Author Archives: Jon Baines

November 22, 2024 · 7:29 am

Yes, Ok, I can be vexatious

[reposted from LinkedIn]

Until a few days ago, I had never, in almost twenty years of making FOI requests, had one refused on the section 14(1) grounds that it was vexatious. But this one broke that streak.

A request can be vexatious for a number of reasons, most of which go to the motives or behaviour of the requester (see the leading case of IC v Dransfield [2012] UKUT 440 (AAC)), but the law has also developed to encompass requests which, by nature of the work which would be required to assess and redact exempt information, are simply too onerous to respond to (see Cabinet Office v Information Commissioner and Ashton [2018] UKUT 208 (AAC)).

As I try to have, and show, no bad motive or behaviour, and as I try very hard not to make requests that are too broad, I’d managed to avoid such a refusal until now.

I asked for the full dataset of Tribunal cases which the Information Commissioner has been involved in. In a previous disclosure an extract from this dataset had been provided to someone. I didn’t know that that full dataset had potentially exempt fields in it. Having had this explained to me I don’t doubt that these fields would be exempt, and I don’t doubt the onerousness of the work which would be required to redact it all. So on the face of it, the refusal is fine, and I’ve submitted a follow up request for narrowed-down information.

But I think this was a good example of how the public authority could have dealt with this differently. They knew that I’d seen the previous extract, and should reasonably have surmised from that that I only wanted those fields, but across the whole dataset. An email or phone call to clarify this would have resolved the issue straight away (and I wouldn’t be writing this now). The case officer does acknowledge this (“we apologise that we did not contact you sooner to advise that we would be unable to respond to this request and advise on how it could be revised”), and I’m not going to whinge (unless this is a whinge (it probably is, isn’t it?)) – everyone is busy, and I’ve certainly handled requests as a practitioner where I’ve realised I could done things differently and better earlier in the process.

But it’s a good example of how a small gap in understanding between requester and public authority can lead to more (and unnecessary) work for both.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under access to information, Freedom of Information, Information Commissioner, vexatiousness

Tagged as ,

November 19, 2024 · 5:15 am

Can directors and trustees of charities be controllers?

[reposted from LinkedIn]

Savva v Leather Inside Out & Ors [2024] EWHC 2867 (KB), Sam Jacobs of Doughty Street Chambers, instructed by Forsters LLP for the defendants (the applicant in the instant application)

Is it the case that a director or trustee of a charity (which is a controller) cannot be a controller? That, in effect, was one of the grounds of an application by two defendants to strike out and grant summary judgment in a claim arising from alleged failures to comply with subject access requests.

The claim arises from a dispute between the claimant, a former prisoner, employed by a subsidiary of a charity (“Leather Inside Out” – currently in administration), and the charity itself. The claim is advanced against the charity, but also against the charity’s founder and two trustees, who are said on the claim form to be controllers of the claimant’s data, in addition to, or jointly with, the charity.

In a solid judgment, Deputy Master Alleyne refused to accept that such natural persons were not capable of being a controller: the term is given a broad definition in Article 4(7) UK GDPR, and “includes a natural or legal person, public authority, agency or other body and that there may be joint controllers. On plain reading of the provisions, it is incorrect to suggest that an allegation of joint controllers is, per se, not a legally recognisable claim” (re Southern Pacific Loans applied).

However, on the specific facts of this case, the pleading of the claimant (the respondent to the strike out application) failed “to allege any decisions or acts in respect of personal data which were outside the authority of the trustees as agents for [the charity]…the Respondent’s submissions demonstrated he wrongly conflated the immutable fact that a legal person must have a natural person through whom its decisions are carried into effect, with his case that the natural person must be assuming the defined status of data controller in their personal capacity”. That was not the case here – the founder and the trustees had not acted other than as agents for the charity.

Accordingly, the strike out application succeeded (notably, though, there Deputy Master said he had reached his conclusion
“not without some caution”).

Assuming the claim goes forward to trial, therefore, it can only be advanced against the charity, as sole controller.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under charities, controller, Data Protection, judgments, subject access, UK GDPR

Tagged as , ,

November 16, 2024 · 6:56 am

Non-party access to court documents

The issue of non-party access to information from court cases, such as parties’ skeleton arguments and other case documents, continues to exercise the courts. In a recent judgment (Moss v The Upper Tribunal [2024] EWCA Civ 1414), the Court of Appeal has ruled that the president of the Administrative Appeals Chamber of the Upper Tribunal had been wrong to refuse an application for parties’ written submissions from a Freedom of Information Act case.

Following the Supreme Court’s judgment in Dring, it is clear that there is no presumptive right to such documents. Instead, as Baroness Hale put it, “it is for the person seeking access to explain why he seeks it and how granting him access will advance the open justice principle” (at para 45 of the SC judgment), and if that test is met, the court must consider any countervailing factors (at 46-47).

Here, the AAC President had rejected the applicant’s stated reason (“I am a campaigner and writer with a particular interest in information and rights law and certification/contempt proceedings, and I need copies of the skeleton arguments to see what arguments were deployed in these cases, to enable me to write about them from an informed point of view”) but did not explain why. This was an error of law, and Coulson LJ, reconsidering the material which had been before the President, decided instead that stated reason (just) met Baroness Hale’s first test. There were no countervailing factors, and so the appeal succeeded.

All three appeal court judges note that the Civil Procedure Rules Committee is in the process of considering how to deal with non-party information requests – something Baroness Hale had called for in a postscript to Dring.

However, as happened here, such requests are often made in relation to tribunal proceedings, which are not covered by the CPR. Tribunal rules are notably silent on such issues, and Underhill LJ wisely calls on the Tribunal Rules Committee also to consider the matter.

Aidan Wills of Matrix Chambers acted for the appellant, and Eric Metcalfe of Monckton Chambers for the Information Commissioner’s Office, as an interested party.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

2 Comments

Filed under access to information, Article 10, Freedom of Information, judgments, Open Justice

Tagged as

November 1, 2024 · 5:44 am

Dismissed FE teacher’s data protection, MOPI, HRA claims fail

[reposted from LinkedIn]

Claims in misuse of private information, data protection and for breach of the Human Rights Act, by a dismissed further education teacher against Tameside College and three employees are struck out/subject to summary judgment for the defendant.

The claimant was initially suspended after evidence came to light that he had been dismissed from previous roles. The College’s investigation involved the sending of reference requests to two previous employers, and was also informed by disclosures of Facebook and WhatsApp messages which revealed the teacher had, contrary to instruction, communicated with students on social media whilst suspended, and “sent a threatening message to a WhatsApp Group chat comprising members of staff”.

The deputy master found that in relation to the misuse of private information claims, although the claimant had a reasonable expectation of privacy in the social media messages, “those expectations were greatly outweighed by the need to investigate those messages for the purposes of the disciplinary process”. These were subject to summary judgment for the defendant.

The data protection and human rights claims against individual employees were bound to fail, as they were neither data controllers nor public authorities.

As to the data protection claim against the college, a previous determination by the ICO that the sending of the reference requests was not fair and transparent, because it was contrary to the claimant’s expectations, was wrong: it was “plain that it ought to have been well within the Claimant’s reasonable expectation that, in order to investigate whether he had failed to disclose the fact of his dismissal from those two institutions, each would be contacted and asked about it.”

The college’s processing was lawful under Article 6(1)(b) and (c) of the UK GDPR: “The processing was necessary for the purposes of the contract of employment between the [college] and the Claimant and for the performance of the [college’s] obligations to its other staff, and to safeguard and promote the welfare of its students.” The various safeguarding legal duties and obligations on the college established a clear legal basis for the processing.

Similarly, the human rights claims against the college, which included complaints of unlawful monitoring and surveillance, were bound to fail: “There is no real prospect of establishing a breach of Article 8 for the same reasons that there is no real prospect of establishing misuse of private information. The alleged breaches of Articles 10 and 11 appear to relate to the College’s instructions to the Claimant not to communicate with other staff except with permission. The instruction was plainly a reasonable one made for a legitimate purpose.”

Accordingly, the data protection and Human Rights Act claims were struck out.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, employment, Further education, human rights, Information Commissioner, judgments, LinkedIn Post, misuse of private information

Tagged as , ,

October 30, 2024 · 6:09 am

Pacini & Geyer v Dow Jones – at the interface between libel and data protection

[reposted from LinkedIn]

This is an important judgment on preliminary issues (the second preliminary issues judgment in the case – the first was on an unsuccessful strike out application by the defendants) in a data protection claim brought by two businessmen against Dow Jones, in relation to articles in the Wall Street Journal in 2017 and 2018. The claim is for damages and for erasure of personal data which is said to be inaccurate.

It is believed to be the first time in a data protection claim that a court has been required to determine the meaning of personal data as a preliminary issue in an accuracy claim.

Determination of meaning is, of course, something that is common in defamation claims. The judgment is a fascinating, but complex, analysis of the parallels between determining the meaning of personal data in a publication and determining the meaning of allegedly defamatory statements in a publication. Although the judge is wary of importing rules of defamation law, such as the “single meaning rule” and “repetition rule” a key part of the discussion is taken up by them.

The single meaning rule, whereby “the court must identify the single meaning of a publication by reference to the response of the ordinary reader to the entire publication” (NT 1 & NT 2 v Google LLC [2018] EWHC 799 (QB)) is potentially problematic in a data protection claim such as this where the claimants argue that it is not the ordinary reader they are concerned about, but a reader who might be a potential business investor.

Similarly, it is not at all clear that the repetition rule, which broadly seeks to avoid a defamatory loophole by which someone argues “but I’m only reporting what someone else said – their words might be defamatory, but mine merely report the fact that they said them”, should carry over to data protection claims, not least because what will matter in defamation claims is the factual matrix at the time of publication, whereas with data protection claims “a claim for inaccuracy may be made on the basis that personal data are inaccurate at the time of the processing complained of, including because they have become misleading or out of date, regardless of whether they were accurate at the time of original publication. In that event, what matters is the factual matrix at the time when relief is sought” (at 66).

Nonetheless, and in a leap I can’t quite follow on first of the judgment, but which seems to be on the basis that the potential problems raised can be addressed at trial when fairness of processing (rather than accuracy) arises, the judge decides to determine meaning on a single meaning/repetition rule basis (at 82-84).

There’s a huge amount to take in though, and the judgment demands close reading (and re-reading). If a full trial and judgment ensue, the case will probably be a landmark one.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under accuracy, Data Protection, Data Protection Act 2018, judgments, UK GDPR

Tagged as ,

October 29, 2024 · 7:54 am

ICO and functus officio

[reposted from LinkedIn]

Can the Information Commissioner’s Office (ICO) withdraw or amend a decision notice it has issued under section 50 of the Freedom of Information Act 2000? And, if not, why not?

This FOI disclosure by the ICO states the orthodox (and surely correct) position that, once a section 50 decision has been made, “the Commissioner has discharged his duties under section 50…We can only act in accordance with our powers under the legislation. There is no provision in the FOIA that allows the Commissioner to amend or cancel a DN once it has been issued.”

But the letter goes on to say “…it [is not] accurate to say there is a law that prohibits us from amending a DN”. This is, to the contrary, surely incorrect: there may be no express statutory provision, but common law doctrine of “functus officio” applies.

Functus officio applies where “a judicial, ministerial or administrative actor has performed a function in circumstances where there is no power to revoke or modify it” (R (Commissioner of Police of the Metropolis) v Independent Police Complaints Commission [2015] EWCA Civ 1248, [2016] PTSR 891).

Although there may be exceptions where the decision has been obtained by fraud or it is based on a fundamental mistake of fact (R (Sambotin) v Brent London Borough Council [2018] EWCA Civ 1826, [2019] PTSR 371), the doctrine is most certainly “a law that prohibits” the ICO from amending a decision notice.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under common law, Freedom of Information, Information Commissioner, Uncategorized

Tagged as ,

October 29, 2024 · 5:21 am

ICO, Clearview AI and Tribunal delays

[reposted from LinkedIn]

On 28 October the Information Commissioner’s Office (ICO) made the following statement in respect of the November 2023 judgment of the First Tier Tribunal upholding Clearview AI’s successful appeal of the ICO’s £7.5m fine, and posted it in an update to its original announcement about appealing:

The Commissioner has renewed his application for permission to appeal the First-tier Tribunal’s judgment to the Upper Tribunal, having now received notification that the FTT refused permission of the application filed in November 2023.

It is extraordinary that it has taken 11 months to get to this point.

So what does this mean?

If a party (here, the ICO) wishes to appeal a judgment by the First Tier Tribunal (FTT) to the next level Upper Tribunal (UT), they must first make an application to the FTT itself, which must decide “as soon as practicable” whether to grant permission to appeal its own judgment (rules 42 and 43 of the Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009).

If the FTT refuses permission to appeal (as has happened here), the application may be “renewed” (i.e. made again) directly to the UT itself (rule 21(2) of the Tribunal Procedure (Upper Tribunal) Rules 2008).

So, here, after 11 months (“as soon as reasonably practicable”?) the ICO has just had its initial application refused, and is now going to make an applicant under rule 21(2) of the UT Rules.

The ICO’s wording in its statement is slightly odd though: it talks of “having now received notification” that the FTT “refused” (not, say, “has now refused”) the November 2023 application. The tense used half implies that the refusal happened at the time and they’ve only just been told. If so, something must have gone badly wrong at the Tribunal.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

2 Comments

Filed under Data Protection, GDPR, Information Commissioner, Information Tribunal, judgments, Upper Tribunal

Tagged as ,

October 24, 2024 · 11:20 am

Data (Use and Access) Bill – some initial thoughts

By me, on the Mishcon de Reya website.

Leave a comment

Filed under Data Protection, Data Protection Bill, Information Commissioner, Open Justice, ROPA, subject access

Tagged as

October 24, 2024 · 8:06 am

Harassment of terrorism victims

[reposted from LinkedIn]

It is impossible to imagine claimants with whom one has more sympathy than Martin Hibbert and his daughter Eve, who each suffered grave, life-changing injuries in the 2017 Manchester Arena attack, and who then found themselves targeted by the bizarre and ghoulish actions of Richard Hall, a “conspiracy theorist” who has claimed the attack was in fact a hoax.

Martin and Eve brought claims in harassment and data protection against Hall, and, in a typically meticulous judgment Mrs Justice Steyn DBE yesterday gave judgment comprehensively in their favour on liability in the harassment claim. Further submissions are now invited on remedies.

The data protection claim probably adds nothing, but for those pleading and defending such claims it is worth reading Steyn J’s (mild) criticisms of the flaws, on both sides, at paragraphs 246-261. She has also invited further submissions on the data protection claim, although one wonders if it will be pursued.

Other than that, though, one hopes this case consigns Hall to the dustbin of history.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, judgments, UK GDPR

Tagged as ,

October 20, 2024 · 10:02 am

The missing page about the missing PhD

[reposted from LinkedIn]

[EDIT: you win some, you get the wrong end of the stick on some. It was pointed out to me that the ICO removes items from its disclosure log after two years, which is why the document no longer shows up, and in the comments below I was taken to a copy of the document at WhatDoTheyKnow. Both these points have been confirmed to me in an FOI response from the ICO. What mislead me into thinking there was something more going on was probably the Tribunal’s reference to a “new policy”: it clearly wasn’t so much a policy, as a statement that the ICO would rely on s17(6) FOIA to refuse to reply to future requests, on the grounds that a vexatious campaign was being pursued.]

This is plain odd.

For several years the The London School of Economics and Political Science (LSE), and, consequently, the Information Commissioner’s Office has had to deal to with FOI requests about former Taiwanese president Tsai Ing-wen’s “missing PhD dissertation” (for some background, see here (I don’t vouch for its accuracy)).

A number of these requests have been refused on the grounds of vexatiousness, with many upheld on referral to the ICO.

The Information Tribunal has recently given judgment on one of these, and ruled in favour of the appellant, holding that the request was not vexatious. But what struck me was the fact that both the appellant and the ICO cited in evidence a page (a hosted pdf, going by the URL) on the ICO’s website. The judgment says this

The Appellant stated in his grounds of appeal that after he had complained to the Commissioner about the Authority’s response to the Request, the Commissioner published on the ICO’s website (by reference to a disclosure log) a new policy of not processing FOIA requests seeking information on President Tsai Ing-wen’s PhD.

But a footnote (screenshotted here) correctly notes that the link does not go to this page, and further, I can’t find any sign of it on the UK government web archive or the Wayback Machine. An advanced Google search on the ICO website throws no light.

So I’ve made an FOI request to the ICO, and will update when I get a response.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

4 Comments

Filed under access to information, FOIA, Freedom of Information, Information Commissioner, Information Tribunal, judgments

Tagged as , ,