Category: Information Rights

Another day, another DPP7 breach and another Monetary Penalty

Section 2 of the Data Protection Act 1998 stipulates that information concerning a person’s health (mental or physical) is sensitive personal data.  This means that a person’s health information attracts a higher level of protection under the Data Protection Act 1998; the damage and distress that can result from the inappropriate disclosure or processing of a person’s health information can be significant.  People can experience bullying, harassment and/or discrimination as a consequence of mental or physical health conditions.  Some health conditions, mental or physical, can attract far more discrimination than others do.  HIV is, sadly, a health condition that still attracts a certain amount of discrimination and prejudice in the UK today.  With that in mind, an NHS Trust sending out its E-mail newsletter to users of its HIV sexual health services, with all of the recipients E-mail addresses visible to every other recipient, is likely to result in the said NHS Trust being in more than a bit of bother with the Information Commissioner’s Office.  That’s exactly what happened to one NHS Trust in London.

The Information Commissioner has served a Monetary Penalty Notice in the amount of £180,000 on Chelsea and Westminster Hospital NHS Foundation Trust after a member of staff E-mailed out a Newsletter to users of 56 Dean Street with all 781 recipients’ E-mail addresses being visible to all of the recipients.

56 Dean Street is a Soho based sexual health clinic which provides sexual health services to patients, including patients who are HIV positive.  The clinic had developed a service whereby patients with HIV were able to receive results and to make appointments and enquiries online.  They, together with a small number of patients who were not HIV positive, received newsletters from the clinic.  Some of the E-mail addresses included the full name of the patient whose E-mail address it was.  In September 2015, a member of staff sending out one of the clinic’s newsletters sent the E-mail with all of the recipients’ E-mail addresses in the “to” field, rather than the “bcc” field.  This meant that each recipient was able to see the E-mail addresses of all other recipients.

This was not the first time that a member of the Trust’s staff had done this in respect of E-mail addresses of HIV Patients.  The Monetary Penalty Notice served on the Trust records a similar incident that occurred in March 2010.  In that incident, a Pharmacist sent out a questionnaire to 17 patients receiving treatment for HIV about their treatment.  The E-mail addresses of all recipients were included in the “to” field, rather than the “bcc” field, meaning that they were visible to all recipients.  The Monetary Penalty Notice records that remedial steps were put into place by the Trust following that breach, although it does not state what they were.  It does, however, record that no training was given to staff to remind them to check that group E-mail addresses were being placed in the correct field, and that the Trust had not replaced the E-mail account being used with one that would enable separate E-mails to be sent to each address on the mailing list.

The Monetary Penalty Notice records that subscribers were not told that their E-mail addresses would be used to send Newsletters to other patients by way of a bulk E-mail and also notes that one of the subscribers should have been removed from the list following their relocation to Essex.

The Commissioner found that the Trust had breached the seventh Data Protection Principle, which relates to having appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing of personal data as well as against the accidental loss or destruction of, or damage to, personal data.  The Commissioner considered that the Trust had failed to comply with the seventh data protection principle by not using an E-mail account that enabled separate E-mails to be sent to each recipient, and also by failing to provide adequate training to staff to ensure that E-mail addresses were being placed in the correct field.
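The two measures the Commissioner identified (a sender that produces one separately addressed E-mail per subscriber, and a check that the mailing list never ends up in a visible field) are straightforward to build into whatever sends the newsletter. The following is an added illustration in Python, not code from the Trust or from the Monetary Penalty Notice; the subscriber addresses are constructed, and the SMTP transport is a stand-in so that it runs offline. It composes an individual message for each recipient and refuses, before anything reaches the transport, any message whose To or Cc headers would show more than one address; Bcc is not counted because it is stripped before delivery.

```python
"""Per-recipient newsletter sender with a pre-send check that refuses any
message exposing other subscribers' addresses in To or Cc.

Illustrative example only; the SMTP transport is stubbed so it runs offline.
"""
from dataclasses import dataclass, field
from email.message import EmailMessage
from email.utils import getaddresses
from typing import Callable, Iterable

# Constructed sample subscriber list (not real addresses).
SUBSCRIBERS = [
    "alice.example@example.org",
    "b.patient@example.net",
    "carol@example.com",
]


class RecipientExposureError(ValueError):
    """Raised when a message would reveal recipients to each other."""


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Return every address in the headers a recipient can see (To and Cc).

    Bcc is deliberately excluded: it is removed before delivery, so
    addresses placed there are not disclosed to the other recipients.
    """
    raw = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(raw) if addr]


def check_single_visible_recipient(msg: EmailMessage) -> None:
    """Refuse a message that shows anything other than exactly one address.

    This is the control that was missing: a whole mailing list pasted
    into To (or Cc) exposes every address to every recipient.
    """
    visible = visible_recipients(msg)
    if len(visible) != 1:
        raise RecipientExposureError(
            f"message exposes {len(visible)} visible recipient(s); expected exactly one"
        )


def build_message(sender: str, to: str, subject: str, body: str) -> EmailMessage:
    """Compose a plain-text message; `to` is a single address in normal use."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


@dataclass
class FakeSMTP:
    """Stand-in for smtplib.SMTP that records messages instead of sending them."""
    sent: list[EmailMessage] = field(default_factory=list)

    def send_message(self, msg: EmailMessage) -> None:
        self.sent.append(msg)


def send_newsletter(sender: str, subject: str, body: str, recipients: Iterable[str],
                    transport, check: Callable[[EmailMessage], None] = check_single_visible_recipient) -> int:
    """Send one individually addressed copy per subscriber; return the count sent.

    Each copy passes `check` before it reaches the transport, so a change
    that puts the whole list into To is blocked rather than sent.
    """
    sent = 0
    for rcpt in recipients:
        msg = build_message(sender, rcpt, subject, body)
        check(msg)
        transport.send_message(msg)
        sent += 1
    return sent


def bulk_message_is_blocked(sender: str, subject: str, body: str, recipients: Iterable[str]) -> bool:
    """Reproduce the failure mode in the notice (every address in To) and
    confirm the check rejects it."""
    msg = build_message(sender, ", ".join(recipients), subject, body)
    try:
        check_single_visible_recipient(msg)
    except RecipientExposureError:
        return True
    return False


if __name__ == "__main__":
    smtp = FakeSMTP()
    n = send_newsletter("clinic@example.org", "Newsletter", "Hello", SUBSCRIBERS, smtp)
    print(f"sent {n} individual messages")
    print("bulk To blocked:", bulk_message_is_blocked("clinic@example.org", "Newsletter", "Hello", SUBSCRIBERS))
```

To use it against a real server, replace FakeSMTP with an smtplib.SMTP connection; the check runs on the composed message regardless of transport, which is the point: the safeguard does not depend on a member of staff remembering which field to use.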

The Commissioner was satisfied that the Trust was responsible for the breach.  The Commissioner was also satisfied that the Trust had not intended to breach the seventh data protection principle.  However, the Commissioner was satisfied that the breach that had occurred was reasonably foreseeable and that the Trust should have therefore taken steps to prevent the breach from occurring.

Once again a breach of the seventh Data Protection Principle has resulted in enforcement action being taken by the Information Commissioner.  The Information Commissioner’s enforcement action in respect of Data Protection breaches has almost exclusively centred on breaches of the seventh Data Protection Principle.  Each time enforcement action is taken it carries with it national publicity.  Therefore, Data Controllers ought to be well aware that failures to have in place adequate internal processes and security measures to protect personal data, especially where that Data Controller is also a public authority, are extremely likely to result in enforcement action being taken by the Information Commissioner – and that is aside from the reputational damage that inevitably comes with security breaches around personal data.

It is important that Data Controllers ensure that they have in place adequate policies and procedures as well as software and other technical measures (such as password protection and encryption) to protect against all reasonably foreseeable data breaches.  That requires organisations to review the personal data that they hold, together with the ways in which they process that personal data, to identify vulnerabilities in respect of the security of the personal data that they hold.  The results of getting it wrong can be substantial, both financially and reputationally.

The current maximum financial penalty available to the Information Commissioner is capped at £500,000; however, when the new Data Protection Regulation enters into force in May 2018 (subject to the results of the EU referendum next month) the maximum financial penalty for such breaches will increase to €20 million or 4% of annual worldwide turnover, whichever is higher, and so the financial consequences of getting it wrong could be even greater in two years’ time than they currently are.

When a Data Controller processes personal data they are being trusted with that data by the Data Subject.  Some Data Controllers are entrusted with some of the most sensitive personal data about an individual, perhaps things that only a few other trusted people know; that level of trust can be huge.  It’s not the sort of information that should just be left lying around; it needs to be kept safely and securely and be processed in a way that is appropriate for its nature; especially when the information in question is (rightly) defined as sensitive personal data.

Gilroy -v- Scottish Information Commissioner

The Court of Session has issued a rare judgment in respect of an appeal under the Freedom of Information (Scotland) Act 2002 (FOISA).  Yesterday the First Division published its judgment in the case of David Gilroy –v– The Scottish Information Commissioner and the Chief Constable of Police Scotland.

The Appellant, David Gilroy, had been convicted of the murder of Suzanne Pilley at the High Court of Justiciary.  Mr Gilroy sought information from the Police Service of Scotland, as the statutory successor to Lothian and Borders Police (who had conducted the investigation into the murder of which Mr Gilroy has been convicted).  The information he sought related to CCTV that had been seized by the Police as part of the murder investigation.  The Police initially responded by saying that the information sought had been released to Mr Gilroy’s defence team and so he could obtain it that way, but had not complied with the technical requirements imposed by FOISA for a refusal notice.  Mr Gilroy required that the Police conduct a review into their handling of the request.  In response to the requirement for review, the Police refused the request on the grounds that it was exempt under section 38(1)(a) of FOISA, which provides that information of which the applicant is the data subject is exempt.  This is an absolute exemption and therefore it is not subject to the public interest test contained in section 2 of FOISA.  Such information can be sought by way of a ‘subject access request’ pursuant to section 7 of the Data Protection Act 1998.  The Police also cited the exemption at section 34(1)(c) of FOISA.

Mr Gilroy made an application to the Scottish Information Commissioner pursuant to section 47(1) of FOISA.  The Commissioner issued a Decision in respect of that application (Decision 005/2015) finding that the Police were correct to withhold the information under section 38(1)(a).  Section 56 of the FOISA provides a right of appeal to the Court of Session against a decision of the Scottish Information Commissioner on a point of law.  Mr Gilroy appealed the decision of the Scottish Information Commissioner to the Court of Session.

The Court of Session’s decision is a short one. The relationship between the Data Protection Act 1998 and FOISA has been the subject of previous litigation and nothing new was brought out in this case.  The litigation that has previously occurred in this field has confirmed that the question of whether information is personal data is a factual one.  The Lord President (Carloway), in giving the decision of the Court, considered that there was “no identifiable error of law” in the Commissioner’s decision (para [14]) and that there was no “point of law to be considered” (Para [15]). The Lord President’s judgment states that Mr Gilroy’s appeal was “essentially an application to this court to review an assessment of fact made by the first respondent”. Mr Gilroy’s appeal was therefore refused by the Court.

The judgment does highlight (once again) the wide scope of the definition of personal data in the Data Protection Act.  The Information in question was not stills or footage from the CCTV, but rather a list of images together with details such as location, dates and times.  This was considered by the Court to clearly be within the definition of personal data and that the Appellant was the data subject (para [14]).

The Commissioner did not consider in her decision the question of the application of section 34(1)(c) to the information because it was, in her view, exempt under section 38(1)(a).  The Court of Session therefore did not consider it either.

The Court’s judgment can be read on the Scottish Courts and Tribunals website here.

Valid FOI Requests via Twitter: Part 2

Earlier this week the question of the validity of tweeted information requests under the Freedom of Information Act 2000 arose once again.  I have written on this subject previously and you can read that post here.  The discussion arose following the decision of the First-Tier Tribunal (Information Rights) in the case of Bilal Ghafoor v the Information Commissioner.  In that case the Tribunal determined that Mr Ghafoor had not made a valid request for information for two reasons: (1) Mr Ghafoor did not provide his real name in his request and (2) he did not provide an address for correspondence.  My view is that in respect of both of these questions the Tribunal was wrong.

You can read the full procedural history in the Tribunal’s decision (paragraphs 2 – 12).  Mr Ghafoor appealed to the Tribunal on whether the DWP had failed to comply with section 11 of the Freedom of Information Act 2000 by not responding to his request via Twitter.  However, the Tribunal essentially performs a full reconsideration of the entire request when it hears a case.  Instead the Tribunal decided that Mr Ghafoor had not made a valid request for information by virtue of not including his real name (para 29) and also because Twitter was not a valid address for correspondence (para 28).

Real Name

It has long been understood that in order for a request for information to be valid it must include a person’s real name.  This is not something that is new and it is something that I mentioned in my previous consideration on this blog of the question of tweeted FOI requests.  However, what I have not given much consideration to, until now, is the question of aliases as opposed to pseudonyms.

In my view the use of a pseudonym quite clearly fails to comply with the requirement that a requester include their real name.  The purpose of a pseudonym is to hide a person’s true identity.  This is, in my view, quite different to an alias.  An alias is a name by which a person is also known, it is not something that is used to hide their identity; rather it is more akin to a name which is part of their identity.

In the case of Mr Ghafoor, the name FOI Kid is more of an alias than a pseudonym.  It is a name by which he commonly goes, not to hide his identity (as evidenced by his inclusion of his name in his Twitter bio).  He may only be known by that name within certain circles, but in my view that does not detract from the fact that ‘FOI Kid’ could be considered as part of his identity.  It is a name by which he goes online and is identifiable within information rights circles.

What is someone’s real name?  Is it the name that appears on their birth certificate?  How many people do you know that do not go by the name that is on their birth certificate?  For example, I have an uncle who is more commonly known by his middle name; many people will not have a clue what his true first name is.  I know of others who also go by a name other than that on their birth certificate and, again, people will not have any idea what their true name is.

Could a John Smith who trades as Smiths not be able to make a request for information in the name “Smiths”?  I would say that he can because it is a name by which he commonly goes, in a professional capacity at least.  Indeed, a public authority might want to know that it is John Smith of “Smiths” who is making the request because perhaps the tender exercise that Mr Smith is making a request for information about was one in which “Smiths” submitted a bid.  Mr Smith might therefore be entitled to additional information under section 7 of the Data Protection Act 1998 (the right of subject access) than someone other than him making the request.

Therefore, my view is that an alias by which someone has been going for some time would comply with the requirement to provide the name of the applicant in section 8 of the Freedom of Information Act 2000.  In the case of Mr Ghafoor my view is that ‘FOI Kid’ is an alias so well established that it would comply with the requirements of section 8.

Address for Correspondence

The Tribunal also concluded that Mr Ghafoor did not make a valid request for information because Twitter was unsuitable for responding to, making reference to the 140-character limit.  However, I disagree with this conclusion also.

Firstly, there are free services such as ‘Twitlonger’ which enable people (including public authorities) to send tweets longer than 140 characters.  Furthermore, it is possible to attach media to tweets through the Twitter site and also a range of social media management services used by businesses and other organisations.  While it might not be possible to send a full refusal notice or to disclose information through the 140 characters permitted by Twitter, it is however possible to attach a pdf letter and other attachments to tweets.  In my view there is no difference between this and attaching letters and documents for disclosure to an E-mail.  It might take multiple tweets to send the complete response together with all of the attachments to the requester, but the same is true for E-mail.  File size limits often mean that multiple E-mails need to be sent in order to supply all of the information being disclosed by the public authority.

For those reasons I take the view that Twitter is an appropriate address for correspondence and the Tribunal fell into error by concluding that it was not.  Perhaps its error came about through a failure to fully understand the exact parameters of the operation of Twitter, but in my view it fell into error nonetheless.

More cross-border Data Protection

On Thursday the Court of Justice of the European Union issued another decision on the interpretation of Directive 95/46/EC, the Data Protection Directive.  The case was on reference from the Hungarian Supreme Court and asked a number of questions around when a data controller is established in a particular member state for the purposes of the Directive.

Factual Background

Weltimmo s.r.o is a company registered in Slovakia under Slovakian law. It operates one or more property websites which are written in Hungarian and feature Hungarian properties.  The Company offered one month’s free advertising before beginning to charge its customers for the use of its service.  Somewhat unsurprisingly a lot of people took advantage of the one month free offer and then sought to have their adverts and personal data erased at the conclusion of the free month.  Weltimmo did not delete the advertisements or their personal data and instead charged its customers for the use of its services.  Those charges went unpaid and Weltimmo passed details of the ‘debtors’ onto debt collection agencies in Hungary.

Complaints were made to the Hungarian Data Protection Authority who found that Weltimmo had breached Data Protection law.  A fine of approximately €32,000 was imposed on Weltimmo.  Weltimmo appealed and the fine was overturned; however, it was determined that Weltimmo was established in Hungary for the purposes of Hungary’s data protection law.  Weltimmo disagreed and appealed to the Hungarian Supreme Court, who made a reference to the Court of Justice of the European Union.

Other important facts narrated in the Court’s decision are: that the company had a Hungarian bank account; it had a letter box in Hungary that was used for its every day affairs; and it had a representative in Hungary who sought to negotiate settlements of the unpaid debts.

Court’s decision

The Court made reference to Google Spain and stated that “establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements and that the legal form of such an establishment, whether simply a branch or subsidiary with a legal personality.” [28] The Court went on to say that there is a “flexible definition of the concept of ‘establishment’, which departs from a formalistic approach whereby undertakings are established solely in the place where they are registered.” [29]

Essentially what the Court is stating here is that there may be a difference between where a company is registered and where it is established for the purposes of data protection law.  It is necessary to look at where the exercise of activity is and not just about where it has a physical presence by way of a building or a registered office.  A company registered in Scotland, but which deals exclusively in the Republic of Ireland might find itself subject to the data protection law of the Republic of Ireland as opposed to that of the United Kingdom.

In the present case, the Court noted at paragraph [32] that “the activity exercised by Weltimmo consists, at the very least, of the running of one or several property dealing websites concerning properties situated in Hungary, which are written in Hungarian and whose advertisements are subject to a fee after a period of one month.  It must therefore be held that the company pursues a real and effective activity in Hungary.”

In Google Spain the Court held that the Directive does not require the processing of personal data to be carried out by the establishment, but only that it be carried out “in the context of the activities” of the establishment (Google Spain, [52]).  The Court considered that there was “no doubt” that this was the case in the Weltimmo case. [38] Therefore, unless any of the facts concerning bank accounts, representatives and letter boxes proved to be incorrect (matters which it is for the national court to determine) Weltimmo is established in Hungary for the purposes of data protection law.

The Court did stress that the fact that the owners of the properties being advertised had Hungarian nationality was of no relevance in determining the question of which national law was applicable. [40]

The referring court had also sought guidance from the Court concerning the imposition of sanctions.  The Court emphasised the responsibility of national authorities to take action within their own territory and that they may investigate any complaints made to it where the national law of another member state is applicable. [54] However, the Court was equally clear that a national authority cannot impose a sanction upon a data controller who is not established in their territory. [56] This is fairly obvious and stems from the sovereignty of nations.  In those circumstances the national authority that has investigated the matter should pass on the case to the national authority that has jurisdiction to impose a penalty seeking that they do so; based where necessary on any information supplied to that national authority by the authority who initially investigated the complaint.  [57]

For example, the Information Commissioner’s Office cannot take action against Facebook because it is not established in the UK; however, it may investigate a complaint from someone in the UK as to how Facebook has processed their personal data before passing it to the Irish Data Protection Commissioner, who does have jurisdiction by virtue of Facebook being established in the Republic of Ireland.  It would then be for the Irish Data Protection Commissioner to establish whether Facebook has broken Irish Law in relation to data protection and to then impose penalties in accordance with Irish Law, making use of the information passed to it by the ICO.

This is an important judgment that gives very good and strong advice on handling cross-border data protection issues where the internet is involved.  It stresses the need for data protection authorities across Europe to work in co-operation to ensure the rights of data subjects are protected whilst personal data is being processed.  The coming reforms (expected to be in force middle – late 2018) will not move away from that; indeed, with the proposed ‘one-stop’ regulation it will only increase that requirement.

Round-Up on DPA and PECR: September 2015

A new, trial feature on the blog in which I take a monthly look at the Monetary Penalty and Enforcement Notices issued by the ICO together with the formal undertakings also published.

September has seen the Information Commissioner issue two Monetary Penalty Notices in respect of breaches of PECR and publish three formal undertakings following breaches of the DPA.

General Dental Council

The General Dental Council (‘the GDC’), a statutory regulator, gave the Commissioner an undertaking to comply with the seventh Data Protection Principle.  This followed an incident in which fitness to practise allegations and a CD containing background information relative to the allegations were sent to the wrong practitioner.  An investigation by the GDC established that the error had occurred because the recipient had a similar name to the intended recipient.

The GDC had in place guidance on the processing of such information; this had not been followed by the employees who had arranged for this information to be sent out.  The GDC’s guidance and processes required that the CD on which the background information was sent was encrypted.  In this particular incident the CD was not encrypted.

The Commissioner established that while the GDC had in place sufficient policies and procedures, there was a lack of corporate refresher training in relation to data protection for those employees whose job roles entailed the processing of personal data.  The GDC had introduced induction training, but this was not rolled out to existing staff.  The GDC did have examples of where data protection training was being delivered; however, much of this was delivered on an ad hoc basis.

The Undertaking records a second incident where a patient’s dental records had gone missing.  The GDC’s investigation suggested that the records had never left their office, but had instead been securely destroyed.  However, the employee involved in this incident had not received induction data protection training.

Cold Call Elimination Ltd

The Commissioner served a Monetary Penalty Notice on Cold Call Elimination Ltd following breaches of PECR.  Somewhat ironically Cold Call Elimination Ltd was making unsolicited cold calls to sell a service and device to stop unsolicited cold calls.

The Commissioner wrote to the company following a number of complaints to the Commissioner and the Telephone Preference Service.  The Company provided an explanation and further explained that it would be putting in additional measures relating to unsolicited marketing calls.  The Commissioner placed the company on a period of monitoring for a period of 3 months, during which a large number of complaints continued to be received.

The Commissioner’s Office met with Cold Call Elimination Ltd to discuss its compliance with PECR following which a further period of monitoring took place.  During that second period of monitoring there was a drop in the number of complaints received, but the Commissioner described this as an insignificant drop.

The Commissioner had received 46 complaints directly from individuals who were subscribed to the Telephone Preference Service between 14 June 2013 and 31 March 2015.  The Telephone Preference Service had received 336 complaints over the same period.

The Commissioner determined that the company was in breach of Regulation 21 of PECR and subsequently issued a Monetary Penalty Notice in the amount of £75,000.

Martin & Company

Martin & Company, a firm of solicitors, gave the Commissioner an undertaking to comply with the seventh Data Protection Principle following an incident in which a DVD containing CCTV footage went missing.  The firm was acting for a criminal accused and the CCTV footage was released to them by the Crown Office and Procurator Fiscal Service (‘the COPFS’).  Martin & Company is based in Ayr and the DVD required to be collected from the COPFS office in Kilmarnock.  Martin & Company instructed a third party to collect the DVD from the COPFS.  The DVD went missing after being collected by the third party, but before reaching Martin & Company.

The Commissioner’s investigation found that there were some shortcomings in Martin & Company’s procedures.  In particular the Commissioner highlighted a lack of guidance to staff regarding the DPA as well as relevant training on the DPA.  The Commissioner also took the view that there was a lack of formal procedure for staff when arranging to have personal data collected from outside of the office environment.

FlyBe Limited

FlyBe Limited, an airline, gave the Commissioner an undertaking to comply with the seventh Data Protection Principle following an incident in which a temporary employee sent a scanned image of another individual’s passport to his personal E-mail address.  The incident occurred in the department responsible for processing airside clearance for other FlyBe staff.

The Commissioner investigated and discovered that FlyBe did not provide any training to its staff members who processed personal data, including the temporary employee who was involved in this particular incident.  The Commissioner also found that FlyBe’s data protection policy was inadequate and only provided limited information.

Home Energy & Lifestyle Management Ltd

The Commissioner served a Monetary Penalty Notice on Home Energy & Lifestyle Management Ltd following breaches of PECR.  Home Energy & Lifestyle Management Ltd engaged in a marketing campaign via automated recorded calls to 6 million people in relation to the ‘Green Deal’, a Government backed energy saving initiative.

The Commissioner wrote to the company having received a number of complaints about the calls being made.  The Company explained that it had now ceased the marketing campaign and that it had not realised that there were different rules in the Privacy and Electronic Communications Regulations for recorded calls as opposed to “live” calls.  The company also sought to explain the calls by attempting to lay the blame at the door of the third party company it had contracted to make the calls on its behalf.

The Commissioner’s office received 242 complaints concerning Home Energy & Lifestyle Management Ltd’s calls during a three month period of monitoring. The Commissioner decided that the company had breached Regulation 19 of PECR. The Commissioner also found that the company had breached Regulation 24 of PECR by not identifying the person who was sending the automated marketing calls, not providing the address of the person and not providing a telephone number on which the person responsible for making the calls can be reached free of charge.

The Commissioner issued a Monetary Penalty notice requiring the company to pay the sum of £200,000, the largest amount ever required for a breach of PECR. Press reports of the Monetary Penalty Notice have indicated that the company intends to appeal.

Comment

In respect of the three undertakings for breaches of the Data Protection Act 1998 it is clear that data controllers, even large organisations, are still failing in the basics by not having in place adequate policies and procedures covering data protection and failing to provide adequate induction and refresher training on data protection to those who handle personal data.  This is a regular feature in enforcement action taken by the Information Commissioner.  Having in place sufficient policies and procedures, as well as training and adequate checks to ensure compliance, will reduce the chances of experiencing a data breach in the first place.  Furthermore, it will undoubtedly serve to mitigate any enforcement action taken by the Commissioner should a data controller experience a breach.

The Monetary Penalty Notices issued this month highlight the importance of ensuring that organisations undertaking marketing by telephone have in place the appropriate consents and take sufficient steps to ensure that calls are not made to individuals who have registered with the Telephone Preference Service.  They also highlight the truth of the Latin maxim ignorantia legis neminem excusat, or ignorance of the law excuses no one.  Following a change in the law, it is now much easier for the Commissioner to issue Monetary Penalty Notices in respect of breaches of PECR; it is therefore now much more likely that breaches of PECR will result in the Commissioner issuing Monetary Penalty Notices.

A problem with the Scottish EIRs

The Environmental Information (Scotland) Regulations 2004 (“Scottish EIRs”) give individuals the right to request and obtain, subject to certain well defined exceptions, information in relation to the environment from Scottish public authorities.  They implement into the law of Scotland Directive 2003/4/EC of the European Parliament and of the Council on public access to environmental information (“the Directive”).  The Directive in turn implements the Convention on Access to Information, public participation in decision-making and access to justice in Environmental Matters done at Aarhus, Denmark on 25 June 1998 (“the Aarhus Convention”) into EU law.

In Scotland, like the rest of the UK, the Scottish EIRs are an adjunct to Freedom of Information.  The Scottish EIRs sit alongside the Freedom of Information (Scotland) Act 2002 (“FOISA”) and the Scottish Information Commissioner has the same powers of enforcement in respect of the Scottish EIRs as she does in respect of FOISA.  By virtue of Regulation 17 of the Scottish EIRs, Part 4 of FOISA applies to the Scottish EIRs.  The Regulations make certain amendments to Part 4 of FOISA for when it is being read in respect of the Scottish EIRs.

Section 48 of FOISA provides that no application can be made to the Scottish Information Commissioner in respect of three Scottish public authorities: (1) the Commissioner herself; (2) a Procurator Fiscal; and (3) the Lord Advocate, where the information relates to his role as head of the systems of prosecution and the investigation of deaths in Scotland.  Essentially, this means that the Scottish Information Commissioner is prohibited from accepting any application for a decision by anyone that relates to the handling of a request for information under FOISA and the Scottish EIRs made to the Commissioner’s Office and the Crown Office and Procurator Fiscal Service (“the COPFS”).  I’m not a fan of this section and think it ought to be repealed in its entirety, but that is a subject for another time.  As far as the Scottish EIRs are concerned, this section is a problem.  Essentially, once the Commissioner’s Office and the COPFS have conducted an internal review there is nowhere else for the requester to go if they remain dissatisfied with the response.

Article 6(2) of the Directive provides that:

In addition to the review procedure referred to in paragraph 1, Member States shall ensure that an applicant has access to a review procedure before a court of law or another independent and impartial body established by law, in which the acts or omissions of the public authority concerned can be reviewed and whose decisions may become final. Member States may furthermore provide that third parties incriminated by the disclosure of information may also have access to legal recourse.

The review procedure under paragraph 1 is essentially the internal review procedure provided for by Regulation 16 of the Scottish EIRs.  In respect of every other Scottish public authority covered by the Scottish EIRs there exists a right to make an application to the Scottish Information Commissioner and have a decision notice issued by her office, together with the ability to appeal (on a point of law only) that decision notice to the Inner House of the Court of Session, and then on to the Supreme Court of the United Kingdom.  There is a decision of a third party that is capable of becoming final.  Therefore, Article 6(2) of the Directive is complied with.  However, these appeal rights do not apply in respect of requests made to the Commissioner’s Office and the COPFS.

It should be theoretically possible to judicially review the internal review response of both the Commissioner and the COPFS.  At first glance that might be thought to satisfy the requirements of Article 6(2) of the Directive; however, the wording of the Directive suggests that judicial review may not be sufficient.  Judicial review is not an appellate procedure; it is a review procedure.  The Court of Session cannot substitute its own decision for that taken by the public authority.  The Court of Session could, in a judicial review, determine that irrelevant factors had been taken into consideration in assessing the public interest where a qualified exception has been applied; it could not determine that the public interest does or does not support maintaining an exception.  Essentially, all the Court can do is uphold the decision of the Commissioner’s Office or the COPFS, or quash it – it cannot re-take the decision (something that the Commissioner effectively has the power to do when considering an application under section 47(1) of FOISA).  Therefore, judicial review cannot be a “review procedure… in which the acts or omissions of the public authority concerned can be reviewed” because it can only do so to a limited extent.  For all practical purposes, then, the decision of the public authority is final, not the decision of a court or another independent and impartial body established by law.

Furthermore, judicial review is expensive and comes with considerable risk in relation to expenses.  While it is theoretically possible for an applicant to represent themselves in the Court of Session, in all likelihood it will necessitate the instruction of a solicitor and at least junior counsel (if not junior and senior counsel); that is expensive.  Even if an applicant manages to represent themselves in the Court of Session, the court fees will be prohibitively expensive to many people.  These fees, payable at various stages throughout the process, will total hundreds of pounds.  The public authority in question will be represented by counsel and, if a requester loses, they may find themselves responsible for paying the public authority’s expenses (although the Court does retain an inherent discretion as to whether to make an award of expenses and to what extent the losing party shall pay the winner’s expenses).  This is relevant because the Aarhus Convention, upon which both the Directive and the Scottish EIRs are based, requires the review processes to be free of charge or inexpensive, or at least not prohibitively expensive (Article 9).  The Court of Justice of the European Union found that the UK had failed to properly implement the Directive when looking at the costs under the English judicial system (see European Commission v United Kingdom).

The problem for the Scottish EIRs gets bigger once consideration is given to the Scotland Act 1998.  Section 57(2) of the Scotland Act provides that the Scottish Ministers have “no power to make any subordinate legislation, or to do any other act, so far as the legislation or act is incompatible with any of the Convention rights or with EU law.”  The Scottish EIRs are regulations and are therefore subordinate legislation.  By applying section 48 of FOISA to the Scottish EIRs the Scottish Ministers have made subordinate legislation that is ultra vires – it is outside of their competence.  For the Scottish EIRs to be compatible with EU law, section 48 of FOISA cannot apply to them; while it does, the Scottish EIRs do not fully implement Article 6 of the Directive.

This problem is easily resolved.  The Scottish Ministers simply need to amend the Scottish EIRs so as to disapply section 48 of FOISA in respect of the Scottish EIRs.  This would enable the Commissioner to consider applications made to her under section 47(1) of FOISA concerning requests for information made to either her office, or the COPFS that engage the Scottish EIRs.  Of course, the Scottish Ministers could introduce legislation into the Scottish Parliament to repeal section 48 of FOISA altogether (and that would kill two birds with one stone).

If the Scottish Ministers do not choose to make the relevant amendments they could be forced to.  All it would take is for someone to go through the process of making a request for environmental information to either the Commissioner or the COPFS, getting a refusal notice which is then upheld at internal review, and making an application to the Scottish Information Commissioner so as to obtain a notice from the Commissioner stating that no decision falls to be made.  That notice could then be appealed to the Court of Session for it to make what appears to be an inevitable decision: that the Scottish Ministers acted ultra vires when applying section 48 of FOISA to the Scottish EIRs – an expensive process, but one that someone will eventually go down some day.

#GE2015, Data Protection, Privacy and FOI

It is now two days since the UK went to the polls to elect the 650 people who will be responsible for representing us until Parliament dissolves on Monday 20 April 2020 (assuming the Fixed-Term Parliaments Act 2011 remains in place and intact).  The result was significant for many reasons, some of which I may address in a future blog post.  The focus of this blog post though will be the possible impact on Data Protection, Privacy and Freedom of Information following the result in this election.

Data Protection and Privacy

These two areas, in their current form, rely heavily on EU law.  Both the Data Protection Act 1998 and the Privacy and Electronic Communications Regulations implement EU directives into UK law.

It is well known that one of the promises David Cameron made was a referendum on the UK’s continued membership of the EU if the Conservatives were returned to power with a majority.  They were, albeit a small and fragile one, and as such it is likely that in 2017 we will have a referendum on whether the UK will continue to be part of the EU, or not.  If the UK were to leave the EU (and this is purely hypothetical at this stage), then there would be no requirement for the UK to continue to comply with EU law; including the Directives underpinning the Data Protection Act and the Privacy and Electronic Communications Regulations.

Withdrawal from the EU would not, of course, immediately repeal every piece of law that implements an EU Directive – such a position would be unworkable.  Over time there would, as there is in every other area of law, be reform, and that could include both the Data Protection Act and the Privacy and Electronic Communications Regulations.

That is not the end of the story though; our continued relationship with the EU will have some impact in this area, especially with regards to the Data Protection Act.  If we were to remain part of the EEA, we would still have to comply with EU law except in some areas: data protection is not one of those.  So, if we withdrew from the EU and remained part of the EEA, nothing would change.

If we withdrew from both the EU and the EEA there would still be some Data Protection implications.  The eighth Data Protection Principle prevents the transfer of personal data outside the EEA unless the country or territory to which the personal data is to be sent “ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”  In other words, we would require some form of Data Protection or Privacy legislation that meets the test of “adequate” under EU data protection law.  This is a requirement that looks set to stay as part of the Data Protection Regulation currently working its way through the EU legislative process.  In all likelihood we would adopt the same data protection regulations as the EU, or something substantially similar.  For that reason, Data Protection and Privacy look fairly safe over the coming 5 years.

Freedom of Information

Scotland has its own Freedom of Information laws that cover Scottish public authorities.  These laws will likely remain largely unchanged in light of the 2015 election result.

Freedom of Information Act 2000

The FOIA covers English and Welsh authorities as well as UK-wide authorities such as UK Government Departments, the British Transport Police, the BBC, Channel 4 etc.  FOI laws are not popular with the Government; they force the Government to reveal information it would rather keep secret.  The Prime Minister isn’t a big fan of FOI; it “furs up the arteries of Government”.  We can expect to see some changes to FOI laws over the coming 5 years: the veto will likely be strengthened in light of the recent UK Supreme Court decision in the Prince Charles case; there could well be changes to the cost limits making it harder to get access to information; and there could be the introduction of fees (at least for Tribunal cases).  Substantial harm could be done here (and if you value FOI and the power it gives you to access information held by public bodies I would commend the Campaign for Freedom of Information to you – they could need a lot of help, support and money over the coming 5 years).

Environmental Information Regulations 2004

These implement an EU Directive and provide a much tighter access to information regime with respect to environmental information – they also cover a much wider range of bodies than the FOIA does.  While they implement an EU Directive, they have their origin in another international Convention (one which has nothing to do with the EU), the Aarhus Convention.  The UK is a signatory, and so if it were to remain a signatory it is likely that there would be no change to the substance of the EIRs.  There would be changes though.

Currently, because they are based upon EU law, they are subject to the primacy of EU law.  It is largely for this reason that the veto was held not to apply to Environmental Information.  It also gives recourse to the Court of Justice of the European Union in respect of interpretation (as was seen with Fish Legal).  This strengthens the EIRs significantly.  However, all is not lost.  In terms of the Aarhus Convention there is a right of remedy to the Aarhus Compliance Committee.

The Black Spider Letters – Part IV

This is the final in a series of four blog posts looking at the Supreme Court’s decision in R (Evans) v HM Attorney General.  The first post went through the background to the case, the second post focused on the Court’s decision in respect of section 53 of the FOIA and the third post looked at the Court’s decision in respect of Regulation 18(6) of the EIRs.

This was a significant decision for a number of reasons.  It significantly restricts section 53 of the FOIA and in essence makes it virtually impossible for the Executive to make use of it.  While this might seem, on the face of it, really good for transparency, it comes with a serious warning.  In six weeks’ time the UK will have a new Government and undoubtedly one of the first things that this new Government will want to do is address the decision of the Supreme Court in this case.  The current Government, which may be in its final hours, has previously hinted at making changes to the FOIA that would have a devastating effect on the effectiveness of FOI in the UK.  While addressing this issue the Government might be tempted to make other changes to FOI at the same time.

While I fundamentally disagree with the principle that the Executive should be able to veto a decision made by the judiciary in a cause in which it was a party, we do live in a system where Parliament has supremacy.  It is clear that Parliament intended that the Executive should be able to, in certain cases, veto a decision by the Tribunal that information should be disclosed.  For that reason, I disagree with the interpretation given to section 53 by Lords Neuberger, Kerr and Reed.  I find the position of Lord Mance and Lady Hale more in keeping with the intentions of Parliament.  It is my opinion that they struck the right balance between the intention of Parliament and the Rule of Law, given the system in the UK and the wording of the statute.

The Regulation 18(6) issue is more problematic for the Government, and here I do think that the six Justices of the Supreme Court who held that Regulation 18(6) was incompatible with EU law got it correct.  The wording in Article 6 of the Directive clearly does not envisage the situation where the Executive, which will be the public body holding the information in question, is able to veto the decision of the Court.  It also seems clear from the wording of the Directive that it being open to a requester to judicially review the decision of the Executive to issue a certificate is not sufficient to comply with the review requirements therein.  Part of being a member of the European Union is accepting that EU law has supremacy; in passing the European Communities Act the UK Parliament agreed to have EU law take precedence over Acts passed by it.  Ultimately the UK Parliament is still supreme and would only need to repeal the European Communities Act (which would also necessitate the UK leaving the European Union, but that’s a whole other blog) in order to deal with the Supreme Court’s decision in respect of Regulation 18(6).

What is the impact for Scotland?  The decision in R (Evans) v HM Attorney General is technically not binding upon the Scottish Courts.  Section 41(2) of the Constitutional Reform Act 2005 makes it clear that decisions of the Supreme Court on appeal from courts in one part of the United Kingdom are “to be regarded as the decision of a court of that part of the United Kingdom”; there is an exception to this which is not relevant here.  Therefore, only decisions issued by the Supreme Court in Scottish cases are considered binding in Scotland (although decisions in cases from other parts of the UK will be highly persuasive on the Scottish Courts).  As this was a case on appeal from England in respect of the FOIA and the EIRs, it is only binding on the Courts in England and Wales.

Section 52 of the Freedom of Information (Scotland) Act 2002 (FOISA) provides the First Minister a similar power to that contained in section 53 of the FOIA in respect of decision notices served on the Scottish Administration.  The wording in section 52 is almost identical to that in section 53.  The main difference is around timescales, in that the First Minister has longer than the accountable person under FOIA to issue a certificate.  So, section 52 of FOISA is probably in a precarious position following the decision of the Supreme Court.

The Scottish legislation could face further hurdles that the UK legislation did not due to the constitutional position of the Scottish Parliament.  The Scottish Parliament is a creature of Statute, it has only those powers which are given to it by the UK Parliament and cannot do anything which exceeds those powers.  Section 29(2)(d) of the Scotland Act 1998 provides that no Act of the Scottish Parliament may be incompatible with the rights in the European Convention on Human Rights as given effect to by the Human Rights Act 1998.  There could be a viable challenge to section 52 under Articles 6 (the right to a fair trial) and 10 (freedom of expression).  If it were to be found that the Scottish Administration being able to veto the decision of the Commissioner and/or the Courts was incompatible with either or both of those Rights then section 52 would have no effect as it would be outside of the Scottish Parliament’s legislative competence.  It would be much harder for the Scottish Parliament to get round that, and it would probably require the UK Parliament to legislate on its behalf.

Regulation 17(2)(e) of the Environmental Information (Scotland) Regulations 2004 (the Scottish EIRs) has the same effect as Regulation 18(6) of the EIRs in that it applies section 52 of FOISA to the Scottish EIRs.  However, like the EIRs, the Scottish EIRs are designed to implement the 2003 Directive into domestic law.  The supremacy of EU law is further underlined by the Scotland Act 1998, which provides in section 57(2) that the Scottish Ministers have no power to make subordinate legislation (which the Scottish Regulations are) which is incompatible with EU law.  I don’t think that the Scottish Courts would find differently from the Supreme Court in respect of section 52 being incompatible with EU law when related to requests under the Scottish EIRs.  In the event that the Scottish Ministers appealed to the Supreme Court it seems unlikely that it would conclude differently (although it should be noted that at least one Justice would have found that Regulation 18(6) did not violate EU law).

Because of the timing of the Supreme Court’s decision, there is little that can be done to prevent disclosure of the information that the Upper Tribunal decided should be disclosed.  The UK Parliament has now been prorogued and dealing with the Supreme Court’s decision will require primary legislation.  Parliament will be dissolved as soon as we hit 30 March; that means all of the seats will become vacant and there will be no MPs to pass legislation.  The deadline for the Government to comply with the Supreme Court’s decision expires before the election.  Therefore, it seems almost inevitable that we will get to see the contents of these letters.

It should be noted that FOIA has been amended to make the correspondence from the Prince of Wales subject to an absolute exemption.  However, that does not affect the position under the EIRs.  The exceptions under the EIRs are different from the exemptions under the FOIA, although they broadly enable the same types of information to be withheld.  What this means though is that it is possible that further letters written by the Prince of Wales which relate to environmental matters may be disclosed in the future.

It is also worth noting that FOISA has not been amended to make the equivalent exemption in respect of correspondence with the Monarch, the heir to the throne or the next in line (i.e. The Queen, Prince Charles and Prince William) an absolute one.  It had been proposed by the Scottish Government, but was dropped.  Therefore, the full range of correspondence between the Prince of Wales and the Scottish Ministers is theoretically obtainable under FOISA and the Scottish EIRs, subject to the public interest test.

The Black Spider Letters – Part III

This is the third in a series of four blog posts looking at the Supreme Court’s decision in R (Evans) v HM Attorney General.  The first post went through the background to the case, while the second post focused on the Court’s decision in respect of section 53 of the FOIA.  This third post will look at the Court’s decision in respect of Regulation 18(6) of the EIRs.

By a majority of 6:1 the Supreme Court held that the certificate issued by the Attorney General under Regulation 18(6) was invalid.  The arguments in respect of Regulation 18(6) related specifically to European law and to the Directive that the EIRs seek to implement.

Article 6 of the Directive makes provision for ‘Access to Justice’ in respect of environmental information.  It provides (1) that where a public body refuses to make environmental information available there must be a process whereby the decision can be ‘reviewed administratively by an independent and impartial body established by law’ – the right to complain to the Information Commissioner under section 50 of the FOIA (which extends to the EIRs) would meet this requirement; (2) that over and above the administrative review of the decision there is provision for further review before a court or another independent and impartial body established by law – this would be covered by the right of appeal against a decision of the Information Commissioner to the First-tier Tribunal; and (3) that the decision under (2) must be capable of becoming final and binding upon the public body that holds the information.

The effect of section 53 as applied to environmental information under Regulation 18(6) of the EIRs is that the decision of the Tribunal (or whichever appellate Court or Tribunal last hears an appeal) ceases to be final or binding on the public body holding the information; the Certificate cancels out the decision of the Court or Tribunal.  The Attorney General had argued that the provisions of section 53 and Regulation 18(6) in respect of environmental information did not violate the terms of the Directive; he argued that, despite the effect of the Certificate being to set aside the decision of the Tribunal, there was still the ability for a decision of a Court to become final and binding upon the public body concerned.  He based that averment on the existence of judicial review: a decision by an accountable person to exercise their power under Regulation 18(6) as read with section 53 is open to be judicially reviewed.

In respect of the Attorney General’s argument, Lord Neuberger said at [105]:

A domestic judicial review does not normally involve reconsideration of the competing arguments or “merits”. However, it seems to me clear that article 6.2, with its stipulation that the court should be able to “review” the “acts and omissions of the public authority concerned”, requires a full “merits” review. Even assuming in the Attorney General’s favour that, on a domestic judicial review, the court could, unusually, consider the merits, it gets him nowhere at least in a case such as this, where a tribunal has ruled that the information should be disclosed and the certificate is merely based on the fact that he disagrees with the final decision of the Upper Tribunal. In such a case, a court would be bound to conclude that the certificate was not soundly based as a court of record had already decided that very point as between the applicant and “the public authority concerned”.

Lord Mance said at [148]:

what becomes final in the event of judicial review failing, is not a decision on the merits that the Upper Tribunal’s decision is wrong. It is the conclusion that there is nothing wrong with the minister’s or Attorney General’s decision to override the Upper Tribunal’s decision. That cannot be consistent with the evident intention of article 6(2) – to provide means of recourse to a court or similarly independent and impartial system, which will decide, one way or the other, on the merits.

As a consequence of the views of 6 of the 7 Justices who heard the case, Regulation 18(6) is no more. It has ceased to be. It rests in peace.  It is an ex-Regulation.

The Black Spider Letters – Part II

This is the second in a series of four blog posts looking at the Supreme Court’s decision in R (Evans) v HM Attorney General.  The first post went through the background to the case and this post will focus on the Court’s decision in respect of section 53 of the FOIA.

By a majority of 5:2 the Supreme Court held that the certificate issued by the Attorney General was invalid.  However, there was a split among the five as to the reasons for the certificate being invalid.  Lords Neuberger, Kerr and Reed were in agreement with one another, while Lord Mance and Lady Hale found that the Certificate was invalid for different reasons.  Lords Wilson and Hughes disagreed entirely and would have allowed the Attorney General’s appeal.

The reasoning of Lord Neuberger (with whom Lords Kerr and Reed agreed)

The Justices here looked at two constitutional principles which are the cornerstone of our democracy and are at the very centre of the Rule of Law.  The first of those principles is that decisions of a Court are binding upon the parties involved, subject to rights of appeal (and, as Lord Neuberger pointed out, to a Statute passed by Parliament, given the supremacy of Parliament in our democracy).  The second of those principles is that the decisions of the Executive are reviewable by the Judiciary, not the reverse.

Lord Neuberger said, at paragraph [52], that the way in which the Attorney General interpreted section 53 of the FOIA

 “flouts the first principle and stands the second principle on its head. It involves saying that a final decision of a court can be set aside by a member of the executive (normally the minister in charge of the very department against whom the decision has been given) because he does not agree with it. And the fact that the member of the executive can put forward cogent and/or strongly held reasons for disagreeing with the court is, in this context, nothing to the point: many court decisions are on points of controversy where opinions (even individual judicial opinions) may reasonably differ, but that does not affect the applicability of these principles.”

He went on to state at paragraph [58] that “section 53 falls far short of being “crystal clear” in saying that a member of the executive can override the decision of a court because he disagrees with it.”  This drew on a line of authority, fully set out in paragraphs [53] – [57], which concludes that unless Parliament has made it crystal clear that it is legislating contrary to the rule of law, it is to be presumed that it is not doing so.

Lord Neuberger went on to consider previous authorities where the Court of Appeal had considered the question of whether Parliament had “intended [that] a member of the executive to be able freely to consider, or reconsider, for himself the very issues, on the same facts, which had been determined by another person or a tribunal.” [60]

Lord Neuberger concluded that section 53 of the FOIA does not permit the accountable person mentioned therein to issue a certificate “simply because, on the same facts and admittedly reasonably, he takes a different view from that adopted by a court of record after a full public oral hearing.”  He also noted that the basis for this conclusion could not have been unknown to Parliament at the time the FOIA was passed.

Lord Mance (with whom Lady Hale agreed)

The conclusion reached by Lord Neuberger was different to that reached by Lord Mance (with whom Lady Hale agreed).  They found that the accountable person was able to issue a certificate under section 53 of the FOIA simply because they disagreed with the Tribunal’s decision; however, where the certificate was issued in respect of findings of fact or rulings of law which were fully explained, an extremely clear justification would be required.  Lord Mance found that the Certificate issued by the Attorney General under section 53 of the FOIA did “not engage with or give any real answer to [the Upper Tribunal’s] closely reasoned analysis and its clear rebuttal of any suggestion that a risk of misperception could justify withholding of disclosure.”

So, while the Attorney General, or indeed any other accountable person as defined by section 53, could issue a certificate under section 53 because he disagreed with the findings of the Tribunal on the same facts and arguments as were before the Tribunal, he did not justify his decision sufficiently to enable the certificate to stand, and so the certificate was invalid.