SARfare in Sheriff Court: How it all began...
Some context surrounding the initiation of court action against the Highland Council in INV-SM2-24.
The best place to start is by reading the “About” page and then come back here to read the rest.
How to Navigate this site:
Dispatches - Short Form Updates
Library - Data Protection & GDPR Resources
FOI Archive - “The Audit”.
Topics - Browse by topic.
A simple SAR request?
Not quite. I have quite a history with this Council, none of it good on their part which I will get to later. But, in January 2023, I received a letter from a planning officer at the Highland Council with an allegation that I was supposedly running an “unauthorised business”. This was news to me. I do not, nor ever have run an “unauthorised business” of any kind. Seemed just another spurious allegation I have been subject to by the Highland Council over the years, including once being accused of being a “religious cult” in 2007. 🤔 Even after numerous emails, this planning officer refused to state the nature of any “unauthorised business”. We came to find out later during INV-SM2-24 that the Council's solicitor himself had to admit that the Council did not know the nature of any such “unauthorised business” at the time and still did not. So, as I suspected from my previous experiences with this Council, the planning officer was on a fishing expedition. 🎣
Unfortunately for the Highland Council, the Town & Country Planning (Scotland) Act 1997 does not allow “fishing expeditions”. s.156 - s.158 of that Act clearly states that a planning officer must state their purpose and provide written authorisation if asked for entry into premises. Nor does it grant any magical powers only possessed by Highland Council to spy on its residents. As I already suspected it was merely a fishing expedition as he refused to even state the nature of this alleged “unauthorised business”, I told this planning officer all attempts of entry would be rightly refused and that unless he could state grounds for entry he wasn't getting in.
In March of 2023, I sent a SAR to the Council to try and understand what data they held that would prompt the letter of January 2023. The Council first invoked an Article 12(3) GDPR extension giving themselves 3 months to respond instead of the usual 1 month. Then they just ignored the SAR. I complained, they ignored that too. I lodged a complaint with the ICO. The ICO even had a hard time dragging anything out of them - eventually they handed over 13 whole pages, 9 of those pages my own emails.
Even during this complaint to the ICO, the Council's planning officer then tried use my SAR as a reason to exercise entry rights under the planning act. Don't make me laugh. I think you might have an idea what I had to say about that to this planning officer. 💀
The ICO then did what they seemingly do best, tick a box on a spreadsheet recording an infringement of Article 15(3) GDPR & closed the case telling me to seek a court order. As it turned out, that was an excellent idea.💡
Pursuing a court order.
I spent the next few months turning over every bit of relevant case law I could find about GDPR rights enforcement and data protection litigation. From this, I could see that these s.167 Data Protection Act 2018 compliance order claims were surprisingly rare in Scotland. In fact, I still don't know of a single other successful claim of this type in Scotland besides my own. As you can see, that didn't put me off one wee bit. Although not exactly common, these claims are quite a bit more prevalent in England though, both under the 1998 Act and the 2018 Act. I knew that given this was UK primary legislation, absent any Scottish case authority, English case law would be highly persuasive, as would European. In fact, CJEU case law prior to the Withdrawal Act is binding on Scottish courts.
One of the biggest areas I researched after that was how this was being done in English civil procedure and how that could be adapted to Scottish civil procedure. Which procedure in Scotland was appropriate? s.180 of the Data Protection Act 2018 makes clear a claim of this type may be raised in the Court of Session or the Sheriff Court. Sheriff Court was obviously the clear route ahead.
The more English case law I read, the more I realised that given the low value of a compliance order only claim, simple procedure seemed the most appropriate. These types of data protection claims in England raised in the higher courts are now regularly being transferred down to the small claims track in the County Courts there, therefore, it seemed to me, provided simple procedure had the appropriate tools and remedies and the value was under £5000, simple procedure was the clear route. Not only is simple procedure more amenable to party litigants, expenses are also capped in simple procedure, barring unreasonable conduct by a party (as the Highland Council found out), thereby protecting an individual wishing to raise an action to enforce their data rights from significant expenses if by chance the claim was rejected by the court.
Data Protection Litigation is Different Beast.
Data protection litigation involves procedural nuances and legal features that can differ quite a bit from a standard civil case. Given the lack of Scottish case authority, much of this nuance needed to be fleshed out by using comparative case law and submissions. Some of those features fleshed out included:
Forum - whether a claim of this nature was competent in simple procedure.
The Role of the Court - as adjudicator of the decisions of the data controller and not as the primary decision-maker.
Burden of Proof Shift - in most civil litigation, the claimant/pursuer bears the burden to prove their whole case. Not so in data protection litigation. The burden of proof shifts swiftly as it is for the data controller to demonstrate compliance with the Regulation (GDPR). That includes providing documentary evidence of searches & justifying every exemption raised.
Private Inspections of Data - addressed the statutory lacuna of the terms of s.15(2) of the 1998 Act not being carried over to the 2018 Act. X v. Transcription Agency. Interestingly enough, only months later, the Data Use and Access Act 2025 amended the 2018 Act on this point at s.180A.
Key Facts of the Claim INV-SM2-24.
The case lasted 20 months and in those 20 months we had 16 hearings. 1 in person at Inverness Sheriff Court on 10 January 2025 and all the rest were held online via WebEx.
Orders were granted compelling the Council to submit official decisions of the data controller on my requests for the court to adjudicate upon.
A private inspection of a redacted document was conducted by the Sheriff.
A 6 hour proof diet (evidential hearing) was conducted which included examination and cross-examination of myself and the Council's sole witness, their Data Protection Officer.
After the proof diet, written submissions were exchanged between parties and lodged with the court for determination on the legal points as they pertained to the facts at proof.
A compliance order under s.167 of the Data Protection Act 2018 was granted on 7 May 2025. That order included the disclosure of the document unredacted that was subject to the private inspection. It also included court orders enforcing my rights under Article 15(1) & (3) GDPR to disclose all data up to the current date included ordering documentary evidence of searches undertaken by the Council and a list of all data withheld wholly or partly under a raised exemption. Orders were granted under Article 16 GDPR, that the Council was to rectify inaccurate public records with supplementary statements. A restriction order under Article 18 GDPR was granted restricting the Council's processing of all my data in relation to planning to storage or defence of legal claims only. 🔐 The restriction order was later extended on an unopposed motion for a further 6 months.
The voluntary and ordered disclosures of personal data by the Council during the course of the claim ran into hundreds of pages. It included a historic paper case file that was not accessioned into any records management system and unlawfully retained many years past its retention period and contained a large number of questionable records and items.
My motion to uncap expenses for the whole of action under s.81(5)(a)(iii) and s.81(5)(b) of the Courts Reform (Scotland) Act 2014 was granted on 8 July 2025.
During the course of the claim, the ICO recorded three infringements of the GDPR against the Highland Council over complaints lodged with them concerning my SAR and also a large data breach at the website of WhatDoTheyKnow.com under Article 15(3), Article 5(1)(f) and Article 31 (failure to cooperate with the ICO).
During the course of the claim, systemic non-compliance with Chapter IV GDPR by the Highland Council was uncovered. These include clear infringements of Articles 24, 25, 28, 29, 30, 32, 33 and 38 GDPR all now having been reported to the ICO.
Shocking details to come…..
Given what was uncovered in INV-SM2-24, I considered this a worthwhile exercise.
This case started out as quite a contentious matter and continues to reveal even worse and continuing wrongdoing. Almost all of my suspicions were vindicated by the disclosures of my personal data that the Highland Council went to extraordinary lengths to obstruct my access to. True to Highland Council form of recent years, they continue to double down on their own mistakes & wrongdoing.
I will be releasing further details not only about my case but, about why their systemic non-compliance with data protection law including individual data rights is a real and present danger to everyone’s privacy in the Highlands.
I also continue to run what I call, “The Audit” - the audit covers data protection matters as well as other wider important issues at the Highland Council such as planning & planning enforcement, human rights & privacy, governance & legal matters and serious issues uncovered in the heart of the administration of the Council.