transparency, while on the other there is a legislative scheme that operates to protect personal data. FOI law essentially provides that information should be released unless there is a good reason not to; while data protection law says that personal data should not be processed unless there is a good reason to. Both have their complexities and those brief explanations do not adequately encapsulate them.

The decision of the Upper Tribunal in Information Commissioner v Halpin [2019] UKUT 29 (AAC) is an example of where the First-Tier Tribunal got it badly wrong when dealing with the legitimate interests ground for processing under the Data Protection Act 1998. The Respondent in this appeal, Mr. Halpin, had requested information from Devon Partnership NHS Trust concerning the training that two named social workers had undergone in respect of the Care Act 2014. When deciding whether to release personal data under FOI law there is essentially a three staged test which must be satisfied before the personal data can be disclosed; this test was set out clearly by the Supreme Court in South Lanarkshire Council v Scottish Information Commissioner.

Firstly, is a legitimate interest or interests being pursued by the controller, third party or parties to whim the personal data is to be disclosed? Secondly, if a legitimate interest has been identified, is the processing (by way of disclosure under FOI law) necessary for the purposes of those interests? Finally, if there is a legitimate interest and the processing is necessary for that legitimate interest, then the processing cannot be unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

The first ground of appeal for which permission was granted was in respect of the FTT’s treatment of the effect of disclosure of the information to the world at large; in particular that the FTT had not deal with this matter in substance. This is an issue that needs to be carefully considered: disclosure under FOI is not simply a disclosure to the individual requester; it is a disclosure to the whole world. This is an important factor in determining the necessity of the processing in pursuance of the legitimate interest concerned. It is also important in considering whether the processing (by releasing the information under FOI) is unwarranted.

Once the information is disclosed under FOI law it is disclosed in circumstances where the public authority loses control of the information concerned; there is no duty of confidentiality owed. Therefore, there is nothing that can be done in order to prevent further dissemination of the information.

Upper Tribunal Judge Markus QC states, at paragraph 20, that Mr Halpin’s lack of motivation to publicise the information is irrelevant to the question of assessing the potential impact of disclosure to the world at large. The motivation of the requester is only relevant to the first of the three stages of the test set out in South Lanarkshire Council v Scottish Information Commissioner (whether a legitimate interest exist); it is not relevant to the question of necessity or the final question of balancing the legitimate interests against the rights, freedoms and legitimate interests of the data subject.

Public authorities, and those advising them, should therefore ensure that, when considering the release of personal data in response to a FOI request, they do not become focused on the individual requester; it is essential to consider the wider world when undertaking this assessment. The motivations of the requester might well be wholly benign, but there are others whose motivation may not be so benign and will utilise the information for other purposes. Requesters should also bear this in mind; an individual requester might have a perfectly legitimate interest in the personal data and the necessity test might very well be met in their individual case; that is not enough. Due consideration has to be given to the wider impact of releasing information to the world; this is why consideration has to be given to whether the personal data can be obtained in another way as part of the necessity test (although, the existence of other means of obtaining personal data, other than by way of a FOI request, will not necessarily be determinative of the issue).

Alistair Sloan

We are able to provide advice and assistance to public authorities and requesters in connection with matters concerning Freedom of Information laws; if you would like advice and assistance in connection with these matters, or any other information law matter, please contact Alistair Sloan on 0141 299 0880 or by E-mail. You can also follow our dedicated Information Law Twitter account.

Information Law Review of 2018

It does not seem as though it was a year ago since I sat down to write my review of Information Law in 2017 and to have a brief look ahead into 2018; but somehow we now appear to be in 2019. It was always going to be the case that 2018 was going to be a big year for information law; with the General Data Protection Regulation becoming applicable on 25th May 2018. The 25th May 2018 came and went without the millennium bug style apocalypse that seemed inevitable from the amount of sensationalist writing that was taking place in late 2017 and early 2018.

My review of 2017 started off with the English and Welsh High Court decision on vicarious liability for data protection breaches in Various Claimants v WM Morrisons Supermarket PLC  [2017] EWHC 3113 (QB)This case rumbled on in 2018 and it was considered by the Court of Appeal. The Court of Appeal heard the appeal and (in remarkably quick time) dismissed the appeal. It is understood that Morrisons have sought permission to appeal to the Supreme Court and if permission is granted it is possible that it will feature in a review of Information law in 2019.

In February, the English and Welsh High Court issued an interesting privacy judgment when it considered an action for compensation arising out of “Can’t Pay? We’ll Take it Away’; a fly-on-the wall documentary following High Court Enforcement Officers in their work enforcing court orders relating to debt and housing cases. The Court had the tricky job of balancing the privacy rights of individuals against the rights of television companies in respect of freedom of expression; however, the High Court decided that the balance in this particular case fell in favour of the claimant’s privacy rights. The High Court’s decision was appealed to the Court of Appeal; looking specifically at the issue of quantifying the level of damages. That appeal was heard by the Court of Appeal in early December and should provide useful guidance on calculating damages in the privacy sphere.

Facebook, Cambridge Analytical and Aggregate AIQ all featured quite heavily in 2018 in terms of privacy and data protection matters. Facebook was served with a monetary penalty in the amount of £500,000 for breaches of the Data Protection Act 1998 and Aggregate AIQ was also the recipient of the first Enforcement Notice under the Data Protection Act 2018 (which was narrowed in scope by the Information Commissioner following an appeal by AIQ; which was subsequently dropped). Facebook lodged an appeal against the Monetary Penalty Notice with the First-Tier Tribunal (Information Rights) in November 2018. If and when a decision is reached by the Tribunal in respect of that appeal, it will feature on this blog.

Arising out of the same wide-ranging investigation by the ICO as the Facebook penalty and the AIQ Enforcement Notice was an Information Notice served on the United Kingdom Independence Party (UKIP), which was appealed to the First-Tier Tribunal (Information Rights). The Tribunal dismissed the appeal by UKIP in July.

In April there was yet another important decision from the English and Welsh High Court in respect of Privacy and Data Protection. A little over four years after the European Court of Justice decision on the Right to Be Forgotten in Google Spain, Mr Justice Warby handed down his judgment in NT1 & NT2 v Google; this represented the first decision of a UK Court in respect of the Right to Be Forgotten. An appeal was lodged in respect of this case and was due to be heard just before Christmas; however, it was reported that the case was settled on the day of the appeal.

The issue of compensation to identifiable third parties in the context of data protection breaches was considered by the English and Welsh Court of Appeal. This case adds to the helpful privacy and data protection case law emanating from the English and Welsh courts.

Another interesting development that we saw during the course of 2018 was a director being disqualified indirectly in connection with privacy and data protection matters. It does show that directors can be held personally liable for privacy and data protection transgressions of limited companies. This was underlined by the amendments to the Privacy and Electronic Communications (EC Directive) Regulations 2003 which now enable the Commissioner to serve a monetary penalty on directors (and others associated with companies) in certain circumstances.

In Scotland, the Court of Session made new rules which should make appealing decisions of the Scottish Information Commissioner in respect of requests for environmental information more financially viable.

Litigation in respect information law matters in Scotland remains limited. The majority of litigation on these areas arises out of England and Wales. Perhaps in 2019, we will begin to see more litigation in Scotland on information law matters. Hopefully the new rules in the Court of Session will see more appeals in respect of the Environmental Information (Scotland) Regulations 2004 and hopefully the introduction of Group proceedings in the Court of Session through the Civil Litigation (Expenses and Group Proceedings) (Scotland) Act 2018 will help with an increase in data protection and privacy litigation in Scotland.

In terms of 2018 Scottish cases, not long before Christmas the Court of Session treated us to a judgment in an appeal concerning vexatious requests under the Freedom of Information Scotland Act 2002. Beggs v Scottish Information Commissioner considered the correct approach to be taken when applying section 14(1) of the Freedom of Information (Scotland) Act 2002.

Looking ahead to 2019; the big issue on the horizon is Brexit. Much of what is discussed on this blog as “information law” derives from European law and so Brexit will likely have an impact upon that. We are still unsure as to the terms that we will be leaving on. A withdrawal Agreement has been negotiated between the European Union and the United Kingdom; however, there is  still a way to go with that – and it looks quite likely that the UK Parliament will rejected the Withdrawal Agreement in its current form. If we end up leaving with no Withdrawal Agreement in place then this will cause considerable difficulties for UK business which rely upon the transfer of personal data from elsewhere within the European Union; it will also cause problems for public bodies.

In terms of making the law work after Brexit, we were treated by the Government (in between Christmas and New Year) to a draft of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. These Regulations will make changes to the GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 in light of the United Kingdom no longer being a member of the European Union. I will, of course, look at these draft Regulations in more detail soon.

I will attempt to address information law matters as they unfold in 2019 on the Information Law Blog from Inksters Solicitors.

Alistair Sloan

If you would like advice or assistance with Privacy and Data Protection matters or with UK and Scottish Freedom of Information requests contact Alistair Sloan on 0141 229 0880 or you can E-mail him.


Scottish Vexatiousness

Paragraph numbers in this blog post relate to the Court of Session’s decision in Beggs v Scottish Information Commissioner [2018] CSIH 80; unless the context requires, or it is expressly stated, otherwise.

If you’re regularly involved in the making of or responding to freedom of information requests then you are likely to be familiar with the decision of the English and Welsh Court of Appeal in Dransfield and Another v The Information Commissioner and another which deals with the meaning and application of “vexatious” within section 14 of the Freedom of Information Act 2000 (“FOIA”). In keeping with many of the provisions of FOIA, there has been considerable litigation on section 14 within the First-Tier Tribunal; however, the decision in Dransfield is the leading authority on the approach that public authorities, the UK Information Commissioner and the First-Tier and Upper Tribunals should take when applying or considering the exemption in section 14(1) of FOIA.

As with many aspects of the Freedom of Information (Scotland) Act 2002, the equivalent provisions within FOISA (also section 14) have escaped any judicial consideration; that is, until today when the First Division,  Inner House of the Court of Session (Lord President Carloway and Lords Brodie and Drummond Young) advised its opinion in an appeal under section 56 of FOISA against a decision of the Scottish Information Commissioner which upheld the decision of the Scottish Prison Service that a request for information made to it was vexatious: Beggs v Scottish Information Commissioner [2018] CSIH 80.

As with most cases involving vexatious requests, there is a history to the matter; this is briefly set out in paragraphs 5-15 of the Court’s Opinion. I am therefore not going to set it out here. There were two grounds of appeal advanced on behalf of the Appellant before the Court and these are set out, in full, by the Court in paragraph 4 of its Opinion. The grounds can  be summarised as follows: (1) that the test set out by Arden LJ (as she then was) in Dransfield should apply and that it had been incorrectly applied by the Scottish Information Commissioner (“SIC”); and (2) that the SIC’s decision was irrational as it failed to take into account a number of factors. The court ultimately rejected both grounds of appeal and refused the Appeal.

The Court makes some “preliminary comment” about the English and Welsh Court of Appeal’s decision in Dransfield. It notes that the decision is “an English case concerning English legislation” (para 26). This is not a wholly accurate statement by the Court: Dransfield concerns section 14 of FOIA, which cannot properly be said to be English legislation. FOIA covers UK-wide public bodies (such as UK Government departments, the BBC, UCAS, the British Transport Police and other); it can be used by people living in Scotland. There is also no separate Norther Irish FOI law and FOIA applies to bodies such as departments of the Northern Irish Government and the Police Service of Northern Ireland. Furthermore, it is possible for appeals against the Upper Tribunal to be taken to the Court of Session and the UK Commissioner can, for example, under section 54, make certifications to the Court of Session.

It appears that what the Court meant by “English legislation” is that the decision in Dransfield was not binding upon the SIC as the SIC is concerned with the enforcement of FOISA – an Act of the Scottish Parliament – rather than FOIA – an Act of the UK Parliament. I may, of course, be entirely wrong and the Court of Session has fundamentally misunderstood FOIA and the distinction between FOIA and FOISA. However, this is not really a matter upon which anything of substance in Beggs can be said to turn. It appears that the Court has essentially adopted the reasoning of Arden LJ and supplemented it with some of its own.

Also by way of preliminary comment the Court notes that Arden LJ expressly declined to offer a definition of or test for “vexatious” or “vexatiousness” (para 26) and so it was incorrect to argue that Dransfield set out a “test” for vexatious requests. The court went on (also at para 26) to state that “[i]t would be remarkable if the word “vexatious” when found in section 14(1) of the English Act of 2000 meant something different from the same word when found in section 14(1) of the Scottish Act of 2002; the terms of the two subsections are essentially identical.”

However, the Court of Session found that there was much in the judgment of Arden LJ that they would agree with and quote paragraph 68 of the judgment of Arden LJ with approval. The Court of Session, perhaps importantly, appears to have approved of the view that Arden LJ took that the rights in FOIA were constitutional in nature (para 28). The court also held that when assessing whether a request is vexatious or not, it must be viewed objectively. In the decision under challenge, the SIC had concluded that when viewed objectively the information sought was of no value to the Appellant. The First Division held that had the SIC followed Dransfield (which she was not obliged to do so) then she would have correctly reached the same conclusion: that Mr Beggs’ request was vexatious (para 30).

In terms of the irrationality ground of appeal, this was dealt with more swiftly by the Court. Counsel for the Appellant had characterised the three matters which the Appellant argued had been overlooked by the Court, were material.

The first matter was the Appellant’s express disavowal of any direct and personal attack. The Appellant had expressly disavowed in his request that there was any such attack. However, the Solicitor Advocate for the SIC argued that the contents of a letter sent to one of the SIC’s officers revealed the Appellant’s purpose; the Appellant’s purpose was “not to obtain information as such” (para 33) rather it was with a view to pursuing complaints about their conduct.” (also at para 33).

The court held that “the presence of a malicious motive may point to a request being vexatious the absence of a malicious motive does not point to a request not being vexatious” (para 33). In essence, while the Court appears to have been sceptical of the Appellant’s express disavowal of personal attack it seems that even if it had not been sceptical, the disavowal may not have assisted the Appellant anyway. The Court again expressed the objective nature of assessing whether a request is vexatious and agreed with the SIC that a request may be harassing even if that is not what is intended by the requester.

The second consideration referred to the past conduct of the authority; these requests appear to have been the result of the Scottish Prison Service putting forward inaccurate information in earlier proceedings before the Court of Session. The Court approved of the view of Arden LJ in respect of vengeful motives – such a motive might itself be an indicator that a request is vexatious. The court’s position here is fairly broad, but it does not appear to close off legitimate use of FOISA to uncover evidence of wrongdoing within a Scottish public authority. However, it is fairly clear that if a requester is using

The third consideration related to the importance of the information requested; the court concluded that the information was objectively of no value and this was therefore not a material consideration.

Comment
This is the first time that the vexatious requests provision in FOISA has been considered by the Scottish courts and will now be the leading case in applying section 14(1) of FOISA. The decision essentially approves of the approach set out by the English and Welsh Court of Appeal in Dransfield. It is important to remember that a request must be considered objectively. There is no express test for vexatious requests either under FOIA or FOISA, but it will be important for Scottish public authorities to keep in mind the constitutional nature of the rights in FOISA. With this in mind, the threshold for applying the provision in section 14(1) of FOISA is a high one.

The Court of Session considers that, when Arden LJ used the phrase “no reasonable foundation for thinking that the information sought would be of value”, it appears that Arden LJ was trying to encapsulate an idea of “gross disproportion as between much trouble inevitably caused and little benefit possibly gained.” How much traction this comment of the Court of Session will have in terms of the application of section 14 of FOIA (given that the Court of Session’s judgments in FOISA cases are of only persuasive authority to the Tribunals and English and Welsh Courts) remains to be seen. Of course, should Beggs seek permission (and be granted permission) to appeal to the Supreme Court we may get a definitive view from(the now)  Lady Arden on whether the Court of Session has correctly interpreted what she meant when sitting in the English and Welsh Court of Appeal.

For the time being, whether or not the Court of Session was right in what it said, this is now (subject to any appeal) the law as it applies in Scotland vis-à-vis FOISA. When considering whether a requester has a reasonable foundation for thinking that the information sought would be of value, it is necessary to look (objectively) at what value there is in the information (a mere assertion by the Applicant that it is of value will not itself be sufficient) and balance that against the inevitable burden that answering the request will place on the authority: they are inversely proportional to one another.

From the perspective of requesters, it is likely to be of little assistance to include express statements in requests that the request is not a personal attack on the authority or a member of its staff and even if you have no intent to cause harassment your request might well have that effect. Your request will be considered objectively in light of its facts and circumstances (and comments made in later correspondence may well be seen as tending to show the opposite).

The decision in Beggs is not likely to have much, if any, impact upon the way in which the vexatious requests provisions in FOISA operate in practice. The Court has essentially approved of the approach to the identical provisions under FOIA. In the absence of any previous authority from the Scottish courts in respect of section 14, the SIC and Scottish public authorities have historically found Dransfield to be persuasive and used it as a basis for understanding what section 14 means.

In short, to decide whether a request is vexatious it is necessary to consider the request objectively on its own facts and circumstances. There is no formula or checklist that can be followed which will give you a definitive answer.

Alistair Sloan

If you would like advice or assistance in respect of a Freedom of Information matter or a data protection/privacy issue then contact Alistair Sloan on 0141 229 0880 or you can send him an E-mail.

Crossroads: where data protection and freedom of information intersect

The laws relating to freedom of information and those relating to privacy and data protection often come into conflict with one another.  One issue which arises often for those who are responsible for answering freedom of information requests is whether or not to disclose personal data of third parties which is caught up within the information that has been requested.  This is an area that has been the subject of much litigation both under the Scottish and UK FOI laws; indeed, cases have gone from Scotland all the way to the UK Supreme Court (this might be because there are fewer levels of appeal to go through in Scotland and until very recently Scottish litigants did not need the permission of the Court of Session or the Supreme Court to take an appeal there).

One area which is perhaps the most contentious of all is where the personal data in question relations to civil servants.  The generally accepted position has been that in most cases the personal data of junior civil servants will be redacted while personal data relating to senior civil servants is more likley to be disclosed.  This position, however, is one that has never really had any scrutiny from the superior courts; that is until now.  On 6th April the Upper Tribunal (Administrative Appeals Chamber) made its decision in Cox v Information Commissioner and Home Office [2018] UKUT 119 (AAC).  Judge Wikeley records that to the best of his knowledge Cox was “the first occasion on which the Upper Tribunal has had to consider in any depth the issue of the principles governing the disclosure of the names of individual civil servants in response to a request under FOIA.” [32]

In this appeal the Appellant, Mr Cox, is concerned with the development of Government policy and its application in relation to migration from the Horn of Africa.  The Appellant made a request for information to the Home Office pursuant to his right of access to information within the Freedom of Information Act 2000.  His request for information sought details concerning meetings between civil servants from the Home Office and government officials from countries within the region.  In particular, the Appellant sought the dates of the meetings, names of all those who were present at the meetings and also the notes of such meetings.

There were two issues in the appeal, but this blog post only focuses on the first of those issues; that being the disclosure of the names of civil servants.  The Home Office had refused to disclose the names of three civil servants who had formed part of the UK’s delegation to Eritrea in December 2014 (they were referred to as J, L and N during the course of the proceedings before the First-Tier Tribunal).  The Information Commissioner had agreed with the Home Office and found that the Home Office had complied with the requirements of the Freedom of Information Act 2000 in withholding the names under section 40(2) of the Act.

The UK and Scottish provisions in respect of personal data are the same (although, in the Scottish Act the exemption can be found within section 38 of the Freedom of Information (Scotland) Act 2002).  Personal data of third parties is exempt under FOI law where to release the personal data would amount to a breach of the data protection principles.  When third party personal data is involved in an FOI request the sixth condition in Schedule 2 to the Data Protection Act 1998 comes into play.  This condition requires there to be a balancing exercise undertaken between the rights of the data subject and the rights of the person who is seeking disclosure of the personal data.

In South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55 (a case which involved the disclosure of pay scales within the Council in connection with matters concerning equal pay), Lady Hale observed that the sixth condition in Schedule 2 required that three discrete questions are asked and answered:

  1. Is the data controller or the third party or parties who whom the data are disclosed pursuing a legitimate interest of interests?
  2. Is the processing involved necessary for the purpose of those interests?
  3. Is the processing unwarranted in the circumstances by reason of prejudice to the rights and freedoms or legitimate interests of the data subject?

The first hurdle for a requester to get across in seeking to have third party personal data, including the names of civil servants, disclosed under FOI laws is that they are pursuing a legitimate interest. It is clear from the authorities that there is no inherent interest in the release of civil servants’ names: “[t]here is no reason why the general transparency values underpinning FOIA should automatically create a legitimate interest in disclosure under the DPA.” [42] (see also Department of Health v Information Commissioner and Lewis [2017] EWCA Civ 374)  What needs to be assessed is “the legitimate interests of the individual requester, and not the more abstract legitimate interests of the public at large”. [43]  If the decision-maker, whether that be the public authority, commissioner or courts/tribunals, is not satisfied that there is no legitimate interest being pursued by the requester, then they do not need to go any further as the sixth condition would not apply (see the comments of Judge Jacobs giving the decision of the Upper Tribunal in Information Commissioner v (1) CF and (2) Nursing and Midwifery Council [2015] UKUT 449 (AAC) at paragraph 19 in particular).

When the personal data exemptions are in play they represent an exception to the general proposition that the FOI process is applicant blind (i.e. that the applicant doesn’t play a part in determining whether information ought to be released or not); other exceptions include, for example, the vexatious provisions and the aggregation provisions within the appropriate limit regulations.  Judge Jacobs, at paragraph 30, in IC v CF & NMC (above) said that it “is impossible to apply paragraph 6(1) without having regard to the identity of the applicant, the interest pursued by the request and the extent to which information is already potentially available to the public.”

Each case will, of course, turn on its own facts.  Many of the factors which go into determining whether third party personal data ought to be released is specific to the facts and context. However, I suggest that we can draw some clear principles from the case law to date:

  1. When determining the legitimate interests part of the test; there is no public benefit legitimate interest – reference must be had to who is making the request and why they are making the request;
  2. The balancing exercise required to be undertaken when applying condition 6 of Schedule 2 is not the same balancing exercise that is completed when undertaking the public interest balancing exercise;
  3. FOI rights do not take precedence over privacy and data protection rights;
  4. When it comes to the personal data of civil servants; there is no hard rule that the personal data (including names) of senior civil servants will always be disclosed and likewise there is no hard rule that the personal data (including names) of junior civil servants will always be redacted; it is a decision that is both fact-specific and context-specific

The decision in Cox is of course one that is not binding on the Scottish Information Commissioner, but it is binding upon the First-Tier Tribunal and the UK Information Commissioner.  It essentially approves of the way in which public authorities and both commissioners have been handling these issues to date and so we’re unlikely to see anything change as to how the tension between FOI laws and the data protection laws is resolved.

The Data Protection Bill will (when it is finally passed and eneacted) amend both the Freedom of Information Act 2000 and the Freedom of Information (Scotland) Act 2002 to reflect the General Data Protection Regulation; the provisions look a bit unwieldy, but in reality they are unlikely to change very little in terms of day-to-day practice.

Alistair Sloan

If you require advice and assistance on any aspect of freedom of information or data protection and privacy law then you can contact Alistair Sloan on 0141 229 0880; alternatively you can contact him directly be E-mail.  We have a Twitter account dedicated to information law issues , which you are welcome to follow.

The National Security Blanket has been Shrunk

On 2nd January 2018 the Upper Tribunal (Administrative Appeals Chamber) (consisting of Charles J, Lane J and Anne Chafer)  published an important decision [pdf], dated 14th December 2017, on the application of the exemption in section 23 of the Freedom of Information Act 2000.

The exemption in section 23 relates to information supplied by, or relating to, bodies dealing with security matters.  Subsection (3) provides a list of 15 bodies to which the exemption applies; including the Security Service (MI5), the Secret Intelligence Service (MI6), the National Crime Agency (NCA) and the Government Communications Headquarters (GCHQ).  The actual exemption is contained in Section 23(1) and provides that:

Information held by a public authority is exempt information if it was directly or indirectly supplied to the public authority by, or relates to, any of the bodies specified in subsection (3).

Background

The decision is worth reading in full, but the essential background to the decision is as follows.  On 21st August 2015 the Royal Air Force carried out a precision air strike in Syria utilising a remotely piloted aircraft (commonly referred to as a ‘drone strike’).  The strike took place in the Syrian city of Raqqa and the target was 21 year-old Reyaad Khan, who was born in Cardiff, and had featured in a ‘recruitment video’ produced by ISIS (also known as IS, Dahesh or ISIL).  The strike killed the intended target along with two other ISIS fighters, one of whom was also British.

On 7th September 2015 the then Prime Minister, David Cameron, made a statement to the House of Commons.  In his statement to the House, Mr. Cameron provided details on the operation which had taken place in August 2015 in Raqqa.  The Upper Tribunal’s written reasons for its decision quote extensively, at paragraph 10, from Mr. Cameron’s statement to the House.  It also quotes an exchange between Mr. Cameron and the then acting leader of the Labour Party, Harriet Harman MP (paragraphs 11 and 12).

In compliance with the United Kingdom’s obligations in terms of Article 51 of the UN Charter, the UK’s Permanent Representative to the United Nations wrote to the President of the Security Council informing the President that the UK had undertaken the 25th August 2015 operation and that this was in “exercise of the inherent right of individual and collective self-defence.”  The Upper Tribunal have quoted further from that letter in paragraph 13 of its decision.

There is much more to the background which can be dealt with in this blog post; however, it is comprehensively set out in the Upper Tribunal’s decision.  It is suffice to say that Freedom of Information requests were made by the appellants to the Attorney General’s Office (AGO) and to the Cabinet Office.  These requests were refused by the public authorities and, in three decisions dated 30 August 2016, the Information Commissioner upheld the decisions of the AGO and the Cabinet Office.  The appellants appealed to the First-Tier Tribunal (Information Rights) and the appeals were transferred to the Upper Tribunal in terms of Rule 19 of The Tribunal Procedure (First-Tier Tribunal) (general regulatory Chamber) Rules 2009 – which allows appeals to the First-Tier Tribunal against decisions of the Information Commissioner’s office, amongst others, to be transferred to and be determined by the Upper Tribunal instead of the First-Tier Tribunal; essentially the appeal ‘leap-frogs’ the First-Tier Tribunal.

Section 23 of FOIA

Section 23 of FOIA is an absolute exemption, which means that it is not necessary for the public authority to consider where the public interest rests between maintaining the exemption and disclosure.  It was designed to ensure that there was no backdoor route to gaining access to information held by the security services under FOIA.  The security services are not public authorities for the purposes of FOIA and this exemption ensures that information which is supplied by, or relates to, one of the security bodies in section 23 cannot be obtained from a public body which is a public authority for the purposes of FOIA.  A similar exemption, but not identical, can be found at Section 31 of the Freedom of Information (Scotland) Act 2002.

The Upper Tribunal’s decision

The Tribunal’s starting position seems to have been that FOIA provides a right of access to information rather than documents.  When responding to an FOI request, a public authority does not need to supply a copy of the document which contains the requested information (although, in practice an authority will provide the document – redacted where necessary).  The request can be complied with by extracting the information from the document or other records held by the authority (APPGER v ICO and FCO [2015] UKUT 0377 (AAC)).  This seems to be a key pillar of the Upper Tribunal’s decision in Corderoy and another v The Information Commissioner and others.

The Upper Tribunal has in this case qualified a statement that was made in the decision of the Upper Tribunal in the APPGER case.  In the APPGER case, the Upper Tribunal stated that “…information, in a record supplied to one or more of the section 23 bodies for the purpose of the discharge of their statutory functions, is highly likely to be information which relates to an intelligence or security body and so exempt under section 23.”  The Respondents in the present case appear to have relied upon this position to argue for a very broad interpretation of section 23.  The Appellants however argued that the absolute exemption in section 23 would prevent disclosure under FOISA unless:  (a) the legal analysis to found the view that he policy decision was lawful can be disaggregated and provided in an intelligible form; and (b) any such disaggregated information falls outside the scope of section 23.

The Appellants were interested in the legal advice which underpinned the Government’s policy decision.  They argued that if this information could property be removed from the documents supplied to the section 23 bodies, and that information itself was not provided by, or related to, a section 23 body, then section 23 did not preclude disclosure and the information instead had to be considered under the qualified exemptions in sections 35(2) and 42 of FOIA (relating to the formulation of government policy and legal advice).

The Upper Tribunal eventually concluded that, while the information in question was clearly of interest to the section 23 bodies; Parliament did not intend, when enacting Section 23(1), for the exemption to apply to information simply because it might be of interest to the section 23 bodies.  The information in question in the present case was concerned with, and confined to, the question as to whether the Government’s policy was lawful.

The Upper Tribunal then went on to consider the public interest arguments, deciding that the public interest rested in maintaining the alternative qualified exemptions rather than in disclosure.  The Upper Tribunal held that it was not necessary for the Government’s legal advice to be shared in order to enable a debate on the lawfulness of the Government’s position to take place; indeed, a considerable debate had already taken place on the issue without the information.

Criticism of the Information Commissioner’s Investigations

The Upper Tribunal also took issue with the way in which the Information Commissioner had conducted her investigations into the complaints made by each of the appellants.  The Information Commissioner had proceeded on the basis of assurances given by the AGO and the Cabinet Office that the information was exempt under section 23(1) of FOIA rather then exercise her statutory powers to require the AGO and Cabinet Office to provide her with the information in question for her consideration.

The Upper Tribunal was extremely critical of this approach by the Commissioner.  The Commissioner did modify her position before the Upper Tribunal; however, the Upper Tribunal remained extremely critical.  At paragraph 95 of its decision, the Upper Tribunal stated:

We acknowledge the resource difficulties of the Information Commissioner but we consider that the course adopted here of effectively permitting the other tow Respondents to be the decision-maker on the challenge to their stance of the application of the absolute exemption in section 23 is unfair.

The Upper Tribunal went on to state in paragraph 97 of its decision that:

If the relevant public authority wishes to avoid a consideration of the relevant documents and so information and disaggregation issues, we have not thought of any circumstances in which it could rely on an assurance rather than a certificate given pursuant to s. 23(2) that can be appealed under section 60.

A certificate under section 23(2) is signed by a Minister of the Crown certifying that the information to which the certificate applies was directly or indirectly supplied by, or relates to, any of the bodies specified in section 23(3) is conclusive evidence of that fact.  The conclusiveness of the certificate is, however, subject to section 60 of FOIA which allows the Commissioner or any requester who is affected by the certificate to appeal the certificate to the First-Tier Tribunal.  The Tribunal can, if it decides that the information in question is not covered by section 23(1), quash the certificate.

Such a certificate may not ultimately prevent the First-tier Tribunal from carrying out the exercise that the Upper Tribunal ultimately carried out in this case, but it does prevent the Commissioner from doing so as the Commissioner is bound to rely upon such a certificate as being conclusive evidence of the application of section 23(1).

Comment

This was an important decision of the Upper Tribunal which clarifies the scope of Section 23(1) of FOIA and which also makes it clear how the Commissioner should conduct her investigations where a requester is challenging the application of section 23(1) of FOIA, but where no Minister of the Crown has signed a certificate pursuant to Section 23(2) of FOIA.

The Upper Tribunal has provided for a more defined exemption rather than for the blanket approach that was being taken by the Respondents.  What can be taken from this case is that information which may be of interest to those bodies listed in section 23(3) of FOIA, and thereby relate to them, will not automatically engage the exemption in section 23.

The Upper Tribunal’s comments on the way in which the Information Commissioner conducted her investigations in relation to these complaints are also of note, and indeed of wider importance.  It is clear that the Upper Tribunal expects the independent regulator to be independent (perhaps not an unsurprising conclusion); in this case it appears that she did not act as independently as she should have.  It was not appropriate for the Commissioner to rely on assurances given by the public bodies concerned and she ought to have required that a copy of the disputed information be provided to her for her consideration or a certificate issued pursuant to section 23(2) of FOIA.  While sympathetic to the pressure on resources that the Commissioner was experiencing, this did not provide an excuse to her for failing to properly investigate an area of contention between the requesters and the public authorities (and indeed between the public authorities themselves, who arrived at the same conclusion but for different reasons).

Alistair Sloan

We have experience of appeals against decisions of the UK Information Commissioner to the First-Tier and Upper Tribunals and also of handling appeals against decisions of the Scottish Information Commissioner.  If you would like to discuss a Freedom of Information matter with Alistair Sloan then you can contact him on 0345 450 0123 or send him an E-mail.

Information Law Review of 2017

2018 is now upon us and this is a big year in the field of Information Law, the General Data Protection Regulation will at last become applicable in the United Kingdom.  If you are a data controller or a data processor, your preparations for the GDPR should be well under way; however, if you have not yet started to prepare for these regulations then it is not yet too late.  The lesser known brother of the GDPR also kicks in this year, the Law Enforcement Directive, which governs the processing of personal data by law enforcement agencies.

However, before I get stuck into what is coming this year in the field of Information law, I want to take a moment to look back at some of the things that happened in 2017.  At the tail end of 2017 the High Court in England issued its anticipated judgment in the case of Various Claimants v WM Morrisons Supermarket PLC  [2017] EWHC 3113 (QB)This represented a significant development in the data protection field and opens up a much wider range of circumstances in which data subjects can sue a data controller under Section 13 of the Data Protection Act 1998.

In October 2017, the Irish High Court made a reference to the Court of Justice of the European Union at the request of the Irish Data Protection Commissioner seeking a preliminary ruling on “Privacy Shield”, the successor to the Safe Harbour rules which had previously been held to be unlawful by the European Court.

In September 2017, the Grand Chamber of the European Court of Human Rights issued a decision concerning the application of the right to a private and family life contained in Article 8 of the European Court of Human Rights to the monitoring of a person’s communications by their employer.

Also in September 2017, the UK Government published its Data Protection Bill which will replace the Data Protection Act 1998, extends GDPR standards to areas not within the competence of the European Union and implements the Law Enforcement Directive, among other things.

Now looking ahead to 2018, it is possible that we might see a decision from the English Court of Appeal in the Morrisons case referred to above, the judge having granted permission to Morrisons to appeal his findings in relation to vicarious liability.  We may also see claims for compensation being made based upon the Morrisons decision.

In Scotland, we will be expecting to see some more progress made by the Scottish Parliament in its consideration of the Children and Young People (Information Sharing) (Scotland) Bill.  I provided written evidence to the Education and Skills Committee on this Bill last year.  The Committee has had some difficulty in completing its Stage 1 consideration of the Bill and the previous deadline of 22 November 2017 for completion of Stage 1 was removed by the Scottish Parliament.

It is also possible that we will see the Scottish Parliament’s Public Audit and Post-Legislative scrutiny Committee begin to undertake a post-legislative inquiry into the operation of the Freedom of Information (Scotland) Act 2002 (or announce that such an inquiry will take place in due course).  If such an inquiry does take place, it will be the first time that there will have been a complete review of the Scottish FOI Act and how it is operating.

Staying on the subject of Freedom of Information in Scotland, we are likely to see the outcome of the Scottish Information Commissioner’s formal intervention in respect of the Scottish Government’s compliance with the Freedom of Information (Scotland) Act 2002.  We are also likley to see an Order being made under Section 5 of the Freedom of Information (Scotland) Act 2002 designating Registered Social Landlords as scottish public authorities with effect from 1st April 2019.

By the end of 2018 we should also hopefully have a much better idea as to what the UK’s relationship with the European Union will be after it leaves, and in particular what impact this will have on data protection and privacy law in Scotland and the rest of the UK.

There will no doubt be a raft of new court decisions in relation to both Privacy/Data Protection and Freedom of Information over the course of the next 12 months and I will attempt to address the most important and unusual decisions here on the Information Law Blog from Inksters Solicitors.

Alistair Sloan

If you would like advice or assistance with Privacy and Data Protection matters (including GDPR preparation) or with UK and Scottish Freedom of Information requests contact Alistair Sloan on 0345 450 0123 or you can E-mail him.

More is less and less is more

On 30th October 2017 the First-Tier Tribunal (Information Rights) promulgated its decision in McGoldrick v The Information Commissioner; the Tribunal’s decision made two points which it is worth considering.  The request for information in question was made to HM Treasure concerning the Mersey Tunnels; the full terms of the request for information are set out in the Tribunal’s decision.

The first point relates to the use of section 12 of the Freedom of Information Act 2000 where some of the information that may fall within the scope of the request is likely to be environmental information; and the second is on the duty of a public authority to provide advice and assistance.

On the first issue, the Tribunal (at paragraph 12) states that it

“agrees with the Information Commissioner that the appellant’s request could cover both non-environment and environmental information, for the purposes of regulation 2(1)(c) but that it would defeat the purpose behind section 12 and regulation 12(4)(d) if a public authority were obliged to collate the requested information in order to ascertain what information fell under either FOIA or the EIR. We agree, therefore, that HM Treasury was correct to consider the request under section 12, even though it might include some environmental information.”

The Tribunal considers that it is appropriate for an authority to not separately identify environmental information and deal with that under the Environmental Information Regulations 2004 where there is a substantial volume of information which covers both environmental and non-environmental information.  It seems that the Tribunal is of the view that there is no need to issue a refusal notice citing Regulation 12(4)(b) [although the Tribunal refers to Regulation 12(4)(d), but this seems as though it may be a typographical error] where a request is going to exceed the appropriate limit and it is likely that there is going to be environmental information within the ambit of the request.

On the second issue, the Tribunal decided that, on the facts of the present case, that HM Treasure did not comply with its obligation to provide adequate advice and assistance and overturned the Commissioner’s decision that it had.  In this case, HM Treasure told the requester that he might like to consider refining his request by reducing the amount of information requested.  The Commissioner considered that such a suggestion was sufficient in order to discharge the authority’s duty to provide advice and assistance.

At paragraph 18 of the Tribunal’s decision it stated:

“Given the widespread nature of computer-driven searches for information in connection with FOIA requests, it is, we consider, reasonable to expect large, sophisticated organisations, such as HM Treasury, to point out to requesters how the most thorough search is likely to exceed the relevant financial limit under the Regulations made by reference to section 12, and to suggest a reformulation of the request in terms specific to computerised searches. Accordingly, if HM Treasury had asked the appellant to reformulate his request by reference to emails and documents containing both the terms “Mersey tunnel” and “toll”, the appellant may well have reformulated his request.”

The Tribunal appears to be suggesting that a large public authority may have to go a bit further than a smaller authority in order to discharge its duty to provide advice and assistance.  It appears that, in certain cases, it may be necessary for a public authority to not only suggest that a requester reformulate their request but rather to go further and actually suggest ways in which it could be reformulated; especially when computer-driver searches for information are involved.

This certainly does fit with the way in which the legislation has been drafted; Section 12(1) of the Freedom of Information Act 2000 does include “so far as it would be reasonable to expect the authority to do so” within its terms.  So, where an authority is issuing a refusal notice under Section 12 of the Freedom of Information Act 2000 authorities, especially larger ones, ought to consider whether they are capable of suggesting how a request could be refined, not just that the requester may wish to consider refining it.

Alistair Sloan

We are able to provide advice and assistance in connection with a range of Freedom of Information matters, including appeals against decisions of both the Scottish and UK Information Commissioners.  If you would like to do discuss a Freedom of Information, or any other Information Law, matter with us then you can contact Alistair Sloan on 0345 450 0123.  Alternatively, you can send him an E-mail.