Category Archives: Uncategorized

June 15, 2013 · 9:30 am

Information Rights and Wrongs Alternative Honours List

Martin Hoskins muses today on why – apart from those who’ve worked for the Information Commissioner’s Office – no data protection professionals have ever received royal honours. I can certainly think of a few information rights people whose selflessness and length of practice deserve recognition – Dr Chris Pounder, for instance, whose career in data protection spans five decades, or Maurice Frankel, without whom we might not even have an FOI Act. But, given that there’s little chance of this happening, I am today announcing an alternative

Information Rights and Wrongs Birthday Honours List

First up…

For services to the DfE, the Financial Times’ Chris Cook. Without Chris’s sterling efforts we would have little understanding of the devotion to the cause of ministers and SpAds at the Department for Education. Chris revealed that, such was this devotion, they spend much of their time and resources using their own home email accounts to do government work.

For services to public authorities in general, Alan M Dransfield, whose FOI campaigns mean there is now much greater clarity about how and when to treat FOI requests as vexatious.

For apparent defiance of in the face of the law, Jim Shannon MP, who – as well as holding the title of least sexy MP – does not appear to have been registered with the Information Commissioner for at least three years, despite the fact that processing personal data without a registration is a criminal offence (unless there is an exemption).

For donations to the legal profession Brighton and Sussex University Hospital Trust, who paid lawyers £178,000 in fees seeking to challenge an Information Commissioner monetary penalty, before withdrawing their appeal before it went to a hearing.

But there is one candidate which stands out above all others. A group honour, because no single individual could have (not) achieved all that they have (not) achieved. They are the inspiration behind a great new website, and they are the winner of the highest accolade, the Information Rights and Wrongs Arcana Imperii honour…

my_medal(1)

For sheer jaw-dropping contempt of the law, the Cabinet Office, who have decided to dispense with the need to observe the FOI Act. They are an inspiration for all of us and for as long as no effective enforcement is taken to ensure compliance, they will continue to be the shining beacon for all public authorities.

5 Comments

Filed under Uncategorized

June 12, 2013 · 4:25 pm

Schools and Children’s Privacy

Parents, when confronted with the familiar complaint by a child that a parental decision “isn’t fair”, are entitled to say “I don’t care – what I say goes”.

Schools*, and their teachers, although acting in loco parentis, cannot necessarily do the same. Particularly in their role as public authorities they have obligations to act fairly and lawfully at common law, and under various statutes – not least the Human Rights Act 1998 (HRA). Article 8 of the European Convention on Human Rights, incorporated into domestic law by the HRA, famously provides everyone a qualified right

to respect for his private and family life, his home and his correspondence

Parents do not have to respect this in their dealings with their children: the latter cannot enforce the Article 8 right against a parent who demands access to their private correspondence, or who sends them to their bedroom for a spurious reason, or who uploads personal information to a dodgy cloud storage provider. Schools do have to respect the right – in loco parentis only goes so far.

I make this observation in light of research published by SafeGov.org and Ponemon Institute into the views of school staff on the use of cloud services in the education sector and the potential risks to student privacy. Among generally encouraging results (rejection of data-mining, seeing threats to student privacy as the top risk of cloud) was something less happy

Some schools admit to a conflict of interest regarding student privacy…47% say they might be tempted to trade student privacy for lower costs

If I were a child, or a parent, I would be tempted, in turn, to say “my (or my child’s) privacy is not yours to trade”. Rather, it is the school’s duty to protect that privacy, to the extent required by the law. Levels of privacy protection should not be related to cost (or only to the limited extent permitted by the second part of Article 8). Relatedly, the seventh principle of Schedule One of the Data Protection Act 1998 (DPA) requires a school, as data controller, to take

Appropriate technical and organisational measures…against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

I would query whether a decision to adopt a software provider at lower cost, at the expense of student privacy, would be compliant with a school’s obligations under the DPA, or the HRA.

*I am talking about non-independent state schools

Leave a comment

Filed under Data Protection, human rights, Privacy, Uncategorized

Tagged as

May 16, 2013 · 7:58 am

NO THANK YOU I DON’T WANT TO REGISTER

The other day I was in town, and popped in to a shop to look at an interesting item. I was rather annoyed to be greeted by a shop assistant waving a large banner which obscured everything. He said he’d put the banner down if I handed over my contact details so he could send me marketing guff in the future. He only got out of the way when I kneed him in the Edwards.

Not strictly true of course. However – you wouldn’t run a physical shop this way, so why run web scripts that have the same effect?

bfp

I don’t want to register for your website – I just want to dip in for a quick look then leave (that still counts as a page view for you to quote to advertisers) and I’d suggest that’s pretty standard practice for the large majority of internet users.

I confidently state that no one, ever, in recorded history, has thought, when they got a pop-up inviting them to register their details, “Oo, how helpful that was. Thank you for obstructing my journey to what I really wanted”.

And I know I could probably configure a pop-up blocker to bypass them, but I don’t (often) walk around town accompanied by a bouncer. So just stop it, everyone who does this.

3 Comments

Filed under Uncategorized

April 5, 2013 · 5:11 pm

A Howitzer of an FOI Exemption

A recent decision by the Information Commissioner shows that the House of Commons is able, under the FOI Act, to apply a blanket provision preventing disclosure of information of potential public interest, from which there is no appeal. If I were a cynical adviser to the House, I’d suggest using it more often.

The Freedom of Information Act 2000 (FOIA) contains a few howitzers with which a relevant public authority can obliterate an otherwise valid request for information. The most familiar of these is at section 53, whereby, in relation to a Information Commissioner (IC) decision notice served on a government department requiring them to disclose information, a Cabinet minister can issue a veto, from which there is no right of appeal.

Less well-known are the certificates which can be served under sections 23 and 24, by ministers, to be conclusive evidence that information requested was supplied by or relates to national security bodies, or is exempt from disclosure for reasons of national security. (These are appealable, either by the IC or by the applicant, under section 60 of FOIA).

Less well-known still is a section which allows the Speaker of the House of Commons (or the Clerk of the Parliaments) to issue a certificate which provides conclusive evidence that disclosure would or would be likely to cause prejudice to the effective conduct of public affairs. This is section 36(7) and, read with section 2(3)(e), it provides an absolute exemption to disclosure, which the IC is duty bound to accept. In effect, it is a means whereby the Houses of Parliament can prevent FOIA disclosure, with no right of appeal.

Thus, in a decision notice published this week about a request for information relating to the tax treatment of residential accommodation provided by the House of Commons, the IC says

Given the nature and provenance of the certificate, the Commissioner is obliged by section 36(7) FOIA to accept the certificate as “conclusive evidence” that the opinion is reasonable in both process and substance and that the alleged inhibition would be likely to occur; therefore, the Commissioner accepts that section 36(2) FOIA is engaged and that the withheld information is exempt

Any appeal of this decision would have the same outcome: if a properly-made certificate states that the exemption applies, then it does, and no regulator or court can say different. So, despite what appears to be a potentially high degree of public interest in the information requested, about, in the applicant’s words

issues of principle… the provision of residential accommodation is a substantial benefit, and its tax treatment is of legitimate interest to the public

we will not get to see it.

There could, I imagine, potentially be an application for judicial review of the decision to issue the certificate, in the same way that the ministerial veto at section 53 is potentially amenable to judicial review, but this would have to be on the classic public law grounds, and would be a very difficult challenge.

One rather wonders why this provision has not been used more often. It has been used in the past to prevent disclosure of information relating to names and salaries of MPs’ staff, and to prevent disclosure of information about the claiming of parliamentary privilege. But when requests were made for disclosure of MPs’ expenses information, the exemption claimed was the one relating to personal data. A section 36(7) certificate would, it seems to me, have rendered those requests dead in the water. Did the House of Commons miss a cynical trick?

Leave a comment

Filed under Freedom of Information, Information Commissioner, Uncategorized

Tagged as ,

March 20, 2013 · 7:38 am

ICO Bares Teeth at Nuisance Callers

I know a retired chap whose daily life is blighted by nuisance marketing phone calls. Some are from charities he donates to, and I’ve told him he’s entitled to donate and still opt out of receiving these. But others are entirely unsolicited, and despite the fact that about a year ago I got him to register with the Telephone Preference Service (TPS) the calls continue.

Now I remember when I signed up with the TPS a few years ago it was remarkably successful in stopping all nuisance calls, especially when, if one got through, I’d threaten to complain. However, my retired friend won’t complain because, he says, “it wouldn’t achieve anything”. Until recently, I’d have tended to agree with him, but it is good to see the Information Commissioner’s Office (ICO) showing that it does have teeth when it comes to enforcement of the Privacy and Electronic Communications Regulations 2003 (PECR). The ICO have today announced that a monetary penalty notice of £90,000 has been served on a Glasgow company for a breach of the PECR.

DM Design, based in Glasgow, has been the subject of nearly 2,000 complaints to the ICO and the Telephone Preference Service (TPS). The company consistently failed to check whether individuals had opted out of receiving marketing calls – in clear breach of the law – and responded to just a handful of the complaints received.

In one instance an employee refused to remove a complainant’s details from the company’s system and instead threatened to “continue to call at more inconvenient times like Sunday lunchtime”

And it is interesting to note that the ICO say they intend to issue similar “fines” against two other companies.

Of course, this kind of robust enforcement action can only really happen if people complain about this type of call, either to the ICO or to the TPS. I will be encouraging my retired friend to do so, in the knowledge that it might actually achieve something.

Leave a comment

Filed under Uncategorized

March 13, 2013 · 8:25 am

The Right to Unknown Information

It is important to note that there is no requirement in the FOIA that those intending to make requests for information have any prior knowledge of the information they are requesting.

These words of the Information Commissioner (IC) in, Decision Notice FS50465008, are an important statement about the role of the Freedom of Information Act 2000 (FOIA) in investigative journalism and activism. They establish that, at least in the IC’s view, FOIA requests may be made on a speculative basis, without a knowledge of the specific contents of documents.

To many users and practitioners they are probably also an obvious statement about the right to information conferred by FOIA. If someone is asking for information from a public authority, it is self-evident that, at least in the large majority of cases, they do not know what the information specifically consists of – otherwise, why request it? As the IC goes on to say

The idea of a requirement of prior knowledge that the relevant information exists is itself contrary to the very purpose of the legislation, let alone prior knowledge as to what it comprises

The request in question, made – as those who followed the “Govegateimbroglio might have guessed – by the impressively dogged journalist Christopher Cook (who has given me permission to identify him as the requester), was to the Cabinet Office for

the last email received by the [Prime Minister] personally on government business via a private non-GSI account. I also want the last government email sent by the PM via such an account

It was made in the context of suspicions that attempts might have been made to circumvent FOIA by conducting government business using private email accounts. For obvious reasons Chris was unlikely to be able to identify the specific type of information he sought, and the Cabinet Office knew this, telling the IC that

he has no idea of the nature of the information that may be contained in such emails, if indeed such emails even exist…For a request for a document to be valid, it needs to describe (if it would not otherwise be apparent) the nature of the information recorded in the document. The Cabinet Office does not accept that asking a public authority to undertake a search for emails without any subject matter, or reference to any topic or policy, sent using a particular type of account can satisfy the requirement on the application to ‘describe the information requested’

However, the IC rejected this, splendidly demolishing the Cabinet Office’s position with an argument by analogy

a request for the minutes of the last Cabinet meeting would clearly describe the information requested, even though it does not describe the content by reference to the matters discussed

I think this decision is particularly important because it accepts that, sometimes, a person contemplating requesting information from a public authority might not have a fully-formed view of what it is she wants, or expects to get. Authorities sometime baulk at requests which they see as “fishing expeditions”, but the practice of investigative journalism (in de Burgh‘s classic formulation “…to discover the truth and to identify lapses from it in whatever media may be available…”) will often involve precisely that, and the IC recognises this

Whilst public authorities might find such requests irritating, the FOIA does not legislate against so-called ‘fishing expeditions’

 The Cabinet Office must now treat Chris’s request as properly-made under FOIA. That does not mean that they will necessarily disclose emails from the PM’s private email account (in fact I’d be amazed if they did), but no one ever suggested the trade of investigative journalism was easy.

5 Comments

Filed under Cabinet Office, enforcement, Freedom of Information, Information Commissioner, transparency, Uncategorized

Tagged as , ,

March 3, 2013 · 10:27 am

Human Rights and Wrongs

“The first major law to curtail the rights of Jewish German citizens was the “Law for the Restoration of the Professional Civil Service” of April 7, 1933, according to which Jewish and “politically unreliable” civil servants and employees were to be excluded from state service” (source: wikipedia)

I was talking to a friend with Jewish heritage yesterday who is researching his family history. His success at tracing his German and Polish ancestors using the superb JewishGen site was – as has happened to some many thousands of Jewish genealogists – desperately and sickeningly curtailed by the events of the 1930s and 1940s. People die, or disappear, and lineages that go back centuries are broken by something that happened within our fathers’ lifetimes.

“[in 1935 the] “Nuremberg Laws” excluded German Jews from Reich citizenship and prohibited them from marrying or having sexual relations with persons of “German or German-related blood.” Ancillary ordinances to these laws deprived them of most political rights. Jews were disenfranchised and could not hold public office” (source: wikipedia)

We speculated on how his family members in 1930s Berlin might have responded to the erosion of their rights during this period. Why didn’t they leave when they could? They were affluent and well-connected. They may even have had the opportunity to emigrate. Philip Roth’s novel The Plot Against America imagines an alternative American history under the leadership of the Fascist-sympathising Charles Lindbergh. It is chilling precisely because it shows how gradual the process of erosion might be, and how difficult it must have been for my friend’s ancestors to accept that their country, and their neighbours and friends, were capable of destroying them, and attempting to annihilate their racial and religious identity.

“Persecution of the Jews by the Nazi German occupation government, particularly in the urban areas, began immediately after the invasion. In the first year and a half, the Germans confined themselves to stripping the Jews of their valuables and property for profit, herding them into ghettoes and putting them into forced labor in war-related industries”(source: wikipedia)

We spoke of how two of his relatives appear to have died on successive days in 1939, and how this might have happened. Though this was after Kristallnacht history shows that that was but one spike in a relentless process of denial of freedom of thought, conscience, religion and expression, of inhuman and degrading treatment or punishment, of forced and compulsory labour in ghettoes, of forcing people to live in unbearably cramped and oppressive conditions, with no respect for family or privacy. Though some might have tried to resist, all rights to freedom of assembly would have gone. Others of his relatives simply disappear from the records, and we had little doubt this would have been after an arbitrary deprivation of liberty with no right to any court hearing.

“Extermination camps (or death camps) were camps built by Nazi Germany during World War II (1939–45) to systematically kill millions of people by gassing and extreme work under starvation conditions. While there were victims from many groups, Jews were the main targets” (source: wikipedia)

And my friend found a record indicating the death of one relative in 1942. The place of death was not known, but by that time the Nazi regime was pursuing a state program of genocide, of mass deprivation of life.

“The rights of every man are diminished when the rights of one man are threatened” (source: John F Kennedy)

The development of the European Convention of Human Rights, with its proclamation of the universality of the rights it described, was born out of an acknowledgment and experience that a state can change its own laws, and depart from acknowledging and protecting human rights. If governments can (and they can) derogate themselves from the obligations of their own laws, then a system of international jurisdiction over the protection of human rights was essential. David Maxwell-Fyfe, a future United Kingdom Attorney General and Home Secretary was a key figure in the drafting of the Convention.

“A country is considered the more civilised the more the wisdom and efficiency of its laws hinder a weak man from becoming too weak and a powerful one too powerful” (source: Primo Levi, If this is a Man)

This morning I read reports that the Home Secretary will announce that a majority Conservative government would withdraw from the European Convention.

1 Comment

Filed under human rights, Uncategorized

February 20, 2013 · 1:26 pm

Smeaton v Equifax overturned

The Court of Appeal has overturned what had seemed an important, if controversial, judgment on the legal duties owed by Credit Reference Agencies to those about whom they hold records and issue reports.

I blogged in May last year  about a high court claim for damages under section 13 of the Data Protection Act 1998 (DPA). The claimant, Mr Smeaton, successfully argued that, as a result of processing inaccurate data about his credit history, the Credit Reference Agency (CRA) Equifax was in breach of the fourth data protection principle, and that Equifax’s obligations under the DPA as a data controller meant that it owed a duty of care to Smeaton in tort. Accordingly, damages were owed (to be assessed at a later date).

The case has now been comprehensively overturned in the Court of Appeal. Primarily, the appeal succeeded because the judge’s findings on causation (i.e. had the inaccuracy in Mr Smeaton’s credit record led to the detriment pleaded?) were not sustainable. Lord Justice Tomlinson, giving the lead judgment, was highly critical of the judge’s approach

the judge’s conclusion that the breaches of duty which he identified caused Mr Smeaton loss in that they prevented Ability Records from obtaining a loan in and after mid-2006 is in my view not just surprising but seriously aberrant. It is without any reliable foundation and completely unsupported, indeed contradicted, by the only evidence on which the judge could properly rely (¶11)

That effectively dispensed with the claim for damages, but Equifax, clearly concerned about the implications of the original findings regarding a breach of the DPA and consequent breach of a duty of care, asked the Appeal Court to consider these points as well.

Was there a DPA breach?

Tomlinson LJ held that the procedures which obtained at the time of the alleged DPA breach, regarding the annulment (and communication thereof) of bankruptcy orders, had never been the subject of the expression of any concern by either the Information Commissioner or the Insolvency Service. In the first instance the judge had observed that inaccurate personal data could be “particularly damaging”. Tomlinson LJ did not demur, but said that

it is necessary to put this important principle into context and to maintain a sense of proportion. In the context of lending, arrangements have been put in place to ensure that an applicant for credit should not suffer permanent damage as a result of inaccurate information appearing on his file (¶59)

Those arrangements are described in guidance both published by or approved by the Information Commissioner, and include the fact that, in the event of a failed credit application

[the] lender must tell a failed applicant by reference to the data of which CRA an application was declined, if it was, and the failed applicant, like any consumer, has the right to obtain a copy of his file from a CRA on payment of £2.00

and mistakes can thus be corrected.

Moreover, CRAs must, by reference to the Guide to Credit Scoring 2000, not decline a repeat application “solely on the grounds of having made a previously declined or accepted application to that credit grantor”. This, and other guidance, were inbuilt safeguards against the kind of detriment Mr Smeaton claimed to have suffered. Ultimately

Equifax did take steps to ensure that its bankruptcy data was accurate. It obtained the data from a reliable and authoritative source in the form of the [London] Gazette, it transferred the data accurately onto its data bases from that source and it amended its data immediately upon being made aware that it was inaccurate…the judge was wrong to conclude that Equifax had failed to take reasonable steps to ensure the accuracy of its data (¶81)

Was there a co-extensive duty of care in tort?

Here Tomlinson LJ considered the “traditional three-fold test of foreseeability, proximity and whether it is fair, just and reasonable to impose a duty” and held comprehensively that there was not. He agreed with counsel for Equifax’s argument that

(1)It is doubtful whether it was reasonably foreseeable that the recording of incorrect data on Mr Smeaton’s credit reference would cause him any loss…
(2)It would also not be fair, just or reasonable to impose a duty. In particular, imposing a duty owed to members of the public generally would potentially give rise to an indeterminate liability to an indeterminate class…
(3)It would also be otiose given that the DPA provides a detailed code for determining the civil liability of CRAs and other data controllers arising out of the improper processing of data
(4)Parliament has also enacted detailed legislation governing the licensing and operation of CRAs and the correction of inaccurate information contained in a credit file in the CCA 1974. This provides for the possibility of criminal sanctions, but does not create any right to civil damages. In such circumstances it would not be appropriate to extend the law of negligence to cover this territory (¶75)

The third of these seems to make it clear that the courts will be reluctant to allow for a notion of an actionable duty of care on data controller to process personal data fairly and lawfully. (This is in contrast, interestingly, with the situation in Ireland, whereby a statutory provision (section 7 of the Data Protection Act 1988) states that such a duty of care is owed (at least to the extent that “the law does not so provide”)).

My post on the first instance case has been one of the most-read (it’s all relative, of course – there haven’t been that many readers) so I think it only correct to post this update following the Court of Appeal judgment.

2 Comments

Filed under Data Protection, Information Commissioner, Uncategorized

January 25, 2013 · 8:54 am

Sony Make Believe?

The ICO has “fined” Sony £250k for its Playstation Network breach.

My swiftly-grabbed breakfast coffee yesterday morning was interrupted by an emailed press release from the Information Commissioner’s Office (ICO) informing us that a civil Monetary Penalty Notice (MPN) in the sum of £250,000 had been served on Sony Computer Entertainment Europe Limited by the ICO. It was such an important case it was celebrated by a rare foray into video by the ICO’s David Smith. This was the outcome of investigations into a data security breach in April 2011 which had, in the ICO’s words, the effect of

compromising the personal information of millions of customers, including their names, addresses, email addresses, dates of birth and account passwords. Customers’ payment card details were also at risk

An MPN is served under section 55A of the Data Protection Act 1998. One can be served where the ICO determines that there has been a serious contravention of the Act, of a kind of a kind likely to cause substantial damage or substantial distress, and the data controller knew or ought to have known that there was a risk a contravention of this type would occur, but failed to take reasonable steps to prevent it.

There is a right of appeal against both the MPN itself, and the amount, to the First-tier Tribunal (FTT). Rather to my initial surprise Sony swiftly announced they were lodging an appeal. I had noticed that there were very large parts of the ICO’s formal MPN document that were blacked out. See

cropped-untitled.jpg

and

cropped-untitled.jpg

Even figures such as the estimated worldwide number (in millions) of PS Network users were redacted. I had a suspicion that some sort of negotiation might have taken place between the ICO and Sony, whereby the former would willingly redact everything the latter asked for, if the latter accepted their punishment. The announcement that they would appeal showed how I should be wary of my suspicious nature*.

Sony say

the ICO recognises Sony was the victim of “a focused and determined criminal attack,” that “there is no evidence that encrypted payment card details were accessed,” and that “personal data is unlikely to have been used for fraudulent purposes” following the attack on the PlayStation Network.

This seems to miss the point that section 55A does not require the ICO to determine that harm has occurred, only that the contravention was likely to cause substantial damage – or distress. As the ICO points out, thousands of people had their personal details (names, address, dates of birth and account password)s were compromised. The risk of identity theft existed, and, as the ICO points out, continues to exist. However, a question does arise as to how serious the breach was.

Last week the FTT handed down judgment in an unsuccessful appeal of a previous MPN served on Central London Community Healthcare NHS Trust (for a detailed analysis of that case, see Robin Hopkins’ piece on the Panopticon blog) . As a result of this we now know a bit more both about the ICO’s procedures in serving MPNs and the FTT’s likely approach to any further appeal. We know (paragraphs 37 and 38) that the FTT will conduct in effect a de novo hearing of the facts, and permit itself, where appropriate, to substitute its own view for the ICO’s, but that it will be likely to afford a degree of deference to the ICO’s views, given his expertise in DPA matters. We know (paragraph 39) that the FTT could increase the amount of the MPN. We also know that £250,000 marks the border between what the ICO sees as a “very serious” type of breach and the “most serious” type. One suspects Sony will be asking the FTT to consider whether this breach, which potentially affected a huge number of people, but which did not involve sensitive personal data, was as serious as the ICO treated it.

Personally, I think it was – the sheer numbers, and fact that this data is still out there, perhaps being sold and traded to crooks and spammers, make it so. Although the FTT could take a different view, Sony could well be living in the land of make believe.

One final point. Some have suggested that the ICO has traditionally been unwilling to take on the large private sector organisations when it comes to data protection enforcement. The suspicion has been that he is reluctant to risk lengthy and costly challenges. With this action, the ICO gives (at least a little bit of) lie to that. It would be a real shame if a lengthy and costly challenge ensues. We don’t want the ICO to whisper “I told you so”, do we?

*Actually, my suspicious nature makes me wonder if they will ultimately pursue the appeal. Although it will cost them nothing, this isn’t about cost, but reputation, and do Sony really want to risk another day of bad headlines about their data security, in the event that they lose the appeal?

UPDATE: 12 July

The First-tier Tribunal listings show that Sony withdrew their appeal on 8 July. We don’t know the reason why, but I wonder if I was right after all?

3 Comments

Filed under Uncategorized

January 8, 2013 · 3:48 pm

When is a working day not a working day?

If you made an FOI request over the Christmas period, be aware of a strange anomaly regarding time for compliance

Everyone knows that the time for compliance by a public authority with a request made under the Freedom of Information Act 2000 (FOIA) is twenty working days. Section 10 of FOIA says

a public authority must comply with [a request for information made under] section 1(1) promptly and in any event not later than the twentieth working day following the date of receipt

A “working day” means (by s10(6))

any day other than a Saturday, a Sunday, Christmas Day, Good Friday or a day which is a bank holiday under the Banking and Financial Dealings Act 1971 in any part of the United Kingdom. [emphasis added]

This means that, even when a request is made in England, Wales or Northern Ireland, to a English, Welsh or Northern Irish public authority, under FOIA (which in relevant part only applies to England, Wales and Northern Ireland – Scotland has its own Freedom of Information (Scotland) Act 2002), the existence of a Scottish bank holiday during the relevant period effectively extends the time for compliance by one day.

The 2nd of January is a bank holiday in Scotland.

So, think twice before you chase a public authority this month about a request you think is one day overdue.

9 Comments

Filed under Freedom of Information, Uncategorized

Tagged as