Archive for the 'Freedom of Information' Category

Christine O’Neill blogs on our PublicLaw blog about the Information Tribunal’s first hearing in Scotland, following Scottish Borders Council’s appeal against its monetary penalty under the Data Protection Act issued as a result of a data breach by a contractor working on behalf of the Council.

Brodies PublicLawBlog

Interesting story carried by the BBC today suggests that (I think for the first time) the Information Tribunal (more properly the First tier Tribunal – Information Rights) is going to sit in Scotland to hear an appeal from a decision of the UK Information Commissioner. As has been widely reported, Scottish Borders Council was fined £250,000 by the ICO in relation to the discovery of pensions records in a supermarket car park.

SBC is appealing against the level of the fine and, it appears, the Tribunal has determined that it should hold an oral hearing in March in Edinburgh or in the Borders. A rare chance to see the Tribunal at work north of the border.

Christine O'Neill


Our Public Law team blog on a proposed extension to the number of bodies subject to the Freedom of Information (Scotland) Act 2002. Under the proposals, arm’s length bodies set up by local authorities to carry out certain functions will be within scope. IT and outsourcing vendors who currently provide services to these sorts of organisations (or are considering bidding for contract opportunities) may wish to bear this in mind when reviewing their contracts.

Brodies PublicLawBlog

The Scottish Government last week announced its intention to increase the number of bodies subject to the Freedom of Information (Scotland) Act 2002 (“FOISA”). The Government wants to extend FOISA to arm’s length bodies established by local authorities that provide cultural, sports and leisure activities to the public. It remains to be seen whether they will achieve their aim: long-in-the-tooth FOI practitioners will know the history of attempts by previous administrations in Scotland to expand the scope of FOI.

Currently FOISA applies to the list of organisations at Schedule 1 (as amended from time to time by section 4). The Scottish Ministers can also designate other bodies as a ‘Scottish public authority’ under section 5 of FOISA if they are neither already on Schedule 1 nor capable of being added to Schedule 1 by the section 4 power. Now that all sounds quite complicated, but in order to be designated a public authority the body must be exercising functions…


Our colleagues over on Brodies PublicLawBlog have blogged on a recent decision of the Information Tribunal in relation to the definition of personal data.

The Tribunal’s decision places a strong emphasis on the Court of Appeal’s 2003 decision in Durant v the FSA, a widely criticised decision which applied a particularly narrow interpretation to the term, and led many to think that the European Commission may commence infraction proceedings against the UK for a failure to properly implement the Data Protection Directive.

Brodies PublicLawBlog

Here’s a phrase you won’t hear very often: the Information Tribunal has recently issued an interesting decision. (I of course use the word “interesting” the way all lawyers use it, which is to say quite wrongly. I also use the term “Information Tribunal” quite wrongly, as it is of course now the First-Tier Tribunal (Information Rights).)

The decision, involving the Financial Services Authority, concerns personal data – that most vexing of subjects – and in particular the interaction between Freedom of Information and the Data Protection Act. In this case, the Tribunal overturned a decision of the (UK) Information Commissioner, who had decided that the names of junior members of FSA staff could be withheld under section 40 of the (UK) Freedom of Information Act 2000 (the personal data exemption, equivalent to section 38 of FOISA) because the names were personal data and their disclosure would not be compatible with the data protection principles. The Tribunal…


Improving public records: the Public Records (Scotland) Act 2011

Last Tuesday I attended the Public Records Conference in Edinburgh, and delivered a presentation on the potential legal implications of the new Public Records (Scotland) Act 2011 (the “PRSA”).

The PRSA is intended to “make provision about the management of records by certain authorities”. The theory is that there is a moral imperative to improve record keeping in Scotland, and that the data protection law and freedom of information regimes are only as good as the records which are kept.

In his keynote address, the Keeper of the Records of Scotland Mr George MacKenzie mentioned that records keepers hate the stereotype of “dusty archives”. When it came to my turn to speak, my opening line was, pointing to my grey suit – “I worked at the Registers of Scotland for 4 years – when I started at the Registers, this suit was white”.

After that it was down to serious law, and the headlines of my presentation were as follows:

  • The public authorities to which the PRSA applies are set out in the Schedule. The voluntary sector will only be involved in complying with the PRSA when and where they are contracted by a public authority to perform a public function. The concept of “public function” isn’t defined in the PRSA and could prove controversial. Should the public sector start making provision in contracts for private providers to comply with the PRSA?
  • Public records are those created by a public authority in carrying out its functions. They’re also records created by or on behalf of a contractor in carrying out the authority’s functions (this is not intended to include persons who provide goods or services, but does however mean that authorities must arrange for managing contractors’ records as well as their own). Finally they’re also records created by any other person that have come into the possession of the authority or a contractor in carrying out the authority’s functions (examples include correspondence, reports, evidence or statistics which relate to the function).
  • Authorities must create records management plans, “agreed” with the Keeper. The issue here is about selecting someone at senior enough level to be taken seriously in driving this forward. This is a resource burden for public authorities and others and may require investment in training.
  • By the end of 2011 the Keeper will issue guidance to authorities about the form and content of records management plans. s. 5 of the PRSA provides that a plan will be reviewed not earlier than 5 years after the date of last review. However under s. 6 at any time the Keeper may carry out a records management review to check on compliance. The triggers for this ad hoc checking of a plan aren’t clear.
  • If the authority fails to comply with any of the requirements of the PRSA, the Keeper may take such steps as the Keeper considers appropriate to publicise the failure. Unlike the Data Protection Act, there are no monetary penalties for failure to comply. There is therefore a suggestion that the PRSA may be “toothless”.
  • The PRSA is intended to be complementary to the Freedom of Information (Scotland) Act (“FOISA”). FOISA is a model publication scheme, while the PRSA is a model records management plan. The lists of organisations to which FOISA and PRSA apply are different. The PRSA seeks to support FOISA, but it will not in any way impinge on FOISA or bring about a change in Schedule 1 of FOISA.

The full guidance notes for the PRSA can be read here.

It became clear during the conference that, at the outset at least, the PRSA is going to be enforced in a collaborative fashion. I don’t think we will see authorities being publicly censured for failures to comply, in the short term at least. It is scheduled to come into force at the start of 2013.

If you’d like more information, or are interested in some training on the PRSA for your organisation, then please email me or your usual TIO Group contact.

ICO confirms that Twitter is a valid method of making a request for information under FOI

The UK Information Commissioner’s Office (ICO) has confirmed its view that tagging a public authority’s Twitter account in a tweet can be sufficient to constitute a request for information under the Freedom of Information Act 2000 (FOIA).

This may come as a surprise to a number of public authorities already struggling to manage and monitor requests for information under FOIA.

Making a request
Unlike a subject access request under the Data Protection Act 1998, a request for information does not need to be made in a particular form, or even identify itself as a request for information. It must simply be made in writing and identify the name of the applicant.

The ICO states that provided the applicant’s Twitter ID or profile gives its real name, that will be sufficient.

Monitoring of @mentions
In many instances, Twitter will be used by public authorities just for information dissemination to the public (for example, for realtime information), and not for engaging in conversations with other Twitter users.

However, given the ICO’s guidance, it is important that public authorities maintaining Twitter accounts monitor their @mentions for potential requests for information. This will apply not just to a public authority’s main Twitter account, but also (potentially) to Twitter accounts maintained by individual departments within that authority or (even) individuals, if they Tweet in the capacity of their job.

Note that the ICO’s guidance only applies to FOIA. It does not apply to the Freedom of Information (Scotland) Act 2002, which applies to Scottish public authorities. It’s not clear what the Scottish Information Commissioner’s view on this is.

ISPs fail to overturn Digital Economy Act

BT and Talk Talk have failed in their attempt to overturn certain provisions of the Digital Economy Act (“DEA”) by judicial review.

Justice Kenneth Parker rejected arguments led by the ISPs that the contested provisions of the DEA will breach key pieces of European Union legislation. In Justice Parker’s opinion:

  • The Technical Standards Directive will not be breached because the DEA is not currently legally enforceable against individuals or ISPs, and therefore it is perfectly acceptable for the Government to notify the DEA to the European Commission at the same time that it notifies the forthcoming draft Initial Obligations Code (which is being prepared by Ofcom);
  • The E-Commerce Directive (and its “mere conduit” protection for ISPs) will not be breached because the DEA will not impose liability on ISPs for copyright infringement; and
  • The Data Protection Directive will not be breached because, although the “relevant data” to be processed by copyright owners (ie IP addresses) will, in Justice Parker’s opinion, constitute “personal data”, the processing will be relevant and lawful for the purposes of preventing copyright infringement.

Justice Parker had more sympathy with the ISPs’ objection to bearing 25% of the costs incurred by Ofcom in carrying out functions under the contested provisions of the DEA. He ruled that these were administrative costs breaching Article 12 of the Authorisation Directive, and were therefore unlawful. (Nothing in the actual DEA will be changed, but the government will have to reapportion these costs. Note also that ISPs will still be required to pay 25 per cent of the costs of sending out letters to alleged infringers.)

Justice Parker then addressed the claim that the provision represented a disproportionate restriction on the free movement of services and/or the right to privacy and/or the right to free expression or to impart and receive information. He was reluctant to tamper with the legislation, saying: “the issues in this judicial review…are classically of the kind that Professor Lon Fuller famously described as ‘polycentric’ where it is hard enough for the legislature to seek to think through, and to weigh all the possible implications of a range of policy choices that are theoretically open, but it is nigh impossible for a judge…this Court must accord Parliament a wide margin of discretion in weighing the competing rights in this case.”

Despite this reticence, Justice Parker interestingly endorsed the DEA’s controversial “3 strikes and you’re out” regime, stating that it represented “a more efficient, focused and fair system than the current arrangements”. Justice Parker also noted that in any court actions against infringers the burden of proof will be on the rights holders to show that the accused is the party which has actually infringed copyright (as opposed to the party which has, for example, provided wi-fi access). He concluded by stating that he did not believe that any useful purpose would be served by referring to the European Court of Justice the questions of European Union law raised by the judicial review.

In contrast, BT and Talk Talk have announced that they are considering their options, and have not ruled out an appeal to the Court of Appeal, or a request that the Court of Appeal make a reference to European Court of Justice.

Personally, I’d disagree with Peter Bradwell from the Open Rights Group’s claim that “it is not a judgement about whether or not the Digital Economy Act is right in policy terms.” I think that close reading of the decision from paragraph 203 onwards leaves little doubt that Justice Parker tacitly approves of the reasoning behind the DEA.

The full text of the judicial review can be read here.

A Freedom Too Far?

It’s as if Mel Gibson shouted “FREEDOM (of information legislation)!” at the end of Braveheart. The Scottish Government is proposing that Freedom of Information legislation should be extended to cover a wider range of bodies which deliver public services in Scotland, making Scotland the most “open” country in the UK.

Further bodies can be “designated”, or brought under the scope of the Freedom of Information (Scotland) Act 2002 through powers set out in section 5 of the Act. According to the Scottish Government, bodies should only be considered for inclusion in a section 5 order where they undertake significant work of a public nature or receive significant public funding.

The specific bodies so far identified are building contractors on large public projects; private prison operators; leisure and culture trusts set up by local authorities; the Glasgow Housing Association; and the Association of Chief Police Officers in Scotland. Consultation with these bodies will take place in spring 2010.

In most cases it’s a fair cop (geddit).

However, the addition of “building contractors”, private prison operators and leisure trusts seems unnecessary because information they have/generate in relation to a public sector contract is probably already caught under existing FOI legislation.

Freedom of information and privacy – finding the right balance

Yesterday I attended a very interesting seminar at the University of Dundee’s Centre for Freedom of Information.

The topic under consideration was the interaction between freedom of information and data protection legislation, and in particular how the law seeks to balance the “right to know” (the basic premise of freedom of information) and the privacy rights of the individual.

Christine O’Neill, Head of Brodies’ Public Sector Services Group, gave an excellent presentation on key case law to date, looking at where the law stands following the House of Lords’ decision last July in the case of Common Services Agency v Scottish Information Commissioner.

There was general consensus that the law in the UK on this issue is badly in need of clarification, in particular given the importance of the competing interests at stake.  The interaction between freedom of information and data protection legislation relies heavily on how we define “personal data” – the personal information to which data protection legislation applies. Broadly speaking, personal data is any information about a living individual from which that individual can be identified. However the decision in the CSA case (which dealt with statistical information about the incidence of childhood leukaemia in Dumfries and Galloway) has left information lawyers struggling to understand precisely how the “identifiable” element of the statutory definition should be interpreted, in particular in cases where an organisation tries to anonymise personal information in order to permit its release.

Comments from David Banisar of Privacy International supported a general view that the problems currently being encountered in the UK, in seeking to reconcile these two bodies of legislation, stem mainly from the wording of the UK’s Data Protection Act 1998. Many other jurisdictions around the world have both freedom of information and data protection legislation, but appear to have succeeded in achieving a smoother and more effective interaction between the two regimes than we have to date.

More developments are in the pipeline, with the Scottish Information Commissioner preparing to give his further decision on the CSA case in the coming months and another case (this time on the incidence of registered sex offenders living in certain postcode sectors) heading to the Court of Session.  This looks set to present more difficult issues, both from a policy and a technical, legal perspective.

Ultimately, it is looking increasingly likely that a satisfactory level of clarity will be achieved only through suitable amendments to the DPA. However, any light which further case law can shed on the issue in the meantime would be very welcome indeed.

Eleanor Peterkin
