The Exemption Index: Section 40 – the exemption for personal data

FOIMan looks at how the exemption at section 40 of the Freedom of Information Act should be applied.

Summary

Accessing information is a good thing. We’re all pretty agreed on that as a general principle. But there are some exceptions. Perhaps the most obvious need for an exception is where disclosing information would impact someone’s right to privacy. This is where section 40 of the Freedom of Information Act comes in.

Information relating to living, identifiable, individuals – or personal data – is protected by the Data Protection Act (DPA). That legislation established a framework for the handling of this data. Furthermore, it also gave individuals a right of access to information relating to themselves. Section 40 acts as the fulcrum around which FOI and DPA rights revolve – it prevents them from being in conflict.

This exemption, and the issues around personal data, are extremely complex. It is the most cited exemption, and there are many decisions relating to it. It is therefore impossible to provide a comprehensive description in this format. What follows is an attempt to highlight the key considerations and signpost other sources of guidance.

Information affected

Information falling within the definition of personal data in the DPA – ie information relating to living identifiable individuals.

Things that FOI Officers need to know

  • The first thing to consider is whether the information is personal data. Without getting into a long technical discussion, this has often been a source of debate, not least since the (in)famous Durant ruling, which suggested that personal data should be narrowly defined. This year’s Edem case, looking at whether the names of two officials were personal data, has offered some comfort by establishing that names can be personal data, at least in specific contexts.
  • Clause 1 of Section 40 exempts information relating to the requester from disclosure under FOI. It is still accessible via the subject access right of DPA. If you can do so, handle it as a subject access request. Strictly speaking, you still have to answer a request made under FOI within 20 working days, so the ICO advise letting the requester know what you are doing within this timeframe (even if you then use the full 40 calendar days available for subject access requests). Before answering a subject access request you need to be assured as to the requester’s identity (so you may need to ask for proof of identity), and if your organisation charges a fee for DPA requests, you will want this before taking action.
  • Requests for personal information relating to other individuals may be refused if disclosure would breach any of the Data Protection principles listed at Schedule 1 of DPA; or if an individual has exercised their DPA section 10 right (to prevent processing likely to cause damage or distress); or if the information is exempt from subject access rights under an exemption in Part IV of DPA. In the latter two cases, section 40 is a qualified exemption, so a public interest test would need to be carried out.
  • In practice, the most common reason for applying section 40 is that disclosure would breach the first Data Protection principle. This principle requires that anything you do with the data is “fair and lawful” and also that it can be justified using one of the conditions in schedule 2 of DPA, and, if the data falls within the definition of “sensitive personal data” at section 2 of DPA, a condition at schedule 3. What does this mean?

      ◦ lawful means that if there is an Act of Parliament, or a common law duty (such as a duty of confidence), to the effect that such information should not be disclosed, then that must be obeyed
      ◦ fair means considering the expectations of the affected individual(s) and the potential impact of disclosure on them
      ◦ if the information is sensitive personal data (for example, information about a person’s health, religion or ethnicity), it can only be disclosed with their explicit consent or if they have already made it public
      ◦ consent is a possible justification for disclosure if it is personal data not falling under the definition of sensitive personal data. Alternatively, disclosure could also be justified if it is necessary in pursuing the legitimate interests of the public body, or the requester (and potentially any wider audience), as long as it would not cause unwarranted prejudice to the rights and freedoms or legitimate interests of the affected individual – in effect (in an FOI context), this is like a public interest test, balancing the rights of the individual against the requester and the public. Note, though, that the information can only be disclosed when relying on this condition if disclosure is necessary to meet the interest in disclosure.

  • Most of the time, personal data will not be disclosed. However, the Information Commissioner, the Government and others have over time made clear that some personal information relating to public employees’ public roles in particular should be disclosed. For example, the latest version of the Local Government Transparency Code requires salaries of council staff earning over £50,000 to be made public. Clearly there is a consensus that accountability of (especially senior) public officials is a legitimate interest. Interestingly the Code only requires salaries to be disclosed in £5,000 bands – disclosure of specific salaries is not thought necessary to achieve this accountability. In one case, though, the First Tier Tribunal ruled that disclosure of a Chief Executive’s specific salary was necessary.
  • Even senior officials have a reasonable expectation of confidentiality when it comes to severance arrangements, unless there is a good argument to the contrary.

Things that requesters need to know

  • If data has been successfully anonymised to the extent that the requester would not be able to identify the individual(s) (even if the public authority could still identify them using other data in its possession), then the data is not subject to the exemption and can be disclosed. So it may be worth pressing a public authority that refuses a request using section 40 to see if they can release data in an anonymised form.
  • The more senior and/or public facing an official, the more likely it is that personal information relating to their public role should be disclosed. This is relevant in relation to public employees, but also in respect of politicians. This might be salary information, expenses information or contact information, for example.
  • A legitimate interest can be a private interest.

Essential Case Law

Corporate Officer of the House of Commons v Information Commissioner & Leapman, Brooke & Thomas, EA/2007/0060-63, 0122-23 & 0131

Trago Mills (South Devon) Limited v Information Commissioner, EA/2012/0028

Edem v Information Commissioner & Financial Services Authority [2014] EWCA Civ 92

Recommended Reading

Information Commissioner’s guidance on personal information, v1.3, August 2013

Information Commissioner’s guidance on requests for personal data about public employees, v1.2, May 2013

What’s in a name? Court of Appeal gives judgment in Edem, Panopticon Blog, February 2014

FOIMan says…

Should a public body disclose details of requests made by a named individual? April 2012

Exact salary should be disclosed says Tribunal, April 2013
