Procedures, Training and Data Protection

On Thursday last week the Information Commissioner’s Office published a Monetary Penalty Notice that it had served upon a GP Surgery in England for breaches of the Data Protection Act 1998.  The Notice cited the all too familiar seventh data protection principle.  This data protection principle broadly requires a data controller to have in place adequate technical and organisational measures to protect personal data.  It is the data protection principle which features in almost all of the Information Commissioner’s enforcement in relation to the Data Protection Act.

The Monetary Penalty Notice served on the GP Practice arose out of the practice’s handling of a Subject Access Request which it had received.  The request was received in respect of a child patient from one of the patient’s parents (the child’s father).  The child’s parents had separated sometime before and that separation had not been amicable.  The child’s mother had moved and did not want the father knowing where she was currently living.  The mother’s new address was contained within the child’s medical records.

The practice handled the Subject Access request and sent the father everything that was contained within the child’s medical records.  These records were subsequently lodged in court as part of ongoing court proceedings between the parents.  The records were then forwarded onto the mother who discovered that her personal data had been disclosed to the father in response to the subject access request concerning the child as well as personal data relating to another child not related to the father and other personal information that should not have been disclosed to the child’s father.

The Monetary Penalty Notice records that there had been no training given in respect of the handling of Subject Access Requests and that there were no procedures within the practice for the handling of these requests.  In this case the disclosure was not checked before it was sent out to ensure that there was nothing within the records that ought to be excluded.

The handling of Subject Access Requests are not straight forward.  It is not simply a matter of printing out all of the records held and posting them or downloading them and E-mailing them to the data subject.  The information has to be carefully gone through to identify any third party personal data so that decisions can be taken about whether or not that third party personal data can or should be disclosed.  Furthermore, there are a range of exemptions that can be applied to information that is held – some of which may well apply to medical records – which enable the data controller to refuse to provide that information in response to a Subject Access Request.  That is in addition to the other (often forgotten) rights contained in Section 7 of the Data Protection Act 1998.

Given the complexity of handling such requests it is important that there are proper procedures in place as to how such requests should be handled.  This should cover everything from the recording of the request having come in through to identifying the data subject’s personal data, considering it for disclosure, compiling the disclosure, checking and recording that the response has been sent (and everything else not mentioned in that list).

It’s not just a case of having in place a procedure; everyone who is involved in the process needs to have training appropriate to the functions that they are performing.  Those who are responsible for identifying what should be disclosed should have proper training to enable them to identify third party information as well as the information which could potentially be withheld.  That training must also be regular to ensure that persons involved in the process are kept up-to-date with the procedures and any changes in the relevant law – regular training is especially important for people who rarely handle Subject Access Requests.

Having in place good quality, detailed procedures together with a comprehensive training programme can substantially reduce the risk of experiencing a data breach.  If things do go wrong, having in place good quality, detailed procedures (compliance with which is being regularly monitored) and a comprehensive training programme can substantially mitigate any regulatory action taken by the Information Commissioner.

Can the Scottish Parliament block ‘Brexit’?

There has been some suggestion in the days since the EU Referendum, in which a sizable majority of Scottish voters voted to stay while a smaller majority of voters across the UK as a whole voted to leave, that the Scottish Parliament can in some way block the UK’s exit from the European Union.  That suggestion is, in my view, wrong; the Scottish Parliament cannot block the UK’s exit from the European Union.

Since Devolution there has been a convention operating whereby it has been understood that Westminster would not exercise its power as the sovereign and supreme legislative body for the United Kingdom to legislate in an area for which competence over has been devolved to the Scottish Parliament, without first obtaining the consent of the Scottish Parliament.  This convention is known as the Sewel convention.

Following the 2014 referendum on whether Scotland should become an independent country, a Commission was established by the UK Government to look at the Scottish devolution settlement.  That Commission, the Smith Commission, recommended that the Sewel convention was given legislative force.  Section 2 of the Scotland Act 2016 amends Section 28 of the Scotland Act 1998, which confirms in subsection (7) that Westminster can still legislate on areas of devolved competence, to add a subsection (8) which gives effect to that recommendation.  Section 28(8) provides that “it is recognised that the Parliament of the United Kingdom will not normally legislate with regard to devolved matters without the consent of the Scottish Parliament.”

What this means is that Westminster will not normally legislate on a devolved area without first obtaining the consent of the Scottish Parliament.  However, it can still legislate on an area of devolved competence without the consent of the Scottish Parliament (for example, in a time of emergency and where it wouldn’t be practical to obtain the Scottish Parliament’s consent).

What relevance does this have to blocking the UK’s exit from the European Union?  It would appear to me to be of no relevance whatsoever.  Firstly, we are not in a situation where the UK Parliament is going to be legislating.  The UK’s withdrawal from the EU is an exercise by the Executive of the prerogative power to conduct foreign affairs.  The Executive might well seek a vote in the UK Parliament on exercising the prerogative power (in the same way that appears to be becoming convention with the prerogative power to declare war), but that is not a legislative act by the UK Parliament.  Secondly, the United Kingdom’s relationship with the European Union is a specifically reserved matter in Schedule 5 to the Scotland Act 1998.  We are not, therefore, dealing with a devolved matter; we are dealing with a reserved matter.  Section 28(8) of the Scotland Act 1998 only relates to devolved matters.

It might be the case that, when the UK Parliament comes to give legislative effect to whatever relationship the UK is to have with the EU in the future, the Scottish Parliament may be able to invoke Section 28(8) of the Scotland Act 1998.  If that legislation were to affect a devolved area the Scottish Parliament could very well refuse to consent to the legislation; however, that would not necessarily equate to it being blocked.  The UK Parliament might have to rely on the word “normally in section 28(8) to legislate anyway so as to give effect to, what will be by then, the UK’s international law obligations.

The Scottish Parliament is still free to debate and vote on any issues that it chooses to do so.  We could therefore see in the coming days or weeks a debate and vote in the Scottish Parliament on whether the Parliament agrees with the UK’s withdrawal from the European Union.  However, it cannot invoke what is now Section 28(8) of the Scotland Act 1998 in relation to this issue.  Moreover, even it if it could invoke Section 28(8) of the Scotland Act 1998, that would not necessarily have the effect of blocking the action it refused to give consent to.

Gas Distribution Companies and the EIRs

The Environmental Information Regulations 2004 provide for important rights of access to environmental information that is held by or on behalf of public authorities in the United Kingdom (except Scottish public authorities, to which the Environmental Information (Scotland) Regulations 2004) apply.  The Regulations were introduced to give effect to a European Directive on access to environmental information, the Directive and Regulations are ultimately based upon the Aarhus Convention on access to environmental information.

The Environmental Information Regulations 2004 have a much wider application than the Freedom of Information Act 2000 does by virtue of the much wider definition of public authority in the Convention (and as a consequence the Directive and Regulations).  The leading case on the question as to exactly who is a public authority is Fish Legal & Emily Shirley v the Information Commissioner and Others which is a decision of the Grand Chamber of the Court of Justice of the European Union.  This decision has been given domestic application by the Upper Tribunal in a number of appeals, including the Fish Legal case (the Upper Tribunal having been the source of the reference to the court of Justice of the European Union).

In light of this decision I considered that the utilities companies were likely to be caught by the definition of a public authority. I therefore wrote to Northern Gas Networks Limited in December 2015 requesting information from them in respect of gas escapes.  Northern Gas Networks Limited is one of a number of gas distribution companies in the United Kingdom responsible for the gas distribution network in a given geographical area; in the case of Northern Gas Networks, they have responsible for the gas distribution network in the North of England.  The gas distribution companies are responsible for the distribution (but not the supply of) gas to domestic and commercial premises.  They are responsible for the physical network (i.e. the pipes, gas meters etc).

The Gas Act 1986 gives the gas distribution companies a range of powers that are not ordinarily available to private individuals or businesses.  For example, the gas distribution companies have the power (subject to authority from the Secretary of State) to compulsorily purchase land that is required by them to maintain the gas distribution network.  The Gas Act also gives the gas distribution companies the power to enter land or premises to inspect gas equipment and fittings on a safety basis and for the purposes of performing other duties.  They also have the power to lay pipes within streets, including the power to break up streets.

The “Special Powers” test derives from the Fish Legal cases; they are rights which are not normally available to private bodies or individuals – even where they are qualified (for example, by needing a warrant from the court or the authority of the Secretary of State). Clearly, the powers available to gas distribution companies under the Gas Act are just that:  they are powers not normally available to private individuals.

Northern Gas Networks did not respond to the request for information, nor to representations made pursuant to Regulation 11 of the Environmental Information Regulations 2004.  I wrote to the Information Commissioner to make an application for a decision pursuant to section 50 of the Freedom of Information Act 2000 (which applies to the Environmental Information Regulations by virtue of Regulation 18).

Northern Gas Networks maintained that it was not a public authority for the purposes of the Environmental Information Regulations 2004; however, the Commissioner considered the matter in light of Fish Legal and decided that Northern Gas Networks is a public authority for the purposes of the Environmental Information Regulations 2004. The Commissioner’s decision can be read here.

It follows from this decision that the other gas distribution companies in the United Kingdom are also public authorities for the purposes of the Environmental Information Regulations 2004. Those companies are:  SGN (Scotland & South East England); National Grid (Midlands and North West England) and Wales & West Utilities (Wales and South West England).

Electricity Distribution

The electricity distribution system is split-up in a similar fashion with electricity distribution companies responsible for the distribution (but not the supply of) electricity around the network in the United Kingdom. Those companies have similar powers to the gas distribution companies in respect of the distribution of electricity and it is therefore likely that they would also be public authorities for the purposes of the Environmental Information Regulations 2004.

The electricity distribution companies are: SSE Power Distribution (North of Scotland and Southern England); SP Energy Networks (Central Scotland, Southern Scotland, East Midlands, West Midlands, South Wales & South West England); Northern Powergrid (North East England and Yorkshire); Electricity North West (North West England); UK Power Networks (Eastern England, London, South East England) and Northern Ireland Electricity (Northern Ireland).

Scotland

Although, as set out at the beginning of this post, Scotland has separate access to environmental information regulations it is my view that the UK Regulations would apply to both the gas and electricity distribution companies in Scotland. This is because the distribution of gas and electricity is a matter reserved to Westminster and continues to be the responsibility of the Secretary of State for Energy and Climate Change and regulation is the responsibility of OFGEM.

Appeal

The Decision Notice was only issued last week and it therefore follows that Northern Gas Networks could yet appeal the Commissioner’s decision to the First-Tier Tribunal (Information Rights).

Data Protection and the #EUref

Data Protection is not an area that people generally get especially excited about, but the rights contained in the Data Protection Act 1998 (“the DPA”) are important.  They enable individuals to find out (mostly) what information companies and organisations hold about them, where they got it from, what they do with it, who they give it to and what it says.  It also enables people to take a degree of control over what companies and organisations do with that information; including the ability to prevent a company from using their information for marketing purposes, forcing them to correct inaccurate information and forcing them to stop “processing” their information where the processing causes substantial damage or distress that is unwarranted.

The DPA implements an EU Directive into domestic law.  Data Protection law in the UK has its roots in European law.  However, it’s not just the DPA that has its roots in European law; the connected Privacy and Electronic Communications Regulations 2003 (the full name of which is actually the Privacy and Electronic Communications (EC Directive) Regulations 2003) also implement European law into domestic law.  These Regulations relate to the use of personal data and are the regulatory regime that governs the use of electronic communications (such as E-mail, phone and text) to market directly to individuals.  These are the regulations which help deal with those annoying and unsolicited PPI and accident claims telephone calls.

In 2018 the Directive that underpins the DPA is being replaced with a new EU Regulation on Data Protection and the Directive underpinning the 2003 Regulations is currently being reviewed in light of the new EU Data Protection Regulation (the European Commission is consulting on this issue until 5 July 2016).

The DPA replaced the Data Protection Act 1984.  The 1984 Act was introduced to give protection to individuals in relation to the automatic processing of their personal data and was based upon the Council of Europe’s (the same Council of Europe behind the European Convention on Human Rights and Fundamental Freedoms) 1981 Convention for the protection of individuals with regard to automatic processing of personal data.

Now that there has been a brief account in respect of the history of Data Protection law in the United Kingdom, it is possible to thrust into the main purpose of this article; that is to consider Data Protection in the context of the EU Referendum.

If the UK votes to remain in the European Union then in May 2018 the United Kingdom will have to comply with the General Data Protection Regulation (which, being a Regulation, will have direct effect regardless as to whether the UK Parliament enacts a new Data Protection Act or not) together with the associated Directives; including whatever eventually replaces the 2002 e-Privacy Directive.  The associated Directives, together with some of the fudges in the new Regulation, will likely mean that there will be a new Data Protection Act to replace the current Act (probably towards the end of 2017).

If the UK votes to leave the European Union what happens is a bit more uncertain.  A vote to leave the EU will not mean that there is a complete end to the UK’s relationship with the EU, and that will have an impact on Data Protection.

The first thing to note is that a vote to leave will not mean an instantaneous split.  There currently isn’t really a process for an EU Member State to leave the Union so some time will be spent working out how that happens and there will inevitably be a time spent negotiating a new relationship with the EU; whether that is inside of or outside of the EEA.  It seems quite likely that we will still be in the EU come May 2018, which might mean that the GDPR will automatically apply – but that is entirely dependent upon what happens in terms of negotiations between the vote to leave and May 2018.

If the United Kingdom simply becomes part of the EEA then the result, insofar as Data Protection is concerned, will be identical to a vote to remain; the GDPR applies to the EEA countries (presently being Iceland, Liechtenstein and Norway) as well as to EU Member States.

If the United Kingdom leaves the EU and doesn’t join the EEA there will be bit more freedom in respect of Data Protection.  However, the requirement for Data Controllers within EU Member States not to transfer personal data to a country outside of the EU/EEA, unless there is an adequate level of protection for personal data, will mean that we will continue to have some form of Data Protection law.

It is possible that the UK could meet the adequate level of protection requirement with rights that are substantially lower than those afforded by the DGPR (when it enters into force) and so the UK’s Data Protection law will not necessarily be all that similar to the GDPR – especially if the government of the day is one that favours light-touch regulation and a lack of “red tape”.  That means that even if the UK is forced to comply with the GDPR initially, Data Protection law in the UK could change dramatically to something that affords much less protection than the GDPR.  What the law will look like though will not only depend upon the ideals of the government of the day, but what they think would be politically acceptable; over the last 30 or so years people have become much more wary about what governments, public agencies and businesses do with their personal data; so while the political will might be to substantially lower the level of protection afforded to individual’s personal data, the public will might not let them go quite as far as they wish!

In short, the future of Data Protection law in the UK will be very much influenced by the result of the Referendum and the eventual relationship with the EU in the event of a vote to leave.

Another day, another DPP7 breach and another Monetary Penalty

Section 2 of the Data Protection Act 1998 stipulates that information concerning a person’s health (mental or physical) is sensitive personal data.  This means that a person’s health information attracts a higher level of protection under the Data Protection Act 1998; the damage and distress that can result from the inappropriate disclosure or processing of a person’s health information can be significant.  People can experience bullying, harassment and/or discrimination as a consequence of mental or physical health conditions.  Some health conditions, mental or physical, can attract far more discrimination than others do.  HIV is, sadly, a health condition that still attracts a certain amount of discrimination and prejudice in the UK today.  With that in mind, an NHS Trust sending out its E-mail newsletter to users of its HIV sexual health services, with all of the recipients E-mail addresses visible to every other recipient, is likely to result in the said NHS Trust being in more than a bit of bother with the Information Commissioner’s Office.  That’s exactly what happened to one NHS Trust in London.

The Information Commissioner has served  a Monetary Penalty Notice in the amount of £180,000 on Chelsea and Westminster Hospital NHS Foundation Trust after a member of staff E-mailed out a Newsletter to users of 56 Dean Street with all 781 recipient’s E-mail addresses being visible to all of the recipients.

56 Dean Street is a Soho based sexual health clinic which provides sexual health services to patients, including patients who are HIV positive.  The clinic had developed a service whereby patients with HIV were able to receive results and to make appointments and enquiries online.  They, together with a small number of patients who were not HIV positive, received newsletters from the clinic.  Some of the E-mail addresses included the full name of the patient whose E-mail address it was.  In September 2015, a member of staff sending out one of the clinic’s newsletters sent the E-mail with all of the recipient’s E-mail addresses in the “to” field, rather than the “bcc” field.  This meant that each recipient was able to see the E-mail addresses of all other recipients.

This was not the first time that a member of the Trust’s staff had done this in respect of E-mail addresses of HIV Patients.  The Monetary Penalty Notice served on the Trust records a similar incident that occurred in March 2010.  In that incident, a Pharmacist sent out a questionnaire to 17 patients receiving treatment for HIV about their treatment.  The E-mail addresses of all recipients were included in the “to” field, rather than the ‘bcc’ field; meaning that they were visible to all recipients.  The Monetary Penalty Notice records that remedial steps were put into place by the Trust following that breach, it doesn’t state what they were; however, it does record that there was no training given to staff to remind them to check the group E-mail addresses were being placed in the correct field, nor had they replaced the E-mail account being used with one that would enable separate E-mails to be sent to each address on the mailing list.

The Monetary Penalty Notice records that subscribers were not told that their E-mail addresses would be used to send Newsletters to other patients by way of a bulk E-mail and also notes that one of the subscribers should have been removed from the list following their relocation to Essex.

The Commissioner found that the Trust had breached the seventh Data Protection Principle, which relates to having appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing of personal data as well as against the accidental loss or destruction of, or damage to, personal data.  The Commissioner considered that the Trust had failed to comply with the seventh data protection principle by not using an E-mail account that enabled separate E-mails to be sent to each recipient, and also by failing to provide adequate training to staff to ensure that E-mail addresses were being placed in the correct field.

The Commissioner was satisfied that the Trust was responsible for the breach.  The Commissioner was also satisfied that the Trust had not intended to breach the seventh data protection principle.  However, the Commissioner was satisfied that the breach that had occurred was reasonably foreseeable and that the Trust should have therefore taken steps to prevent the breach from occurring.

Once again a breach of the seventh Data Protection Principle has resulted in enforcement action being taken by the Information Commissioner.  The Information Commissioner’s enforcement action in respect of Data Protection breaches has almost exclusively centred on breaches of the seventh Data Protection Principle.  Each time enforcement action is taken it carries with it national publicity.  Therefore, Data Controllers ought to be well aware that failures to have in place adequate internal processes and security measures to protect personal data, especially where that Data Controller is also a public authority, are extremely likely to result in enforcement action being taken by the Information Commissioner – and that is aside from the reputational damage that inevitably comes with security breaches around personal data.

It is important that Data Controllers ensure that they have in place adequate policies and procedures as well as software and other technical measures (such as password protection and encryption) to protect against all reasonably foreseeable data breaches.  That requires organisations to review the personal data that they hold, together with the ways in which they process that personal data, to identify vulnerabilities in respect of the security of personal data that they hold.  The results of getting it wrong can be substantial, both financially and reputational.

The current maximum financial penalty available to the Information Commissioner is capped at £500,000; however, when the new Data Protection regulation enters into force in May 2018 (subject to the results of the EU referendum next month) the maximum financial penalty for such breaches will increase to 4% of net global turnover of €20 million and so the financial consequences of getting it wrong could be even greater in two years time than what they currently are.

When a Data Controller processes personal data they are being trusted with that data by the Data Subject.  Some Data Controllers are entrusted with some of the most sensitive personal data about an individual, perhaps things that only a few other trusted people know; that level of trust can be huge.  It’s not the sort of information that should just be left lying around; it needs to be kept safely and securely and be processed in a way that is appropriate for its nature; especially when the information in question is (rightly) defined as sensitive personal data.

Gilroy -v- Scottish Information Commissioner

The Court of Session has issued a rare judgment in respect of an appeal under the Freedom of Information (Scotland) Act 2002 (FOISA).  Yesterday the First Division published its judgment in the case of David Gilroy –v– The Scottish Information Commissioner and the Chief Constable of Police Scotland.

The Appellant, David Gilroy, had been convicted of the Murder of Suzanne Pilley at the High Court of Justiciary.  Mr Gilroy sought information from the Police Service of Scotland, as the statutory successor to Lothian and Borders Police (who had conducted the investigation to the murder of which Mr Gilroy has been convicted).  The information he sought related to CCTV that had been seized by the Police as part of the murder investigation.  The Police initially responded by saying that the information sought had been released to Mr Gilroy’s defence team and so he could obtain it that way, but had not complied with the technical requirements imposed in FOISA for a refusal notice.  Mr Gilroy required that the Police conducted a review into their handling of the request.  In response to the requirement for review, the Police refused the request on the grounds that it was exempt under section 38(1)(a) of FOISA – which provides that information to which the applicant is the data subject of is exempt.  This is an absolute exemption and therefore it is not subject to the public interest contained in section 2 of the FOISA.  Such information can be sought by way of a ‘subject access request’ pursuant to section 7 of the Data Protection Act 1998.  The Police also cited the exemption at section 34(1)(c) of FOISA.

Mr Gilroy made an application to the Scottish Information Commissioner pursuant to section 47(1) of FOISA.  The Commissioner issued a Decision in respect of that application (Decision 005/2015) finding that the Police were correct to withhold the information under section 38(1)(a).  Section 56 of the FOISA provides a right of appeal to the Court of Session against a decision of the Scottish Information Commissioner on a point of law.  Mr Gilroy appealed the decision of the Scottish Information Commissioner to the Court of Session.

The Court of Session’s decision is a short one. The relationship between the Data Protection Act 1998 and FOISA has been the subject of previous litigation and nothing new was brought out in this case.  The litigation that has previously occurred in this field has confirmed that the question of whether information is personal data is a factual one.  The Lord President (Carloway), in giving the decision of the Court, considered that there was “no identifiable error of law” in the Commissioner’s decision (para [14]) and that there was no “point of law to be considered” (Para [15]). The Lord President’s judgment states that Mr Gilroy’s appeal was “essentially an application to this court to review an assessment of fact made by the first respondent”. Mr Gilroy’s appeal was therefore refused by the Court.

The judgment does highlight (once again) the wide scope of the definition of personal data in the Data Protection Act.  The Information in question was not stills or footage from the CCTV, but rather a list of images together with details such as location, dates and times.  This was considered by the Court to clearly be within the definition of personal data and that the Appellant was the data subject (para [14]).

The Commissioner did not consider in her decision the question of the application of section 34(1)(c) to the information because it was, in her view, exempt under section 38(1)(a).  The Court of Session therefore did not consider it either.

The Court’s judgment can be read on the Scottish Courts and Tribunals website here.

Statutory Judicial Directions in Sexual Offences Cases

In all democratic countries there is a very clear separation of powers between the Executive, Legislature and Judiciary.  This is important so as to ensure that there are proper checks and balances on power and is really quite fundamental so as to ensure an effective democracy.  It is so fundamental that when the Scottish Parliament embarked upon a programme of restructuring the judiciary, it set out in section 1 of the Judiciary and Courts (Scotland) Act 2008 that the judiciary are to continue to be independent of the First Minister, the Lord Advocate, the Scottish Ministers, Members of the Scottish Parliament and others.

Judicial independence and impartiality flows from the doctrine of the separation of powers which is so fundamental to democracy.  It is important that the judiciary is totally independent from the Executive and the legislature.  Although judges in Scotland are appointed by Her Majesty the Queen, they are done so after having been selected by a body independent of the State, the Judicial Appointments Board for Scotland.  Neither the legislature nor the Executive play any role in the appointment process, other than by setting out the qualifications required to be a judge (see Chapter 3 of the Judiciary and Courts (Scotland) Act 2008).

This independence means that neither the Scottish Ministers nor the Scottish Parliament should seek to interfere with the independence of the Judiciary.  Parliament serves two primary functions: to make laws and to hold the Executive to account.  The Judiciary interprets and applies the laws made by Parliament and also holds Ministers to account.  Finally, Parliament holds the judiciary to account by having the power to change laws when the Judiciary interpret either the common law or statutory provisions in a way that Parliament considers is wrong.  It is rightly difficult to remove judges from post, their independence would be threatened if it was far too easy to remove them; it might make judges less able to perform their important function of holding the Executive to account, for example.  These three parts of the State work together (not always harmoniously, but that is to be expected) to ensure that the State does not over exert its powers and that no part of the State becomes too powerful.

The impartiality is also of huge importance and two-fold.  Firstly, the judiciary must be politically impartial.  It is for this reason that when lawyers become judges they must sever ties with any political parties that they may well have had connections to.  They should not be seen to make political comments, whether in the press, in speeches or in their judgments; especially if such comments align themselves with a particular political position or party.  Their impartiality also extends to the parties before them.  They must be careful not to be seen to be supporting one side or the other in any way.  That is not an easy task.

There is currently a proposal before the Scottish Parliament that may impact, in a negative way, both the impartiality and independence of the judiciary.  Section 6 of the Abusive Behaviour and Sexual Harm (Scotland) Bill seeks to insert a section into the Criminal Procedure (Scotland) Act 1995 that would require judges to give specific directions in certain sexual offences cases.  Those directions are undoubtedly well-meaning and seek to address common misconceptions about complainers in sexual offences cases, especially around any perceived delay in making the allegation to the police and how they react during the alleged offence.  However, simply because they are well-meaning and seek to serve a wholly commendable purpose does not mean that they should not be enacted or questioned.  In my view the potential constitutional difficulties that they present far outweigh the benefits, especially when there are other ways to achieve the same aim that do not impugn upon fundamental constitutional principles.

Independence

These statutory provisions would require Judges to include specific information in their charges to juries in sexual offences cases.  This is something that clearly crosses the line in the separation between Parliament and the Judiciary.  This is wholly different to Parliament telling judges that they have come to the wrong conclusion as to what the law is by passing substantive statutory provisions.  It is Parliament expressly dictating to judges how they should do their job.  We should always prevent Parliament from taking such steps.

Impartiality

The Directions which Parliament proposes judges should make in their charges are well founded in evidence.  However, what they seek to do is bolster the credibility of the principal crown witness in a sexual offences claim (i.e. the complainer).  It is entirely appropriate that we seek to remove any myths about complainers in sexual offences cases; only when we do so can we move towards a position where those who have suffered at the hands of a sex offender can get a proper shot at receiving justice.  When a judge is giving their charge to the jury they set out plainly what the law is in respect of the offence(s) contained in the Complaint/Indictment, explain to the jury the three possible verdicts open to them, the concept of reasonable doubt and finally that a majority of the jurors must be satisfied beyond reasonable doubt of the accused’s guilt before they can convict the accused.  In a jury trial the judge is there to deal only with matters of law and procedure; they are there to ensure that both the prosecution and the defence act and are treated in a fair manner, as well as making rulings on issues of law and procedure and setting out the law to the jury that they need to apply to the evidence they have heard in court.

One of the factors that jurors need to weigh up in reaching their verdict is the credibility of not just the complainer, but every other person who has given evidence before them.  Only once they have assessed the credibility of a witness can they decide whether to believe them and how much weight to accord their evidence.  It is clear therefore that the credibility of the complainer in any case, including a sexual offences case, is of central importance to the jury.  In my view it therefore follows that any comment by a judge that seeks to bolster the credibility of a witness (regardless as to whether they are the complainer or the accused) impugns upon their impartiality from the parties to the case (in this situation, from the Crown).

How else can this issue be addressed?

As I have already stated, there are many myths around the conduct of sexual offences complainers – including around how quickly they make the allegation official and issues about their actions and reactions while the alleged offender is committing the alleged offence.  A complainer who makes their allegation quickly should not automatically be presumed to be more honest that one who waits weeks, months or even years to make their allegation.  It should not be relevant whether or not a complainer made attempts to fight the alleged offender off.  These are the issues that these proposed jury directions seek to address.

In my view, these can be addressed in ways other than by requiring judges to set out a case bolstering the credibility of the complainer in their charge to the jury.  The issue of the credibility of the complainer, or rather the task of presenting the complainer as a credible witness, lies with the Procurator Fiscal Depute or Advocate Depute who is prosecuting the case.  Therefore, we ought to be looking at ways to put this evidence before a jury; whether that is by obtaining it through a witness such as a specially trained police officer or an expert such as a psychologist.   It wouldn’t necessarily be essential to require a complainer to explain why they didn’t make an attempt to fight of the alleged offender or why they delayed in making the report; although, these matters may well be explored during the complainer’s evidence in either examination-in-chief or cross-examination.

Addressing this issue in the way I have described would ensure that what is essentially a question of fact for the jury (that being, the assessment of the credibility of the witness) is treated as such and is not dressed up as being a matter of law being dealt with by the presiding judge.  It would also ensure that points of view that might well be held by the jury, which are not supported by evidence are properly addressed.  Finally, it would ensure that the independence and impartiality of the judiciary is properly and rightly preserved.

It is therefore my view that the Scottish Parliament should remove section 6 from the Abusive Behaviour and Sexual Harm (Scotland) Bill.