|Line to take:|
The focus of any consideration of section 40 should be on fairness.
In considering whether a disclosure is fair under the First Principle of the Data Protection Act 1998 for the purposes of s.40 FOI, it is useful to balance the consequences of any disclosure and the reasonable expectations of the data subject with general principles of accountability and transparency.
(a) Fairness and sensitive personal data
(b) Consequences of disclosure
(c) Reasonable expectations
(d) Balancing the rights and freedoms of the data subject with legitimate interests
It is probably more difficult to define fairness than it is to recognise it in practice. However, in deciding what is fair, it is useful to balance the possible consequences of any disclosure on the data subject along with the data subject’s reasonable expectations of how the data controller will treat/use their personal data, the circumstances in which the data controller may disclose that data which will be shaped by, for example, the nature of the information itself, the circumstances in which it was obtained, the nature of the relationship between the data controller and data subject (i.e. issues relating specifically to the data subject) with the more general principles of the legislation under which the request was made i.e. freedom of information principles such as accountability and transparency as well as any legitimate interests which arise on the specific circumstances of the case.
However it is accepted that it can be artificial to separate out these individual factors as they are often so interlinked with others that any discussion ends up being very circular, for example, in considering the consequences of disclosure, regard should also be had to the nature of the information and the extent to which the information is, or remains, in the public domain which are both factors which would shape a data subject’s reasonable expectations.
Further, these factors have only been identified as a starting point in s.40 cases i.e. the line sets out a menu of factors that may impact on the assessment of what it fair and thus if a factor is irrelevant to the particular case then it need not be considered in the decision notice. Having said that however it is likely that each point will have an opposing argument which needs to be balanced against it, for example, there may be a legitimate interest in disclosing details of a disciplinary hearing of a senior employee but the countervailing argument is that most individuals would expect that these details would remain confidential.
Case-officers are referred to the process chart for section 40 cases from which it will be noted that where it is decided that the information should not be disclosed, then the decision notice will only need to refer to fairness. This decision to focus on fairness (rather than the Schedules) has been made as a result of joined-up DP and FOI policy thinking albeit that, in practice, it is accepted that there is a significant overlap between the balancing approach required under fairness and the three stage test as set out in Schedule 2, condition 6.
However, Schedule 2, condition 6 will still need to be considered where the information is to be disclosed although the analysis under fairness can be referenced to largely deal with the three stage test but the ‘necessity’ element will require a consideration of any alternative mechanisms for meeting the public interest (see LTT57). (Obviously a Schedule 3 condition will also need to be met where a decision has been made to release sensitive personal data although as this is likely to be extremely rare, it is advisable to get signatory approval before drafting a decision notice ordering the disclosure of sensitive personal data).
Note: The decision notices referenced below are not intended to be ‘template’ decision notices i.e. they have been selected to exemplify a point but may not represent the definitive approach.
(A) FAIRNESS & SENSITIVE PERSONAL DATA
Firstly, case-officers should determine whether the requested information is sensitive personal data which falls within any of the eight categories as set out at section 2 of the DPA:
The general premise behind this approach is that in most cases the very nature of sensitive personal data means it is more likely that disclosing it will be unfair. For example, it is almost self evident that to disclose someone’s medical records will be unfair as in our society there is a clear expectation that medical information will remain confidential both to preserve the relationship between doctor and patient and also because the disclosure will be damaging or distressing to the data subject. Thus, the reasonable expectation of the data subject is that such information would not be disclosed and that the consequences of any disclosure could be distressing to them.
However, as always, it remains important to consider all the circumstances of the case and in particular to consider whether the data subject has consented to the disclosure and/or whether the data subject has actively put some or all of the requested information into the public domain i.e. despite the data falling into the category of sensitive personal data, it is not sensitive to the data subject. If either factor is relevant, then it is likely that any disclosure would be fair. (Furthermore, this would also provide the grounds for satisfying a Schedule 3 condition and therefore this could be referenced to shorten any later Schedule 3 analysis).
However, in the majority of cases it is likely that the conclusion will be that it would be unfair to disclose the requested sensitive personal data and then the following standard wording can be used as the concluding paragraph:-
“The Commissioner notes that the information in this case falls under s2(complete)of the Data Protection Act 1998 as it relates to the data subject’s……..(complete). As such, by its very nature, this has been deemed to be information that individuals regard as the most private information about themselves. Further, as disclosure of this type of information is likely (*) to have a detrimental or distressing effect (*) on the data subject, the Commissioner considers that it would be unfair to disclose the requested information.”
(*) – It might be possible to be more specific or use stronger language in certain circumstances.
(B) CONSEQUENCES OF DISCLOSURE ON THE DATA SUBJECT
Before considering the consequences of any disclosure, it may be useful to look at LTT144 which considers the Commissioner’s position following the decision of the Tribunal in the abortion statistics case (EA/2008/0074) but in brief the Commissioner’s position is that truly anonymised data/statistics is not personal data and thus can be disclosed without reference to the Data Protection Act.
Further, the Commissioner does not accept that where a public authority holds information to identify living individuals from the anonymised data, that this turns the anonymised data into personal data but if a member of the general public could identify individuals by cross-referencing the anonymised data with information already in the public domain, then the information is personal data. Whether it is possible to identify individuals from the anonymised data is a question of fact based on the circumstances of the specific case.
In looking at the consequences of disclosure, it might be useful to firstly consider what those consequences might be and then look at other related factors.
It may be that the consequences of disclosure are obvious and/or evidenced by the public authority (e.g. disclosure may lead to the identification of informants, witnesses or members of a specific group which could lead to those individuals being subject to threats, harassment or disclosure of someone’s bank details may lead to them being the target of fraud or identify theft). However, it may also be unfair to disclose information where the consequences of disclosure are not evidenced or where the distress or damage is less obvious or tangible (e.g. disclosure may lead to unwanted communications, pose a risk to the data subject’s emotional wellbeing i.e. if their medical records were disclosed or pose a risk to the data subject’s chances of promotion or employment i.e. if a compromise agreement or job application were to be disclosed).
Thus, it is useful to consider the nature of the information itself and also the climate into which the information would be disclosed, for example, in the above case, it is useful to remember that a data subject’s colleagues, friends and family are amongst the general public to whom any disclosure is made. Further, the greater the distress or damage to be caused, the more likely it will be that disclosure will be unfair.
A point which is often raised by complainants is that the information has been or is already in the public domain and thus it would not be unfair to disclose it under the FOIA. However in dealing with the point, it is important to consider the following issues:-
(1) The authority of the source should be taken into account, for example, it may be unfair to disclose information where the information is in the public domain by way of a tabloid article although if related information/detail had been released in an official statement from the Prime Minister’s Office, then this may make any disclosure fair.
(2) The extent to which the past disclosure can be said to remain in the public domain may be relevant to a consideration of fairness e.g. a local news story may only stay in the public’s consciousness for a short period whereas if the information is placed and remains on any permanent and easily searchable/accessible source, then this may affect the decision on whether it would be fair to disclose related information. (See also LTT86 – personal data disclosed in open court).
(3) Consideration should also be given to whether the information is actually in the public domain or whether it is simply known to the complainant. If the information is only meaningful to the complainant because of his/her pre-existing knowledge or position but is likely to be meaningless to the rest of the world, it would still be unfair to disclose this information given that the complainant is a part of the world at large. However, just because the complainant is aware of certain details which would mean that a disclosure to him/her might be fair, this does not mean that a disclosure under FOI to the world at large would be fair, for example, a partial disclosure of medical information may be made to a data subject’s relative on a discretionary basis on compassionate grounds but this can be given little weight when considering whether a disclosure of the same or additional linked information can be made to the world at large.
(4) However it is important to note that we are looking at any additional damage or intrusion the disclosure would cause. Thus if the information is currently in the public domain (subject to the points above about the authority of the source, the extent to which it remains in the public domain etc), a further disclosure may not be unfair to the data subject although it may be useful to take into account whether the information has been put into the public domain through the actions of the data subject as this may make it more likely to be fair to disclose related information. Also, if related information is already obtainable from a public source, then it may be fair to disclose this information as it might be said that the data subject has no expectation of privacy given the existing availability of the information.
(C) REASONABLE EXPECTATIONS
Consideration should be given to two elements here – firstly whether the expectation is reasonable and secondly the nature of the expectation(s).
As it is accepted that some people give little, if any, thought to the uses to which their personal information may be put, case-officers should consider the expectations of the reasonable person who has given some thought to the issue of what might happen to their personal data.
It is accepted that there may be cases where the data subject has been informed or assured that the personal information they have provided will not be disclosed. However, this does not mean that if public authorities create a policy to say that no or only limited information will be disclosed, that this is determinative. Further, and as said above, the reasonableness of that expectation should be analysed so that even if a data subject accepts the public authority’s assurance, case-officers should consider whether the reasonable person would have such an expectation bearing in mind all other circumstances of the case. Thus, case-officers should consider whether the data subject’s expectation is objectively reasonable.
In any event, the data subject’s reasonable expectations is not the only factor to consider when looking at fairness as the decision should also take into account the consequences of any disclosure on the data subject and whether this can be balanced against any legitimate interests.
Note: Case-officers are reminded that they should consider the data subject’s expectations both at the time the information was collected and at the time of the request, as they may have changed in the intervening period. For example, this may involve consideration of assurances individuals were originally given and/or altered expectations due to public authorities developing their approach to disclosures in response to information requests.
A data subject’s expectations of what will or might happen to his/her personal data will be shaped by general and specific factors:-
A data subject’s general expectations are likely, in part, to be shaped by generally accepted principles of everyday interaction and social norms, for example,
It is accepted that every individual has the right to some degree of privacy and this right is so important that it is even enshrined in Article 8 of the European Convention on Human Rights which protects the right to a private and family life. Further, in an increasingly insular society there may be high expectations of privacy.
However, expectations are also shaped by society where personal information is often shared freely and widely on social networking sites as well as on blogs and internet chat-rooms (although this is not determinative as different people have different expectations of the standards of privacy they would expect even when using public forums). The transparency and presumption in favour of disclosure of the Freedom of Information Act is also a part of today’s culture. This was recognised by the Tribunal in the case of The Corporate Officer of the House of Commons v IC and Norman Baker MP (EA/2006/0015 &0016) where it was said that:
“….The existence of FOIA in itself modifies the expectations that individuals can reasonably maintain in relation to the disclosure of information by public authorities, especially where the information relates to the performance of public duties or the expenditure of public money.” (para 43).
(2) Private v Public Life
The Tribunal in the Norman Baker case also commented on the distinction between a data subject’s private and public life and commented that:-
“…where data subjects carry out public functions, hold elective office or spend public funds they must have the expectation that their public actions will be subject to greater scrutiny than would be the case in respect of their private lives…” (para 78) and further that “… the interests of data subjects, namely MPs in these appeals, are not necessarily the first and paramount consideration where the personal data being processed relate to their public lives” (para 79)
The Tribunal also found that this approach applied “….even where a few aspects of their private lives are intertwined with their public lives but where the vast majority of processing of personal data relates to a data subject’s public life.” (para 78). (This comment was made in response to the House of Common’s argument that disclosure of information relating to travelling arrangements would necessarily reveal family/domestic arrangements to some degree).
Thus, if the requested information relates to the public/professional life of the data subject rather than their private life then it is more likely that it will be fair to disclose this type of information. However even if the information does relate to an individual’s professional life, this does not mean that it will automatically be disclosed, for example, whilst there may be little expectation of privacy with regard to information relating to a data subject’s work duties there may still be an expectation that, for example, personnel details will not be disclosed. Although, in considering whether any information about a data subject’s public/professional life should be disclosed, it would be useful to consider the following factors:
It may also be useful to draw a distinction between public facing public sector employees and public figures as although disclosure of information in relation to public figures could not be said to be necessary for accountability reasons, the very fact of their public status may affect their expectations and thus whether it would be fair to disclose information about famous or public figures.
(3) Nature or content of the information
The nature of the information itself and the consequences of it being released will help shape the expectations of the data subject as to whether their personal data would be disclosed to the public. People have an instinctive expectation that a responsible data controller will not disclose certain information and that they will respect its confidentiality and in some respects the whole issue of fairness is an instinctive reaction as to whether it would be just or proper to disclose the information in question in the prevailing circumstances, for example,
(4) Circumstances in which the personal data was obtained
It may also be relevant to consider the circumstances under which the requested information was obtained as this may affect the expectations of the data subject, for example, it may be unfair to disclose information which has been obtained as part of a small consultation within one public authority or sector or where a member of the public has been canvassed for his/her views on the street. It is also possible that there will be situations where expectations have changed by the time of the information request.
(5) Fair processing notices
See LTT59 for further information.
Case specific considerations
(6) Details of what, if anything, the data subject was specifically told about what would happen to their personal data i.e. were they told it would be kept confidential? Conversely, it may be appropriate to consider the nature of the data subject’s expectations if they were not told anything about what could happen to their personal data as well as taking into account any change in expectations by the time of the request for information.
(7) Existing policies or customs within the pa which would shape data subject’s expectations of what would be done with their personal data. However, case-officers should refer to the points above in relation to the reasonableness of expectations. Policies and standard practices of the public authority regarding disclosure in response to information requests, which may have been developed by the time of the request, may also influence the expectations of the individual.
See LTT167 for further information.
(D) BALANCING THE RIGHTS AND FREEDOMS OF THE DATA SUBJECT WITH LEGITIMATE INTERESTS
Notwithstanding the data subject’s reasonable expectations or any damage or distress caused to them by disclosure, it may still be fair to disclose the requested information if it can be argued that there is a more compelling public interest in disclosure, for example, in the case involving the MP’s expenses the Tribunal said as follows:-
In the case of The Corporate Officer of the House of Commons v IC and Leapman, Brooke and Thomas EWHC 1084 (Admin), regarding a request for details of MPs’ ACA (Additional Cost Allowance) claims, the High Court, on appeal, said at paragraph 15 that this issue was not “…idle gossip, or public curiosity about what in truth are trivialities. The expenditure of public money through the payment of MP’s salaries and allowances is a matter of direct and reasonable interest to taxpayers.” Thus, it was felt that the need to demonstrate accountability and transparency in the spending of public funds outweighed the rights of the data subjects.
Thus in considering ‘legitimate interests’, such interests can include broad general principles of accountability and transparency for their own sakes as well as case specific interests, for example, there may be a legitimate interest in knowing how much public money was spent on the consultants who bid for the 2012 Olympics such that this would justify the disclosure of the consultant’s personal data (FS50182413) or there may be a legitimate interest in knowing who was responsible for making important decisions in connection with the spending of significant sums of public money on a national electronic fingerprint identity scheme (FS50125350).
In balancing these legitimate interests with the rights of the data subject, it is also important to consider a proportionate approach, i.e. it may still be possible to meet the legitimate interest by only disclosing some of the requested information rather than viewing the disclosure as an all or nothing matter.
Case-officers will note that this type of consideration has formerly been carried out under the Schedule 2, condition 6 test. As said at the outset, there is a significant overlap between fairness and Schedule 2 but the Office has made a joined up decision to focus on fairness. However, if it is necessary to analyse Schedule 2, condition 6 in a decision notice (i.e. where the information is to be disclosed), then the analysis of legitimate interests under fairness can be referenced to dispose of the first limb of the test and the remainder of the analysis should have disposed of the ‘unwarranted interference’ limb of the test. This therefore means that there only needs to be an analysis of ‘necessity’ under the Schedule 2, condition 6 test as per LTT57.
The Corporate Officer of the House of Commons / Norman Baker (16 January 2007)
The Corporate Officer of the House of Commons / Leapman, Brooke & Thomas (26 February 2008)
Creekside Forum / DCMS (28 May 2009)
|Related Lines to Take|
|LTT57, LTT59, LTT144, LTT164, LTT165, LTT167|
|EA/2006/0015 & 0016 (Baker),  EWHC 1084 (Admin) (Leapman), EA/2007/0060 etc (Leapman), EA/2008/0065 (Creekside) Guide to Data Protection, The exemption for personal information|
|Contact||HD / DC|