Information Rights
Appeal Reference: EA/2023/0307
Decided without a hearing
On 20 October 2023
Before
TRIBUNAL JUDGE HEALD
Between
JASHU VESTANI
Appellant
and
THE INFORMATION COMMISSIONER
Respondent
Decision
The application is struck out.
REASONS
Background
Jashu Vestani (“the Applicant”) was seconded to Capital Letters (London) Limited (“Capital”). On 2 November 2020 Capital wrote to the Applicant and said, “I am writing to you to notify you of a breach of Capital Letters’ data which included some of your personal data, and the steps the company has taken to contain the breach and manage any associated risks.” In the letter, as well as apologising, Capital provided an explanation as to what had happened, what personal data had been involved, the steps taken and their assessment of the risk. Additionally, they gave guidance to the Applicant about the need to be alert to the risk of the potential misuse of the data concerned.
Subsequently the Applicant was the victim of cyber-attacks and other fraudulent activity and concluded that this had occurred because of the data breach at Capital. There was correspondence about these concerns, but the matter was not resolved to the Applicant’s satisfaction.
On 4 January 2023 the Applicant submitted a complaint (“the Complaint”) to the Commissioner. On 14 March 2023 the Commissioner responded and in conclusion said: -
“I have considered the information available in relation to this complaint and though we appreciate you have experienced such unfortunate events it does not appear that you have provided sufficient evidence to support your concerns about Capital Letters (London) Limited’s data breach being the direct cause of the cyber attacks and fraudulent activities that you have experienced. As the ICO is an evidence-based regulator, we would require strong documentary evidence to support your concern before we would consider this matter further. At this stage as we are unable to consider your concerns further, we will now close this case.”
There then followed a series of exchanges between the Applicant and the Commissioner which concluded with the Commissioner indicating its position had not changed.
Procedure
On 23 June 2023 the Applicant submitted an application to the Tribunal (“the Application”). In it the relevant part of the outcome sought is: - “I seek fair justice with my appeal. I feel I have been unfairly treated since the start of my secondment…”
There was then a pause due to a concern that there had been some misunderstanding between the Commissioner and the Applicant. On 4 September 2023 the Commissioner apologised for the confusion but maintained its position as set out in the letter of 14 March 2023.
On 6 September 2023 the Commissioner provided its response to the Application including a request that the Application be struck out pursuant to rule 8(3)(c) of the 2009 Rules. As required by rule 8(4) of the 2009 Rules the Applicant was informed of the strike out request and asked to reply by 21 September 2023. On 15 September 2023 the Applicant provided a reply.
Strike out
Rule 8 of the 2009 Rules provides that:-
The Tribunal may strike out the whole or a part of the proceedings if (c) the Tribunal considers there is no reasonable prospect of the appellant's case, or part of it, succeeding.
In HMRC -v- Fairford Group (in liquidation) and Fairford Partnership Group (in liquidation) [2014] UKUT 0329 the Upper Tribunal summarised the task to be carried out by a Tribunal in these terms at (41): -
“. The Tribunal must consider whether there is a realistic, as opposed to a fanciful (in the sense of it being entirely without substance) prospect of succeeding on the issue at a full hearing……..A ‘realistic’ prospect of success is one that carries some degree of conviction and not one that is merely arguable…..the strike out procedure is to deal with cases that are not fit for a full hearing at all……. The tribunal must avoid conducting a ‘mini-trial”
In AW-v-Information Commissioner and Blackpool CC [2013] 30 ACC the Upper Chamber set out the principles governing the application of rule 8(3)(c) of the 2009 Rules. These included: -
More recent rulings from the superior courts point to the need to look at the interests of justice as a whole ….It is, moreover, plainly a decision which involves a balancing exercise and the exercise of a judicial discretion, taking into account in particular the requirements of Rule 2 of the GRC Rules.
Rule 2 of the 2009 Rules refers to the overriding objective of the 2009 Rules which is “to enable the Tribunal to deal with cases fairly and justly.” Rule 2(3) of the 2009 Rules provides that the Tribunal “must seek to give effect to the overriding objective when it (a) exercises any power under these rules or (b) interprets any rule or practice direction.”
The DPA
Section 166 of the DPA provides: -
This section applies where, after a data subject makes a complaint under section 165 or Article 77 of the GDPR, the Commissioner
fails to take appropriate steps to respond to the complaint,
fails to provide the complainant with information about progress on the complaint, or of the outcome of the complaint, before the end of the period of 3 months beginning when the Commissioner received the complaint, or
if the Commissioner’s consideration of the complaint is not concluded during that period, fails to provide the complainant with such information during a subsequent period of 3 months.
The Tribunal may, on an application by the data subject, make an order requiring the Commissioner
to take appropriate steps to respond to the complaint, or
to inform the complainant of progress on the complaint, or of the outcome of the complaint, within a period specified in the order.
An order under subsection (2)(a) may require the Commissioner
to take steps specified in the order;
to conclude an investigation, or take a specified step, within a period specified in the order.
Section 165(5) applies for the purposes of subsections (1)(a) and (2)(a) as it applies for the purposes of section 165(4)(a).
Relevant parts of Section 165(4) DPA provide: -
If the Commissioner receives a complaint under subsection (2), the Commissioner must
take appropriate steps to respond to the complaint,
inform the complainant of the outcome of the complaint,
inform the complainant of the rights under section 166, and
if asked to do so by the complainant, provide the complainant with further information about how to pursue the complaint.
The reference in subsection (4)(a) to taking appropriate steps in response to a complaint includes—
(a)investigating the subject matter of the complaint, to the extent appropriate…
Summary of the Commissioner’s position
The Commissioner’s position in summary is that a section 166 DPA application is not concerned with the merits of the original complaint and does not provide a forum for an applicant to challenge the substantive outcome of the Commissioner’s actions. It is an expert regulator, with a wide discretion to deal with complaints.
This is confirmed in Killock &Veale & others -v-Information Commissioner [2021] UKUT 299 (ACC) (para 76) in which it was held that:-
The Tribunal does not have the same expertise in determining the appropriate outcome of complaints. The Commissioner is the expert regulator. She is in the best position to consider the merits of a complaint and to reach a conclusion as to its outcome. In so far as the Commissioner’s regulatory judgments would not and cannot be matched by expertise in the Tribunal, it is readily comprehensible that Parliament has not provided a remedy in the Tribunal in relation to the merits of complaints.
Killock is also authority as to the role of the Tribunal when considering whether the steps taken (by the Commissioner) were appropriate. This is not determined by the Commissioner but: -
85…..in considering appropriateness, the Tribunal will be bound to take into consideration and give weight to the views of the Commissioner as an expert regulator. The GRC is a specialist tribunal and may deploy (as in Platts) its non-legal members appointed to the Tribunal for their expertise. It is nevertheless our view that, in the sphere of complaints, the Commissioner has the institutional competence and is in the best position to decide what investigations she should undertake into any particular issue, and how she should conduct those investigations.
The outcome of the Complaint
As seen above the Commissioner responded to the Complaint by a letter dated 14 March 2023 the content of which was repeated on the 14 April 2023 and 19 June 2023. It explained that the Commissioner’s decision was to “close this case.” The Commissioner’s letter of the 5 September 2023 said in summary: - “We are not denying that your personal data was affected by the data breach in 2020, however there is insufficient evidence to demonstrate that activity that occurred after this incident was due to the breach”. “Having reviewed the matter I can confirm that this is not something we intend to pursue further”.
Summary of the Appellant’s position
Th Appellant says “I am inexperienced in this matter and do not have a representative.” I took note of this when reviewing the Appellant’s submissions and other documents provided.
The Appellant remains very concerned about the original data breach, how it was handled, the relationship with Capital and the subsequent cyber-attacks suffered. The Applicant also remains dissatisfied with the Commissioner’s response both in terms of the outcome and process saying “I know I have suffered an injustice” and concludes with:-
“There is no solution. The steps taken so far have been inappropriate resulting in an unfair outcome. In this case the Commissioner cannot be trusted to reinvestigate. If this needs to be done my request is that it be followed up by an independent investigator”
Decision
Data breaches and cyber-attacks are of great concern. The Applicant has been the victim of cyber crime and the concerns expressed are understandable. However, the Tribunal can only review the actions of the Commissioner carrying out its obligations by section 165 DPA, as empowered to do so by section 166 DPA and based on the relevant authorities.
In light of this and having reviewed the position of the Applicant and the Commissioner and having considered the overriding objective I conclude that there is no reasonable prospect of the Applicant’s case succeeding and that it would therefore be right for me to exercise the discretion to strike out the Application.
Accordingly, the Application is struck out pursuant to rule 8(3)(c) of the 2009 Rules.
Signed Simon Heald
Judge of the First-tier Tribunal
Date:20 October 2023.