Category: Freedom of Information

A New Commissioner, a New Approach?

Earlier this month John Edwards, former Privacy Commissioner and Barrister in New Zealand, replaced Elizabeth Denham as Information Commissioner.  The job of Information Commissioner is a significant one with many challenges. He has began what he calls a “listening exercise”. I have completed the survey, which didn’t give much room for comment. I thought I would place a more detailed outline of my thoughts here; more as an exercise for expressing my own frustrations with the ICO and to perhaps give others some ideas about what they can include in their own response to the Commissioner’s survey.

Freedom of Information

Under this heading, for the sake of clarity, I’m not simply referring to the Freedom of Information Act 2000, but also to both the Environmental Information Regulations 2004 and the more obscure INSPIRE Regulations 2009 (which are concerned with spatial data).

FOI, especially the Freedom of Information Act 2000 and the Environmental Information Regulations 2004, is, as the Commissioner has himself acknowledged, critical to our democracy. They are a means for individuals to find out what is going on in areas that interest or directly affect them and to obtain information which they can use to help keep public bodies and officials accountable.

There are two main areas of concern, from my perspective, with the ICO in respect of FOI: (1) length of time taken to deal with regulatory complaints; (2) the apparent reluctance of previous commissioners to make full use of their enforcement powers in this area.

Turning first to the issue of delay; currently it is taking around 6 months for complaints, once received, to be allocated for investigation. That means that for up to six months the complaint is just sitting there, with absolutely nothing happening. The last decision notice I received from the Commissioner, was issued 11 months and 18 days after the complaint had been made to the ICO. This is unhelpful, and quite frankly, unacceptable. In many cases, these delays at the ICO are compounding already significant delays by some public bodies. There are some public authorities with well-known compliance issues in this area, where requests can take upwards of 6 months to be dealt with by the authority; meaning from request to ICO decision it can be upwards of 18 months.

FOI is a critical tool in helping individuals, community groups, journalists and others hold public bodies and officials to account. In a great many cases the value of the information sought diminishes over time; if information is being sought to help oppose, for example, changes to the provision of services in local communities, the delays at the ICO significantly hamper (and indeed damage) the usefulness of FOI in this area. If information is only, finally, being released several years after it was first requested it has almost certainly come far too late to be of any use to those requesting it.

The length of time that it takes for a FOI request to be dealt with is, in some respects, hampered by the legislation itself, with provisions for open-ended extensions for consideration of the public interest test and no statutory timescales (beyond the statutory Code of Practice) in relation to internal reviews. These have both been highlighted to Parliament on several occasions, but no legislative action has been forthcoming to deal with these issues. However, I will return to this in a moment.

What is completely within the control of the Commissioner is how long it takes his office to deal with matters once complaints have been made. A priority for the Commissioner should be looking to significantly reduce the backlog; and put in place systems that ensure complaints are being dealt with promptly once they end up with his office. The Scottish Commissioner (who, granted, has a much smaller office and a much smaller scope of responsibility in that he only deals with FOI complaints concerning Scottish public authorities) has an average closure time of just 4.37 months (2020-21), with 60% of all complaints to his office being dealt with within 4 months (the Freedom of Information (Scotland) Act 2002 makes provision for the Scottish Commissioner to deal with all such complaints within 4 months, but there is flexibility). It is not a like-for-like comparison due to the significant differences in volumes of work; however, the ICO needs to put more effort and resources into trying to resolve complaints much more quickly.

Turning to the issue of enforcement; some public authorities have a horrendous reputation for compliance with FOI, especially around the timeliness of responses. For some authorities these issues have existed for a decade or more. Previous Commissioners have seemed not just reluctant but almost wholly disinterested in exercising the significant enforcement powers that they possess to tackle problems here. Some public authorities have been having their compliance closely monitored by the ICO for years with no discernible improvement. Yet, no formal enforcement action has been taken to force these public authorities to make significant improvements.

Enforcement must be proportionate; formal enforcement powers should not, in most cases, be a first resort. However, they must be utilised if the ICO is going to be taken seriously as a regulator. Other authorities watch what the ICO is doing; there is currently no real incentive to engage with the ICO over poor FOI performance. The threat of formal enforcement action effectively doesn’t exist because of the apparent reluctance of the ICO to use its enforcement powers. The ICO needs to adopt a much more robust approach to regulation, which can be achieved in a way that is consistent with the relevant provisions of the Legislative and Regulatory Reform Act 2006.

Data Protection

Some of the problems that exist with the ICO’s FOI function also exist in relation to its Data Protection function. When it comes to Data Protection, the ICO is too business friendly and has often acted more like a think-tank than a regulator in this field.

As I have already said, enforcement must be proportionate. However, the ICO needs to remember that it is a regulator first and foremost. It is not a professional adviser for data controllers; there are lawyers and data protection consultants out there who can (and should) be fulfilling the professional advisor role. The balance between the informal methods of encouraging compliance and the formal methods of enforcing compliance have been all wrong. The ICO is obliged to have guidance in place, but it is not its sole purpose to produce and promulgate guidance.

The Regulators’ Code [pdf] (which applies to the ICO) does require regulators to carry out their activities in a way that supports those they regulate to comply and grow. It provides that “[r]egulators should avoid imposing unnecessary regulatory burdens through their regulatory activities and should assess whether similar social, environmental and economic outcomes could be achieved by less burdensome means.” However, it appears that the ICO has historically taken this to a degree that is inappropriate.

The Regulators’ code also provides that “[i]f a regulator concludes, on the basis of material evidence, that a specific provision of the Code is either not applicable or is outweighed by another relevant consideration, the regulator is not bound to follow that provision, but should record that decision and the reasons for it.” The balance is all wrong with the ICO; it appears to focus too much on the provisions of section 1 of the Regulators’ Code and not enough on forcing compliance where other, less burdensome, means have obviously failed.

In short, the ICO needs to re-orientate its relationship with those it regulates so that it is in a much stronger position to deploy its considerable enforcement powers when needed. When it comes to data protection, the most powerful tool at the ICO’s disposal is not the fines that it can levy but rather the power to issue Enforcement Notices; these can be used to force controllers to stop processing personal data altogether, or in certain ways, and they can be used to require data controllers to take certain specified steps to bring them into compliance.

The recent Enforcement Notice [pdf] issued to the Ministry of Justice is an example of formal enforcement action coming far too late; the MoJ has a backlog of many thousands of Subject Access Requests. The ICO records in its Enforcement Notice that it first became aware that the MoJ’s backlog had grown again (following an Enforcement Notice in 2017) in January 2019. It then records a shift in the ICO’s enforcement activities as a result of the COVID-19 pandemic, but that was more than a year after the ICO first became involved with the MoJ, for a second time, over its compliance with the right of subject access. An Enforcement Notice was then issued in January 2022, almost 2 years to the day after it started to get involved with the MoJ for a second time. This is, in my opinion, an example of a failure in regulation. The ICO watched as the MoJ continued to fail in a basic and important aspect of data protection law; much earlier formal intervention ought to have been taken (especially given that this was the second time the ICO had to get involved with the controller over the same issue).

Conclusion

The overriding issue with the ICO, in my opinion, is that it has got the balance wrong between soft and hard regulation. The ICO needs to adopt a much more robust approach to regulation; neither the 2006 Act nor the Regulators’ Code prohibits this. However, the ICO seems to have become paralysed in its regulatory activity in a way that the neither the 2006 Act, nor the Code which flows from it, intended.

Court Fees, Access to Justice and Freedom of Information

On Monday new tables of fees enter into force for the Sheriff Courts and Court of Session in Scotland.  The new table of fees is necessary because of the new Simple Procedure that is coming into force next week to replace the Small Claim procedure and to partially replace the Summary Cause procedure in the Sheriff Court.  It would appear that the Scottish Government has used this opportunity to increase some other fees as well.

The other increases are part of the Scottish Government’s aim to get “full cost recovery” in the civil courts; that is, that so far as is possible those who litigate in Scotland’s civil courts fully fund the cost of running those civil courts.  I have grave misgivings about such a policy for access to justice (and I am not alone in that view).  This blog has, in recent times, moved more towards the field of Information Law and to that extent, I am going to look at these latest court fee rises in the context of Freedom of Information appeals.

In Scotland, under the Freedom of Information (Scotland) Act 2002, if a person is dissatisfied with how a public authority has handled a FOI request they can make an application to the Scottish Information Commissioner (SIC).  The SIC has the power under the 2002 Act to make a decision as to whether the public authority has complied with the Act, and if not, she has the power to state what steps the public authority must take in order to comply with the act (including to order that the public authority release information to the requester).  If a requester or public authority is unhappy with the Commissioner’s decision there lies a right of appeal (on a point of law) to the Court of Session.

The Scottish appeals procedure differs vastly from the appeals procedure under the UK Freedom of Information Act, where a right of appeal (on both fact and law) exists to a specialist First-Tier Tribunal and then on to the Upper Tribunal and the Courts (on a point of law only).  There is currently no charge for lodging an appeal with the First-Tier Tribunal, nor for any step of process or a hearing.  That is not the case in Scotland.

Unless the party bringing the appeal is in receipt of Civil Legal Aid, there are court fees to be paid.  The appeals are also dealt with under Chapter 41 of the Rules of the Court of Session and go straight to the Inner House.  For those who are unfamiliar with the Scottish court structure, the Court of Session is split into two “houses”.  The Outer House hears cases at first instance and is usually presided over by a single Senator of the College of Justice; while the Inner House is the appellate court and hears appeals from the Outer House as well as other courts, tribunals and regulators (such as the Sheriff Appeal Court and the Scottish Information Commissioner).  Appeals from the Inner House are (with permission) to the UK Supreme Court; the Inner House is therefore Scotland’s supreme Civil Appellate court.  In the Inner House, at least three of Scotland’s most senior judges will sit to hear the appeal.

On 28 November, the Court Fees (Miscellaneous Amendment) (Scotland) Order 2016 shall enter into force.  Schedule 1 to that Order sets out a new table of fees in the Court of Session.  Paragraph 1 in Section B of the Table sets a new fee for lodging an “Appeal, application for leave or permission to appeal, summons, or other writ or step by which any cause or proceeding, other than a family action, is originated in either the Inner or Outer House (to include signeting in normal office hours)”.  The new fee is set at £300, up from £214.  So, in order to lodge your appeal against a decision of the SIC the Appellant (whether an individual or public authority) needs to stump up £300.  The Respondent (who is the SIC) will also have to pay £300 (again, up from £214) to lodge their Answers to the Appeal.

There may be other fees to pay along the way, depending on the procedure that ends up taking place; however, when it gets to the hearing of the appeal, the costs start to mount up significantly.  Each party (appellant and respondent) will be required to pay £500 (up from £239) per 30 minutes (or part thereof).  Therefore, a hearing that lasts a full court day (roughly 5-6 hours) will result in a court fee of between £5,000 and £6,000; and that is before solicitors’ fees and the fees of Counsel are added.  This is an astronomical figure.  It is not paid by anyone in receipt of legal aid (and legal aid is available for FOI matters in Scotland), but you do not have to be very well off not to qualify for legal aid.

This represents a significant barrier to accessing justice.  These are sums of money that most middle earners will struggle to get their hands on, even if they attempt the appeal as a party litigant (which given the complexity and sometimes archaic nature of the Court of Session Rules is no easy task).  When it comes to the question of FOI, it only strengthens my belief that appeals against decisions of the SIC should be to a lower court or tribunal in the first instance.

There is a much more fundamental point however; the civil courts should be accessible to everyone.  The level that court fees are rising to (and they are going to continue to rise over the next few years as the Government moves towards “full cost recovery”) presents a very real barrier to justice.  The Scottish Government accepted that fees represent a barrier to justice in respect of the Employment Tribunal fees set by the UK Government (and has pledged to abolish them when the power to do so comes to the Scottish Parliament in the near future).  However, the Government seems happy to continue with a policy of full cost recovery (that was, admittedly, started under the Labour/Liberal Democrat Administration that left office in May 2007).  It is a flawed policy that will place a very real barrier to the courts for very many people.  That, is a tragedy for justice and for democracy.

Gilroy -v- Scottish Information Commissioner

The Court of Session has issued a rare judgment in respect of an appeal under the Freedom of Information (Scotland) Act 2002 (FOISA).  Yesterday the First Division published its judgment in the case of David Gilroy –v– The Scottish Information Commissioner and the Chief Constable of Police Scotland.

The Appellant, David Gilroy, had been convicted of the Murder of Suzanne Pilley at the High Court of Justiciary.  Mr Gilroy sought information from the Police Service of Scotland, as the statutory successor to Lothian and Borders Police (who had conducted the investigation to the murder of which Mr Gilroy has been convicted).  The information he sought related to CCTV that had been seized by the Police as part of the murder investigation.  The Police initially responded by saying that the information sought had been released to Mr Gilroy’s defence team and so he could obtain it that way, but had not complied with the technical requirements imposed in FOISA for a refusal notice.  Mr Gilroy required that the Police conducted a review into their handling of the request.  In response to the requirement for review, the Police refused the request on the grounds that it was exempt under section 38(1)(a) of FOISA – which provides that information to which the applicant is the data subject of is exempt.  This is an absolute exemption and therefore it is not subject to the public interest contained in section 2 of the FOISA.  Such information can be sought by way of a ‘subject access request’ pursuant to section 7 of the Data Protection Act 1998.  The Police also cited the exemption at section 34(1)(c) of FOISA.

Mr Gilroy made an application to the Scottish Information Commissioner pursuant to section 47(1) of FOISA.  The Commissioner issued a Decision in respect of that application (Decision 005/2015) finding that the Police were correct to withhold the information under section 38(1)(a).  Section 56 of the FOISA provides a right of appeal to the Court of Session against a decision of the Scottish Information Commissioner on a point of law.  Mr Gilroy appealed the decision of the Scottish Information Commissioner to the Court of Session.

The Court of Session’s decision is a short one. The relationship between the Data Protection Act 1998 and FOISA has been the subject of previous litigation and nothing new was brought out in this case.  The litigation that has previously occurred in this field has confirmed that the question of whether information is personal data is a factual one.  The Lord President (Carloway), in giving the decision of the Court, considered that there was “no identifiable error of law” in the Commissioner’s decision (para [14]) and that there was no “point of law to be considered” (Para [15]). The Lord President’s judgment states that Mr Gilroy’s appeal was “essentially an application to this court to review an assessment of fact made by the first respondent”. Mr Gilroy’s appeal was therefore refused by the Court.

The judgment does highlight (once again) the wide scope of the definition of personal data in the Data Protection Act.  The Information in question was not stills or footage from the CCTV, but rather a list of images together with details such as location, dates and times.  This was considered by the Court to clearly be within the definition of personal data and that the Appellant was the data subject (para [14]).

The Commissioner did not consider in her decision the question of the application of section 34(1)(c) to the information because it was, in her view, exempt under section 38(1)(a).  The Court of Session therefore did not consider it either.

The Court’s judgment can be read on the Scottish Courts and Tribunals website here.

Valid FOI Requests via Twitter: Part 2

Earlier this week the question of the validity of tweeted information requests under the Freedom of Information Act 2000 arose once again.  I have written on this subject previously and you can read that post here.  The discussion arose following the decision of the First-Tier Tribunal (Information Rights) in the case of Bilal Ghafoor v the Information Commissioner.  In that case the Tribunal determined that Mr Ghafoor had not made a valid request for information for two reasons: (1) Mr Ghafoor did not provide his real name in his request and (2) he did not provide an address for correspondence.  My view is that in respect of both of these questions the Tribunal was wrong.

You can read the full procedural history in the Tribunal’s decision (paragraphs 2 – 12).  Mr Ghafoor appealed to the Tribunal on whether the DWP had failed to comply with section 11 of the Freedom of Information Act 2000 buy not responding to his request via Twitter.  However, the Tribunal essentially performs a full reconsideration of the entire request when it hears a case.  Instead the Tribunal decided that Mr Ghafoor had not made a valid request for information by virtue of not including his real name (para 29) and also because twitter was no a valid address for correspondence (para 28).

Real Name

It has long been understood that in order for a request for information to be valid it must include a person’s real name.  This is not something that is new and it is something that I mentioned in my previous consideration on this blog of the question of tweeted FOI requests.  However, what I have not given much consideration to, until now, is the question of aliases as opposed to pseudonyms.

In my view the use of a pseudonym quite clearly fails to comply with the requirement that a requester include their real name.  The purpose of a pseudonym is to hide a person’s true identity.  This is, in my view, quite different to an alias.  An alias is a name by which a person is also known, it is not something that is used to hide their identity; rather it is more akin to a name which is part of their identity.

In the case of Mr Ghafoor, the name FOI Kid is more of an alias than a pseudonym.  It is a name by which he commonly goes, not to hide his identity (as evidence by his inclusion of his name in his twitter bio).  He may only be known by that name within certain circles, but in my view that does not detract from the fact that ‘FOI Kid’ could be considered as part of his identity.  It is a name by which he goes online and is identifiable within information rights circles.

What is someone’s real name?  Is it the name that appears on their birth certificate?  How many people do you know that do not go by the name that is on their birth certificate?  For example, I have an uncle who is more commonly known by his middle name – many people will not have a clue what is true first name is.  I know of others who also go by a name other than that on their birth certificate and again who people will not have any idea what their true name is.

Could a John Smith who trades as Smiths not be able to make a request for information in the name “Smiths”?  I would say that he can because it is a name by which he commonly goes, in a professional capacity at least.  Indeed, a public authority might want to know that it is John Smith of “Smiths” who is making the request because perhaps the tender exercise that Mr Smith is making a request for information about was one in which “Smiths” submitted a bid.  Mr Smith might therefore be entitled to additional information under section 7 on of the Data Protection Act 1998 (the right of subject access) than someone other than him making the request.

Therefore, my view is that an alias by which someone has been going for some time would comply with the requirement to provide the name of the applicant in section 8 of the Data Protection Act 1998.  In the case of Mr Ghafoor my view is that ‘FOI Kid’ is an alias so well established that it would comply with the requirements of section 8.

Address for Correspondence

The Tribunal also concluded that Mr Ghafoor did not make a valid request for information because twitter was unsuitable for responding to and made reference to the 140 character word limit.  However, I disagree with this conclusion also.

Firstly, there are free services such as ‘Twitlonger’ which enable people (including public authorities) to send tweets longer than 140 characters.  Furthermore, it is possible to attach media to tweets through the Twitter site and also a range of social media management services used by businesses and other organisations.  While it might not be possible to send a full refusal notice or to disclose information through the 140 characters permitted by Twitter, it is however possible to attach a pdf letter and other attachments to tweets.  In my view there is no difference between this and attaching letters and documents for disclosure to an E-mail.  It might take multiple tweets to send the complete response together with all of the attachments to the requester, but the same is true for E-mail.  File size limits often mean that multiple E-mails need to be sent in order to supply all of the information being disclosed by the public authority.

For those reasons I take the view that twitter is an appropriate address for correspondence and the Tribunal fell into error by concluding that it was not.  Perhaps their error came about as a failure to full understand the exact parameters of the operation of twitter, but in my view it fell into error nonetheless.

Home Office, Twitter and Immigration

Immigration is never far from the headlines in the UK and this has been true for a number of years.  On 1 August 2013 the Home Office conducted a high profile immigration operation around the UK which caused debate and discussion in the UK.  On that day in August 2013 the Home Office published a series of tweets which provided details of the number of persons that they had arrested during the day accompanied by the hashtag #immigrationoffenders and in some cases photographs.

In the days that followed there was national press coverage online on the BBC News website, the Guardian, the New Statesman and others as well as international, for example on the website of Le Parisen, a newspaper in France.  This operation came around a month or so after the mobile billboard campaign ran by the Home Office, which popularly became known as ‘the racist van’ – a campaign that was criticised by the Advertising Standards Authority when the partially upheld a complaint against the Home Office.  Much of the criticism of the 1 August 2013 operation, known as ‘Operation Compliance’ was around the operation itself and centred on concerns about racial profiling.  However, some people considered whether the Home Office was properly complying with the Data Protection Act 1998 and there was even some consideration as to whether the activities might be considered as prejudicing future criminal proceedings (if any).

After some consideration I made a Freedom of Information request to the Home Office in August 2013 concerning the events of 1 August 2013, a request that finally came to a conclusion on 3 September 2015.  The Home Office initially refused the request and largely upheld that position on internal review (which it took over 9 months to complete).  The Information Commissioner found in his decision notice that the Home Office were entitled to withhold some of the information that they had withheld, but not the rest (see the ICO’s decision here – which also sets out my request in full).  The Home Office then appealed this to the First-Tier Tribunal (Information Rights).  The Tribunal dismissed the Home Office’s appeal (the Tribunal’s decision can be read here) after a hearing in late June 2015.  The information that was disclosed can be read here (this document does include some of the information that had been earlier disclosed, but the Home Office included it in the new disclosure for “consistency”).

What the information reveals is nothing sinister; it shows civil servants planning and executing a public relations campaign highlighting the work that the Home Office is undertaking.  My principal interest though was always around what consideration the Home Office had given to data protection implications, as well as concerns around prejudicing future criminal prosecutions and also compliance with civil service guidance (which someone else had written about following a tweet of a similar nature about a month earlier).

The information that has been disclosed reveals quite a lot by what it does not contain.  There appears to be no direct consideration of data protection or of prejudice to future criminal proceedings or civil service guidance.  Of course, these matters could have been considered and there simply exists no record of them having been considered (that, I suggest, would show a lack of proper and effective record keeping).  There is an indirect reference to the data protection and prejudice matters in the email extract dated 31/7.2013 at 16:42.

The information also shows that the Home Office changed the hashtag prior to the operation commencing.  It would appear from the information disclosed that they had initially intended to use #illegalworking.  It seems that they changed their mind because the 1 August 2013 operation was not solely targeting those working without the proper papers and permission and they feared criticism from using the #illegalworking hashtag.

Of course this information is not anywhere near as valuable as it might have been had it been released in August or September 2013, many people will have forgotten all about the 1 August 2013 operation (I suspect it will be etched in my mind for some time to come having lived it, studied it, discussed it and litigated it for over 2 years).  It has been a long road, but nonetheless the information that has been released is valuable:  it largely shows a measured discussion by civil servants who appear to be trying to demonstrate to the public in relevant and imaginative ways the work of one of the Departments of State; however, it does appear to highlight some weaknesses in the planning for such media operations and if anything, hopefully these matters will be considered in future operations.

Registered Social Landlords and the Scottish EIRs

On 2 June 2014 the Scottish Information Commissioner issued a decision notice finding that Dunbritton Housing Association Limited, a Registered Social Landlord (“RSL”), was a Scottish public authority for the purposes of the Environmental Information (Scotland) Regulations 2004 (the Scottish EIRs).  In that decision the Commissioner ordered the Housing Association to conduct an internal review and to respond to the requester accordingly.  Dunbritton Housing Association did not appeal that decision to the Court of Session, as was open to it.

It transpires that Dunbritton Housing Association complied with the Commissioner’s decision and conducted an internal review.  It released some information and withheld the remainder under Regulations 10(5)(e) and Regulation 11(2) of the Scottish EIRs.  The requester made a fresh application to the Commissioner seeking a decision on two matters: (1) whether Dunbritton had identified all of the information falling within the scope of the request; and (2) whether Dunbritton Housing Association was correct to apply the exceptions that it had.

What is interesting is that after not appealing the Commissioner’s decision to the Court of Session and after complying with the Commissioner’s decision by conducting a review and responding to the request, Dunbritton again tried to argue that it was not a Scottish public authority for the purposes of the Scottish EIRs.  The Scottish Information Commissioner, once again, decided that it was.

Dubritton referred to the UK Upper Tribunal’s decision in Fish Legal and argued that the control test within both the UK EIRs and the Scottish EIRs was a high one.  It contended that although the Scottish Housing Regulator had significant regulatory powers over RSLs like Dunbritton it only utilised those powers where a RSL was failing.  It argued that it was therefore not a Scottish public authority for the purposes of the Scottish EIRs.

The Commissioner concluded, correctly, that she is not bound by the UK Upper Tribunal decision and instead looked to the decision of the Court of Justice of the European Union in the Fish Legal case.  She determined, for the same reasons as set out in her previous decision that Dunbritton Housing Association is a Scottish public authority for the purposes of the Scottish EIRs.

There are now two decisions of the Scottish Information Commissioner determining that a RSL is a Scottish public authority for the purposes of the Scottish EIRs, albeit involving the same requester and the same RSL.  Her decision has expressly been based upon the decision of the Court of Justice of the European Union in one case and in the other was made following that Court issuing its decision.  It seems fairly certain that future RSLs that try to argue that they are not Scottish public authorities in applications to the Commissioner will not succeed; although the Commissioner’s decisions are not binding on anyone (including herself), these two decisions begin to show a clear and consistent line of thinking.  It is open to Dunbritton to appeal the decision to the Court of Session – whether or not a person is a Scottish public authority is clearly a question of law.  It remains to be seen whether Dunbritton does appeal.  While an appeal might be successful and create binding case law that RSLs are not Scottish public authorities for the purposes of the Scottish EIRs it could equally go the other way and create binding precedent that states they are.  While there is no binding case law it remains possible for Dunbritton or another RSL to convince the Commissioner that she got it wrong in the two previous decisions.  At this stage it remains a case of waiting and seeing; Dunbritton have 42 days from the date the decision was intimated to lodge any appeal.

A problem with the Scottish EIRs

The Environmental Information (Scotland) Regulations 2004 (“Scottish EIRs”) give individuals the right to request and obtain, subject to certain well defined exceptions, information in relation to the environment from Scottish public authorities.  They implement into the law of Scotland Directive 2003/4/EC of the European Parliament and of the Council on public access to environmental information (“the Directive”).  The Directive in turn implements the Convention on Access to Information, public participation in decision-making and access to justice in Environmental Matters done at Aarhus, Denmark on 25 June 1998 (“the Aarhus Convention”) into EU law.

In Scotland, like the rest of the UK, the Scottish EIRs are an adjunct to Freedom of Information.  The Scottish EIRs sit alongside the Freedom of Information (Scotland) Act 2002 (“FOISA”) and the Scottish Information Commissioner has the same powers of enforcement in respect of the Scottish EIRs as she does in respect of FOISA.  By virtue of Regulation 17 of the Scottish EIRs, Part 4 of FOISA applies to the Scottish EIRs.  The Regulations make certain amendments to Part 4 of FOISA for when it is being read in respect of the Scottish EIRs.

Section 48 of FOISA provides that no application can be made to the Scottish Information Commissioner in respect of three scottish public authorities: (1) the Commissioner herself; (2) a Procurator Fiscal; and (3) the Lord Advocate, where the information relates to his role as head of the systems of prosecution and the investigation of deaths in Scotland.  Essentially, this means that the Scottish Information Commissioner is prohibited from accepting any application for a decision by anyone that relates to the handling of a request for information under FOISA and the Scottish EIRs made to the Commissioner’s Office and the Crown Office and Procurator Fiscal Service (“the COPFS”).  I’m not a fan of this section and think it ought to be repealed in its entirety, but that is a subject for another time.  As far as the Scottish EIRs are concerned this section is a problem.  Essentially, once the Commissioner’s Office and the COPFS have conducted an internal review there is nowhere else for the requester to go if they remain dissatisfied with the response.

Article 6(2) of the Directive provides that:

In addition to the review procedure referred to in paragraph 1, Member States shall ensure that an applicant has access to a review procedure before a court of law or another independent and impartial body established by law, in which the acts or omissions of the public authority concerned can be reviewed and whose decisions may become final. Member States may furthermore provide that third parties incriminated by the disclosure of information may also have access to legal recourse.

The review procedure under paragraph 1 is essentially the internal review procedure provided for by Regulation 16 of the Scottish EIRs.  In respect of every other scottish public authority covered by the Scottish EIRs there exists a right to make an application to the Scottish Information Commissioner and have a decision notice issued by her office together with the ability to appeal (on a point of law only) that decision notice to the Inner House of the Court of Session, and then on to the Supreme Court of the United Kingdom.  There is a decision of a third party that is capable of becoming final.  Therefore, Article 6(2) of the Directive is complied with.  However, these appeal rights do not apply in respect of requests made to the Commissioner’s Office and the COPFS.

It should be theoretically possible to judicially review the internal review response of both the Commissioner and the COPFS.  At a first glance that might be thought to satisfy the requirements of Article 6(2) of the Directive; however, the wording of the Directive suggests that Judicial Review may not be sufficient.  Judicial Review is not an appellate procedure; it is a review procedure.  The Court of Session cannot substitute its own decision for that taken by the public authority.  The Court of Session could, in a judicial review, determine that irrelevant factors had been taking into consideration in respect of assessing the public interest where a qualified exception has been applied; it could not determine that the public interest does or does not support the maintaining of an exception.   Essentially, all the Court can do is uphold the decision of the Commissioner’s Office or the COPFS, or it can quash the decision – it cannot re-take the decision (something that the Commissioner effectively has the power to do when considering an application under section 47(1) of FOISA).  Therefore, judicial review cannot be a “review procedure… in which the acts or omissions of the public authority concerned can be reviewed” because it can only do so to a limited extent.  Therefore, for all practical purposes the decision of the public authority is final, not the decision of a court or another independent and impartial body established by law.

Furthermore, judicial review is expensive and comes with considerable risk in relation to expenses.  While it is theoretically possible for an applicant to represent themselves in the Court of Session, in all likelihood it will necessitate the instruction of a solicitor and at least junior counsel (if not junior and senior counsel); that is expensive.  Even if an applicant manages to represent themselves in the Court of Session; the court fees will be prohibitively expensive to many people.  These fees, payable at various stages throughout the process, will total hundreds of pounds.  The public authority in question will be represented by Counsel and if a requester loses, they may find themselves responsible for paying the public authority’s expenses (although, the Court does retain an inherent discretion in whether to make an award of expenses and to what extent the losing party shall pay the winner’s expenses).  This is relevant because the Aarhus Convention, upon which both the Directive and the Scottish EIRs are based, requires the review processes to be free of charge or inexpensive or not prohibitively expensive (Article 9).  The Court of Justice of the European Union found that the UK had failed to properly implement the Directive when looking at the costs under the English judicial system (see European Commission v United Kingdom).

The problem for the Scottish EIRs gets bigger once consideration is given to the Scotland Act 1998Section 57(2) of the Scotland Act provides that the Scottish Ministers have “no power to make any subordinate legislation, or to do any other act, so far as the legislation or act is incompatible with any of the Convention rights or with EU law.”  The Scottish EIRs are regulations and are therefore subordinate legislation.  By applying section 48 of FOISA to the Scottish EIRs the Scottish Ministers have made subordinate legislation that is ultra vires – it is outside of their competence.  For the Scottish EIRs to be compatible with EU law, section 48 of FOISA cannot apply to them; while it does, the Scottish EIRs do not fully implement Article 6 of the Directive.

This problem is easily resolved.  The Scottish Ministers simply need to amend the Scottish EIRs so as to disapply section 48 of FOISA in respect of the Scottish EIRs.  This would enable the Commissioner to consider applications made to her under section 47(1) of FOISA concerning requests for information made to either her office, or the COPFS that engage the Scottish EIRs.  Of course, the Scottish Ministers could introduce legislation into the Scottish Parliament to repeal section 48 of FOISA altogether (and that would kill two birds with one stone).

If the Scottish Ministers do not choose to make the relevant amendments they could be forced to.  All it would take is for someone to go through the process of making a request for environmental information to either the Commissioner or the COPFS, getting a refusal notice which is then upheld at internal review, and making an application to the Scottish Information Commissioner so as to get a notice from the Commissioner stating that no decision falls to be made.  This can then be appealed to the Court of Session for them to make what appears to be an inevitable decision: the Scottish Ministers acted ultra vires when applying section 48 of FOISA to the Scottish EIRs – an expensive process, but one that someone will eventually go down some day.

#GE2015, Data Protection, Privacy and FOI

It is now two days since the UK went to the polls to elect the 650 people who will be responsible for representing us until Parliament dissolves on Monday 20 April 2020 (assuming the Fixed-Term Parliaments Act 2011 remains in place and intact).  The result was significant for many reasons, some of which I may address in a future blog post.  The focus of this blog post though will be the possible impact on Data Protection, Privacy and Freedom of Information following the result in this election.

Data Protection and Privacy

These two areas, in their current form, rely heavily on EU law.  Both the Data Protection Act 1998 and the Privacy and Electronic Communications Regulations implement EU directives into UK law.

It is well known that one of the promises David Cameron made was a referendum on the UK’s continued membership of the EU if the Conservatives were returned to power with a majority.  They were, albeit a small and fragile one, and as such it is likely that in 2017 we will have a referendum on whether the UK will continue to be part of the EU, or not.  If the UK were to leave the EU (and this is purely hypothetical at this stage), then there would be no requirement for the UK to continue to comply with EU law; including the Directives underpinning the Data Protection Act and the Privacy and Electronic Communications Regulations.

Withdrawal from the EU would not, of course, immediately repeal every piece of law that is implementing an EU Directive – such a position would be unworkable.  Overtime there would, like there is in every other area of law, be reform and that could include both the Data Protection Act and the Privacy and Electronic Communications Regulations.

That is not the end of the story though; our continued relationship with the EU will have some impact in this area, especially with regards to the Data Protection Act.  If we were to remain part of the EEA, we would still have to comply with EU law except in some areas: data protection is not one of those.  So, if we withdrew from the EU and remained part of the EEA, nothing would change.

If we withdrew from both the EU and the EEA there would still be some Data Protection implications.  The eighth Data Protection Principal prevents the transfer of personal data outside the EEA unless the country or territory to which the personal data is to be sent “ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”  In other words, we would require some form of Data Protection or Privacy legislation that meets the test of “adequate” under EU data protection law.  This is a requirement that looks set to stay as part of the Data Protection Regulation currently working its way through the EU legislative process.  In all likelihood we would probably adopt the same data protection regulations as the EU, or something substantially similar thereto.  For that reason, Data Protection and Privacy looks fairly safe over the coming 5 years.

Freedom of Information

Scotland has its own Freedom of Information laws that cover Scottish public authorities.  These laws will likely remain largely unchanged in light of the 2015 election result.

Freedom of Information Act 2000

The FOIA covers English and Welsh authorities as well as UK-wide authorities such as UK Government Departments, the British Transport Police, the BBC, Channel 4 etc.  They are not popular with the Government; they force the Government to reveal information it would rather keep secret.  The Prime Minister isn’t a big fan of FOI; it “furs up the arteries of Government”.  We can expect to see some changes to FOI laws over the coming 5 years: the veto will likely be strengthened in light of the recent UK Supreme Court decision in the Prince Charles case; there could well be changes to the cost limits making it harder to get access to information and there could be the introduction of fees (at least for Tribunal cases).  Substantial harm could be done here (and if you value FOI and the power it gives you to access information held by public bodies I would commend the Campaign for Freedom of Information to you – they could need a lot of help, support and money over the coming 5 years).

Environmental Information Regulations 2004

These implement an EU Directive and provide a much tighter access to information regime with respect to Environmental Information – they also cover a much wider number of bodies than the FOIA does.  While they implement an EU Directive, they have their origin in another international Convention (one which is not anything to do with the EU), the Aarhus Convention.  The UK is a signatory and so if it were to remain a signatory it is likely that there would be no change to the substance of the EIRs.  There would be changes though.

Currently, because they are based upon EU law, they are subject to the primacy of EU law.  It is largely for this reason that the veto was held not to apply to Environmental Information.  It also gives recourse to the Court of Justice of the European Union in respect of interpretation (as was seen with Fish Legal).  This strengthens the EIRs significantly.  However, all is not lost.  In terms of the Aarhus Convention there is a right of remedy to the Aarhus Compliance Committee.

The Black Spider Letters – Part IV

This is the final in a series of four blog posts looking at the Supreme Court’s decision in R (Evans) v HM Attorney General.  The first post went through the background to the case, the second post focused on the Court’s decision in respect of section 53 of the FOIA and the third post looked at the Court’s decision in respect of Regulation 18(6) of the EIRs.

This was a significant decision for a number of reasons.  It significantly restricts section 53 of the FOIA and in essence makes it virtually impossible for the Executive to make use of it.  While this might seem, on the face of it, really good for transparency; it comes with a serious warning.  In 6 weeks time the UK will have a new Government and undoubtedly one of the first things that this new Government will want to do is address the decision of the Supreme Court in this case.  The current Government, which may be in its final hours, has previously hinted at making changes to the FOIA that would have a devastating effect on the effectiveness of FOI in the UK.  While addressing this issue the Government might be tempted to make other changes to FOI at the time.

While I fundamentally disagree with the principal that the Executive should be able to veto a decision made by the judiciary in respect of a cause in which it was a party, we do live in a system where Parliament has supremacy.  It is clear that Parliament intended that the Executive should be able to, in certain cases, veto a decision by the Tribunal that information should be disclosed.  For that reason, I disagree with the interpretation given to section 53 by Lords Neuberger, Kerr and Reed.  I find the position of Lord Mance and Lady Hale more in keeping with the intentions of Parliament.  It is my opinion that they struck the right balance between the intention of Parliament and the Rule of Law given the system in the UK and the wording of the statute.

The Regulation 18(6) issue is more problematic for the Government, and here I do think that the 6 Justices of the Supreme Court who held that Regulation 18(6) was incompatible with EU law got it correct.  The wording in Article 6 of the Directive clearly does not envisage the situation where the Executive, who will be the public body holding the information in question, is able to veto the decision of the Court.  It also seems clear from the wording of the Directive that it being open to a requester to judicially review the decision of the Executive to issue a certificate is not sufficient to comply with the review requirements therein.  Part of being a member of the European Union is to accept that EU law has supremacy, in passing the European Communities Act the UK Parliament agreed to have EU law take precedence over Acts passed by it.  Ultimately the UK Parliament is still supreme and would only need to repeal the European Communities Act (which would also necessitate the UK leaving the European Union, but that’s a whole other blog) in order to deal with the Supreme Court’s decision in respect of Regulation 18(6).

What is the impact for Scotland?  The decision in R (Evans) v HM Attorney General is technically not binding upon the Scottish Courts.  Section 41(2) of the Constitutional Reform Act 2005 makes it clear that decisions of the Supreme Court on appeal form Courts in one part of the United Kingdom are “to be regarded as the decision of a court of that part of the United Kingdom”; there is an exemption to this which is not relevant here. Therefore, only decisions issued by the Supreme Court in Scottish cases are considered binding in Scotland (although in cases from other parts of the UK will be highly persuasive on the Scottish Courts).  As this was a case on appeal from England in respect of FOIA and the EIRs, it is only binding on the Courts in England and Wales.

Section 52 of the Freedom of Information (Scotland) Act 2002 (FOISA) provides the First Minister a similar power to that contained in section 53 of the FOIA in respect of decision notices served on the Scottish Administration.  The wording in section 52 is almost identical to that in section 53.  The main difference is around timescales, in that the First Minister has longer than the accountable person under FOIA to issue a certificate.  So, section 52 of FOISA is probably in a precarious position following the decision of the Supreme Court.

The Scottish legislation could face further hurdles that the UK legislation did not due to the constitutional position of the Scottish Parliament.  The Scottish Parliament is a creature of Statute, it has only those powers which are given to it by the UK Parliament and cannot do anything which exceeds those powers.  Section 29(2)(d) of the Scotland Act 1998 provides that no Act of the Scottish Parliament may be incompatible with the rights in the European Convention on Human Rights as given effect to by the Human Rights Act 1998.  There could be a viable challenge to section 52 under Articles 6 (the right to a fair trial) and 10 (freedom of expression).  If it were to be found that the Scottish Administration being able to veto the decision of the Commissioner and/or the Courts was incompatible with either or both of those Rights then section 52 would have no effect as it would be outside of the Scottish Parliament’s legislative competence.  It would be much harder for the Scottish Parliament to get round that, and it would probably require the UK Parliament to legislate on its behalf.

Regulation 17(2)(e) of the Environmental Information (Scotland) Regulations 2004 (the Scottish EIRs) has the same effect as Regulation 18(6) of the EIRs in that it applies section 52 of FOISA to the Scottish EIRs.  However, like the EIRs, the Scottish EIRs are designed to implement the 2002 Directive into domestic law.  The supremacy of EU law is further underlined by the Scotland Act 1998, which provides in section 57(2) that the Scottish Ministers have no power to make subordinate legislation (which the Scottish Regulations are) which is incompatible with EU law.  I don’t think that the Scottish Courts would find differently from the Supreme Court in respect of section 52 being incompatable with EU law when related to requests under the Scottish EIRs.  In the event that the Scottish Ministers appealed to the Supreme Court it seems unlikely that it would conclude differently (although it should be noted that at least one Justice would have found that Regulation 18(6) did not violate EU law).

Because of the timing of the Supreme Court’s decision, it means that there is little that can be done to prevent disclosure of the information that the Upper Tribunal decided should be disclosed.  The UK Parliament has now prorogued and dealing with the Supreme Court’s decision will require primary legislation. Parliament will be dissolved as soon as we hit 30 March; that means all of he seats will become vacant and there will be no MPs to pass legislation.  The deadline for the Government to comply with the Supreme Court’s decision expires before the election. Therefore, it seems almost inevitable that we will get to see the contents of these letters.

It should be noted that FOIA has been amended to make the correspondence from the Prince of Wales subject to an absolute exemption.  However, that does not affect the position under the EIRs.  The exceptions under the EIRs are different from the exemptions under the FOIA, although they broadly enable the same types of information to be withheld.  What this means though is that it is possible that further letters written by the Prince of Wales which relate to environmental matters may be disclosed in the future.

It is also worth noting that FOISA has not been amended to make the equivalent exemption in respect of correspondence with the Monarch, the heir to the throne or the next in line (i.e. The Queen, Prince Charles and Prince William) an absolute one.  It had been proposed by the Scottish Government, but was dropped.  Therefore, the full range of correspondence between the Prince of Wales and the Scottish Ministers is theoretically obtainable under FOISA and the Scottish EIRs, subject to the public interest test.

The Black Spider Letters – Part III

This is the third in a series of four blog posts looking at the Supreme Court’s decision in R (Evans) v HM Attorney General.  The first post went through the background to the case, while the second post focused on the Court’s decision in respect of section 53 of the FOIA.  This third post will look at the Court’s decision in respect of Regulation 18(6) of the EIRs.

By a majority of 6:1 the Supreme Court held that the certificate issued by the Attorney General under Regulation 18(6) was invalid.  The arguments in respect of Regulation 18(6) related specifically to European law and to the Directive that they seek to implement.

Article 6 of the Directive makes provision for ‘Access to Justice’ in respect of Environmental Information.  It provides (1) that where a public body refuses to make environmental information available there must be a process whereby the decision can be ‘reviewed administratively by an independent and impartial body established by law’.  The right to complain to the Information Commissioner under section 50 of the FOIA (which extends to the EIRs) would meet this requirement; (2) that over and above the administrative review of the decision that there is provision for further review before a court or another independent or impartial body established by law.  This would be covered by the right of appeal against a decision of the Information Commissioner to the First-Tier Tribunal; and (3) the decision under (2) must be capable of becoming final and binding upon the public body that holds the information.

The effect of section 53 as applied to environmental information under Regulation 18(6) of the EIRs is to mean that the decision of the Tribunal (or whichever appellate Court or Tribunal last hears an appeal) ceases to be final or binding on the public body holding the information; the Certificate cancels out the decision of the Court or Tribunal.  The Attorney General had argued that the provisions of section 53 and Regulation 18(6) in respect of Environmental Information did not violate the terms of the Directive; he argued that, despite the effect of the Certificate being to set aside the decision of the Tribunal, there was still the ability for a decision of a Court to become final and binding upon the public body concerned.  He based that averment on the existence of Judicial Review: a decision by an accountable person to exercise their power under Regulation 18(6) as read with section 53 is open to be judicially reviewed.

In respect of the Attorney General’s argument, Lord Neuberger said at [105]:

A domestic judicial review does not normally involve reconsideration of the competing arguments or “merits”. However, it seems to me clear that article 6.2, with its stipulation that the court should be able to “review” the “acts and omissions of the public authority concerned”, requires a full “merits” review. Even assuming in the Attorney General’s favour that, on a domestic judicial review, the court could, unusually, consider the merits, it gets him nowhere at least in a case such as this, where a tribunal has ruled that the information should be disclosed and the certificate is merely based on the fact that he disagrees with the final decision of the Upper Tribunal. In such a case, a court would be bound to conclude that the certificate was not soundly based as a court of record had already decided that very point as between the applicant and “the public authority concerned”.

Lord Mance said at [148]:

what becomes final in the event of judicial review failing, is not a decision on the merits that the Upper Tribunal’s decision is wrong. It is the conclusion that there is nothing wrong with the minister’s or Attorney General’s decision to override the Upper Tribunal’s decision. That cannot be consistent with the evident intention of article 6(2) – to provide means of recourse to a court or similarly independent and impartial system, which will decide, one way or the other, on the merits.

As a consequence of the views of 6 of the 7 Justices who heard the case, Regulation 18(6) is no more. It has ceased to be. It rests in peace.  It is an ex-Regulation.