Paul,

Thanks for the email. I was not making that assumption. On the contrary, I was trying to show that the SAR process could be "abused" in that someone could make an argument to refuse to consent to disclosure because of behaviour that would have made an FOIA request from the same applicant vexatious.



As we deal with human nature, an organisation (perhaps more so if we look at Philip Zimbardo's work the Lucifer effect) can abuse its position within a bureaucratic relationship and most certainly people who are aware of that power can use it for their own private purposes to great effect. As they say in Washington DC, there are bureaucratic assassins who never leave fingerprints even though they were involved with an issue.



That being said, the point still stands, if we look at it the other way, an applicant can *potentially* use the SAR process in a vexatious manner. However, that has not been proved through a decision notice nor has it been to the courts. Until it does, I would suggest we have to see it as hypothetical. I would not suggest that Durant was such a case although it does have some similarities.



Thanks again for the email. All the best for 2014.





Lawrence



-----Original Message-----

From: Paul C [mailto:[log in to unmask]]

Sent: 06 January 2014 16:29

To: Lawrence Serewicz; [log in to unmask]

Subject: RE: [data-protection] Can a SAR be a vexatious request without every saying that?



Hi Lawrence,



You seem to be assuming that the 'nasty piece of work' will not have been unlawfully targeted or treated unfairly by the "team" of public servants he "bears a grudge" against.



This approach, which falls into line with the ICO approach, (and just about each and every other ill-equipped set of bureaucrats entrusted with regulating public bodies and serving us the public), would be highly erroneous,



Best wishes,



Paul



-----Original Message-----

From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Lawrence Serewicz

Sent: 06 January 2014 16:15

To: [log in to unmask]

Subject: [data-protection] Can a SAR be a vexatious request without every saying that?



Dear All,

Perhaps a Friday question, but one that has been nagging me for sometime. If FOI requests can be considered vexatious can a SAR be vexatious?



On the surface, this seems unlikely. The DPA guidance has stressed that cost is rarely an issue although the reasonableness of the search, which the organisation will have to evidence, is a possible factor to refuse (at least to refine a request). The issues around Ezias as well as more recently Elliott v Lloyds TSB http://www.panopticonblog.com/2012/04/25/subject-access-requests-%E2%80%93-mixed-motives-and-proportionate-searches/ look at the reasonableness of the request and the searches that need to be performed.



The test of reasonableness allows one to deflect requests, or at least focus them, so that the burden on the public purse (a criterion of the UTT definition of vexatious).



However, on deeper reflection, one can see SAR requests that could be considered potentially vexatious. For example, an applicant in dispute with a council may put in a SAR to see how the Council handled it. Even if their related FOIA was refused as vexatious, would the subsequent SAR from the same applicant for related information be vexatious?



Let's take it a step further. If the applicant was a "nasty piece of work" and was a "problem customer" or a "serial complainer" would their previous behaviour and their "intent", which are other possible indicators of vexatious would be a factor. For example, an applicant could have a grudge against a team or an officer and put in a SAR specifically targeting the team or the officer.  Also, the applicant, given their previous interactions, may be making the SAR to annoy the organisation or show a persistence, such as after each interaction putting in a SAR, which suggests a pattern.



Now, let's assume that a SAR cannot be considered vexatious, we still have the flip side to consider. Let's say an officer or officers who have been targeted by the applicant, who has made vexatious FOIA requests. They could claim, quite rightly given that it is a criteria under FOI vexatious, that they do not want to disclose their personal data because the applicant will target them.



The ICO guidance assumes, I think rather naively, that the relationship between applicant and organisation will occur in a benign environment. Page 33 of the guidance, when someone refuses to consent to disclosure of their personal data, suggests, I would argue a benign relationship.



• Information generally known by the individual making the request. If the third-party information has previously been provided to the individual making the request, is already known by them, or is generally available to the public, it will be more likely to be reasonable for you to disclose that information. It follows that third-party information relating to a member of staff (acting in the course of their duties), who is well known to the individual making the request through their previous dealings, would be more likely to be disclosed than information relating to an otherwise anonymous private individual. http://www.ico.org.uk/~/media/documents/library/Data_Protection/Detailed_specialist_guides/subject-access-code-of-practice.PDF



Curiously, though, they seem to accept that the intent of disclosure under FOIA could be malevolent or with a possible negative context.  See their  there is also a basis for arguing that an officer is being or could be targeted by an applicant because they may be targeted. In their guidance on disclosing information about public sector employees they do mention the potential to be targeted. See for example paragraph 14 and paragraph 62.  http://www.ico.org.uk/~/media/documents/library/Environmental_info_reg/Practical_application/section_40_requests_for_personal_data_about_employees.ashx



Under FOIA, because the responses are published to the public, the possible effect of publishing personal data must be considered.



The issue, perhaps, boils down to whether condition 6 of Schedule 2 of the DPA is met. In that the officer who refuses can make the argument that the disclosure is an unwarranted  prejudice to their interests.They may also suggest that their privacy will be affected, even though they are in the public sector, because the applicant will use that information to target them.  If we explore what is warranted or unwarranted, we may find that the structure and intent of the FOIA vexatious request guidance does indicate factors that would bolster the officer's case as it would help them argue that their interests would be prejudiced.



The organisation would need to balance the interests of the the applicant (who is likely to be considered vexatious or at least a person who holds a grudge) against their employee. Given that balance, is it likely an organisation is going to go against the explicit wishes of their employee who can show that the applicant's intent in other areas, such as FOIA and their behaviour in other ways, was vexatious or at a minimum problematic?



In that regard, could a SAR be considered vexatious without ever stating it?



I would be interested in the list's view on this issue. Where and how would you decide the balance between applicant and employee?



Thanks



Lawrence



^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

     All archives of messages are stored permanently and are

      available to the world wide web community at large at

      http://www.jiscmail.ac.uk/lists/data-protection.html

     If you wish to leave this list please send the command

       leave data-protection to [log in to unmask] All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm

 Any queries about sending or receiving messages please send to the list owner

              [log in to unmask]

  Full help Desk - please email [log in to unmask] describing your needs

        To receive these emails in HTML format send the command:

         SET data-protection HTML to [log in to unmask]

   (all commands go to [log in to unmask] not the list please)

    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^





________________________________





Help protect our environment by only printing this email if absolutely necessary. The information it contains and any files transmitted with it are confidential and are only intended for the person or organisation to whom it is addressed. It may be unlawful for you to use, share or copy the information, if you are not authorised to do so. If you receive this email by mistake, please inform the person who sent it at the above address and then delete the email from your system. Durham County Council takes reasonable precautions to ensure that its emails are virus free. However, we do not accept responsibility for any losses incurred as a result of viruses we might transmit and recommend that you should use your own virus checking procedures.



^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

     All archives of messages are stored permanently and are

      available to the world wide web community at large at

      http://www.jiscmail.ac.uk/lists/data-protection.html

     If you wish to leave this list please send the command

       leave data-protection to [log in to unmask]

All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm

 Any queries about sending or receiving messages please send to the list owner

              [log in to unmask]

  Full help Desk - please email [log in to unmask] describing your needs

        To receive these emails in HTML format send the command:

         SET data-protection HTML to [log in to unmask]

   (all commands go to [log in to unmask] not the list please)

    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^