s.167 Data Protection Act 2018 - Compliance Order
Granted on 7 May 2025 at Inverness Sheriff Court against the Highland Council.
s.167 Data Protection Act 2018 Order
This claim was strictly to obtain a compliance order - to enforce data rights under the UK GDPR. Where a data subject considers that their rights under GDPR have been infringed, they have a right to an effective judicial remedy.
Right to an effective judicial remedy against a controller or processor.
(1) Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with [F1 the Commissioner] pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
s.167 of the Data Protection Act 2018 sets out the UK's domestic remedy for enforcement of GDPR rights in a court.
In Scotland, that remedy is available is either the Sheriff Court or Court of Session in an action ad factum praestandum & as can be seen, it can be done using Simple Procedure for basic data rights enforcement.
The finer details of the elements of the order granted by the court.
I will dig in to a bit more detail & layout below exactly what was ordered & why and some comments on my rather recalcitrant opponent & what this entailed for them.
The s.167 compliance order was granted at Inverness Sheriff Court on 7 May 2025.
Elements of this order.
Release of a document unredacted. A private inspection of a redacted document occurred in this claim. This is a feature of data protection litigation wherein if the defender raises an exemption to withhold some data either wholly or partially (redacted), the claimant can use the “recovery of documents” procedure to request that the court examine those documents to determine whether they should be released.
Article 15 - Subject Access Request. Provide all of the information in Article 15(1) and a copy of all personal data under Article 15(3).
Provide documentary evidence of reasonable searches and a schedule of any exemptions raised. The burden of proof to demonstrate reasonable & adequate searches were conducted is on the data controller. An exemption must be raised for any withheld data and may be challenged by the data subject. The data controller must be able to discharge their burden to demonstrate the exemption has been properly applied. The Council returned an extensive list of withheld correspondence - some 160+ entries. These have not been challenged in the current action due to ongoing parallel proceedings and processes however, I absolutely plan to challenge a substantial amount of that correspondence in the very near future where the Council have raised “legal professional privilege” exemptions over the data that has been withheld.
Rectify records. The Highland Council misused inaccurate personal data of mine they found on their own website. Inaccurate data falls to be either rectified or erased by the data controller without undue delay under Article 5(1)(d). These were public records of planning committee agendas, reports & minutes therefore, rectification by way of supplementary statement was appropriate rather than erasure.
Restriction order. Given the amount of unlawfully obtained & retained data and weaponisation of my data by the Highland Council, the lawfulness of their processing was challenged on numerous occasions throughout this claim. The data controller must discharge the burden to demonstrate the processing was lawful which is a high bar to meet indeed. Under the terms of Article 18 and 21 GDPR, personal data falls to be restricted to storage only &/or for very strict & specific processing operations where that burden is not discharged. Restrictions are most often temporary measures to preserve the position until either the burden is discharged by the controller or the data subject exercises further rights like erasure over the contested data undergoing processing. This meant that to comply with the order, they were required to lock away all the data, remove it from the planning portal and IDOX database with strict access control, including purge data from email inboxes of staff and sequester it with the rest of the stored data. Restricted means.. restricted. No access, no use, no enchilada. Did they fully comply? Not really.. it's complicated but, I've now had to raise a 2nd claim against the Assessor of the Highland & Western Isles Valuation Joint Board as 1st respondent and the Highland Council as a 2nd respondent to that claim, INV-SM11-25.
More about that restriction order…
Ultimately, the only thing happening next with that restricted data, is the GDPR nuke button, Article 17(1)(d), however a few more processes need to play out before that can be executed.
A restriction order like this might seem extreme considering the order directly intervenes in their statutory planning functions, but it won’t sound extreme when you hear the rest of the story though…
That restriction order was initially granted for 6 months to preserve the current position however, I then raised a motion to extend that restriction order for a further 6 months which went unopposed by the Council & was duly granted by the Sheriff on 24 October 2025.
Further thoughts..
Did I just say weaponisation of data? Yes, I did. There will be a whole section on this Substack dedicated to the “badly behaved bureaucrats” at the Highland Council and data racketeering & laundering. They have certainly earned it. 🏆
