Decision 079/2023: Whether requests were vexatious
Authority: Fife Council
Case Ref: 202200382
The Authority was asked for information regarding a data protection breach involving its claims handler Gallagher Bassett, as well as for information about Privacy Shield. The Authority informed the Applicant that it considered the requests to be vexatious, and so it was not obliged to respond.
The Commissioner investigated and found that the Authority was not entitled to refuse to comply with the requests on the basis that they were vexatious.
Relevant statutory provisions
Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 14(1) (Vexatious or repeated requests); 47(1) and (2) (Application for decision by Commissioner)
The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.
1. The Applicant made six requests for information to the Authority in December 2021 and January 2022. Details of the three requests that will be dealt with in this decision notice (those identified in the Applicant’s application to the Commissioner) are outlined below.
2. This request was made on 27 December 2021. The Applicant asked the Authority to confirm;
(i) If Gallagher Bassett confirmed to “Privacy Shield” standards and what due diligence took place to ensure this?
(ii) What is [the Authority’s] position now that “Privacy Shield” can no longer be relied on?
(iii) How can [the Authority] prove their due diligence that they are satisfied with the organisational and technical measures are in place with Gallagher Bassett re Data Protection?
(iv) Can [the Authority] provide a copy of the documented position and risks in relation to Data Protection with Gallagher Bassett?
(v) In relation to poor take up of [the Authority’s] employees training: From Minutes: “(2) provided comment on the performance detailed in this report acknowledged concern in relation to the low number of employees in some [Authority] Services who had not completed the data protection training;”
(a) Can you provide what commentary was added?
In reference to the Information Requests Annual Report 2020-21:
(vi) “2.1 Personal Data Breaches must be reported to the Information Commissioner’s Office within 72 hours where it is likely to result in a risk to people’s rights and freedoms. Where a data protection concern has been reported but does not comprise a breach, this is recorded as a Data Protection Incident. We record both Incidents and Breaches however, it has been concluded that reporting on breaches is more useful to the organisation.”
(a) In relation to the Gallagher Bassett Ransomware Data Breach (June 2020- notified June 2021), what action is [the Authority] taking to the 2,880 identified claimees that had their data protection breached?
(b) Has the ICO been notified of this incident?
3. This was made on 14 January 2022. The Applicant asked the Authority;
(i) What actions should be taken to contact the 2,880 potentially impacted persons?
(ii) How do we get (redacted) details on [the Authority] notification IC-116529-Y7D4?
4. This was made on 24 January 2022. The Applicant asked the Authority for;
(i) Copies of the completed CSPST (Cyber Security Procurement Support Tool) document, completed for Gallagher Bassett?
(ii) If not the whole document, the completed answers given to specified questions as part of the Gallagher Bassett CSPST?
(iii) Can [the Authority] confirm what audits (internal and external) have taken place over the last 3 years for
(a) Information Security
(b) Cyber Security
(c) Third Party or Vendor Management ICT
(iv) What is the structure of [the Authority’s] Third Party/Vendor Management review team?
5. The Authority responded to all six requests on 3 February 2022. It notified the Applicant that it was refusing to comply with these requests as it considered them to be vexatious, in line with section 14(1) of FOISA. The Authority argued that the requests were designed to cause disruption or annoyance to the Authority, without having a serious purpose.
6. On 3 February 2022, the Applicant wrote to the Authority requesting a review of its decision. The Applicant stated that he was dissatisfied with the decision because there was merit in his requests (highlighting the seriousness of data security, in particular) and the public interest favoured disclosure. He also accused the Authority of stonewalling.
7. The Authority notified the Applicant of the outcome of its review on 3 March 2022, upholding its original decision and providing more arguments supporting its view that section 14(1) applied to all of the requests.
8. On 31 March 2022, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. The Applicant stated he was dissatisfied with the outcome of the Authority’s review because he did not consider any of his requests to be vexatious, complex or unwieldy. He explained why he considered them to be justified. The Applicant also confirmed that he only wanted the Commissioner to investigate the Authority’s handling of requests 1, 2 and 3.
9. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.
10. On 22 April 2022, the Authority was notified in writing that the Applicant had made a valid application. The case was later allocated to an investigating officer.
11. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Authority was invited to comment on this application and to answer specific questions. These related to its reasons for relying on the provisions contained in section 14(1) of FOISA.
Commissioner’s analysis and findings
12. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority.
Section 14(1) of FOISA - Vexatious or repeated requests
13. Under section 14(1) of FOISA, a Scottish public authority is not obliged to comply with a request for information if the request is vexatious.
14. FOISA does not define the word "vexatious". The Commissioner's general approach, as set out in his guidance on section 14(1), is that the following factors are relevant when considering whether a request is vexatious. These are that the request:
(i) would impose a significant burden on the public body
(ii) does not have a serious purpose or value
(iii) is designed to cause disruption or annoyance to the public authority
(iv) has the effect of harassing the public authority
(v) would otherwise, in the opinion of a reasonable person, be considered to be manifestly unreasonable or disproportionate.
15. This is not an exhaustive list. Depending on the circumstances, other factors may be relevant, provided the impact on the authority can be supported by evidence. The Commissioner recognises that each case must be considered on its merits, taking all circumstances into account. The term "vexatious" must be applied to the request and not the requester, but an applicant's identity, and the history of their dealings with a public authority, may be relevant in considering the nature and effect of the request and surrounding circumstances.
16. The Authority submitted that the Applicant was unhappy with the outcome of Gallagher Bassett’s investigation into a claim he made to the Authority. It argued that this outcome had led the Applicant to display obsessive behaviour to discredit the Authority and Gallagher Bassett, and it suggested that this was the reason behind his FOI requests on this subject.
17. The Authority argued that the Applicant was attempting to carry out an audit into how Gallagher Bassett complied with their contracts and conducted their business, along with the Authority’s management of a data breach that was investigated within the Data Protection team. It noted that this breach was reported to the Information Commissioner’s Office (ICO) and an outcome was provided by them. In addition, the Authority argued that the Applicant’s investigation had since moved to interrogate the Authority’s ability in carrying out its legal duties relating to data protection. The Authority believed this was due to his dissatisfaction with its response to his concerns in sharing his data with Gallagher Bassett.
18. The Authority submitted that it had previously attempted to provide the Applicant with information and explanations under advice and assistance within its correspondence to him. However, it had found evidence of a pattern of obsessive behaviour aimed to cause disruption and harm to the Authority and its claim handlers. Additional evidence of this behaviour had been provided when the Applicant provided inaccurate and harmful information to two newspapers. In this article he also advised other members of the public wishing to make a claim to refuse their information to be shared with the Authority’s claim handlers, which would leave the Authority vulnerable and unable to carry out this function.
19. The Authority explained that it was continuing to respond to all other FOI requests made by the Applicant that did not relate to the specific subject of the security breach, Gallagher Bassett and data protection functions.
20. The Authority noted that, since his FOI request in January 2021, 14 further information requests and eight requests for review had been completed, with information provided to the Applicant. These requests related to various subjects and were not related to the information asked for in requests 1, 2 or 3.
21. The Authority submitted that its staff had continually advised the Applicant of his rights and directed him to contact the relevant regulatory body to carry out a detailed investigation on his behalf. However, due to the level of information that could legally be released into the public domain, the Authority continued to have concerns in relation to the damage the Applicant’s behaviour and the dissatisfaction of his claim outcome would have, on the Authority and the wider public.
22. Given this, the Authority decided to treat requests made for information relating to this matter as vexatious. The Authority determined that the requests were designed to cause disruption or annoyance, had the effect of harassing the Authority and represented a significant burden on its resources.
Designed to cause disruption or annoyance
23. The Authority argued that there was evidence that the disruption being caused to its services in relation to this matter was due to the Applicant’s claim and review of the decision being refused. It submitted that the Applicant had continued to make requests on a continual basis after receipt of a response to a complaint or information request. The Authority referred the Commissioner to a spreadsheet showing the level of requests made on this specific matter over a relatively short time period.
24. Furthermore, despite knowing that the ICO had already reviewed the data incident involving Gallagher Bassett, the Authority argued that evidence suggested the Applicant’s intention was to carry out a personal investigation into the compliance of Gallagher Bassett and compliance with data protection legislation within the Authority.
25. The Authority referred to correspondence from the Applicant, in which he notes that if his original claim is agreed he will not take court action. The Authority argued that this demonstrated that requests were being made on this subject in order to cause disruption to the Authority and had no real purpose or value.
Having the effect of harassing the Authority
26. The Authority referred to the Applicant making “continual requests” and it claimed the Applicant’s behaviour was relentless and, whether it was his intention or not, it was having a direct impact on the employees and services trying to carry out their duties on behalf of the Authority for the public. The Authority contended that the perspective of a reasonable person would consider this behaviour to be vexatious.
27. The Authority also referred to comments that were made relating to the abilities of staff and the processes being carried out by the Authority, which was also viewed to be a direct harassment of individual employees of the Authority.
28. The Authority argued that further evidence of this harassment and the Applicant’s intentions was demonstrated by the Applicant contacting two newspapers, where he provided them with inaccurate information and directed future claimants on how not to progress their claims.
29. The Authority acknowledged that, in the main, a requester was not considered as vexatious, as the provision in section 14(1) relates to a request not the requester. However, in relation to this specific matter, the Authority argued there was a clear pattern of obsessive behaviour, along with evidence of the grievance and personal campaign being set up by the Applicant to damage the reputation of the Authority and its claim handlers.
30. The Authority noted that, during the period from March 2020 to 27 December 2021, the Applicant had made 45 requests to the Authority for information. It explained that these related to various concerns with a local park, antisocial behaviour and a local football team as well as the related requests for Gallagher Bassett contract information, data protection and security details.
31. Before the receipt of request 1, the Authority submitted that it had issued responses to 10 requests that had been received between 26 October 2021 and 16 December 2021. These 10 requests directly related to Gallagher Bassett, information security and data protection. It submitted that these requests were being received alongside other requests and further communication to the Risk Management and Data Protections Teams. Due to the core work priorities and the size of the teams involved, it considered the impact the requests had on their resource and duties to be substantial. This impact also had a further effect on the whole Authority, as these teams were responsible for providing Authority-wide support and guidance within their areas of expertise.
32. The Authority noted that request 1 was received on 27 December 2021, at which point all Services involved had raised individual concerns about the impact these requests and communications were having on the authority. The Authority noted that, prior to making a decision on request 1, four subsequent requests (including requests 2 and 3) were also received from the Applicant.
33. The Authority stressed that its decision relating to the Applicant’s claim was final and it had been confirmed that it was not found to be negligent, and the data breach reported to the ICO did not require it to take any further action. This, along with the above findings on the particular factors relevant when determining if a request is vexatious, confirmed the Authority’s view that continuing to respond to further requests would be unlikely to satisfy the Applicant and his campaign.
34. The Authority argued that the Applicant’s requests were being made to cause the Authority disruption and aimed to harass the Authority and its employees to reconsider their decision relating to his claim. It contended that, if it continued to respond to his requests, it would be likely to have a negative impact, which would cause further requests to be made along with a concern of further incorrect information being released into the public domain due to the misinterpretation of the information being provided to him.
35. The Applicant argued that disclosure of the information he had requested was in the public interest, and that he was not involved in a personal campaign against the Authority.
36. The Applicant provided the Commissioner with background information about the data breach involving Gallagher Bassett, and he referred to the judgment in the Schrems II case issued by the European Court of Justice on 16 July 2020, which found that the Privacy Shield framework no longer provided adequate safeguards for the transfer of personal data to the United States from the European Economic Area (EEA).
37. The Applicant explained that he was alarmed at how his data (which he submitted as part of a claim) was transferred to Gallagher Bassett, without his permission, as part of what the Authority called “legal obligation”. He argued that this “legal obligation” removed the right of the data subject to remove, request alteration and removal of data, where necessary. He noted that the data was transferred from the Authority, to be hosted on servers in the USA. The Applicant contended that, since the removal of “Privacy Shield”, there could be no safety net for subject’s data transferred to the USA in this way.
38. He submitted that both the Authority and Gallagher Bassett stood by their “Privacy Notices”, and at no stage were the public informed of what was happening to their data, or their true rights over “legal obligation”.
39. The Applicant submitted that the Authority was refusing to provide the information requested in this case, as its disclosure would end up causing embarrassment and reputational damage to the Authority. He argued that embarrassment should not be used as a reason to refuse a small number of reasonable requests.
40. He noted the importance of applying an objective standard, the starting point being that a vexatious request should have no reasonable foundation: there should be no reasonable foundation for believing the information sought should be of value to anyone. He considered he had demonstrated the importance of his requests, noting the seriousness of data security in particular.
41. The Applicant noted the Authority’s arguments that his requests had placed a significant burden on its resources, and he referred to statistics, published on the Authority’s website, indicating that in 2020 the Authority received an annual total of 1,724 requests, with a monthly high in November of 206. In 2021, the Authority received an annual total of 1,801 requests, with a monthly high in November of 195, while in 2022, the number of requests received by the Authority each month never exceeded 171. He argued that, given the monthly highs of 2020 and 2021, the number of requests the Authority received in 2022 appeared to be well within its operational capabilities.
42. In the Applicant’s view, using the terms “vexatious”, “unreasonable” or “harassment” did not tally up with the figures provided above.
The Commissioner's view on section 14(1)
43. The Commissioner has carefully considered the submissions made by the Authority, intended to demonstrate that dealing with the Applicant's request would be unduly burdensome, that it was having a detrimental impact on its staff, and that he was using FOISA as part of an obsessive campaign to cause detriment to the Authority and its claim handler.
44. In this case, the Commissioner is limited to considering whether the Authority has provided sufficient evidence and submissions to support its claim that the application of section 14(1) was appropriate in the circumstances.
45. Even if a requester does not intend to cause inconvenience or create a significant burden, if a request has the effect of harassing a public authority and/or its staff, it may be deemed vexatious when considered from the perspective of a reasonable person.
46. The Authority has argued that the previous requests made by the Applicant on the same subject matter were numerous and took up a significant amount of staff time and resources. The Authority has noted that, prior to request 1, the Applicant made 10 information requests between 26 October 2021 and 16 December 2021, related to Gallagher Bassett or the data breach, all of which were complied with. The Authority has also submitted that, between March 2020 and 27 December 2021, the Applicant made 45 information requests to it, on a range of different subjects.
47. The Commissioner notes that, while the Authority has referred to the 45 information requests the Applicant made in a 22-month period, it has also indicated that it does not consider the Applicant’s general run of information requests to be vexatious, only the Gallagher Bassett / data breach ones. The Commissioner notes the relatively short time-frame for the 10 Gallagher Bassett / data breach requests received prior to request 1, but he does not consider 10 requests in seven weeks to be particularly excessive. The Authority has submitted that these requests were handled by its Risk Management and Data Protection teams, and that the impact on their resource and duties was substantial.
48. However, the Authority has not provided the Commissioner with details of this “substantial” impact. It has not indicated how many working hours were required to respond to the requests, and what duties were neglected as a result of complying with the Applicant’s FOI requests. In relation to requests 1, 2 and 3, the Authority has estimated that compliance with all three of the Applicant’s requests, would take no more than six hours. Furthermore, it noted that compliance with request 2 would only take 10 minutes. If the previous ten requests were of a similar nature, and required similar resource, the Commissioner cannot see how compliance could be deemed a significant burden.
49. The Authority has also argued that the requests were designed to cause disruption or annoyance. It has referred to the Applicant’s decision to provide information to two newspapers (information it considers to be inaccurate) as part of what it sees as his campaign to punish the Authority for its decision to refuse his claim and for sharing his personal data with Gallagher Bassett. It notes that the Applicant has also advised other members of the public, wishing to make a claim against the Authority, to refuse permission for their personal data to be shared with its claim handlers: if this occurred, the Authority argued it would leave it vulnerable and unable to carry out this function.
50. The Commissioner would note that an individual’s decision to approach a newspaper with a story, which is subsequently published, does not necessarily indicate a pattern of vexatious behaviour or a desire to inconvenience the Authority. If the Authority considers the substance or facts within the article to be incorrect, there are mechanisms for such inaccuracies to be addressed, not least by the Authority contacting the newspaper and asking for a correction to be made. The Authority may consider the Applicant’s concerns about its data protection practices to be unfounded, but that does not mean they are unreasonable or designed solely to disrupt the Authority’s abilities to carry out its functions. The Commissioner notes that the ICO has investigated the issue, but again, he does not accept that the involvement of a regulator means that an individual’s concerns are necessarily laid to rest or that they should lose interest in the matter.
51. The Authority has alleged that the Applicant intends to carry out a personal investigation into the compliance of its claim handler, and its own compliance with data protection legislation. It contends that, since the ICO has already investigated this issue, the Applicant’s actions are suggestive of obsessive behaviour designed to cause it harm. The Commissioner disagrees with this view. The Commissioner notes that the Applicant has a stated interest in technology risk management, including security and resilience. It seems reasonable to the Commissioner that, given his personal interests, the Applicant wants further information about the Authority’s arrangements with its claims handler and its procedures for ensuring that personal data is properly protected.
52. The Commissioner acknowledges that the ICO is the regulatory body for ensuring compliance with data protection legislation, but that does not mean that individuals cannot seek to understand more about an Authority’s practices and procedures relating to data protection, particularly when, in this case, there was an alleged breach of that legislation. There may be further remedies an applicant wishes to consider – and, in this case, it has not been suggested that all potential remedies have been exhausted.
53. The Authority also submitted that the Applicant notified it that he would not take court action against the Authority if it settled his claim, which (it argued) suggested he would stop making information requests on this subject. The Authority argued that this demonstrates the requests he was making were designed to cause disruption and had no real purpose or value.
54. The Commissioner considers it likely that the Applicant only started making information requests about Gallagher Bassett and data protection procedures as a direct result of his claim being denied. However, following on from that refusal, the Applicant then discovered that the company handling claims for the Authority was involved in a data breach, and he became concerned about the safety of personal data shared with that company.
55. The Commissioner does not consider that any motivation behind the Applicant’s original information requests means that all of the following requests on that subject were designed to cause irritation and disruption to the Authority. It is clear that the Authority’s responses to some of the earlier requests made by the Applicant, following his claim, revealed a data breach by Gallagher Bassett. The Applicant was clearly concerned by this discovery and has continued to request further information on this subject.
56. The Commissioner acknowledges that the Applicant may reduce the number of FOI requests he makes in future, if the Authority were to settle his original claim, but he also notes that the Applicant is a regular user of FOI legislation and has sought information from other authorities, regarding his personal interests in technological risk management. The Applicant will always be entitled to seek recorded information from Scottish public authorities. The Commissioner notes that the issue of concern in these requests is about how the Authority is sharing the personal data of claimants with a company processing personal data in another country, outwith the EEA. The Commissioner considers this subject to be of wider public concern than just the Applicant (it is an issue acknowledged by data protection legislation, for which adequate safeguards are required, processing in the USA being of particular concern) and he is not satisfied the requests had no purpose or served only to annoy the Authority.
57. The Authority has also argued that the requests made by the Applicant have had the effect of causing harassment. It has argued that his behaviour is “relentless” and that the perspective of a reasonable person would consider this behaviour to be vexatious. The Authority has also indicated that the Applicant has made comments regarding the abilities of its staff, which it considers to be direct harassment of individual Authority employees. The Authority again referenced the two newspaper articles that were initiated by the Applicant, and where he provided the newspapers with what it considered to be inaccurate information.
58. The Authority has not provided the Commissioner with any evidence of the “comments” it refers to, so the Commissioner has been unable to consider them. He notes that the Authority has not argued that the comments were in any way abusive, simply that the comments “related to the abilities of staff and the processes of the Council”. The Commissioner considers that there are many ways in which Authorities have influence over the lives of individuals, and sometimes individuals are unhappy with the processes and policies that affect them. It does not seem necessarily unreasonable for such an individual to question the validity of those processes.
59. In relation to employees, the Authority has a duty to ensure that staff work in a safe environment and that they are not subjected to unjustified levels of stress or abuse. The Authority has a duty of care to its staff and it must consider their wellbeing. However, the Authority also has responsibilities under FOISA, and it cannot deny the Applicant his right to access recorded information without just cause. The Commissioner notes that the Authority has an “Unacceptable Actions” policy which sets out the actions it can take if an individual’s behaviour is deemed to be unacceptable. The Commissioner therefore considers the Authority has other tools at its disposal to deal with persistent or abusive behaviour, other than simply refusing to comply with an information request under section 14(1) of FOISA (although such a course of action may be appropriate, depending on the circumstances and provided these can be evidenced).
60. In its submissions to the Commissioner, the Authority commented that it had identified (and provided the Commissioner with) what it considered to be the most relevant information. However, it stated that if the Commissioner required further evidence, it wanted to be consulted before the Commissioner issued his decision. The Commissioner notes that FOISA does not require him to go back to an Authority and give it a second or a third opportunity to provide evidence to support its position.
61. Section 49(3) of FOISA requires the Commissioner to give an Authority notice in writing of receipt of an application, and invite its comments. Authorities must ensure that their response to the Commissioner’s request for comments is comprehensive and that it contains all of the necessary evidence that underpins their arguments. While the Commissioner may question an Authority further to obtain enough information for him to reach a decision, he does so at his own discretion, not at the request of the Authority. Authorities who fail to provide the Commissioner with sufficient information at the first time of asking (particularly where it should be obvious to the Authority what is required, as here), cannot expect to be given a second or third chance to make their case.
62. In all the circumstances, the Commissioner is not satisfied that the Authority was entitled to refuse to comply with the Applicant’s requests for information, on the ground that they were vexatious. He notes that compliance with all three requests would take less than six hours, the requests made by the Applicant have merit beyond that acknowledged by the Authority, and the Authority has not demonstrated the time or resource it has spent complying with previous requests, or evidenced the “comments” that it considers to be a form of harassment.
63. The Commissioner therefore finds that the Authority was not entitled to refuse to comply with the requests on the basis that section 14(1) of FOISA applied. He requires the Authority to carry out a review in respect of the Applicant's requests, and to respond to him otherwise than in terms of section 14(1) of FOISA.
The Commissioner finds that the Authority failed to comply with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant. He finds that the Authority was not entitled to refuse to comply with the Applicant's requests on the basis they were vexatious. In doing so, it failed to comply with section 1(1) of FOISA.
The Commissioner therefore requires the Authority to carry out a review, in terms of section 21(4)(b) of FOISA, by 11 September 2023.
Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.
If the Authority fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that the Authority has failed to comply. The Court has the right to inquire into the matter and may deal with the Authority as if it had committed a contempt of court.
Head of Enforcement
26 July 2023
Appendix 1: Relevant statutory provisions
Freedom of Information (Scotland) Act 2002
1 General entitlement
(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.
(2) The person who makes such a request is in this Part and in Parts 2 and 7 referred to as the “applicant.”
(6) This section is subject to sections 2, 9, 12 and 14.
14 Vexatious or repeated requests
(1) Section 1(1) does not oblige a Scottish public authority to comply with a request for information if the request is vexatious.
47 Application for decision by Commissioner
(1) A person who is dissatisfied with -
(a) a notice under section 21(5) or (9); or
(b) the failure of a Scottish public authority to which a requirement for review was made to give such a notice.
may make application to the Commissioner for a decision whether, in any respect specified in that application, the request for information to which the requirement relates has been dealt with in accordance with Part 1 of this Act.
(2) An application under subsection (1) must -
(a) be in writing or in another form which, by reason of its having some permanency, is capable of being used for subsequent reference (as, for example, a recording made on audio or video tape);
(b) state the name of the applicant and an address for correspondence; and
(c) specify –
(i) the request for information to which the requirement for review relates;
(ii) the matter which was specified under sub-paragraph (ii) of section 20(3)(c); and
(iii) the matter which gives rise to the dissatisfaction mentioned in subsection (1).