UK Supreme Court: South Lanarkshire Council v Scottish Information Commissioner

On 8 July 2013 the United Kingdom Supreme Court heard its first appeal in a Freedom of Information case under the Freedom of Information (Scotland) Act 2002 since the functions of the Law Lords in the House of Lords transferred to the Supreme Court.  The case concerned the appeal by South Lanarkshire Council agains a decision of the Inner House of the Court of Session.  That appeal was brought by South Lanarkshire Council against decision notice 056/2011 issued by the Scottish Information Commissioner.  The UK Supreme Court (Lady Hale sitting with Lords Kerr, Wilson, Reed and Carnworth)  issued its judgment dismissing the appeal on 29 July 2013.

In Decision 056/2011 the Scottish Information Commissioner had found that South Lanarkshire Council had not been enetitled to withhold information as to the number of persons at specific points on the Council’s pay spine under section 38 of the Freedom of Information (Scotland) Act 2002.  I wrote about this case when the Inner House issued its decision (also dismissing the appeal by South Lanarkshire Council), you can find out more about the case generally (and the Court of Session’s opinion) in that post.

The case is an important one for information law as it provides some important guidance on the tension between the Freedom of Information (Scotland) Act 2002 and the Data Protection Act 1998 (specifically, condition 6 of Schedule 2).  It is clear from this case and others (such as Common Services Agency v Scottish Information Commissioner [2008] UKHL 47, 2008 SC (HL) 184) that there is certainly no presumption in favour of Freedom of Information over the protections in the Data Protection Act 1998.  Indeed, reading the legislation gives the opposite impression.  The protections for personal data in the Freedom of Information (Scotland) Act 2002 are absolute (i.e. once they apply, that is the end of the matter).

The first data protection principle in Schedule 1 to the Data Protection Act 1998 requires that a data controller shall process personal data only in a way that is fair and lawful.  The Act goes on to provide that personal data cannot be processed unless at least one of the conditions in Schedule 2 are met.  The case at had concerned condition 6 in schedule 2 which permits the processing of personal data where it is necessray for the legitimate interests of the data controller or any third party.  There is a qualification, in that the processing must not happen if it would be contrary to the fundamental rights of the data subject.  The case centred on the correct interpretation of ‘necessary’ in condition 6 of schedule 2.

In the Supreme Court’s judgment, Lady Hale made reference to a number of decicions of the European Court of Justice which supported the view taken by the Divisional Court in Corporate Office of the House of Commons v The Information Commisisoner [2008] EWHC 1084 (Admin) that the word ‘necessary’ had to be inrepreted in light of the European Convention on Human Rights and Fundamental Freedoms 1950.

In Rechnungshof v Osterrichischer Rundfunk the European Court of Justice stated, at paragraph 68:

“the provisions of Directive 95/46, in so far as they govern the processing of personal data likely to infringe fundamental freedoms, in particular the right to privacy, must necessarily be interpreted in the light of fundamental rights, which, according to settled case law, form an integral part of the general principles of law whose observance the Court ensures.”

The ECJ held that if the national legislation was incompatable with Article 8, it was unable to satisfy the proportionality requirements in article 7(c) or (e) of the EC Directive 95/46 (to which the Data Protection Act 1998 gives effect to in the United Kingdom).

This approach was followed by the ECJ in Huber v Bundesrepublik Deutschland, and so in order to be compatable with the proportionality requirements in the Data Protection Directive, the processing must be compatale with Article 8 of the European Convention on Human Rights and Fundemantal Freedoms.

Lady Hale observed at paragraph 26 that the information which Mr Irvine had requested would not allow him, or anyone else, to identify the individuals in question.  As such it was “quite difficult to see why there is any interference with their right to respect for their private lives.” As such, Lady Hale stated, also at paragraoh 26, that applying article 7(f) and condition 6 in their own terms was sufficient.

Delivering a final blow to the Council, Lady Hale conculded that the Scottish Information Commissioner “had applied a test that was probably more favourable to the Council than was required and certainly no less favourable.” (Paragraph 28).

So, while it was not really necessray to consider Article 8 of the European Convention on Human Rights and Fundamental Freedoms in this case due to the data subjects not being identifiable from the information requested, it is clear from the ECJ case law in lady Hale’s judgment that Article 8 is a consideration that must be taken into consideration when considering disclosing information under the Freedom of Information (Scotland) Act 2002 which is the personal information of an identifiable data subject.

Council appeals taxi recording Enforcement Notice

In July the Information Commissioner’s Office (ICO) served an Enforcement Notice against Southampton City Council over its requirement that all licensed taxi cars must record both audio and visual from within its vehicles on all journeys.  The Enforcement Notice was issued by the ICO using powers conferred on the Information Commissioner under the Data Protection Act 1998.

The City Council’s policy requires that all taxis and private hire vehicles which it licenses are fitted with audio and visual recording equipment and that this is recording at all times regardless of the purpose for which the vehicle is being used.  For example, a private hire taxi driver will likely use the car to transport their family or friends in the way that most people will use their vehicles (e.g. taking their children to school or extra-curricular activities, going to visit family, going for family day trips etc.)  Even in such situations the Council’s policy mandates that the vehicle is recording visual images and audio.  The private telephone conversations of the driver and his passengers will be recorded as will private conversations between passengers and conversations between the driver and his family.  All the recordings will be stored by the Council.

Such a policy is, to any reasonable person, an extreme interference with a person’s right to a private and family life.  It affords no private space to the driver or their passengers.  The driver is unable to switch the equipment off when using the vehicle for personal use or to afford passengers privacy when making or receiving private telephone calls.

The Information Commissioner’s decision that Southampton City Council should stop the practice seemed to be a sensible one.  Certainly in my view the compulsory recording of both visual images and audio in vehicles regardless of the type of journey being made is a step too far.  It is with regret that the City Council has decided to appeal the decision to the First-Tier Tribunal (Information Rights).

The Council contends that it takes steps to protect privacy by ensuring that the data is encrypted and assuring everyone that the recordings are only looked at when a complaint is made to the City Council or the police.  In support of its policy the City Council cited a number of allegations of sexual assault made against a licensed driver in a licensed vehicle where the allegations could not be taken forward due to a lack of evidence.  The City Council intends to use this evidence as well as other examples where the cameras were in use in support of its appeal.

There is no doubt that the constant video and audio recording of the inside of taxis and private hire vehicles will produced evidence that can cast light on allegations of criminality and also complaints against drivers.  That, it would appear, is not in dispute.  It seems to me that the City Council are entirely missing the point.  The processing of data (which includes the actual recording and not just the storing and/or watching) must be fair.  While the existence of the recordings could be useful in the investigation of a complaint or an alleged criminal offence one must consider the fairness to record even the private journeys of drivers while they are not on duty.  That at least should be considered as an unfair processing of personal data even if you accept the invasion of privacy involved in recording all journeys made while a driver is on duty.

There are some arguments in favour of requiring all journeys regardless of purpose to be recorded.  For example, it would ensure that drivers cannot “forget” to turn the equipment on when they begin driving officially and it ensures that drivers cannot switch the equipment off or delete recordings in order to evade prosecution for an offence.  However, these considerations do not appear to me to be sufficient justification for a blanket policy such as the one instigated by the Council.

The City Council is entitled to appeal the enforcement notice, but I hope that they see sense and abandon the appeal.  In the event that the City Council decide to continue with the appeal I hope that the Tribunal will reject it and uphold the Commissioner’s enforcement notice.  The City Council really has gone too far with this policy.

Enforcement Notice (pdf)
Council takes ICO to Information Rights Tribunal over cameras in taxis (Local Government Lawyer)

South Lanarkshire Council v The Scottish Information Commissioner

This decision of the Court of Session (Extra Division, Inner House) delivered on 27 March 2012 by Lord Marnoch is in relation to an appeal by South Lanarkshire Council (“the Council”) against decision 056/2011 of the Scottish Information Commissioner (“the Commissioner”).  It concerns a request for information made pursuant to the Freedom of Information (Scotland) Act 2002 (“FOISA”) by Mr Mark Irvine relating to the number of individuals employed by the Council placed at specific points in the pay structure.

The full facts of the case are set out within the Commissioner’s decision.  The Council, after initially ruling Mr Irvine’s requests as vexatious, withheld the information sought by Mr Irvine on the grounds that it was personal data and to disclose the information would be a breach of the Data Protection Principles.  This exemption is provided for within Section 38 of FOISA, specifically the Council applied Section 38(1)(b) of FOISA to the information sought by Mr Irvine.  The Commissioner found that the Council had incorrectly applied Section 38(1)(b) of FOISA and he ordered the Council to disclose the information to Mr Irvine.  The Council exercised its right under Section 56 of FOISA and appealed to the Court of Session.

One of the contentions that the Council made to the Court was that the Commissioner had erred in law by failing to identify Mr Irvine’s “legitimate interest” in obtaining the information sought.  There is not normally a requirement under FOISA to consider the interests or reasons behind a request for Information under FOISA.  However, Schedule 1 to the Data Protection Act 1998 (“DPA”) places an obligation upon the “data controller” (in this case the Council) to ensure that the processing of information is fair and lawful.  It goes on to provide that the data should not be processed unless certain conditions are met.  It should be noted that in this case processing the data would be its disclosure under FOISA.  Relevant in this case is paragraph 6(1) of Schedule 2 to the DPA.  It provides that the data can be processed if it is necessary for the purposes of a legitimate interest of the data controller, or any third party to whom the information would be disclosed (in this case Mr Irvine and the world at large).   There is an exception to this and that is where the processing would be “unwarranted…by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.”  The data subjects in this case would be the employees who fall within the information sought by Mr Irvine.

In essence the Council had to, on this occasion (and unusually in FOISA requests), consider what legitimate interest Mr Irvine had to the information sought.  Furthermore the disclosure of the information had to be “necessary” for the pursuance of that legitimate interest.  The Council also contended that the Commissioner had failed to separately consider the necessity of the disclosure to Mr Irvine’s pursuance of any legitimate interest identified.

The Court of Session rejected both of these arguments.  It found that when viewing the Commissioner’s decision as a whole the Commissioner had identified a legitimate interest and the Court agreed with that legitimate interest.  Furthermore the Court also held that “the Commissioner could only have concluded that necessity was made out.”  Disappointingly, the Court of Session did not say one way or the other whether the Commissioner’s approach in deciding this was correct.  They were satisfied that even had the approach, applying a stricter test, advocated by the Council been followed, necessity would have been made out.

The Court of Session refused the appeal by the Council and upheld the decision of the Information Commissioner.  It remains to be seen whether the Council will further appeal to the United Kingdom Supreme Court.  Such an appeal would need to be filled within 42 days of the Court of Session’s decision and with the leave of the Court of Session.

POSTSCRIPT: 15/04/2013 – South Lanarkshire Council has appealed to the United Kingdom Supreme Court.  The case is due to be heard by that court on 8 July 2013.