Devolving Data Protection

The Data Protection Act 1998 (DPA) applies across the whole of the United Kingdom and is enforced centrally by the Information Commissioner’s Office in Wilmslow (which also has offices in Belfast, Cardiff and  Edinburgh).  Anyone who has been following Scottish politics recently will be aware that a Commission has been established to make proposals on further devolution to Scotland following the Scottish Independence Referendum in September.  It has been suggested by the Law Society of Scotland in their written evidence [pdf] to the Smith Commission that consideration should be given to devolving data protection to Scotland.

This was a proposal that caught my eye when I read the Law Society of Scotland’s evidence, and it is an interesting one. Is there any real reason as to why Data Protection ought not to be devolved?

The Law Society of Scotland narrate within their evidence the confusion that can arise with the Scottish Information Commissioner being approached in respect of enforcement action relating to Data Protection, a function that she does not presently undertake.  The Scottish Information Commissioner enforces the Freedom of Information (Scotland) Act 2002, the Environmental Information (Scotland) Regulations 2004 and the INSPIRE (Scotland) Regulations 2009.  In their evidence, the Society makes reference to the way in which Freedom of Information (Scotland) Act 2002 and the DPA interact.  They rightly point out that the Scottish Information Commissioner is required to make decisions in respect of whether it would breach the DPA to release personal data in response to a FOI request.

The interaction between DPA and FOI is a well-known difficulty and there has been litigation surrounding it, such as in South Lanarkshire Council v the Scottish Information Commissioner (on which I have previously written here and here).  Understandably it must be difficult for the Scottish Information Commissioner to take decisions on disclosure in respect of personal data when her office is not also responsible for enforcing the DPA – it risks her taking a decision with which the Information Commissioner in Wilmslow might well disagree (and consequently result in a Scottish public authority breaching its obligations under the DPA).

The law relating to Data Protection comes from the EU, but that on its own would not prohibit its devolution. The INSPIRE (Scotland) Regulations 2009 and the Environmental Information (Scotland) Regulations 2004 both give effect to EU Directives in Scotland.  Ultimately, it is the UK Government that is accountable to the EU for the implementation of EU law within the United Kingdom.  That fact though doesn’t appear to have stopped the UK Government from devolving to Scotland the power to implement EU law into Scots law in some areas already.

There is a difference between the DPA and the legislation that the Scottish Information Commissioner currently enforces. The DPA applies to the private sector to the same extent as the public sector.  The legislation currently enforced by the Scottish Information Commissioner applies only to the public sector and to bodies falling within certain definitions that provide functions of a public nature.  There is a degree of difference between them; for example, the range of bodies caught by the Environmental Information (Scotland) Regulations is wider than the range caught by the Freedom of Information (Scotland) Act 2002.  What has this got to do with devolving Data Protection?  It might not be immediately obvious; however, the bodies covered by the Freedom of Information (Scotland) Act 2002, the Environmental Information (Scotland) Regulations 2004 and the INSPIRE (Scotland) Regulations 2009 are all largely based entirely within Scotland; there are almost no examples of where the Scottish law here applies to bodies carrying out functions elsewhere in the UK.  Is this difference (i.e. the cross-jurisdictional aspect of Data Protection) a sufficient reason not to devolve Data Protection to Scotland?

In terms of FOI, public bodies which have functions across the whole of the UK, or are part of the UK Central Government, are covered by the UK equivalent and not the Scottish law. Some examples include: the BBC, the British Transport Police, the Scotland Office, the Office of the Advocate General for Scotland, the Home Office, the Department for Work and Pensions and HMRC.  In these cases the Freedom of Information Act 2000, the Environmental Information Regulations 2004 and the INSPIRE Regulations 2009 apply and it is the UK Information Commissioner in Wilmslow who enforces their compliance.

In terms of devolution, it is logical why the Freedom of Information Act 2000, the Environmental Information Regulations 2004 and the INSPIRE Regulations 2009 apply to UK wide bodies. It would undoubtedly present difficulties for those organisations if they had to comply with different requirements in different parts of the UK.  However, in terms of FOI, some bodies already have that difficulty.

It does not appear to be widely known, but some of the UK’s biggest businesses are covered by FOI law to a very limited extent. The likes of Tesco, Sainsbury’s, Asda and Boots are all subject to FOI law in respect of their NHS Pharmaceutical and Optometry services.  These are the bodies that have the difficulty of complying with two separate FOI regimes.  In respect of their services contracted by the NHS in Scotland it is the Freedom of Information (Scotland) Act 2002 and the Environmental Information (Scotland) Regulations 2004 that apply (and the Scottish Information Commissioner is responsible for enforcement) while in respect of their services contracted by the NHS in England it is the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 that apply (and the UK Information Commissioner is responsible for enforcement).  A request to one of those bodies for information on a UK wide scale would require them to deal with the request under two separate access to information schemes (potentially four if the information was environmental in nature).  Outside of the world of access to information legislation there are a great many differences between the legal frameworks in which UK wide businesses operate across the UK.  A contemporary example might be statutory charges for carrier bags.  Wales, Northern Ireland and Scotland all have them while England does not.  As a consequence businesses operating across the UK have to adopt different practices on carrier bags to ensure legal compliance in those parts of the UK that do require charges to be made for carrier bags.  This is a fairly minor example, but there are some which are much more substantial in nature.

In terms of devolving data protection to Scotland, if it were to be devolved at all, there are two options. The first would be to devolve it only in respect of data controllers domiciled in Scotland.  This would mean Scottish domiciled data controllers would have to comply with a Scottish Data Protection Act while data controllers domiciled elsewhere in the UK would have to comply with a UK Data Protection Act.  This is probably not a good option from the point of view of Data Subjects; some UK wide companies would be domiciled in Scotland and some would be domiciled elsewhere in the UK.  This could cause confusion as to which Information Commissioner they ought to be dealing with in relation to a data protection concern.  For example, in that situation customers of RBS might find themselves dealing with the Scottish Commissioner as RBS is a company registered in Scotland.  This is the sort of confusion that the Law Society of Scotland mentioned within their response as to why consideration ought to be given to devolving data protection to Scotland.  The other option is to simply devolve Data Protection and that would mean any UK-wide organisation operating in Scotland would have to comply with both the UK and the Scottish Data Protection Acts – it would be no different to multi-nationals who have to comply with the different Data Protection regimes across the world or the multitude of other areas where UK-wide businesses already have to comply with different laws north and south of the border.

Devolving Data Protection to Scotland wouldn’t end the UK Information Commissioner’s responsibilities in Scotland. He would still be responsible for dealing with Freedom of Information in respect of the many bodies covered by the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 which operate in Scotland.  His office would also still be responsible for enforcing the Privacy and Electronic Communications (EC Directive) Regulations 2003 (which overlap considerably with data protection) unless responsibility for implementing the E-Privacy Directive upon which they are based was similarly devolved to Scotland.

So, should Data Protection be devolved? Well, there is no good reason against it that I can see.  There would be a good opportunity for devolution in the form of the Data Protection Regulation currently working its way through the EU legislative process.  At that stage Data Protection law in the UK will have to change and if this were to be an area for devolution to Scotland that would seem like a sensible time to do it.  However, given the nature of EU Regulations as opposed to EU Directives, the practical effect of devolving Data Protection to the Scottish Parliament would be limited.  The question would become “what is the point?”.  The arguments in favour of further devolution to Scotland centre around the Scottish Parliament taking decisions on matters for Scotland which do not need to be reserved; however, the practical effect of the new Data Protection Regulation would be that there would be almost no scope for the Scottish Parliament to take decisions on data protection; there would be an EU Regulation which has direct effect in all EU member states, without the need to pass domestic legislation.  Any legislation, UK or Scottish, would simply be regurgitating the Regulation alongside some minor consequential and transitional matters.

The Law Society of Scotland argues that the new regulation means that there is less of a need for data protection to be a reserved matter; that would be true because from an EU compliance point of view there would be no risk to the UK Government. They also seem to place a lot of weight on the issue of confusion between the responsibilities of the two information commissioners; however, I’m not sure that would be resolved by devolving data protection – in fact there is real potential for it to be compounded rather than resolved.  The only real argument is the one concerning FOI decisions involving third party personal data, but so far that doesn’t appear to have been an issue.  Indeed, in the South Lanarkshire Council case mentioned above, the Supreme Court agreed with the approach of the Scottish Information Commissioner; although there is always scope for the Scottish Information Commissioner to get things wrong.  That said, the UK Information Commissioner could equally get things wrong and wrongly order the disclosure of personal data under FOI.

Should data protection be devolved?  There doesn’t seem to be a strong case one way or the other.  In the grand scheme of things there are far more important issues in the devolution debate than whether the Scottish Parliament should get power devolved over an issue that won’t actually amount to much power at all.

Consultation on PECR Monetary Penalty Notice Threshold: Initial Thought

Section 55A of the Data Protection Act 1998 (DPA) confers upon the Information Commissioner the power to issue a Monetary Penalty Notice (MPN) to Data Controllers for serious contraventions of the DPA.  This power is extended to cover contraventions of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECRs) by virtue of an amendment made to Regulation 31 of the PECRs.

The test for issuing a MPN for contraventions of either the DPA or the PECRs is as set out in Section 55A of the DPA and it requires a number of boxes to be ticked before the Commissioner can issue one:

  • That the Commissioner is satisfied that there has been a serious contravention of section 4(4) of the DPA (or a serious contravention of the PECRs)
  • The contravention was of a kind likely to cause substantial damage or substantial distress
  • and either the contravention was deliberate but failed to take reasonable steps to prevent it; or that the data controller knew (or ought to have known) that there was a risk that the contravention would occur and that such a contravention was of a kind likely to cause substantial damage or substantial distress but failed to take reasonable steps to prevent it

It looks complicated, and to an extent it is.  However, what is clear from the way in which the statutory provisions have been drafted and from the binding interpretation given to them by the Upper Tribunal in The Information Commissioner v Niebel [pdf] is that the test is an almost impossibly high one to meet.

The Department of Culture Media and Sport (DCMS) has issued a consultation document seeking the views of those interested as to whether the threshold should be lowered (and to what) for the Commissioner to be able to issue a MPN in respect of breaches of the PECRs (the proposal would see the test remain as is in respect of contraventions of the DPA).

The consultation document makes three proposals:

  1. do nothing
  2. replace the requirement for the contravention to be of a kind likely to cause substantial damage or substantial distress with a requirement that the contravention is of a kind likely to cause annoyance, inconvenience or anxiety
  3. remove the requirement for the contravention to be of a kind likely to cause substantial damage or substantial distress altogether and replace it with nothing

The Commissioner favours the third option and the DCMS state in the consultation document that their provisional view is that the third option is their preference too.

I’ve given the consultation some consideration since its publication on Saturday and begun to formulate my response (it’s not a particularly lengthy consultation document and does present three clear and simple options).  What has struck me though is what is missing from option three.  The current test and the second option within the consultation document both include situations where the Data Controller ought to have known that there was a risk that the contravention would occur and that such a contravention was of a kind likely to cause substantial damage or substantial distress but failed to take reasonable steps to prevent it.  However, this appears to be missing from the third option as expressed within the consultation document.

This apparent omission concerns me.  It creates a defence where someone can demonstrate that they didn’t know that there was a risk the contravention would occur even when it is apparent to all and sundry that they really should have known there was a risk.  It basically excuses negligence.  It allows a completely unreasonable situation to avoid the regulatory sanction of a MPN.

This seems like a glaring omission to me and it’s something I’ll certainly be thinking about the possible ramifications of in more detail before submitting a response to the DCMS.  I thought it was an interesting point that was worth raising in a blog.

The DCMS consultation can be found here [pdf] and the deadline for responses to be received by the DCMS is 7 December 2014.

Direct Marketing by E-mail and Text: the need for consent

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECRs) are probably not the most widely known piece of legislation, but they are important when it comes to marketing – and everyone who hates spam text messages, telephone calls and E-mails would probably benefit from knowing about them!  The Regulations implement a piece of EU law into domestic law (for those that are interested the relevant EU law is Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)) and are concerned with when and how organisations and individuals (which for ease of reference will simply be referred to as ‘organisations’ throughout) can market directly to individuals via electronic means.  Direct marketing means any form of advertising or marketing which is targeted at a specific individual.

The rules are really very simple, but are regularly not complied with by companies large and small.  The general rule is that unless you have the consent of the individual (and that consent should be freely given and informed) then you cannot market directly to individuals via E-mail, text message, telephone call or any other electronic means.  This post will focus on electronic mail only (such as text messages and E-mail).

What does not qualify as consent for the purposes of the PECRs?  Consent isn’t specifically defined within the PECRs; however, the Regulations provide that where a term is not defined within either the PECRs or the Data Protection Act 1998 (DPA) the terms should be given the definition ascribed to it in the Directive.  The Directive, in turn, directs us to another EU Directive (95/46/EC – the Directive upon which the DPA is based) where the definition is given as:

any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.

It is very clear.  Consent must be:

  • Freely given
  • Specific
  • Informed

When it comes to gaining consent different companies do it in different ways, most of which do not in any way come close to satisfying those three basic requirements.  One way, which I have encountered recently, is to simply build it into their Privacy Policy and/or Terms and Conditions that you consent.  That’s probably the most blatant and flagrant way of breaching the PECRs you can get.  The consent is neither freely given nor informed.  While such organisations might give an option to opt-out at a later date that is insufficient to comply with the Regulations.  Consent isn’t consent unless there is an option not to consent.  Refusing should also be free (except for the cost of transmitting the refusal).  In other words, an individual cannot be charged a fee for refusing (or withdrawing) consent to direct marketing by electronic mail, but if there is a cost to transmitting it (e.g. the cost of a text message or a stamp) then that cost is legitimate.

Another common occurrence is for organisations to have an ‘opt-out’ box requiring the individual to tick in order to say that they don’t consent.  This is nothing more than another form of presumed consent, which clearly doesn’t comply with the requirements of the PECRs.  So far as electronic mail is concerned, the only option is a clear decision to opt-in.

Some organisations will have the opt-in box and will have helpfully already ticked it, meaning that individuals need to un-tick it to withhold their consent to direct marketing by electronic mail.  Again, this is not compliant with the Regulations.  Giving consent is a positive action; if the registration, order form, enquiry form, questionnaire etc. goes away with a pre-ticked marketing box still ticked then it is unclear whether the individual has given their consent to the direct marketing or whether they simply haven’t (for whatever reason) un-ticked the box.

All is not lost though if details have been obtained by stealth.  There ought to be a way of withdrawing consent contained in every text message or E-mail that is received (a requirement of the PECRs).  However, there is another useful right open to individuals.  That right is contained in section 11(1) of the DPA which states:

An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing for the purposes of direct marketing personal data in respect of which he is the data subject.

Simply put, individuals can send a letter or an E-mail or some other form of written notice to the organisation in question requiring them to stop sending direct marketing.  This covers all forms of direct marketing and would include text messages, E-mails, letters, phone calls and such like.  The organisation then has to stop direct marketing within “a reasonable time” – the Information Commissioner gives guidance which states that for direct marketing by electronic means organisations should comply within 28 days, and for postal marketing the guidance is 6 weeks.  These notices are legally enforceable and it is possible to go to Court if an organisation doesn’t comply – alternatively the Information Commissioner can become involved as there will be breaches of the Data Protection Principles if such a notice is not complied with.

This is just a very basic overview of the requirements of the PECRs; the Information Commissioner has produced a more in-depth guide to Direct Marketing [pdf] which covers everything in more detail.  I was prompted to write this blog post based on the sheer number of flagrant breaches of the PECRs that there are.  These breaches are by big names.  Major political parties, FTSE 100 companies and major household brands are failing to act in accordance with a basic requirement: that before they can bombard individuals with direct marketing they have to obtain the freely given and informed consent of the individual.

UK Supreme Court: South Lanarkshire Council v Scottish Information Commissioner

On 8 July 2013 the United Kingdom Supreme Court heard its first appeal in a Freedom of Information case under the Freedom of Information (Scotland) Act 2002 since the functions of the Law Lords in the House of Lords transferred to the Supreme Court.  The case concerned the appeal by South Lanarkshire Council against a decision of the Inner House of the Court of Session.  That appeal was brought by South Lanarkshire Council against decision notice 056/2011 issued by the Scottish Information Commissioner.  The UK Supreme Court (Lady Hale sitting with Lords Kerr, Wilson, Reed and Carnwath) issued its judgment dismissing the appeal on 29 July 2013.

In Decision 056/2011 the Scottish Information Commissioner had found that South Lanarkshire Council had not been entitled to withhold information as to the number of persons at specific points on the Council’s pay spine under section 38 of the Freedom of Information (Scotland) Act 2002.  I wrote about this case when the Inner House issued its decision (also dismissing the appeal by South Lanarkshire Council); you can find out more about the case generally (and the Court of Session’s opinion) in that post.

The case is an important one for information law as it provides some important guidance on the tension between the Freedom of Information (Scotland) Act 2002 and the Data Protection Act 1998 (specifically, condition 6 of Schedule 2).  It is clear from this case and others (such as Common Services Agency v Scottish Information Commissioner [2008] UKHL 47, 2008 SC (HL) 184) that there is certainly no presumption in favour of Freedom of Information over the protections in the Data Protection Act 1998.  Indeed, reading the legislation gives the opposite impression.  The protections for personal data in the Freedom of Information (Scotland) Act 2002 are absolute (i.e. once they apply, that is the end of the matter).

The first data protection principle in Schedule 1 to the Data Protection Act 1998 requires that a data controller shall process personal data only in a way that is fair and lawful.  The Act goes on to provide that personal data cannot be processed unless at least one of the conditions in Schedule 2 is met.  The case at hand concerned condition 6 in schedule 2 which permits the processing of personal data where it is necessary for the legitimate interests of the data controller or any third party.  There is a qualification, in that the processing must not happen if it would be contrary to the fundamental rights of the data subject.  The case centred on the correct interpretation of ‘necessary’ in condition 6 of schedule 2.

In the Supreme Court’s judgment, Lady Hale made reference to a number of decisions of the European Court of Justice which supported the view taken by the Divisional Court in Corporate Office of the House of Commons v The Information Commissioner [2008] EWHC 1084 (Admin) that the word ‘necessary’ had to be interpreted in light of the European Convention on Human Rights and Fundamental Freedoms 1950.

In Rechnungshof v Österreichischer Rundfunk the European Court of Justice stated, at paragraph 68:

“the provisions of Directive 95/46, in so far as they govern the processing of personal data likely to infringe fundamental freedoms, in particular the right to privacy, must necessarily be interpreted in the light of fundamental rights, which, according to settled case law, form an integral part of the general principles of law whose observance the Court ensures.”

The ECJ held that if the national legislation was incompatible with Article 8, it was unable to satisfy the proportionality requirements in article 7(c) or (e) of the EC Directive 95/46 (to which the Data Protection Act 1998 gives effect in the United Kingdom).

This approach was followed by the ECJ in Huber v Bundesrepublik Deutschland, and so in order to be compatible with the proportionality requirements in the Data Protection Directive, the processing must be compatible with Article 8 of the European Convention on Human Rights and Fundamental Freedoms.

Lady Hale observed at paragraph 26 that the information which Mr Irvine had requested would not allow him, or anyone else, to identify the individuals in question.  As such it was “quite difficult to see why there is any interference with their right to respect for their private lives.” As such, Lady Hale stated, also at paragraph 26, that applying article 7(f) and condition 6 in their own terms was sufficient.

Delivering a final blow to the Council, Lady Hale concluded that the Scottish Information Commissioner “had applied a test that was probably more favourable to the Council than was required and certainly no less favourable.” (Paragraph 28).

So, while it was not really necessary to consider Article 8 of the European Convention on Human Rights and Fundamental Freedoms in this case due to the data subjects not being identifiable from the information requested, it is clear from the ECJ case law in Lady Hale’s judgment that Article 8 is a factor that must be taken into account when considering disclosing information under the Freedom of Information (Scotland) Act 2002 which is the personal information of an identifiable data subject.

Council appeals taxi recording Enforcement Notice

In July the Information Commissioner’s Office (ICO) served an Enforcement Notice against Southampton City Council over its requirement that all licensed taxi cars must record both audio and visual from within its vehicles on all journeys.  The Enforcement Notice was issued by the ICO using powers conferred on the Information Commissioner under the Data Protection Act 1998.

The City Council’s policy requires that all taxis and private hire vehicles which it licenses are fitted with audio and visual recording equipment and that this is recording at all times regardless of the purpose for which the vehicle is being used.  For example, a private hire taxi driver will likely use the car to transport their family or friends in the way that most people will use their vehicles (e.g. taking their children to school or extra-curricular activities, going to visit family, going for family day trips etc.)  Even in such situations the Council’s policy mandates that the vehicle is recording visual images and audio.  The private telephone conversations of the driver and his passengers will be recorded as will private conversations between passengers and conversations between the driver and his family.  All the recordings will be stored by the Council.

Such a policy is, to any reasonable person, an extreme interference with a person’s right to a private and family life.  It affords no private space to the driver or their passengers.  The driver is unable to switch the equipment off when using the vehicle for personal use or to afford passengers privacy when making or receiving private telephone calls.

The Information Commissioner’s decision that Southampton City Council should stop the practice seemed to be a sensible one.  Certainly in my view the compulsory recording of both visual images and audio in vehicles regardless of the type of journey being made is a step too far.  It is with regret that the City Council has decided to appeal the decision to the First-Tier Tribunal (Information Rights).

The Council contends that it takes steps to protect privacy by ensuring that the data is encrypted and assuring everyone that the recordings are only looked at when a complaint is made to the City Council or the police.  In support of its policy the City Council cited a number of allegations of sexual assault made against a licensed driver in a licensed vehicle where the allegations could not be taken forward due to a lack of evidence.  The City Council intends to use this evidence as well as other examples where the cameras were in use in support of its appeal.

There is no doubt that the constant video and audio recording of the inside of taxis and private hire vehicles will produce evidence that can cast light on allegations of criminality and also complaints against drivers.  That, it would appear, is not in dispute.  It seems to me that the City Council are entirely missing the point.  The processing of data (which includes the actual recording and not just the storing and/or watching) must be fair.  While the existence of the recordings could be useful in the investigation of a complaint or an alleged criminal offence one must consider the fairness of recording even the private journeys of drivers while they are not on duty.  That at least should be considered as an unfair processing of personal data even if you accept the invasion of privacy involved in recording all journeys made while a driver is on duty.

There are some arguments in favour of requiring all journeys regardless of purpose to be recorded.  For example, it would ensure that drivers cannot “forget” to turn the equipment on when they begin driving officially and it ensures that drivers cannot switch the equipment off or delete recordings in order to evade prosecution for an offence.  However, these considerations do not appear to me to be sufficient justification for a blanket policy such as the one instigated by the Council.

The City Council is entitled to appeal the enforcement notice, but I hope that they see sense and abandon the appeal.  In the event that the City Council decide to continue with the appeal I hope that the Tribunal will reject it and uphold the Commissioner’s enforcement notice.  The City Council really has gone too far with this policy.

Links
Enforcement Notice (pdf)
Council takes ICO to Information Rights Tribunal over cameras in taxis (Local Government Lawyer)

South Lanarkshire Council v The Scottish Information Commissioner

This decision of the Court of Session (Extra Division, Inner House) delivered on 27 March 2012 by Lord Marnoch is in relation to an appeal by South Lanarkshire Council (“the Council”) against decision 056/2011 of the Scottish Information Commissioner (“the Commissioner”).  It concerns a request for information made pursuant to the Freedom of Information (Scotland) Act 2002 (“FOISA”) by Mr Mark Irvine relating to the number of individuals employed by the Council placed at specific points in the pay structure.

The full facts of the case are set out within the Commissioner’s decision.  The Council, after initially ruling Mr Irvine’s requests as vexatious, withheld the information sought by Mr Irvine on the grounds that it was personal data and to disclose the information would be a breach of the Data Protection Principles.  This exemption is provided for within Section 38 of FOISA; specifically, the Council applied Section 38(1)(b) of FOISA to the information sought by Mr Irvine.  The Commissioner found that the Council had incorrectly applied Section 38(1)(b) of FOISA and he ordered the Council to disclose the information to Mr Irvine.  The Council exercised its right under Section 56 of FOISA and appealed to the Court of Session.

One of the contentions that the Council made to the Court was that the Commissioner had erred in law by failing to identify Mr Irvine’s “legitimate interest” in obtaining the information sought.  There is not normally a requirement under FOISA to consider the interests or reasons behind a request for Information under FOISA.  However, Schedule 1 to the Data Protection Act 1998 (“DPA”) places an obligation upon the “data controller” (in this case the Council) to ensure that the processing of information is fair and lawful.  It goes on to provide that the data should not be processed unless certain conditions are met.  It should be noted that in this case processing the data would be its disclosure under FOISA.  Relevant in this case is paragraph 6(1) of Schedule 2 to the DPA.  It provides that the data can be processed if it is necessary for the purposes of a legitimate interest of the data controller, or any third party to whom the information would be disclosed (in this case Mr Irvine and the world at large).   There is an exception to this and that is where the processing would be “unwarranted…by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.”  The data subjects in this case would be the employees who fall within the information sought by Mr Irvine.

In essence the Council had to, on this occasion (and unusually in FOISA requests), consider what legitimate interest Mr Irvine had to the information sought.  Furthermore the disclosure of the information had to be “necessary” for the pursuance of that legitimate interest.  The Council also contended that the Commissioner had failed to separately consider the necessity of the disclosure to Mr Irvine’s pursuance of any legitimate interest identified.

The Court of Session rejected both of these arguments.  It found that when viewing the Commissioner’s decision as a whole the Commissioner had identified a legitimate interest and the Court agreed with that legitimate interest.  Furthermore the Court also held that “the Commissioner could only have concluded that necessity was made out.”  Disappointingly, the Court of Session did not say one way or the other whether the Commissioner’s approach in deciding this was correct.  They were satisfied that even had the approach, applying a stricter test, advocated by the Council been followed, necessity would have been made out.

The Court of Session refused the appeal by the Council and upheld the decision of the Information Commissioner.  It remains to be seen whether the Council will further appeal to the United Kingdom Supreme Court.  Such an appeal would need to be filed within 42 days of the Court of Session’s decision and with the leave of the Court of Session.

POSTSCRIPT: 15/04/2013 – South Lanarkshire Council has appealed to the United Kingdom Supreme Court.  The case is due to be heard by that court on 8 July 2013.