Author Archives: Jon Baines

July 18, 2024 · 4:21 am

FOIA appeals in the UT: when is there an “error of law”?

Here is a good and interesting judgment in the Upper Tribunal from Judge Citron, on a Freedom of Information Act 2000 (FOIA) case arising from defects in the 2019 “11+” exam run by The Buckinghamshire Grammar Schools (TBGS), with test materials designed and supplied by a third party – GL Assessment Limited. TBGS, as a limited company made up of a consortium of state schools, is a public authority under s6(1)(b) FOIA (by way of s6(2)(b)).

The FOI request was, in broad terms, for the analysis that had subsequently been conducted into the defects, and the statistical solution that had been adopted.

TBGS had refused the request on grounds including that disclosure of the requested information would be an actionable breach of confidence. The ICO upheld this, and, on appeal, the First-tier Tribunal agreed, although only by a majority decision (the dissent was on the part of the judge, and it’s worth reading his reasons, at 85-90 of the FTT judgment).

Possibly bolstered by the vehemence of that dissenting view of the FTT judge, the applicant appealed to the Upper Tribunal.

Judge Citron’s judgment is a measured one, addressing how an appellate court should approach an argument to the effect that there was an error of law at first instance, with a run-through, at 35, of the authorities (unfortunately, from that point, the paragraph numbering goes awry, because the judgment, at “67”, follows the numbering of the judgment it has just quoted).

Judge Citron twice notes that a different FTT might have approached the facts and the evidence in a different way, and weighted them differently, but

that is no indicator of the evaluative judgement reached being in error of law…The question is whether the evaluative judgement…was one no reasonable tribunal could have reached on the evidence before it; it whether some material factor was not taken into account. I am not persuaded.

Therefore, the FTT had made no material error in dismissing the appeal.

A final note. This was a judgment on the papers, but – remember – the Information Commissioner will always be a party to FOIA cases, because it is his decision that is at issue. In this instance, the Commissioner chose not to participate. Paragraph 32 records that he was “directed” to make a response to the appeal, but did not. If this correctly records a failure by the Commissioner to comply with a direction of the court, it is surprising there’s no note of disapproval from the judge.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under FOIA, Freedom of Information, Information Commissioner, Information Tribunal, Upper Tribunal

Tagged as , ,

July 16, 2024 · 8:34 am

“Mom, we have discussed this”

A few years ago Gwyneth Paltrow’s daughter Apple took to social media to gently berate her mother for posting an image (not this one) which included her: “You may not post anything without my consent”. I’ve no idea whether Apple has other fine qualities, but I admired her approach here.

I was reminded of it by the – also admirable – approach by the Prime Minister and his wife to their two children’s privacy. Remarkably, it appears that their names and photographs have so far been kept from publication. It’s doubtful that will be able to continue forever (in any case, the children are at or coming to an age where they can take their own decisions) but I like the marked contrast with how many senior politicians co-opt their children into their campaigning platform.

One of the concerns of the legislator, when GDPR was being drafted, was children’s rights: recital 65 specifically addresses the situation of where a child has consented to publication of their data online, but later wants it removed.

Although Gwyneth Paltrow’s publishing of her child’s image would likely have been out of the material scope of GDPR under Article 2(2)(a) (and quite possibly out of its territorial scope) the thrust of recital 38 should apply generally: “Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data”.

[Image licensed under CC BY-NC 4.0, creator not stated. Image altered to obscure children’s faces]

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under children, consent, Data Protection, GDPR, Privacy, UK GDPR

Tagged as , ,

July 14, 2024 · 11:34 am

Based

For reasons I found myself browsing the privacy notices on the websites of some data protection consultancies this morning. In a large number of cases, where they address the situation of a potential client (which is highly likely to be a corporate entity) instructing them, they say/imply that they will process the personal data of people working for that potential client under the lawful basis of “contract”.

As well as this being, er, wrong, it concerns me for a couple of reasons.

First, why it’s wrong.

Article 5(1)(a) of the UK GDPR obliges a controller to process personal data lawfully. Article 6(1) provides a list of bases of which at least one must be met for processing to be lawful. The basis at Article 6(1)(b) is “processing is necessary for the performance of a contract…”.

I fear that many people stop there (in fact, I fear more that they don’t look at the actual law, and merely refer to some template or notes that were wrong in the first place). But there’s a reason I put an ellipsis: the full lawful basis is “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.

A service contract with a corporate entity does not constitute the sort of contract which is dealt with by Article 6(1)(b).

The reason this really concerns me is that if these consultancies can’t get this fundamental point right in their own documentation, they are presumably advising clients along similar lines.

Such advice might well be negligent. Assuming the consultancies have professional indemnity insurance, it might be affected by matters like this. And there might be notification obligations arising if they become aware of the fact that they’ve given incorrect, and possibly negligent, advice.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, privacy notice, UK GDPR

Tagged as , ,

July 12, 2024 · 7:05 am

Unreasonably accessible – ICO and misapplication of s21?

I’ll start with a simple proposition: if a dataset is made publicly available online by a public authority, but some information on it is withheld – by a deliberate decision – from publication, then the total dataset is not reasonably accessible to someone making an FOI request for information from it.

I doubt that any FOI practitioners or lawyers would disagree.

Well, sit back and let me tell you a story.

In November 2023 the Information Commissioner’s Office (ICO) refused to disclose information in response to a Freedom of Information request, on the grounds that the exemption at section 21 of the Freedom of Information Act 2000 (FOIA) applied: the information was “reasonably accessible to the applicant” without his needing to make a FOIA request.

The request was, in essence, for “a list…of the names of all the UK parish councils that have received 20 or more ICO Decision Notices (for FOIA cases only) since 1st January 2014”. The refusal by the ICO was on the basis that

the search function on the decision notice section of the ICO website returned 415 decision notices falling within the scope of the complainant’s request…[therefore] it is possible to place the names of the parish councils into an Excel sheet and then establish quickly how many decision notices relate to each individual parish council.

The ICO noted that, when it comes to the application of section 21

It is reasonable for a public authority to assume that information is reasonably accessible to the applicant as a member of the general public until it becomes aware of any particular circumstances or evidence to the contrary [emphasis added]

On appeal to the Information Tribunal, the ICO maintained reliance on the exemption, saying that all the applicant needed to do was to go to the ICO website and “look at each entry and count-up [sic] the numbers of [Decision Notices] against each parish council”. The Tribunal agreed: the ICO had provided the requester

with a link to the correct page of the ICO website, and instructing him how to use the search function. These instructions have enabled him to identify from the tens of thousands of published decision notices those 415-420 notices which have been issued to parish councils over the past decade or so

All straightforward, if one’s analysis is predicated on an assumption that the ICO’s public Decision Notice database is a complete record of all decision notices.

But it isn’t.

I made an FOI request of my own to the ICO; for how many Decision Notices do not appear on the database. And the answer is 45. A number of possible reasons are given (such as that sensitive information was involved, or that there was agreement by the parties not to publish). But the point is stark: the Decision Notice database is not a complete record of all Decision Notices issued. And I do not see how it is possible for the ICO to rely on section 21 FOIA in circumstances like those in this case. It is plainly the case that the ICO knew (or was likely reckless in not knowing) that there were “particular circumstances or evidence” which showed that the information could not have been reasonably accessible to the applicant.

Of course, it is quite likely (perhaps inevitable) that the 45 unpublished Decision Notices would make no difference at all to a calculation of how many UK parish councils have received 20 or more Decision Notices since 1st January 2014. But that really isn’t the point. The ICO could have come clean – could have done the search itself and added in the 45 unpublished notices. It knew they existed, but for some reason thought it didn’t matter.

The ICO is the regulator of FOIA, as well as being a public authority itself under FOIA. It has to get these things right. Otherwise, why should any other public authority feel the need to comply?

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

4 Comments

Filed under access to information, datasets, Freedom of Information, Information Commissioner, Information Tribunal, section 21

Tagged as , ,

July 6, 2024 · 10:45 am

FOI and government/ministerial WhatsApps

[reposted from LinkedIn]

An important Information Tribunal (T) judgment on a FOIA request, by Times journalist George Greenwood, to DHSC for gov-related correspondence between Matt Hancock (MH) and Gina Coladangelo (GC), grappling with issues regarding modern messaging methods in government and how they fit into the FOIA scheme.

Two requests were made. The first was for government-related correspondence between MH and GC using departmental email accounts, and any private email account MH had used for government business. The second was for all correspondence between them using other methods, such as WhatsApp.

Request 1

DHSC had found four emails and by the time of the hearing had disclosed them. It maintained that no further info was held.

However DHSC argued that emails sent by MH’s private secretaries and not by MH himself were out of scope. Not so, said the T: “even if a private office email account is operated by a private secretary…correspondence with a private office email account ought to be regarded as correspondence with the relevant minister”. Accordingly, they upheld that part of the appeal and ordered further searches.

Request 2

DHSC had initially said, and ICO had agreed(!), that government-related WhatsApp messages sent from MH’s personal device were not “held” for the purposes of FOIA because they were not held “as part of the official record”. By the time of the hearing, all of the parties were agreed that this was an error, and the T ruled that section 3(2)(b) FOIA applied, and that “WhatsApp messages from Mr Hancock’s personal device were held [by MH] on a computer system on [DHSC’s] behalf”.

DHSC then sought to argue that WhatsApp messages in a group were not “correspondence” between MH and GC, saying (in the T’s formulation of DHSC’s argument) “unless correspondence consists of one person corresponding directly with another, it is not ‘true’ correspondence”. The T was dismissive of this: “correspondence in the age of multiple methods of electronic communication can take different forms…the fact that simply because one or other of the relevant parties did not respond or may not have responded to a particular message does not mean that communications within a WhatsApp group cannot be considered to be correspondence”. The T also rejected the related submission that a person posting a message to a WhatsApp group is “broadcasting”, rather than “corresponding”

(I have to say that I think the T probably overstepped here. I would tend to think that whether information in a WhatsApp group is correspondence or not should be determined on the facts, and not as a matter of general principle.)

Finally, the T did not warm to the evidence from an otherwise unidentified “Mr Harris” for the DHSC, to the effect that the request was vexatious on grounds of the burden. They therefore held that it was not. (As the messages were subsequently disclosed into the public domain during the Covid inquiry, not much turns on this.)

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Freedom of Information, Information Commissioner, Information Tribunal, journalism

Tagged as , ,

July 3, 2024 · 8:05 pm

Data protection v Defamation

[Sometimes I will upload posts I make on LinkedIn to this blog, because they’re easier to archive here: however they’re a bit more “conversational” than usual]

Can (or in what circumstances can) a data protection claim be brought on the basis that processing involves harm to reputation of a sort which, more orthodoxically*, would be brought in defamation?

His Honour Justice Parkes has refused an application by Dow Jones to strike out a data protection erasure claim (with an associated compensation claim) on the grounds that in reality it is a “statute-barred defamation complaint dressed up as a claim in data protection, and brought in data protection to avoid the rules which apply to defamation claims” (the application was also on Jameel grounds).

The judge says he “cannot see how [the claimants] can be summarily denied access to the court to make [their] case, employing a cause of action which is legitimately open to them… simply because in the past they have repeatedly threatened to claim in defamation, or because the claim is heavily based (as it is) on considerations of harm to reputation, or because, had they brought the claim in defamation, it would have faced very difficult obstacles”.

HHJ Parkes notably (ie this needs to go to trial) says that “the state of the law on the recoverability of damages for injury to reputation in non-defamation claims is uncertain and in flux” and that it is “unsuitable for determination on a summary application and probably requires the attention of an appellate court”.

It will be very interesting if this now makes it to trial. But never hold your breath on that folks.

[*yes, I did intend to coin the most awkward adverb possible]

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, defamation, erasure, journalism, judgments, Uncategorized

Tagged as ,

July 1, 2024 · 10:57 am

Can you stop election candidates sending you post?

During every recent general election campaign I can remember, there have been social media posts where people complain that they’ve received campaign material sent to them, by name, in the post. Electoral law (whether one likes it or not) permits a candidate to send, free of charge, one such item of post regardless of whether the recipient has objected to postal marketing, in general or specific terms. This right is contained in section 91 of The Representation of the People Act 1983. So, if you don’t like it, lobby your new MP in a few weeks’ time to get it changed.

Given that it’s always a topic of contention, I welcome the Information Commissioner’s Office’s publishing of guidance (including on the “one item of post” point) for the public on “The General Election and my personal data – what should I expect?

What the guidance does not address, however, is a conflict of laws point. Article 21(2-3) of the UK GDPR create an absolute right to object to direct marketing and a consequent absolute obligation on a person not to process personal data for direct marketing purposes upon receipt of an objection. So how does this talk with the right given to electoral candidates to send one such communication?

Tim Turner has written on this point, in his “DPO Daily”, and says “I don’t think the Representation of the People Act trumps the DP opt-out right”, but – on this rare occasion – I think I disagree with him. This is because section 3(1) of the Retained EU Law (Revocation and Reform) Act 2023 provides that retained direct EU legislation – such as the UK GDPR – must be read and given effect in a way which is compatible with all domestic enactments, and, insofar as it is incompatible with them, those domestic enactments prevail.

So, the short answer to the title of this blog is “no” (although they can only send you just one personally addressed item).

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, elections, Information Commissioner, marketing, political parties, UK GDPR

Tagged as , , ,

June 29, 2024 · 10:16 am

An EIR judgment as long as a novel

Those who think the data protection statutory regime is complex might want to consider how it compares to that under the Environmental Information Regulations 2004 (EIR).

So if you fancy spending the day reading a judgment that is (by my calculations) longer than George Orwell’s 1984, now’s your chance.

A number of personal search companies, who undertake different types of searches for use in real property sale and purchase transactions, are bringing a claim in restitution regarding the charges they’ve paid to defendant water companies for reports under the CON29DW Drainage and Water Enquiry process. Their argument is that information responsive to a CON29DW is “environmental information” (EI) within the meaning of the EIR and that the water companies in question were obliged to make EI available for free or for no more than a reasonable charge. Accordingly, the charges levied by the water companies were unlawful and/ or paid under a mistake of law and that the water companies have been unjustly enriched to the extent of those charges.

The water companies, in turn, say that information responsive to a CON29DW was not EI, and/or that the information was not ‘held’ by them at the time the relevant request was made and/or that they were otherwise entitled under the EIR to refuse its disclosure.

Mr Justice Richard Smith’s magnum opus of a judgment bears close reading (closer than I’ve yet been able to give it), but it contains some notable findings, such as: not all of the information responsive to a CON29DW is EI; not all of the information was held for the purposes of the EIR and not by all of the defendants; information responsive to a CON29DW about internal flooding to a property is personal data (there’s an interesting discussion on the definition of personal data, touching on Durant, Edem, Ittihadieh and Aven v Orbis – but I think this part of the judgment is flawed – just because information about internal flooding could be personal data doesn’t mean it always is (which is what the judge appears to hold) – what about where a residential property is unoccupied and owned by a company?)

It seems to me that the effect of the judgment is to fracture the claim into small bits – some of the info is EI, some is held, by some defendants, some is exempt, etc. – and may well have the effect of damaging the chances of the claim progressing.

The judge ends by imploring the parties to try to resolve the issue other than through the court process. So let’s see if there’s an appeal.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Data Protection, Environmental Information Regulations, judgments

Tagged as ,

June 24, 2024 · 12:51 pm

NADPO June webinar – subject access requests and political party data use

NADPO’s next lunchtime webinar is tomorrow 25 June at 12:30:

Jenna Corderoy – “Investigation into the state of Subject Access Requests” 

Duncan McCann – “Election deepfakes and political data use”

As always, members can attend for free.

Leave a comment

Filed under Uncategorized

June 12, 2024 · 6:14 pm

A violation of the presumption of innocence

This may not be a post directly related to information rights (although it does involve disclosure of information in response to a parliamentary question – which is a potential route to access to information which should never be underestimated). But I’m writing more because it’s on a topic of considerable public interest, and because the efforts and the campaigning of the applicants, and of Appeal, deserve support.

The Grand Chamber of the European Court of Human Rights (ECtHR) has held that the scheme in England and Wales for assessing whether people whose criminal convictions are subsequently overturned is compatible with the European Convention on Human Rights (the “Convention”).

Regardless of whether the ECtHR was correct or not, the underlying issue is, in my view, a national scandal and one that any incoming government should set right as a matter of priority.

Under Section 133(1ZA) of the Criminal Justice Act 1988 (as amended in 2018) the state must pay compensation where a new or newly discovered fact shows beyond reasonable doubt that there has been a miscarriage of justice. But a miscarriage of justice will only have occurred “if and only if the new or newly discovered fact shows beyond reasonable doubt that the person did not commit the offence”. This reverses what would be the normal burden of proof in criminal justice matters, and in effect requires the wrongfully convicted person to prove their innocence to gain compensation, despite the fact that their conviction has been overturned.

Figures given in response to a parliamentary question last year revealed that an extraordinary 93% of cases did not warrant compensation under the scheme. 

At the ECtHR, the applicants contended that the domestic scheme infringed Article 6(2) of the Convention, which provides that “Everyone charged with a criminal offence shall be presumed innocent until proved guilty according to law”. Although the ECtHR noted “the potentially devastating impact of a wrongful conviction” it also held that the UK was

free to decide how “miscarriage of justice” should be defined for these purposes, and to thereby draw a legitimate policy line as to who out of the wider class of people who had had their convictions quashed on appeal should be eligible for compensation…, so long as the policy line was not drawn in such a way that the refusal of compensation in and of itself imputed criminal guilt to an unsuccessful applicant

It was not, said the ECtHR, its role “to determine how States should translate into material terms the moral obligation they may owe to persons who have been wrongfully convicted”.

Although there was a strong dissenting opinion which would have held that the compensation scheme resulted in a violation of the presumption of innocence, it must now fall to the next Parliament to take forward the “moral obligation” and put right where a previous Parliament went wrong. This does not, and should not, need to wait for the outcome of the Malkinson Inquiry. That inquiry may well have things to find out, and things to say, in general, about miscarriages of justice but it is not in its remit to consider the compensation point: that can, and should, be resolved sooner.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under access to information, Article 6, Europe, human rights, Ministry of Justice, parliament, Uncategorized

Tagged as