Case Reference: EA/2023/0209
Information Rights
Heard by: CVP
Before
TRIBUNAL JUDGE SOPHIE BUCKLEY
TRIBUNAL MEMBER ROSALIND TATAM
TRIBUNAL MEMBER KERRY PEPPERELL
Between
G BRIDA
Appellant
and
THE INFORMATION COMMISSIONER
Respondent
Representation:
For the Appellant: In person
For the Respondent: Did not appear
Decision: The appeal is Allowed.
Substituted Decision Notice:
Organisation: The Information Commissioner
Complainant: Mr G Brida
The Substitute Decision – IC-219436-J1G5
1. For the reasons set out below the public authority was not entitled to rely on section 14(1) of the Freedom of Information Act 2000 (FOIA) to refuse to comply with the request for information.
2. The tribunal requires the public authority to take the following step:
Issue a fresh response to the complainant, which does not rely on section 14(1) FOIA.
3. The public authority must take this step within 35 calendar days of the date of this decision.
4. Any failure to abide by the terms of the tribunal’s substituted decision notice may amount to contempt which may, on application, be certified to the Upper Tribunal.
REASONS
Introduction
The public authority in this appeal is the Information Commissioner. I shall refer to the Information Commissioner as public authority as ‘the ICO’. I shall refer to the Information Commissioner as Regulator and party to these proceedings as ‘the Commissioner’.
This is an appeal against the Commissioner’s decision notice IC-219436-J1G5 of 17 March 2023 which held that the ICO were entitled to rely on section 14(1) of the Freedom of Information Act 2000 (FOIA).
The Commissioner did not require the public authority to take any steps.
Rule 4(3) application
By email dated 17 October 2023 Mr. Brida made an application under rule 4(3) of the Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 for his application for disclosure and directions made in his Reply and determined by the Registrar on 6 October 2023 to be considered afresh. This application was heard and determined at the start of the substantive hearing. For the reasons given orally in the hearing the applications were refused or not pursued by Mr Brida.
Background to the appeal
The appellant sets out the background to the appeal in his notice of appeal as follows:
“3. The Appellant made a Data Subject Access Request on 28th November 2022 for the evidence supporting an assertion regarding an earlier decision concerning the Appellant’s personal data that the Appellant understood to be incorrect and on the face of it the Commissioner’s representative was not in a position to make due to the Commissioner’s data retention policy. On 5th January 2023, he raised some questions about the information disclosed. Both sides worked collaboratively notwithstanding the various exemptions claimed to produce a mutually acceptable outcome.
4. As part of that email of 5th January 2023, the Appellant made his Freedom of Information Request in the following terms: “I would further like to request the ICO's internal case handling guidelines for DSAR's, ICO service complaints and case reviews to be provided to me under the FOIA. In order to minimise the work involved, I would be happy to receive the index/content to same at this stage and to advise which specific sections I require if that is more convenient.”
5. Upon receipt of the acknowledgement on 9th January 2023, he realised he had omitted the job descriptions of relevant staff from his request and asked the same day for those to be added to his existing request. It was intended to be the only one in this purported series of requests.
6. Instead the Commissioner processed the request for the job descriptions separately to avoid delay. The outcome was uncontentious. Following the equally uncontentious refusal of the remainder of the request under section 21, the Appellant again raised queries by way of his email of 18 th January 2023 in a similar fashion to the way he responded to the DSAR as he is perfectly entitled to do.
7. He had no intention whatsoever that this should amount to a further Freedom of Information Request or that his email should be interpreted as such. If anything, it should have been considered as a statement of non-compliance and a request for a review of the decision regarding his request of 5th January 2023.
8. The purported new request was rejected as being vexatious, a decision upheld at internal review and again by the Information Commissioner as Regulator.”
Request, Decision Notice, and appeal
The request
The appeal relates to the following request made on 18 January 2023:
In regards to the "ICO Operations Directorate Service guide: How we use public concerns, self-reported incidents and complaints to improve information rights practice V4 24/11/16" linked to in your email and available on the ICO website:
This is clearly out of date - is there a revised version or an equivalent or successor document? Kindly disclose or point me to it if available. If not, how are Caseworkers and other staff made aware of what they need to know to do their jobs?
I would also like copies of the latest versions of the documents referred to therein or to their successors/equivalents as follows:
"The keeping it Clear guide" (referred to at P.76)
"Opportunity assessment framework" (p.22, 77)
"Policy delivery knowledge base"; "Policy delivery legal group, Retention and disposal - preservation criteria - casework"; and the "Security manual" (all referred to on p.77)
"Security manual - use of email" (p.53)
the "need some policy advice? pages on ICON" and "policy delivery legal group pages on ICON" referred and linked to on p. 60
I would also like a copy of "Your personal information concerns (Request for Assessment) process" referred to at p. 10 of "Ways to progress a complaint case" in the disclosure log as linked to in your email.
If these documents no longer exist or are outdated, how are ICO staff to be made aware of the type of information they contain(ed)?
Can you confirm the ICO's policy on whether it will ask a data controller who seeks to rely on the disclosures of another data controller (NB: not processor) to meet its own DSAR obligations or fails to disclose personal data on the grounds that it reasonably believes it is already known to a data subject, to disclose the data it holds (i.e. whether these are acceptable reasons to fail to comply with a DSAR) and what criteria would influence such a decision? Kindly provide any relevant ICO documents that address these scenarios?
Further to my email of 09/01/2023, 22:25, can you confirm for the avoidance of doubt that your response has dealt fully with my request for "the full content of the internal guidance for handling DSAR cases and case reviews"?
I am still awaiting "the job description and person specification for the roles of Case Officer and Lead Case Officer" and, if different, Reviewing Officer also.”
The ICO’s reply
The ICO responded on 15 February 2023. They refused to comply with the request on the basis that it was vexatious. The ICO upheld its decision on internal review on 28 February 2023.
The appellant referred the matter to the Commissioner on 2 March 2023.
The decision notice
In a decision notice dated 17 March 2023 the Commissioner decided that the ICO was entitled to rely on section 14 FOIA.
The Commissioner acknowledged that the ICO considered that the motive of the requester is to cause undue disruption. He noted the frequency of the other requests and that the requests follow a similar theme. The Commissioner found that the ICO was correct to handle the request of 18 January 2023 as a new request.
The Commissioner noted that the complainant had requested a large number of different policies and documents referenced in a piece of guidance that was previously disclosed by the ICO, and that the ICO had already previously provided the complainant with enough information to provide a good understanding of its complaint handling process. He considered that this lessened the value of the request and supported the argument that the request was vexatious.
Having balanced the purpose and value of the request against the detrimental effect on the ICO, the Commissioner was satisfied that the request was not an appropriate use of FOIA procedure and concluded that the request was vexatious.
Notice of appeal
In essence, the grounds of appeal are:
The email of 18 January 2023 does not amount to a new FOI request.
If it was a request, the Commissioner was wrong to class the request as vexatious.
The appellant raises a number of issues relating to the Commissioner’s approach to assessing vexatiousness which can be subsumed in the tribunal’s full merits review.
The Commissioner’s response
The Commissioner remains of the view that the ICO was correct to process the 18 January 2023 request as a new request for information, because the 5 January 2023 request was fairly broad.
The Commissioner explained in his Decision Notice why he deemed the 18 January 2023 request to be vexatious:
“He notes that the complainant has indeed requested a large number of different policies and documents referenced in a piece of guidance that was previously disclosed by the ICO, and that the ICO had already previously provided the complainant with enough information to provide a good understanding its complaint handling process.” (DN 27)
The Commissioner acknowledged that there was purpose and value in the request (DN 29) but explained that the volume of specific further documents required in this case (and the burden this would impose to comply) set in the context of the resources already available to the appellant explaining and describing how the ICO handles DSAR's, ICO service complaints and case reviews, lessened the value of complying with this request.
The Commissioner acknowledged in his DN that, “the ICO considers that the motive of the requester is to cause undue disruption.” (DN 25). At the heart of this FOIA request is the appellant’s dissatisfaction regarding the Commissioner’s handling of a previous complaint he had made about a third party data controller’s handling of a subject access request, specifically its use of the legal professional privilege exemption. The appellant’s section 166 appeal under the Data Protection Act 2018 regarding this was not admitted as it was out of time and the First-tier Tribunal did not consider that his grounds were compelling enough to accept the late appeal. The appellant has sought permission to appeal to the Upper Tribunal against this refusal but this is currently outstanding.
Accordingly, noting Dransfield, taking a holistic view of the background and circumstances of this request, balancing its serious purpose and value against the impact of complying due to the burden this would impose, the Commissioner submits that the 18 January 2023 request was correctly categorised as vexatious under section 14(1) FOIA.
The Commissioner submits that the way in which the investigation is conducted is outside the tribunal’s jurisdiction, and any complaints about the way in which the decision was reached will be cured by the right to a full rehearing on the merits. Criticism of the Commissioner’s internal guidance falls outside the tribunal’s jurisdiction.
The Commissioner filed a supplementary response dated 11 August 2023. The Commissioner noted that some of the documents provided by the appellant post-dated the Decision Notice and would not have been taken into account. The Commissioner nevertheless reviewed those documents and confirmed that it did not alter the upholding of section 14 in the Decision Notice.
In relation to documents provided by the appellant pre-Decision Notice, the Commissioner identified two categories of document that he had not taken into account. The first were complaints about the service provided by ICO staff. They are outside the scope of the Decision Notice and outside the tribunal’s jurisdiction. The second were copies of requests made to other public authorities. These were not taken into account save for those requests that provided context.
In relation to the appellant’s Judicial Review pre-action protocol letter dated 31 May 2023 the Commissioner submits that the appellant appears to be using two separate legal processes to try to address his concerns. This ‘scattergun’ approach dilutes the value and serious purpose of his request, and is a duplication of judicial resource.
The Commissioner recognises the origin of the appellant’s concern was a subject access request complaint made to the ICO regarding a third party organisation’s application of the Legal Professional Privilege exemption under the Data Protection Act 2018. The ICO did not progress the appellant’s complaint because he had already been provided with the exempt material by another organisation. The Commissioner submits that as the appellant had obtained the required information (albeit from a different organisation than the one he had complained to the ICO about) this effectively rendered his complaint academic. The Commissioner submits that this amplifies the lack of serious purpose and value behind the request which is the subject of this appeal.
The appellants’ reply
The appellant’s reply contains an application for disclosure and further particulars and other directions. We have extracted the most relevant parts below, but have taken account of the entire reply where relevant to the issues we have to determine.
The appellant submits that his purpose in requesting the information is ‘to obtain the Commissioner’s internal operating guidance so as to hold him to account in the forum of legal proceedings concerning the way that guidance was applied to a DSAR complaint by the appellant’. Since the ICO was aware these documents were sought to be used in legal proceedings there can have been no question of vexatiousness.
The appellant contends that the ICO should have followed his own guidance and made appropriate enquiries by for example seeking out such evidence before making defamatory allegations. The Commissioner should have made his own enquiries rather than relying on the word of the ICO, and should have known in any event that the information was required for legal proceedings.
The appellant submits that:
The Commissioner acknowledges that the request has purpose and value, so it was not, for example frivolous
The documents were no more voluminous or difficult to comply with than the documents disclosed as a matter of routine by the other public bodies approached by the appellant and in many cases far less burdensome
The proper course would have been for the ICO to rely on section 12 (Cost of compliance) had the burden been unduly onerous
The information (“resources” according to the Commissioner) already in the appellant’s possession is not a relevant consideration to take into account when he is entitled to be put on a level playing field with the ICO
Neither the volume of documents nor the compliance burden can alter the absolute value of the information sought as asserted by the Commissioner
The factors referred to by the Commissioner cannot themselves have lessened the value of complying with the request as the Commissioner states because they would not have affected the value of the request to the rest of the world
Even if the request had no value whatsoever, that would not make it vexatious without more (see paragraph 34 below).
The appellant submits that the assertion that his motive was to cause undue disruption is shown to be false by the evidence and is unsustainable.
The appellant submits that his observations in regards to the ICO’s internal guidance are not only valid considerations as to the factual matrix but also go perfectly properly to the real reason for refusing the appellant’s FOIA request potentially being something other than vexatiousness.
The appellant submits that the need for multiple legal processes as well as involving other public bodies such as the Parliamentary Ombudsman, whilst regrettable, is the (direct) result of the Commissioner’s own (vexatious) conduct for example in seeking to deny the appellant his legal rights by refusing to issue a decision notice in regards to the FOIA request of 5 January 2023. It is entirely legitimate for a litigant to protect their position and to utilise every available avenue.
The appellant submits that the Commissioner is conducting himself unreasonably and vexatiously. Failing to accept his own decision on legal privilege in the DSAR case and failing to accept the compelling evidence that there was no vexatiousness or ulterior motive on the part of the appellant are but two examples.
The appellant submits that it is not true that the appellant had already had all the information requested in the SAR (see pA122, email from the appellant dated 20 September 2022).
Further written submissions from the Commissioner
The Commissioner acknowledged that he was aware that within the subject access complaint the appellant raised the issue that the data controller may have held further information over and above that which was already in his possession. The ICO did not establish the extent of any further information which may have been held by the data controller over and above that which was already accessible to the appellant however in any event he was satisfied that the Legal Professional Privilege exemption under the Data Protection Act 2018 had been correctly applied. The Commissioner remains of the view that this amplifies the lack of serious purpose and value behind the FOIA request which is the subject of this appeal.
Further written submissions by the appellant
The appellant submits that the legal professional privilege exemption cannot possibly have been complied with not least because that was the ICO's own view in the outcome of the appellant's complaint under reference RFA0809181 concerning the same data controllers and (at least some of) the same personal data.
Oral submissions by the appellant
The appellant made oral submissions at the hearing which the tribunal took into account where relevant.
Issues
The issue for the tribunal to determine is whether or not the requests are vexatious within section 14 FOIA.
Legal framework
S 14(1) Vexatious Request
Guidance on applying section 14 is given in the decisions of the Upper Tribunal and the Court of Appeal in Dransfield ([2012] UKUT 440 (AAC) and [2015] EWCA Civ 454). The tribunal has adapted the following summary of the principles in Dransfield from the judgment of the Upper Tribunal in CP v Information Commissioner [2016] UKUT 427 (AAC).
The Upper Tribunal held that the purpose of section 14 must be to protect the resources of the public authority from being squandered on disproportionate use of FOIA (para 10). That formulation was approved by the Court of Appeal subject to the qualification that this was an aim which could only be realised if ‘the high standard set by vexatiousness is satisfied’ (para 72 of the CA judgment).
The test under section 14 is whether the request is vexatious not whether the requester is vexatious (para 19). The term ‘vexatious’ in section 14 should carry its ordinary, natural meaning within the particular statutory context of FOIA (para 24). As a starting point, a request which is annoying or irritating to the recipient may be vexatious but that is not a rule.
Annoying or irritating requests are not necessarily vexatious given that one of the main purposes of FOIA is to provide citizens with a qualified right of access to official documentation and thereby a means of holding public authorities to account (para 25). The Commissioner’s guidance that the key question is whether the request is likely to cause distress, disruption, or irritation without any proper or justified cause was a useful starting point as long as the emphasis was on the issue of justification (or not). An important part of the balancing exercise may involve consideration of whether or not there is an adequate or proper justification for the request (para 26).
Four broad issues or themes were identified by the Upper Tribunal as of relevance when deciding whether a request is vexatious. These were: (a) the burden (on the public authority and its staff); (b) the motive (of the requester); (c) the value or serious purpose (of the request); and (d) any harassment or distress (of and to staff). These considerations are not exhaustive and are not intended to create a formulaic check-list.
Guidance about the motive of the requester, the value or purpose of the request and harassment of or distress to staff is set out in paragraphs 34-39 of the Upper Tribunal’s decision.
As to burden, the context and history of the particular request, in terms of the previous course of dealings between the individual requester and the public authority in question, must be considered in assessing whether the request is properly to be described as vexatious. In particular, the number, breadth, pattern, and duration of previous requests may be a telling factor [para 29]. Thus, the greater the number of previous FOIA requests that the individual has made to the public authority concerned, the more likely it may be that a further request may properly be found to be vexatious. A requester who consistently submits multiple FOIA requests or associated correspondence within days of each other or who relentlessly bombards the public authority with email traffic is more likely to be found to have made a vexatious request [para 32].
Ultimately the question was whether a request was a manifestly unjustified, inappropriate, or improper use of FOIA. Answering that question required a broad, holistic approach which emphasised the attributes of manifest unreasonableness, irresponsibility and, especially where there was a previous course of dealings, the lack of proportionality that typically characterises vexatious requests (paras 43 and 45).
In the Court of Appeal in Dransfield Arden LJ gave some additional guidance in paragraph 68:
“In my judgment the Upper Tribunal was right not to attempt to provide any comprehensive or exhaustive definition. It would be better to allow the meaning of the phrase to be winnowed out in cases that arise. However, for my own part, in the context of FOIA, I consider that the emphasis should be on an objective standard and that the starting point is that vexatiousness primarily involves making a request which has no reasonable foundation, that is, no reasonable foundation for thinking that the information sought would be of value to the requester or to the public or any section of the public. Parliament has chosen a strong word which therefore means that the hurdle of satisfying it is a high one, and that is consistent with the constitutional nature of the right. The decision maker should consider all the relevant circumstances in order to reach a balanced conclusion as to whether a request is vexatious. If it happens that a relevant motive can be discerned with a sufficient degree of assurance, it may be evidence from which vexatiousness can be inferred. If a requester pursues his rights against an authority out of vengeance for some other decision of its, it may be said that his actions were improperly motivated but it may also be that his request was without any reasonable foundation. But this could not be said, however vengeful the requester, if the request was aimed at the disclosure of important information which ought to be made publicly available...”
Nothing in the above paragraph is inconsistent with the Upper Tribunal’s decision which similarly emphasised (a) the need to ensure a holistic approach was taken and (b) that the value of the request was an important but not the only factor.
The lack of a reasonable foundation to a request was only the starting point to an analysis which must consider all the relevant circumstances. Public interest cannot act as a ‘trump card’. Rather, the public interest in the subject matter of a request is a consideration that itself needs to be balanced against the resource implications of the request, and any other relevant factors, in a holistic determination of whether a request is vexatious.
The role of the tribunal
The tribunal’s remit is governed by s.58 FOIA. This requires the tribunal to consider whether the decision made by the Commissioner is in accordance with the law or, where the Commissioner’s decision involved exercising discretion, whether he should have exercised it differently. The tribunal may receive evidence that was not before the Commissioner and may make different findings of fact from the Commissioner.
Evidence
We read and took account of an open bundle.
Findings of fact
We make the following findings of fact based on the evidence before us on the balance of probabilities. We have placed the request in issue in this appeal in bold, to show its position in the chronology of the course of dealings between the appellant and the ICO.
In about 2018 the appellant was involved in a consumer dispute with his mobile provider, which lead to a dispute with his legal expenses insurer. In 2018 the appellant made a complaint to the ICO about the way in which ARC Legal Services had acted in response to a subject access request.
On 12 October 2020 the ICO provided an outcome (p A254). They stated:
“Based on the information available to us it is our assessment that ARC Legal Services has infringed the Data Protection legislation, as it has failed to respond appropriately to your subject access request.
It is our opinion that the exemption of Legal and Professional Privilege does not apply in this case. We have written to ARC Legal Services and advised the ICO’s position in this case. We have asked ARC Legal Services to revisit your SAR and consider what personal information you are entitled to without further delay.”
On 26 November 2021 the appellant made a subject access request to Trowers & Hamlins LLP (‘Trowers’). This request was largely, but we accept not entirely, for information that had been provided by ARC Legal Services.
On 7 February 2022 the appellant contacted the ICO to complain that Trowers had breached its data protection obligations.
On 23 May, the appellant asked the ICO to clarify some points and to provide him with a copy of the ICO’s Accountability Checklist for controllers’ document. The ICO replied to him on 27 May 2022.
The appellant made some further points and asked additional questions of the ICO on 1 June. The appellant also referred to his complaint in 2020 and the ICO’s view on the exemption of legal privilege given in the outcome letter on 12 October 2020.
The ICO replied on 14 June. On the same day, the appellant emailed the ICO, attaching copies of previously unseen correspondence. The appellant suggested to the ICO case officer, that the ICO should use its enforcement powers, stating it is ‘a clear case of wilful non-compliance by a firm of solicitors which, as such, should know better.’
The ICO acknowledged receipt of the appellant’s concerns on 1 July and advised that the case officer would be looking into this matter further.
On 17 August 2022 the ICO provided an outcome to the complaint (p A123). They stated:
“We have considered the information regarding your complaint and it is my view that Trowers have handled your request reasonably.
I recently wrote to Trowers about your concerns, specifically regarding the use of legal professional privilege.
Where it appears you already have access to the information in question, it is unlikely the ICO would purse these concerns further. Trowers state you have already been provided with the information through your communications with Arc and therefore already have access to the data.
I understand you believe the privilege shouldn’t apply because the ICO have previously reached a decision that the privilege didn’t apply in your complaint about Arc.
Trowers still maintain the privilege applies between them and their client. The advice was provided by Trowers to Arc as their client and they still consider the information is subject to confidentiality and/or legal advice privilege. I do not believe it is suitable to instruct Trowers to release information they provided to their client based on this. As you have already been provided with this information I do not consider it appropriate or necessary for the ICO take any further action in this matter.”
The appellant replied to this letter by email dated 20 (or 30) September 2022. In that email he made two broad points:
Trowers is right that the information is still subject to lawyer client privilege and confidentiality. However, the firm well knows that the appellant was/is its joint client with Arc Legal Assistance. The (joint interest) privilege is a shared one between Arc and the appellant, so the relevant exemption does not apply as between themselves, as accepted by the ICO’s legal department in this specific case. It is irrational for the ICO to say that Arc Legal Assistance should disclose purportedly privileged information but refuse to do the same for Trowers when the privilege belongs to Arc and not to Trowers.
It was not true to say that he had already had all the information to which I have the right of access from Arc Legal Assistance. For example, Arc could not have provided something it did not have, so he could not have had access to internal communications relating to the appellant and/or his case within Trowers itself.
The ICO replied on 24 October 2022 as follows (p 1119):
“The reason we felt the information ought to be provided in RFA0809181 was because privilege had already been waived to part of the material involved.
Whether or not you have a joint interest in the specific information being withheld is a factor we have considered in relation to whether or not Legal Professional Privilege (LPP) is able to apply to the information withheld from you in this case.
We have investigated this aspect of this case already. We are satisfied that you do not have a joint interest in the specific information being withheld such that the claim of legal professional privilege for this advice between Trowers and Arc could be maintained in legal proceedings. We therefore consider the specific advice involved able to be withheld under LPP and do not consider you to be entitled to a copy of that information.”
In response to this the appellant wrote to the ICO on 28 November 2022 (p A118). In that letter he asked for disclosure of evidence to support the assertion that ‘The reason we felt the information ought to be provided in RFA0809181 was because privilege had already been waived to part of the material involved’ because his understanding was that the ICO’s legal department had considered that the exemption could not be relied upon because joint interest privilege applied. He asked for this request to be treated under the Data Protection Act and/or FOIA as appropriate. In this letter the appellant also asked for the letter to be treated as a case review ‘if we are unable to resolve this matter informally’.
On 30 November 2022 the case officer acknowledged the request for a case review. On 14 December 2022 the reviewing officer did not uphold the complaint and agreed with the ICO case officer’s conclusion.
The ICO treated the letter of 28 November 2022 as a subject access request and responded on 22 December 2022, providing some information and withholding some information (p E287).
On 5 January 2023 the appellant wrote to the reviewing officer in response to the outcome of 14 December and asked her to reconsider her decision. The reviewing officer replied on 6 January 2023 to say ‘we do not intend to enter into further correspondence about this matter’.
On 5 January 2023 the appellant also wrote to the ICO in response to the SAR response given on 22 December 2022. In that letter the appellant made a follow up request under FOIA (p A116):
“I would further like to request the ICO's internal case handling guidelines for DSAR's, ICO service complaints and case reviews to be provided to me under the FOIA. In order to minimise the work involved, I would be happy to receive the index/content to same at this stage and to advise which specific sections I require if that is more convenient.”
The appellant wrote to the ICO on 9 January 2023 asking to add the following to his request of 5 January 2023:
“To my request, I would also like to add the job description and person specification for the roles of Case Officer and Lead Case Officer and the full content of the internal guidance for handling DSAR cases and case reviews.”
On 13 January 2023 the appellant filed an application with the First-tier Tribunal under section 166 DPA in relation to his complaint to the Commissioner about Trowers (EA/2023/0039/GDPR). (On 13 May 2023 the First-tier Tribunal refused to exercise its discretion to extend time to admit the application and Mr. Brida has applied to the Upper Tribunal for permission to appeal this decision. That application has yet to be determined).
On 16 January 2023 the ICO responded to the request of 5 January (p E291). The ICO explained that the requested information was technically exempt from disclosure under section 21 FOIA as it was reasonably accessible to the appellant on the ICO’s website. The ICO however provided links to the relevant information.
On 17 January 2023 the appellant submitted a judicial review Letter of Claim to the ICO, complaining about the way in which the ICO had handled his subject access request complaint. In that correspondence he states:
“The correspondence between the Claimant and the Commissioner’s representatives and his disclosures pursuant to the Claimant’s DSARs which are in the possession of the Commissioner, including the job description and person specification for the Case Officer, Lead Case Officer and Reviewing Officer who represented the Commissioner and his internal casework guidance are the key documents upon which the Claimant proposes to rely in his claim against the Commissioner”
On 18 January 2023 the appellant wrote to the ICO (p C267). In that letter the appellant states:
“Thank you for your helpful reply to my FOIA request.
There are some issues that arise following your response:
In regards to the "ICO Operations Directorate Service guide: How we use public concerns, self-reported incidents and complaints to improve information rights practice V4 24/11/16" linked to in your email and available on the ICO website: This is clearly out of date - is there a revised version or an equivalent or successor document? Kindly disclose or point me to it if available. If not, how are Caseworkers and other staff made aware of what they need to know to do their jobs? I would also like copies of the latest versions of the documents referred to therein or to their successors/equivalents as follows:
"The keeping it Clear guide" (referred to at P.76) "Opportunity assessment framework" (p.22, 77) "Policy delivery knowledge base"; "Policy delivery legal group, Retention and disposal - preservation criteria - casework"; and the "Security manual" (all referred to on p.77) "Security manual - use of email" (p.53)
the "need some policy advice? pages on ICON" and "policy delivery legal group pages on ICON" referred and linked to on p. 60 I would also like a copy of "Your personal information concerns (Request for Assessment) process" referred to at p. 10 of "Ways to progress a complaint case" in the disclosure log as linked to in your email.
If these documents no longer exist or are outdated, how are ICO staff to be made aware of the type of information they contain(ed)?
Can you confirm the ICO's policy on whether it will ask a data controller who seeks to rely on the disclosures of another data controller (NB: not processor) to meet its own DSAR obligations or fails to disclose personal data on the grounds that it reasonably believes it is already known to a data subject, to disclose the data it holds (i.e. whether these are acceptable reasons to fail to comply with a DSAR) and what criteria would influence such a decision? Kindly provide any relevant ICO documents that address these scenarios?
Further to my email of 09/01/2023, 22:25, can you confirm for the avoidance of doubt that your response has dealt fully with my request for "the full content of the internal guidance for handling DSAR cases and case reviews"?
I am still awaiting "the job description and person specification for the roles of Case Officer and Lead Case Officer" and, if different, Reviewing Officer also.
Thank you for taking the time to provide the information requested. I am happy to clarify my requests if that would be of assistance. I look forward to your further reply.”
The ICO treated this a new request for information.
On 26 January 2023 the ICO responded to the 9 January 2023 request (p E294). The ICO provided the requested job description and person specifications and explained that it had already responded to the latter part of the request in its response of 16 January 2023 to the 5 January 2023 request.
On 10 February 2023 in response to the letter before action sent on 17 January 2023 the ICO informed the appellant that they had decided to undertake a further review of the ICO’s decision relating to the appellant’s data protection complaint about Trowers.
The ICO responded to the request of 18 January on 15 February 2023 (although the letter is dated 25 February 2023) (p C268) refusing the request on the basis that it was vexatious. The letter states:
“I note that we have responded to three recent information requests from you, two made in January and one in November 2022, in which you make repeated and overlapping requests for copies of policy documents, job descriptions etc relating to the way that the ICO handles certain complaint matters, which appear to relate directly to our handling of past complaints that you have made to us.
We have done our best, in responding to your previous requests, to provide you with the information that you require to assist you in understanding how we have dealt with your concerns and how the ICO handles complaints in general as part of our role as a regulator. However, the pattern of your correspondence indicates that your aim is to keep us engaged in perpetual dialogue with you with no intention of reaching a reasonable and satisfactory conclusion.
This is evidenced by your latest request in which you have trawled through a piece of guidance that we have provided to you, compiled a list of further documentation referred to in it and made a further request for that documentation. It seems highly unlikely after reviewing this list that you have any genuine interest in this information and no doubt should we provide it, you would find reason to make further requests based on that information.
Your contention that ICO staff are not properly trained because of the age of a piece of guidance provided to you is unfounded and not credible, ICO staff learn how to do their jobs in many ways including through training modules and on the job support from managers etc. That the guidance provided is not the sole source of training and guidance for ICO staff is a matter that we should not need to explain.
Your enquiries on this point indicate that this series of requests is aimed more at finding an avenue to make unfounded statements about the competency of ICO staff and express dissatisfaction with the way that we have dealt with your past complaints, than to obtain information that you genuinely require.
With regards to the last part of your request, the ICO does not hold such detailed and extensive guidance that it would specifically cover every possible scenario that may arise in a complaint case, such as the one that you have outlined. It would be unworkable for us to do so and instead we handle complaints on a case-by-case basis with reference to the legislation and general principles set out in our guidance etc.
Continuing to make such specific requests appears to be a means for you to continue to create work for our staff when we have already provided you with enough information for you to understand how we handle complaints.
We are therefore of the view that complying with this request would cause disruption and irritation which is entirely disproportionate to its value, and we are refusing it in line with s.14(1) FOIA.”
The appellant requested an internal review of this response on 21 February 2023 and the ICO upheld its position on 28 February 2023.
On 1 March 2023 the ICO wrote further to the appellant in response to his complaint about Trowers and the letter of claim dated 17 January 2023. The letter explained that the ICO had decided to undertake a further review, and stated that it was the reviewing officer’s view that ‘we could have dealt with your complaint differently and that further work is required’. The letter asked the appellant to send in a full, unredacted copy of any relevant supporting documents and stated that the ICO would contact Trowers to see if they wished to provide any relevant information.
On 1 March 2023 the appellant requested an internal review of the request made on 4 January 2023, asserting that the email of 18 January 2023 should not have been treated as a new information request.
On 21 March 2023 the ICO provided the outcome to this internal review, stating that the email of 18 January 2023 was requesting information outside the scope of the request of 5 January 2023 and so it was right to treat it as a new request.
On 24 March 2023 the appellant submitted a service complaint to the ICO complaining about the treatment of the 18 January 2023 email as a new request and asking the ICO to reconsider its decision on vexatiousness.
On 13 April 2023 the ICO replied, in essence stating that this had been dealt with in the Decision Notice under appeal and that the route of challenge was an appeal to the tribunal. The ICO stated:
“I will therefore close this case. If you’re content for me to do so you don’t have to take any action and, if we don’t hear from you by 27 April 2023, it will be closed.
Please note, section 50(2)I of FOIA states that the “Commissioner shall make a decision unless it appears to him that the application for a decision is frivolous or vexatious.”
What this means is, we can refuse to deal with complaints that are frivolous or vexatious. A frivolous complaint might be one where the Commissioner has already dealt with the matter and advised the complainant to appeal any previous decision, such as this which is why I’m advising you to withdraw this complaint.”
On 20 April 2023 the appellant informed the ICO that he was unwilling to withdraw the service complaint.
On 24 April 2023 the ICO informed the appellant that it had decided not to deal with the service complaint of 24 March 2023 under section 50(2)I (frivolous and vexatious complaints).
On 31 May 2023 the appellant issued a pre-action protocol letter of claim in a further Judicial Review action against the ICO. This judicial review relates to the decision by the ICO to invoke section 50(2)I FOIA to refuse to investigate the service complaint of 24 March 2023. The ICO responded on 13 June 2023.
Discussion and conclusions
Although the four broad issues or themes identified by the Upper Tribunal in Dransfield are not exhaustive and are not intended to create a formulaic check-list, they are a helpful tool to structure our discussion. In doing so, we have taken a holistic approach and we bear in mind that we are considering whether or not the request was vexatious in the sense of being a manifestly unjustified, inappropriate or improper use of FOIA.
Burden
Although the appeal relates only to this request, when assessing the burden on the ICO we must consider the context and history of the particular request, in terms of the previous course of dealings between the individual requester and the ICO in assessing whether the request is properly to be described as vexatious. Although this does take account of the previous actions of the individual requestor, this is in accordance with the approach of higher authorities, and therefore the approach that this tribunal should take.
That is why the examples provided by the appellant of other public authorities’ responses to similar requests are not of assistance.
In looking at the context and history, we take account of matters that had occurred by the time the ICO responded to the request, not matters that have occurred since. A significant amount of the matters set out in our chronology above occurred after the response and therefore are not part of the relevant context and history.
Aside from the three previous information requests (one under DPA and two under FOIA), the ICO and the Commissioner do not detail or rely on the previous course of dealings between the ICO and the appellant. In our view, at least some of the previous course of dealings is relevant to the overall burden on the ICO.
At the point at which the ICO responded to the request, the following had taken place which the tribunal considers to be ‘business as usual’ for the ICO:
The ICO had dealt with a complaint by the appellant about the way in which ARC Legal Services had acted in response to a subject access request. This occurred in 2018/2020 and the outcome was favourable to the appellant.
The ICO had dealt with a complaint made by the appellant on 7 February 2022 about the way in which Trowers had acted in response to a subject access request. The outcome was provided on 17 August 2022. The outcome was not favourable to the appellant.
We do not consider that the initial handling of these complaints is relevant to the overall burden on the ICO.
Thereafter we accept that there is some related burden on the ICO arising out of the appellant’s dissatisfaction with the outcome provided on 17 August 2022. Between the outcome provided on 17 August 2022 and the ICO’s response to the current request, the appellant had done the following, all arising out of that outcome:
Written to the ICO on 20 (or 30) September 2022 disagreeing with the outcome, to which the ICO replied.
Written to the ICO in response on 28 November 2022 and included a request for information which the ICO responded to as a subject access request (SAR) on 22 December 2022 and a request for a case review which the ICO provided on 14 December 2022.
On 5 January 2023 asked the ICO to reconsider its decision on the case review.
On 5 January 2023 made a follow up FOI request to the response to the SAR.
On 9 January 2023 made a further request for information.
On 13 January 2023 filed an application with the First-tier Tribunal under section 166 of the Data Protection Act 2018.
On 17 January 2023 submitted a judicial review Letter of Claim.
On 18 January 2023 made the request in issue.
In our view, it is legitimate to take all the above into account when assessing the burden on the ICO of the current request. All those matters relate to the appellant’s dissatisfaction with how the ICO dealt with his complaint about Trowers.
We deal first with the series of four requests for information, culminating in the current request, made between 28 November 2022 and 18 January 2023.
The subject access request of 28 November 2022 was for evidence to support the assertion that ‘(t)he reason we felt the information ought to be provided in RFA0809181 was because privilege had already been waived to part of the material involved’. It was replied to on 22 December 2022.
The FOI request of 5 January 2023 asked for the ICO’s internal case handling guidelines for DSAR’s, ICO service complaints and case reviews. The appellant stated ‘In order to minimise the work involved, I would be happy to receive the index/content to same at this stage and to advise which specific sections I require if that is more convenient.’
On 16 January 2023 the ICO replied to the request of 5 January 2023. Despite stating that the information was technically exempt under section 21, it provided links to specific sections of publicly available guidance on the ‘policies and procedures’ section of the ICO website.
The FOI request made on 9 January was an addition to that request, adding job descriptions and person specifications for ICO roles. The appellant also clarified that he wanted the ‘full content’ of the internal guidance that he had requested. The job descriptions and person specifications were provided in the response on 26 January 2023.
There is no evidence that responding to any of these three previous requests was particularly burdensome.
Having reviewed the information on the website, the appellant wrote the letter which is the subject of this appeal on 18 January 2023. We accept that the request of 18 January was properly treated as a separate request for information. It requests additional specific documents that were not requested in the earlier requests.
In the request of 18 January the appellant raises a number of queries about the information to which links had been provided.
First, the appellant notes that the version of the ICO Operations Service Guide online was last updated in 2016 and asks for the revised version. Whether or not there is a revised version, responding to this part of the request would not be burdensome.
Second, the appellant asks for copies of the following named policies/guidance referred to in those online documents:
The keeping it clear guide
The Opportunity assessment framework
Policy delivery knowledge base
Policy delivery legal group
Retention and disposal – preservation criteria – casework
Security manual
Security manual – use of email
The ‘need some policy advice?’ pages on ICON
The ‘policy delivery legal group’ pages on ICON
Your personal information concerns (request for assessment) process
Although there are 10 documents, most of them are hyperlinked from the ICO Operations Service Guide and the appellant identifies the specific page on which they are referred to. We presume that the ICO’s internal policies would be reasonably straightforward to locate. The ICO does not suggest in its response to the request that locating them would be difficult or would take a long time.
Third the appellant asks for any relevant documents that address this scenario:
“Can you confirm the ICO’s policy on whether it will ask a data controller who seeks to rely on the disclosures of another data controller (NB: not processor) to meet its own DSAR obligations or fails to disclose personal data on the grounds that it reasonably believes it is already known to a data subject, to disclose the data it holds (i.e. whether these are acceptable reasons to fail to comply with a DSAR) and what criteria would influence such a decision?”
Although the ICO treated the request as vexatious, in effect the ICO responded to this part of the request as follows:
“With regards to the last part of your request, the ICO does not hold such detailed and extensive guidance that it would specifically cover every possible scenario that may arise in a complaint case, such as the one that you have outlined. It would be unworkable for us to do so and instead we handle complaints on a case-by-case basis with reference to the legislation and general principles set out in our guidance I.”
We accept that the appellant has included assertions and questions in the letter of 18 January 2023 which are not requests for information, and this makes a request more difficult to deal with.
Overall, the evidence before us does not suggest that responding to the request of 18 January would be particularly burdensome, nor, on the evidence before us, would responding to the three previous FOI/SAR requests. It is possible that there may be more burden than is apparent to us, but we must make our decisions on the basis of the evidence before us.
We accept that the four requests all relate to the way in which the ICO handles certain complaint matters, and to that extent they are overlapping. Looked at in context, we would not class them as ‘repeated and overlapping requests’. Having regard to the terms of the requests and the responses, we accept that, taken together, the four requests for information referred to in the Decision Notice culminating with the current request place some burden on the ICO. However taking into account the number, breadth, pattern, and duration of those requests, we find that this was not a very heavy burden.
The appellant is not consistently submitting multiple FOIA requests or associated correspondence within days of each other or relentlessly bombarding the ICO with email traffic.
We accept that, at the time, there was some additional burden on the ICO from dealing with the letter from the appellant in September 2022 and with the case review and the challenge to that review. There was also some potential future burden from the related section 166 application to the First-tier Tribunal and the pre-action judicial review letter. At the relevant time this had yet to place any significant burden on the ICO.
We conclude that there was some burden on the ICO in dealing with this request, looked at in the light of the context and prior course of dealings. This would cause some disruption to the ICO.
Further, we accept that dealing with the request was causing the ICO some not unjustified irritation, taken in the light of the whole course of dealings.
Overall we find that the request, taken in context, would have caused some disruption and irritation, but that this was reasonably limited at the relevant time.
Motive
Having considered all the evidence in the bundle, we find that the appellant’s motive was to obtain information that he hoped would support his claims that the ICO had not handled his complaint about Trowers properly and his assertion that the outcome of that complaint was wrong given the outcome to his complaint about ARC Legal services.
We accept that he was hoping that the information would shed some light on how the perceived inconsistency might have arisen between the outcome of his complaint in 2020 and the outcome of his complaint in 2022. It is not for us to determine whether there was an inconsistency, but it was certainly not unreasonable for a lay person to perceive an inconsistency and to take at least some steps to try to understand how that came about.
It is not an inappropriate use of FOIA to ask for further information arising out of information disclosed in response to an initial request. The ICO’s internal case handling guidelines are contained in a large number of documents and policies. This would not be apparent to a member of the public unless they read the ICO Operations Service Guide. Having been provided with a link to that guide it is not an inappropriate use of FOIA to request those other documents.
We do not infer from the pattern of correspondence that the appellant’s aim, in early 2023, was to keep the ICO engaged in perpetual dialogue with no intention of reaching a reasonable and satisfactory conclusion.
We do not accept that the appellant had any vengeful motive in making the request in issue.
Harassment and distress
We accept that sometimes the appellant questions the competence of ICO staff and the adequacy of their training. We accept that sometimes the appellant expresses himself in ways that might be classed as impolite, for example in his email of 18 November 2022 he states ‘you have, with all due respect, adopted a nonsensical position and your final paragraph is unintelligible’. The tribunal notes that the ICO has claimed ‘irritation’ rather than asserting that there is any harassment or distress. We do not accept that, at the relevant time, the appellant had said or done anything that could reasonably be classed as harassment or could reasonably have caused distress.
Purpose or value
We accept that the purpose and value of the request is primarily personal to the appellant. We accept that he had a legitimate purpose, but it is of limited value to anyone other than the appellant. The appellant is interested in supporting his claims that the ICO handled his complaint about Trowers badly and that the outcome of that complaint was wrong. He is interested in illuminating the internal processes which enabled the ICO, in his view, to reach inconsistent decisions.
To the extent that the documents are required for legal proceedings, they can be obtained through those proceedings, although we accept that this is a legitimate purpose.
We accept that the publicly available documents already provide a lot of information about the ICO’s processes. This reduces the value of the request.
However, the ICO Operations Service Guide makes clear that employees are also guided by other documents and policies, many of which appear to be hyperlinked (presumably when accessed internally). Appendix 2 of the document is a list of ‘related polices, procedures and resources’ and states that all staff should ‘take time to familiarise themselves’ with those additional documents. (Footnote: 1)
We find that the other policies and procedures used by staff and requested by the appellant would be likely to assist the appellant to some extent in gaining a detailed understanding of how the ICO handles complaints. We have not seen those policies but we accept that they may not assist the appellant in relation to his specific concerns.
We do accept that there is value to the public in understanding the way in which the ICO handles complaints, and there is a general value in transparency in this area. Given that the ICO Operations Service Guide is already publicly available, the requested information is of fairly limited value to the public. However, as the published guidance refers extensively to unpublished documents/policies etc., we accept that publishing those documents would add, albeit to a fairly limited extent, to general transparency and to public understanding of the ICO’s operations.
Conclusions on whether the request is vexatious
Vexatiousness is a high hurdle consistent with the constitutional nature of the right. This is not a case where there is no reasonable foundation for thinking that the information sought would be of value to the requester or to the public or any section of the public. We note that annoying or irritating requests are not necessarily vexatious given that one of the main purposes of FOIA is to provide citizens with a qualified right of access to official documentation and thereby a means of holding public authorities to account.
We have accepted that the request, looked at in context, would have caused some disruption and irritation, but this was reasonably limited at the relevant time. The test under section 14 is not simply a balancing exercise of burden/irritation weighed against purpose and value. The tribunal takes a holistic approach and the request must reach the high hurdle of vexatiousness. Looked at as a whole, our conclusion is that this burden on the ICO was not, at the relevant time, disproportionate to the purpose or value of the requests.
We have taken a holistic and broad approach and have looked at the requests in the light of the past course of dealings between the appellant and the ICO. We have considered the burden on the ICO and the value and purpose of this request. We have looked at the appellant’s motive and any distress that is likely to be caused by the request. Looking at all these factors we find that the request was not vexatious in the sense of being a manifestly unjustified, inappropriate, or improper use of FOIA.
We conclude accordingly that the exemption in section 14 does not apply and the appeal is allowed.
Observations
In this appeal we are considering whether a request made in early 2023 was vexatious. It is clear from our findings of fact on the chronology of events that since the relevant date the appellant has continued to pursue his concerns via multiple avenues. This is placing an increasingly heavy and disproportionate burden on the ICO’s limited resources. Further we note that the terms in which the appellant describes the conduct of the ICO have become less temperate in recent correspondence and in this litigation.
If we were looking at the position today, we would have concluded that, when considered in the context of the full course of conduct, the appellant has, gradually, strayed some distance from his original purpose and that he has entered the territory of ‘vexatiousness by drift’. In our view, this course of dealing is now exhibiting the clear lack of proportionality that typically characterises vexatious requests.
We do not think that this had happened by the time of the current request, and each new request has to be determined on its merits, but we highlight to the appellant that in our view his behaviour since the request exhibits a number of the hallmarks of vexatiousness and we may well have reached a different conclusion if the request had been made today.
Signed Sophie Buckley Date: 8 November 2023
Judge of the First-tier Tribunal