Alistair Sloan, Advocate

The Black Spider Letters – Part I

March 27th, 2015

Yesterday, 26 March 2015, the UK Supreme Court issued its much anticipated decision (well, certainly within Information Law circles) in R (on the application of Evans) and another v HM Attorney General. I had intended to deal write just one blog post on this decision, but as I began to write I felt that it deserved to be split up into more than one post; so, there will be four parts. The first part will deal with the background to the case, including dealing with the relevant statutory provisions. The second part will look at the Supreme Court’s decision in respect of section 53 of the Freedom of Information Act 2000. The third will look at the decision as it relates to Regulation 18(6) of the Environmental Information Regulations 2004 while the final part will be a more general comment.

On 1 January 2005 the Freedom of Information Act 2000 (FOIA) and the Environmental Information Regulations 2004 (EIRs) entered into force. In the case of FOIA it provides individuals with a statutory right to receive information held by public bodies unless the information is specifically exempt under one of the statutory exemptions in Part 2 of the Act. The EIRs provide for a statutory right of access to ‘Environmental Information’ held by public bodies, subject to certain exceptions set out in the EIRs. The EIRs implement into UK law the provisions of Directive 2003/4/EC of the European Parliament and the Council of 28 January 2003 on public access to environmental information (the Directive). These Regulations in turn implement into European Law the provisions of the Aarhus Convention.

In April 2005 Rob Evans, a journalist at the Guardian Newspaper, wrote to a number of Government departments making requests for information. Those requests concerned letters that had passed between the Price of Wales and those departments. In each case the Departments withheld the information. FOIA provides that individuals who are dissatisfied with how their request for information has been handled can complain to the Information Commissioner and this right of complaint is extended to cover requests for information under the EIRs as well. The Information Commissioner issued a series of Decision Notices upholding the decision of each Department to withhold the information.

FOIA provides for a right of appeal, by either party, to the First-Tier Tribunal (Information Rights). Rob Evans appealed to the Tribunal. The appeals were joined together and transferred to the Upper Tribunal for consideration. On the 18 September 2012, almost 7 and a half years after the requests were made, the Upper Tribunal issued a lengthy judgment (which was accompanied by a number of lengthy annexes, some closed and some open) partially allowing Rob Evans’ appeal.

The judgment by the Upper Tribunal is an example of excellent judicial writing. It set out a clear and cogent argument as to why it was allowing Mr Evans’ appeal to the extent that it did. It is clear that the Tribunal took great time and effort in compiling it. At play here are a number of constitutional conventions; one of which is the convention enabling the heir to the throne to be instructed in the business of Government in preparation for becoming the reigning Monarch. Another important convention is that the Monarch should be politically neutral. The Monarch has a constitutional role as an advisor and confident to the Prime Minister of the day and political neutrality is an important aspect of that constitutional role.

It was well known, even before these protracted proceedings, that The Prince of Wales would write many letters to Government giving his opinion and advocating causes that he held dear to him. The Tribunal drew a distinction between this type of correspondence, to which they referred to as ‘advocacy correspondence’ and the correspondence which related to the Prince’s instruction in Government business in preparation for him becoming King.

The Tribunal decided that the advocacy correspondence ought to be disclosed while that which related to his preparation for kingship was correctly withheld and should not be disclosed under FOIA or the EIRs.

It was open to the Government to appeal this decision, but it chose not to. Section 53 of FOIA and Regulation 18(6) of the EIRs gives the power to an accountable person to, within twenty working days of a decision notice being served, to issue a certificate on the basis that he has on reasonable grounds formed the opinion that, in respect of the request or requests concerned, there was no failure to comply with the relevant disclosure provisions under FOIA and the EIRs.

In this case, as the information in question related to a previous Administration, it was the Attorney General who was the ‘accountable person’. This follows from the convention that only the Attorney General is entitled to see the papers of a previous Administration. As a consequence of this, the Upper Tribunal’s decision ceased to have effect; none of the correspondence would be released under FOIA and the EIRs.

Rob Evans lodged proceedings for Judicial Review of the Attorney General’s decision to issue a Certificate pursuant to section 53 and Regulation 18(6). The Administrative Court dismissed his appeal and he appealed again to the Court of Appeal. The Court of Appeal allowed his appeal and quashed the certificates, but gave leave to appeal to the Attorney General. The Attorney General appealed to the Supreme Court.

The Supreme Court, by a majority, dismissed the appeal by the Attorney General. As a consequence, the decision of the Upper Tribunal stands and the advocacy correspondence will now be released. The next two posts will look at the Supreme Court’s decision in respect of Section 53 and Regulation 18(6).
Police Service of Scotland and Information Management

February 18th, 2015

Friday 13th is a much disliked date on the calendar and is often said to be unlucky amongst the superstitious. It would seem that Friday 13th February isn’t turning out to have been a great day for Sir Stephen House, the Chief Constable of Scotland’s national police force. On 13th February the body that is responsible for holding the Chief Constable to account, the Scottish Police Authority, convened a Special Board meeting to discuss the growing disquiet amongst many groups over the use of stop and search tactics by the Police Service of Scotland (PSoS). The SPA questioned the Chief Constable and one of his two deputies, Deputy Chief Constable Rose Fitzpatrick on the issue. Information released by the Scottish Information Commissioner today adds another blow to the Chief Constable in what could be described as a very long round in an extremely long boxing match.

The PSoS has faced a great deal of criticism over its use of stop and search, particularly non-statutory (or “consensual”) searches and especially non-statutory searches on minors under the age of 12. Last year an undertaking was given to the Scottish Parliament’s Justice committee that the PSoS would effectively ban its officers from undertaking non-statutory searches on minors under the age of 12. Earlier this month the BBC published a huge volume of data that suggested that this had been ignored on a large scale.

It has transpired that the information was obtained by the BBC under the Freedom of Information (Scotland) Act 2002 (FOISA). We have learned that this came following an initial refusal by the PSoS to release the data allegedly over concerns as to its accuracy. When the Chief Constable appeared before the Scottish Police Authority he stated that he had been forced by the Scottish Information Commissioner to release the information. That, as it turns out, wasn’t quite the case. The PSoS released the information following external legal advice. From what is available it suggests that the legal advice obtained by the PSoS advised that not releasing the data risked an adverse decision notice and as a consequence of that, the PSoS released the information to the BBC journalist who had requested it.

FOISA gives a right to individuals to access information held by public authorities in a recorded format. There is no right in FOISA to be given accurate information, nor is there an exemption in FOISA to enable public bodies to withhold information that is, or is believed to be, inaccurate. This is not a new thing; it has been the position for some 10 years now. If a public authority holds information in a recordable format and none of the exemptions in FOISA apply, then a person who asks for that information is entitled to be given it.

If the information is inaccurate that is the public authority’s problem, not the requesters. If a public authority cannot have in place measures to ensure that the information it is recording is accurate, then that says a lot about the authority. This whole fiasco has raised some serious questions about information management within the PSoS. It would seem that police officers have been routinely entering incorrect information into the PSoS systems that record stop and searches. That is something that must be rectified, and not just from an FOI perspective. If the information that the PSoS holds is not accurate that will result in a significant knock-on effect across the whole organisation. It means that everyone, from the Chief Constable down, is working from dodgy information. Such a situation means that decision-making across the organisation is weakened.

What is even more astounding was the Chief Constable’s admission to the Police Authority that he could not give a 100% assurance over other data held by the PSoS. That is quite an admission to be made by the Chief Constable to the body that holds him to account. It casts doubt on the accuracy of all data held by the PSoS; including recorded crime.

FOI here has proved itself rather useful. We may not be wiser about the extent to which the PSoS is using stop and search in Scotland, but what it has revealed is failings in the ability of the PSoS to accurately record what it is doing. It has opened up to scrutiny the information management practices of the PSoS and in the furore over stop and search sight should not be lost of what is a significant admission by the Chief Constable of the PSoS. A debate over the use of stop and search in Scotland still has to be had, but sorting out the apparent mess of the systems used by the PSoS to record data has to feature highly on the list of priorities for the Scottish Police Authority and HMICS. We cannot have a situation where there is a lack of confidence in the data held by the PSoS.
The cost and burden of FOI…again

February 8th, 2015

The Chief Constable of Surrey Police has gone on the offensive against Freedom of Information on Twitter this evening (and the Assistant Chief Constable of Greater Manchester Police joined in). It follows a predictable pattern where a public authority (and technically the Chief Constable is the public authority – schedule 1 to the FOIA provides that “A chief officer of police of a police force in England or Wales” is a public authority) complains about the cost of FOI and how it impacts upon the delivery of front line services.

It is a well trodden path which has, over the years, generated lots of discussion in information rights circles. One of the frequent things to be picked up in these discussions is that, while public authorities are complaining about the cost and burden of FOI, they rarely mention any of the benefits. Those benefits are around openness, transparency and accountability.

FOI, I can imagine, is probably a right pain in the backside to public authorities sometimes; however, just because it’s a royal pain in the backside doesn’t mean that it is of no value. FOI is about allowing the citizen to set the agenda on the flow of information. No longer is the flow of information dictated by what public authorities are prepared to release. Now, if a member of the public wants to know something, they have the right to be given it if the public authority holds it and there is no good reason for not releasing it.

In times of shrinking budgets, FOI might be seen as an expensive luxury. However, I would argue that in times of shrinking budgets FOI is all the more important. As budgets shrink, public authorities have to take decisions about how they spend their ever shrinking budget. That will often mean cuts to some services (or perhaps withdrawing services altogether). It allows people who are directly affected by those decisions to go to the public authority and obtain the information that forms the basis of those decisions. It can help them to understand why decisions have been taken and more importantly can better enable them to challenge decisions where they are perceived to be the wrong ones.

When Parliament drafted the FOIA, it didn’t do so without having any consideration as to the burden that this new regime would have on public authorities. There are a number of provisions within the FOIA which help to control the burden of FOI.

First, there is section 12 of the Act which sets an appropriate limit on the costs of FOI requests. A public authority is not obliged to comply with a request where the cost of compliance is estimated to excced the appropriate limit. For a police force in England and Wales, the limit is £450 (indeed, it is £450 for all public authorities except Government departments or Scottish Public Authorities, where it is £600). This does only covers certain activities and it is possible for requests to cost more than the appropriate limit in practice and not be capable of being refused under section 12. This will be because the cost is incurred in an activity which cannot be taken into account in any cost calculations for the purposes of determining whether it exceeds the appropriate limit.

Sometimes, these requests will be the ones where the public interest is finely balanced and the authority is having difficulty establishing just where the public interest lies. Should such requests be refused because of this? I’d forcefully argue that they should not. If it was possible to refuse these requests it would actively work against the public interest: the public might not get information which it would be in the public interest for them to have simply because it is going to take a bit of time for the public authority to work out just where the public interest lies. However, sometimes the additional cost will be because there is a large volume of information to consider. While, a request that throws up a large volume of information will often end up breaching the “appropriate limit”, it is sometimes the case that there is a large volume of information held on a particular subject which is actually relatively quick and easy to locate and extract. What takes the time then is the applying of exemptions and the conduct of the public interest test. Section 12 isn’t an option in these requests, because the law doesn’t allow for it to apply. However, this does bring us on to the next provision of the FOIA which is there to prevent the burden from being too great.

Before I look at that, I thought it would worthwhile pointing out that in terms of section 12 the law has provision within it to ensure that it cannot be avoided. Simply breaking down a large request into a number of different requests will still likely engage the cost limit: public authorities can aggregate requests from the same individual received within a period of 60 consecutive working days which seek similar information. So, asking for information on a particular subject over a 10 year period broken down into 5 requests each covering a 2 year period will be aggregated together. All of the requests will be refused if the cost of complying with all of them is estimated to exceed the appropriate limit. This provision goes further than that though; it’s not possible to get four of your mates to help you make 5 requests for the information over a 2 year period either. The law provides that where “different persons who appear to the public authority to be acting in concert or in pursuance of a campaign” the public authority can again aggregate the cost and refuse all of the requests if they exceed the appropriate limit.

The second provision designed to help public bodies with the burden of FOI requests is section 14, which deals with both repeated and vexatious requests. In terms of repeated requests, if a public authority has complied with a request from someone, they do not have to comply with a request from the same person which is for the same (or substantially similar) information unless a reasonable time has elapsed between the requests.

Vexatious requests are a bit more difficult; however, public authorities have been greatly helped by the decision of the Upper Tribunal in Dransfield (although, Mr Dransfield has appealed this decision to the Court of Appeal). It is important to note that it is the request, not the person making it, which is vexatious. However, previous correspondence between the requester and the public authority can be relevant. This provision largely allows public authorities to ignore people trying to use FOI to keep open grievances that have been rumbling on for a long time, especially where they have been the subject of complaints and independent scrutiny. Section 14 also catches those who are making requests simply to annoy the public authority (quite possibly because of a previous complaint). However, it can also be used to deal with requests where there is an unacceptable burden to the authority; described as “grossly oppressive”.

This is a higher burden than would be applicable in section 12, but it is an option that is open to authorities where requests produce large volumes of information with a lot of potentially exempt information – especially where those exemptions are qualified ones where the PI might be difficult to determine. However, the ICO does consider it good practice to go back to the requester before claiming section 14 in these situations – and doing so would probably fall within a public authority’s duty to provide advice and assistance. So, where a request is overly burdensome and section 14 could be claimed instead of section 12, a public authority should probably go back to the requester and try and work with the requester to refine their request. Although requesters are not required to (and public authorities are generally discouraged from asking), trying to establish the motive and purpose of the request can help. Engaging with the requester might save a public authority a lot of time in the long run as it becomes clear that only a tiny proportion of the information that has been uncovered is what the requester is after – the public authority gets to consider a much more refined request and avoids the possibility of an Internal Review and ICO complaint over its application of section 14 (and possibly an adverse finding against it, either in respect of its use of section 14 or its failure to provide advice and assistance).

I note that Surrey Police operates a disclosure log on its website, but that it states it only publishes responses which might have wider interest. Disclosure logs can be a useful tool for public authorities. There is an exemption for information which is already reasonably accessible to the requester. Publishing all responses in a disclosure log on a website might enable public authorities to refuse requests under section 21 of the Act. This is a quick and simple process that shouldn’t take a huge amount of time. Most of the time will be spent ensuring that the request isn’t seeking additional information which is not already reasonably accessible to the requester.

This is where the WhatDoTheyKnow website comes into its own – all information released to requesters on that website ends up in the public domain automatically. Just because it’s not actually published on the authorities own website, doesn’t mean it’s not reasonably accessible to the requester and so section 21 can still be used. One public authority has even worked with WhatDoTheyKnow to utilise the technology behind WhatDoTheyKnow on their own FOI website, undoubtedly reducing the burden of operating a comprehensive disclosure log.

If public authorities notice trends in their requests, it might be worthwhile proactively releasing the information on a regular basis. Then the exemption at section 22 is available to the public authority because it is information which is intended for future publication. This exemption is subject to the Public Interest Test, but there will normally need to be compelling reasons for departing from a set date for publication. Of course, public authorities would need to consider the cost balance here: is it more costly to routinely publish the information than deal with the FOI requests as they come in? The UK provision on information intended for future publication is much more generous that the Scottish provision, where it only applies in cases where the intended publication is no later than 12 weeks following receipt of the request.

We often see complaints from public authorities about requests which are bizarre in nature, but as Jon Baines has demonstrated, those apparently bizarre requests do sometimes have a justification behind them. For the ones that don’t, Tim Turner explains that they can be quickly disposed of.

There are, of course, steps that requesters can take to relieve the burden to public authorities and to that extent I commend Paul Gibbons’ guide to making FOI requests, which includes 10 very good tips for requesters.

A fairly long blog post, so if you have reached this point: thank you and well done!

——
Useful Links:

ICO guidance on section 12
ICO guidance on section 14
ICO guidance on section 21
ICO guidance on section 22
West Lothian, EVEL and fudge

February 3rd, 2015

The ‘West Lothian Question’ continues to rage on following the Independence Referendum last year, and it has been exacerbated by the Smith Commission. What is the solution? A clear majority of Scots voted to remain part of the United Kingdom, whatever you believe about why people voted in that way is irrelevant; that is the situation we are in.

The Conservative Party has outlined a policy to deal with the West Lothian question which is, quite frankly, entirely unworkable. Trying to police exactly when Scottish MPs can and cannot vote on particular laws will be almost impossible. Even in devolved areas, legislation passing through Westminster can have a direct impact on Scotland (and not just via the Barnet Formula). Often, there will be parts – or even just a few sections – in a Bill passing through Westminster that extend to Scotland. It is entirely ridiculous to suggest that Scottish MPs should not be able to vote on legislation directly affecting their constituents, simply because the bulk of it deals with a devolved area. It would be a nightmare if you started removing those sections from Bills and putting them in separate Bills – you’d effectively be doubling the work of the UK Parliament.

It gets even more complicated when it comes to Cabinet positions. Will a Scottish MP be prevented from being Prime Minister because that would have them setting the agenda in devolved areas for England? What about Home Secretary? Policing is devolved to Scotland, but that is only part of the Home Secretary’s responsibilities: immigration and national security remain two of most significant elements of that role which are not devolved. What about Secretary of State for Health: the NHS is devolved, but the regulation of the health professionals (for example) is not. When it comes to Transport, much of that is devolved; however, there are areas (particularly around regulation) which are not. The list could go on. If it is not to apply to Cabinet positions, then why not? Is there any real difference between setting the policy that the legislation seeks to enact. What does this do for Collective responsibility in the Cabinet?

Then there is the Committees proposal: how will that actually work in practice? Will Scottish MPs be prevented from sitting on certain committees? Simply excluding them for the committee stages for certain Bills would be a nightmare situation. The make-up of committees is determined according to the make-up of the House of Commons. It could mean that Committees no longer represent the make-up of the Commons when you start excluding certain members from the Committees. Committees could become completely farcical; especially when it comes to Bills that include bits applicable to Scotland – would those MPs be allowed to participate in the Committee then? If not, why not? Will it mean that Committee sessions will have to stop and start frequently?

Moreover, this could not possibly apply only to Scottish MPs: what about MPs elected to represent Northern Irish constituencies or Welsh constituencies? The West Lothian question, as it is known, also applies to those situations. It certainly does appear as though the proposal put forward by William Hague would exclude those MPs as well as Scottish ones, but undoubtedly the reporting focusses on Scottish MPs. However, if you do extend this rule to Northern Irish and Welsh MPs as well things would become even more complicated and much more messy – the devolution settlements for Northern Ireland, Scotland and Wales are all very different. There are things which Scotland has (and will soon have responsibility for) which Northern Ireland and Wales do not, equally Northern Ireland has responsibility for matters that Wales and Scotland do not. As for Wales, from memory, it currently has the poorest devolution settlement; but it has responsibility for issues that its MPs vote on in the Commons for England. The same issues then arise with the Cabinet as discussed above. Keeping track it all will become nothing short of a nightmare!

In short, the proposal by the Conservative Party is a fudge (and an utterly terrible one at that!).

So, what is the answer? There is no going back to the pre-1999 situation; that much is certain. The legislative bodies for Northern Ireland, Scotland and Wales are here to stay. The only real answer is to move towards a more federal structure. There needs to be an entirely separate English legislative body and the powers of the national legislative bodies (those being the Welsh Assembly, Northern Irish Assembly, Scottish Parliament and the newly created English one) would have to be aligned so as not to have the ridiculous situation we currently have of different national legislative bodies having different areas of competence.

Whenever the question of an English Parliament is raised there are often cries of “we don’t need more MPs”; that’s probably true. However, if you were creating a separate legislative body for England with its own members, the number of MPs required in the UK Parliament would be significantly less: there would be absolutely no need for there to be 650 people elected to the House of Commons. They could easily represent much larger constituencies because they would be dealing with far fewer matters than is currently the case. Overall, there might be a slight increase in the number of elected representatives to ensure fairness, but that shouldn’t stop us from moving in that direction. It’s certainly not a quick fix, but it is a far fairer and much better solution that the fudge announced by William Hague today. Yes, it will take time and yes there will be a financial cost to it in the short term (a separate English legislative assembly would likely need its own place to meet – unless you abolish the Lords and have it sitting in there), but really this should have happened in 1998!

What exactly this would look like is a conversation that would have to be had. All parts of the UK would have to work together to work out what should be handled by the National legislative bodies and what should remain handled by Westminster. There are obvious things that would need to be handled at a UK level such as Foreign Affairs, Defence, National Security, Immigration and the currency. There may well be other areas where it would be beneficial to be handled at a UK level, but unless we have the conversation we will never know.

It was clear that whatever the result of the independence referendum in Scotland that there would be significant constitutional change in the UK; that remains the case and it is both a conversation and a process that we cannot walk away from; we certainly cannot try and fudge it!
Councillors, Erroneous Benefit Claims, FOI and DPA

January 5th, 2015

The relationship between FOI and Data Protection is one that causes frequent tension. Obtaining personal data on third parties held by public authorities under FOI is, rightly, a difficult task. On Sunday it was reported that Cornwall Council refused to release, in response to a Freedom of Information request, the name of a Councillor who had been advised by the Council that they had “erroneously claimed entitlement to Housing Benefit and Council Tax Benefit / Support” while they were a member of the Council, and that the amount involved was less than £5,000. The Council refused to disclose the name of the Councillor on the basis that it was exempt under section 40(2) of the Freedom of Information Act (which exempts the release of personal data where its release would be in contravention of the Data Protection Act (DPA)). This resulted in an interesting discussion between a few individuals on twitter relative to whether the Council was correct to withhold the Councillor’s name.

Lynn Wyeth concluded that it came down to the standard Data Protection Officer’s answer of “it depends” – and it really does; there is a whole heap of information missing which would be relevant to whether releasing the Councillor’s name would breach the DPA.

The starting point in respect of this one is establishing whether it is personal data, clearly it is; not only is it personal data, but it falls within the definition of sensitive personal data in section 2 of the DPA. The information concerned here is personal data concerning the alleged commission of an offence by an individual (claiming benefits to which you’re not entitled being a criminal act). This is an important point because the restrictions placed upon the processing of sensitive personal data are a lot more stringent than personal data which is not considered sensitive under the DPA.

The first Data Protection Principal is clear, that personal data must be processed fairly and lawfully. It goes on to provide that personal data should not be processed unless at least one of the conditions in Schedule 2 is applicable; in the case of sensitive personal data it is also necessary to ensure that one of the conditions in Schedule 3 applies as well.

When it comes to releasing personal data under FOI, the condition in schedule 2 that is most often (if not always) applicable is Condition 6(1). This condition provides:

The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

In other words, a person seeking the release of personal data about a third party under FOI must be able to show that he has a legitimate interest and that it is necessary for the personal data to be disclosed in pursuance of that legitimate interest. I would say that it would generally be the case that uncovering wrong-doing by an elected official while holding public office is a legitimate interest. Unless the matter was reported in the newspapers or in other media at the time the accusation was being pursued by the body concerned, it would be necessary for the data controller to release the personal data in order to enable the third party to pursue their legitimate aim (uncovering misconduct by a public official and holding them to account).

However, this is personal data that falls within the scope of sensitive personal data and as such the very fact that condition 6(1) of Schedule 2 to the DPA is likely to be satisfied it is not the case that releasing the personal data would be fair and lawful. There needs to be a condition in schedule 3 that is applicable as well.

In the normal course of things there wouldn’t, in my view, be a condition in schedule 3 which would apply – unless the data subject consented to the disclosure. However, in certain circumstances it may be possible to use the paragraph 3(b) of Schedule 3 which applies where the processing is necessary:

in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld.

There are a number of key words here. The first is “necessary”; if there was another way in which the vital interests of another person could be met without the data controller releasing the information then it wouldn’t apply (for example, if there had been a news report revealing the name – but then the FOI request wouldn’t have been necessary in the first place). The next is “vital”; there is not, to my knowledge, any case law on what exactly “vital” means in the DPA – it appears in a number of places within Schedule 3. It could reasonably be argued that uncovering the misappropriation of public funds by an individual elected to public office and holding that individual to account is a “vital” interest of a person other than the data controller (essentially everyone who the data subject is elected to represent). Finally, the data subject’s consent must be unreasonably withheld.

This is where this case becomes particularly complicated. It would seem that no criminal proceedings were ever brought against the councillor in question, and certainly it appears that there has been no conviction. There is a presumption at the very heart of the criminal justice system in each of the legal jurisdictions in the UK: innocent until guilt is established. As there would appear to be no criminal conviction in this case, the Councillor is an innocent member of the public holding elected public office. The fact that there is no conviction, in my view, makes it harder to argue that there are vital interests to be protected.

This isn’t that straightforward though; some weight needs to be given to the fact that this individual was accused of making erroneous claims for benefits while an elected official. Furthermore, it is necessary to give some weight to the fact that some form of procedure was carried out to reclaim overpayments made to the councillor. However, that alone might not be enough to make release of their name under FOI fair and lawful. There are other factors to be considered. For example, if there was a settlement agreement in place which proceeded upon the basis of no admission of liability then that, I suggest, would tend to count against disclosure; especially if this was exactly how an individual who didn’t happen to be an elected member of the council would be dealt with. That leads onto the next issue; was there any preferential treatment given to the Councillor? It would appear not, the Council has said that it was handled in accordance with the normal procedures. Had it not been handled in accordance with normal procedures (e.g. he was given special treatment because he happened to be a councillor) then that might tip the balance in favour of disclosure because it would suggest some level of impropriety over and above the allegation that there was an ‘erroneous claim’.

In essence, these decisions are finely balanced. I’m not going to say whether the Council was right or not to refuse to disclose because I’m not in possession of all of the relevant facts. I don’t know what has gone on behind the scenes here, I don’t know whether the consent of the data subject has been sought let alone withheld unreasonably. The journalist who made the request can make use of their right to request an internal review of the handling of the request and then complain to the Information Commissioner. What I would say though is that simply because an elected official has been accused of something which may or may not amount to a criminal offence is not, in of itself, necessarily a justifiable reason to process personal data by releasing it under the Freedom of Information Act.
FOI at 10

January 1st, 2015

On 1st January 2005 the Freedom of Information Act 2000, the Environmental Information Regulations 2004, the Freedom of Information (Scotland) Act 2002 and the Environmental Information (Scotland) Regulations 2004 all entered into force. For the first time in the UK people had a right, backed by Statute, to ask for information held by public bodies and to be given that information unless it fell within the ambit of one of the exemptions in the Acts or Exceptions in the Regulations. Those rights were backed-up by independent regulators who had the power to order public bodies to release information where it had been incorrectly withheld by public bodies.

Today, is of course, the 10th anniversary of the coming into force of those rights and it has become so ingrained into our lives that we probably don’t notice it. Every year thousands of stories that we see on TV or in the newspapers or hear about on radio have been the result of information obtained under Freedom of Information; much of that information may well have remained hidden had it not been for the rights enshrined in law to obtain that information.

Freedom of Information has been used to uncover scandals around Parliamentary expenses, both in Westminster and in Holyrood. The late David McLetchie resigned as leader of the Scottish Conservative party following revelations that he had used taxpayers money to pay for taxis used in connection with party, rather than constituency, business. That information was obtained under Freedom of Information. At Westminster some politicians have served prison sentences as details of their expenses claims were revealed with help from FOI (and a leak to the Telegraph).

Over the last 10 years, Freedom of Information has become a powerful tool for local and national campaign groups to obtain information from the State as to how and why decisions have been taken. It has enabled public bodies to be held accountable much more easily and for the public to better understand decisions that have been taken by public bodies.

Of course, FOI has not come without its problems and difficulties. It does add an additional burden to public bodies – but the legislation does have limits to ensure that the burden doesn’t become too big or disproportionate. There are individuals who abuse their rights under FOI. There are a group of individuals who make use of FOI to try and keep open grievances that they have had with the public authority – some of which have been running for many years and been subjected to every form of scrutiny possible. There are also those who make requests about plans for dealing with a Zombie Apocalypse or how many red pens had been bought.

There have also been regular attempts to undermine Freedom of Information by representative bodies. These attempts have often cited ‘bizarre’ FOI requests. Many of these so called ‘bizarre’ requests have a perfectly legitimate basis as explored here by Jon Baines. The Prime Minister, David Cameron, also has some pretty strange ideas as to what Freedom of Information is.

FOI was a hard won right, with organisations such as the Campaign for Freedom of Information spending decades campaigning for access to information rights. As a consequence we have some of the best access to information rights in the world. Our rights are wide-ranging and simple to use whereas in other countries they are restrictive and contain a multitude of technical requirements making them difficult to use while others put the rights out of the reach of ordinary people by requiring fees to be paid in order to exercise those rights. However, while it is probably true to say that our FOI laws are some of the best in the world it is also true to say that they are in need of serious protection. As the way in which public services are delivered has changed, a lot of information has fallen out of the scope of FOI. The regular attacks from bodies representing public authorities also threaten FOI. These are important rights and it is right that on the 10th anniversary of FOI we remember their importance and how easy it would be for a Government to reduce, restrict or remove those rights. As a rule, politicians don’t like FOI – it can be embarrassing for them and leads to a much more informed electorate. A better informed electorate is a good thing, as is removing the Government’s total control over the flow of information.

The House of Commons Select Committee concluded that FOI ‘has been a significant enhancement to our democracy’ in a report following its post-legislative scrutiny of the Freedom of Information Act 2000. FOI has changed our democracy for the better, the 10th anniversary is a good opportunity to remind ourselves of how significantly things have changed in the last 10 years as a result of FOI and how valuable it has become.

The Campaign for Freedom of Information fought hard to get FOI onto the statute books and continues to work hard to promote it, campaign for its strengthening and protection; perhaps you would consider donating, even a small amount, to help them with this important work.
Beyond Reasonable Doubt: An unfair advantage to the accused?

December 9th, 2014

In the wake of the dismissal of the case against Shrien Dewani in South Africa, Dan Hodges has written a piece on the Telegraph website questioning the criminal standard of proof. I will write this blog post from a Scottish perspective, but the general points will apply equally to most ‘western’ legal systems.

There are two burdens of proof recognised before the courts: the criminal standard, which is “beyond reasonable doubt” and the civil standard, “on the balance of probabilities”. What we are concerned here with is the criminal standard of proof, and particularly whether it weighs the system too heavily in favour of the accused.

Before going further, it might be helpful to set out what beyond reasonable doubt means. In his comment piece, Mr Hodges, asserts that in order for the prosecution to secure a conviction against an accused they “must prove beyond question the guilt of the accused.” This is not the case, and overstates the standard of proof. The criminal standard of proof does not require there to be no doubt at all, only that there is an absence of reasonable doubt. What this means is that the accused is entitled to the benefit of any doubt which is based upon reason and commonsense following a careful and impartial consideration of the evidence (and the lack thereof) presented to the court. The doubt, as Lord Justice-Clerk Cooper put it in Irving v Minister of Pensions, should be something more than “a strained or fanciful acceptance of remote possibilities”; Lord Justice-Clerk Thomson said in McKenzie v HM Advocate that it is something “more than a merely speculative or academic doubt”. The finder of fact (the jury or the sheriff/Justice of the Peace) doesn’t have to be convinced beyond doubt that the accused perpetrated the crime alleged, only to the point where he has no reasonable doubt.

There are a variety of reasons as to why there is such a high standard of proof in criminal cases. One of those reasons is the consequence of a guilty verdict in a criminal trial. As Jones and Christie put it in Criminal Law (4th Edition), “conviction certainly entails more than a mere finding that, e.g. “A killed B”. This in itself is a legally neutral statement…The Prime function of the criminal law is that of articulating the circumstances under which it is justifiable to hold a person punishable for his conduct.” (para 1-13). In other words, with the criminal law we are going beyond a situation where we are simply ascribing liability to concluding that a person’s conduct renders them liable for punishment. That punishment can be severe, it could result in a person being deprived of their liberty for a lengthy period of time. A finding of liability in a civil case does not generally result in the liable party being punished; there may be a requirement to compensate the party that they have wronged to try and place them back into the position they were in before the wrong occurred (or to place them in the position they would have been in had the wrong not occurred), but that is manifestly different from punishment. The stakes are much higher and as such it has been the position that the standard of proof must also be higher as a consequence.

It seems unjust to punish someone, in the severe ways open to the criminal justice system, on the basis that it is merely more likely than not that they committed the crime alleged. A system whereby an accused person could be convicted merely on the balance of probabilities would inevitably result in the entire criminal justice system being brought into serious disrepute as individuals would routinely be convicted where there are sensible and logical alternatives to their guilt based on the evidence which was heard in court.

It has long been the case that the justice system has preferred to see guilty men walk free than an innocent man be unjustly punished. This is not some ‘liberal, leftard, hand-wringly nonsense’; it is a centuries old principle and can be found in times where liberal principles were about as far away from the justice system as was possible. We’re going back to the times of gruesome public executions for the most minor of crimes, to where transportation was still a sanction open to judges and to where prison conditions were probably more horrible than even the most right-wing member of society would care to suggest today. Moreover, is it’s a principal which is a recognised international standard and features in what most people would consider to be “decent” legal systems. This principle is another reason for the high standard of proof in criminal trials and is linked closely to the idea that a finding of guilt in a criminal trial opens up legitimate punishment upon the offender.

We’re probably all familiar with the concept of an accused person being innocent until proved otherwise (even if, as a society, we don’t always hold to that with our quick condemnations upon those suspected or accused of crimes). The burden is placed squarely upon the State for a number of reasons, not least an equality issue. The State is vastly better resourced than an individual and it can call upon those resources when trying to prove that someone “did it”. The State has professional investigators in the form of the police, and teams of specialist lawyers to prosecute the case in court in the form of the public prosecution service. While those services, in the UK at least, are suffering from a considerable cut to their funding, those resources continue to vastly outstrip the resources of the accused who has only his (small) defence team to counter the might of the State. Lowering the Standard of proof would inevitably lead to the accused having to prove things that he does not currently have to prove. Of course, it is presently the case that an innocent accused facing an overwhelming case against them would be sensible to offer evidence as to why the State is wrong; however, in a system where the standard of proof was merely whether it was more likely than not that the accused had committed the crime it would almost always be the case that the accused would have to be disproving the States case (or, to put it another way, prove his own innocence). It would eat away at the presumption of innocence and would result in a great inequality between the State and the accused.

Does the criminal standard of proof weight the system in favour of the accused? I suggest no. What it does, I suggest, is merely rebalance a system that without it would unfairly favour the State with its huge and specialist resources over the extremely limited resources of the accused.
Devolving Data Protection

November 13th, 2014

The Data Protection Act 1998 (DPA) applies across the whole of the United Kingdom and is enforced centrally by the Information Commissioner’s Office in Wilmslow (which also has offices in Belfast, Cardiff and Edinburgh). Anyone who has been following Scottish politics recently will be aware that a Commission has been established to make proposals on further devolution to Scotland following the Scottish Independence Referendum in September. It has been suggested by the Law Society of Scotland in their written evidence [pdf] to the Smith Commission that consideration should be given to devolving data protection to Scotland.

This was a proposal that caught my eye when I read the Law Society of Scotland’s evidence, and it is an interesting one. Is there any real reason as to why Data Protection ought not to be devolved?

The Law Society of Scotland narrate within their evidence the confusion that can arise with the Scottish Information Commissioner being approached in respect of enforcement action relating to Data Protection, a function that she does not presently undertake. The Scottish Information Commissioner enforces the Freedom of Information (Scotland) Act 2002, the Environmental Information (Scotland) Regulations 2004 and the INSPIRE (Scotland) Regulations 2009. In their evidence, the Society makes reference to the way in which Freedom of Information (Scotland) Act 2002 and the DPA interact. They rightly point out that the Scottish Information Commissioner is required to make decisions in respect of whether it would breach the DPA to release personal data in response to a FOI request.

The interaction between DPA and FOI is a well known difficulty and there has been litigation surrounding it, such as in South Lanarkshire Council v the Scottish Information Commissioner (on which I have previously written here and here). Understandably it must be difficult for the Scottish Information Commissioner to take decisions on disclosure in respect of personal data when her office is not also responsible for enforcing the DPA – it risks her taking a decision with which the Information Commissioner in Wilmslow might well disagree with (and consequently result in a Scottish public Authority breaching its obligations under the DPA).

The law relating to Data Protection comes from the EU, but that on its own would not prohibit its devolution. The INSPIRE (Scotland) Regulations 2009 and the Environmental Information (Scotland) Regulations 2004 both give effect to EU Directives in Scotland. Ultimately, it is the UK Government that is accountable to the EU for the implementation of EU law within the United Kingdom. That fact though doesn’t appear to have stopped the UK Government from devolving to Scotland the power to implement EU law into Scots law in some areas already.

There is a difference between the DPA and the legislation that the Scottish Information Commissioner currently enforces. The DPA applies to the private sector to the same extent as the public sector. The legislation currently enforced by the Scottish Information Commissioner applies to public sector and bodies falling within certain definitions that provide functions of a public nature only. There is a degree of difference between them; for example, the bodies caught by the Environmental Information (Scotland) Regulations is wider than the bodies caught by the Freedom of Information (Scotland) Act 2002. What has this got to do with devolving Data Protection? It might not be of an immediately obvious nature; however, the bodies covered by the Freedom of Information (Scotland) Act 2002, the Environmental Information (Scotland) Regulations 2004 and the INSPIRE (Scotland) Regulations 2009 are all largely based entirely within Scotland; there are almost no examples of where the Scottish law here applies to bodies carrying out functions elsewhere in the UK. Is this difference (i.e. the cross jurisdictional aspect of Data Protection) a sufficient reason not to devolve Data Protection to Scotland?

In terms of FOI, public bodies which have functions across the whole of the UK, or are part of the UK Central Government, are covered by the UK equivalent and not the Scottish law. Some examples include: the BBC, the British Transport Police, the Scotland Office, the Office of the Advocate General for Scotland, the Home Office, the Department for Work and Pensions and HMRC. In these cases the Freedom of Information Act 2000, the Environmental Information Regulations 2004 and the INSPIRE Regulations 2009 apply and it is the UK Information Commissioner in Wilmslow who enforces their compliance.

In terms of devolution, it is logical why the Freedom of Information Act 2000, the Environmental Information Regulations 2004 and the INSPIRE Regulations 2009 apply to UK wide bodies. It would undoubtedly present difficulties for those organisations if they had to comply with different requirements in different parts of the UK. However, in terms of FOI, some bodies already have that difficulty.

It does not appear to be widely known, but some of the UKs biggest businesses are covered by FOI law to a very limited extent. The likes of Tesco, Sainsbury’s, Asda and Boots are all subject to FOI law in respect of their NHS Pharmaceutical and Optometry services. These are the bodies that have the difficulty of complying with two separate FOI regimes. In respect of their services contracted by the NHS in Scotland it is the Freedom of Information (Scotland) Act 2002 and the Environmental Information (Scotland) Regulations 2004 that apply (and the Scottish Information Commissioner is responsible for enforcement) while in respect of their services contracted by the NHS in England it is the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 that apply (and the UK Information Commissioner is responsible for enforcement). A request to one of those bodies for information on a UK wide scale would require them to deal with the request under two separate access to information schemes (potentially four if the information was environmental in nature). Outside of the world of access to information legislation there is a great deal of differences between the legal frameworks in which UK wide businesses operate across the UK. A contemporary example might be statutory charges for carrier bags. Wales, Northern Ireland and Scotland all have them while England does not. As a consequence businesses operating across the UK have to adopt difference practices on carrier bags to ensure legal compliance in those parts of the UK that do require charges to be made for carrier bags. This is a fairly minor example, but there are some which are much more substantial in nature.

In terms of devolving data protection to Scotland, if it were to be devolved at all, there are two options. The first would be to devolve it only in respect of data controllers domiciled in Scotland. This would mean Scottish domiciled data controllers would have to comply with a Scottish Data Protection Act while data controllers domiciled elsewhere in the UK would have to comply with a UK Data Protection Act. This is probably not a good option from the point of view of Data Subjects; some UK wide companies would be domiciled in Scotland and some would be domiciled elsewhere in the UK. This could cause confusion as to which Information Commissioner they ought to be dealing with in relation to a data protection concern. For example, in that situation customers of RBS might find themselves dealing with the Scottish Commissioner as RBS is a company registered in Scotland. This is the sort of confusion that the Law Society of Scotland mentioned within their response as to why consideration ought to be given to devolving data protection to Scotland. The other option is to simply devolve Data Protection and that would mean any UK-wide organisation operating in Scotland would have to comply with both the UK and the Scottish Data Protection Acts – it would be no different to multi-nationals who have to comply with the different Data Protection regimes across the world or the multitude of other areas where UK-wide businesses already have to comply with different laws north and south of the border.

Devolving Data Protection to Scotland wouldn’t end the UK Information Commissioner’s responsibilities in Scotland. He would still be responsible for dealing with Freedom of Information in respect of the many bodies covered by the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 which operate in Scotland. His office would also still be responsible for enforcing the Privacy and Electronic Communications (EC Directive) Regulations 2003 (which overlap considerably with data protection) unless responsibility for implementing the E-Privacy Directive upon which they are based was similarly devolved to Scotland.

So, should Data Protection be devolved? Well, there is no good reason against it that I can see. There would be a good opportunity for devolution in the form of the Data Protection Regulation currently working its way through the EU legislative process. At that stage Data Protection law in the UK will have to change and if this were to be an area for devolution to Scotland that would seem like a sensible time to do it. However, given the nature of EU Regulations as opposed to EU Directives, the practical effect of devolving Data Protection to the Scottish Parliament would be limited. The question would become “what is the point?”. The arguments in favour of further devolution to Scotland centre around the Scottish Parliament taking decisions on matters for Scotland which do not need to be reserved; however, the practical effect of the new Data Protection Regulation would be that there would be almost no scope for the Scottish Parliament to take decisions on data protection; there would be an EU Regulation which has direct effect in all EU member states, without the need to pass domestic legislation. Any legislation, UK or Scottish, would simply be regurgitating the Regulation alongside some minor consequential and transitional matters.

The Law Society of Scotland argues that the new regulation means that there is less of a need for data protection to be a reserved matter; that would be true because from an EU compliance point of view there would be no risk to the UK Government. They also seem to place a lot of weight on the issue of confusion between the responsibilities of the two information commissioners; however, I’m not sure that would be resolved by devolving data protection – in fact there is real potential for it to be compounded rather than resolved. The only real argument is the one concerning FOI decisions involving third party personal data, but so far that doesn’t appear to have been an issue. Indeed, in the South Lanarkshire Council case mentioned above, the Supreme Court agreed with the approach of the Scottish Information Commissioner; although there is always scope for the Scottish Information Commissioner to get things wrong. That said, the UK Information Commissioner could equally get things wrong and wrongly order the disclosure of personal data under FOI.

Should data protection be devolved? There doesn’t seem to be strong case one way or the other. In the grand scheme of things there are far more important issues in the devolution debate than whether the Scottish Parliament should get power devolved over an issue that won’t actually amount to much power at all.
Consultation on PECR Monetary Penalty Notice Threshold: Initial Thought

October 26th, 2014
Section 55A of the Data Protection Act 1998 (DPA) confers upon the Information Commissioner the power to issue a Monetary Penalty Notice (MPN) to Data Controllers for serious contraventions of the DPA. This power is extended to cover contraventions of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECRs) by virtue of an amendment made to Regulation 31 of the PECRs.

The test for issuing a MPN for contraventions of either the DPA or the PECRs is as set out in Section 55A of the DPA and it requires a number of boxes to be ticked before the Commissioner can issue one:
- That the commissioner is satisfied that there has been a serious contravention of section 4(4) of the DPA (or a serious contravention of the PECRs)
- The contravention was of a kind likely to cause substantial damage or substantial distress
- and either the contravention was deliberate but failed to take reasonable steps to prevent it; or that the data controller knew (or ought to have known) that there was a risk that the contravention would occur and that such a contravention was of a kind likely to cause substantial damage or substantial distress but failed to take reasonable steps to prevent it
It looks complicated, and to an extent it is. However, what is clear from the way in which the statutory provisions have been drafted and from the binding interpretation given to them by the Upper Tribunal in The Information Commissioner v Niebel [pdf] is that the test is an almost impossibly high one to meet.

The Department of Culture Media and Sport (DCMS) has issued a consultation document seeking the views of those interested as to whether the threshold should be lowered (and to what) for the Commissioner to be able to issue a MPN in respect of breaches of the PECRs (the proposal would see the test remain as is in respect of contraventions of the DPA).

The consultation document makes three proposals:
1. do nothing
2. replace the requirement for the contravention to be of a kind likely to cause substantial damage or substantial distress with a requirement that the contravention is of a kind likely to cause annoyance, inconvenience or anxiety
3. remove the requirement for the contravention to be of a kind likely to cause substantial damage or substantial distress altogether and replace it with nothing
The Commissioner favours the third option and the DCMS state in the consultation document that their provisional view is that the third option is their preference too.

I’ve given the consultation some consideration since its publication on Saturday and begun to formulate my response (it’s nor a particularly lengthy consultation document and does present three clear and simple options). What has struck me though is what is missing from option three. The current test and the second option within the consultation document both include situations where the Data Controller ought to have known that there was a risk that the contravention would occur and that such a contravention was of a kind likely to cause substantial damage or substantial distress but failed to take reasonable steps to prevent it. However, this appears to be missing from the third option as expressed within the consultation document.

This apparent omission concerns me. It creates a defence where someone can demonstrate that they didn’t know that there was a risk the contravention would occur even when it is apparent to all and sundry that they really should have known there was a risk. It basically excuses negligence. It allows a completely unreasonable situation to avoid the regulatory sanction of a MPN.

This seems like a glaring omission to me and it’s something I’ll certainly be thinking about the possible ramifications of in more detail before submitting a response to the DCMS. I thought it was an interesting point that was worth raising in a blog.

The DCMS consultation can be found here [pdf] and the deadline for responses to be received by the DCMS is 7 December 2014.
Direct Marketing by E-mail and Text: the need for consent

October 17th, 2014
The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECRs) are probably not the most widely known piece of legislation, but they are important when it comes to marketing – and everyone who hates spam text messages, telephone calls and E-mails would probably benefit from knowing about them! The Regulations implement a piece of EU law into domestic law (for those that are interested the relevant EU law is Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)) and are concerned with when and how organisations and individuals (which for ease of reference will simply be referred to as ‘organisations’ throughout) can market directly to individuals via electronic means. Direct marketing means any form of advertising or marketing which is targeted at a specific individual.

The rules are really very simple, but are regularly not complied with by companies large and small. The general rule is that unless you have the consent of the individual (and that consent should be freely given and informed) then you cannot market directly to individuals via E-mail, text message, telephone call or any other electronic means. This post will focus on electronic mail only (such as text messages and E-mail).

What does not qualify as consent for the purposes of the PECRs? Consent isn’t specifically defined within the PECRs; however, the Regulations provide that where a term is not defined within either the PECRs or the Data Protection Act 1998 (DPA) the terms should be given the definition ascribed to it in the Directive. The Directive, in turn, directs us to another EU Directive (95/46/EC – the Directive upon which the DPA is based) where the definition is given as:

any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.

It is very clear. Consent must be:
- Freely given
- Specific
- informed
When it comes to gaining consent different companies do it in different ways, most of which do not in any way come close to satisfying those three basic requirements. One way, which I have encountered recently, is to simply build it into their Privacy Policy and/or Terms and Conditions that you consent. That’s probably the most blatant and flagrant way of breaching the PECRs you can get. The consent is neither freely given nor informed. While such organisations might give an option to opt-out at a later date that is insufficient to comply with the Regulations. Consent isn’t consent unless there is an option not to consent. Refusing should also be free (except for the cost of transmitting the refusal). In other words, an individual cannot be charged a fee for refusing (or withdrawing) consent to direct marketing by electronic mail, but if there is a cost to transmitting it (e.g. the cost of a text message or a stamp) then that cost is legitimate.

Another common occurrence is for organisations to have an ‘opt-out’ box requiring the individual to tick in order to say that they don’t consent. This is nothing more than another form of presumed consent, which clearly doesn’t comply with the requirements of the PECRs. So far as electronic mail is concerned, the only option is a clear decision to opt-in.

Some organisations will have the opt-in box and will have helpfully already ticked it, meaning that individuals need to un-tick it to withhold their consent to direct marketing by electronic mail. Again, this is not compliant with the Regulations. Giving consent is a positive action, if the registration, order form, enquiry form, questionnaire etc. goes away with a pre-ticked marketing box still ticked then it is unclear whether the individual has given their consent to the direct marketing or whether they simply haven’t (for whatever reason) un-ticked the box.

All is not lost though if details have been obtained by stealth. There ought to be a way of withdrawing consent contained in every text message or E-mail that is received (a requirement of the PECRs). However, there is another useful right open to individuals. That right is contained in section 11(1) of the DPA which states:

An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing for the purposes of direct marketing personal data in respect of which he is the data subject.

Simply put, individuals can send a letter or an E-mail or some other form of written notice to the organisation in question requiring them to stop sending direct marketing. This covers all forms of direct marketing and would include text messages, E-mails, letters, phone calls and such like. The organisation then has to stop direct marketing within “a reasonable time” – the Information Commissioner gives guidance which states that for direct marketing by electronic means organisations should comply within 28 days, and for postal marketing the guidance is 6 weeks. These notices are legally enforceable and it is possible to go to Court if an organisation doesn’t comply – alternatively the Information Commisisoner can become involved as there will be breaches of the Data Protection Principles if such a notice is not complied with.

This is just a very basic overview of the requirements of the PECRs, the Information Commissioner has produced a more in-depth guide to Direct Marketing [pdf] which covers everything in more detail. I was prompted to write this blog post based on the sheer number of flagrant breaches of the PECRs that there are. These breaches are by big names. Major political parties, FTSE 100 companies and major household brands are failing to act in accordance with a basic requirement: that before they can bombard individuals with direct marketing they have to obtain the freely given and informed consent of the individual.