Category Archives: Information Commissioner

November 27, 2024 · 5:57 am

Late (very late) reliance on exemptions, redux

[reposted from LinkedIn]

A Freedom of Information exemption may be relied upon “late” by a public authority (e.g. it can be claimed, after an initial refusal on other grounds, during an investigation by the Information Commissioner, or in the course of proceedings before the First-tier Tribunal). The jurisprudence on this is clear (Birkett v The Department for the Environment, Food and Rural Affairs [2011] EWCA Civ 1606, All Party Parliamentary Group on Extraordinary Rendition v Information Commissioner & Ministry of Defence [2011] UKUT 153 (AAC), Information Commissioner v Malnick and the Advisory Committee on Business
Appointments [2018] UKUT 72 (AAC), McInerney v Information Commissioner and the Department for Education [2015] UKUT 0047 (AAC)).

But can a public authority, having received a preliminary decision from the FTT that an exemption is not engaged, and after the FTT has invited further submissions on the other exemptions said to be engaged, adduce new grounds for the rejection of the first exemption? Perhaps surprisingly, the FTT has answered “yes”.

In Finch v IC & HMT EA/2023/0303, the FTT had rejected HMT’s reliance on the section 12 costs exemption, in a preliminary decision of 12 January. HMT had argued that its IT supplier would charge more than £600 to retrieve the requested information from storage, and so the s12 exemption was engaged. However, the FTT held that no evidence was provided as to this, and so rejected the argument. As the ICO’s decision under appeal had only considered the s12 issue, the other exemptions said by HMT to be engaged (s40(2), s41, s43(2)) required further submissions from the parties, and so the FTT directed that these be provided and heard at a subsequent hearing.

HMT then submitted that it wished to rely on s12 on different grounds because a “new factual matrix” needed to be considered – in fact it did have access to repository of information, but the searches would take c.46.5 hours (and so exceed the s12 costs limits).

The FTT determined (Birkett, Malnick and – oddly – Browning v Information Commissioner [2013] UKUT 236 considered) that the broad case management powers under rule 5 of the Tribunal Rules allowed it to set its own procedure and that, accordingly, it would permit this “pivoted” reliance on new s12 grounds.

Those new grounds then prevailed, the s12 exemption applied (as would have, if necessary, the s40, 41, and 43 grounds) and the appeal failed.

Even though the ICO did not appear at the hearing, they did make submissions suggesting they opposed the late reliance. It will be interesting to see if they seek to appeal, as the idea that public authorities can as a general rule shift their grounds for relying on an exemption after it has been – in a preliminary decision – rejected, is not a particularly attractive one.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Environmental Information Regulations, FOIA, Freedom of Information, Information Commissioner, Information Tribunal, judgments

Tagged as

November 22, 2024 · 7:29 am

Yes, Ok, I can be vexatious

[reposted from LinkedIn]

Until a few days ago, I had never, in almost twenty years of making FOI requests, had one refused on the section 14(1) grounds that it was vexatious. But this one broke that streak.

A request can be vexatious for a number of reasons, most of which go to the motives or behaviour of the requester (see the leading case of IC v Dransfield [2012] UKUT 440 (AAC)), but the law has also developed to encompass requests which, by nature of the work which would be required to assess and redact exempt information, are simply too onerous to respond to (see Cabinet Office v Information Commissioner and Ashton [2018] UKUT 208 (AAC)).

As I try to have, and show, no bad motive or behaviour, and as I try very hard not to make requests that are too broad, I’d managed to avoid such a refusal until now.

I asked for the full dataset of Tribunal cases which the Information Commissioner has been involved in. In a previous disclosure an extract from this dataset had been provided to someone. I didn’t know that that full dataset had potentially exempt fields in it. Having had this explained to me I don’t doubt that these fields would be exempt, and I don’t doubt the onerousness of the work which would be required to redact it all. So on the face of it, the refusal is fine, and I’ve submitted a follow up request for narrowed-down information.

But I think this was a good example of how the public authority could have dealt with this differently. They knew that I’d seen the previous extract, and should reasonably have surmised from that that I only wanted those fields, but across the whole dataset. An email or phone call to clarify this would have resolved the issue straight away (and I wouldn’t be writing this now). The case officer does acknowledge this (“we apologise that we did not contact you sooner to advise that we would be unable to respond to this request and advise on how it could be revised”), and I’m not going to whinge (unless this is a whinge (it probably is, isn’t it?)) – everyone is busy, and I’ve certainly handled requests as a practitioner where I’ve realised I could done things differently and better earlier in the process.

But it’s a good example of how a small gap in understanding between requester and public authority can lead to more (and unnecessary) work for both.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under access to information, Freedom of Information, Information Commissioner, vexatiousness

Tagged as ,

November 1, 2024 · 5:44 am

Dismissed FE teacher’s data protection, MOPI, HRA claims fail

[reposted from LinkedIn]

Claims in misuse of private information, data protection and for breach of the Human Rights Act, by a dismissed further education teacher against Tameside College and three employees are struck out/subject to summary judgment for the defendant.

The claimant was initially suspended after evidence came to light that he had been dismissed from previous roles. The College’s investigation involved the sending of reference requests to two previous employers, and was also informed by disclosures of Facebook and WhatsApp messages which revealed the teacher had, contrary to instruction, communicated with students on social media whilst suspended, and “sent a threatening message to a WhatsApp Group chat comprising members of staff”.

The deputy master found that in relation to the misuse of private information claims, although the claimant had a reasonable expectation of privacy in the social media messages, “those expectations were greatly outweighed by the need to investigate those messages for the purposes of the disciplinary process”. These were subject to summary judgment for the defendant.

The data protection and human rights claims against individual employees were bound to fail, as they were neither data controllers nor public authorities.

As to the data protection claim against the college, a previous determination by the ICO that the sending of the reference requests was not fair and transparent, because it was contrary to the claimant’s expectations, was wrong: it was “plain that it ought to have been well within the Claimant’s reasonable expectation that, in order to investigate whether he had failed to disclose the fact of his dismissal from those two institutions, each would be contacted and asked about it.”

The college’s processing was lawful under Article 6(1)(b) and (c) of the UK GDPR: “The processing was necessary for the purposes of the contract of employment between the [college] and the Claimant and for the performance of the [college’s] obligations to its other staff, and to safeguard and promote the welfare of its students.” The various safeguarding legal duties and obligations on the college established a clear legal basis for the processing.

Similarly, the human rights claims against the college, which included complaints of unlawful monitoring and surveillance, were bound to fail: “There is no real prospect of establishing a breach of Article 8 for the same reasons that there is no real prospect of establishing misuse of private information. The alleged breaches of Articles 10 and 11 appear to relate to the College’s instructions to the Claimant not to communicate with other staff except with permission. The instruction was plainly a reasonable one made for a legitimate purpose.”

Accordingly, the data protection and Human Rights Act claims were struck out.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, employment, Further education, human rights, Information Commissioner, judgments, LinkedIn Post, misuse of private information

Tagged as , ,

October 29, 2024 · 7:54 am

ICO and functus officio

[reposted from LinkedIn]

Can the Information Commissioner’s Office (ICO) withdraw or amend a decision notice it has issued under section 50 of the Freedom of Information Act 2000? And, if not, why not?

This FOI disclosure by the ICO states the orthodox (and surely correct) position that, once a section 50 decision has been made, “the Commissioner has discharged his duties under section 50…We can only act in accordance with our powers under the legislation. There is no provision in the FOIA that allows the Commissioner to amend or cancel a DN once it has been issued.”

But the letter goes on to say “…it [is not] accurate to say there is a law that prohibits us from amending a DN”. This is, to the contrary, surely incorrect: there may be no express statutory provision, but common law doctrine of “functus officio” applies.

Functus officio applies where “a judicial, ministerial or administrative actor has performed a function in circumstances where there is no power to revoke or modify it” (R (Commissioner of Police of the Metropolis) v Independent Police Complaints Commission [2015] EWCA Civ 1248, [2016] PTSR 891).

Although there may be exceptions where the decision has been obtained by fraud or it is based on a fundamental mistake of fact (R (Sambotin) v Brent London Borough Council [2018] EWCA Civ 1826, [2019] PTSR 371), the doctrine is most certainly “a law that prohibits” the ICO from amending a decision notice.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under common law, Freedom of Information, Information Commissioner, Uncategorized

Tagged as ,

October 29, 2024 · 5:21 am

ICO, Clearview AI and Tribunal delays

[reposted from LinkedIn]

On 28 October the Information Commissioner’s Office (ICO) made the following statement in respect of the November 2023 judgment of the First Tier Tribunal upholding Clearview AI’s successful appeal of the ICO’s £7.5m fine, and posted it in an update to its original announcement about appealing:

The Commissioner has renewed his application for permission to appeal the First-tier Tribunal’s judgment to the Upper Tribunal, having now received notification that the FTT refused permission of the application filed in November 2023.

It is extraordinary that it has taken 11 months to get to this point.

So what does this mean?

If a party (here, the ICO) wishes to appeal a judgment by the First Tier Tribunal (FTT) to the next level Upper Tribunal (UT), they must first make an application to the FTT itself, which must decide “as soon as practicable” whether to grant permission to appeal its own judgment (rules 42 and 43 of the Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009).

If the FTT refuses permission to appeal (as has happened here), the application may be “renewed” (i.e. made again) directly to the UT itself (rule 21(2) of the Tribunal Procedure (Upper Tribunal) Rules 2008).

So, here, after 11 months (“as soon as reasonably practicable”?) the ICO has just had its initial application refused, and is now going to make an applicant under rule 21(2) of the UT Rules.

The ICO’s wording in its statement is slightly odd though: it talks of “having now received notification” that the FTT “refused” (not, say, “has now refused”) the November 2023 application. The tense used half implies that the refusal happened at the time and they’ve only just been told. If so, something must have gone badly wrong at the Tribunal.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

2 Comments

Filed under Data Protection, GDPR, Information Commissioner, Information Tribunal, judgments, Upper Tribunal

Tagged as ,

October 24, 2024 · 11:20 am

Data (Use and Access) Bill – some initial thoughts

By me, on the Mishcon de Reya website.

Leave a comment

Filed under Data Protection, Data Protection Bill, Information Commissioner, Open Justice, ROPA, subject access

Tagged as

October 20, 2024 · 10:02 am

The missing page about the missing PhD

[reposted from LinkedIn]

[EDIT: you win some, you get the wrong end of the stick on some. It was pointed out to me that the ICO removes items from its disclosure log after two years, which is why the document no longer shows up, and in the comments below I was taken to a copy of the document at WhatDoTheyKnow. Both these points have been confirmed to me in an FOI response from the ICO. What mislead me into thinking there was something more going on was probably the Tribunal’s reference to a “new policy”: it clearly wasn’t so much a policy, as a statement that the ICO would rely on s17(6) FOIA to refuse to reply to future requests, on the grounds that a vexatious campaign was being pursued.]

This is plain odd.

For several years the The London School of Economics and Political Science (LSE), and, consequently, the Information Commissioner’s Office has had to deal to with FOI requests about former Taiwanese president Tsai Ing-wen’s “missing PhD dissertation” (for some background, see here (I don’t vouch for its accuracy)).

A number of these requests have been refused on the grounds of vexatiousness, with many upheld on referral to the ICO.

The Information Tribunal has recently given judgment on one of these, and ruled in favour of the appellant, holding that the request was not vexatious. But what struck me was the fact that both the appellant and the ICO cited in evidence a page (a hosted pdf, going by the URL) on the ICO’s website. The judgment says this

The Appellant stated in his grounds of appeal that after he had complained to the Commissioner about the Authority’s response to the Request, the Commissioner published on the ICO’s website (by reference to a disclosure log) a new policy of not processing FOIA requests seeking information on President Tsai Ing-wen’s PhD.

But a footnote (screenshotted here) correctly notes that the link does not go to this page, and further, I can’t find any sign of it on the UK government web archive or the Wayback Machine. An advanced Google search on the ICO website throws no light.

So I’ve made an FOI request to the ICO, and will update when I get a response.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

4 Comments

Filed under access to information, FOIA, Freedom of Information, Information Commissioner, Information Tribunal, judgments

Tagged as , ,

October 15, 2024 · 5:41 am

Third party rights under FOIA

[reposted from LinkedIn]

In a Freedom of Information Act (FOIA) matter there are two parties with express rights and obligations – the requester and the public authority (PA) – with the potential for the regulator – the Information Commissioner’s Office – to become involved if there is a dispute.

But there is often a third party involved, and one who has no express rights under FOIA – the person to whom requested information relates. This can be a corporate, but sometimes it will be an individual (think, for example of MPs whose expense claims were sought from the Commons many years ago).

The code of practice issued by the Cabinet Office under section 45 of FOIA recommends as best practice that, where a PA receives a request for information where a third party’s interests are engaged, the third party should be consulted, and given the opportunity to make representations. But the Code is clear that those representations cannot bind the PA, and that the decision on disclosure is ultimately for the PA to make.

All of this should, of course, run its course within the 20 working days that FOIA allows for responding to a request. So quite how a request from 2019, to the Legal Services Agency (LSA) for Northern Ireland, regarding the grant of legal aid to a self-styled peace campaigner, has only just been determined in the High Court is a pressing question. Nonetheless, the judgment (though slightly odd) is worth reading.

The man in question, Raymond McCord, was invited to make representations on the request (made by a unionist MP), having been informed of the LSA’s intention to disclose. He brought immediate judicial review proceedings to prevent disclosure and the LSA undertook not to disclose until the ICO had given a view on the lawfulness of processing (I pause to note that the LSA’s suggestion that McCord had an alternative remedy by way of a complaint to the ICO after disclosure for a determination as to whether FOIA had been complied with was wrong in law, and flawed in logic).

The ICO gave an opinion in June 2020 that disclosure would likely be both unfair and unlawful, but stressed that the opinion “is in no way legally binding in this case, however, it should be of assistance to the court in making a final decision.”

No explanation is given in the judgment of why it then took over four years for the court to rule on the application. This is simply ridiculous.

Nevertheless, the court conducted a rather eccentric analysis of the authorities on disclosure of personal data under FOIA (and of various non-authoritative prior ICO decision notices) before determining, five whole years (rather than twenty working days) after the FOIA request, that the information should be disclosed, holding that “the applicant cannot complain of any breach of privacy in respect of his pursuit of high‑profile public interest litigation in circumstances where he himself has commented publicly on the issues”.

The judgment, ultimately, is rather unsatisfactory. The interim judgment (in 2020(!)) of Keegan J, which noted the undertaking by the LSA not to disclose pending the ICO’s ruling, discusses alternative remedies, and implies that McCord would have a right to appeal the ICO’s decision to the First tier Tribunal. However, this predates the Killock and Delo cases which make clear that there is no substantive data subject right of appeal from an ICO data protection decision through the tribunal system. In Killock the Upper Tribunal made clear that a substantive data subject challenge (rather than a procedural one) to the ICO should, indeed, be by way of judicial review proceedings.

And it remains the case that, if you are a third party who has an interest (maybe a profound interest) in information which a public authority is proposing to disclose, in response to a FOIA request, your rights are unclear and limited.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, FOIA, Information Commissioner, judgments, judicial review

Tagged as , , ,

October 11, 2024 · 6:24 am

Still no clearer on reprimands

[reposted from LinkedIn]

What is a reprimand, and how does the ICO decide to issue one? This, bizarrely, remains a bit of a mystery – apparently even to the ICO themselves.

Under Article 58(2)(b) of the UK GDPR the Information Commissioner’s Office has the power to issue reprimands to a controller or a processor where processing operations have infringed provisions of the UK GDPR.

Since January 2022 the ICO has issued 84 reprimands that it has made public (it’s possible there are others it hasn’t published – that’s certainly happened in the past). Yet there is still no clearly documented process that the ICO will follow to decide what might trigger the decision to issue a reprimand.

In February 2023 I was informed by the ICO that “there is no specific written policy or procedure covering the issuing of reprimands [but that they were] currently working on putting together a formalised process specifically for reprimands, which will be added to our Investigations Manual once finalised”.

So I followed this up recently (18 months on from the previous request). And I’ve had a couple of documents disclosed to me, one a checklist that begins “Once reprimand agreed…” and another on how to apply redactions, but, otherwise, there appears still to be no way of an organisation – or even the ICO themselves(!) – knowing what might lead to a reprimand being issued, and how the decision will be made.

So, six years on from the ICO getting the power, those organisations placed on the naughty step appear to be no clearer to understanding what exactly they did to deserve it.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Information Commissioner, reprimand, UK GDPR

Tagged as ,

October 3, 2024 · 6:44 am

You must be taking the PSNI

[Reposted from LinkedIn]

The Information Commissioner’s Office has fined the Police Service of Northern Ireland £750,000 for the failings that led to the public disclosure of the surnames, initials, ranks and roles of all 9,483 PSNI officers and staff, putting countless people’s lives at risk from dissident republicans. The fine would have been £5.6m if the ICO’s “public sector approach” had not been applied.

The disclosure was made in a spreadsheet attached to a Freedom of Information Act response. The spreadsheet was intended to disclose some information, but also contained a hidden tab, where the offending information was situated.

Eleven years ago I was asked to write a piece in The Guardian about the risks of hidden data in spreadsheets. At the time, as many of you will remember, these sort of incidents were prevalent in councils and the NHS. I called for the ICO to do more to warn, and, in fairness, they did. But the fact that this sort of incident was allowed to happen is shocking: the ICO notice points out that there PSNI would regularly create pivot tables to prepare information for disclosure, where the risk of data being hidden (but easily revealed) is particularly high.

The ICO announcement is unusual in that it also allows the Chief Constable of PSNI to comment, and – extraordinarily – to express that he is “extremely disappointed at the level of the fine” (despite the massive reduction over what it would have been if he was in charge of a private sector organisation).

Chief Constable Boucher – you got off lightly.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, fines, Freedom of Information, Information Commissioner, personal data breach, police, UK GDPR

Tagged as , , ,