Data protection disputes are a growing area of litigation across the United Kingdom, yet Scottish court decisions remain relatively scarce compared to England and Wales. A recent judgment from Lanark Sheriff Court sheds important light not just on the outcome of a subject access dispute, but also on the distinct procedural and legal framework in Scotland, highlighting differences that can catch out practitioners accustomed to English data protection claims.
As the UK’s Data (Use and Access) Act comes into force, giving an incredibly broad right for public bodies to request personal data, we could see many more litigation cases against public authorities for the potential misuse of data. The following case from Scotland highlights the important differences that data controllers and processors either side of the River Tweed.
What happened in this case?
The pursuer, Mr Prentice, sued the Chief Constable of the Police Service of Scotland alleging repeated failures to respond properly to subject access requests. He sought:
- A declarator that the Chief Constable had breached statutory obligations under section 45 of the Data Protection Act 2018
- A compliance order under section 167 DPA 2018
- Damages of £5,000 for distress and financial loss.
The defender argued the entire action should be dismissed as bound to fail. After a legal debate (akin to a strike-out hearing in England), the court allowed only the compliance order aspect to proceed.
Declarators and remedies: Scots Law vs English Law
The key difference revealed by this case concerns the concept of a declarator — a uniquely Scottish remedy.
Under Scots law, a declarator is used to declare the existence or non-existence of a legal right where there is genuine doubt or dispute about that right. The court will not grant a declarator if the right is uncontested or is a mere restatement of legislation.
By contrast, in English law, a declaration can be used more flexibly to confirm a legal position, even where there is no live challenge, as long as there is a legitimate legal interest
In this case, the Sheriff found it was incompetent in Scots law to seek a declarator confirming the existence of subject access rights under section 45 DPA 2018 — because those rights were not genuinely disputed. That approach differs from English courts, which might have granted a declaration to confirm a controller’s obligations where there was persistent non-compliance.
This reflects the sharper focus in Scots law on practical effect and live controversy for declarators, compared to a broader English willingness to issue clarifying declarations.
Pleadings and specification
Another sharp divergence lies in the procedural culture of pleadings:
Scots civil procedure requires extremely detailed and specific averments. The party must plead how, when, where and why damage occurred, giving fair notice of the opponent’s case.
In England and Wales, while the Civil Procedure Rules (notably CPR Part 16) require particulars, the threshold for pleading distress or financial loss under the DPA is generally less strict. The court will often allow imprecise claims of distress to be expanded at later stages.
Here, Mr Prentice’s damages claim was struck out due to a lack of specification. He pled distress, frustration, and “detriment”, but failed to set out precisely when, where, and how these manifested, nor the amounts attributable to each loss. English judges would likely have taken a more pragmatic approach, permitting the claim to survive to trial provided there was at least a pleaded factual basis.
Compliance orders
The third area where Scottish and English courts part ways is compliance orders.
- Under section 167 of the Data Protection Act 2018, both Scottish and English courts may issue compliance orders to force a controller to comply with data rights. However, in Scotland, a “proof” (a full evidential hearing) is required unless the defender can show at debate that the claim is hopeless.
- In England, the court may resolve compliance order claims more swiftly using summary judgment under CPR Part 24, often on a short hearing and without proceeding to full trial, if there is no real prospect of success.
In this case, the Sheriff refused to dismiss the compliance order claim, holding it merited proof. In English proceedings, that question might have been decided more swiftly on paper.
Representation and fairness
Another procedural distinction is that Scottish courts more overtly stress fairness towards party litigants (self-represented individuals). The Sheriff in this case, referencing Barton v Wright Hassall LLP and Royal Bank of Scotland v Aslam, specifically considered how to treat an unrepresented pursuer. While English judges also have a duty to ensure fair treatment of litigants in person, Scottish courts arguably place a stronger procedural emphasis on balancing this against the opposing party’s right to fair notice.
Suing public bodies in Scotland vs England under the Data Use and Access Act
Another critical difference between Scotland and England lies in how data subjects can pursue claims against public bodies. In Scotland, actions against public authorities — including police forces, local authorities, or the NHS — must navigate a legal landscape rooted in both Scots common law and administrative law, which is more procedurally rigid than in England.
In Scotland, public bodies often benefit from specific statutory immunities or heightened defences under Scots administrative law principles. Judicial review is usually the route to challenge how a public body exercises its discretionary powers, with strict time limits (usually three months) and a requirement for standing. Raising damages actions, especially for data protection breaches, must still comply with the highly technical Scottish pleading standards described earlier.
In England, while judicial review also controls challenges to public bodies, there is a more developed culture of hybrid claims combining data protection issues and public law arguments. The English courts have historically shown greater willingness to allow damages claims for misuse of private information or under Article 8 ECHR to proceed in tandem with data protection claims, creating more flexible routes for claimants.
As public bodies increasingly rely on data-sharing to fulfil their functions, the new Data Use and Access Act adds another layer of risk. The Act gives public bodies essentially unrestricted rights to request personal data from private companies in order to carry out their statutory duties.
This will inevitably place public bodies under far more scrutiny, because:
- Individuals could claim that public bodies have overstepped or misused their expanded data-access powers, triggering fresh litigation.
- Private companies forced to share personal data might challenge the legality of public bodies’ requests, or face follow-on claims from affected data subjects.
In Scotland, the combination of complex administrative law routes (e.g. judicial review) and the demanding requirements for clear pleadings in damages actions means data subjects may struggle to test these new powers in court unless they have expert legal support. In England, where hybrid data protection and human rights claims are more routine, public bodies could face a heavier wave of litigation testing the boundaries of the Data Use and Access Act far earlier.
Practitioners on both sides of the border should therefore watch carefully for challenges to public-sector data-sharing requests under the Act, but bear in mind the far higher procedural hurdles — especially around competency and specification — that apply if the case is brought in Scotland.
Lessons for data protection litigation in Scotland
This Lanark Sheriff Court judgment is a reminder of how the same data protection rights can lead to differing litigation outcomes depending on whether a claim is raised in Scotland or England:
- Declarators in Scotland require a real and practical live issue of legal doubt, not merely a restatement of statute.
- Pleadings must be detailed and specific, or risk dismissal even at an early debate.
- Compliance orders will usually proceed to proof in Scotland unless the defender shows the case is obviously bound to fail.
- English courts, applying the Civil Procedure Rules, offer a somewhat more flexible and forgiving framework for claimants, with less emphasis on strict averment detail and more scope to amend claims as evidence emerges.
Practitioners handling data protection claims in Scotland cannot simply replicate English approaches. They must respect the Scottish focus on competency of remedies, high standards of pleading, and rigorous procedural hurdles — or risk having cases dismissed before they ever reach proof.
