Category Archives: judgments

Cabinet Office unsuccessfully appeals FOIA information notices

When a public authority relies on an exemption to refuse to disclose information in response to a Freedom of Information Act request, the requester can ask the Information Commissioner’s Office for a decision as to whether the refusal was in accordance with the law. In order to make such a decision, the ICO may often need to see the information withheld by the public authority. Where the public authority is unwilling to provide this, or perhaps drags its heels over it, the ICO may serve, under section 51 of FOIA, an “information notice”, requiring the information to be provided. Failure to comply with an Information Notice can be certified as contempt of court, but there is a right of appeal to the First-tier Tribunal.

And so it was that the Tribunal recently found itself hearing appeals by the Cabinet Office in relation to two Information Notices served on it by the ICO, who is investigating whether FOIA requests for information relating to Rishi Sunak’s declarations of interest when he was Prime Minister.

The Cabinet Office sought to argue, among other things, that access by the ICO was not necessary, was unfair and damaging to the process of handling ministerial declarations of interest, and would constitute unlawful processing of personal data. All of these arguments got short shrift from the Tribunal – ultimately, it held that it would not be possible to determine whether any of the exemptions prayed in aid by the Cabinet Office were made out without an examination of the material, and the appeals were dismissed.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


Cabinet Office wins Covid face masks FOIA appeal

The Information Tribunal has overturned a decision of the Information Commissioner’s Office and ruled that the Cabinet Office is not required to disclose minutes of meetings in June and July 2020 at which policy decisions were taken to make mandatory the wearing of face masks in shops and on public transport.

It is a shame that, for a decision of some import, the judgment reads like a stream-of-consciousness draft, and that it is infused with unnecessary sarcasm at various points.

The ICO had determined that the exemption at s35 FOIA (for information relating to the formulation of government policy) was engaged. He acknowledged the importance of a protected space for government decision-making, and of the principle of collective responsibility, but decided that the “exceptionally weighty” public interest favoured disclosure.

The Tribunal, however, via reasoning which is – frankly – very difficult to follow, appears to have focused on the issue of “accountability”, something that the requester had mentioned rather in passing in support of his request, but which was not a matter expressly mentioned in the ICO’s decision. Having fixed on this concept, the Tribunal appears to have decided that as those in government at the time have since been held accountable in various ways, there was diminished public interest in achieving accountability by way of disclosure of the requested information. The key passage is probably this (at 57):

In considering the context of this request there is a stark contrast between the salience and effectiveness of other multiple forms of accountability…and the value of the information sought – in contrast with the risk of harm to the functioning of government caused by its release disproportionate to any benefit.

I do not say the Tribunal has necessarily got this wrong, but I do say that this is a FOIA case of some significance, and that it warranted a clearer judgment.

Whether the judgment is amenable to an appeal is not entirely clear, but it’s worth pointing out that the original requester was not a party to, and was not joined to, these proceedings, and so I do not believe he himself has a right of appeal to the Upper Tribunal, and one wonders whether the ICO will have the enthusiasm to do so, given the costs involved.


Can a data subject inspect withheld information in court proceedings?

When a controller, in response to a subject access request, has withheld personal data on the grounds of an exemption or exemptions, the data subject can apply to the court for a compliance order, under section 167 of the Data Protection Act 2018. That application will be determined by a judge who must determine whether the personal data was properly withheld or not. But general rules in adversarial proceedings do not permit one side and the judge to have access to material when the other side does not. So can the claimant and his/her lawyers therefore have access to the withheld information? Of course not – you all say – that would be absurd. However, the picture is not quite as clear as one might think.

Section 15(2) of the Data Protection Act 1998 specifically dealt with this issue: it said that the information should “be made available for [the judge’s] own inspection but shall not, pending the determination of that question in the applicant’s favour, require the information sought by the applicant to be disclosed to him or his representatives”.

But no such provision is contained in the equivalent sections of the 2018 Act. That appears to have been a drafting error.

The issue came up in X -v- The Transcription Agency LLP [2024] 1 WLR 33, and the court there held that

it would defeat the purpose of the legislation if a person challenging the application of an exemption were to be given sight of the material for the purpose of advancing his or her arguments…It would bring about a situation in which a party seeking personal data “would have obtained the very thing which the hearing was designed to decide”

As a result, I imagine, of the X case, Parliament moved to address the lacuna in the law: the Data Protection and Digital Information Bill contained a clause which would have given the court the express power contained in section 15(2) of the 1998 Act. That Bill was, of course, dropped just before the 2024 General Election, but the Data (Use and Access) Bill, now speeding through the Commons, contains something similar, at clause 103.

And so it was that the issue again arose in recent proceedings – Cole v Marlborough College [2024] EWHC 3575 (KB) – involving a former pupil who is seeking information through subject access regarding an investigation into a disciplinary matter in his former school.

As in X, the judge noted the absence of any express power to inspect the materials without permitting their disclosure to the claimant. But, relying on X, the judge held that there was an implied power (either implied within section 167 and/or in exercise of the court’s inherent jurisdiction).

Given the impending amendment of the statute to make the power express, rather than implied, these cases will probably just become footnotes, rather than landmark judgments. But they’re interesting for illustrating how courts will find implied powers and procedures where justice demands it.


FOI doesn’t need a “purpose”

[reposted from my LinkedIn account]

At the close of an otherwise unobjectionable and unsurprising refusal of a Freedom of Information Act 2000 appeal (on the issue of a vexatious request), the Information Tribunal judge says this:

“FOIA exists to safeguard freedom of information. It was not enacted to serve as a tool for furthering personal campaigns and causes, however heartfelt they may be.”

When Parliament enacted FOIA it expressly declined to insert a “purpose clause”. As its explanatory notes say “A request for information can be made by any individual or body, regardless of the purpose of the application.” So if someone wants to use FOIA as a tool for furthering personal campaigns and causes, then (as long as their requests are not, as they were here, vexatious) they jolly well can. And judges should respect this.


The state of central government transparency

[reposted from my LinkedIn account]

This is one of the most extraordinary FOIA judgments I’ve ever seen, and it says an awful lot about the approach to transparency at the centre of the civil service.

The Cabinet Office have been trying to resist disclosure under FOIA of copies of blank ministerial declaration of interest forms, on grounds that to do so would be prejudicial to the conduct of public affairs, because among other things [checks notes] “Disclosure may lead to speculative scrutiny regarding why certain elements are included in the forms, potentially leading to amendments to the form which undermines its effectiveness”.

But there’s also an extraordinary citation of a piece of evidence given by a Cabinet Office witness – the “Director of Propriety and Ethics” – to the effect that the system for Ministers declaring interests relies heavily on the trust and candour of Ministers, and the effect of disclosure would be that they “may be reluctant to provide the same level of detail” as they do currently.

Let’s just think about that. Ministers have a constitutional and ethical duty to declare interests, but this relies on trust and candour, and disclosure of a blank declaration form might mean that those we trust to be candid in their ethical duty to declare those interests might decide to be less trustworthy and candid as a result? What a sorry state of affairs.

Fortunately, the Information Tribunal, like the Information Commissioner’s Office before, had no truck with these arguments, and refused the Cabinet Office’s appeal.


Is information held by external solicitors “held” for the purposes of FOIA?

[reposted from my LinkedIn account]

Where an external solicitor’s firm holds information in relation to advice given by the solicitor on instructions by a public authority client, is the information held by the solicitor “on behalf of” the public authority, for the purposes of section 3(2)(b) of the Freedom of Information Act 2000?

While the matter is live, the answer is probably “yes”, but what if the public authority client has long since destroyed its own records, but the solicitor’s firm has retained its records for its own regulatory or risk purposes? Here, the answer is probably “no”.

And that is the situation which came before the Information Tribunal recently. The requester was seeking information from Sheffield City Council about a development scheme from 2007/2008. The Council had said that it would have destroyed its own records, and said that to determine whether the information was held would necessitate the inspection of 28 box files held by law firm Herbert Smith Freehills, who had been instructed by the Council at the relevant time. To even determine whether the information was held or not would exceed the costs limits in section 12 of FOIA. The ICO, in the decision notice being appealed, had agreed.

As I was reading the first few paragraphs of the Tribunal judgment, I said to myself “hang on – is this info being held by HSF on behalf of the Council, or is it being held for HSF’s purposes?” I was limbering up my fingers to write a post criticising everyone for not spotting this, so I was then pleased to see that the Tribunal, of its own volition, identified it as an issue and sought submissions from the ICO and the Council on it.

After some back and forth (it is not entirely clear from the judgment who said what in their submissions, and there was a side issue as to whether in fact the Environmental Information Regulations applied) the evidence was pretty clear that the Council had had no intention to retain the information, nor to entrust it to HSF. Accordingly, the information was not “held” for the purposes of FOIA.

I’m not sure I understand why the Tribunal did not substitute a different decision notice to reflect this (it simply dismissed the requester’s appeal), but ultimately nothing really turns on that.

What one can take from this is that solicitors and their clients (especially public authority clients) should, jointly and separately, make clear in agreements and policies what the status is of information retained by solicitors after an instruction has ceased, and how requests for such information should be dealt with.


Exceptionally unlikely: ICO and judicial review

[reposted from my LinkedIn account]

Where Parliament has entrusted a specialist body with bringing prosecutions, such as the Serious Fraud Office, or the Information Commissioner’s Office (ICO), it is “only in highly exceptional circumstances” that a court will disturb a decision made by that body (see Lord Bingham in R(Corner House and others) v Director of the Serious Fraud Office [2008] UKHL 60).

Such was the situation faced by the claimant in an unsuccessful recent application for judicial review of two decisions of the ICO.

The claimant, at the time of the events in question, was a member of the Labour Party and of the Party’s “LGBT+Labour” group. She had been concerned about an apparent disclosure of the identity and trans status of 120 members of a “Trans Forum” of the group, of which she was also a member, and of what she felt was a failure by the LGBT+Labour group to inform members of the Forum of what had happened.

She reported this to the ICO as potential offences under sections 170 and 173 of the Data Protection Act 2018 (it’s not entirely clear what specific offences would have been committed), and she asked whether she was “able to discuss matters relating to potential data breaches with the individuals involved”. The ICO ultimately declined to prosecute, and also informed her that disclosing information to the individuals could in itself “potentially be a section 170 offence”.

The application for judicial review was i) in respect of the “warning” about a potential prosecution in the event she disclosed information to those data subjects, and her subsequent rejected request for a commitment that she would not be prosecuted, and ii) in respect of the decision not to prosecute LGBT+Labour.

Neither application for permission succeeded. In the first case, there was no decision capable of being challenged: it was an uncontroversial statement by the ICO about a hypothetical and fact-sensitive future situation, and in any event she was out of time in bringing the application. In the second case, there were no “highly exceptional circumstances” that would enable the court “to consider there was a realistic prospect of showing that the ICO had acted outside the wide range of its discretion when deciding not to prosecute”.

One often sees suggestions that the ICO should be JRd over its failure to take action (often in a civil context). This case illustrates the deference that the courts will give to its status and expertise both as regulator and prosecutor. Outside the most exceptional of cases, such challenges are highly unlikely to succeed.

Peto v Information Commissioner [2025] EWHC 146 (Admin)


Cookies, compliance and individuated consent

[reposted from my LinkedIn account]

Much will be written about the recent High Court judgment on cookies, direct marketing and consent, in RTM v Bonne Terre & Anor, but treat it all (including, of course, this) with caution.

This was a damages claim by a person with a gambling disorder. The claim was, in terms, that the defendant’s tracking of his online activities, and associated serving of direct marketing, were unlawful, because they lacked his operative consent, and they led to damage because they caused him to gamble well beyond his means. The judgment was only on liability, and at the time of writing this post there has been no ruling on remedy, or quantum of damages.

The domestic courts are not regulators – they decide individual cases, and where a damages claim is made by an individual any judicial analysis is likely to be highly fact specific. That is certainly the case here, and paragraphs 179-181 are key:

such points of criticism as can be made of [the defendant’s] privacy policies and consenting mechanisms…are not made wholesale or in a vacuum. Nor are they concerned with any broader question about best practice at the time, nor with the wisdom of relying on this evidential base in general for the presence of the consents in turn relied on for the lawfulness of the processing undertaken. Such general matters are the proper domain of the regulators.

In this case, the defendant could not defeat a challenge that in the case of this claimant its policies and consenting mechanisms were insufficient:

If challenged by an individual data subject, a data controller has to be able to demonstrate the consenting it relies on in a particular case. And if that challenge is put in front of a court, a court must decide on the balance of probabilities, and within the full factual matrix placed before it, whether the data controller had a lawful consent basis for processing the data in question or not.

Does this mean that a controller has to get some sort of separate, individuated consent for every data subject? Of course not: but that does not mean that a controller whose policies and consenting mechanisms are adequate in the vast majority of cases is fully insulated from a specific challenge from someone who could not give operative consent:

In the overwhelming majority of cases – perhaps nearly always – a data controller providing careful consenting mechanisms and good quality, accessible, privacy information will not face a consent challenge. Such data controllers will have equipped almost all of their data subjects to make autonomous decisions about the consents they give and to take such control as they wish of their personal data…But all of that is consistent with an ineradicable minimum of cases where the best processes and the most robust evidential provisions do not, in fact, establish the necessary presence of autonomous decision-making, because there is specific evidence to the contrary.

This is, one feels, correct as a matter of law, but it is hardly a happy situation for those tasked with assessing legal risk.

And the judgment should (but of course won’t) silence those who promise, or announce, “full compliance” with data protection and electronic marketing law.


Disclosing details of successful candidates from jobs

[reposted from my LinkedIn account]

Jones v Secretary of State for Health And Social Care [2024] EWCA Civ 1568

A question for data protection advisers. If you are asked by an unsuccessful candidate for a job what the age, gender and ethnic origin of the successful candidate was, do you disclose? (And what is your Article 6 basis and Article 9 UK GDPR condition for doing so?)

These questions are prompted by an interesting employment case in the Court of Appeal.

The appellant, who self-describes as black Caribbean, interviewed for a business development role at Public Health England (PHE) on 28 March 2019 but was not told, despite chasing, until 3 July 2019 that he had been unsuccessful. This was already outside the primary three month limitation period for bringing a claim in the employment tribunal (ET).

He then asked PHE for “age, gender and ethnic origin” of the successful candidate, and explained he needed the information to decide whether or not to make a claim in the ET.

It is not entirely clear what then happened: it’s suggested that PHE initially refused, but told the claimant he could make an FOI request, and there is also a suggestion that he was told that if he provided proof of his identity they would provide the information. In any event, he was not informed until much later in the proceedings that the successful candidate was white British.

His ET claim for discrimination was, therefore, submitted out of time. The ET can only extend the time for such a claim where it is “just and equitable” to do so, and, here, the ET held that it was not: he put off making his claim “because he was on an information gathering exercise. He was looking for the evidence to bolster his claim…Despite the Claimant’s criticisms, the respondent did in fact provide him with information and an explanation of its actions quite early on in the chronology. It gave him enough information to know that there was a claim for him to make if he wanted to present it to the Tribunal”. And, in any case, the ET dismissed the claim on its merits.

On appeal to the Employment Appeal Tribunal (EAT) the claimant submitted that it had been perverse of the ET to refuse to exercise its discretion to extend the time for making the application, but the EAT held that the ET had made no error of law in that regard.

The Court of Appeal felt differently; it was wrong for the ET to have held that the claimant had had, much earlier, the “raw materials” on which to formulate his claim, and although it was correct that he was looking for information to bolster his claim, this ought not to have been held against him. “The information he was seeking about the ethnicity of the successful candidate was an essential part of his claim”.

Accordingly, the ET’s decision not to extend time under the “just and equitable” test was perverse, and the order of the EAT to uphold that decision was set aside, and the case on merits was remitted to the EAT.

And I guess my answer to my own questions at the start of this post would be: one or both of Articles 6(1)(c) and 6(1)(f), and Article 9(2)(f). But in all those cases, it’s going to be difficult for the controller to make the appropriate call on whether the request for information means that it’s necessary to make the disclosure, or whether it’s just a frivolous or aimless request.


Data protection claims against persons unknown

[reposted from my LinkedIn account]

Chirkunov v Person(s) Unknown & Ors [2024] EWHC 3177 (KB)

This is an important, and quite withering, judgment from Mr Justice Nicklin, which ends with a suggestion that from now on applications for permission to serve a Claim Form on ‘Persons Unknown’ out of the jurisdiction in claims in the Media & Communications List should not be dealt with without a hearing, unless a Master or Judge directs that a hearing is not necessary. The judgment records that, before hand down Nicklin J consulted the Judges in charge of the MAC List and they have endorsed his suggestion as the practice now to be followed in the MAC List.

The judgment is on an application to serve, out of the jurisdiction, a data protection claim on two persons unknown (the publishers of two websites said to infringe the data protection rights of the claimant). The claimant initially applied for orders to be made with a hearing, but Mrs Justice Steyn gave directions for there to be a hearing.

Nicklin J was clearly unimpressed by the limited efforts the claimant and his lawyers had made to identify/locate the defendants, noting that the Norwich Pharmacal procedures had been available to the claimant, and concluded that “the Claimant has simply chosen not to pursue several avenues of investigation, including applications for Norwich Pharmacal relief. The basis for this decision is unpersuasive and unimpressive. On the evidence that has been provided, I am left with a very clear impression that the Claimant thought that he could avail himself of a simple short-cut – avoiding the cost of further investigations to identify the Defendants – by the expedient of issuing a claim against ‘Persons Unknown’”.

For this and other reasons the judge was also unwilling to give permission to serve out on persons unknown. Although such litigation can serve a purpose in some blackmail/cyber attack cases, for instance to “obtain interim remedies which can be used to counter the defendant’s threat to publish information that forms the basis of the blackmail/extortion threat”, he was not prepared to permit “litigation against someone who cannot be identified other than a description of his/her role, and with no indication of the state in which s/he is domiciled”.

Also notable was the judge’s approach to the part of the application which sought a declaration that the personal data on the website was inaccurate. The claimant was not “entitled” to such a declaration, and, in fact (Cleary v Marston Holdings and Aven v Orbis applied) declarations are not provided for under the data protection legislation and not generally granted in such litigation. The judge had “real difficulty in imagining the circumstances in which the Court would grant a declaration of “inaccuracy” in a data protection claim following a default judgment”.

The application was refused on all grounds.
