Tag Archive for FOI Section 40

Propping open the gate

FOIMan discovers that the government has an answer to ‘legitimate’ concerns over the GDPR and FOI.

One of the concerns of the Information Commissioner and many observers in relation to the General Data Protection Regulation (GDPR) is that it could potentially lead to less information about individuals being disclosed under FOI. Obviously, protecting personal data is important, but it shouldn’t stop legitimate public debate around things like MPs’ expenses or council Chief Executives’ pay.

The reason this is an issue is that the s.40 exemption for personal data – or at least the part of it that is most often relevant – revolves around the data protection principles set out currently in schedule 1 of the Data Protection Act 1998 (DPA). The first and most relevant of these says that data must be processed fairly and lawfully. In determining whether a disclosure of information is lawful, authorities have to consider whether it is justified by reference to a condition in schedule 2 of DPA. The condition that most often applies to FOI disclosures is that there is a legitimate interest in disclosing the information that can only be met by the disclosure. This has to be balanced against the rights of the individual. It is this condition that has led to lots of personal information about pay, expenses and so much besides entering the public domain.

The problem is that whilst GDPR more or less replicates the first principle, and the conditions as well, it explicitly says that public authorities can’t use the legitimate interests condition. In other words, potentially there could be no legal mechanism to justify disclosures of personal information in the public interest.

Schedule 18 of the Data Protection Bill 2017, the first draft of which was published yesterday, addresses this by the simple expedient of saying that as far as FOI is concerned, the GDPR bar on public authorities using legitimate interests to justify use of data can be ignored. If this survives the passage of the Bill, the gateway for lawful disclosures of personal data under FOI will remain open. Which is good news for public sector accountability.

FOI: this time it’s personal

FOIMan brings you the latest in his series of articles for PDP’s Freedom of Information Journal.

One of the more difficult aspects of dealing with freedom of information (FOI) requests is knowing how to handle personal information. How do you decide whether the information can be disclosed? If you decide not to disclose it, how do you apply the section 40 exemption correctly? What happens if the requester asks for information about themselves?

I’ve previously tackled this in the Exemption Index here on this site, but in my latest piece for PDP’s Freedom of Information Journal, I’ve attempted to bring more clarity to this complex subject aided by the latest case law. The next of my PDP pieces indulges in a little time travel to explore an interesting nugget of FOI history, and you’ll be able to read it here later in the autumn. You can also subscribe to the Journal if you want to read more helpful FOI updates and articles.

The Exemption Index: Section 40 – the exemption for personal data

FOIMan looks at how the exemption at section 40 of the Freedom of Information Act should be applied.


Accessing information is a good thing. We’re all pretty agreed on that as a general principle. But there are some exceptions. Perhaps the most obvious need for an exception is where disclosing information would impact someone’s right to privacy. This is where section 40 of the Freedom of Information Act comes in.

Information relating to living, identifiable, individuals – or personal data – is protected by the Data Protection Act (DPA). That legislation established a framework for the handling of this data. Furthermore, it also gave individuals a right of access to information relating to themselves. Section 40 acts as the fulcrum around which FOI and DPA rights revolve – it prevents them from being in conflict.

This exemption, and the issues around personal data, are extremely complex. It is the most cited exemption, and there are many decisions relating to it. It is therefore impossible to provide a comprehensive description in this format. What follows is an attempt to highlight the key considerations and signpost other sources of guidance.

Information affected

Information falling within the definition of personal data in the DPA – ie information relating to living identifiable individuals.

Things that FOI Officers need to know

  • The first thing to consider is whether the information is personal data. Without getting into a long technical discussion, this has often been a source of debate, not least since the (in)famous Durant ruling, which suggested that personal data should be narrowly defined. This year’s Edem case, looking at whether the names of two officials were personal data, has offered some comfort by establishing that names can be personal data, at least in specific contexts.
  • Clause 1 of Section 40 exempts information relating to the requester from disclosure under FOI. It is still accessible via the subject access right of DPA. If you can do so, handle it as a subject access request. Strictly speaking, you still have to answer a request made under FOI within 20 working days, so the ICO advise letting the requester know what you are doing within this timeframe (even if you then use the full 40 calendar days available for subject access requests). Before answering a subject access request you need to be assured as to the requester’s identity (so you may need to ask for proof of identity), and if your organisation charges a fee for DPA requests, you will want this before taking action.
  • Requests for personal information relating to other individuals may be refused if disclosure would breach any of the Data Protection principles listed at Schedule 1 of DPA; or if an individual has exercised their DPA section 10 right (to prevent processing likely to cause damage or distress); or if the information is exempt from subject access rights under an exemption in Part IV of DPA. In the latter two cases, section 40 is a qualified exemption, so a public interest test would need to be carried out.
  • In practice, the most common reason for applying section 40 is that disclosure would breach the first Data Protection principle. This principle requires that anything you do with the data is “fair and lawful” and also that it can be justified using one of the conditions in schedule 2 of DPA, and if falling within the definition of “sensitive personal data” at section 2 of DPA, a condition at schedule 3. What does this mean?

      ◦ lawful means that if there is an Act of Parliament, or a common law duty (such as a duty of confidence), to the effect that such information should not be disclosed, then that must be obeyed
      ◦ fair means considering the expectations of the affected individual(s) and the potential impact of disclosure on them
      ◦ if the information is sensitive personal data (for example, information about a person’s health, religion or ethnicity), it can only be disclosed with their explicit consent or if they have already made it public
      ◦ consent is a possible justification for disclosure if it is personal data not falling under the definition of sensitive personal data. Alternatively, disclosure could also be justified if it is necessary in pursuing the legitimate interests of the public body, or the requester (and potentially any wider audience), as long as it would not cause unwarranted prejudice to the rights and freedoms or legitimate interests of the affected individual – in effect (in an FOI context), this is like a public interest test, balancing the rights of the individual against the requester and the public. Note, though, that the information can only be disclosed when relying on this condition if disclosure is necessary to meet the interest in disclosure.

  • Most of the time, personal data will not be disclosed. However, the Information Commissioner, the Government and others have over time made clear that some personal information relating to public employees’ public roles in particular should be disclosed. For example, the latest version of the Local Government Transparency Code requires salaries of council staff earning over £50,000 to be made public. Clearly there is a consensus that accountability of (especially senior) public officials is a legitimate interest. Interestingly the Code only requires salaries to be disclosed in £5,000 bands – disclosure of specific salaries is not thought necessary to achieve this accountability. In one case, though, the First Tier Tribunal ruled that disclosure of a Chief Executive’s specific salary was necessary.
  • Even senior officials have a reasonable expectation of confidentiality when it comes to severance arrangements, unless there is a good argument to the contrary.

Things that requesters need to know

  • If data has been successfully anonymised to the extent that the requester would not be able to identify the individual(s) (even if the public authority could still identify them using other data in its possession), then the data is not subject to the exemption and can be disclosed. So it may be worth pressing a public authority that refuses a request using section 40 to see if they can release data in an anonymised form.
  • The more senior and/or public facing an official, the more likely it is that personal information relating to their public role should be disclosed. This is relevant in relation to public employees, but also in respect of politicians. This might be salary information, expenses information or contact information, for example.
  • A legitimate interest can be a private interest.

Essential Case Law

Corporate Officer of the House of Commons v Information Commissioner & Leapman, Brooke & Thomas, EA/2007/0060-63, 0122-23 & 0131

Trago Mills (South Devon) Limited v Information Commissioner, EA/2012/0028

Edem v Information Commissioner & Financial Services Authority [2014] EWCA Civ 92

Recommended Reading

Information Commissioner’s guidance on personal information, v1.3, August 2013

Information Commissioner’s guidance on requests for personal data about public employees, v1.2, May 2013

What’s in a name? Court of Appeal gives judgment in Edem, Panopticon Blog, February 2014

FOIMan says…

Should a public body disclose details of requests made by a named individual? April 2012

Exact salary should be disclosed says Tribunal, April 2013