Tag Archive for Personal information

The Exemption Index: Section 40 – the exemption for personal data

FOIMan looks at how the exemption at section 40 of the Freedom of Information Act should be applied.

Summary

Accessing information is a good thing. We’re all pretty agreed on that as a general principle. But there are some exceptions. Perhaps the most obvious need for an exception is where disclosing information would impact someone’s right to privacy. This is where section 40 of the Freedom of Information Act comes in.

Information relating to living, identifiable, individuals – or personal data – is protected by the Data Protection Act (DPA). That legislation established a framework for the handling of this data. Furthermore, it also gave individuals a right of access to information relating to themselves. Section 40 acts as the fulcrum around which FOI and DPA rights revolve – it prevents them from being in conflict.

This exemption, and the issues around personal data, are extremely complex. It is the most cited exemption, and there are many decisions relating to it. It is therefore impossible to provide a comprehensive description in this format. What follows is an attempt to highlight the key considerations and signpost other sources of guidance.

Information affected

Information falling within the definition of personal data in the DPA – ie information relating to living identifiable individuals.

Things that FOI Officers need to know

  • The first thing to consider is whether the information is personal data. Without getting into a long technical discussion, this has often been a source of debate, not least since the (in)famous Durant ruling, which suggested that personal data should be narrowly defined. This year’s Edem case, looking at whether the names of two officials were personal data, has offered some comfort by establishing that names can be personal data, at least in specific contexts.
  • Clause 1 of Section 40 exempts information relating to the requester from disclosure under FOI. It is still accessible via the subject access right of DPA. If you can do so, handle it as a subject access request. Strictly speaking, you still have to answer a request made under FOI within 20 working days, so the ICO advise letting the requester know what you are doing within this timeframe (even if you then use the full 40 calendar days available for subject access requests). Before answering a subject access request you need to be assured as to the requester’s identity (so you may need to ask for proof of identity), and if your organisation charges a fee for DPA requests, you will want this before taking action.
  • Requests for personal information relating to other individuals may be refused if disclosure would breach any of the Data Protection principles listed at Schedule 1 of DPA; or if an individual has exercised their DPA section 10 right (to prevent processing likely to cause damage or distress); or if the information is exempt from subject access rights under an exemption in Part IV of DPA. In the latter two cases, section 40 is a qualified exemption, so a public interest test would need to be carried out.
  • In practice, the most common reason for applying section 40 is that disclosure would breach the first Data Protection principle. This principle requires that anything you do with the data is “fair and lawful” and also that it can be justified using one of the conditions in schedule 2 of DPA, and if falling within the definition of “sensitive personal data” at section 2 of DPA, a condition at schedule 3. What does this mean?

      o lawful means that if there is an Act of Parliament, or a common law duty (such as a duty of confidence), to the effect that such information should not be disclosed, then that must be obeyed
      o fair means considering the expectations of the affected individual(s) and the potential impact of disclosure on them
      o if the information is sensitive personal data (for example, information about a person’s health, religion or ethnicity), it can only be disclosed with their explicit consent or if they have already made it public
      o consent is a possible justification for disclosure if it is personal data not falling under the definition of sensitive personal data. Alternatively, disclosure could also be justified if it is necessary in pursuing the legitimate interests of the public body, or the requester (and potentially any wider audience), as long as it would not cause unwarranted prejudice to the rights and freedoms or legitimate interests of the affected individual – in effect (in an FOI context), this is like a public interest test, balancing the rights of the individual against the requester and the public. Note, though, that the information can only be disclosed when relying on this condition if disclosure is necessary to meet the interest in disclosure.

  • Most of the time, personal data will not be disclosed. However, the Information Commissioner, the Government and others have over time made clear that some personal information relating to public employees’ public roles in particular should be disclosed. For example, the latest version of the Local Government Transparency Code requires salaries of council staff earning over £50,000 to be made public. Clearly there is a consensus that accountability of (especially senior) public officials is a legitimate interest. Interestingly the Code only requires salaries to be disclosed in £5,000 bands – disclosure of specific salaries is not thought necessary to achieve this accountability. In one case, though, the First Tier Tribunal ruled that disclosure of a Chief Executive’s specific salary was necessary.
  • Even senior officials have a reasonable expectation of confidentiality when it comes to severance arrangements, unless there is a good argument to the contrary.

Things that requesters need to know

  • If data has been successfully anonymised to the extent that the requester would not be able to identify the individual(s) (even if the public authority could still identify them using other data in its possession), then the data is not subject to the exemption and can be disclosed. So it may be worth pressing a public authority that refuses a request using section 40 to see if they can release data in an anonymised form.
  • The more senior and/or public facing an official, the more likely it is that personal information relating to their public role should be disclosed. This is relevant in relation to public employees, but also in respect of politicians. This might be salary information, expenses information or contact information, for example.
  • A legitimate interest can be a private interest.

Essential Case Law

Corporate Officer of the House of Commons v Information Commissioner & Leapman, Brooke & Thomas, EA/2007/0060-63, 0122-23 & 0131

Trago Mills (South Devon) Limited v Information Commissioner, EA/2012/0028

Edem v Information Commissioner & Financial Services Authority [2014] EWCA Civ 92

Recommended Reading

Information Commissioner’s guidance on personal information, v1.3, August 2013

Information Commissioner’s guidance on requests for personal data about public employees, v1.2, May 2013

What’s in a name? Court of Appeal gives judgment in Edem, Panopticon Blog, February 2014

FOIMan says…

Should a public body disclose details of requests made by a named individual? April 2012

Exact salary should be disclosed says Tribunal, April 2013

Exact salary should be disclosed says Tribunal

FOI Man reports on a Tribunal decision that could change the way that public authorities treat requests for salary information of senior officials.

A new decision from the First Tier Tribunal threatens to overturn conventional thinking on disclosure of salary information by public authorities. In the decision, which relates to NHS Surrey, the Tribunal upholds an appeal against the Information Commissioner’s decision which supported the right of the public body to provide salary information relating to their Chief Executive only within a £5,000 band.

The decision contradicts the Commissioner’s current guidance which promotes the £5k band approach. The key issue in cases like these is that of balancing the requirement for openness in FOI with the protection that the Data Protection Act gives to individual employees.

The Tribunal cannot see how expressing a salary as an exact figure is any more risky than expressing it within £5k bands. It agrees that even very senior public employees are entitled to a private life, but comments:

“The Tribunal simply cannot accept that anyone in such a role would feel the slightest distress, or consider that there has been any intrusion or that they would be prejudiced in any way by such information. From the perspective of the individual such information is essentially trivial; indeed, in other European societies, such information would be routinely available.”

When FOI first came into force, even publishing in £5k or £10k bands would have seemed radical, so this is just the latest development in the evolution of transparency around salaries. Secrecy around salaries has always seemed odd to me – after all most jobs are advertised with some indication of salary, and certainly if you can publish information within £5k, I can’t see what possible harm could result from publishing an exact salary in most cases. In my view a decision along these lines was inevitable at some point.

That doesn’t mean that there won’t be some resistance to disclosure of exact salaries of senior officials in the coming months. And there may well be circumstances in which it is justifiable. But I suspect that sooner or later this will become the accepted norm.

Anonymovember

FOI Man reports on the ICO’s new Code of Practice on anonymisation.

FOI Officers tend to be caught between a rock and a hard place on a pretty much continual basis. If it isn’t navigating between the Scylla of senior management and the Charybdis of requester ire, then it’s trying to balance the often competing demands of the Freedom of Information and Data Protection Acts (DP).

So new guidance from the Information Commissioner on the important subject of anonymisation is very welcome. Though at over 100 pages, some FOI and DP Officers may struggle to find the time to read it between fielding requests and CMP notices. But, ever at your service, I attempt to extract the key points for you here.

The Code notes DPA does not require anonymisation to be completely risk free – the role of the Code is to help organisations mitigate the risks involved with anonymisation. Similarly, it points out that – in line with R (on the application of the Department of Health) v Information Commissioner [2011] EWHC 1430 (Admin) – anonymised information ceases to be personal data. So if your data is truly anonymised, section 40 of FOI won’t apply to it, and the sort of large datasets that that nice Mr Maude likes Government departments to publish can be unleashed without concern.

But that’s the trick. We’ve got to be very careful that what we put out there is truly anonymised. The Code summarises the problems with that neatly – firstly, there are a number of ways that an individual could be identified, so just taking a name out may not be enough. And secondly, we have no way of knowing what information you folks out there might already have access to.

There are well documented examples of how individuals have been identified from supposedly anonymised datasets once put together with information available on the internet or with personal knowledge. The ICO point out that organisations aren’t omniscient – they can’t know for sure what is, and what will be, available to people. So what do they say about how FOI and DP Officers should reach the judgment as to whether or not it is safe to disclose an anonymised dataset?

Effectively – and I hate to throw a buzz word at you – it’s a risk assessment. They cite a Tribunal concept of the “motivated intruder”. Basically this is someone who will do anything short of committing a crime to identify individuals where there is some motive, eg the information is newsworthy, of interest to the village gossip, perhaps politically sensitive. We need to consider whether someone like that could identify people using libraries, archives, the internet, social media. In other words, we’re talking about those people who you see on TV sometimes tracking down people for an inheritance. Or the producers of Who Do You Think You Are. Could they identify individuals from the data?

Of course, this is better than nothing, but it still relies on FOI and DP Officers or their colleagues to have the time to work out whether someone could be identified from all of these sources. If they haven’t got that time, then there is a risk that the Code just leaves us where we started – with authorities reluctant to release information for fear of individuals being identified.

Thankfully the ICO do recognise the difficulty of this with large datasets – the desire for publication of which is pretty much what prompted this Code. They say:

“It will often be acceptable [with larger datasets] to make a more general assessment of the risk of prior knowledge leading to identification, for at least some of the individuals recorded in the information and then make a global decision about the information.”

But it still means that many FOI and DP Officers will be left feeling uncomfortable whenever considering disclosure of anonymised datasets. Have I checked enough sources? What if I’d tried that other search engine? Should I subscribe to that genealogy site to check what someone could find there? It’s difficult to see what else the ICO could have advised, but FOI Officers will take limited comfort from the Code on this point.

There is some useful practical advice in the Code such as the best ways to present personal and spatial data (eg in crime maps). The case studies that form the last half of the publication will be helpful as well.

Overall, the Code is a useful guide to the issue of anonymisation for FOI and DP Officers and anyone working with datasets containing personal data. But it won’t be the last word and it will be interesting to see what comes out of the new UK Anonymisation Network announced yesterday by the Information Commissioner.

 

Should a public body disclose details of requests made by a named individual?

FOI Man looks at whether a named individual’s FOI requests should be published or disclosed. 

Guardian writer Ben Goldacre asked on Twitter whether public authorities are able to publish or disclose the names of FOI requesters. This is an interesting question which is difficult to explain in 140 characters.

First off, my basic rule on this is “no”. Fundamentally, I just don’t think it’s ethical. Most FOI Officers are even nervous about circulating the details of a requester internally, let alone outside the organisation. But here’s the legal argument.

I could spend a long time telling you about a chap called Durant, and case law involving him which established the current legal definition in the UK for what counts as personal data. But I won’t. Suffice to say that information about an individual that has a “biographical” element will be personal data.

The fact that you as an individual make an FOI request about a particular subject is enough information in my view to be considered personal information. All personal information is covered by the Data Protection Act, which sets out conditions for the processing (including disclosure) of that information. The most important is that any processing should be fair and lawful.

Clearly it’s unfair if a public authority announces that you’ve been making FOI requests to them without your consent. Most people wouldn’t expect that to happen, so it would be a nasty surprise if it did. Which is exactly what happened to one requester to a GP’s surgery recently.

But, as Ben Goldacre asked, what if you’re a big multi-national tobacco company making an FOI request? Well, in theory, that’s different. A tobacco company is a “person” from the point of view of FOI, but it is not a “data subject” in Data Protection terms.

But in practice, it might not be that simple. Even an FOI request from a company is usually signed by an individual employee. So is the request from the company or the employee? It will depend on the context, and may not be clear.

If someone makes an FOI request for a named individual’s FOI requests, that information would still be personal data, and in theory, a public authority could argue (and in my view would rightly argue) that section 40(2) of FOI applies – ie the exemption for personal data. The exception might be if they had been given consent by the original requester (the data subject) to disclose their requests. Indeed, the section 45 Code of Practice (also known as the Lord Chancellor’s Code), recommends that public authorities consult third parties (and that would include corporate bodies) if they are asked for information provided by those third parties. So in theory, at the very least, a public body should consult a requester before disclosing their requests.

This can lead to a spiral of requests. I remember one request for correspondence between the Mayor of London and an individual. I then consulted the individual, who made an FOI request for the identity of the first requester. So…then I had to ask the first requester for consent to disclose his identity. It can become rather complicated, and the FOI Officer has to keep his wits about him in these cases!

Another exception might be if there was a public interest in disclosing the requests made by a named requester. This might well be another argument for disclosing the requests made by, say, a tobacco company. At a stretch, it might be feasible for a public body to argue that there was a public interest in disclosing the requests made by an individual who had made excessive use of FOI to tie up the resources of an organisation. But that’s a dangerous road to go down. I can imagine the Commissioner or Tribunal arguing in response that the Act provides alternative mechanisms for dealing with such situations.

It would be different if a requester asked for, say, all requests on a particular subject, and the requests could be disclosed without identifying the requester. In effect, the information ceases to be personal data so can be disclosed. Similarly, a public body can publish requests as long as they don’t name the requester. Indeed this happens all the time with Disclosure Logs.

So, in summary, public authorities shouldn’t publish or disclose the requests made by a named individual without their consent, unless there is a strong public interest in doing so.

 

Why I will be filling in my Census form

This coming Sunday, 27 March 2011, is Census Day in the UK. FOI Man explains why he’ll be completing his census and why he feels uneasy about calls to boycott it.

Slightly off-topic I know (and I’m not an expert on this in any way, so I stress that this is an opinion piece), but I wanted to talk about the census. Or more properly the commentary that it receives. If Twitter and the blogosphere are any indication nobody is going to fill in their census form this year, online or otherwise. Apart from me.

First off, here’s why I will be completing the census this year:

  • local authority government funding is based on the information collected in the census; Islington Borough Council in London calculates that it will miss out on £7500 worth of funding over the next ten years for every person who isn’t picked up in the census. Given the pressures that local authorities are under already, this is funding that they can’t really afford to miss out on.
  • future planning by central and local government, and other public bodies is heavily based on the census data. It influences the number of schools, hospitals, roads, houses that will be provided. The census data for London as a whole feeds into pretty much all strategy and planning by the Mayor of London and the various bodies that report into him, such as Transport for London.
  • but it’s not just the public sector that relies on it. Islington point out that voluntary and community groups use its data to attract funding for projects. Supermarkets use it to work out where to open new stores.
  • If you’ve ever watched Who Do You Think You Are? or researched your family or local history, you’ll know that the census from 100 years ago is an essential tool. All this information that you resent providing now will be incredibly interesting for your descendants or future historians.
  • And finally, if you need a stick, there’s a £1000 fine and a criminal record if you don’t complete your census form – it’s a legal requirement.

Which is all fair enough, but people have legitimate concerns about the census itself and the way the data will be used afterwards.

One of the concerns is that the Government has appointed Lockheed Martin, a company which also manufactures arms, to run the census operation this year. This is prompting calls to boycott the census or to complete forms in a way that will cause difficulties for Lockheed Martin. Of course, there are plenty of other companies that are also involved in the arms industry that supply goods and services that we use every day without thinking about. Do you even know who made the engines on the jet you flew abroad on last summer? And while some may argue that awarding a contract for the census confers some level of undeserved respectability on this company, surely the ultimate point of any campaign against the arms trade is for business to stop supplying military hardware and provide harmless civic services to the people of the world. Like…well, like running censuses.

Then there are those who say that having a census at all is outdated. Surely Government should be able to use all that other data that is lying around to cobble together a picture of the country? But the same people will scream loudest whenever the Government talks about using or sharing data across departments for any other purpose than originally collected for. You can’t have it both ways.

The privacy concerns, as outlined in this excellent post from Chris Pounder at Amberhawk, are to me much more persuasive. But it can’t always be wrong for Government to collect personal information. I think that’s my main concern with the tone of the debate on the census – it seems to suggest that Government can never be trusted. That there is absolutely no exercise worth carrying out if it requires the collection or sharing of personal data. Instinctively I just don’t think that’s true. And I think that the Government, as well as finding ways to better protect our information, has to argue more effectively the case for collecting and using it to improve our lives.