Tag Archives: Information Commissioenr v CF and NMC

Crossroads: where data protection and freedom of information intersect

The laws relating to freedom of information and those relating to privacy and data protection often come into conflict with one another.  One issue which arises often for those who are responsible for answering freedom of information requests is whether or not to disclose personal data of third parties which is caught up within the information that has been requested.  This is an area that has been the subject of much litigation both under the Scottish and UK FOI laws; indeed, cases have gone from Scotland all the way to the UK Supreme Court (this might be because there are fewer levels of appeal to go through in Scotland and until very recently Scottish litigants did not need the permission of the Court of Session or the Supreme Court to take an appeal there).

One area which is perhaps the most contentious of all is where the personal data in question relations to civil servants.  The generally accepted position has been that in most cases the personal data of junior civil servants will be redacted while personal data relating to senior civil servants is more likley to be disclosed.  This position, however, is one that has never really had any scrutiny from the superior courts; that is until now.  On 6th April the Upper Tribunal (Administrative Appeals Chamber) made its decision in Cox v Information Commissioner and Home Office [2018] UKUT 119 (AAC).  Judge Wikeley records that to the best of his knowledge Cox was “the first occasion on which the Upper Tribunal has had to consider in any depth the issue of the principles governing the disclosure of the names of individual civil servants in response to a request under FOIA.” [32]

In this appeal the Appellant, Mr Cox, is concerned with the development of Government policy and its application in relation to migration from the Horn of Africa.  The Appellant made a request for information to the Home Office pursuant to his right of access to information within the Freedom of Information Act 2000.  His request for information sought details concerning meetings between civil servants from the Home Office and government officials from countries within the region.  In particular, the Appellant sought the dates of the meetings, names of all those who were present at the meetings and also the notes of such meetings.

There were two issues in the appeal, but this blog post only focuses on the first of those issues; that being the disclosure of the names of civil servants.  The Home Office had refused to disclose the names of three civil servants who had formed part of the UK’s delegation to Eritrea in December 2014 (they were referred to as J, L and N during the course of the proceedings before the First-Tier Tribunal).  The Information Commissioner had agreed with the Home Office and found that the Home Office had complied with the requirements of the Freedom of Information Act 2000 in withholding the names under section 40(2) of the Act.

The UK and Scottish provisions in respect of personal data are the same (although, in the Scottish Act the exemption can be found within section 38 of the Freedom of Information (Scotland) Act 2002).  Personal data of third parties is exempt under FOI law where to release the personal data would amount to a breach of the data protection principles.  When third party personal data is involved in an FOI request the sixth condition in Schedule 2 to the Data Protection Act 1998 comes into play.  This condition requires there to be a balancing exercise undertaken between the rights of the data subject and the rights of the person who is seeking disclosure of the personal data.

In South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55 (a case which involved the disclosure of pay scales within the Council in connection with matters concerning equal pay), Lady Hale observed that the sixth condition in Schedule 2 required that three discrete questions are asked and answered:

  1. Is the data controller or the third party or parties who whom the data are disclosed pursuing a legitimate interest of interests?
  2. Is the processing involved necessary for the purpose of those interests?
  3. Is the processing unwarranted in the circumstances by reason of prejudice to the rights and freedoms or legitimate interests of the data subject?

The first hurdle for a requester to get across in seeking to have third party personal data, including the names of civil servants, disclosed under FOI laws is that they are pursuing a legitimate interest. It is clear from the authorities that there is no inherent interest in the release of civil servants’ names: “[t]here is no reason why the general transparency values underpinning FOIA should automatically create a legitimate interest in disclosure under the DPA.” [42] (see also Department of Health v Information Commissioner and Lewis [2017] EWCA Civ 374)  What needs to be assessed is “the legitimate interests of the individual requester, and not the more abstract legitimate interests of the public at large”. [43]  If the decision-maker, whether that be the public authority, commissioner or courts/tribunals, is not satisfied that there is no legitimate interest being pursued by the requester, then they do not need to go any further as the sixth condition would not apply (see the comments of Judge Jacobs giving the decision of the Upper Tribunal in Information Commissioner v (1) CF and (2) Nursing and Midwifery Council [2015] UKUT 449 (AAC) at paragraph 19 in particular).

When the personal data exemptions are in play they represent an exception to the general proposition that the FOI process is applicant blind (i.e. that the applicant doesn’t play a part in determining whether information ought to be released or not); other exceptions include, for example, the vexatious provisions and the aggregation provisions within the appropriate limit regulations.  Judge Jacobs, at paragraph 30, in IC v CF & NMC (above) said that it “is impossible to apply paragraph 6(1) without having regard to the identity of the applicant, the interest pursued by the request and the extent to which information is already potentially available to the public.”

Each case will, of course, turn on its own facts.  Many of the factors which go into determining whether third party personal data ought to be released is specific to the facts and context. However, I suggest that we can draw some clear principles from the case law to date:

  1. When determining the legitimate interests part of the test; there is no public benefit legitimate interest – reference must be had to who is making the request and why they are making the request;
  2. The balancing exercise required to be undertaken when applying condition 6 of Schedule 2 is not the same balancing exercise that is completed when undertaking the public interest balancing exercise;
  3. FOI rights do not take precedence over privacy and data protection rights;
  4. When it comes to the personal data of civil servants; there is no hard rule that the personal data (including names) of senior civil servants will always be disclosed and likewise there is no hard rule that the personal data (including names) of junior civil servants will always be redacted; it is a decision that is both fact-specific and context-specific

The decision in Cox is of course one that is not binding on the Scottish Information Commissioner, but it is binding upon the First-Tier Tribunal and the UK Information Commissioner.  It essentially approves of the way in which public authorities and both commissioners have been handling these issues to date and so we’re unlikely to see anything change as to how the tension between FOI laws and the data protection laws is resolved.

The Data Protection Bill will (when it is finally passed and eneacted) amend both the Freedom of Information Act 2000 and the Freedom of Information (Scotland) Act 2002 to reflect the General Data Protection Regulation; the provisions look a bit unwieldy, but in reality they are unlikely to change very little in terms of day-to-day practice.

Alistair Sloan

If you require advice and assistance on any aspect of freedom of information or data protection and privacy law then you can contact Alistair Sloan on 0141 229 0880; alternatively you can contact him directly be E-mail.  We have a Twitter account dedicated to information law issues , which you are welcome to follow.