Data Protection, FOISA, Freedom of Information, Information Law, Information Rights, Scots Law, Scottish Information Commissioner

Gilroy -v- Scottish Information Commissioner

The Court of Session has issued a rare judgment in respect of an appeal under the Freedom of Information (Scotland) Act 2002 (FOISA).  Yesterday the First Division published its judgment in the case of David Gilroy –v– The Scottish Information Commissioner and the Chief Constable of Police Scotland.

The Appellant, David Gilroy, had been convicted of the Murder of Suzanne Pilley at the High Court of Justiciary.  Mr Gilroy sought information from the Police Service of Scotland, as the statutory successor to Lothian and Borders Police (who had conducted the investigation to the murder of which Mr Gilroy has been convicted).  The information he sought related to CCTV that had been seized by the Police as part of the murder investigation.  The Police initially responded by saying that the information sought had been released to Mr Gilroy’s defence team and so he could obtain it that way, but had not complied with the technical requirements imposed in FOISA for a refusal notice.  Mr Gilroy required that the Police conducted a review into their handling of the request.  In response to the requirement for review, the Police refused the request on the grounds that it was exempt under section 38(1)(a) of FOISA – which provides that information to which the applicant is the data subject of is exempt.  This is an absolute exemption and therefore it is not subject to the public interest contained in section 2 of the FOISA.  Such information can be sought by way of a ‘subject access request’ pursuant to section 7 of the Data Protection Act 1998.  The Police also cited the exemption at section 34(1)(c) of FOISA.

Mr Gilroy made an application to the Scottish Information Commissioner pursuant to section 47(1) of FOISA.  The Commissioner issued a Decision in respect of that application (Decision 005/2015) finding that the Police were correct to withhold the information under section 38(1)(a).  Section 56 of the FOISA provides a right of appeal to the Court of Session against a decision of the Scottish Information Commissioner on a point of law.  Mr Gilroy appealed the decision of the Scottish Information Commissioner to the Court of Session.

The Court of Session’s decision is a short one. The relationship between the Data Protection Act 1998 and FOISA has been the subject of previous litigation and nothing new was brought out in this case.  The litigation that has previously occurred in this field has confirmed that the question of whether information is personal data is a factual one.  The Lord President (Carloway), in giving the decision of the Court, considered that there was “no identifiable error of law” in the Commissioner’s decision (para [14]) and that there was no “point of law to be considered” (Para [15]). The Lord President’s judgment states that Mr Gilroy’s appeal was “essentially an application to this court to review an assessment of fact made by the first respondent”. Mr Gilroy’s appeal was therefore refused by the Court.

The judgment does highlight (once again) the wide scope of the definition of personal data in the Data Protection Act.  The Information in question was not stills or footage from the CCTV, but rather a list of images together with details such as location, dates and times.  This was considered by the Court to clearly be within the definition of personal data and that the Appellant was the data subject (para [14]).

The Commissioner did not consider in her decision the question of the application of section 34(1)(c) to the information because it was, in her view, exempt under section 38(1)(a).  The Court of Session therefore did not consider it either.

The Court’s judgment can be read on the Scottish Courts and Tribunals website here.

Constitutional Law, Criminal Justice, Criminal Law, Human Rights, Legal System, Politics, Public Law, Scots Law

Statutory Judicial Directions in Sexual Offences Cases

In all democratic countries there is a very clear separation of powers between the Executive, Legislature and Judiciary.  This is important so as to ensure that there are proper checks and balances on power and is really quite fundamental so as to ensure an effective democracy.  It is so fundamental that when the Scottish Parliament embarked upon a programme of restructuring the judiciary, it set out in section 1 of the Judiciary and Courts (Scotland) Act 2008 that the judiciary are to continue to be independent of the First Minister, the Lord Advocate, the Scottish Ministers, Members of the Scottish Parliament and others.

Judicial independence and impartiality flows from the doctrine of the separation of powers which is so fundamental to democracy.  It is important that the judiciary is totally independent from the Executive and the legislature.  Although judges in Scotland are appointed by Her Majesty the Queen, they are done so after having been selected by a body independent of the State, the Judicial Appointments Board for Scotland.  Neither the legislature nor the Executive play any role in the appointment process, other than by setting out the qualifications required to be a judge (see Chapter 3 of the Judiciary and Courts (Scotland) Act 2008).

This independence means that neither the Scottish Ministers nor the Scottish Parliament should seek to interfere with the independence of the Judiciary.  Parliament serves two primary functions: to make laws and to hold the Executive to account.  The Judiciary interprets and applies the laws made by Parliament and also holds Ministers to account.  Finally, Parliament holds the judiciary to account by having the power to change laws when the Judiciary interpret either the common law or statutory provisions in a way that Parliament considers is wrong.  It is rightly difficult to remove judges from post, their independence would be threatened if it was far too easy to remove them; it might make judges less able to perform their important function of holding the Executive to account, for example.  These three parts of the State work together (not always harmoniously, but that is to be expected) to ensure that the State does not over exert its powers and that no part of the State becomes too powerful.

The impartiality is also of huge importance and two-fold.  Firstly, the judiciary must be politically impartial.  It is for this reason that when lawyers become judges they must sever ties with any political parties that they may well have had connections to.  They should not be seen to make political comments, whether in the press, in speeches or in their judgments; especially if such comments align themselves with a particular political position or party.  Their impartiality also extends to the parties before them.  They must be careful not to be seen to be supporting one side or the other in any way.  That is not an easy task.

There is currently a proposal before the Scottish Parliament that may impact, in a negative way, both the impartiality and independence of the judiciary.  Section 6 of the Abusive Behaviour and Sexual Harm (Scotland) Bill seeks to insert a section into the Criminal Procedure (Scotland) Act 1995 that would require judges to give specific directions in certain sexual offences cases.  Those directions are undoubtedly well-meaning and seek to address common misconceptions about complainers in sexual offences cases, especially around any perceived delay in making the allegation to the police and how they react during the alleged offence.  However, simply because they are well-meaning and seek to serve a wholly commendable purpose does not mean that they should not be enacted or questioned.  In my view the potential constitutional difficulties that they present far outweigh the benefits, especially when there are other ways to achieve the same aim that do not impugn upon fundamental constitutional principles.

Independence

These statutory provisions would require Judges to include specific information in their charges to juries in sexual offences cases.  This is something that clearly crosses the line in the separation between Parliament and the Judiciary.  This is wholly different to Parliament telling judges that they have come to the wrong conclusion as to what the law is by passing substantive statutory provisions.  It is Parliament expressly dictating to judges how they should do their job.  We should always prevent Parliament from taking such steps.

Impartiality

The Directions which Parliament proposes judges should make in their charges are well founded in evidence.  However, what they seek to do is bolster the credibility of the principal crown witness in a sexual offences claim (i.e. the complainer).  It is entirely appropriate that we seek to remove any myths about complainers in sexual offences cases; only when we do so can we move towards a position where those who have suffered at the hands of a sex offender can get a proper shot at receiving justice.  When a judge is giving their charge to the jury they set out plainly what the law is in respect of the offence(s) contained in the Complaint/Indictment, explain to the jury the three possible verdicts open to them, the concept of reasonable doubt and finally that a majority of the jurors must be satisfied beyond reasonable doubt of the accused’s guilt before they can convict the accused.  In a jury trial the judge is there to deal only with matters of law and procedure; they are there to ensure that both the prosecution and the defence act and are treated in a fair manner, as well as making rulings on issues of law and procedure and setting out the law to the jury that they need to apply to the evidence they have heard in court.

One of the factors that jurors need to weigh up in reaching their verdict is the credibility of not just the complainer, but every other person who has given evidence before them.  Only once they have assessed the credibility of a witness can they decide whether to believe them and how much weight to accord their evidence.  It is clear therefore that the credibility of the complainer in any case, including a sexual offences case, is of central importance to the jury.  In my view it therefore follows that any comment by a judge that seeks to bolster the credibility of a witness (regardless as to whether they are the complainer or the accused) impugns upon their impartiality from the parties to the case (in this situation, from the Crown).

How else can this issue be addressed?

As I have already stated, there are many myths around the conduct of sexual offences complainers – including around how quickly they make the allegation official and issues about their actions and reactions while the alleged offender is committing the alleged offence.  A complainer who makes their allegation quickly should not automatically be presumed to be more honest that one who waits weeks, months or even years to make their allegation.  It should not be relevant whether or not a complainer made attempts to fight the alleged offender off.  These are the issues that these proposed jury directions seek to address.

In my view, these can be addressed in ways other than by requiring judges to set out a case bolstering the credibility of the complainer in their charge to the jury.  The issue of the credibility of the complainer, or rather the task of presenting the complainer as a credible witness, lies with the Procurator Fiscal Depute or Advocate Depute who is prosecuting the case.  Therefore, we ought to be looking at ways to put this evidence before a jury; whether that is by obtaining it through a witness such as a specially trained police officer or an expert such as a psychologist.   It wouldn’t necessarily be essential to require a complainer to explain why they didn’t make an attempt to fight of the alleged offender or why they delayed in making the report; although, these matters may well be explored during the complainer’s evidence in either examination-in-chief or cross-examination.

Addressing this issue in the way I have described would ensure that what is essentially a question of fact for the jury (that being, the assessment of the credibility of the witness) is treated as such and is not dressed up as being a matter of law being dealt with by the presiding judge.  It would also ensure that points of view that might well be held by the jury, which are not supported by evidence are properly addressed.  Finally, it would ensure that the independence and impartiality of the judiciary is properly and rightly preserved.

It is therefore my view that the Scottish Parliament should remove section 6 from the Abusive Behaviour and Sexual Harm (Scotland) Bill.

FOIA, Freedom of Information, Information Law, Information Rights

Valid FOI Requests via Twitter: Part 2

Earlier this week the question of the validity of tweeted information requests under the Freedom of Information Act 2000 arose once again.  I have written on this subject previously and you can read that post here.  The discussion arose following the decision of the First-Tier Tribunal (Information Rights) in the case of Bilal Ghafoor v the Information Commissioner.  In that case the Tribunal determined that Mr Ghafoor had not made a valid request for information for two reasons: (1) Mr Ghafoor did not provide his real name in his request and (2) he did not provide an address for correspondence.  My view is that in respect of both of these questions the Tribunal was wrong.

You can read the full procedural history in the Tribunal’s decision (paragraphs 2 – 12).  Mr Ghafoor appealed to the Tribunal on whether the DWP had failed to comply with section 11 of the Freedom of Information Act 2000 buy not responding to his request via Twitter.  However, the Tribunal essentially performs a full reconsideration of the entire request when it hears a case.  Instead the Tribunal decided that Mr Ghafoor had not made a valid request for information by virtue of not including his real name (para 29) and also because twitter was no a valid address for correspondence (para 28).

Real Name

It has long been understood that in order for a request for information to be valid it must include a person’s real name.  This is not something that is new and it is something that I mentioned in my previous consideration on this blog of the question of tweeted FOI requests.  However, what I have not given much consideration to, until now, is the question of aliases as opposed to pseudonyms.

In my view the use of a pseudonym quite clearly fails to comply with the requirement that a requester include their real name.  The purpose of a pseudonym is to hide a person’s true identity.  This is, in my view, quite different to an alias.  An alias is a name by which a person is also known, it is not something that is used to hide their identity; rather it is more akin to a name which is part of their identity.

In the case of Mr Ghafoor, the name FOI Kid is more of an alias than a pseudonym.  It is a name by which he commonly goes, not to hide his identity (as evidence by his inclusion of his name in his twitter bio).  He may only be known by that name within certain circles, but in my view that does not detract from the fact that ‘FOI Kid’ could be considered as part of his identity.  It is a name by which he goes online and is identifiable within information rights circles.

What is someone’s real name?  Is it the name that appears on their birth certificate?  How many people do you know that do not go by the name that is on their birth certificate?  For example, I have an uncle who is more commonly known by his middle name – many people will not have a clue what is true first name is.  I know of others who also go by a name other than that on their birth certificate and again who people will not have any idea what their true name is.

Could a John Smith who trades as Smiths not be able to make a request for information in the name “Smiths”?  I would say that he can because it is a name by which he commonly goes, in a professional capacity at least.  Indeed, a public authority might want to know that it is John Smith of “Smiths” who is making the request because perhaps the tender exercise that Mr Smith is making a request for information about was one in which “Smiths” submitted a bid.  Mr Smith might therefore be entitled to additional information under section 7 on of the Data Protection Act 1998 (the right of subject access) than someone other than him making the request.

Therefore, my view is that an alias by which someone has been going for some time would comply with the requirement to provide the name of the applicant in section 8 of the Data Protection Act 1998.  In the case of Mr Ghafoor my view is that ‘FOI Kid’ is an alias so well established that it would comply with the requirements of section 8.

Address for Correspondence

The Tribunal also concluded that Mr Ghafoor did not make a valid request for information because twitter was unsuitable for responding to and made reference to the 140 character word limit.  However, I disagree with this conclusion also.

Firstly, there are free services such as ‘Twitlonger’ which enable people (including public authorities) to send tweets longer than 140 characters.  Furthermore, it is possible to attach media to tweets through the Twitter site and also a range of social media management services used by businesses and other organisations.  While it might not be possible to send a full refusal notice or to disclose information through the 140 characters permitted by Twitter, it is however possible to attach a pdf letter and other attachments to tweets.  In my view there is no difference between this and attaching letters and documents for disclosure to an E-mail.  It might take multiple tweets to send the complete response together with all of the attachments to the requester, but the same is true for E-mail.  File size limits often mean that multiple E-mails need to be sent in order to supply all of the information being disclosed by the public authority.

For those reasons I take the view that twitter is an appropriate address for correspondence and the Tribunal fell into error by concluding that it was not.  Perhaps their error came about as a failure to full understand the exact parameters of the operation of twitter, but in my view it fell into error nonetheless.

Data Protection, Information Law, Information Rights

More cross-border Data Protection

On Thursday the Court of Justice of the European Union issued another decision on the interpretation of Direction 95/46/EC – the Data Protection Directive.  The case was on reference from the Hungarian Supreme Court and asked a number of questions around when a data controller is established in a particular member state for the purposes of the Directive.

Factual Background

Weltimmo s.r.o is a company registered in Slovakia under Slovakian law. It operates one or more property websites which are written in Hungarian and feature Hungarian properties.  The Company offered one month’s free advertising before beginning to charge its customers for the use of its service.  Somewhat unsurprisingly a lot of people took advantage of the one month free offer and then sought to have their adverts and personal data erased at the conclusion of the free month.  Weltimmo did not delete the advertisements or their personal data and instead charged its customers for the use of its services.  Those charges went unpaid and Weltimmo passed details of the ‘debtors’ onto debt collection agencies in Hungary.

Complaints were made to the Hungarian Data Protection Authority who found that Weltimmo had breached Data Protection law.  A fine of approximately €32,000 was imposed on Weltimmo.  Weltimmo appealed and the fine was overturned; however, it was determined that Weltimmo was established in Hungary for the purposes of Hungary’s data protection law.  Weltimmo disagreed and appealed to the Hungarian Supreme Court, who made a reference to the Court of Justice of the European Union.

Other important facts narrated in the Court’s decision are: that the company had a Hungarian bank account; it had a letter box in Hungary that was used for its every day affairs; and it had a representative in Hungary who sought to negotiate settlements of the unpaid debts.

Court’s decision

The Court made reference to Google Spain and stated that “establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements and that the legal form of such an establishment, whether simply a branch or subsidiary with a legal personality.” [28] The Court went on to say that there is a “flexible definition of the concept of ‘establishment’, which departs from a formalistic approach whereby undertakings are established solely in the place where they are registered.” [29]

Essentially what the Court is stating here is that there may be a difference between where a company is registered and where it is established for the purposes of data protection law.  It is necessary to look at where the exercise of activity is and not just about where it has a physical presence by way of a building or a registered office.  A company registered in Scotland, but which deals exclusively in the Republic of Ireland might find itself subject to the data protection law of the Republic of Ireland as opposed to that of the United Kingdom.

In the present case, the Court noted at paragraph [32] that “the activity exercised by Weltimmo consists, at the very least, of the running of one or several property dealing websites concerning properties situated in Hungary, which are written in Hungarian and whose advertisements are subject to a fee after a period of one month.  It must therefore be held that the company pursues a real and effective activity in Hungary.”

In Google Spain the Court held that the Directive does not require the processing of personal data to be carried out by the establishment, but only that it be carried out “in the context of the activities” of the establishment (Google Spain, [52]).  The Court considered that there was “no doubt” that this was the case in the Weltimmo case. [38] Therefore, unless any of the facts concerning bank accounts, representatives and letter boxes proved to be incorrect (matters which it is for the national court to determine) Weltimmo is established in Hungary for the purposes of data protection law.

The Court did stress that the owners of the properties being advertised had Hungarian nationality was of no relevance in determining the question of which national law was applicable. [40]

The referring court had also sought guidance from the Court concerning the imposition of sanctions.  The Court emphasised the responsibility of national authorities to take action within their own territory and that they may investigate any complaints made to it where the national law of another member state is applicable. [54] However, the Court was equally clear that a national authority cannot impose a sanction upon a data controller who is not established in their territory. [56] This is fairly obvious and stems from the sovereignty of nations.  In those circumstances the national authority that has investigated the matter should pass on the case to the national authority that has jurisdiction to impose a penalty seeking that they do so; based where necessary on any information supplied to that national authority by the authority who initially investigated the complaint.  [57]

For example, the Information Commissioner’s Office cannot take action against Facebook because it is not established in the UK; however, it may investigate a complaint from someone in the UK as to how Facebook has processed their personal data before passing it to the Irish Data Protection Commissioner, who does have jurisdiction by virtue of Facebook being established in the Republic of Ireland.  It would then be for the Irish Data Protection Commissioner to establish whether Facebook has broken Irish Law in relation to data protection and to then impose penalties in accordance with Irish Law, making use of the information passed to it by the ICO.

This is an important judgment that gives very good and strong advice on handling cross-border data protection issues where the internet is involved.  It stresses the need for data protection authorities across Europe to work in co-operation to ensure the rights of data subjects are protected whilst personal data is being processed.  The coming reforms (expected to be in force middle – late 2018) will not move away from that; indeed, with the proposed ‘one-stop’ regulation it will only increase that requirement.

Data Protection, Direct Marketing, Information Commissioner, Information Law, Information Rights, Privacy, Privacy and Electronic Communications Regulations

Round-Up on DPA and PECR: September 2015

A new, trial feature on the blog in which I take a monthly look at the Monetary Penalty and Enforcement Notices issued by the ICO together with the formal undertakings also published.


September has seen the Information Commissioner issue two Monetary Penalty Notices in respect of breaches of PECR and publish three formal undertakings following breaches of the DPA.

General Dental Council

The General Dental Council (‘the GDC’), a statutory regulator, gave the Commissioner an undertaking to comply with the seventh Data Protection Principal.  This followed an incident in which fitness to practice allegations and a CD containing background information relative to the allegations were sent to the wrong practitioner.  An investigation by the GDC established that the error had occurred because the recipient had a similar name to the intended recipient.

The GDC had in place guidance on the processing of such information; this had not been followed by the employees who had arranged for this information to be sent out.  The GDC’s guidance and processes required that the CD on which the background information was sent was encrypted.  In this particular incident the CD was not encrypted.

The Commissioner established that while the GDC had in place sufficient policies and procedures, there was a lack of corporate refresher training in relation to data protection for those employees whose job roles entailed the processing of personal data.  The GDC had introduced induction training, but this was not rolled out to existing staff.  The GDC did have examples of where data protection training was being delivered; however, much of this was delivered on an ad hoc basis.

The Undertaking records a second incident where a patient’s dental records had gone missing.  The GDC’s investigation suggested that the records had never left their office, but had instead been securely destroyed.  However, the employee involved in this incident had not received induction data protection training.

Cold Call Elimination Ltd

The Commissioner served a Monetary Penalty Notice on Cold Call Elimination Ltd following breaches of PECR.  Somewhat ironically Cold Call Elimination Ltd was making unsolicited cold calls to sell a service and device to stop unsolicited cold calls.

The Commissioner wrote to the company following a number of complaints to the Commissioner and the Telephone Preference Service.  The Company provided an explanation and further explained that it would be putting in additional measures relating to unsolicited marketing calls.  The Commissioner placed the company on a period of monitoring for a period of 3 months, during which a large number of complaints continued to be received.

The Commissioner’s Office met with Cold Call Elimination Ltd to discuss its compliance with PECR following which a further period of monitoring took place.  During that second period of monitoring there was a drop in the number of complaints received, but the Commissioner described this as an insignificant drop.

The Commissioner had received 46 complaints directly from individuals who were subscribed to the Telephone Preference Service between 14 June 2013 and 31 March 2015.  The Telephone Preference Service had received 336 complaints over the same period.

The Commissioner determined that the company was in breach of Regulation 21 of PECR and subsequently issued a Monetary Penalty Notice in the amount of £75,000.

Martin & Company

Martin & Company, a firm of solicitors, gave the Commissioner an undertaking to comply with the seventh Data Protection Principal following an incident in which a DVD containing CCTV footage went missing.  The firm was acting for a criminal accused and the CCTV footage was released to them by the Crown Office and Procurator Fiscal Service (‘the COPFS’).  Martin & Company is based in Ayr and the DVD required to be collected from the COPFS office in Kilmarnock.  Martin & Company instructed a third party to collect the DVD from the COPFS.  The DVD went missing having been collected by the third party, but before reaching Martin & Company.

The Commissioner’s investigation found that there were some shortcomings in Martin & Company’s procedures.  In particular the Commissioner highlighted a lack of guidance to staff regarding the DPA as well as relevant training on the DPA.  The Commissioner also took the view that there was a lack of formal procedure for staff when arranging to have personal data collected from outside of the office environment.

FlyBe Limited

FlyBe Limited, an airline, gave the Commissioner an undertaking to comply with the seventh Data Protection Principal following an incident in which a temporary employee sent a scanned image of another individual’s passport to his personal E-mail address.  The incident occurred in the department responsible for processing airside clearance for other FlyBe staff.

The Commissioner investigated and discovered that FlyBe did not provide any training to its staff members who processed personal data, including the temporary employee who was involved in this particular incident.  The Commissioner also found that FlyBe’s data protection policy was inadequate and only provided limited information.

Home Energy & Lifestyle Management Ltd

The Commissioner served a Monetary Penalty Notice on Home Energy & Lifestyle Management Ltd following breaches of PECR.  Home Energy & Lifestyle Management Ltd engaged in a marketing campaign via automated recorded calls to 6 million people in relation to the ‘Green Deal’, a Government backed energy saving initiative

The Commissioner wrote to the company having received a number of complaints about the calls being made.  The Company explained that it had now ceased the marketing campaign and that it had not realised that there were different rules in the Privacy and Electronic Communications Regulations for recorded calls as opposed to “live” calls.  The company also sought to explain the calls by attempting to lay the blame at the door of the third party company it had contracted to make the calls on its behalf.

The Commissioner’s office received 242 complaints concerning Home Energy & Lifestyle Management Ltd’s calls during a three month period of monitoring. The Commissioner decided that the company had breached Regulation 19 of PECR. The Commissioner also found that the company had breached Regulation 24 of PECR by not identifying the person who was sending the automated marketing calls, not providing the address of the person and not providing a telephone number on which the person responsible for making the calls can be reached free of charge.

The Commissioner issued a Monetary Penalty notice requiring the company to pay the sum of £200,000, the largest amount ever required for a breach of PECR. Press reports of the Monetary Penalty Notice have indicated that the company intends to appeal.

Comment

In respect of the three undertakings for breaches of the Data Protection Act 1998 it is clear that data controllers, even large organisations, are still failing in the basics by not having in place adequate policies and procedures covering data protection and failing to provide adequate induction and refresher training on data protection to those who handle personal data.  This is a regular feature in enforcement action taken by the Information Commissioner.  Having in place sufficient policies and procedures, as well as training and adequate checks to ensure compliance, will reduce the chances of experiencing a data breach in the first place.  Furthermore, it will undoubtedly serve to mitigate any enforcement action taken by the Commissioner should a data controller experience a breach.

The Monetary Penalty Notices issued this month highlight the importance of ensuring that organisations undertaking marketing by telephone have in place he appropriate consents and take sufficient steps to ensure that the calls are not made to individuals who have registered with the Telephone Preference Service.  They also highlight the truth of the latin maxim ignorantia legis neminem excusat – or ignorance of the law excuses no one. Following a change in the law, it is now much easier for the Commissioner to issue Monetary Penalty Notices in respect of breaches of PECR; it is therefore now much more likely that breaches of PECR will result in the Commissioner issuing Monetary Penalty Notices.

Random

International Right to Know Day 2015

On 28 September 2002 in Sofia, Bulgaria a group of Freedom of Information organisations from around the world proposed having a day to raise people’s awareness of their right of access to information, as well as to promote freedom of information as essential to good governance and democracy.  The day was to be called ‘International Right to Know Day’, and it is marked each year by freedom of information organisations and advocates to both celebrate freedom of information and to raise awareness of it.

Last week the Scottish Information Commissioner published her annual report in which it was reported that awareness of the right to access information is high among Scotland’s population.  The Commissioner’s report stated that 84% of people said that they are aware of FOI, the highest level recorded.  Scotland benefits from the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 in relation to information and environmental information held by UK public bodies.  It also benefits from the Freedom of Information (Scotland) Act 2002 and the Environmental Information (Scotland) Regulations 2004 in relation to information and environmental information held by public bodies in Scotland.

Earlier this month a Scottish Government consultation closed on extending the provisions of the Freedom of Information (Scotland) Act 2002 (and thereby also the Environmental Information (Scotland) Regulations 2004) to a number of bodies not already covered by the legislation.  Meanwhile, the UK Government announced in July that it had established a commission to look at the Freedom of Information Act and its operation; the terms of reference of that commission have broadly been interpreted as being about restricting information access rights.

The right to know is an important one that has seen lots of important information released over the years.  The MPs expenses scandal came about partly as a result of FOI and we also know about the matters and issues that HRH the Prince of Wales has lobbying Ministers about as a consequence of FOI.  On a local level people have been able to uncover in much more detail what has been going on in their local councils, police forces and NHS services.  If you are interested to see the sorts of information that have been released over the years then you can visit www.whatdotheyknow.com, a website that enables individuals to make Freedom of Information requests.  All requests made via the site are published online, including the authority’s response.  The site has been going since 2008 and hundreds of thousands of requests have been made using it since then; so there is highly likely to be something on there that interests you.  If there is anything you would like to know about what the Government or your local council/police force/NHS services are doing you could even use WhatDoTheyKnow to make a request and find out.

The right to know doesn’t just extend to public authorities in Scotland or the UK.  There are freedom of information rights in relation to the European Union and its institutions.  This right, in the UK at least, is probably a lot less well known than the domestic rights to access information.  With a referendum on our continued membership of the EU on the cards in 2017 it would seem like a good opportunity to get to know what the EU does and how it does it.  There is a website that uses the same software and principals as WhatDoTheyKnow, called AskTheEU, for information access requests to the EU.  It can be found at www.asktheeu.org.

When the Justice Select committee conducted its post-legislative scrutiny of the Freedom of Information Act 2000, it concluded that the Act “has been a significant enhancement of our democracy” which has “improved openness, transparency and accountability”. The committee also stated that they did “not believe that there has been any general harmful effect at all on the ability to conduct business in the public service” and in their view “the additional burdens are outweighed by the benefits.”

If you think that Freedom of Information is important and shouldn’t be restricted you can use www.writetothem.com to write to your MP asking them to protect the FOI Act.

Criminal Justice, Data Protection, Freedom of Information, Immigration Law

Home Office, Twitter and Immigration

Immigration is never far from the headlines in the UK and this has been true for a number of years.  On 1 August 2013 the Home Office conducted a high profile immigration operation around the UK which caused debate and discussion in the UK.  On that day in August 2013 the Home Office published a series of tweets which provided details of the number of persons that they had arrested during the day accompanied by the hashtag #immigrationoffenders and in some cases photographs.

In the days that followed there was national press coverage online on the BBC News website, the Guardian, the New Statesman and others as well as international, for example on the website of Le Parisen, a newspaper in France.  This operation came around a month or so after the mobile billboard campaign ran by the Home Office, which popularly became known as ‘the racist van’ – a campaign that was criticised by the Advertising Standards Authority when the partially upheld a complaint against the Home Office.  Much of the criticism of the 1 August 2013 operation, known as ‘Operation Compliance’ was around the operation itself and centred on concerns about racial profiling.  However, some people considered whether the Home Office was properly complying with the Data Protection Act 1998 and there was even some consideration as to whether the activities might be considered as prejudicing future criminal proceedings (if any).

After some consideration I made a Freedom of Information request to the Home Office in August 2013 concerning the events of 1 August 2013, a request that finally came to a conclusion on 3 September 2015.  The Home Office initially refused the request and largely upheld that position on internal review (which it took over 9 months to complete).  The Information Commissioner found in his decision notice that the Home Office were entitled to withhold some of the information that they had withheld, but not the rest (see the ICO’s decision here – which also sets out my request in full).  The Home Office then appealed this to the First-Tier Tribunal (Information Rights).  The Tribunal dismissed the Home Office’s appeal (the Tribunal’s decision can be read here) after a hearing in late June 2015.  The information that was disclosed can be read here (this document does include some of the information that had been earlier disclosed, but the Home Office included it in the new disclosure for “consistency”).

What the information reveals is nothing sinister; it shows civil servants planning and executing a public relations campaign highlighting the work that the Home Office is undertaking.  My principal interest though was always around what consideration the Home Office had given to data protection implications, as well as concerns around prejudicing future criminal prosecutions and also compliance with civil service guidance (which someone else had written about following a tweet of a similar nature about a month earlier).

The information that has been disclosed reveals quite a lot by what it does not contain.  There appears to be no direct consideration of data protection or of prejudice to future criminal proceedings or civil service guidance.  Of course, these matters could have been considered and there simply exists no record of them having been considered (that, I suggest, would show a lack of proper and effective record keeping).  There is an indirect reference to the data protection and prejudice matters in the email extract dated 31/7.2013 at 16:42.

The information also shows that the Home Office changed the hashtag prior to the operation commencing.  It would appear from the information disclosed that they had initially intended to use #illegalworking.  It seems that they changed their mind because the 1 August 2013 operation was not solely targeting those working without the proper papers and permission and they feared criticism from using the #illegalworking hashtag.

Of course this information is not anywhere near as valuable as it might have been had it been released in August or September 2013, many people will have forgotten all about the 1 August 2013 operation (I suspect it will be etched in my mind for some time to come having lived it, studied it, discussed it and litigated it for over 2 years).  It has been a long road, but nonetheless the information that has been released is valuable:  it largely shows a measured discussion by civil servants who appear to be trying to demonstrate to the public in relevant and imaginative ways the work of one of the Departments of State; however, it does appear to highlight some weaknesses in the planning for such media operations and if anything, hopefully these matters will be considered in future operations.

EIRs, Environmental Information, Freedom of Information, Scots Law, Scottish EIRs

Registered Social Landlords and the Scottish EIRs

On 2 June 2014 the Scottish Information Commissioner issued a decision notice finding that Dunbritton Housing Association Limited, a Registered Social Landlord (“RSL”), was a Scottish public authority for the purposes of the Environmental Information (Scotland) Regulations 2004 (the Scottish EIRs).  In that decision the Commissioner ordered the Housing Association to conduct an internal review and to respond to the requester accordingly.  Dunbritton Housing Association did not appeal that decision to the Court of Session, as was open to it.

It transpires that Dunbritton Housing Association complied with the Commissioner’s decision and conducted an internal review.  It released some information and withheld the remainder under Regulations 10(5)(e) and Regulation 11(2) of the Scottish EIRs.  The requester made a fresh application to the Commissioner seeking a decision on two matters: (1) whether Dunbritton had identified all of the information falling within the scope of the request; and (2) whether Dunbritton Housing Association was correct to apply the exceptions that it had.

What is interesting is that after not appealing the Commissioner’s decision to the Court of Session and after complying with the Commissioner’s decision by conducting a review and responding to the request, Dunbritton again tried to argue that it was not a Scottish public authority for the purposes of the Scottish EIRs.  The Scottish Information Commissioner, once again, decided that it was.

Dubritton referred to the UK Upper Tribunal’s decision in Fish Legal and argued that the control test within both the UK EIRs and the Scottish EIRs was a high one.  It contended that although the Scottish Housing Regulator had significant regulatory powers over RSLs like Dunbritton it only utilised those powers where a RSL was failing.  It argued that it was therefore not a Scottish public authority for the purposes of the Scottish EIRs.

The Commissioner concluded, correctly, that she is not bound by the UK Upper Tribunal decision and instead looked to the decision of the Court of Justice of the European Union in the Fish Legal case.  She determined, for the same reasons as set out in her previous decision that Dunbritton Housing Association is a Scottish public authority for the purposes of the Scottish EIRs.

There are now two decisions of the Scottish Information Commissioner determining that a RSL is a Scottish public authority for the purposes of the Scottish EIRs, albeit involving the same requester and the same RSL.  Her decision has expressly been based upon the decision of the Court of Justice of the European Union in one case and in the other was made following that Court issuing its decision.  It seems fairly certain that future RSLs that try to argue that they are not Scottish public authorities in applications to the Commissioner will not succeed; although the Commissioner’s decisions are not binding on anyone (including herself), these two decisions begin to show a clear and consistent line of thinking.  It is open to Dunbritton to appeal the decision to the Court of Session – whether or not a person is a Scottish public authority is clearly a question of law.  It remains to be seen whether Dunbritton does appeal.  While an appeal might be successful and create binding case law that RSLs are not Scottish public authorities for the purposes of the Scottish EIRs it could equally go the other way and create binding precedent that states they are.  While there is no binding case law it remains possible for Dunbritton or another RSL to convince the Commissioner that she got it wrong in the two previous decisions.  At this stage it remains a case of waiting and seeing; Dunbritton have 42 days from the date the decision was intimated to lodge any appeal.

Constitutional Law, Devolution, EIRs, Environmental Information, EU Law, FOISA, Freedom of Information, Information Law, Information Rights, Scots Law

A problem with the Scottish EIRs

The Environmental Information (Scotland) Regulations 2004 (“Scottish EIRs”) give individuals the right to request and obtain, subject to certain well defined exceptions, information in relation to the environment from Scottish public authorities.  They implement into the law of Scotland Directive 2003/4/EC of the European Parliament and of the Council on public access to environmental information (“the Directive”).  The Directive in turn implements the Convention on Access to Information, public participation in decision-making and access to justice in Environmental Matters done at Aarhus, Denmark on 25 June 1998 (“the Aarhus Convention”) into EU law.

In Scotland, like the rest of the UK, the Scottish EIRs are an adjunct to Freedom of Information.  The Scottish EIRs sit alongside the Freedom of Information (Scotland) Act 2002 (“FOISA”) and the Scottish Information Commissioner has the same powers of enforcement in respect of the Scottish EIRs as she does in respect of FOISA.  By virtue of Regulation 17 of the Scottish EIRs, Part 4 of FOISA applies to the Scottish EIRs.  The Regulations make certain amendments to Part 4 of FOISA for when it is being read in respect of the Scottish EIRs.

Section 48 of FOISA provides that no application can be made to the Scottish Information Commissioner in respect of three scottish public authorities: (1) the Commissioner herself; (2) a Procurator Fiscal; and (3) the Lord Advocate, where the information relates to his role as head of the systems of prosecution and the investigation of deaths in Scotland.  Essentially, this means that the Scottish Information Commissioner is prohibited from accepting any application for a decision by anyone that relates to the handling of a request for information under FOISA and the Scottish EIRs made to the Commissioner’s Office and the Crown Office and Procurator Fiscal Service (“the COPFS”).  I’m not a fan of this section and think it ought to be repealed in its entirety, but that is a subject for another time.  As far as the Scottish EIRs are concerned this section is a problem.  Essentially, once the Commissioner’s Office and the COPFS have conducted an internal review there is nowhere else for the requester to go if they remain dissatisfied with the response.

Article 6(2) of the Directive provides that:

In addition to the review procedure referred to in paragraph 1, Member States shall ensure that an applicant has access to a review procedure before a court of law or another independent and impartial body established by law, in which the acts or omissions of the public authority concerned can be reviewed and whose decisions may become final. Member States may furthermore provide that third parties incriminated by the disclosure of information may also have access to legal recourse.

The review procedure under paragraph 1 is essentially the internal review procedure provided for by Regulation 16 of the Scottish EIRs.  In respect of every other scottish public authority covered by the Scottish EIRs there exists a right to make an application to the Scottish Information Commissioner and have a decision notice issued by her office together with the ability to appeal (on a point of law only) that decision notice to the Inner House of the Court of Session, and then on to the Supreme Court of the United Kingdom.  There is a decision of a third party that is capable of becoming final.  Therefore, Article 6(2) of the Directive is complied with.  However, these appeal rights do not apply in respect of requests made to the Commissioner’s Office and the COPFS.

It should be theoretically possible to judicially review the internal review response of both the Commissioner and the COPFS.  At a first glance that might be thought to satisfy the requirements of Article 6(2) of the Directive; however, the wording of the Directive suggests that Judicial Review may not be sufficient.  Judicial Review is not an appellate procedure; it is a review procedure.  The Court of Session cannot substitute its own decision for that taken by the public authority.  The Court of Session could, in a judicial review, determine that irrelevant factors had been taking into consideration in respect of assessing the public interest where a qualified exception has been applied; it could not determine that the public interest does or does not support the maintaining of an exception.   Essentially, all the Court can do is uphold the decision of the Commissioner’s Office or the COPFS, or it can quash the decision – it cannot re-take the decision (something that the Commissioner effectively has the power to do when considering an application under section 47(1) of FOISA).  Therefore, judicial review cannot be a “review procedure… in which the acts or omissions of the public authority concerned can be reviewed” because it can only do so to a limited extent.  Therefore, for all practical purposes the decision of the public authority is final, not the decision of a court or another independent and impartial body established by law.

Furthermore, judicial review is expensive and comes with considerable risk in relation to expenses.  While it is theoretically possible for an applicant to represent themselves in the Court of Session, in all likelihood it will necessitate the instruction of a solicitor and at least junior counsel (if not junior and senior counsel); that is expensive.  Even if an applicant manages to represent themselves in the Court of Session; the court fees will be prohibitively expensive to many people.  These fees, payable at various stages throughout the process, will total hundreds of pounds.  The public authority in question will be represented by Counsel and if a requester loses, they may find themselves responsible for paying the public authority’s expenses (although, the Court does retain an inherent discretion in whether to make an award of expenses and to what extent the losing party shall pay the winner’s expenses).  This is relevant because the Aarhus Convention, upon which both the Directive and the Scottish EIRs are based, requires the review processes to be free of charge or inexpensive or not prohibitively expensive (Article 9).  The Court of Justice of the European Union found that the UK had failed to properly implement the Directive when looking at the costs under the English judicial system (see European Commission v United Kingdom).

The problem for the Scottish EIRs gets bigger once consideration is given to the Scotland Act 1998Section 57(2) of the Scotland Act provides that the Scottish Ministers have “no power to make any subordinate legislation, or to do any other act, so far as the legislation or act is incompatible with any of the Convention rights or with EU law.”  The Scottish EIRs are regulations and are therefore subordinate legislation.  By applying section 48 of FOISA to the Scottish EIRs the Scottish Ministers have made subordinate legislation that is ultra vires – it is outside of their competence.  For the Scottish EIRs to be compatible with EU law, section 48 of FOISA cannot apply to them; while it does, the Scottish EIRs do not fully implement Article 6 of the Directive.

This problem is easily resolved.  The Scottish Ministers simply need to amend the Scottish EIRs so as to disapply section 48 of FOISA in respect of the Scottish EIRs.  This would enable the Commissioner to consider applications made to her under section 47(1) of FOISA concerning requests for information made to either her office, or the COPFS that engage the Scottish EIRs.  Of course, the Scottish Ministers could introduce legislation into the Scottish Parliament to repeal section 48 of FOISA altogether (and that would kill two birds with one stone).

If the Scottish Ministers do not choose to make the relevant amendments they could be forced to.  All it would take is for someone to go through the process of making a request for environmental information to either the Commissioner or the COPFS, getting a refusal notice which is then upheld at internal review, and making an application to the Scottish Information Commissioner so as to get a notice from the Commissioner stating that no decision falls to be made.  This can then be appealed to the Court of Session for them to make what appears to be an inevitable decision: the Scottish Ministers acted ultra vires when applying section 48 of FOISA to the Scottish EIRs – an expensive process, but one that someone will eventually go down some day.

Politics, Vote 2015

Some thoughts on Proportional Representation

Following the 2015 general election there has been an incredible amount of support for and discussion about Proportional Representation.  I am 26 years old and I have been a proponent of Proportional representation for half of my life.  I first began to support the concept of PR for UK elections after studying different electoral systems during a Modern Studies class.   Even at the age of 13 it was clear to me that the First-past-the-Post electoral system that we use to elect people to the House of Commons does not work for our modern politics.

The system hasn’t always been broken; it worked when the two main parties attracted 95% of the votes cast by the electorate.  As time has marched on our politics has changed.  The political landscape is vastly different to how it looked in the late 1800s and early 1900s and as a consequence the electoral system no longer functions in a way that is appropriate.

The current Government in the UK consists of a single party which holds a (slim) majority of seats in the House of Commons.  In percentage terms, the Conservative Party has 50.9% of the seats having achieved only 36.9% of votes cast nationally.  It is over-represented in the commons by approximately 90 seats on a proportional votes to seats basis.

The Conservative Party is not the only party that is over-represented in the current House of Commons: the Labour Party, DUP and the Scottish National party are over-represented.  The Labour Party has 35.7% of the seats with 30.4% of the votes cast nationally; it is over-represented by about 31 seats on a proportaional votes to seats basis.  The Scottish National Party has 8.6% of the seats in the Commons having achieved 4.7% of the votes cast nationally (given that the SNP had candidates standing only in Scotland the figures are slightly misleading.  Looking only at the votes cast in Scotland for the seats allocated to Scottish constituencies it has 95% of the seats on 50% of the votes cast).  The SNP is over-represented in the House of Commons by about 30 seats on a proportional votes to seas basis.  The DUP has 1.2% of the seats available in the Commons with 0.6% of the votes cast nationally (like the SNP, it did not have candidates standing in all constituencies; it’s only candidates were in Northern Ireland and has 44.4% of the seats allocated to Northern Irish Constituencies with 25.7% of the votes cast in Northern Ireland) and is over-represented by about 3 seats.

If some parties are over-represented it follows that some must be under-represented; the Liberal Democrats, the Green Party and UKIP are all under-represented.  The Liberal Democrats have 1.2% of the seats with 7.9% of the votes cast nationally.  They are under-represented by about 42 seats.  As for the Green Party they have 0.2% of the seats in the Commons with 3.8% of the votes cast nationally and are under-represented by about 22 seats.  UKIP also have 0.2% of the seats in the Commons with 12.6% of the votes cast nationally; they are under-represented by about 81 seats.  There are other parties who are under-represented in the Commons based on the votes that were cast, but for the sake of brevity I will not set them out in detail.  The parties are: Plaid Cymru, Sinn Fein (who by convention don’t take up their seats in the Commons), the Ulster Unionist Party and the Alliance Party.  The only party whose representation under FPTP is what it would have been under a PR system is the SDLP.

You will notice that where I have stated by how many seats a party is over-represented or under-represented I have qualified it with “about”; I have done so because had the election been run using a PR system rather than FPTP it will likely have changed the way some people voted (and quite possibly in significant enough numbers to affect the seat distribution).  There will have inevitably been a great deal of tactical voting in this election; FPTP encourages tactical voting, especially in seats that are considered to be ‘marginal’.  In seats that are marginal, people who know their preferred candidate has little chance of being elected will often vote tactically; that is to say they will vote for the person most likely to defeat the candidate that they least want to win.  So, in a Labour-Tory marginal seat someone who might naturally prefer the Liberal Democrats may well recognise that the Lib Dem candidate is highly unlikely to win.  They may absolutely not want the Labour candidate to win and so vote Conservative because they are the candidate most likely to defeat the Labour candidate.

It is impossible to take account of tactical voting with any degree of certainty when modelling a PR based Parliament on votes cast under the FPTP system.  There are also a multitude of different PR systems; some of which it is not possible to translate FPTP results into because they use a preferential voting method (i.e. you rank as many or as few of the candidates/parties standing in the order that you prefer them).

I may be a proponent of PR, but I do recognise it is not perfect either; there is no such thing as the perfect system.  There are trade-offs to be made and which system you favour depends on what it is you value and what it is you hope you achieve by introducing PR.  For example, if you’re more interested in getting as close to a representative Parliament as possible and are not fussed about the ‘local link’ between the elected representative and the constituency; then a system based on a party list is likely to take your fancy.  However, if you favour keeping the local-link despite that resulting in an ever so slightly less representative Parliament (but still far more representative than FPTP), then something like the Single Transferrable Vote (STV) system is probably going to get your support.

Personally, I favour STV because I would prefer to keep the ‘local link’ over having a totally representative Parliament.  However, I recognise that such a system might not best serve the country.  Looking at it objectively a list system is probably more appropriate and that’s simply because I think, objectively, the local link has already largely been lost.  There are a few exceptions, but if you ask a representative sample in each constituency who they voted for you are most likely to get either the name of the party or the name of the party leader as opposed to the name of the candidate that actually appeared on the ballot paper.  That’s because in reality the majority of people vote for a party irrespective of the candidate.

Having long been a convert to the PR cause I am glad to see that more people appear to be coming round to the idea that PR is better in our modern politics.  I did vote for AV in 2011, but I also know that a lot of pro-reform people voted no.  I understand why they did so, AV was a false option; it’s not a PR system.  While it does deal with many of the issues with FPTP in the our modern political world, it does not result in a proportionate parliament; it doesn’t even deliver an a parliament that is approximately proportional.  I vote for it because despite its flaws it was progress, a move in the right direction.  The referendum in 2011 was lost, and clearly so.  However, that does not (nor should it) preclude reform.  Nor does it mean that there isn’t a huge level of support for a PR system.

I will continue to fight for, campaign for and support electoral reform to bring a more proportional electoral system for elections to the UK Parliament.

The Electoral Reform Society and Unlock Democracy currently have a petition running in support of PR; if you’ve not already signed it and support the concept of a PR voting system in the UK then please consider signing it.  The Petition can be found here.