Should a public body disclose details of requests made by a named individual?

FOI Man looks at whether a named individual’s FOI requests should be published or disclosed. 

Guardian writer Ben Goldacre asked on Twitter whether public authorities are able to publish or disclose the names of FOI requesters. This is an interesting question which is difficult to explain in 140 characters.

First off, my basic rule on this is “no”. Fundamentally, I just don’t think its ethical. Most FOI Officers are even nervous about circulating the details of a requester internally, let alone outside the organisation. But here’s the legal argument.

I could spend a long time telling you about a chap called Durant, and case law involving him which established the current legal definition in the UK for what counts as personal data. But I won’t. Suffice to say that information about an individual that has a “biographical” element will be personal data.

The fact that you as an individual make an FOI request about a particular subject is enough information in my view to be considered personal information. All personal information is covered by the Data Protection Act, which sets out conditions for the processing (including disclosure) of that information. The most important is that any processing should be fair and lawful.

Clearly it’s unfair if a public authority announces that you’ve been making FOI requests to them without your consent. Most people wouldn’t expect that to happen, so it would be a nasty surprise if it did. Which is exactly what happened to one requester to a GP’s surgery recently.

But, as Ben Goldacre asked, what if you’re a big multi-national tobacco company making an FOI request? Well, in theory, that’s different. A tobacco company is a “person” from the point of view of FOI, but it is not a “data subject” in Data Protection terms.

But in practice, it might not be that simple. Even an FOI request from a company is usually signed by an individual employee. So is the request from the company or the employee? It will depend on the context, and may not be clear.

If someone makes an FOI request for a named individual’s FOI requests, that information would still be personal data, and in theory, a public authority could argue (and in my view would rightly argue) that section 40(2) of FOI applies – ie the exemption for personal data. The exception might be if they had been given consent by the original requester (the data subject) to disclose their requests. Indeed, the section 45 Code of Practice (also known as the Lord Chancellor’s Code), recommends that public authorities consult third parties (and that would include corporate bodies) if they are asked for information provided by those third parties. So in theory, at the very least, a public body should consult a requester before disclosing their requests.

This can lead to a spiral of requests. I remember one request for correspondence between the Mayor of London and an individual. I then consulted the individual, who made an FOI request for the identity of the first requester. So…then I had to ask the first requester for consent to disclose his identity. It can become rather complicated, and the FOI Officer has to keep his wits about him in these cases!

Another exception might be if there was a public interest in disclosing the requests made by a named requester. This might well be another argument for disclosing the requests made by, say, a tobacco company. At a stretch, it might be feasible for a public body to argue that there was a public interest in disclosing the requests made by an individual who had made excessive use of FOI to tie up the resources of an organisation. But that’s a dangerous road to go down. I can imagine the Commissioner or Tribunal arguing in response that the Act provides alternative mechanisms for dealing with such situations.

It would be different if a requester asked for, say, all requests on a particular subject, and the requests could be disclosed without identifying the requester. In effect, the information ceases to be personal data so can be disclosed. Similarly, a public body can publish requests as long as they don’t name the requester. Indeed this happens all the time with Disclosure Logs.

So, in summary, public authorities shouldn’t publish or disclose the requests made by a named individual without their consent, unless there is a strong public interest in doing so.

 

10 comments

  1. Tim Turner says:

    The best way to deal with this situation is to leave it alone. Beyond vexatious and cost-based refusals, the identity of an applicant is irrelevant. The fuss caused by the cigarette company’s requests showed a fundamental lack of understanding of how FOI works. Either information should be known or it should not. FOI public authorities should not be allowed to pick and choose who they disclose information to, but equally, they should be allowed to refuse to disclose information if its release into the world would cause real harm. Releasing the name of an applicant in many cases is a distraction, and in some cases, it could be bullying. Better to concentrate on making robust and defensible decisions than trying to personalise the process.

  2. Jon Baines says:

    Hi Paul

    I should start off by saying I agree, as a general principle and on a practical basis that a public authority should not publish names of requesters.

    However, I’m not *entirely* in agreement with you.

    Firstly – on the implication that consent is needed for disclosure of individual requesters’ names. If someone is prepared to disclose, through the media, or through self-publication, the fact that they have made a request, would it be unfair to disclose their name? Is it unfair for me to state that George Foster made a request to the Information Commissioner for his data breach log (http://www.whatdotheyknow.com/request/data_breach_log#incoming-264617). George hasn’t given consent, but he has, by using whatdotheyknow.com, publicised the fact that he has made the request. If it’s not unfair for me to state that fact, would it necessarily be unfair for the ICO to do so? I think it’s interesting, in the article about the GP surgery you link to, that it names the patient itself, and is accompanied by what looks like a posed picture of her. Requesters are often very keen for the fact that they have made a request to be known (e.g. this chap: http://2040infolawblog.com/2012/04/21/a-game-of-noes/). In those circumstances, while I still wouldn’t advocate the authority publishing the names, I cannot see that it would be a breach of the Data Protection Act 1998 to do so.

    The DPA says

    Schedule 2(6) of the Data Protection Act says that personal data must be processed fairly and lawfully, but, for these purposes, Schedule 2(6) provides a gloss which legitimises the processing if it

    “…is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.”

    Where the prejudice to the rights and freedoms or legitimate interests of the data subjects is small, or non-existent, and the legitimate interests pursued by the data controller are not insignificant, then the “necessity” test will be made out. At least, this is the approach favoured by both the Information Tribunal in Corporate Officer of the House of Commons v The Information Commissioner and Others, later approved by the Divisional Court:

    “… [Sch2(6)] involves a balance between competing interests broadly comparable, but not identical, to the balance that applies under the public interest test for qualified exemptions under FOIA. Paragraph 6 requires a consideration of the balance between: (i) the legitimate interests of those to whom the data would be disclosed which in this context are members of the public (section 40(3)(a)); and (ii) prejudice to the rights, freedoms and legitimate interests of data subjects which in this case are MPs. However because the processing must be ‘necessary’ for the legitimate interests of members of the public to apply we find that only where (i) outweighs or is greater than (ii) should the personal data be disclosed.”

    However, I should qualify that with the observation that in the Divisional Court it was accepted that the legitimate interests under (i) must be in pursuance of a pressing social need. I accept that there are not likely to be many cases in which naming requesters can be classed as being in pursuance of a pressing social need. This, by the way, shows up a drafting error in the DPA: if we are talking about *sensitive* personal data, then paragraph 5 of Schedule 3 legitimises processing where “The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject”. I’ve never understood why this isn’t also contained in Schedule 2 as well.

    Secondly (yes, I’m not finished) the special purposes exemption at section 32 DPA exempts processing from the non-disclosure provisions where it is processed with a view to journalistic publication, and the data controller believes that publication is in the public interest. So, if a public authority gave a journalist a list of, say, vexatious requesters, section 32 *might* provide a shield. However, section 32 would have to be read in light of Article 8 of the ECHR, and it would be a risky move by a public authority (see Clift v Slough Borough Council).

    Sorry, that was a bit of a ramble (you did ask…) and might be better suited to a blog post of my own. Now to find the time…

    So, what I’m saying is I agree with you, but with some caveats.

  3. Jon Baines says:

    And I agree with Tim. Of course ;-)

  4. Phil Bradshaw says:

    I concur, and would add that it was always my practice to anonymise internally – not even the Chief Exec in some cases! This was not just because of the likely potential DP breach (identifying clearly not NECESSARY when the applicant blind principle applies) but experience showed that, in may cases, it coloured the response and attitude of those I needed to get the information from, making the whole process more difficult and time consuming

  5. Where the requestor is not an individual, the section 41 (Breach of Confidence) exemption may be used to refuse disclosure of the identity of the requestor.

    You may be interested in the following Information Commissioner decision:

    Case Ref: FS50187314
    Date: 09/03/2009
    Public Authority: Department for Business, Enterprise and Regulatory Reform

    The complainant made a request to the Department for Business, Enterprise and Regulatory Reform for information on the number of freedom of information requests it had ongoing; a description of each request; and, for requests submitted by organisations, the name of each organisation.

    The public authority provided the complainant with a list of requests it had received which were ongoing, as per the request. However it refused to disclose the name of a special interest group that had submitted one of the requests that featured in the list. The public authority explained that the request was made in confidence and that therefore the information was exempt under section 41 of the Act (information provided in confidence).

    The Commissioner agreed with this approach. He took account of the fact that the special interest group had specifically stated, at the time of making the request, that it was making it in confidence first glance. Normally though, the fact that an organisation has submitted a particular freedom of information request to a public authority does not seem sufficiently important that it would attract the necessary quality of confidence. However in this case the Commissioner agreed with the special interest group that, were its identity disclosed it would impact on its right to make representations without fear that those representations may be released. This would undermine its future activities.

  6. Andrew says:

    I think you chaps might have kittens if you read page 2 of this edition of the NZ Ombudsmen’s Quarterly Review.

    http://ombudsmen.parliament.nz/imagelibrary/100092.pdf

    Of course NZ does’t have the UK’s DPA, but it does have a Privacy Act that has been judged (I think) to be ‘adequate’ in terms of extra-EU data transfers.

    I may or may not have argued against the line espoused in the newsletter above (I couldn’t possibly comment, etc). I think it is heavily coloured by the fact that if the agency did not disclose the identity of the requester to the 3rd party, the 3rd party might make a complaint to the Ombudsman under the Ombudsmen Act, alleging that the public authority made an unreasonable decision to disclose if it (the 3rd party) could not make a fully informed decision on the harm that may arise from disclosure. Not quite ‘reverse FOI’ as it exists in the US, but nearly.

    But I do think the experience in NZ is more valid when it comes to saying that insisting on an ‘applicant blind’ approach can be too broad. There will be occasions where disclosure to the requester is appropriate, but not to the world at large. There have been UK cases like this too, and I can remember Richard Thomas referring to one at ‘FOI Live’ in 2006, where disclosure to the world at large was not appropriate, but disclosure to the particular applicant was. I think it related to the circumstances in which the applicant’s child had died in a railway accident. NZ has taken this, and possibly extrapolated too far (IMHO). This is in part spurred on by explicit provision in the NZ OIA for disclosure subject to conditions. Conditions may only be applied if there is a valid exemption (good reason for withholding, in NZ-speak), but it does imply that the Ombudsmen can look at the identity of the requester, and say ‘Yes, this information should be disclosed to this person, but not to the world at large.’

    Returning to the main topic, I think disclosure of the requester’s identity can be very problematic. One only has to look at examples from Mexico and India where FOI requesters have been killed for making requests to see that it is not drawing too long a bow to suggest that people may be penalised in less extreme ways too for making a request.

  7. Foi Officer says:

    I would agree with this and say no to disclosure of individuals’ names but yes to disclosure of organisations making requests. One problem with this of course is that you don’t always know for certain if someone is making a request on behalf of their organisation or just happens to be using their organisation’s email address to make a personal request.

  8. Richard Dowling says:

    Many several government departments in Ireland publish the names and addresses of those who make FOI requests on a professional basis, eg journalists, businesses. They also publish the requests and their response to them….. including any records that are being released! Clearly FOI is not applicant blind in Ireland.

  9. Rodney Breen says:

    What about the other side of the equation? Given that a company name is not personal data and cannot therefore be covered by Data Protection, what about other grounds. Could disclosing the fact that a tobacco company have been asking about an issue not be seen as prejudicing their commercial interest? Eg tobacco company B might be interested to know what tobacco company A is asking about? (I mean, you would hope the would have the wit to get an individual to ask the question on their behalf, but you can’t be sure) Is there a presumption of confidentiality?