Alistair Sloan, Advocate

Devolving Data Protection

November 13th, 2014

The Data Protection Act 1998 (DPA) applies across the whole of the United Kingdom and is enforced centrally by the Information Commissioner’s Office in Wilmslow (which also has offices in Belfast, Cardiff and Edinburgh). Anyone who has been following Scottish politics recently will be aware that a Commission has been established to make proposals on further devolution to Scotland following the Scottish Independence Referendum in September. It has been suggested by the Law Society of Scotland in their written evidence [pdf] to the Smith Commission that consideration should be given to devolving data protection to Scotland.

This was a proposal that caught my eye when I read the Law Society of Scotland’s evidence, and it is an interesting one. Is there any real reason as to why Data Protection ought not to be devolved?

The Law Society of Scotland narrate within their evidence the confusion that can arise with the Scottish Information Commissioner being approached in respect of enforcement action relating to Data Protection, a function that she does not presently undertake. The Scottish Information Commissioner enforces the Freedom of Information (Scotland) Act 2002, the Environmental Information (Scotland) Regulations 2004 and the INSPIRE (Scotland) Regulations 2009. In their evidence, the Society makes reference to the way in which Freedom of Information (Scotland) Act 2002 and the DPA interact. They rightly point out that the Scottish Information Commissioner is required to make decisions in respect of whether it would breach the DPA to release personal data in response to a FOI request.

The interaction between DPA and FOI is a well known difficulty and there has been litigation surrounding it, such as in South Lanarkshire Council v the Scottish Information Commissioner (on which I have previously written here and here). Understandably it must be difficult for the Scottish Information Commissioner to take decisions on disclosure in respect of personal data when her office is not also responsible for enforcing the DPA – it risks her taking a decision with which the Information Commissioner in Wilmslow might well disagree with (and consequently result in a Scottish public Authority breaching its obligations under the DPA).

The law relating to Data Protection comes from the EU, but that on its own would not prohibit its devolution. The INSPIRE (Scotland) Regulations 2009 and the Environmental Information (Scotland) Regulations 2004 both give effect to EU Directives in Scotland. Ultimately, it is the UK Government that is accountable to the EU for the implementation of EU law within the United Kingdom. That fact though doesn’t appear to have stopped the UK Government from devolving to Scotland the power to implement EU law into Scots law in some areas already.

There is a difference between the DPA and the legislation that the Scottish Information Commissioner currently enforces. The DPA applies to the private sector to the same extent as the public sector. The legislation currently enforced by the Scottish Information Commissioner applies to public sector and bodies falling within certain definitions that provide functions of a public nature only. There is a degree of difference between them; for example, the bodies caught by the Environmental Information (Scotland) Regulations is wider than the bodies caught by the Freedom of Information (Scotland) Act 2002. What has this got to do with devolving Data Protection? It might not be of an immediately obvious nature; however, the bodies covered by the Freedom of Information (Scotland) Act 2002, the Environmental Information (Scotland) Regulations 2004 and the INSPIRE (Scotland) Regulations 2009 are all largely based entirely within Scotland; there are almost no examples of where the Scottish law here applies to bodies carrying out functions elsewhere in the UK. Is this difference (i.e. the cross jurisdictional aspect of Data Protection) a sufficient reason not to devolve Data Protection to Scotland?

In terms of FOI, public bodies which have functions across the whole of the UK, or are part of the UK Central Government, are covered by the UK equivalent and not the Scottish law. Some examples include: the BBC, the British Transport Police, the Scotland Office, the Office of the Advocate General for Scotland, the Home Office, the Department for Work and Pensions and HMRC. In these cases the Freedom of Information Act 2000, the Environmental Information Regulations 2004 and the INSPIRE Regulations 2009 apply and it is the UK Information Commissioner in Wilmslow who enforces their compliance.

In terms of devolution, it is logical why the Freedom of Information Act 2000, the Environmental Information Regulations 2004 and the INSPIRE Regulations 2009 apply to UK wide bodies. It would undoubtedly present difficulties for those organisations if they had to comply with different requirements in different parts of the UK. However, in terms of FOI, some bodies already have that difficulty.

It does not appear to be widely known, but some of the UKs biggest businesses are covered by FOI law to a very limited extent. The likes of Tesco, Sainsbury’s, Asda and Boots are all subject to FOI law in respect of their NHS Pharmaceutical and Optometry services. These are the bodies that have the difficulty of complying with two separate FOI regimes. In respect of their services contracted by the NHS in Scotland it is the Freedom of Information (Scotland) Act 2002 and the Environmental Information (Scotland) Regulations 2004 that apply (and the Scottish Information Commissioner is responsible for enforcement) while in respect of their services contracted by the NHS in England it is the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 that apply (and the UK Information Commissioner is responsible for enforcement). A request to one of those bodies for information on a UK wide scale would require them to deal with the request under two separate access to information schemes (potentially four if the information was environmental in nature). Outside of the world of access to information legislation there is a great deal of differences between the legal frameworks in which UK wide businesses operate across the UK. A contemporary example might be statutory charges for carrier bags. Wales, Northern Ireland and Scotland all have them while England does not. As a consequence businesses operating across the UK have to adopt difference practices on carrier bags to ensure legal compliance in those parts of the UK that do require charges to be made for carrier bags. This is a fairly minor example, but there are some which are much more substantial in nature.

In terms of devolving data protection to Scotland, if it were to be devolved at all, there are two options. The first would be to devolve it only in respect of data controllers domiciled in Scotland. This would mean Scottish domiciled data controllers would have to comply with a Scottish Data Protection Act while data controllers domiciled elsewhere in the UK would have to comply with a UK Data Protection Act. This is probably not a good option from the point of view of Data Subjects; some UK wide companies would be domiciled in Scotland and some would be domiciled elsewhere in the UK. This could cause confusion as to which Information Commissioner they ought to be dealing with in relation to a data protection concern. For example, in that situation customers of RBS might find themselves dealing with the Scottish Commissioner as RBS is a company registered in Scotland. This is the sort of confusion that the Law Society of Scotland mentioned within their response as to why consideration ought to be given to devolving data protection to Scotland. The other option is to simply devolve Data Protection and that would mean any UK-wide organisation operating in Scotland would have to comply with both the UK and the Scottish Data Protection Acts – it would be no different to multi-nationals who have to comply with the different Data Protection regimes across the world or the multitude of other areas where UK-wide businesses already have to comply with different laws north and south of the border.

Devolving Data Protection to Scotland wouldn’t end the UK Information Commissioner’s responsibilities in Scotland. He would still be responsible for dealing with Freedom of Information in respect of the many bodies covered by the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 which operate in Scotland. His office would also still be responsible for enforcing the Privacy and Electronic Communications (EC Directive) Regulations 2003 (which overlap considerably with data protection) unless responsibility for implementing the E-Privacy Directive upon which they are based was similarly devolved to Scotland.

So, should Data Protection be devolved? Well, there is no good reason against it that I can see. There would be a good opportunity for devolution in the form of the Data Protection Regulation currently working its way through the EU legislative process. At that stage Data Protection law in the UK will have to change and if this were to be an area for devolution to Scotland that would seem like a sensible time to do it. However, given the nature of EU Regulations as opposed to EU Directives, the practical effect of devolving Data Protection to the Scottish Parliament would be limited. The question would become “what is the point?”. The arguments in favour of further devolution to Scotland centre around the Scottish Parliament taking decisions on matters for Scotland which do not need to be reserved; however, the practical effect of the new Data Protection Regulation would be that there would be almost no scope for the Scottish Parliament to take decisions on data protection; there would be an EU Regulation which has direct effect in all EU member states, without the need to pass domestic legislation. Any legislation, UK or Scottish, would simply be regurgitating the Regulation alongside some minor consequential and transitional matters.

The Law Society of Scotland argues that the new regulation means that there is less of a need for data protection to be a reserved matter; that would be true because from an EU compliance point of view there would be no risk to the UK Government. They also seem to place a lot of weight on the issue of confusion between the responsibilities of the two information commissioners; however, I’m not sure that would be resolved by devolving data protection – in fact there is real potential for it to be compounded rather than resolved. The only real argument is the one concerning FOI decisions involving third party personal data, but so far that doesn’t appear to have been an issue. Indeed, in the South Lanarkshire Council case mentioned above, the Supreme Court agreed with the approach of the Scottish Information Commissioner; although there is always scope for the Scottish Information Commissioner to get things wrong. That said, the UK Information Commissioner could equally get things wrong and wrongly order the disclosure of personal data under FOI.

Should data protection be devolved? There doesn’t seem to be strong case one way or the other. In the grand scheme of things there are far more important issues in the devolution debate than whether the Scottish Parliament should get power devolved over an issue that won’t actually amount to much power at all.
Consultation on PECR Monetary Penalty Notice Threshold: Initial Thought

October 26th, 2014
Section 55A of the Data Protection Act 1998 (DPA) confers upon the Information Commissioner the power to issue a Monetary Penalty Notice (MPN) to Data Controllers for serious contraventions of the DPA. This power is extended to cover contraventions of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECRs) by virtue of an amendment made to Regulation 31 of the PECRs.

The test for issuing a MPN for contraventions of either the DPA or the PECRs is as set out in Section 55A of the DPA and it requires a number of boxes to be ticked before the Commissioner can issue one:
- That the commissioner is satisfied that there has been a serious contravention of section 4(4) of the DPA (or a serious contravention of the PECRs)
- The contravention was of a kind likely to cause substantial damage or substantial distress
- and either the contravention was deliberate but failed to take reasonable steps to prevent it; or that the data controller knew (or ought to have known) that there was a risk that the contravention would occur and that such a contravention was of a kind likely to cause substantial damage or substantial distress but failed to take reasonable steps to prevent it
It looks complicated, and to an extent it is. However, what is clear from the way in which the statutory provisions have been drafted and from the binding interpretation given to them by the Upper Tribunal in The Information Commissioner v Niebel [pdf] is that the test is an almost impossibly high one to meet.

The Department of Culture Media and Sport (DCMS) has issued a consultation document seeking the views of those interested as to whether the threshold should be lowered (and to what) for the Commissioner to be able to issue a MPN in respect of breaches of the PECRs (the proposal would see the test remain as is in respect of contraventions of the DPA).

The consultation document makes three proposals:
1. do nothing
2. replace the requirement for the contravention to be of a kind likely to cause substantial damage or substantial distress with a requirement that the contravention is of a kind likely to cause annoyance, inconvenience or anxiety
3. remove the requirement for the contravention to be of a kind likely to cause substantial damage or substantial distress altogether and replace it with nothing
The Commissioner favours the third option and the DCMS state in the consultation document that their provisional view is that the third option is their preference too.

I’ve given the consultation some consideration since its publication on Saturday and begun to formulate my response (it’s nor a particularly lengthy consultation document and does present three clear and simple options). What has struck me though is what is missing from option three. The current test and the second option within the consultation document both include situations where the Data Controller ought to have known that there was a risk that the contravention would occur and that such a contravention was of a kind likely to cause substantial damage or substantial distress but failed to take reasonable steps to prevent it. However, this appears to be missing from the third option as expressed within the consultation document.

This apparent omission concerns me. It creates a defence where someone can demonstrate that they didn’t know that there was a risk the contravention would occur even when it is apparent to all and sundry that they really should have known there was a risk. It basically excuses negligence. It allows a completely unreasonable situation to avoid the regulatory sanction of a MPN.

This seems like a glaring omission to me and it’s something I’ll certainly be thinking about the possible ramifications of in more detail before submitting a response to the DCMS. I thought it was an interesting point that was worth raising in a blog.

The DCMS consultation can be found here [pdf] and the deadline for responses to be received by the DCMS is 7 December 2014.
Direct Marketing by E-mail and Text: the need for consent

October 17th, 2014
The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECRs) are probably not the most widely known piece of legislation, but they are important when it comes to marketing – and everyone who hates spam text messages, telephone calls and E-mails would probably benefit from knowing about them! The Regulations implement a piece of EU law into domestic law (for those that are interested the relevant EU law is Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)) and are concerned with when and how organisations and individuals (which for ease of reference will simply be referred to as ‘organisations’ throughout) can market directly to individuals via electronic means. Direct marketing means any form of advertising or marketing which is targeted at a specific individual.

The rules are really very simple, but are regularly not complied with by companies large and small. The general rule is that unless you have the consent of the individual (and that consent should be freely given and informed) then you cannot market directly to individuals via E-mail, text message, telephone call or any other electronic means. This post will focus on electronic mail only (such as text messages and E-mail).

What does not qualify as consent for the purposes of the PECRs? Consent isn’t specifically defined within the PECRs; however, the Regulations provide that where a term is not defined within either the PECRs or the Data Protection Act 1998 (DPA) the terms should be given the definition ascribed to it in the Directive. The Directive, in turn, directs us to another EU Directive (95/46/EC – the Directive upon which the DPA is based) where the definition is given as:

any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.

It is very clear. Consent must be:
- Freely given
- Specific
- informed
When it comes to gaining consent different companies do it in different ways, most of which do not in any way come close to satisfying those three basic requirements. One way, which I have encountered recently, is to simply build it into their Privacy Policy and/or Terms and Conditions that you consent. That’s probably the most blatant and flagrant way of breaching the PECRs you can get. The consent is neither freely given nor informed. While such organisations might give an option to opt-out at a later date that is insufficient to comply with the Regulations. Consent isn’t consent unless there is an option not to consent. Refusing should also be free (except for the cost of transmitting the refusal). In other words, an individual cannot be charged a fee for refusing (or withdrawing) consent to direct marketing by electronic mail, but if there is a cost to transmitting it (e.g. the cost of a text message or a stamp) then that cost is legitimate.

Another common occurrence is for organisations to have an ‘opt-out’ box requiring the individual to tick in order to say that they don’t consent. This is nothing more than another form of presumed consent, which clearly doesn’t comply with the requirements of the PECRs. So far as electronic mail is concerned, the only option is a clear decision to opt-in.

Some organisations will have the opt-in box and will have helpfully already ticked it, meaning that individuals need to un-tick it to withhold their consent to direct marketing by electronic mail. Again, this is not compliant with the Regulations. Giving consent is a positive action, if the registration, order form, enquiry form, questionnaire etc. goes away with a pre-ticked marketing box still ticked then it is unclear whether the individual has given their consent to the direct marketing or whether they simply haven’t (for whatever reason) un-ticked the box.

All is not lost though if details have been obtained by stealth. There ought to be a way of withdrawing consent contained in every text message or E-mail that is received (a requirement of the PECRs). However, there is another useful right open to individuals. That right is contained in section 11(1) of the DPA which states:

An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing for the purposes of direct marketing personal data in respect of which he is the data subject.

Simply put, individuals can send a letter or an E-mail or some other form of written notice to the organisation in question requiring them to stop sending direct marketing. This covers all forms of direct marketing and would include text messages, E-mails, letters, phone calls and such like. The organisation then has to stop direct marketing within “a reasonable time” – the Information Commissioner gives guidance which states that for direct marketing by electronic means organisations should comply within 28 days, and for postal marketing the guidance is 6 weeks. These notices are legally enforceable and it is possible to go to Court if an organisation doesn’t comply – alternatively the Information Commisisoner can become involved as there will be breaches of the Data Protection Principles if such a notice is not complied with.

This is just a very basic overview of the requirements of the PECRs, the Information Commissioner has produced a more in-depth guide to Direct Marketing [pdf] which covers everything in more detail. I was prompted to write this blog post based on the sheer number of flagrant breaches of the PECRs that there are. These breaches are by big names. Major political parties, FTSE 100 companies and major household brands are failing to act in accordance with a basic requirement: that before they can bombard individuals with direct marketing they have to obtain the freely given and informed consent of the individual.
The death of the death penalty in the UK: 50 years on

August 13th, 2014

At 8am on 13 August 1964 at Strangeways Prison in Manchester Gwynne Owen Evans was hanged by executioner Harry Allen for the murder of John Allan West. At the same time 30 miles away in Walton Prison, Liverpool Peter Anthony Allen was hanged by Robert Leslie Stewart, also for the murder of John Allan West. Evans and Allen were to be the last two men executed by the State in the United Kingdom. The Death Penalty was effectively abolished in 1965; however, remained an option until 1998 in cases of Treason and Piracy with violence.

Fifty years on there comes with each high profile murder, and indeed other cases which prove the public’s revulsion, calls to re-instate the death penalty in the UK. Only 50 years ago crowds were taking to the streets in protest at the death penalty. The death of the death penalty in the UK came about from a number of shocking miscarriages of justice in which innocent people were wrongly convicted and executed by the State.

One of those cases was that of Timothy Evans who was executed on 9 March 1950 for the murder of his wife and daughter. His neighbour, John Christie, was later executed for the murder of Evans’ daughter as well as the murder of a number of others, including Christie’s own wife. John Christie had been a witness at Evans trial for the prosecution, and almost certainly saw Evans be sent to the Gallows. On 19 November 2004 the Court of Appeal accepted the Evans did not murder either his wife or his child, but refused to quash his conviction on the basis that the cost and resources of quashing them could not be justified. The case caused public outrage and was one of a number of cases which saw Capital Punishment being confined to history in the UK.
There were other cases that saw the end of the death penalty in the UK, but the Evans case highlights perfectly the very real dangers of Capital Punishment. It is a non-reversible form of punishment; no quashing of the conviction and no financial compensation from the Government can ever rectify an execution. If an innocent man is executed; he is dead and remains dead even after the mistake is discovered. While imprisoning an innocent person can have some devastating effects on that individual, th every fact that they continue to breathe means that they can, when mistakes are uncovered, be released.

There have, of course, been some exceptionally high profile miscarriages of justice over the years. Hugh Callaghan, Patrick Joseph Hill, Gerard Hunter, Richard McIlkenny, William Power, John Walker, Paul Michael Hill, Gerard Conlan, Patrick Armstrong, Carole Richardson and Sam Hallam are all individuals who have been convicted of Murder, and whose convictions were overturned long after they would have been executed had Capital Punishment remained in the UK.

Of course, investigative techniques have moved along and advances in science have drastically changed the way in which the police investigate crimes. We have also moved on from the days where murder trials are over in a matter of a few short days, with these trials often lasting considerably longer than a week – sometimes even running into months. However, to argue that forensic science, such as DNA, helps prove who is guilty and who is not of murder in a lot of cases is to overstate the value of DNA evidence. DNA evidence is not, as some may thing, the golden bullet in a criminal trial. It cannot, and is unlikely to ever, prove conclusively that the accused is guilty of the crime libled. It helps to build the picture and along with other circumstantial evidence might be able to convince a jury to beyond reasonable doubt; however, as with all systems that involve humans there is room for error. When the end result is going to be the State depriving an individual of their life, there can be no room for error.

The case of Shirley McKie highlights the errors that can be made in examining forensic evidence. Shirley McKie, a form er Detective Constable, was accused of perjury after testifying at the Murder Trial of David Asbury for the murder of Marion Ross that she had not been in the house of Marion Ross, where she had been killed. A scandal erupted following the case and it resulted in changes being made to the comparison and verification of fingerprints in Scotland.

Regardless of whether you take the view that morally someone who takes the life of another should lose their own life or not, or whether you believe executing people is a deterrent to others; the very fact that there is a risk of the State executing an innocent person should be reason enough not to return to the days of capital punishment. Executing an innocent person deters no-body, it’s not justice and should never be considered an acceptable price to pay for executing people who really are guilty.
Valid FOI requests via Twitter?

July 7th, 2014

The Information Commissioner’s Office (ICO) has issued a Decision Notice that the Metropolitan Police failed to comply with section 10 of the Freedom of Information Act 2000 (FOIA) which was made to it through Twitter. In November 2012 the ICO issued a one page document setting out its view on whether a valid request can be made via Twitter. In that document the ICO acknowledged that Twitter was not the most effective way to submit a FOI request; however, it went on to say that requests made via Twitter are not necessarily invalid.

The test for whether a request is a valid one or not is to be found in section 8 of the FOIA; it sets out the requirements as to what constitutes a valid request. The Act provides:

(1) In this Act any reference to a “request for information” is a reference to such a request which—

(a) is in writing,

(b) states the name of the applicant and an address for correspondence, and

(c) describes the information requested.

(2) For the purposes of subsection (1)(a), a request is to be treated as made in writing where the text of the request—

(a) is transmitted by electronic means,

(b) is received in legible form, and

(c) is capable of being used for subsequent reference.

Let us look at each requirement in turn:

The request is in writing

The starting point with statutory interpretation would normally be what is the literal meaning of the word? Here Parliament has given us some assistance in interpreting what is considered to be in writing. This does appear to be one of those ‘for the avoidance of doubt’ provisions and was most probably inserted to take account of E-mail. There is little doubt that when passing the Act Parliament did not think about Facebook or Twitter, indeed when the Act was passed Facebook was barely a thing and Twitter hadn’t been invented. However, as technology changes it is necessary for the law to move with it – whether it is capable of doing so without amendment by Parliament is a different matter!

Is a tweet transmitted by electronic means?

It is certainly sent and received by electronic means, but what does ‘transmitted’ mean? According to the literal rule of statutory interpretation we must look at the ordinary meaning of the word transmitted. Let’s turn to the online Oxford English dictionary and its entry for transmit. Only the first two definitions are relevant here. To transmit something is to “cause (something) to pass on from one person or place to another” or “broadcast or send out (an electrical signal or a radio or television programme).” So, is a tweet transmitted by electronic means? Sending a tweet is certainly causing something (the content of the tweet) to pass from one person (the sender) to the other (the recipient). It might also be said that it is being sent from one place (the sender’s computer) to another (the recipient’s computer). It could be said that sending a tweet is not too dissimilar to sending an E-mail. Is it by electronic means? I think that it is clear that it is, for obvious reasons such as without electronics there wouldn’t be the hardware to enable a tweet to be sent. Is a tweet being broadcast or sent out? The dictionary gives an example of an electronic signal or a radio/television programme. What is a tweet? It is essentially a series of digits which put together displays on the screen as an image – it might be said to be similar to a TV programme. Whether it meets the second definition or not, I do think that it is safe to say it meets the first.

Is it received in a legible form?

Well it’s certainly not going to be illegible because it is typeface rather than handwritten. One might be of the view that this was perhaps to cover a handwritten note sent by fax and so probably isn’t relevant here – I think we can tick this box as well.

Is it capable of being used for subsequent reference?

This is where things get slightly more difficult! The Act doesn’t say who has to be capable of referencing it subsequently. Obviously, the Public Authority will have to be able to reference it subsequently in order to check that it is complying with the request made. Furthermore, the requester has to be able to subsequently reference it should they need to make a complaint to the ICO – the ICO will usually want to see the request and where possible evidence of the request having been sent. However it does not seem to be as straight forward as that.

If I tweet a public authority’s official account, my tweets are not protected and I don’t do anything else then it is possible for both the public authority and I to subsequently reference the tweet. On the face of it, this would clearly meet the requirement. Whether or not they know it is there is probably an irrelevant question in the same way someone missing a request in their E-mail inbox doesn’t matter.

The issue becomes slightly more complicated if I protect my tweets later and the public authority is not following me – then only I can subsequently reference the tweet – or if I delete my tweet altogether. In the first of these two situations (protecting my tweets where the authority is not following me) the tweet is clearly capable of being referenced subsequently, but only by me. Does this meet the requirements of the Act? Well I would suggest that in order to establish that we need to understand why Parliament included it. What situations were Parliament envisaging when they enacted this part of the Act? The explanatory notes do not provide any illumination on that question. I don’t have time to, at this stage, wade through the many lines of debate in Handsard on the Bill in the hope that there is an explanation here. I can’t immediately think of a situation which Parliament would have had in its mind when enacting this section. On that basis I don’t think that really takes us any further forward.

The question that immediately springs to mind is for how long does the request have to be capable of being subsequently referenced by the authority? If I protect my tweets on the 20th working day following sending the request is that different to if I protect them immediately following the sending of the request? After all, by the 20th working day the authority should be in a position to respond, or at least have gathered all of the information in scope and simply be conducting the public interest balancing exercise. I’d suggest there is a difference. Quite where the ‘cut off is’ would most probably be a question of looking at the circumstances in each individual case – not an ideal situation though.

What about if I delete the tweet? That might cause problems when making an application to the Commissioner – although taking a screenshot of the tweet prior to deleting it might cure that. Again is it dependent upon when I delete the tweet – e.g. on the 20th working day or immediately after it was sent?

These are difficult questions and ones that don’t have clear answers. However, in at least one case (the first – where the tweet was and remains public after it is sent and is not at any stage deleted or becomes inaccessible to the public authority by way of an individual’s tweets become protected) a tweet appears to meet all of the requirements set out in section 8(2) of the Act.

However, as mentioned earlier section 8(2) does seem to be more of a ‘for the avoidance of doubt’ subsection – a request can be in writing in other ways and it would appear that this has most probably been included so as to ensure that public authority’s treat requests received by E-mail as being valid requests – it would not appear to be the ‘be all and end all’ of the matter.

At the end of the day, what does ‘in writing’ mean? I don’t think we could realistically argue that a tweet is not ‘in writing’ even if it does not meet all of those tests – after all, a letter sent by mail doesn’t meet the requirements of section 8(2) and nobody would sensibly argue or find that such a request is not ‘in writing’ and so section 8(2) is clearly not the complete definition of what is meant by ‘in writing’ within section 8(1).

The request states the name of the applicant and an address for correspondence

Assuming that we have a request made via twitter that meets the definition of being ‘in writing’ the next requirement is that the request must state the name of the applicant and an address for correspondence. If we accept that a public authority’s twitter accounts is an address capable of having correspondence (not necessarily just a FOI request, but any type of correspondence) sent to it, then equally an individual’s twitter account must also be an address for correspondence. If an individual does not need to, for example, include within the body of their E-mail their E-mail address (i.e. it appearing in the ‘From’ field is sufficient) then I don’t see why someone would have to include their own twitter handle in their request – it is there for the authority to see in its mentions.

However, the name issue is more problematic. It is the view of the Commissioner (and I believe that it is the correct one) that the name of the applicant must be their real name – lots of people don’t use their real name (or indeed any of the acceptable forms thereof for the purposes of FOI) in their twitter profile; so there we could have a problem. If it’s not on their profile, then it’s not a valid request – even if we’ve managed to overcome the ‘in writing’ issue.

Describes the information requested

The final requirement is that the request describes the information requested. That has to be in enough detail to enable the authority to identify what is sought. That could be difficult in 140 characters. However with services such as twitlonger it can be done. It could also be possible to send the request over a number of tweets (as was done in the Metropolitan Police case linked to at the outset of this blog post). I don’t see that as being any different to sending it in a number of letters or in a number of separate E-mails. Indeed, when an authority seeks clarification because it is unable to identify what information is being requested it is looking at a request over at least two pieces of separate correspondence, if not more, to create a valid request.

Conclusion

The ICO does not say in its guidance that all requests made via twitter will be valid, only that a request made via Twitter may not necessarily be invalid. I would certainly have to agree: it is possible to make a valid request by twitter. Is it a good idea? I would say that it’s not, and that it is probably best to stick to more conventional methods such as letter or E-mail.
The law and historic cases: sensible or bizarre?

July 5th, 2014

It has been reported by the BBC today that president of the ‘Association of Child Abuse Lawyers’ has said the way in which Rolf Harris was sentenced was ‘bizarre’. He is referring to the fact that in historic cases the judge passing sentence is limited to the maximum sentence that was available at the time of the offence. In the Harris case this was 2 years (or 5 years in the cases where the victim was under the age of 13).

There are a lot of historic sexual assault and abuse cases trundling their way through the justice system. It is right that, no matter how many years later, the perpetrators of these crimes face justice. However, there is a significant issue in such cases; whether it is a sexual offence or not. As time progresses and as Government’s change, the law too goes through change. If you’re prosecuting an individual 20 or 30 years after the offence was committed it is highly likely that the law has undergone several significant changes: that is true with the law surrounding sexual offences. In all cases historic offences will be prosecuted according to the law at the time the offence was committed. The other alternative is to prosecute them under the law at the time they are prosecuted.

Why do we prosecute historic cases at the time they were committed? Well, it’s about what is fair and just. Justice is not just about the victim, but it must equally be about the offender. It would be oppressive if the law were to treat offences committed decades ago as if they were committed today. It is a general principle of law in democratic countries around the world, especially in the realm of criminal law, that the law is not retrospective. That means that current changes in the law should not affect future consequences of past conduct. In other words, if you did something that was a particular criminal offence which attracted a particular maximum penalty, but by the time you are prosecuted the law has changed, you should be treated (as far as is reasonably practicable) as you would have been when you committed the crime. The same would be true if you committed a crime today, but the law changed substantially tomorrow: you would be dealt with as the law was today and not as the law changed tomorrow – even if there was no substantial delay in arresting, charging and prosecuting you.

In the Rolf Harris case he was prosecuted for the offences that he committed at the time. As such, the maximum penalty that was available to the court was that which would have been available at the time the offence was committed (2 years, or 5 in the case of offences relating to children under the age of 13). Specifically, in the case of Rolf Harris his sentence of 5 years and 9 months was made up of a mixture of concurrent and consecutive sentences for the various charges that he was convicted of. The sentencing remarks of Mr Justice Sweeny are available online and detail what the charges were and what the sentence was for each charge (and whether it was to be served concurrently or consecutively). You can read the sentencing remarks here.

When it comes to sentencing cases like this one where there has been such a delay in bringing the offender to justice, it is not the job of the court to try and fix the sentence that would have been given at the time. The judge must have regard to the sentencing guidelines that are currently in place; however, they cannot pass a sentence which would exceed the maximum available at the time the offence was committed. I blogged in this issue last year looking specifically at the law of England and Wales, you can read that blog here.

Sentencing is always a complex matter, but it is even more complex in these cases. While there will, quite understandably, be no sympathy for people like Rolf Harris; the law must be fair and it must be just. That applies to victim and offender and so the law must not be oppressive by prosecuting people for more serious offences than what they committed (while under the current law they may well have committed the more serious offence, they did not actually commit that offence because they offended at a time when the law was quite different) or by giving them a sentence that is in excess of the maximum that was available at the time they committed the offence.

I won’t make any comment on whether I think the sentence Rolf Harris received was too harsh, too lenient or about right. I understand that the sentence has been referred by someone to the Attorney General and it is now for him to decide whether he thinks that it is unduly lenient and whether it ought to be referred to the Court of Appeal. When he is doing so he will have regard to the sentences passed, the law as it was at the time the offences were committed the present sentencing guidelines and no doubt the totality of the sentence passed. My understanding of the law is that the Attorney General has 28 days to decide whether he is going to refer it to the Court of Appeal. Even if the Attorney General decides to refer it to the Court of Appeal they may refuse to hear the case or decide that the sentence should remain the same: a referral does not mean that the sentence will increase or that it was unduly lenient.
Costs in the FTT: Snee v Information Commissioner & Leeds City Council

May 28th, 2014

Under the Freedom of Information Act 2000 a decision by the Information Commissioner is capable of being appealed to the First Tier Tribunal (Information Rights) by either the public authority involved or the Complainant. There is no cost in brining an appeal and parties are generally responsible for paying any legal costs that they incur (public authorities will often be represented as will the Commissioner; sometimes by Counsel). Under The Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 the Tribunal has, on the application of a party, the power to award costs. It can do so where the appellant has acted unreasonably in brining or pursuing the appeal.

Earlier this month the First Tier Tribunal issued a decision, Mark Snee v the Information Commissioner and Leeds City Council, in respect of an application for costs against an Appellant by Leeds City Council. The Council were seeking their £20,000 costs in full, having applied to be joined to the appeal and having been represented by Queens Counsel. The Appellant in the case, Mr Snee, was represented by Counsel. The Tribunal’s decision contains some useful information with regards to heir approach to such applications.

Mr Snee’s requests had been refused by the Council on the grounds that they were vexatious (section 14(1) of the Freedom of Information Act 2000). The Commissioner and the Tribunal agreed that they were vexatious, and it was at that stage the City Council applied under Rule 10(1)(b) of the Tribunal Rules for costs.

One of the Council’s arguments, which was not accepted by the Tribunal, would have had a fundamental effect upon an individual’s right to appeal to the Tribunal. It was argued that, because Mr Snee’s requests were vexatious he had acted unreasonably in bringing the case to the Tribunal. The Tribunal did not agree. It pointed out that the Commissioner had the opportunity to refuse to issue a decision notice where he found the complaint to be frivolous or vexatious, and the Tribunal had the power to Strike out an appeal upon the application of a party where it has no hope of succeeding. The Tribunal stated that it was right to remember these protections against vexatious or hopeless appeals. Automatically making appeals against a decision that requests are vexatious subject to the costs provisions where the appeal fails would have a significant impact upon the appeal rights of an individual. The Tribunal considered that “it must be possible, depending on the circumstances, for the maker of a request regarded by everyone else as vexatious, to defend his or her position on that point without automatically being treated under the costs Rules as behaving unreasonably.” In other words, it must be possible for an individual who makes a request which is considered to be vexatious to defend their position in the Tribunal.

In the Tribunal individuals who are appealing against the Commissioner’s decision in respect of their FOI request will often not have the benefit of legal advice. Thus, what might appear to a fully trained lawyer to be “futile or wrongheaded”, the Tribunal considered that “it would be wrong to assume that the challenge is inevitably an unreasonable one for the citizen to bring.” The comments had a much more general application than that and equally well apply to a range of other Tribunals within the First Tier Tribunal structure where Legal Aid is not available, or is available only in very limited circumstances.

It seems, from this decision, that the chances of an appellant facing a costs order for an Appeal against a decision of the Information Commissioner are unlikely; although it remains a possibility that costs will be awarded in exceptional circumstances; quite what those circumstances will be remains to be seen. It seems more likely that an unreasonable appeal will be struck out during the early case management stages than for it to progress to a full hearing, thus preventing the generation of significant costs for all involved.
‘Prisoners’ are people too

May 11th, 2014

There is rarely a day that goes by without there being some story in the press about prisoners or prisons. When we do, we often hear them described as ‘thugs’, ‘beasts’ and ‘monsters’ (among other things). There is a large (and sadly influential) section of the population who view prisoners as second-class citizens, as things which are not worthy of being considered as or respected as human beings. We see it clearly, first they are de-humanised and then it becomes possible to justify all sorts of abuses and ill-treatment upon them. Indeed, we can see certain sections of the population advocating treating prisoners in ways that we wouldn’t be allowed to treat animals. However, prisoners are people. Yes they are people who have done bad things, but they are people nonetheless.

As a group they are identified by what they have done wrong, and the fact that they are in prison. They’re considered as a homogenous group of people; something which they are not. Within the prison population you have some of the most vulnerable and broken people in society. You have people with multiple mental health problems, people who have suffered the most horrendous abuse as children (and often as adults too), you have people who were neglected by the adults who were supposed to have looked after them while they were children and I could go on. Of course, none of these reasons is an excuse for what they have done; though, it can offer an explanation as to why they offended in the way that they did. As well as those who are vulnerable and broken, there are people who have simply made bad choices in their lives or been caught up in situations that got out of hand (it’s not just “bad people” who end up in prison; anyone can, in the right circumstances, find themselves on the wrong side of the law). We’re not dealing with a homogenous group of people; we’re dealing with a wide variety of people who all have one thing in common: they’re in prison.

It is a legitimate aim of society to want to be safe, and to be free from crime. It is also a legitimate aim of society to punish those who offend against the community. The mess that can be left behind after a crime has been committed can be huge; and it will often be the community that’s been impacted who are left to pick up the pieces. However, punishment alone is not enough. We need to look at radical ways of dealing with crime if we are going to see the changes in society that we want to see. Simply warehousing people in prisons for set periods of time isn’t going to bring about the changes that we want to see.

When it comes to prison we seem to be confused, as a society, about what it is for. We are all agreed one of the justifications for prison is as a form of punishment. However, is prison itself the punishment or is prison a place that we send people to be punished. There is a subtle difference in wording, but in practice this makes a massive difference to how prisons are operated. We frequently hear the line that prisons are like holiday camps being trotted out (which, when you actually think of it is an absolutely ridiculous saying; prison is about as far from Butlins or Centre Parcs as you can get). We see regular calls for prisons to be unpleasant places (they already are) where harsh regimes are the order of the day. In England and Wales that view seems to be winning out as the prison regime is being continually made more harsh and more unpleasant by Justice Secretary Chris Grayling MP. Those who favour such policies say that if we make prison a harsh and unpleasant place then people won’t want to go back and thus when they’re released they won’t commit another crime. It’s utter nonsense and has little or no scientific backing to it whatsoever. In any event, in my experience, people who leave prison in the UK today genuinely don’t want to go back when they walk out the gates. The problem is though they often walk out of the prison gates into homelessness, unemployment and back into the chaotic lifestyles that they lived before they went to prison.

Let me tell you the story of Jimmy (not his real name). Jimmy was released from prison; while he was in prison he lost the home that he had been living in before he went into prison. However, a place for him to stay had been arranged. Due to failures in the prison system, he was released later than expected. It was a Friday afternoon. By the time he made it to the housing association the person who had the key for his flat had gone home and wouldn’t be back in until Monday morning. He was simply told to come back on Monday morning. He went to the Council to present as homeless and to try and get emergency accommodation. He was told that there we no places to give to him. Faced with spending the weekend sleeping rough, Jimmy committed a minor crime knowing that he would be held in the police station until court on Monday. So, he put a brick through the window of a shop and waited until the police turned up. He was duly arrested and held in police custody over the weekend.

This is the type of thing that happens time and time again. People undergoing methadone treatment for heroin addictions are released with a doctor’s appointment three days away; of course in that time there is nothing treating the cravings and they end up feeding their habit with heroin, which puts them back into the revolving prison gates. People are released from prison unemployed and often have to wait weeks to get any form of benefits payment, by which time they’re back in prison having either stolen to try and feed themselves or simply committed a crime to get back into prison where they know they’ll be fed. These situations are not uncommon either, they happen all the time. It’s particularly bad for people released from prison on a Friday because all of the services that they can turn to close for the weekend. Foodbanks, for example, often require you to have been referred to them from organisations like Social Work, the Job Centre, Citizens Advice etc. All services that either close down for the weekend, or are so overstretched that they can’t assist everyone that needs it.

As a society we need to begin to change our attitudes because as it currently stands we set up people coming out of prison to fail. We’re not willing them to give them a chance; we’re happy to discriminate against them in terms of employment opportunities and wonder why they commit further crime or label them layabouts because they remain on benefits long-term. We’ll let our prejudice and discrimination get in the way of policies known to work and to cut re-offending because they don’t give us the retribution that we consider to be just. The system is broken and its brokenness is creating fresh victims and costing us as a society dearly emotionally, physically and financially. The first thing that we need to do is recognise that people who have offended, regardless of how heinous their crime, are human beings. Only then will we be able to have sensible discussions about justice and penology; only then can we ensure that we have a justice system that ensures the public are protected long-term by transforming the lives of those who have caused harm to their communities.
Case Note: City of Edinburgh Council against a decision of the Lothian Valuation Appeal Committee

April 12th, 2014

On 9 April 2014 the Court of Session issued its decision in an appeal by the City of Edinburgh Council against a decision of the Lothian Valuation Appeal Committee. The Courts judgment can be read in full here. The case concerns liability for council tax while a property is uninhabitable as the result of renovation and construction works.

Facts

Mr Miller purchased a residential property in March 2007. The property was unfurnished and unoccupied. Following his purchase he requested that the Council assess the property to determine whether the property was habitable or uninhabitable. In May 2007 the Council duly carried out that assessment and found that the property was uninhabitable due to the major construction works being undertaken.

In December 2007 Mr Miller applied to the City of Edinburgh Council for a Building Warrant in order that he could construct an extension to the property. After delays, the Building Warrant was granted in November 2008. In July 2011 the City of Edinburgh Council determined that the property was still “unfit for human habitation…due to the extensive renovation work underway”. However, no statutory prohibition notice was served on Mr Miller.

In December 2012 the Lothian Valuation Appeal Committee held a hearing concerning the liability for Council Tax in respect of this property. Mr Miller’s solicitors argued that as it would have been an offence under section 21(5) of the Building (Scotland) Act 2003 for Mr Miller to inhabit the property, occupation of the property was prohibited by law and paragraph 7(a) of Schedule 1 to the Council Tax (Exempt Dwellings) (Scotland) Order 1997 was engaged. Mr Miller’s Solicitors argued that the property was exempt from council tax.

The Council argued before the Lothian Valuation Appeal Committee, and the Court of Session, that Section 21(5) of the Building (Scotland) Act 2003 was not engaged. It relied upon the fact that the works that the Building Warrant authorised had not been registered as having by the issuing of a Start of Works notice to the Building Standards department. The Council also argued that there had been no evidence that the works which the Building Warrant authorised (that is the construction of the extension) had commenced.

The Lothian Valuation Appeal Committee accepted Mr Miller’s argument and found that the property was exempt from Council Tax. The Council appealed.

Decision and reasoning of the Court

The Court of Session quashed the decision of the Lothian Valuation Appeal Committee.

The Court of Session accepted that the exemptions from the payment of council tax are located in Schedule 1 to the Council Tax (Exempt Dwellings) (Scotland) Order 1997 and that liability does not require there to be a person living in the property. The Court did not accept that section 21(5) of the Building (Scotland) Act 2003 was engaged in this case. However, the Court went on to say that even if section 21(5) of the Building (Scotland) Act 2003 was engaged it considered that occupation could include occupation for the purposes of carrying out renovations to a property. The Court did not accept that occupation could only mean habitation, indeed section 21(5) of the 2003 Act clearly draws the distinction by excluding occupation for the purposes of construction or conversion. The Court went on to say that paragraph 7(a) of the Council Tax (Exempt Dwellings) (Scotland) Order 1997 was not engaged as occupation was not prohibited by law; the property would have been occupied for the purposes of the renovation.

The Court also considered that the Council Tax (Exempt Dwellings) (Scotland) Order 1997 provided a specific exemption for the purposes of major repair work or structural alteration. These can be found in paragraphs 2 and 4 of Schedule 1. Paragraph 2 relates to dwellings which are under repair, and since 2000 has been limited to a period of 12 months since the day that the property was last occupied while paragraph 4 relates to dwellings which are both unfurnished and unoccupied. The Order places a restriction of 6 months since the last period of 3 months in which it was occupied. The Court considered that as there were specific statutory provisions, which were time limited, in respect of properties like that in this case, it would not be appropriate to read paragraph 7(a) in the way that the Lothian Valuation Appeal Committee had. The Court agreed with the City of Edinburgh Council that Parliament’s intention would be defeated with such an interpretation of the provisions.

Comment

This case deals with the statutory interpretation of the Council Tax (Exempt Dwellings) (Scotland) Order 1997. It is clear that properties that are undergoing substantial repair work, which prevents them from being inhabited, are entitled to an exemption from council tax only for a period of 12 months following the date at which they are vacated for the purposes of that work. It is not possible to escape the payment of council tax by simply obtaining a Building Warrant and then never obtaining the required Completion Certificate. While Section 21(5) of the Building (Scotland) Act 2003 prevents an individual living in a property which is undergoing conversion or construction and where no completion certificate has been accepted, it does not prevent its occupation in a way that would engage paragraph 7(a) of the Council Tax (Exempt Dwellings) (Scotland) Order 1997.
ICO to appeal HS2 veto

April 10th, 2014

It has been reported that the Information Commissioner is to make an application for Judicial Review of the decision by the Secretary of State for Transport to issue a certificate under section 53 of the Freedom of Information Act 2000 (‘the FOIA’) in respect of the Commissioner’s decision that the project assessment report pertaining to the HS2 project should be released under the Environmental Information Regulations 2004 (‘the EIRs’).

The Commissioner’s decision to make an application for judicial review is undoubtedly underpinned by the decision of the Court of Appeal in the case of R (Evans) v Attorney General and Information Commissioner in which the Court of Appeal decided that the use of the ‘veto’ under section 53 of the FOIA was unlawful in respect of information which is environmental in nature. I have written on the Evans decision here, and so don’t propose to repeat anything that is contained in that post.

In his decision dated 6 June 2013 the Commissioner found that the information contained within the report was Environmental Information, and consequentially it fell to be considered under the EIRs rather than the FOIA. The Cabinet Office, who were the public authority concerned, relied on Regulation 12(4)(e). The Commissioner found that the exemption was engaged, in that the information concerned amounted to internal communications. However, he decided that the public interest in maintaining the exemption did not outweigh the public interest in releasing the information. As a result the Information Commissioner ordered the Government to release the information contained within the report.

As the information amounts to Environmental Information, and following the decision of the Court of Appeal, the Secretary of State’s certificate under section 53 is unlawful. It should be noted that the Evans decision is subject to an appeal to the Supreme Court by the Attorney General. It is possible that the Supreme Court could over-turn the Court of Appeal’s decision in that case which states that the veto is unlawful in respect of Environmental Information.

Some interesting times ahead in the world of FOI.