Tag Archives: Section 38 (FOISA)

Personal data and FOI: the conflict continues

The interaction between freedom of information and data protection laws is one which often results in conflict. On the one hand there is a legislative scheme that operates to promote transparency, while on the other there is a legislative scheme that operates to protect personal data. FOI law essentially provides that information should be released unless there is a good reason not to; while data protection law says that personal data should not be processed unless there is a good reason to. Both have their complexities and those brief explanations do not adequately encapsulate them.

The decision of the Upper Tribunal in Information Commissioner v Halpin [2019] UKUT 29 (AAC) is an example of where the First-Tier Tribunal got it badly wrong when dealing with the legitimate interests ground for processing under the Data Protection Act 1998. The Respondent in this appeal, Mr. Halpin, had requested information from Devon Partnership NHS Trust concerning the training that two named social workers had undergone in respect of the Care Act 2014. When deciding whether to release personal data under FOI law there is essentially a three staged test which must be satisfied before the personal data can be disclosed; this test was set out clearly by the Supreme Court in South Lanarkshire Council v Scottish Information Commissioner.

Firstly, is a legitimate interest or interests being pursued by the controller, third party or parties to whim the personal data is to be disclosed? Secondly, if a legitimate interest has been identified, is the processing (by way of disclosure under FOI law) necessary for the purposes of those interests? Finally, if there is a legitimate interest and the processing is necessary for that legitimate interest, then the processing cannot be unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

The first ground of appeal for which permission was granted was in respect of the FTT’s treatment of the effect of disclosure of the information to the world at large; in particular that the FTT had not deal with this matter in substance. This is an issue that needs to be carefully considered: disclosure under FOI is not simply a disclosure to the individual requester; it is a disclosure to the whole world. This is an important factor in determining the necessity of the processing in pursuance of the legitimate interest concerned. It is also important in considering whether the processing (by releasing the information under FOI) is unwarranted.

Once the information is disclosed under FOI law it is disclosed in circumstances where the public authority loses control of the information concerned; there is no duty of confidentiality owed. Therefore, there is nothing that can be done in order to prevent further dissemination of the information.

Upper Tribunal Judge Markus QC states, at paragraph 20, that Mr Halpin’s lack of motivation to publicise the information is irrelevant to the question of assessing the potential impact of disclosure to the world at large. The motivation of the requester is only relevant to the first of the three stages of the test set out in South Lanarkshire Council v Scottish Information Commissioner (whether a legitimate interest exist); it is not relevant to the question of necessity or the final question of balancing the legitimate interests against the rights, freedoms and legitimate interests of the data subject.

Public authorities, and those advising them, should therefore ensure that, when considering the release of personal data in response to a FOI request, they do not become focused on the individual requester; it is essential to consider the wider world when undertaking this assessment. The motivations of the requester might well be wholly benign, but there are others whose motivation may not be so benign and will utilise the information for other purposes. Requesters should also bear this in mind; an individual requester might have a perfectly legitimate interest in the personal data and the necessity test might very well be met in their individual case; that is not enough. Due consideration has to be given to the wider impact of releasing information to the world; this is why consideration has to be given to whether the personal data can be obtained in another way as part of the necessity test (although, the existence of other means of obtaining personal data, other than by way of a FOI request, will not necessarily be determinative of the issue).

Alistair Sloan

We are able to provide advice and assistance to public authorities and requesters in connection with matters concerning Freedom of Information laws; if you would like advice and assistance in connection with these matters, or any other information law matter, please contact Alistair Sloan on 0141 299 0880 or by E-mail. You can also follow our dedicated Information Law Twitter account.

The Tension Continues: GDPR, FOI and EIRs

An exemption that is frequently deployed by Scottish public authorities is the exemption in section 38 of Freedom of Information (Scotland) Act 2002 (along with its corresponding exception in the Environmental Information (Scotland) Regulations 2004, regulation 11) which relates to personal data; both the personal data of the requester themselves as well as the personal data of third parties.  Data protection law is changing later this month and as a consequence section 38 (as well as Regulation 11 of the Environmental Information Regulations) will also see some amendment.

The Data Protection Bill proposes amendments to both the Freedom of Information (Scotland) Act 2002 (“FOISA”) as well as the Environmental Information (Scotland) Regulations 2004 (“the Scottish EIRs”).  The Bill is still making its way through the UK Parliamentary procedure and is due to have its third reading later today (9 May 2018) and, subject to completing its passage through Parliament in time, will come into force on 25 May 2018.  There are currently no amendments tabled in the Commons ahead of the Bill’s third reading that would affect the relevant provisions in the Bill, but it is important to bear in mind that until the Bill completes its journey through the various stages of the legislative process it can be amended – even if it passes the Commons today, it still has to go back to the House of Lords and could become locked in a game of ping-pong between to the Commons and the Lords during which time it could be further amended.  However, it seems unlikely that there will be any changes to the relevant provisions within the Bill.

Schedule 18 to the Bill proposes the amendments that should be made to a wide range of primary and secondary legislation, both reserved and devolved.  Paragraphs 88-90 of Schedule 18 (as it stands at the time of writing) contain the amendments that will be made to section 38 of FOISA; meanwhile paragraphs 292-294 of Schedule 18 contain the amendments that will be made to the Scottish EIRs.

The Office of the Scottish Information Commissioner has published, in draft form, updated guidance on the application of section 38 to take account of the GDPR and the expected amendments to the relevant parts of FOISA and the Scottish EIRs. As it is still in draft form, anybody relying upon it (requester or public authority) should continue to monitor it to ensure that it has not been updated.

The proposed amendments to FOISA and the Scottish EIRs look, on the face of it, quite significant.  However, the addition of a lot of text to section 38 and regulation 11 does not necessarily mean that there will be a drastic change in practice on the ground.  One thing that public authorities should be aware of is the proposed subsection (5A) to section 38 and the proposed paragraph (7) of regulation 11.  These proposals will have the effect of re-instating the ‘legitimate interests’ condition for lawful processing where public authorities are considering the release of third party personal data under the FOISA or the Scottish EIRS.

In short, what this will mean is that public authorities will be able to consider legitimate interests in the same way as they do now under condition 6 of schedule 2 when dealing with FOI requests under either regime.  Had it not been for these proposed provisions then the GDPR might well have had a significant impact upon the release of third party personal data under FOISA and the Scottish EIRs; it would have had the effect of removing the processing condition mostly relied upon when releasing third party personal data in response to FOI requests.  It should be noted that Schedule 18 to the Data Protection Bill proposes re-instating the legitimate interests condition in respect of the release of third party personal data under the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 (see, as at the time of writing, paragraphs 58 and 289 of Schedule 18 respectively).

There is very little difference between condition 6 of Schedule 2 to the Data Protection Act 1998 and the legitimate interests condition in Article 6 of the GDPR and in practical terms there is almost no difference at all.  The only real area where there may be some difference is where the third party personal data is that of a child where Article 6(1)(f) of the GDPR instructs data controllers to have particular regard to the interests and fundamental rights and freedoms of data subjects who are children.  In reality, the fact that a data subject is a child is likely to always have been a factor that has been taken into consideration when undertaking the balancing exercise required by Condition 6 of Schedule 2 and so even to this extent there is unlikely to be much in the way of change.

Of course, the provisions are untested and the Commissioner and courts could take a different view, but in my view we are likely to see the release of the same sorts of third party personal data under FOISA and the Scottish EIRs after the GDPR as we do now.  Furthermore, there is the question as to whether the re-introduction of legitimate interests for FOI purposes is lawful in terms of EU law.  Article 85 of the GDPR does require Member States to reconcile the right to protection of personal data under the GDPR with the right to freedom of expression and information.  Whether the UK Government’s method of reconciling the two, by effectively disapplying the prohibition on public authorities relying upon legitimate interests in respect of the performance of their tasks, is permitted by EU law is something we might need to wait to discover (then again, the UK might not be in the EU long enough for that matter to be determined – but that’s a whole different issue).

In conclusion both requesters and public authorities should familiarise themselves with the amended section 38 and regulation 11.  In practice not much, if anything, is likely to change when it comes to the releasing of third party personal data under FOI laws (both Scottish and UK regimes). However, public authorities and requesters should keep a close eye on the decisions of both the Scottish and UK Information Commissioners as well as the First-Tier Tribunal, Upper Tribunal, English and Welsh Court of Appeal, the Court of Session and the UK Supreme Court.

Alistair Sloan

If you require any assistance with any Freedom of Information or Data Protection/Privacy law matter you can contact Alistair Sloan on 0141 229 0880 or by E-mail.  We also have a twitter account dedicated to information law matters from across the UK.

Crossroads: where data protection and freedom of information intersect

The laws relating to freedom of information and those relating to privacy and data protection often come into conflict with one another.  One issue which arises often for those who are responsible for answering freedom of information requests is whether or not to disclose personal data of third parties which is caught up within the information that has been requested.  This is an area that has been the subject of much litigation both under the Scottish and UK FOI laws; indeed, cases have gone from Scotland all the way to the UK Supreme Court (this might be because there are fewer levels of appeal to go through in Scotland and until very recently Scottish litigants did not need the permission of the Court of Session or the Supreme Court to take an appeal there).

One area which is perhaps the most contentious of all is where the personal data in question relations to civil servants.  The generally accepted position has been that in most cases the personal data of junior civil servants will be redacted while personal data relating to senior civil servants is more likley to be disclosed.  This position, however, is one that has never really had any scrutiny from the superior courts; that is until now.  On 6th April the Upper Tribunal (Administrative Appeals Chamber) made its decision in Cox v Information Commissioner and Home Office [2018] UKUT 119 (AAC).  Judge Wikeley records that to the best of his knowledge Cox was “the first occasion on which the Upper Tribunal has had to consider in any depth the issue of the principles governing the disclosure of the names of individual civil servants in response to a request under FOIA.” [32]

In this appeal the Appellant, Mr Cox, is concerned with the development of Government policy and its application in relation to migration from the Horn of Africa.  The Appellant made a request for information to the Home Office pursuant to his right of access to information within the Freedom of Information Act 2000.  His request for information sought details concerning meetings between civil servants from the Home Office and government officials from countries within the region.  In particular, the Appellant sought the dates of the meetings, names of all those who were present at the meetings and also the notes of such meetings.

There were two issues in the appeal, but this blog post only focuses on the first of those issues; that being the disclosure of the names of civil servants.  The Home Office had refused to disclose the names of three civil servants who had formed part of the UK’s delegation to Eritrea in December 2014 (they were referred to as J, L and N during the course of the proceedings before the First-Tier Tribunal).  The Information Commissioner had agreed with the Home Office and found that the Home Office had complied with the requirements of the Freedom of Information Act 2000 in withholding the names under section 40(2) of the Act.

The UK and Scottish provisions in respect of personal data are the same (although, in the Scottish Act the exemption can be found within section 38 of the Freedom of Information (Scotland) Act 2002).  Personal data of third parties is exempt under FOI law where to release the personal data would amount to a breach of the data protection principles.  When third party personal data is involved in an FOI request the sixth condition in Schedule 2 to the Data Protection Act 1998 comes into play.  This condition requires there to be a balancing exercise undertaken between the rights of the data subject and the rights of the person who is seeking disclosure of the personal data.

In South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55 (a case which involved the disclosure of pay scales within the Council in connection with matters concerning equal pay), Lady Hale observed that the sixth condition in Schedule 2 required that three discrete questions are asked and answered:

  1. Is the data controller or the third party or parties who whom the data are disclosed pursuing a legitimate interest of interests?
  2. Is the processing involved necessary for the purpose of those interests?
  3. Is the processing unwarranted in the circumstances by reason of prejudice to the rights and freedoms or legitimate interests of the data subject?

The first hurdle for a requester to get across in seeking to have third party personal data, including the names of civil servants, disclosed under FOI laws is that they are pursuing a legitimate interest. It is clear from the authorities that there is no inherent interest in the release of civil servants’ names: “[t]here is no reason why the general transparency values underpinning FOIA should automatically create a legitimate interest in disclosure under the DPA.” [42] (see also Department of Health v Information Commissioner and Lewis [2017] EWCA Civ 374)  What needs to be assessed is “the legitimate interests of the individual requester, and not the more abstract legitimate interests of the public at large”. [43]  If the decision-maker, whether that be the public authority, commissioner or courts/tribunals, is not satisfied that there is no legitimate interest being pursued by the requester, then they do not need to go any further as the sixth condition would not apply (see the comments of Judge Jacobs giving the decision of the Upper Tribunal in Information Commissioner v (1) CF and (2) Nursing and Midwifery Council [2015] UKUT 449 (AAC) at paragraph 19 in particular).

When the personal data exemptions are in play they represent an exception to the general proposition that the FOI process is applicant blind (i.e. that the applicant doesn’t play a part in determining whether information ought to be released or not); other exceptions include, for example, the vexatious provisions and the aggregation provisions within the appropriate limit regulations.  Judge Jacobs, at paragraph 30, in IC v CF & NMC (above) said that it “is impossible to apply paragraph 6(1) without having regard to the identity of the applicant, the interest pursued by the request and the extent to which information is already potentially available to the public.”

Each case will, of course, turn on its own facts.  Many of the factors which go into determining whether third party personal data ought to be released is specific to the facts and context. However, I suggest that we can draw some clear principles from the case law to date:

  1. When determining the legitimate interests part of the test; there is no public benefit legitimate interest – reference must be had to who is making the request and why they are making the request;
  2. The balancing exercise required to be undertaken when applying condition 6 of Schedule 2 is not the same balancing exercise that is completed when undertaking the public interest balancing exercise;
  3. FOI rights do not take precedence over privacy and data protection rights;
  4. When it comes to the personal data of civil servants; there is no hard rule that the personal data (including names) of senior civil servants will always be disclosed and likewise there is no hard rule that the personal data (including names) of junior civil servants will always be redacted; it is a decision that is both fact-specific and context-specific

The decision in Cox is of course one that is not binding on the Scottish Information Commissioner, but it is binding upon the First-Tier Tribunal and the UK Information Commissioner.  It essentially approves of the way in which public authorities and both commissioners have been handling these issues to date and so we’re unlikely to see anything change as to how the tension between FOI laws and the data protection laws is resolved.

The Data Protection Bill will (when it is finally passed and eneacted) amend both the Freedom of Information Act 2000 and the Freedom of Information (Scotland) Act 2002 to reflect the General Data Protection Regulation; the provisions look a bit unwieldy, but in reality they are unlikely to change very little in terms of day-to-day practice.

Alistair Sloan

If you require advice and assistance on any aspect of freedom of information or data protection and privacy law then you can contact Alistair Sloan on 0141 229 0880; alternatively you can contact him directly be E-mail.  We have a Twitter account dedicated to information law issues , which you are welcome to follow.