Archive for the 'Freedom of Information' Category

Improving public records: the Public Records (Scotland) Act 2011

Published October 13, 2011 Contract Law , Data Protection , Freedom of Information Leave a Comment

Last Tuesday I attended the Public Records Conference in Edinburgh, and delivered a presentation on the potential legal implications of the new Public Records (Scotland) Act 2011 (the “PRSA”).

The PRSA is intended to “make provision about the management of records by certain authorities”. The theory is that there is a moral imperative to improve record keeping in Scotland, and that the data protection law and freedom of information regimes are only as good as the records which are kept.

In his keynote address, the Keeper of the Records of Scotland Mr George MacKenzie mentioned that records keepers hate the stereotype of “dusty archives”. When it came to my turn to speak, my opening line was, pointing to my grey suit – “I worked at the Registers of Scotland for 4 years – when I started at the Registers, this suit was white”.

After that it was down to serious law, and the headlines of my presentation were as follows:

  • The public authorities to which the PRSA applies are set out in the Schedule. The voluntary sector will only be involved in complying with the PRSA when and where they are contracted by a public authority to perform a public function. The concept of “public function” isn’t defined in the PRSA and could prove controversial. Should the public sector start making provision in contracts for private providers to comply with the PRSA?
  • Public records are those created by a public authority in carrying out its’ functions. They’re also records created by or on behalf of a contractor in carrying out the authority’s functions (this is not intended to include persons who provide goods or services, but does however mean that authorities must arrange for managing contractors’ records as well as their own). Finally they’re also records created by any other person that have come into the possession of the authority or a contractor in carrying out the authority’s functions (examples include correspondence, reports, evidence or statistics which relate to the function).
  • Authorities must create records management plans, ”agreed” with the Keeper. The issue here is about selecting someone at senior enough level to be taken seriously in driving this forward. This is a resource burden for public authorities and others and may require investment in training.
  • By the end of 2011 the Keeper will issue guidance to authorities about the form and content of records management plans. s. 5 of the PRSA provides that a plan will be reviewed not earlier than 5 years after the date of last review. However under s. 6 at any time Keeper may carry out a records management review to check on compliance. The triggers for this ad hoc checking of a plan aren’t clear.
  • If the authority fails to comply with any of the requirements of the PRSA, the Keeper may take such steps as Keeper considers appropriate to publicise the failure. Unlike the Data Protection Act, there are no monetary penalties for failure to comply. There is therefore a suggestion that the PRSA may be “toothless”.
  • The PRSA is intended to be complimentary to the Freedom of Information (Scotland) Act (“FOISA”).  FOISA is a model publication scheme, while the PRSA is a model records management plan. The list of organisations to which FOISA and PRSA apply are different.  The PRSA seeks to support FOISA, but it will not in any way impinge on FOISA or bring about a change in Schedule 1 of FOISA.

The full guidance notes for the PRSA can be read here.

It became clear during the conference that, at the outset at least, the PRSA is going to be enforced in a collaborative fashion. I don’t think we will see authorities being publicly censured for failures to comply, in the short term at least. It is scheduled to come into force at the start of 2013.

If you’d like more information, or are interested in some training on the PRSA for your organisation, then please email me or your usual TIO Group contact.

ICO confirms that Twitter is a valid method of making a request for information under FOI

Published August 5, 2011 Freedom of Information Leave a Comment

The UK Information Commissioner’s Office (ICO) has confirmed its view that tagging a public authority’s Twitter account in a tweet can be sufficient to constitute a request for information under the Freedom of Information Act 2000 (FOIA).

This may come as a surprise to a number of public authorities already struggling to manage and monitor requests for information under FOIA.

Making a request
Unlike a subject access request under the Data Protection Act 1998, a request for information does not need to be made in a particular form, or even identify itself as a request for information. It must simply be made in writing and identify the name of the applicant.

The ICO states that provided the applicant’s Twitter ID or profile gives its real name, that will be sufficient.

Monitoring of @mentions
In many instances, Twitter will be used by public authorities just for information dissemination to the public (for example, for realtime information), and not for engaging in conversations with other Twitter users.

However, given the ICO’s guidance, it is important that public authorities maintaining Twitter accounts monitor their @mentions for potential requests for information. This will apply not just to a public authority’s main Twitter account, but also (potentially) to Twitter accounts maintained by indvidual departments within that authority or (even) individuals, if they Tweet in the capacity of their job.

Note that the ICO’s guidance only applies to FOIA. It does not apply to the Freedom of Information (Scotland) Act 2002, which applies to Scottish public authorities. It’s not clear what the Scottish Information Commissioner’s view on this is.

ISPs fail to overturn Digital Economy Act

Published April 27, 2011 Data Protection , Freedom of Information , In the Media , Intellectual Property Leave a Comment

BT and Talk Talk have failed in their attempt to overturn certain provisions of the Digital Economy Act (“DEA”) by judicial review.

Justice Kenneth Parker rejected arguments led by the ISPs that the contested provisions of the DEA will breach key pieces of European Union legislation. In Justice Parker’s opinion:

  • The Technical Standards Directive will not be breached because the DEA is not currently legally enforceable against individuals or ISPs, and therefore it is perfectly acceptable for the Government to notify the DEA to the European Commission at the same time that it notifies the forthcoming draft Initial Obligations Code (which is being prepared by Ofcom);
  • The E-Commerce Directive (and its “mere conduit” protection for ISPs) will not be breached because the DEA will not impose liability on ISPs for copyright infringement; and
  • The Data Protection Directive will not be breached because, although the “relevant data” to be processed by copyright owners (ie IP addresses) will, in Justice Parker’s opinion, constitute “personal data”, the processing will be relevant and lawful for the purposes of preventing copyright infringement.

Justice Parker had more sympathy with the ISPs’ objection to bearing 25% of the costs incurred by Ofcom in carrying out functions under the contested provisions of the DEA. He ruled that these were administrative costs breaching Article 12 of the Authorisation Directive, and were therefore unlawful. (Nothing in the actual DEA will be changed, but the government will have to reapportion these costs. Note also that ISPs will still be required to pay 25 per cent of the costs of sending out letters to alleged infringers.)

Justice Parker then addressed the claim that the provision represented a disproportionate restriction on the free movement of services and/or the right to privacy and/or the right to free expression or to impart and receive information. He was reluctant to tamper with the legislation, saying: “the issues in this judicial review…are classically of the kind that Professor Lon Fuller famously described as ‘polycentric’ where it is hard enough for the legislature to seek to think through, and to weigh all the possible implications of a range of policy choices that are theoretically open, but it is nigh impossible for a judge…this Court must accord Parliament a wide margin of discretion in weighing the competing rights in this case.”

Despite this reticence, Justice Parker interestingly endorsed the DEA’s controversial “3 strikes and you’re out” regime, stating that it represented “a more efficient, focused and fair system than the current arrangements”. Justice Parker also noted that in any court actions against infringers the burden of proof will be on the rights holders to show that the accused is the party which has actually infringed copyright (as opposed to the party which has, for example, provided wi-fi access). He concluded by stating that he did not believe that any useful purpose would be served by referring to the European Court of Justice the questions of European Union law raised by the judicial review.

In contrast, BT and Talk Talk have announced that they are considering their options, and have not ruled out an appeal to the Court of Appeal, or a request that the Court of Appeal make a reference to European Court of Justice.

Personally, I’d disagree with Peter Bradwell from the Open Rights Group’s claim that “it is not a judgement about whether or not the Digital Economy Act is right in policy terms.” I think that close reading of the decision from paragraph 203 onwards leaves little doubt that Justice Parker tacitly approves of the reasoning behind the DEA.

The full text of the judicial review can be read here.

A Freedom Too Far?

Published January 7, 2010 Freedom of Information Leave a Comment
Tags:

It’s as if Mel Gibson shouted “FREEDOM (of information legislation)!” at the end of Braveheart. The Scottish Government is proposing that Freedom of Information legislation should be extended to cover a wider range of bodies which deliver public services in Scotland, making Scotland the most “open” country in the UK.

Further bodies can be “designated”, or brought under the scope of the Freedom of Information (Scotland) Act 2002 through powers set out in section 5 of the Act. According to the Scottish Government, bodies should only be considered for inclusion in a section 5 order where they undertake significant work of a public nature or receive significant public funding.

The specific bodies so far identified are building contractors on large public projects; private prison operators; leisure and culture trusts set up by local authorities; the Glasgow Housing Association; and the Association of Chief Police Officers in Scotland. Consultation with these bodies will take place in spring 2010.

In most cases it’s a fair cop (geddit).

However, the addition of “building contractors” private prison operators and leisure trusts seems uneccessary because information they have/generate in relation to a public sector contract is probably already caught under existing FOI legislation.

Freedom of information and privacy – finding the right balance

Published September 25, 2009 Data Protection , Freedom of Information Comment

Yesterday I attended a very interesting seminar at the University of Dundee’s Centre for Freedom of Information.

The topic under consideration was the interaction between freedom of information and data protection legislation, and in particular how the law seeks to balance the “right to know” (the basic premise of freedom of information) and the privacy rights of the individual.

Christine O’Neill, Head of Brodies’ Public Sector Services Group, gave an excellent presentation on key case law to date, looking at where the law stands following the House of Lords’ decision last July in the case of Common Services Agency v Scottish Information Commissioner.

There was general consensus that the law in the UK on this issue is badly in need of clarification, in particular given the importance of the competing interests at stake.  The interaction between freedom of information and data protection legislation relies heavily on how we define “personal data” – the personal information to which data protection legislation applies. Broadly speaking, personal data is any information about a living individual from which that individual can be identified. However the decision in the CSA case (which dealt with statistical information about the incidence of childhood leukaemia in Dumfries and Galloway) has left information lawyers struggling to understand precisely how the “identifiable” element of the statutory definition should be interpreted, in particular in cases where an organisation tries to anonymise personal information in order to permit its release.

Comments from David Banisar of Privacy International supported a general view that the problems currently being encountered in the UK, in seeking to reconcile these two bodies of legislation, stem mainly from the wording of the UK’s Data Protection Act 1998. Many other jurisdictions around the world have both freedom of information and data protection legislation, but appear to have succeeded in achieving a smoother and more effective interaction between the two regimes than we have to date.

More developments are in the pipeline, with the Scottish Information Commissioner preparing to give his further decision on the CSA case in the coming months and another case (this time on the incidence of registered sex offenders living in certain postcode sectors) heading to the Court of Session.  This looks set to present more difficult issues, both from a policy and a technical, legal perspective.

Ultimately, it is looking increasingly likely that a satisfactory level of clarity will be achieved only through suitable amendments to the DPA. However, any light which further case law can shed on the issue in the meantime would be very welcome indeed.

Eleanor Peterkin

Twitter: @BrodiesTechBlog feed

 

February 2012
M T W T F S S
« Jan    
 12345
6789101112
13141516171819
20212223242526
272829  
Follow

Get every new post delivered to your Inbox.

Join 135 other followers