FOI Man looks at whether a named individual’s FOI requests should be published or disclosed.
Guardian writer Ben Goldacre asked on Twitter whether public authorities are able to publish or disclose the names of FOI requesters. This is an interesting question which is difficult to explain in 140 characters.
First off, my basic rule on this is “no”. Fundamentally, I just don’t think its ethical. Most FOI Officers are even nervous about circulating the details of a requester internally, let alone outside the organisation. But here’s the legal argument.
I could spend a long time telling you about a chap called Durant, and case law involving him which established the current legal definition in the UK for what counts as personal data. But I won’t. Suffice to say that information about an individual that has a “biographical” element will be personal data.
The fact that you as an individual make an FOI request about a particular subject is enough information in my view to be considered personal information. All personal information is covered by the Data Protection Act, which sets out conditions for the processing (including disclosure) of that information. The most important is that any processing should be fair and lawful.
Clearly it’s unfair if a public authority announces that you’ve been making FOI requests to them without your consent. Most people wouldn’t expect that to happen, so it would be a nasty surprise if it did. Which is exactly what happened to one requester to a GP’s surgery recently.
But, as Ben Goldacre asked, what if you’re a big multi-national tobacco company making an FOI request? Well, in theory, that’s different. A tobacco company is a “person” from the point of view of FOI, but it is not a “data subject” in Data Protection terms.
But in practice, it might not be that simple. Even an FOI request from a company is usually signed by an individual employee. So is the request from the company or the employee? It will depend on the context, and may not be clear.
If someone makes an FOI request for a named individual’s FOI requests, that information would still be personal data, and in theory, a public authority could argue (and in my view would rightly argue) that section 40(2) of FOI applies – ie the exemption for personal data. The exception might be if they had been given consent by the original requester (the data subject) to disclose their requests. Indeed, the section 45 Code of Practice (also known as the Lord Chancellor’s Code), recommends that public authorities consult third parties (and that would include corporate bodies) if they are asked for information provided by those third parties. So in theory, at the very least, a public body should consult a requester before disclosing their requests.
This can lead to a spiral of requests. I remember one request for correspondence between the Mayor of London and an individual. I then consulted the individual, who made an FOI request for the identity of the first requester. So…then I had to ask the first requester for consent to disclose his identity. It can become rather complicated, and the FOI Officer has to keep his wits about him in these cases!
Another exception might be if there was a public interest in disclosing the requests made by a named requester. This might well be another argument for disclosing the requests made by, say, a tobacco company. At a stretch, it might be feasible for a public body to argue that there was a public interest in disclosing the requests made by an individual who had made excessive use of FOI to tie up the resources of an organisation. But that’s a dangerous road to go down. I can imagine the Commissioner or Tribunal arguing in response that the Act provides alternative mechanisms for dealing with such situations.
It would be different if a requester asked for, say, all requests on a particular subject, and the requests could be disclosed without identifying the requester. In effect, the information ceases to be personal data so can be disclosed. Similarly, a public body can publish requests as long as they don’t name the requester. Indeed this happens all the time with Disclosure Logs.
So, in summary, public authorities shouldn’t publish or disclose the requests made by a named individual without their consent, unless there is a strong public interest in doing so.