Disclosure Staff Names in FOI Requests  

chuttersnap-jchrnikx0tm-unsplash

One of the most popular search terms on our blog is “disclosure of names under FOI.”
A further question that we were recently asked on a course is whether FOI practitioners should provide their names when they respond to requests.

There have been some important developments since 2013 and our last two blogs on this topic. The provisions of S.40(2) of the Freedom of Information Act  (FOI) 2000 have been amended to take into the provisions of General Data Protection Regulation 2016 (GDPR) and the Data Protection Act 2018 (replacing the Data Protection Act 1998).
In addition we now have the benefit of  two rulings from the Upper Tribunal namely Information Commissioner v Halpin (GIA) [2019] UKUT 29 (AAC) and Cox v Information Commissioner and Home Office [2018] UKUT 119 (AAC). In addition, the Information Commissioner’s Office has issued revised guidance on requests for personal data about public authority employees which take into account the recent developments.

The FOI Section 40(2) Exemption

The names of staff working in public authorities are personal data as defined by Article 4 (1) of GDPR and S. 3 Data Protection Act (DPA) 2018. In addition organisational charts and internal directories that contain staff names are also personal data if they identify individual members of staff. FOI requests may not necessarily be couched as request for staff names. For instance, a requestor may wish to see “ all communications” about a certain subject, but these communications may include the names of those sending and receiving emails. They may wish to find out the names of staff present in specific meetings (which is what happened in the Cox case). The Cox case was the first occasion in which the Upper Tribunal was tasked with considering the principles governing the disclosure of the names of civil servants, but clearly it has wider application to all other public authorities.

When a public authority receives an information request that includes a request for the names of staff, it needs to consider the third-party personal data exemption in S. 40(2) FOI. This is an absolute exemption if:

  • Disclosure of the third-party personal data (in this case staff) would contravene any of the data protection principles; or

  • Disclosure would contravene an objection to processing under GDPR Article 21; or –

  • The personal data would be exempt if the data subject  (member of staff concerned) had made a subject access request.

An almost identical exception operates in EIR regulation 13.

The data protection principles are listed in GDPR Article 5. The first principle is the most relevant in this context. This requires that the processing of personal data must be lawful, fair, and transparent. Disclosing under the FOI constitutes processing.

Before disclosing any staff names the first question is whether the disclosure is lawful. There are six lawful bases for processing in GDPR Article 6, but only consent or legitimate interests are relevant to disclosure under the FOI or EIR. It may be possible to ask staff for their consent to disclose their names. However, given the particularly high threshold for consent to be valid (see GDPR Article 7) and the imbalance of power in an employer/employee relationship, any consent is not necessarily going to be valid.

Legitimate Interests

The alternative lawful basis is that disclosure is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interest or fundamental rights and freedoms of the data subject which require protection of personal data…” (GDPR Article 6 (1)(f)). Some readers may be concerned because the GDPR specifically states that public authorities cannot rely on the legitimate interests’ lawful basis when processing in the performance of their tasks. However, this restriction is lifted in relation to disclosure under the FOI or EIR by S.40(8) of FOI and Reg. 13(6) of EIR respectively.

The ICO guidance suggests that public authorities answer three key questions when considering this issue, namely:

Question 1: What is the legitimate interest in disclosure (or what is the purpose)?

This includes the legitimate interest of the public authority or a third party, which is likely to be the requestor.  A wide range of interests may be legitimate interests. The requestor may have  a personal and private reason for wanting to know staff names, but this makes it no less relevant. In the Halpin case, the Upper Tribunal confirmed that a purely private interest was capable of amounting to a legitimate interest. In this case Mr Halpin wanted details of the training undertaken by two social workers because their capacity and skills were relevant in any appeal against a Care Act assessment.

Question 2: Is it necessary to disclose staff names for that purpose?

This requires a public authority to ask whether it is “necessary” to disclose staff names in order to serve the legitimate interests of the requestor. It may be possible to provide the applicant with alternative information, such as the numbers of staff involved in a meeting and information about their roles and levels of seniority without providing names. For example, in McFerran v Information Commissioner EA/2012/0030,the requestor wanted to know the names of the council staff who were present during a police search of a council property. The Tribunal acknowledged that there was a legitimate interest in knowing that the search had been conducted properly but it was not necessary for the requestor to know the names of the council staff involved.

Question 3: Does the legitimate interest outweigh the interest and rights of the staff concerned? 

This involves a balancing exercise. Public authorities need to consider the likely impacts or consequences that disclosure of staff names will have on the staff themselves.
Names should not be disclosed if disclosure will cause unjustified adverse effects on the staff concerned. It is important to remember when making this assessment, that disclosure of names under the FOI is to “the world at large”. Again, the Upper Tribunal in Halpin was at pains to emphasise that even if the requestor indicates they have no intention of publicising the information, the public authority loses control of the information once it is disclosed. Disclosure under the FOI is not subject to any duty of confidence. This becomes a relevant factor in deciding whether the disclosure will cause unwarranted harm to the  named individuals.

The key question when it comes to disclosing names, is what is the harm that will arise from disclosure? There must be a connection between the disclosure and the harm.
Even if disclosure may cause distress to a member of staff  this doesn’t automatically trump the legitimate interests of the requestor; the public authority must undertake a balancing exercise. When a public authority carries out this balancing exercise it should take the reasonable expectations of the staff concerned into account. For example, just asking whether the member of staff concerned would have a reasonable expectation that their names would be disclosed to the world at large provides a useful starting point.
This also enables the public authority to address the question of fairness.
In deciding whether to disclose staff names it is important to think about the public facing nature of the role filled by the individual member of staff ; their seniority in the organisation; whether a public authority has a policy  on the disclosure of staff names that informs their expectations. The staff privacy notice should also provide staff with some understanding of when their names may be disclosed in response to FOI request.

Clearly a Chief Executive of an organisation should expect that their name is released into the public domain. As the ICO guidance advises:

The more senior an employee is and the more responsibility they have for decision making and expenditure of public money, the greater their expectation should be that you disclose their names.

On the other hand somebody with responsibility for cleaning offices will have a real expectation that their name remains confidential. FOI practitioners are familiar with this assessment, which is  based on ICO guidance and an earlier case of Home Office v Information Commissioner EA/2011/0203. This said that the names of junior civil servants are generally protected from disclosure unless they occupy a public-facing role. However the decision in the Cox case makes it clear that each case will depend on its own facts and context. There is no blanket presumption in favour of disclosure of the names of senior officials, each case must be considered carefully and with regard to the legitimate interests of the requestor.

Disclosing Names of FOI practitioners

The question of whether a public authority should disclose the name of a person handling an FOI request raises all of the above considerations. First, what is the legitimate interest in a FOI requestor knowing the name of the person who handled their request?
Second, is it necessary to know that person’s name to serve that legitimate interest? Finally does the legitimate interest of the requestor outweigh any harm that may be caused to the member of staff handling the request. There is no legal obligation to disclose staff names and a public authority could refuse under S 40(3) FOI if all of the above are satisfied.

In the interests of transparency many public authorities disclose the names of the person who has handled their request. Given the public facing role and the work that FOI practitioners do it is arguable that their expectation is that their names may be disclosed. However in some organisations FOI requests are dealt with by many different staff at various levels rather than via a single FOI point of contact. In these circumstances more junior staff who have handled requests may have a greater expectation of privacy.

This and other developments will be discussed in our  FOI and EIR workshops  which are now available as an online option. If you are looking for a qualification in freedom of information,  our  FOI Practitioner Certificate  is ideal. It will soon be available as an online option. Please get in touch to learn more.

online-gdpr-banner

 

Disclosure of Staff Names in FOI Refusals

canstockphoto0164766This is an FOI decision from the Information Commissioner that I have planned to blog about for some time, but have now only just got round to blogging about it.  On 11 March 2013 the ICO issued decision notice FS50468600 which involved the Department for Work and Pensions (DWP).  The content of the decision notice is not all that important until we turn to paragraphs 32-36, which are headed up as “other matters”.

In particular paragraph 35 is of note in which it states that his office experienced difficulty in actually speaking to those who were involved in the request at the DWP’s side of things.  It described the DWP’s practice of not providing telephone numbers or contact details within its responses and how this makes it very difficult for the appropriate contact to be located within the organisation.  The public authority advised the Commissioner that it did not include these details so as not to breach the privacy of the non-senior staff involved; it described the staff in question as not being in public-facing roles.

In Paragraph 36 of the decision notice the Commissioner states quite clearly that he does not agree with this approach.  The decision notice states that “if such staff are responding to requests made under the FOIA then he considers this to be a public-facing role which is unlikely to attract an expectation of privacy” (Paragraph 36).

The DWP are by no means the only public authority which has adopted similar processes in respect of FOI requests.  I can remember one time trying to get hold of a central Government department (I can’t remember exactly which one, but I have a feeling it was either the Home Office or a connected public authority) to discuss a response that had been issued by them (something that merely wasn’t very clear and, as it later transpired wasn’t in need of an internal review). However, there was no contact details provided for the individual.  I was informed that the FOI team were not public-facing and they wouldn’t speak to members of the public over the telephone.

It was very frustrating and actually resulted in a higher cost to the public authority in my case.  There was just one thing that I wasn’t clear about and I’m sure that had I been able to have a quick telephone conversation with the person who issued the decision then there would have been no need for them to conduct an internal review.  However, the Authority’s attitude and processes meant my only option to get the clarification was to request an internal review.  This will have then required a senior member of staff within the authority to review the entire handling of the request and issue a response to me; far more expensive than 5 minutes on the phone explaining something to the applicant.

Not publishing contact details for those responsible for FOI within the organisation also makes seeking advice and assistance from the public authority almost impossible.  My reading of the Act suggests to me that advice and assistance is not only something to be provided in a refusal notice, but something that should be available to prospective applicants.  I know that I’ve certainly phoned up a public authority and had a chat with them about a request before making it; as a consequence I have been able to frame my request in a way that has made it a much more efficient process for the public authority (and thereby reducing the cost to the taxpayer).  The FOI Officer, knowing the structure of their organisation and how information is generally held, was able to advise as to what information they were likely to hold and how it was likely to be held.

I tend to agree with the commissioner that anyone sending a response out to a FOI request is clearly public-facing; it might be that a particular role was not public facing pre-FOI, but in these post-FOI days anyone could, in theory, be a public-facing member of an authority’s staff.  It should be easy for applicants to contact public authorities, not least because the public authority is obliged to provide advice and assistance, but it can just save public authorities money.  It can help ensure more focused FOIs that are easier to deal with and can prevent expensive internal review requests (or perhaps even more expensive ICO investigations).(Ed – See also Ibrahim Hasan’s blog post on disclosure of staff names under FOI)

Hopefully the ICO’s criticisms of this approach in this decision notice will feed their way round any other public authorities who still adopt a practice of not giving out contact details for someone able to provide advice and assistance.

Alistair Sloan is a 4th year LLB student in Scotland, blogger (http://scotslaw.wordpress.com/about-2/) and FOI proponent. Follow him on Twitter (http://www.sloansonline.me.uk/

Ibrahim Hasan will be discussing this and other recent FOI decisions in the FOI Update workshop  on 3rd June 2012 in London.

Do you want an international recognised qualification in FOI?

The ISEB Certificate in Freedom of Information  starts in Manchester and London in June.

Disclosure of Staff Names under FOI

Most_Popular_Male_Names

When considering request for information under the Freedom of Information Act 2000(FOI) public authorities often face a dilemma about disclosing names of staff.

Names are generally considered to be personal data, being information relating to living identifiable individuals (as defined by the Data Protection Act 1998 (DPA)). (Although one Information Tribunal (as it was known then) decision, Harcup v Information Commissioner and Yorkshire Forward (EA/2007/0058), ruled they are not. (See episode 11 of my FOI Podcasts for a full discussion of this decision). Therefore the exemption under section 40(2) (third party personal data) will have to be considered.

For this exemption to be engaged a public authority must show that disclosure of the name(s) would breach one of theData Protection Principles. Most cases in this area focus on First Principle and so public authorities have to ask, would disclosure be fair and lawful? They also have to justify the disclosure by reference to one of the conditions in Schedule 2 of the DPA (as well as Schedule 3  in the case of sensitive personal data). In the absence of consent, most authorities end up considering whether disclosure is necessary for the applicant to pursue a legitimate interest and, even if it is, whether the disclosure is unwarranted due to the harm caused to the subject(s) (condition 6 of Schedule 2)?

The seniority of the staff, whose names are being requested, will of course be a key factor in deciding whether disclosure is fair. The first Information Tribunal decision on this issue, back in 2007, (Ministry of Defence v Information Commissioner and Rob Evans (EA/2006/0027)) concerned a request made by a journalist for a staff directory which included the names and contact details of individuals working for the Defence Exports Services Organisation. The MoD refused to disclose the information citing, amongst others, the exemption under section 40(2).

The Tribunal ruled that that the MoD could only withhold names of staff if they are particularly junior (below Civil Service B2 Level), not immediately responsible for the requested information and their name is not already available elsewhere (or would be expected to be through their performing a public-facing duty); or there is a clear and demonstrable threat to that individual’s health and safety if their name is made public.

As is clear from the MoD decision, seniority is just one factor to be taken into account. Public authorities should avoid the blanket non-disclosure of the names of all officers below a certain level of seniority. When it comes to the disclosure of names, what matters is what work the individuals are doing, rather than their seniority or grade. If a person is in a front facing role and his/her name is already in the public domain, then it will be difficult to withhold it.

In 2008 another Tribunal decision (The Department for Business, Enterprise and Regulatory Reform v Information Commissioner and Friend of the Earth (EA/2007/0072) examined whether names of private sector employees attending a meeting should be disclosed as well as those of civil servants. The request was for information about meetings and correspondence between Ministers and senior civil servants in the Department of Business, Enterprise and Regulatory Reform and employees from the Confederation of British Industry. Some of the documents relevant to the request included references to individuals who had attended such meetings as spokespersons or as note takers or bystanders. The Tribunal summarised the position as follows:

a. Senior officials of both the government department and lobbyist attending meetings and communicating with each other can have no expectation of privacy. The officials to whom this principle applies should not be restricted to the senior spokesperson for the organisation. It should also relate to any spokesperson.

b. Recorded comments attributed to such officials at meetings should similarly carry no expectation of privacy.

d. In contrast junior officials, who are not spokespersons for their organisations or merely attend meetings as observers or stand-ins for more senior officials, do have an expectation of privacy. This means that there may be circumstances where junior officials who act as spokespersons for their organisations are unable to rely on an expectation of privacy;

e. The question as to whether a person is acting in a senior or junior capacity or as a spokesperson is one to be determined on the facts of each case.

f. The extent of the disclosure of additional information in relation to a named official will be subject to usual test i.e. is disclosure necessary for the applicant to pursue a legitimate interest, and, even if it is, is the disclosure unwarranted due to the harm caused to the individuals by disclosure? This will largely depend on whether the additional information relates to the person’s business or professional capacity or is of a personal nature unrelated to business.

In January 2011, the First Tier Tribunal (Information Rights) considered disclosure of names in Dun v IC and National Audit Office (EA/2010/0060). The disputed information concerned the NAO’s enquiry into the FCO’s handling of employee grievances of a whistleblowing variety. The Tribunal was clear that no blanket policy should apply, and that fairness depends on the particular responsibilities and information with which the case is concerned. This decision is discussed in detail in episode 21 of my FOI Podcasts.

Where there is a risk to staff safety if their names are disclosed, then the public authority will be right to err on the side of caution. In Wild v IC and Chief Constable of Hampshire Constabulary (EA/2010/0132) the Appellant requested the dates of pre-hunt meetings in the last five years and the names of police officers attending pre-hunt meetings with organisers of the Isle of Wight Hunt. The Police responded, providing dates, but refusing to disclose the names of the officers in attendance.

The Commissioner considered the section 40(2) exemption and concluded that the disclosure would result in a breach of the First Data Protection principle.  He accepted that the disclosure may lead to the harassment of the officers identified and consequently the disclosure would be unfair to those officers. The Tribunal upheld the Commissioner’s decision.

Don’t forget condition 6 of schedule 2 of the DPA. A public authority will have to consider whether disclosure of a name is necessary for the applicant to pursue a legitimate interest, and, even if it is, whether the disclosure is unwarranted due to the harm caused to the individual by the disclosure.

A more recent Tribunal decision (January 2013), McFerran v IC (EA/2012/0030) involved a police search of a property owned by Shropshire County Council. At the police’s request, two junior council officers were present, but they had not been involved in any of the decision-making. The requester wanted the names of the council officers as well as their immediate superior. The council refused, relying on s. 40(2).

The Commissioner ordered disclosure of the name of the more senior officer, but not of the two juniors. The Tribunal agreed with this decision and dismissed the requester’s appeal, observing that:

“although… there is clearly a legitimate public interest in transparency of activity by public authorities, which impinges on the personal freedom of householders, there is insufficient information provided to add significant weight to the general public interest in transparency in public affairs. The Appellant has not satisfied us, either, that his attempts to have the matter investigated are being thwarted by the absence of the names of the individuals in question. If there is sufficient information about the event to interest those responsible for an investigation the absence of names will not deter them.”

This decision illustrates that, when it comes to junior officials, the requestor will have to show that there is legitimate interest in knowing the names of officers where they are junior. A general argument about openness and transparency will not suffice.

In Armit v IC and Home Office (EA/2012/0041) the UKBA redacted the names of the officials in a document entitled ‘Tourist Selection Indicators and Selection Techniques’ which fell within the scope of the request. The Tribunal agreed with this approach, taking account of the requester’s failure to identify a legitimate interest in public disclosure of the names of those officials:

“We do not accept the argument that the officials would not have expected their names within the document to be made public and were not given compelling evidence of this. We were given no information as to their specific grading but they were described in the document as ‘lead contributer’ and ‘lead postholder’. They clearly have some responsibility in relation to the work.  We were given no compelling evidence that disclosing their names would result in victimisation, insult or any form of danger.  However, we do accept that the officials would prefer not to have their names identified and that might in itself represent a certain right and freedom or legitimate interests in itself. In any event, to process personal data, it needs to be necessary to pursue the purposes of legitimate interests pursued by others.  In this case, we do not find that the Appellant has shown any legitimate interest in the names of the officials being disclosed to the public under FOIA. We conclude that the information is therefore exempt from disclosure.”

Another recent Tribunal decision on the disclosure of names is Roberts v IC and Dyfed Powys Police Authority (EA/2012/0032).

The issue of disclosure of names pursuant to an FOI request is a difficult one. As can be seen from this discussion of Tribunal decisions, a number of different factors have to be weighed in the balance. A blanket approach will not work.

Whilst on the subject of names, does an FOI requestor have to give his/her real name? Read the answer here  as well as a really bad joke!

Ibrahim Hasan will be discussing this and other recent FOI decisions in the FOI Update workshop  on 13th March 2013.

Do you want an international recognised qualification in FOI?                           The ISEB Certificate in Freedom of Information  starts in Birmingham on 26th March 2013.

Can Spiderman make a Freedom of Information request?

Has your public authority ever received an FOI request from Justin Case, Barb Dwyer or Stan Still? Would these even be valid requests? According to a survey of FOI officers published by the Constitution Unit, the average council receives 47 information requests a month. The media now make around a third of all requests but members of the public still account for the most number at 37%. Increasingly FOI officers come across unusual names when dealing with such requests.

Can the use of an apparently fictitious name or pseudonym invalidate an otherwise valid FOI request? Section 8 of the Act states that a request must be in writing, state the name of the applicant and an address for correspondence and must describe the information requested. Most FOI officers I have trained seem to think that they have the right to ask for the “real name” of the requestor. According to the Information Commissioner’s Guidance  this view is correct:

“…the use of a false or fictitious name is not acceptable. Therefore, where a public authority receives a request from a person using an obvious pseudonym, there is no obligation to comply with the request;”

The Guidance goes on:

“In most cases, it will be reasonable for a real name to comprise a name by which the person making the request is widely known and/or is regularly used by that person and which is not an obvious pseudonym or fictitious name.”

The Commissioner does explain later that a common sense approach should be taken. Even when an obvious pseudonym has been used, as good practice a public authority should still consider the request even though technically it can be regarded as invalid. He advises that this approach could be adopted in cases where identity is not relevant to the request and, in view of the general principle in FOI of disclosure to the world at large, where the authority is content to disclose the information.

I think the Commissioner’s guidance is flawed in that it encourages public authorities to focus too much on the identity of the requestor and not on the information being requested.  Let us go back to basics.

Section 8 only requires the applicant to state his/her name. I have always advised clients that a name is a just what the requestor chooses to call him/herself. The Commissioner’s guidance encourages the public authority to speculate whether a given name is a pseudonym or fictitious. How can a public authority be sure that a given name is so? Where can it check that a name is real? I am not aware of any comprehensive official register of names in the UK. And not everyone is on the electoral roll.

The names in the first paragraph of this article are real names uncovered by researchers from a parenting group after trawling through online telephone records. Other they found include Pearl Button, Jo King and Tim Burr.

In any event a public authority cannot insist on a real or “proper” name from an FOI requestor as there is no such concept in English Law. A person can call themselves anything. They are not restricted to what is on their birth certificate. People change their name by deed poll (though they do not have to use such a document) to fit in with their lifestyle or to emulate their favourite celebrity. If a public authority receives an FOI request signed “Amy Winehouse” or “Michael Jackson” are they going to reject it or ask for proof that the King and Queen of Pop have risen again? What about a request from Facebookdotcom Forwardslash Mountaindew UK? These are all real names of living people.  (Honest! Click Here )

When researching this article, I found some interesting (and real) names on The Monster Raving Loony Party’s list of 2010 election candidates . Step forward Mr Nick The Flying Brick Delves, Chinners Chinnery and Hairy Knorm Davidson. If the Commissioner’s advice is correct, it seems that these names are real enough to allow the user to stand for election to the Mother of All Parliaments but not real enough to make an FOI request (without providing documentary evidence).

In 2011 a council purportedly claimed that the Information Commissioner’s Office (ICO) had backed its stance of asking an FOI requester to prove his identity. Upon receiving a request from a Buck U. Fogal, for expenditure over £500 for the clearance of three streets, the council asked for two forms of identification.  In its response to the requestor, it seemed to be implying that the ICO had agreed with this approach. If this is true, it is not in accordance with the Act. Another council has it seems been implementing an equally dubious system of randomly seeking proof of identity .

FOI is applicant blind and so the identity of the requestor should not be an issue. There are 23 exemptions under Part 2 of the Act, which can be relied upon if there is a problem in disclosing the requested information. A public authority cannot and should not ask who is making the request. There are exceptions to this general rule of course. For example where the requestor is asking for personal data (section 40). Sometimes the use of a pseudonym together with other factors such as volume and frequency of requests many lead to a request being deemed to be vexatious under section 14 of the Act (see the Tribunal Decision in Duke v IC and University of Salford (EA/2011/0060 26th July 2011). But these are exceptions and not the rule.

My advice to public authorities is, if you get an FOI request giving a name which you believe is fictitious then treat it is a valid request and focus on whether a Part 2 exemption from disclosure applies.

So back to the question posed at the start of this article; can Spiderman make a Freedom of Information request?

The answer is no… but just tell him to the look on the Web! (boom boom!).

Ibrahim Hasan will be latest FOI developments and cases in his FOI Update workshop in Birmingham on 13th March. For those wanting an international recognized qualification in FOI, the ISEB Certificate in Freedom of Information  starts in Birmingham on 26th March

%d