Alistair Sloan, Advocate

Bundle Wars: FTT Directions, the ICO, and the Upper Tribunal’s Take

July 2nd, 2025

Decisions by the Upper Tribunal on whether to grant or refuse permission to appeal to it are rarely of any note; however, last month Upper Tribunal Judge Wikeley directed that his decision on the Information Commissioner’s application for permission to appeal to the Upper Tribunal against case management directions of the First-Tier Tribunal be given a neutral citation in order that it could be published.

The application for permission to appeal related to directions made by the First-tier Tribunal concerning who was to make up the bundles in an appeal by the Department for Health and Social Care (DHSC) against one of the Commissioner’s decisions. Two sets of directions had been made in relation to the bundles; the last of which clarified that the Commissioner (as respondent) was to make up the open bundle and the DHSC (as appellant) was to make up the closed bundle. The requester, Access Social Care, did not participate in the hearing before the Upper Tribunal.

The Commissioner was, in effect, challenging the application of guidance issued by the General Regulatory Chamber in relation to bundles, known as the Bundles Guide. This guidance applies to the full range of cases heard by the GRC and not just those within the Information Rights jurisdiction. At 2.1 the guide states:

“In this Tribunal, because the Respondent (the regulator) is a public body and is usually represented by legal professionals or other officials, they will normally be expected to put together the bundle and send it to you and the Tribunal. Even though you will not usually be expected to produce a bundle, you might still find it helpful to read the Notes for Bundle Providers section below.

Sometimes the Respondent may ask the Tribunal to direct that you should provide the bundle, but that is unusual. If that happens a decision will be made by a Tribunal registrar or judge, after considering any comments you have.”

The expectation that the regulator will prepare the bundle in appeals is also repeated at the beginning of Part 3 of the guide.

The Commissioner was taking issue with the directions in this case on two fronts. Firstly, that the failure of the FTT judge to give reasons for her direction and had misdirected herself as to the relevant law. The second was that the Judge’s direction was unreasonable and contrary to the overriding objective. The Upper Tribunal held a “rolled-up” hearing in relation to the application for permission to appeal.

Ground 2
The Upper Tribunal first turned to the second ground of appeal by the Commissioner. The Commissioner argued that, in this case, the DHSC should have been required to prepare the bundles. Counsel for the Commissioner advanced four arguments in support of this: (1) the DHSC was a well-resourced public body which was represented by legal professionals; (2) the DHSC had access to all the relevant documents; (3) it was the choice of the DHSC to bring the appeal whereas the Commissioner had no choice but to be a party; and (4) that if the DHSC had instituted judicial review proceedings, it would have borne the burden of preparing the bundles.

The Upper Tribunal found none of these arguments to be persuasive. In relation to the first argument, the UT Judge said that the “argument assumes that the explanatory consideration in paragraph 2.1 of the Bundles Guide necessarily underpins the usual expectation in Part 3 that the regulator prepares the bundles.” [ 27] The UT Judge pointed out that Part 2 of the guidance was confined to giving guidance to unrepresented parties whereas Part 3 applied across all of the GRC’s jurisdictions. [27]. The UT Judge further went on to state that the guide set out “clear delineation of the default (and usual but not immutable) position of the regulator’s responsibility for bundle preparation.” [27].

In relation to the second argument advanced by counsel for the Commissioner, the UT Judge held that it was “simply not correct” [28]. Counsel for the DHSC had argued that no single party had access to all the documents. In FOI cases, there would usually be correspondence passing between the requester and the Commissioner that the public authority sees for the very first time in the hearing bundle. [28]

Turning to the third argument advanced on behalf of the Commissioner, the UT Judge noted that in every FOI appeal before the First-tier Tribunal that the Commissioner is a “conscript rather than a volunteer”, that is the case whether the appellant is the requester or the public authority. [29] Under reference to Browning v IC and Department for Business, Innovation and Skills and Greenwood v IC and the Commissioner of the Police for the Metropolis the UT Judge concluded that this position reflected the Commissioner being the effective statutory guardian of the Freedom of Information Act 2000. [29]

Finally, addressing the fourth argument advanced on behalf of the Commissioner, the UT Judge considered that it didn’t take the Commissioner’s argument anywhere. The UT Judge stated that “[t]he FTT jurisdiction is consciously different from Part 54 CPR proceedings, and in any event in the latter arena the Department would be at risk of all costs and not just the cost of producing the bundle.” [30]

The UT Judge made it clear that what the Upper Tribunal was faced with in these proceedings was not an application for judicial review of the bundle guidance by the Commissioner [31] (which would be very much out of time, the bundle guide having been issued by the GRC President more than a year ago). What the Upper Tribunal was concerned with here was the much narrower question as to whether the direction in relation to the preparation of bundles in this specific case was plainly wrong. [31]. The UT Judge concluded that he did “not regard it as arguable that the FTT’s bundles direction was Wednesbury unreasonable.”

The Commissioner’s challenge to the directions, insofar as it was based on the overriding objective was equally unsuccessful. Here, it was argued on behalf of the Commissioner that the First-tier Tribunal had essentially disregarded rule 2(2)(a) of the Tribunal’s rules of procedure which required the Tribunal, as part of the overriding objective, to take account of the parties resources. In response to that argument, the UT Judge stated, at [33]

“There are at least three difficulties with this submission. The first is that the logical end-point of this submission is that the FTT should have considered the comparative budgets of the parties, a task which is completely unrealistic in practice. The second is that although consideration of resources is in very general terms relevant to the overriding objective, and underpins paragraph 2.1 of the Bundles Guide, it provides no real assistance in differentiating between the situation of the Information Commissioner and a central government department, each of which will face competing calls on their doubtless limited budgets to defend their decisions in litigation. The third is that in any event rule 2 mandates a multi-factorial assessment of competing considerations, not all of which may point in the same direction. The balancing of those considerations when making case management directions is quintessentially a matter for the good judgement of the tribunal charged with the conduct of the proceedings.”

Ground 1
The Commissioner’s reasons challenge did not fare any better. It was common ground that the FTT Judge had not given reasons at the time of giving the amended direction which required the Commissioner to produce the open bundle and the DHSC to produce the closed bundle. At paragraph [40], the UT Judge held that “[t]he default position, therefore, is that there is no categorical expectation in the statutory scheme governing the FTT’s procedural rules that reasons need to be given for a tribunal’s case management direction.”

Having dealt with what the rules required, the UT Judge then went on to consider whether there was any basis in the case law for reasons being required. Counsel for the Commissioner had relied heavily upon the judgment of Underhill LJ in R (LND1 & Ors) v Secretary of State for the Home Department. Counsel for the Commissioner did recognise that the subject matter facing the Court of Appeal was very different from that which was before the Upper Tribunal. LND1 concerned whether an Afghan judge qualified to be relocated to the United Kingdom. It was a judicial review challenge to an administrative decision by the Home Office in a matter that could potentially be, quite literally, life and death for the Afghan judge concerned. The Court of Appeal’s judgment was consequently “of very limited assistance in the current proceedings.” [42]

The UT Judge went on to consider the judgments of the Court of Appeal in Carpenter v Secretary of State for Work and Pensions and of the Upper Tribunal in KP v Hertfordshire CC (SEN) and Information Commissioner v Experian Limited. The UT Judge considered that the FTT Judge was dealing with a “tutored audience” who perfectly well understood where the battle lines were. The necessary and inevitable inference from the decision of the FTT Judge was that the submissions for the DHSC had been preferred for the reasons that it had given in its submissions. [48]

Permission to appeal was therefore refused on both grounds.

It is easy to see why the Commissioner might have taken this fight to the Upper Tribunal. His office is involved in a significant number of FOI appeals to the First-tier Tribunal every year. The default position is that in those cases his office bears the burden of making up the bundles. That takes time and there is therefore a cost associated with it in a jurisdiction where costs/expenses are typically not recoverable. If the Commissioner could shift that cost in at least some of the cases away from his office onto others, then that would represent a saving to his office’s budget.

However, it is also equally easy to see why the bundle guidance is what it is. Taking Information Rights cases as an example, in that jurisdiction many of the appeals are brought by requesters who are invariably not legally represented (if they are represented at all). Tribunals are supposed to be more informal, more flexible and less complicated than the courts and so, there is a justification for removing the burden of producing a bundle from individuals who know little about how courts and tribunals work and may, in the days of electronic bundles, lack software to put together a bundle. This is particularly true in a jurisdiction which is of constitutional importance.

The Bundle Guide lays down a default position, but it is not a position that cannot be changed in an appropriate case. The UT recognised that it was not an immutable position at [27]. It remains open to the Commissioner to suggest to the First-tier Tribunal that a public authority appellant ought to produce the bundles in such cases and the Tribunal retains the discretion to make such a direction. However, if the Tribunal chooses not to then it’s not going to be a decision that is open to challenge with any great prospect of success. So, for now at least, the Commissioner appears to be stuck with the burden of making up bundles in all, or at least nearly all, FOI appeal cases before the First-tier Tribunal.

_{Disclaimer: This article is for information purposes only and nothing in it should be taken as constituting legal advice.}
Pleading data protection claims: A Scottish perspective

June 30th, 2025
Judgments from the Scottish courts in relation to data protection cases are much rarer than they are from other jurisdictions in the United Kingdom, but last week a judgment, from April, was published in relation to an action raised in Lanark Sheriff Court against the Chief Constable of the Police Service of Scotland under sections 167 and 169 of the Data Protection Act 2018 and at common law. The pursuer (Mr Prentice) had raised proceedings against the defender (the Chief Constable) seeking:
- a declarator that the defender had failed to comply with her statutory obligations under section 45(1) and (2) [of the Data Protection Act 2018] to fully and properly respond to subject access requests made on 17 November 2021, 22 February 2022, 31 July 2023 and 11 September 2023.
- a compliance order under section 167 of the Data Protection Act 2018
- damages of £5,000 for damage and distress suffered as a result of the defender’s failure to respond to the pursuer’s subject access requests.
The judgment followed a debate at the instance of the defender who sought to argue that the pursuer’s case was bound to fail and that it should be dismissed. A debate focusses on the pleadings and an action will only be dismissed after debate in circumstances where the pursuer is bound to fail even if they prove all that they offer to prove; it is a relatively high bar to meet. There was mixed success with only the issue of a compliance order being allowed to proceed to proof (for those not familiar with Scots law, a hearing on the merits of the action at which parties lead evidence).

It is a useful case as it considers pleadings in data protection cases from a Scottish perspective where pleadings take on a specific and important role and about which there are many important rules.

Turning first to the issue of declarator, the Sheriff determined that the crave for declarator was incompetent. At paragraph [43] the Sheriff encapsulates the Scots law in relation to declarators, stating:

“As per MacPhail, at Chapter 20 and Walker at Chapter 8, a crave for declarator is one which seeks that a right be declared in favour of the pursuer, or that it declares non-existent what appears to be an existent right. The pursuer must have an interest in the declarator sought, and the court will only grant a declarator in respect of a live, practical issue. It is incompetent to bring an action to have a fact declared which has no legal consequences for the pursuer, or to seek a judicial opinion on an abstract question of law. Similarly, to do so where the right is not challenged, or doubted (Walker at page 105, MacPhail 20.01, Scott v Kate Frame (ibid) paragraph 88).”

The Sheriff continued, at para [44]:

“Crave 1 of the application does not seek a declarator of the rights provided by section 45 of the 2018 Act. What is sought amounts to a finding in fact and law that on specified dates the defender failed to comply with her obligations in terms of that section. That is not a competent declarator. (…) As per Walker, MacPhail and Scott v Kate Frame the court should not make declarators of rights which are not doubted. The existence of section 45 rights, their availability to the pursuer, and the concurrent obligations they impose on the defender are not challenged in this case. What is challenged is the pursuer’s assertion that the defender failed to comply with her obligations.”

Here we have a clear expression from the Sheriff that seeking a declarator from a Scottish court that a controller has failed to comply with their statutory obligations under the Data Protection Act 2018 is incompetent. This is only a first instance decision that is not binding upon any other court in Scotland; however, this doesn’t seem to me to be a controversial position for the Sheriff to have arrived at. The function of a declarator is to declare that someone has a right or that a right that appears to exist does not, in fact, exist. There is, and must be, some practical effect to the pursuer seeking the declarator (such as establishing that they have a particular right or that a right that appears exercisable against them is not, in fact, exercisable against them).

A declarator that a data subject has a right to have their subject access request responded to by the controller would do nothing more than state what the law already clearly provides. Where a data subject has made a subject access request which has not been responded to by the controller (or where the data subject contests some or all of the exemptions applied by the controller when responding to the request), data protection law provides two remedies: firstly, a complaint to the Information Commissioner and secondly, an application to the court for a compliance order. A declarator would do nothing for the pursuer in that it would not, nor could it, force the controller to address any deficiency in their handling of the subject access request.

Turning to the pursuer’s third crave, which was for damages in the sum of £5,000. This was dismissed by the Sheriff on the grounds of a lack of specification. In Scots law, a party is entitled to know the case that they must meet and so sufficient facts must be pled by each party to give the opponent fair notice of their respective cases. At paragraph [53] of his judgment, the Sheriff sets out what was lacking in respect of the pursuer’s averments concerning his claim for damages. The Sheriff states:

“Section 169(5) of the Act defines damages available under the Act as including financial loss and damage not involving financial loss, such as distress. Those heads of claim are identified in the averments but not in a way that provides fair notice. The existence of distress, stress, anxiety, and frustration, are all averred, but no averments are provided as of how, or when, or where, they manifested themselves. The financial loss (styled as “detriment” by the pursuer) is averred to be the instruction of solicitors, however the legal expenses incurred are not specified at all. Neither do the averments as to the purported “disadvantage” suffered during the successful appeal against the revocation of the pursuer’s firearm license explain the loss suffered, if indeed this head of claim is available as per section 169(5) at all.”

It is of note that right at the very end of this paragraph, the Sheriff raises some doubt as to whether some of the “disadvantage” the pursuer had allegedly suffered was something that could be competently claimed in an action under section 169 of the Data Protection Act 2018. However, the Sheriff dismissed the pursuer’s third crave on the basis of a lack of specification, rather than on any question of the competency of the remedy sought. It would seem from the Sheriff’s judgment that despite the Record (the document which brings both parties pleadings together) running to 38 pages there was little in the way of specification in relation to the sum sought for damages. It seems that it was not clear how much of the £5,000 was attributable to financial loss and how much was attributable to non-financial damage such as distress. It also appears, from the terms of the Sheriff’s judgment, that there was nothing about how each head of claim had been calculated (see, for example, the reference to there not being specification of how much the legal fees referred to in the pursuer’s pleadings were).

The defender’s challenge to the averments supporting the second crave (for a compliance order under section 167) was not successful. The defender contended that the 17 November 2021 communication was not a subject access request. The Sheriff was directed to no authority which would enable the court to determine that issue at debate and took the view that the matter was one for proof [46]. More generally, the Sheriff took the view that the pursuer’s case that the exemptions were not properly applied was not bound to fail. At paragraph [51], the Sheriff stated that he “was persuaded that there was sufficient information and circumstances pled pertaining to the subject access requests to allow the court to consider finding in facts that the exemptions were not properly applied.” The Sheriff went on to state, at paragraph [51] that “crave 2 would not necessarily fail if all of the pursuer’s averments pertaining to it were proved.” That is, of course, not to say that the pursuer will surely succeed, only that he is not bound to fail.

In relation to the data protection case, the pursuer appears to have been unrepresented throughout and the Sheriff has addressed the issue of equal treatment at paragraphs [55] – [57] of his judgment under reference to the judgment of the UK Supreme Court in Barton v Wright Hassall LLP and the opinion of the Sheriff Appeal Court in Royal Bank of Scotland PLC v Aslam.

Overall, a rare and interesting data protection judgment emanating from Lanark Sheriff Court. The importance of properly framing pleadings in any civil case in Scotland, including data protection claims, cannot be understated. A poorly drafted data protection case can come unstuck at an early stage and result in a data subject being unable to even attempt to prove their case against the controller.

_{Disclaimer: This article is for information purposes only and nothing in it should be taken as constituting legal advice.}
Transparency Recast: How the Freedom of Information Reform (Scotland) Bill could change FOI in Scotland

June 6th, 2025

On Monday 2 June 2025, Katy Clark MSP introduced her long-awaited Freedom of Information Reform (Scotland) Bill into the Scottish Parliament.

Katy Clark MSP, a Member of the Scottish Parliament for the West of Scotland, opened a consultation in November 2022 on a proposal to introduce a Members Bill to the Scottish Parliament to amend the Freedom of Information (Scotland) Act 2002 (FOISA). That consultation closed on 14 March 2023, extended from 2 February 2023 to coincide with the Scottish Government’s own consultation. A total of 96 responses were submitted to the consultation spanning the public, private and third sector as well as academics, professionals with relevant experience and members of the public. The analysis of the consultation response can be found on the Scottish Parliament’s website here. The consultations by Katy Clark MSP and the Scottish Government followed on from the post-legislative scrutiny of the Freedom of Information (Scotland) Act 2002 carried out by the Parliament’s Public Audit and Post-legislative Scrutiny Committee which was carried out between 2019 and 2020; this, in turn, followed on from a vote in the Scottish Parliament in June 2017. It has, in short, taken almost 8 years to get to this stage. FOISA was last amended by the Freedom of Information (Amendment) (Scotland) Act 2013.

The Bill contains a number of important proposals; however, it should be borne in mind that this is not a Government Bill. The SNP administration is a minority administration and so they would need at least one other party to vote with them to defeat the Bill (more if it was the only Alba Party and/or independent MSP who voted with them to defeat the Bill). The proposal to introduce the Bill was supported by MSPs from three of the opposition parties. No SNP MSP supported the proposal to introduce the Bill.

General entitlement

The Bill proposes inserting a new subsection (5A) into section 1 of FOISA which would, if adopted by the Scottish Parliament, require a public authority to apply a presumption in favour of disclosure when considering a qualified exemption (i.e. one that is subject to the public interest test). This would bring FOISA into line with the Environmental Information (Scotland) Regulations 2004, which governs the access to environmental information held by Scottish public authorities, which provides for such a presumption in Regulation 10(2)(b).

The Scottish Government has previously taken the view that such an amendment is not necessary because there is already a presumption in favour of disclosure inbuilt within FOISA. However, the Court of Session held otherwise (for full disclosure, I appeared for the unsuccessful appellant in that case, which can be seen on the face of the court’s opinion) and permission to appeal to the Supreme Court was refused. The decision of the Court of Session means that, contrary to the view of the Scottish Government, there is no such presumption (a view which they continued to express in December 2023 (para 83), after the Court of Session had resolved the question). If the Scottish Government is of the view that there ought to be such a presumption in FOISA, or that it was the intention of Parliament when it legislated in 2002 that there was to be such a presumption, then it is difficult to see how they could not support this proposal unless they are proposing their own amendments in their own Bill.

Designation of Scottish public authorities

There are a number of ways in which people or bodies not covered by the FOISA can be covered. The first is for the person or body to be added to Schedule 1 (as typically happens when new public bodies are created by statute), either in primary legislation or through section 4 of FOISA. The other is by way of an order under section 5 of FOISA.

The Bill would insert a new section 5A into FOISA which would establish another new way of designating Scottish public authorities: parliamentary resolution. This power would apply where the person is not listed in Schedule 1 nor be capable of being added under section 4 and is neither a public body nor holder of any public office. Furthermore, the person would need to either appear to be exercising functions of a public nature or be providing, under a contract made with a Scottish public authority, any service whose provision is a function of that Scottish public authority.

This provision is, as the policy memorandum confirms, is to enable the Scottish Parliament “to take the initiative on the pace and detail of designation” while ensuring that “designation is measured, understandable and enforceable.”

This appears to be a novel provision whereby Parliament could designate a person as a public authority without the need to pass an Act of the Scottish Parliament. There is a requirement for prior consultation by a committees or sub-committee before it makes such a resolution.

Publicly-owned companies

The Bill contains a provision to fix a lacuna in relation to publicly-owned companies. The Bill would mean that companies which are owned by the Scottish Ministers and any other schedule 1 authority (except where such an authority is listed only in relation to information of a specified description) would be a Scottish public authority.

Pro-active publication

The publication scheme model adopted by the Freedom of Information Act 2000 and FOISA has often been criticised as being out-dated and not going far enough when it comes to pro-active publication. This Bill, if passed into law, would amend FOISA by repealing the sections relative to publication schemes and instead create a duty upon Scottish public authorities to take reasonable steps to “(a) organise and keep up to date the information, relevant to its functions, which it holds, and (b) make that information available to the public in an accessible form and manner.” In doing Scottish public authorities would be required to have regard to a statutory code of practice issued by the Scottish Information Commissioner (and any revised version thereof).

Compliance with this new code would be policed by the Scottish Information Commissioner who would gain enforcement powers in relation to this new code of practice (along with the existing codes of practice issued under sections 60 and 61 of FOISA).

Freedom of Information Officers

The final proposal in the Bill that I wish to look at in this post (there are, of course, more proposals in the Bill) is the one to require Scottish public authorities to appoint a Freedom of Information Officer. This proposal is based on the role of the Data Protection Officer in the UK GDPR.

The policy memorandum states that the “objective is to embed a professional culture, underpinned by sufficient resource and authority, within organisations when it comes to handling requests and publishing information.” The policy memorandum also points to the requirement under section 1(2) of the Public Records (Scotland) Act 2011 as support for this proposal.

As stated at the outset of this post, the Bill has not been introduced by the Scottish Government (which previously ruled out primary legislation in its response to the consultation that it held on FOI reform) and so it is therefore not guaranteed to become law. Bills introduced by back-bench and opposition MSPs typically have a greater chance of success than their equivalent (Private Members Bills) do in the UK Parliament. Furthermore, the current Scottish Government is a minority administration which also increases its chances. However, MSPs from only three parties represented within the Scottish Parliament supported the proposal for the Bill.

The next elections to the Scottish Parliament are scheduled for May 2026 so it will be interesting to see whether this Bill makes it through Parliament during what is the final gasp of this session of the Scottish Parliament and what it looks like should it become an Act of the Scottish Parliament.

_{Disclaimer: This article is for information purposes only and nothing in it should be taken as constituting legal advice.}
Privilege without purpose: Law firm fined by Information Commissioner following cyber-attack

April 16th, 2025

In the recent past there has been a spate of law firms falling victim to cyber-attacks. In August 2024, the Law Society Gazette reported that the number in the UK had risen from 538 to 954. Law firms remain vulnerable to cyber-attacks, not just in relation to client accounts but also in relation to IT systems storing client files.

In 2022, DPP Law, based in Bootle with additional offices in Birmingham, Liverpool, London and Tolworth, was subject to a cyber-attack which resulted in 791 client files being uploaded onto the dark web; this included files in relation to criminal cases, family and matrimonial cases as well as actions against the police. On 14 April 2025, the Commissioner served a penalty notice (“PN”) on the law firm in the amount of £60,000 having found that the firm breached Articles 5(1)(f) and 33 of the UK General Data Protection Regulation. In doing so, the Commissioner had regard to the judgment in VB v Natsionalna agentsia za prihodite (Case C-340/21) [2024] 1 WLR 2559 that the fact that a cyber incident took place is not sufficient to make a finding that a controller has infringed Articles 5(1)(f) and 32 (see PN §38).

At the core of this breach was a user account which had access privileges far greater than was necessary. The account was an administrator account for a legacy case management system. The account had a limited role on the firm’s network; however, had full administrator rights across the network. The firm had been aware of the existence of the account for at least 11 years prior to the cyber-attack, but did not know the password and could not reset it – the password was only known by a third-party supplier. The legacy case management system was taken out of service in 2019 and the service agreement with the new supplier in relation to the legacy system account came to an end in 2021. This period seems to have been insufficient to meet the terms of the firm’s data retention policy because it argued that the system remained operational because the firm still required access to data in the legacy system. The firm appears from the terms of the penalty notice to have attempted to minimise its own role in the incident and shift blame onto its external IT suppliers. This apparent argument was given short shrift by the Commissioner. The full penalty notice is worthy of reading as it contains a number of useful lessons for not just law firms, but all data controllers.

The way in which the Commissioner calculated the penalty that it imposed is also worthy of consideration. The Commissioner does not issue that many financial penalties for breaches of the UK GDPR or Data Protection Act 2018, so it is always useful to gain an insight into how it applies its policy in practice. The Commissioner adopts a five-step approach, and this is dealt with at §§ 135-164 of the PN. Taking into account the seriousness of the contraventions and the firm’s turnover, the Commissioner determined that the starting point for computation of the penalty was £23,800. This represented 0.68% of the firm’s turnover for the 2023/24 financial year. In terms of aggravating and mitigating factors, the Commissioner decided that there were no mitigating factors and that there were not aggravating factors which merit adjustment of the amount.

However, the Commissioner determined that a penalty of £23,800 would be neither effective nor dissuasive (see PN §157). The Commissioner considered that a penalty of £60,000 would be more appropriate, which would represent 1.7% of the firm’s turnover for the 2023/24 financial year (PN §160). The firm sought to argue that the Notice of Intent (which was in the sum of £60,000) was not inline with the Penalty Notice issued to another firm of solicitors in 2022 and sought to argue that a penalty of £20,000 would be more appropriate. The Commissioner rejected this position for a number of reasons, including that the 2022 penalty notice was calculated under previous guidance for calculating monetary penalties and that it is not appropriate to compare enforcement action in previous cases because each case turns on its own individual facts and circumstances. (PN §163(a)). Furthermore, in calculating the fine to be imposed, due regard had to be given to all of the factors set out within Article 83(2) and that these differ between cases requiring consideration on the facts of each individual case (PN §163(c)).

The controller has 28 days to appeal the PN and/or the amount imposed in the PN to the First-Tier Tribunal or must pay the penalty by 19 May 2025.

Disclaimer: This article is for information purposes only and nothing in it should be taken as constituting legal advice.
FOI Information Notices: Insights from the First-Tier Tribunal

March 13th, 2025

Earlier this week, the First-Tier Tribunal issued a decision in relation to two appeals against information notices served on the Cabinet Office by the Information Commissioner in relation to requests by journalists connected to the Good Law Project and the Times.

The first appeal arose out of a request made by someone described as a journalist at the Good Law Project for the name of the investment fund based in the United States of America that had been operating a blind management or trust arrangement in relation to the former Prime Minister, The Rt. Hon Rishi Sunak. The second appeal concerned a request for information made to the Cabinet Office by a journalist at the Times which sought disclosure of the then Prime Minister’s full declaration of interests document, including all the interests submitted to the Independent Adviser on Ministerial Interests as at the date of the request for information.

In relation to both requests, the Cabinet Office had withheld the information and the respective requesters had complained to the Information Commissioner under section 50 of the Freedom of Information Act 2000.

As is standard practice for the Commissioner, the Cabinet Office was written to with various questions as well as a request to provide a full unredacted copy of the information that was held by the Cabinet Office which was in scope. The Cabinet Office refused to provide a full unredacted copy of the former Prime Minister’s completed ministerial declaration of interest documents. It did so citing the “hugely significant sensitivities in terms of personal data and potential security implications.” The Cabinet Office explained that the documents were “handled extremely carefully within government, with only a very small number of people having access to it, on a strictly need-to-know and ‘hard copy’ basis.”

The Commissioner and the Cabinet Office then entered into correspondence and meetings took place between the Commissioner and a senior official from the Cabinet Office. The Commissioner then served information notices on the Cabinet Office pursuant to his powers under section 51 of the Freedom of Information Act 2000. The Cabinet office exercised its right of appeal, under section 57(2) of the Freedom of Information Act 2000, against the Commissioner’s decision to issue the information notices.

The first ground of appeal dealt with by the tribunal (referred to as Ground 1A in the Tribunal’s decision) was that the Commissioner’s power to issue an information notice is subject to a requirement that he reasonably require the information. The Cabinet office contended that the Commissioner had not identified any sensible basis upon which parliament might have intended a different operation of section 51(1)(a) and section 51(1)(b). Section 51(1)(a) provides that where the Commissioner has received an application under section 50 he may serve an information notice on the public authority whereas section 51(1)(b) confers a power upon the commissioner to issue an information notice where he “reasonably requires” information (i) “for the purpose of determining whether a public authority has complied or is complying with any of the requirements of Part I” or (ii) “for the purpose of determining whether the practice of a public authority in relation to the exercise of its functions under this Act conforms with that proposed in the codes of practice under sections 45 and 46.”

The Tribunal did not accept this proposition from the Cabinet Office. At [40], the tribunal found “no ambiguity” and accepted “the proposition that what the Cabinet Office is seeking to do is to read words into a statute which are not there and which are not necessary for it to make sense.” The Tribunal continued noting that there is a clear textual difference which can be seen by the use of the word “or” at the end of section 51(1)(a) and from the way in which the different duties had been separated out.

In essence, the Tribunal was satisfied that where the information notice is issued in circumstances where the Commissioner had received a complaint under section 50, the only limitations on his powers to issue an information notice are the usual public law ones.

The second ground considered by the Tribunal in its decision (referred to as Ground 1B in its decision) concerned the Cabinet Office’s contention that the Commissioner receiving and using the information would involve the unlawful processing of personal data. While the Tribunal accepted, at para [41], the contention that the Commissioner receiving the information and then using it to determine the section 50 complaints would amount to the processing of personal data under both the UK General Data Protection Regulation and the Data Protection Act 2018, it did not accept the submission on behalf of the Cabinet Office that (i) the processing by the Commissioner would not satisfy any of the conditions in Article 6(1) of the UK General Data Protection Regulation or (ii) that it would be unfair to the former Prime Minister in that it would be contrary to reasonable expectations of confidentiality that he had.

At [49] of its decision, the Tribunal recorded that it had “no reason to doubt the acceptance that ministers would or should be aware of Freedom of Information legislation and of course on the way in which a request would be handled including the way in which a complaint would be handled by the Commissioner and his office and the applicable exemptions.” In other words, although ministers, such as the Former Prime Minister, had a reasonable expectation of confidence in relation to the information they would be aware that the contents may be the subject of requests for information and that it would likely be disclosed to the Information Commissioner were a complaint made concerning a refusal to provide information within the declarations of interests.

The final ground of appeal dealt with by the Tribunal (referred to as Ground 2 in its decision), concerned the question of whether the Commissioner should have exercised his discretion to serve an information notice differently. The Tribunal noted that there was an overlap between this and what it refers to as ground 1B. The Tribunal began by finding, at [52], “that it would be an unusual case in which the Commissioner would simply accept a public authority’s assurance that the exemptions sought were made out.”

The Tribunal concluded, at [63], that it would not be possible for the Commissioner to determine any of the exemptions relied upon were made out without an examination of the material. It is a core element of the Commissioner’s duties when dealing with a complaint under section 50 to consider whether any exemption cited by the public authority applies to any or all of the withheld information.

Earlier in its decision the Tribunal had noted the terms of section 132 of the Data Protection Act 2018. That section prohibits, without lawful authority, the disclosure by the Commissioner or any member of his staff of information which (i) has been obtained by, or provided to the Commissioner, in the course of or for the purposes of discharging his functions, (ii) relates to an identified or identifiable individual or business and (iii) is not available to the public from other sources at the time of the disclosure and has not previously been publicly available from other sources. It also makes it an offence to knowingly or recklessly disclose such information (section 132(3)). This section provides a clear safeguard against the onward disclosure of information which has been provided in confidence to the Commissioner as part of his discharge of his functions under the Freedom of Information Act 2000.

It had also been argued that the service of the information notices had been premature. The Tribunal determined, at [57], that it was not satisfied, on the evidence, that the request was premature. The Tribunal stated, at [57], that the information notices were only issued “after a sustained period of negotiation and in any event provided 30 calendar days for compliance.” The Tribunal also noted that the Cabinet Office had also been given time to arrange for inspection of the information, which they had initially indicated was acceptable.

The Tribunal dismissed the appeals against the information notices.

The Tribunal had joined the Good Law Project as a party, but only in relation to what is described as the first appeal. The Tribunal considered that the submissions on behalf of the Good Law Project “added little of substance” to what had been said in the submissions on behalf of the Cabinet Office and the Information Commissioner and that much of the submissions made on behalf of the Good Law Project related to a matter that was “manifestly out with the scope of this appeal” (specifically the extent to which any exemptions might apply). Where an appeal has been brought against the service of an information notice, requesters may wish to consider whether they really need to be involved in such an appeal and what, if anything, they could realistically add to assist the Tribunal. Such an appeal does not really offer an opportunity to argue against the application of any exemptions or where the public interest lies in relation to maintaining any qualified exemptions.

Disclaimer: This article is for information purposes only and nothing in it should be taken as constituting legal advice.
The Data (Use and Access) Bill: Third time’s a charm?

November 12th, 2024
Data Protection reform has been a consistent theme of government policy over the past couple of years. The previous government had two attempts at reforming the law relating to data protection in the form of the Data Protection and Digital Information Bill and then the (cleverly titled) Data Protection and Digital Information (No 2) Bill. The first attempt was abandoned, and the second attempt did not make it through parliament before the general election held earlier this year. The new government is now having its own attempt having introduced into the House of Lords the Data (Use and Access) Bill on 23 October 2024.

For those who were familiar with the proposals in the bills introduced by the previous government, there is a lot in the Data (Use and Access) Bill that is familiar; however, the government is not going ahead with some of the proposals from the previous government and has introduced some of its own proposals for good measure.

Abolition of the Information Commissioner

Potentially the biggest reform within the bill (and one which has carried over from the previous government’s bills) is to replace the Information Commissioner with a body corporate to be known as the Information Commission. Currently, everything in relation to data protection (and everything else that the ICO does) rests in the hands of one person: the Information Commissioner (currently John Edwards).

The model of a single office holder as the regulator has persisted since the introduction of the Data Protection Registrar in the Data Protection Act 1984. Over the years the Data Protection Registrar has evolved into the Information Commissioner as data protection regulation has evolved and the role gained new responsibilities in other areas (such as freedom of information). The previous government considered, and the present government would seem to agree, that the model was no longer appropriate for a regulator of the size of the Information Commissioner’s Office and with the range of functions that the Commissioner has.

Some of the more controversial elements of the previous government’s proposal for the establishment of a new body have not been carried over by the present government. In particular, the proposal to require the regulator to follow a statement of strategic priorities prepared by the Secretary of State has not been carried forward. This was an element of previous proposals that caused concern about the regulator’s independence from the government. However, the Secretary of State will still be responsible for appointing non-executive members of the commission (who, in turn, will be responsible for appointing the executive members of the commission). The Chair of the Commission will be appointed by The King on the recommendation of the Secretary of State. Given the role of the Secretary of State in the appointment of members of the commission, some concerns may remain about the independence of the new commission from the government. The Scottish Information Commissioner, for example, is appointed by The King after nomination by the Scottish Parliament and that method of appointment has been suggested by some in the past as a method of appointment for the UK Information Commissioner (without any success). There may be, as this bill navigates its parliamentary journey, suggestions that that there ought to be more involvement by parliament in the appointment process for members of the new commission.

Legitimate Interests

The proposal to create a list of “recognised legitimate interests” is being carried over into the current government’s bill; however, the list of “recognised legitimate interests’ is not identical to the list in the previous government’s proposals. In particular “democratic engagement” does not feature, as it would have done under the previous government’s proposals. The list of recognised legitimate interests will be subject to amendment by regulations made by the Secretary of State.

Rights of data subjects

The bill contains some minor changes to the rights of data subjects. It will codify the principle that data controllers have an obligation to carry out reasonable and proportionate searches for personal data in response to subject access requests. This implied obligation currently flows from a decision of the Court of Appeal in England and Wales in respect of cases under the (now repealed) Data Protection Act 1998. Decisions of the Court of Appeal are not binding on Scottish courts, even in relation to UK-wide legislation (and there are examples in other fields of the Scottish courts disagreeing with the English and Welsh courts in relation to UK-wide legislation resulting in the Supreme Court having to step in and sort it out), and so placing it on a statutory footing will provide certainty for controllers and data subjects elsewhere in the UK.

Another change of note is a new right of complaint to the controller by the data subject. Currently there is nothing to stop data subjects making a complaint to a controller about a response that they receive to, for example, a subject access request, but there is no legal obligation on the controller to deal with the complaint. Under the proposals in the Data (Use and Access) Bill, controllers would be required to deal with such complaints. This right is in addition to the right to complain to the Information Commissioner and the right to raise court proceedings seeking a compliance order; however, the Bill does not propose making a complaint to the controller a pre-requisite to doing either of those things.

The time for dealing with, for example a subject access request, will explicitly be stopped where further information is required by the controller. Current ICO guidance is that the days between requesting clarification and that clarification being provided do not count towards the time for responding to the request, but it is now proposed to make this the law.

Financial Penalties

The maximum penalty that the Information Commissioner can impose for contraventions of the Privacy and Electronic Communications (EC Directive) Regulations 2003 will be aligned with the maximum financial penalties under the UK GDPR (increasing it from £500,000 to the greater of £17,500,000 or 4% of global turnover). This is not a new proposal, having been carried over from the previous government’s proposals.

International Transfers

The bill will amend chapter 5 of the UK GDPR, which covers transfers of personal data to other countries and to international organisations. The Secretary of State will still be able to make adequacy decisions by way of regulations; however, a new Article 45A will be inserted into the UK GDPR which will provide that the Secretary of State may only make such regulations where they consider that “the data protection test” is met in relation to the transfers covered by the regulations. The test will be met where the protection provided in relation to the processing of personal data “is not materially lower than the standard of protection provided for data subjects” by the UK GDPR and Parts 2, 5, 6 and 7 of the Data Protection Act 2018. This will likely give the government much more flexibility when it comes to making adequacy regulations.

Interview Notices

The proposal to confer a power on the Information Commissioner to compel a person to attend an interview (including where the Commissioner suspects that a criminal offence has been committed) has been carried over into the Data (Use and Access) Bill. It is a power that is unlikely to be used often but adds to the tools available to the Commissioner should his office face any difficulties during investigations.

Significant proposals that are absent from the Data (Use and Access) Bill

The above proposals are just some of those contained within the Data (Use and Access) Bill; however, there are some significant proposals from the previous government that have not been carried over. These include:
- Replacing the Data Protection Impact Assessment with an ‘Assessment of high-risk processing’,
- Limiting the requirement to maintain a Record of Processing Activity to only high-risk processing; and
- The replacement of data protection officers with “senior responsible individuals”.
There is much more to this bill, both in terms of data protection reform and other data use and access matters, and it will now continue its passage through Parliament (its second reading in the House of Lords is on 19 November 2024). It is, of course, probable that there will be amendments to the bill during its passage; however, given that many of the significant proposals have already been the subject of substantial parliamentary consideration, it may well be that there are no significant amendments to it. We are at the early stages of a parliament in which the government has a sizeable majority, so it can be expected that this Bill will complete its parliamentary journey and become law (in whatever final form it takes).

Disclaimer: This article is for information purposes only and nothing in it should be taken as constituting legal advice.
Disadvantages in FOI appeals back in the Upper Tribunal

May 19th, 2024

When requesters seek to challenge the refusal to release information to them under the freedom of information laws in place throughout the United Kingdom, they do so with one hand tied behind their back. They do not know the contents of the withheld information and that is for a very good and obvious reason: it would defeat the purpose of withholding the information if it was simply, as part of the appeal proceedings, going to be disclosed to the person from whom it was being withheld.

This causes significantly greater difficulties under the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 than it does under the Scottish equivalents. This is primarily because of the appeals process that operates in relation to decisions of the UK Information Commissioner in relation to those pieces of legislation, in particular appeals to the First-Tier Tribunal. Those appeals are de novo (in other words, they are a complete rehearing of the case and the Tribunal is empowered to substitute its own decision for that of the Commissioner if it does not agree with the Commissioner’s decision). As a consequence of this, it is usually necessary for the First-Tier Tribunal to have sight of and consider the material that has been withheld from the requester. In Scotland, as the appeal to the Court of Session against a decision of the Scottish Information Commissioner is on a point of law only, it is not necessary for the Court of Session to have sight of the information at the centre of the dispute.

Normally, in proceedings before courts and tribunals, all parties see any document provided to the court or tribunal by every other party to the case. However, as indicated above, in appeals involving FOI requests, it would render the appeal pointless if the person who made the request was, as part of the appeal process, provided with a copy of the information that is in dispute. However, there is an obvious unfairness to the party who is kept in the dark about some of the material which is before the Tribunal. This unfairness and how to minimise it has come before the courts and Tribunals before, in particular in the case of Browning v Information Commissioner [2014] EWCA Civ 1050.

In the First-Tier Tribunal it is common for a “closed session” to take place, where the person who made the request (and their legal representatives, if any) is excluded from the hearing. During such closed sessions, the Tribunal will consider the withheld information. The Tribunal may also hear evidence from witnesses which could not be made in “open” without risking revealing the information in question. Submissions will usually be made on behalf of the Commissioner and the public authority which, again, could not be made without revealing the content of the withheld information. After the closed part of the hearing has concluded and the Tribunal is once again sitting in open session, the party who was excluded from the closed session will be given a “gist” of what happened in the closed session. This will consist of a summary of the closed hearing (including any evidence heard and submissions made), insofar as possible without undermining the purpose of the tribunal proceedings, and anything new which arose during the closed session which it is not necessary to withhold from the excluded party. The gist is necessary to minimise the unfairness faced by the excluded party to the utmost extent.

What is described above is what is happens when the Tribunal holds a hearing, either in person or by remote means. However, the Tribunal does not need to hold a hearing. It can, if the parties’ consent and the Tribunal agrees, consider the case solely on the papers. The issue of what should happen when the Tribunal considers “closed” material in cases where they are determining the appeal on the papers alone arose in the recent decision of the Upper Tribunal in Barrett v Information Commissioner and Financial Ombudsman Service [2014] UKUT 107 (AAC).

The First-Tier Tribunal had indicated in its decision that it was not normal practice to provide a gist of closed material in a case which is decided on the papers. This is not a satisfactory position. As the Upper Tribunal recognises at [103] of its decision, “the requirement to minimise the disadvantages faced by a FOIA appellant is uniform”. In other words, there is no distinction between cases decided after a hearing and cases decided on the papers when it comes to the need to minimise unfairness. A party who does not receive closed material (including closed submissions) in a case decided on the papers should not be in a less advantageous position than someone whose case is being decided at a hearing, simply because their case is being decided on the papers. In the case before it, the First-Tier Tribunal did not provide any gist in relation to the closed material, despite there being three requests for one by the appellant.

In responding to the Upper Tribunal appeal, the Financial Ombudsman Service had sought to rely on the First-Tier Tribunal having provided a further description of the closed material in its reasons. However, the Upper Tribunal held this to be “irrelevant” [101]. By the time the appellant had been given the further description of the closed material, it was too late; the First-Tier Tribunal had already taken its decision to refuse his appeal and therefore the appellant was deprived of an opportunity to make any submissions focussing on anything that arose from that additional information. What the First-Tier Tribunal had said in its reasons was not capable of minimising the disadvantages faced by the appellant in arguing his case.

The Upper Tribunal did not go on to prescribe or give guidance as to how the First-Tier Tribunal should gist closed material in a case being decided on the papers, leaving it to the First-Tier Tribunal to decide this. However, what is clear from the decision of the Upper Tribunal is that the practice of the First-Tier Tribunal of not normally providing a gist of closed material in cases decided on the papers is not proper. The First-Tier Tribunal will now require to alter its procedures for determining cases on the papers to ensure that the panel deciding the case gives adequate consideration to whether a gist should be provided and, if so, what it should contain in those cases.

The other two issues considered by the Upper Tribunal in its decision are also worthy of note. The first relates to whether the First-Tier Tribunal’s Registrar has the power to give a direction under Rule 14(6) of the First-Tier Tribunal’s rules that information must or may be disclosed to the Tribunal on the basis that it will not be disclosed to other persons, or to specified other persons. This is the rule under which the withheld information is kept private from the person who made the FOI request in proceedings before the First-Tier Tribunal. It was not necessary for the Upper Tribunal to decide this point as it had found in favour of the Appellant on the gist issue; however, it is clear that the Upper Tribunal considers that this is not something that the Senior President of Tribunals has delegated to the First-Tier Tribunal’s Registrars.

The other issue was the approach adopted by the Registrar in making the direction under Rule 14(6) (a direction that they probably didn’t have the power to make anyway). The Upper Tribunal considered that the process adopted was flawed. The Registrar refused to allow the Appellant to make submissions on the request for the Rule 14(6) direction because his submissions would cause unnecessary delay because they were pointless. This was, the Upper Tribunal stated at [92] an irrelevant (or a non-existent) consideration. The reasoning adopted by the Registrar for their refusal amounted to a “categorical bar on the appellant making representations” concerning the application made under Rule 14(6). Furthermore, it had the effect of “nullifying” the provisions of Rule 14(8), which requires the Tribunal to notify all other parties if one party applies for a direction under Rule 14(6). The appellant ultimately lost in the Upper Tribunal on this ground of appeal because over the course of the whole proceedings before the First-Tier Tribunal, he did get an opportunity to make submissions on the application of Rule 14(6). However, it is clear, that all parties should be permitted to make submissions in relation to an application for a direction under Rule 14(6) before such a direction is made. Clearly, the party who made the request for information is at a disadvantage in this regard because they do not know what they do not know. Their submissions will likely be less focussed than those of the public authority and the Commissioner, both of whom know the content of the withheld information. However, their submissions are still relevant and can be of value to the Tribunal in considering what direction to make in terms of Rule 14(6). A direction under Rule 14(6) shouldn’t go any further than is necessary to protect the integrity of the proceedings before it.
Scotland’s Hate Crime Act…what is it and what isn’t it?

April 15th, 2024

On 1 April 2024, the Hate Crime and Public Order (Scotland) Act 2021 entered into force. To say that there has been controversy in the two weeks since its coming into force would be an understatement. However, what is clear from the public discourse that’s taken place in the run-up to implementation and in the two weeks since it was implemented is that it is a very misunderstood piece of legislation.

Background to the Act

The concept of hate crime is not new in this country. There has been an offence of stirring up racial hatred in Scotland for more than 35 years. An offence of stirring up racial hatred was inserted into the Public Order Act 1936 by the Race Relations Act 1976. It was then re-enacted in the Public Order Act 1986 and has again, insofar as Scotland is concerned (the 1986 Act offence still applying to England and Wales), in the Hate Crime and Public Order (Scotland) Act 2021.

There have been other “hate crime” provisions within Scots law, such as the offence of racially-aggravated harassment within the Criminal Law (Consolidation) (Scotland) Act 1995.

In addition to those offences there have been statutory aggravations, such as a racial aggravation in the Crime and Disorder Act 1998, religious prejudice under the Criminal Justice (Scotland) Act 2003 and disability, transgender identity and sexual orientation in the Offences (Aggravation by Prejudice) (Scotland) Act 2009.

In 2017 Lord Bracadale (a retired judge of the High Court of Justiciary and the Court of Session and also a prosecutor in his career at the Scottish Bar) was appointed by the then Community Safety Minister to carry out an independent review of hate crime legislation in Scotland. Lord Bracadale published his report in 2018 and the Hate Crime and Public Order (Scotland) Act 2021 largely follows the recommendations made by Lord Bracadale (although, not entirely).

What does the Act do?

The Act does a number of things. Firstly, the Act is consolidating legislation. What this means, essentially, is that it has taken all of the existing provisions in relation to “hate crime” and re-enacted them into one place. It is now no longer necessary to look at lots of different pieces of legislation to locate the legislative provisions on “hate crime” insofar as it relates to Scotland (as can be seen above, the provisions that existed prior to the 2021 Act were scattered across a number of different pieces of legislation).

Section 1 of the Act consolidates the provisions concerning offences aggravated by prejudice. However, it does add in a new characteristic which had not previously been covered by the law: age (this was a recommendation made by Lord Bracadale in his report). With that exception, the law in relation to offences aggravated by prejudice did not change on 1 April 2024.

It is important to note that section 1 is not a “standalone provision”; it relates to the aggravation of an offence. In other words, for it to apply there must first have been an offence committed. So, for example, if someone assaulted another person because of their religious affiliation (or perceived religious affiliation) then that person could be charged with an assault and the summary complaint or indictment could also contain an aggravation of religious prejudice. This means that, in this example, if the finder of fact (a Summary Sheriff or Sheriff in the case of a summary complaint or a jury in the case of an indictment) decides that the accused assaulted the complainer they would then need to consider whether the assault was aggravated by religious prejudice. Unlike the assault, the aggravation does not need to be corroborated (in other words the evidence of one witness would be sufficient to enable them to find the aggravation proved); this is not a change in the law either: an aggravation did not need corroboration before 1 April 2024 either.

If the finder of fact found that the assault was aggravated, section 2 of the Act means that the offence must be treated more seriously by the courts: in other words, the court is required to impose a harsher sentence on the accused than would be justified if the assault had not been aggravated by prejudice. If the finder of fact decided that the assault had not happened, then the aggravation also falls away: the aggravation cannot exist without the offence (but the offence can exist without the aggravation).

The aggravations do not just apply to an assault. In theory any offence could be aggravated by prejudice by reference to one of the characteristics listed in section 1. It could be murder, a breach of the peace or the crime of threatening or abusive behaviour under section 38 of the Criminal Justice and Licensing (Scotland) Act 2010.

Section 3 re-enacts the offence that used to be in section 50A of the Criminal Law (Consolidation) (Scotland) Act 1995 of racially-aggravated harassment.

Section 4 is where there has been the most controversy. Section 4 deals with the “stirring up” offences. Section 4 contains, in effect, two separate offences. The first re-enacts the decades old provisions in relation to stirring up racial hatred. This relates to situations where someone acts in a manner, or communicates material to another person, which a reasonable person would consider to be threatening, abusive or insulting and (i) in doing so the person intends to stir up hatred against a group of persons based on the group being defined by reference to race, colour, nationality (including citizenship), or ethnic or national origins OR (ii) a reasonable person would consider the behaviour or the communication of the material to be likely to result in hatred being stirred up against such a group.

The other offence created is stirring up hatred on the grounds of the characteristics of age, disability, religion (or, in the case of a social or cultural group, perceived religious affiliation), sexual orientation, transgender identity or variations in sex characteristics. This is new in Scotland (England and Wales, they do have a stirring up offence in relation to religion and sexual orientation in the Public Order Act 1986). The offence is essentially the same as the religious hatred one, but in relation to the other characteristics “insulting” does not appear – only “threatening or abusive.” The offences are not about causing offence, or being rude or anything like that. The conduct in question has to be more than that; it has to be likely to cause the reasonable person to suffer fear or alarm. The police and courts in Scotland are very much used to dealing with the concept of “threatening or abusive” behaviour given there is an offence of threatening or abusive behaviour”.

However, for the this offence to be committed, it has to go further than merely being threatening or abusive. The accused has to intend stir up hatred against a group of persons by reference to the characteristic of age, disability, religion, sexual orientation, transgender identity or variations in sex characteristics. That being said, behaviour which as merely threatening or abusive and was motivated by prejudice on the grounds of age, disability, race, religion, sexual orientation, transgender identity or variations in sex characteristics a person could be prosecuted for threatening or abusive behaviour under the Criminal Justice and Licensing (Scotland) Act 2010 with the appropriate aggravation under section 1 of the Hate Crime and Public Order (Scotland) Act 2021.

What about free speech?

Article 10 of the European Convention on Human Rights guarantees freedom of expression, including the right to hold opinions and to impart information and ideas. However, it is not an absolute right. It is recognised in the Convention that there may require to be limits on free speech when balancing against other legitimate interests. For example, defamation laws are a restriction on free speech, but it is right and proper that people are able to seek recourse when they have been defamed. There were also already existed restrictions on free speech in the criminal law prior to 1 April 2024: the offence of stirring up racial hatred is, as pointed out earlier in this post, one that has existed for a long time. The offence of threatening or abusive behaviour in section 38 of the Criminal Justice and Licensing (Scotland) Act 2010 can be a restriction on free speech if it relates to things that are spoken or written. A breach of the peace can be a restriction on free speech if it relates to things that are written or spoken. Those are just a few examples, there are others.

There are specific protections within the Hate Crime and Public Order (Scotland) Act 2021 in relation to free speech. Section 9 of the Act sets out certain protections. Furthermore, the police, the Procurator Fiscal, the Lord Advocate and courts are all public authorities for the purposes of the Human Rights Act 1998 and cannot act incompatibly with people’s “convention rights” (being the rights from the European Convention on Human Rights listed within the Human Rights Act 1998). In exercising their powers and authority, each has to ensure that they are acting compatibly with, amongst other things, a person’s right to freedom of expression (and, indeed, their (qualified) right to respect for their private and family life).

What is missing?

It has been suggested that the non-inclusion of sex as one of the characteristics, particularly in relation to stirring up offence, is an omission on the part of the Scottish Parliament.

Lord Bracadale recommended in his report that sex be included, but the Scottish Government, when framing the Bill that became the Act, decided not to include it. That is a policy decision for which they are accountable and whether they were right to take that decision or not is not something that I am going to comment on in this post – it would be opinion rather than analysis of the statute. However, it is worth noting that the Scottish Government has said it is looking at the issue and that section 12 of the 2021 confers a power on the Scottish Ministers to add sex into the Act by way of regulations (so, if the Scottish Government were to decide to add sex in, it could be done relatively quickly without having to pass a new Act).

Is the Act unclear?

Another criticism that has been made of the Act is that it is unclear or vague in some sense. Those criticisms are, again, in my opinion, unfounded. All of the provisions within the Act either already existed within Scots law and have been applied time and again by police, prosecutors and the courts or build upon those provisions which have existed in the law for a long time.

Conclusion

In short, there has been a lot of controversy surrounding the Act. Much of it has been ill-informed (not helped by pronouncements made by Ministers and the police in the run-up to the Act coming into force which did not reflect the wording of the Statute). Little of the controversy has any sound basis in the text of the Act (the words used in the statute are what matter; those words and their meaning cannot be changed by way of statements made by Ministers or police officers – no matter how senior). Being offensive, even deliberately so, is not likely to result in a charge under the 2021 Act. However, if conduct were to be threatening or abusive then this may amount to an offence under other legislation.

A lot of what is contained within the Hate Crime and Public Order Act 2021 is not new, and the bits that are new are, essentially, extensions of what already existed. Those new bits are also based upon recommendations made following an independent review of the law in this area.

It is highly likely that the effects of the Act have been considerably overstated and that, in fact, the numbers of people caught by the 2021 Act will not be much greater than under the laws that went before it (although, recognition has to be given to the bits that are actually new and the likely effect that might have overall on the number of people caught by the 2021 Act). Holding and expressing, for example, gender critical beliefs would not, on its own, pass the criminal threshold. The conduct would have to go further: it would have to go into the realm of being likely to cause the reasonable person (that is, the ordinary man or woman on the street) fear or alarm. Referring to a trans man as a woman or a trans woman as a man, on its own, would not cross the threshold; again, something more would be required. Whether the behaviour is threatening or abusive is an objective test, not a subjective one. While the feelings of the complainer may be relevant, they are not determinative. What matters is whether the conduct would be likely to cause the reasonable person fear or alarm.

Disclaimer: This post is for information purposes only and nothing in it should be taken as constituting legal advice.
Access to justice and the rule of law: the morality of acting for the good and the bad

March 24th, 2023

It has been reported that some 120 or so Barristers in England and Wales are going to sign a “Declaration of Conscience” stating that they will not prosecute people who are accused of crimes in the course of climate activism nor will they give advice which would further the exploration of oil and gas. I think they are wrong to do so and in this blog post I will explain why I think they are wrong to do so.

There are two fundamental interlinked principles which I think are being undermined here. The first is that equality before the law demands that every person be able to access legal representation and the second is that counsel should not be identified with their client. These two fundamental principles are, in my view, essential to the proper functioning of the administration of justice.

It is common to both the Bars of England and Wales and Scotland that their members are bound by a rule known as the “cab-rank rule”. At a taxi rank the driver at the front of the queue is bound to take the first fare that comes along: no matter who the customer is and no matter the journey. They can’t, for example, decline a fare because it’s too short a journey in the hope that a better fare will come along. At its core, the cab-rank principle, as it applies to the Bar, is that lawyers must accept instructions where they are available, can competently do the work and the client is offering to pay a reasonable fee (and that, certainly so far as Scotland is concerned, includes a client in receipt of legal aid).

The cab-rank rule means that lawyers are unable to decline instructions simply because they don’t like the client or the client’s case is a moral affront to them. Therefore, it becomes wrong to associate the lawyer with their client; they’re not acting because they support the client, they are acting because they have a duty in a society governed by the rule of law to act. It means that lawyers should not be criticised for, for example, acting on behalf of asylum seekers in appeals against decisions of the Secretary of State or acting for the Secretary of State in such appeals; it means that lawyers should not be criticised for defending those who have committed the most depraved crimes and so on. They are, after all, simply doing their job.

It is often said that this approach is, itself, lacking in morality. I disagree, in a democratic society the rule of law is fundamental. The rule of law is what ensures that the state doesn’t become too over-bearing, it is what ensures that consumers are protected in their dealings with companies, it is how employees are protected against bad employers and employers are protected from bad employees, it is how companies are protected in their dealings with one another and so on. The morality rests, in my view, in the need to ensure maintenance of the rule of law.

This feeds into the notion that every person is entitled to representation. The cab-rank rule ensures that this is the case. Representation for lots of people could be declined on the basis of conscious: those accused of abusing children; those accused of acts of terrorism; those accused of murder – especially that of vulnerable groups such as children; those accused of neglecting their children in cases where the State is trying to remove the children and so on. Where would that leave our justice system? Some might say better off, but I disagree. People without representation means that they have to represent themselves. If you consider yourself to be victim-focussed that is a bad thing: it would mean alleged domestic abusers directly cross-examining those they are accused of abusing; it would mean those who have allegedly committed harrowing assaults on children cross-examining those same children where they are old enough to give evidence; it would mean those accused of rape cross-examining those who they are said to have raped.

Furthermore, it risks injustice in the system. Lawyers exist to serve several functions within the justice system. One of those is to ensure that the process is fair and conducted in line with the rules applicable to the case. In the criminal sphere you could have innocence people wrongly convicted because they were at a disadvantage; it also ensures that the public can have confidence that those convicted were done so fairly. Courts make mistakes and that’s why we have appellate courts and ultimately bodies such as the Scottish Criminal Cases Review Commission. Outside of the criminal sphere, again, you could have children wrongly removed from parents because they are at a disadvantage due to a lack of representation. Our society is better off as a result of ensuring that those accused of the most reprehensible things are dealt with fairly.

Now, these lawyers are only talking about refusing prosecution cases in the criminal context, not defence cases. However, as soon as you introduce the concept of lawyers refusing cases on the basis of the lawyer’s own personal principles, you open the gates to other areas of work being refused on the same basis. The system starts to break down and society, as a whole, is poorer for it.

It has also been pointed out that many of those reported to be signing the declaration are unlikely to actually ever receive instructions of that nature, but that is, in my view, an irrelevance. The performative nature of the decision still undermines the fundamental principles I outlined at the start of this post. It opens the door to associating lawyers with their clients, it undermines the principles supported by the cab-rank rule and it opens the door to people actually being refused representation because of the principles of the lawyer.

The legal profession is facing unprecedented and, in my view, unwarranted attacks from government for acting for those deemed unworthy by them, by sections of the media and ultimately sections of the public. Actions like this from members of the profession play right into those narratives, they make it harder for the vast majority of the Bar who stand by the principles at the centre of our profession. They will increase the pressure on counsel to stop acting for other groups deemed unworthy of representation by the government and by parts of society. The decision by these lawyers might have no actual effect on their own practice or on the ability of people to actually obtain representation, but what they are doing is damaging the profession as a whole and risking principles which are fundamental to our democracy.

In short, it is my view that if you feel as though your personal principles mean that you cannot properly do what is expected of you as counsel then, perhaps, the profession is not for you. We don’t expect, for example, doctors not to treat a patient because of who the patient is, what they have done, or the lifestyle choices made by that patient. Sometimes putting our own moral position to one side and serving a higher, more fundamental principle can be the hardest thing to do, but ultimately, we need people to do that to ensure the proper functioning of our democracy. It is not a choice for counsel to do so, it is a fundamental part of the job.

***

This post was updated on 24 March 2023 to add in a missing “not” in the second paragraph.
Appropriate steps and section 166

November 4th, 2022

Last month I highlighted an interesting decision from the First-Tier Tribunal on the much-litigated section 166 of the Data Protection Act 2018 (a section which often results in data subjects being disappointed as to its scope). Yesterday, the Tribunal gave another interesting decision in relation to section 166.

In August 2021, the applicant made a subject access request to a company called Contactout Limited. In November 2021, the applicant complained to the Information Commissioner as the company had not responded to their subject access request. In February 2022, the Commissioner responded to the applicant essentially telling the applicant that there was nothing that the Commissioner could do as the controller was based in the USA. Another fact of key importance is that the applicant was based in the Netherlands and that nothing had been put forward to connect either the applicant or the controller to the UK.

As the Commissioner had provided a response to the applicant, he asked the tribunal to strike out the application as having no reasonable prospect of success. The Tribunal declined to do this (but ultimately dismissed the application). The applicant argued that no adequate explanation had been provided as to why the Commissioner was not the relevant supervisory authority. The Tribunal considered that such an argument had, at least, the potential to fall within the scope of section 166 application [para 14]. The Tribunal was somewhat critical of the Commissioner’s submission which “failed to engage with the applicant’s actual pleaded case.” [para 14] The Tribunal went on to state that it was not going “so far as holding that a sufficiency of reasoning is required in a public law sense, but the applicant must at least know what the outcome is.” [para 14]

The Tribunal found that the wording of the Commissioner’s response letter to the applicant (quoted in its decision), when taken in isolation, risked misleading the reader of the letter that the commissioner was unable to take regulatory action against a controller based in a third country; Article 3 of the UK GDPR and section 207 of the Data Protection Act 2018 create, at least, some scope for such regulatory action. However, the Tribunal decided that the phrase “In relation to your case” within the decision letter from the Commissioner was sufficient to clear-up any misunderstanding. The complaint disclosed that there was nothing linking the applicant, their personal data or the controller to the United Kingdom and it was for that reason that the Commissioner had no jurisdiction. So, with that misunderstanding cleared up there was nothing left that the Commissioner could do that could form the basis for the Tribunal issuing an order under section 166.

The application was dismissed.

Section 166 continues to be a disappointment to data subjects; the limited scope of its terms has been affirmed repeatedly by both the FtT and Upper Tribunal. It does not afford a mechanism for appeal for a data subject who is unhappy with the outcome of their complaint to the Commissioner. It is clear, however, that where there remains scope for the Commissioner to take reasonable steps to address the complaint, then there may be some scope for orders under section 166. There is a fine line between considering whether appropriate steps have been taken to respond and whether the response itself was appropriate. The Tribunal is tasked with casting “a critical eye to assure itself that the complainant is not using the s.166 process to achieve a different complaint outcome.” (Killock and ors v Information Commissioner [2021 UKUT 229 at [87]).