Tag Archives: Section 14 (FOIA)

Dealing with vexatious FOI Requests

The call for views by the Public Audit and Post-Legislative Scrutiny Committee of the Scottish Parliament (“the Committee”) in respect of its post-legislative scrutiny of the Freedom of Information (Scotland) Act 2002 (“FOISA”) ended on 21 June 2019 (having been extended a couple of times). One of the issues that came up on a number of occasions in the Committee’s discussions and evidence sessions prior to formally deciding to undertake post-legislative scrutiny of FOISA was the issue of vexatious requests. This issue has come up again in a number of responses to the call for views provided by Scottish public authorities (but certainly not all those Scottish public authorities that submitted responses).

It does seem as though Scottish public authorities, generally, are fairly poor at utilising section 14 of FOISA, which provides that a Scottish public authority does not need to comply with a request for information where it is vexatious. The Scottish Information Commissioner has also expressed the view that authorities are not utilising the available provisions within FOISA to deal with vexatious requests, such as at an evidence session before the Committee on 10 January 2019 [pdf].

The response of by Glasgow City Council [pdf] provides an example of a single requester who has made around 100 FOI requests on a related topic. It strikes me that requests from this particular requester on this particular topic could very well fall within the ambit of section 14 (although, I make that comment with only that information which is available from Glasgow City Council in its response). While the law requires the request to be vexatious, rather than the requester themselves, it is permissible to look at the requester’s conduct towards, previous correspondence with and previous requests to the authority in determining whether a particular request that has come in is, in fact, vexatious. This is something that Scottish public authorities seem to struggle with and often seem look at a particular request in isolation and not necessarily consider the wider background and context.

The leading case on section 14 of FOISA, Beggs v Scottish Information Commissioner, was only decided at the end of 2018 and therefore prior to that there was no authoritative guidance on the application of section 14 of FOISA. However, the Scottish Information Commissioner and Scottish public authorities have looked to Dransfield v Information Commissioner to help with the application of section 14 of FOISA. In Beggs the Inner House of the Court of Session essentially approved of the decision of the Court of Appeal in Dransfield. The decision in Beggs is, subject to any appeal to the UK Supreme Court, binding authority on the operation of section 14 of FOISA. Scottish public authorities can therefore look to both the Judgment of the Court of Appeal in Dransfield and the opinion of Lord Brodie in Beggs for guidance on section 14 of FOISA and how to apply it in appropriate cases.

The Court of Appeal and the Inner House of the Court of Session have both stressed that the right of access to information is a constitutional one and so the bar for engaging section 14 is a high one. However, it is clear that the bar is not so high so as to be impossible to meet in practice.

Section 14 of FOISA allows Scottish public authorities to consider matters that would not normally be relevant to FOI requests, such as the identity of the requester and their motives. Scottish public authorities (and indeed, public authorities working under the Freedom of Information Act 2000) should remember that they can look at a requester’s motives; for example, a malicious motive can be an indicator that a request is vexatious (but is not necessarily evidence that the request is, in fact, vexatious): Beggs at paragraph 33. Equally, the absence of a malicious motivation is not necessarily evidence that the request is not vexatious.

A person’s previous dealings with an authority can be relevant as can their other FOI requests: if a person is showing signs of obsessive behaviour, then that could be an indicator that the request is vexatious. The authority needs to look at the request objectively, in the surrounding circumstances, and come to a judgement as to whether the request is vexatious. However, it will need to remember to have evidence to support its conclusion in case the requester makes an application to the Commissioner challenging the application of section 14 by the authority.

Perhaps there is concern within authorities about getting it wrong and having a section 14 refusal overturned by the Commissioner; however, we can only learn from doing and from our mistakes. There are 96 decision notices on the Scottish Information Commissioner’s website relating to section 14(1) of FOISA (the specific part of section 14 that deals with vexatious requests). This number does seem to be rather small given that wide opinion coming from Scottish public authorities over many years that vexatious requests are a particular problem. Over 50 of those decision notices find entirely in favour of the authority and a good number are classified as partially upheld (many of which appear to have included technical defaults by the authority). It is clear that where a Scottish public authority appropriately deploys section 14 in respect of vexatious requests, the Commissioner will uphold that decision.

It certainly does seem to be the case that Scottish public authorities are reticent to utilise section 14 of FOISA. Perhaps, it is because they do not fully understand the scope of section 14 or are unsure about its precise application – it can potentially be used in a wide variety of circumstances. Scottish public authorities could certainly be using section 14 much more frequently than what they are at present and they should seek to become much more confident in using section 14. Indeed, a majority of the examples that I have seen emanate from Scottish public authorities, which they put forward as examples of problems that they are facing which cannot be dealt with by the application of section 14; most probably could, in fact, have been dealt with by the application of section 14. The same level of reluctance is not obviously present in respect of those authorities subject to the Freedom of Information Act 2000.

Alistair Sloan

If you are a requester or a public authority who would like advice or assistance in regards to freedom of information law then contact our team on 0141 229 0880 or by E-mail. We are also able to assist with a range of other information law matters.

Personal Data and FOI: to anonymise or not to anonymise

I recently wrote a blog post covering the release of third party personal data under freedom of information laws in both Scotland and the rest of the UK. Requests which seek the release of third party personal data, or where information within the scope of a FOI request constitutes the personal data of a third party, are the most common examples of where freedom of information and data protection overlap; however, they are not the only examples.

On Friday of last week, the Herald contained a piece covering calls which had been made to anonymise FOI requests which are sent to government advisers. These calls follow on from some high profile disagreements between the Scottish Government and journalists. The allegations levelled against the Scottish Government is that ministers and their advisers are having undue influence over what information is and is not released under the Freedom of Information (Scotland) Act 2002; in particular where the request comes from a journalist. The Scottish Information Commissioner is currently carrying out an “intervention” which is looking at this matter alongside one which has a wider remit in relation to the Scottish Government’s handling of FOI requests. It is understood that the Commissioner’s Office will report its findings of these interventions in the next month or so.

These wider issues are not, however, the focus of this blog post. Rather, the focus of this blog post relates to the call to anonymise FOI requests in this way and whether this is a practice that public authorities ought to be following in any event.

The General Data Protection Regulation and the Data protection Act 2018 now govern how organisations, such as public authorities, process personal data. Reducing the data protection framework down to its most basic requirement, data controllers should not be processing the personal data of a data subject unless they have a lawful basis to do so.

When a public authority circulates a request for information, or a proposed response to a request for information, that is not stripped of the personal data of the requester then that would amount to the processing of personal data of which the requester is the data subject. What is the lawful basis of processing in Article 6 of the GDPR which enables the public authority to process the requester’s personal data in that way?  Clearly there is a need for the requester’s personal data to be processed in order to enable the response to be issued to the requester and there will no doubt be some central record which records who has made FOI requests, what the request was for and what the outcome of the request was – if only to enable the authority to respond to an internal review, appeal to the Commissioner or appeal to the tribunal/courts.

The Authority cannot possibly have the consent of the data subject to process their personal data by circulating it around the authority. Consent cannot be inferred in the way that would be necessary in order to rely upon consent. There’s no contract with the data subject which would require the processing of their personal data in this way.

Answering a FOI request is a legal obligation on behalf of the public authority, but is it necessary to provide the name of the requester to the department(s) who need to search for the information or to an official or adviser who is having in put into the response? Probably not, especially when set against the ‘applicant blind’ way in which FOI requests are supposed to be dealt with. Is it necessary in order to protect the vital interests of the data subject or of another natural person? I’d have thought it unlikely. Again, it’s unlikely to be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Finally, it’s unlikely that it would be necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

In short, it’s unlikely that it is necessary for those searching for the information or considering the proposed response to know who the requester is. There are, of course, situations where a different course might be required. For example, if considering refusing the request on the grounds that it is vexatious under section 14 of the Freedom of Information (Scotland) Act 2002 or section 14 of the Freedom of Information Act 2000; it will often be necessary to speak with other areas of the organisation, especially persons responsible for handling complaints. In such circumstances it would be necessary for those being consulted to know the identity of the requester, otherwise the evidence required in order to justify reliance upon the vexatious provisions could not be gathered.

In normal circumstances, public authorities should probably be removing personal data such as a requester’s name, place of work and job title (where included) from a request before sending it out to those who need to perform searches for information or those who, in accordance with the authority’s internal procedures, need to approve responses before they’re issued. Only where the identity of the requester is directly relevant to the response, such as where consideration is being given to refusing the request on the grounds that it is vexatious, should the identity of the requester be disclosed otherwise it may amount to a breach of data protection law.

It may be relevant at this juncture to look, briefly, at the applicant blind requirement of freedom of information law. The applicant blind requirement is not specifically provided for within the relevant legislation; however, it has been understood for some considerable time that requests ought to be dealt with in a way that means that they are applicant blind.  The applicant blind requirement is often largely over-stated.  There are clearly situations where the applicant’s identity will be relevant; for example is it a request for that person’s own personal data or is it a vexatious/repeated request or are you aware of any disability which may mean that you need to make reasonable adjustments in terms of the Equality Act 2010?  If public authorities applied the applicant blind requirement absolutely and slavishly, it would cause difficulties in those situations and also in others.

The purpose of the applicant blind test is to ensure that, other than where the exemption necessitates it, the requester’s identity does not form part of the decision in whether to apply an exemption or in the application of the public interest balancing test. Anonymising FOI requests when they go out to the wider organisation or to selected individuals for comment/approval assists to ensure that the applicant blind aspect of the FOI regime is also complied with.

Alistair Sloan

If you require advice and assistance in connection with a freedom of information or data protection matter then contact Alistair Sloan on 0141 229 0880. Alternatively you can send Alistair and E-mail.

FOISA Vexatious decision notice appealed to Court of Session

Section 14 in both the Freedom of Information Act 2000 (“FOIA”) and the Freedom of Information (Scotland) Act 2002 (“FOISA”) enable an authority not to comply with a request for information that is vexatious.  What is meant by vexatious in Section 14 of FOIA has been the subject of litigation all the way to the Court of Appeal and the leading authority is Dransfield and another v The Information Commissioner and others [2015] EWCA Civ 454; [2015] 1 WLR 5316.  However, there has not yet been any litigation in Scotland on the meaning of vexatious within Section 14 of FOISA; the Scottish Information Commissioner’s guidance [pdf] on the subject appears to draw heavily on the Dransfield decision.

Those who make a point of reading the Scottish Information Commissioner’s regular round-ups of decisions will note that the most recent one informs us of an appeal to the Court of Session against a decision of the Scottish Information Commissioner which upheld the authority’s use of Section 14.  If the appeal proceeds, it will be the first time that the Scottish courts will have considered Section 14 of FOISA.

It will be interesting to see whether the Court of Session adopts the Dransfield position, or whether it takes a different approach to vexatious requests in Scotland.  If the Court of Session does publish an Opinion, we will of course cover it on this blog.

Alistair Sloan

We are able to provide advice and assistance in connection with a range of Freedom of Information matters, including appeals against decisions of both the Scottish and UK Information Commissioners.  If you would like to do discuss a Freedom of Information, or any other Information Law, matter with us then you can contact Alistair Sloan on 0345 450 0123.  Alternatively, you can send him an E-mail.