Tag: Personal Data

Disclosure of Staff Names under FOI

Most_Popular_Male_Names

When considering request for information under the Freedom of Information Act 2000(FOI) public authorities often face a dilemma about disclosing names of staff.

Names are generally considered to be personal data, being information relating to living identifiable individuals (as defined by the Data Protection Act 1998 (DPA)). (Although one Information Tribunal (as it was known then) decision, Harcup v Information Commissioner and Yorkshire Forward (EA/2007/0058), ruled they are not. (See episode 11 of my FOI Podcasts for a full discussion of this decision). Therefore the exemption under section 40(2) (third party personal data) will have to be considered.

For this exemption to be engaged a public authority must show that disclosure of the name(s) would breach one of theData Protection Principles. Most cases in this area focus on First Principle and so public authorities have to ask, would disclosure be fair and lawful? They also have to justify the disclosure by reference to one of the conditions in Schedule 2 of the DPA (as well as Schedule 3  in the case of sensitive personal data). In the absence of consent, most authorities end up considering whether disclosure is necessary for the applicant to pursue a legitimate interest and, even if it is, whether the disclosure is unwarranted due to the harm caused to the subject(s) (condition 6 of Schedule 2)?

The seniority of the staff, whose names are being requested, will of course be a key factor in deciding whether disclosure is fair. The first Information Tribunal decision on this issue, back in 2007, (Ministry of Defence v Information Commissioner and Rob Evans (EA/2006/0027)) concerned a request made by a journalist for a staff directory which included the names and contact details of individuals working for the Defence Exports Services Organisation. The MoD refused to disclose the information citing, amongst others, the exemption under section 40(2).

The Tribunal ruled that that the MoD could only withhold names of staff if they are particularly junior (below Civil Service B2 Level), not immediately responsible for the requested information and their name is not already available elsewhere (or would be expected to be through their performing a public-facing duty); or there is a clear and demonstrable threat to that individual’s health and safety if their name is made public.

As is clear from the MoD decision, seniority is just one factor to be taken into account. Public authorities should avoid the blanket non-disclosure of the names of all officers below a certain level of seniority. When it comes to the disclosure of names, what matters is what work the individuals are doing, rather than their seniority or grade. If a person is in a front facing role and his/her name is already in the public domain, then it will be difficult to withhold it.

In 2008 another Tribunal decision (The Department for Business, Enterprise and Regulatory Reform v Information Commissioner and Friend of the Earth (EA/2007/0072) examined whether names of private sector employees attending a meeting should be disclosed as well as those of civil servants. The request was for information about meetings and correspondence between Ministers and senior civil servants in the Department of Business, Enterprise and Regulatory Reform and employees from the Confederation of British Industry. Some of the documents relevant to the request included references to individuals who had attended such meetings as spokespersons or as note takers or bystanders. The Tribunal summarised the position as follows:

a. Senior officials of both the government department and lobbyist attending meetings and communicating with each other can have no expectation of privacy. The officials to whom this principle applies should not be restricted to the senior spokesperson for the organisation. It should also relate to any spokesperson.

b. Recorded comments attributed to such officials at meetings should similarly carry no expectation of privacy.

d. In contrast junior officials, who are not spokespersons for their organisations or merely attend meetings as observers or stand-ins for more senior officials, do have an expectation of privacy. This means that there may be circumstances where junior officials who act as spokespersons for their organisations are unable to rely on an expectation of privacy;

e. The question as to whether a person is acting in a senior or junior capacity or as a spokesperson is one to be determined on the facts of each case.

f. The extent of the disclosure of additional information in relation to a named official will be subject to usual test i.e. is disclosure necessary for the applicant to pursue a legitimate interest, and, even if it is, is the disclosure unwarranted due to the harm caused to the individuals by disclosure? This will largely depend on whether the additional information relates to the person’s business or professional capacity or is of a personal nature unrelated to business.

In January 2011, the First Tier Tribunal (Information Rights) considered disclosure of names in Dun v IC and National Audit Office (EA/2010/0060). The disputed information concerned the NAO’s enquiry into the FCO’s handling of employee grievances of a whistleblowing variety. The Tribunal was clear that no blanket policy should apply, and that fairness depends on the particular responsibilities and information with which the case is concerned. This decision is discussed in detail in episode 21 of my FOI Podcasts.

Where there is a risk to staff safety if their names are disclosed, then the public authority will be right to err on the side of caution. In Wild v IC and Chief Constable of Hampshire Constabulary (EA/2010/0132) the Appellant requested the dates of pre-hunt meetings in the last five years and the names of police officers attending pre-hunt meetings with organisers of the Isle of Wight Hunt. The Police responded, providing dates, but refusing to disclose the names of the officers in attendance.

The Commissioner considered the section 40(2) exemption and concluded that the disclosure would result in a breach of the First Data Protection principle.  He accepted that the disclosure may lead to the harassment of the officers identified and consequently the disclosure would be unfair to those officers. The Tribunal upheld the Commissioner’s decision.

Don’t forget condition 6 of schedule 2 of the DPA. A public authority will have to consider whether disclosure of a name is necessary for the applicant to pursue a legitimate interest, and, even if it is, whether the disclosure is unwarranted due to the harm caused to the individual by the disclosure.

A more recent Tribunal decision (January 2013), McFerran v IC (EA/2012/0030) involved a police search of a property owned by Shropshire County Council. At the police’s request, two junior council officers were present, but they had not been involved in any of the decision-making. The requester wanted the names of the council officers as well as their immediate superior. The council refused, relying on s. 40(2).

The Commissioner ordered disclosure of the name of the more senior officer, but not of the two juniors. The Tribunal agreed with this decision and dismissed the requester’s appeal, observing that:

“although… there is clearly a legitimate public interest in transparency of activity by public authorities, which impinges on the personal freedom of householders, there is insufficient information provided to add significant weight to the general public interest in transparency in public affairs. The Appellant has not satisfied us, either, that his attempts to have the matter investigated are being thwarted by the absence of the names of the individuals in question. If there is sufficient information about the event to interest those responsible for an investigation the absence of names will not deter them.”

This decision illustrates that, when it comes to junior officials, the requestor will have to show that there is legitimate interest in knowing the names of officers where they are junior. A general argument about openness and transparency will not suffice.

In Armit v IC and Home Office (EA/2012/0041) the UKBA redacted the names of the officials in a document entitled ‘Tourist Selection Indicators and Selection Techniques’ which fell within the scope of the request. The Tribunal agreed with this approach, taking account of the requester’s failure to identify a legitimate interest in public disclosure of the names of those officials:

“We do not accept the argument that the officials would not have expected their names within the document to be made public and were not given compelling evidence of this. We were given no information as to their specific grading but they were described in the document as ‘lead contributer’ and ‘lead postholder’. They clearly have some responsibility in relation to the work.  We were given no compelling evidence that disclosing their names would result in victimisation, insult or any form of danger.  However, we do accept that the officials would prefer not to have their names identified and that might in itself represent a certain right and freedom or legitimate interests in itself. In any event, to process personal data, it needs to be necessary to pursue the purposes of legitimate interests pursued by others.  In this case, we do not find that the Appellant has shown any legitimate interest in the names of the officials being disclosed to the public under FOIA. We conclude that the information is therefore exempt from disclosure.”

Another recent Tribunal decision on the disclosure of names is Roberts v IC and Dyfed Powys Police Authority (EA/2012/0032).

The issue of disclosure of names pursuant to an FOI request is a difficult one. As can be seen from this discussion of Tribunal decisions, a number of different factors have to be weighed in the balance. A blanket approach will not work.

Whilst on the subject of names, does an FOI requestor have to give his/her real name? Read the answer here  as well as a really bad joke!

Ibrahim Hasan will be discussing this and other recent FOI decisions in the FOI Update workshop  on 13th March 2013.

Do you want an international recognised qualification in FOI?                           The ISEB Certificate in Freedom of Information  starts in Birmingham on 26th March 2013.

Quantum Personal Data

It has been clear for some time that personal data leads a somewhat schizophrenic existence. So identical photographs can be personal data in the hands of the police, but not in the hands of a journalist. See the example on page 11 of the Information Commissioner’s technical guidance  “Determining what is personal data”, which leads him to conclude that “the same piece of data may be personal data in one party’s hands while it may not be personal data in another party’s hands”.

However it also now seems possible that determining whether something is personal data depends on what question you ask, even for the same data held by a single data controller. “Is this exempt from disclosure under FOI?” or “Is this disclosable to an applicant who makes a subject access request (SAR)?”. Like poor Schrödinger’s cat , until the question is posed the data may exist in an indeterminate ‘superposition of states’.  Similarly the answer to the first question may vary depending on whether the applicant was involved in the matter.

In a recent flurry of Decision Notices, of which FS50426097 is a typical example, the Information Commissioner (IC) asked the FOI question. The complainant had made a prior request to the police for detailed information about a forensic service provider, its machines and procedures. Subsequently, the applicant made a request for “any documentation in relation to communication with any third party in respect of the questions contained in my original FOIA request”. After internal review and upheld by the Information Commissioner in this and related decisions the police relied on s40(5)(a) and declined to confirm or deny whether it held the material, on the basis that if it did, it would be the personal data of the complainant. In effect saying that the complainant should have made an SAR, and presumably pay £10 for the privilege.

As the IC observed (my emphasis) “After careful consideration of the wording of the request, the Information Commissioner is satisfied that the complainant is, or would be, the subject of all of the information requested.” He concluded therefore that the authority was not required to comply with the obligation to confirm or deny whether it held the information, since this would itself involve the disclosure of personal data about the complainant – the s40(5)(a) exemption. Note that the IC appears to have made no examination of the information held, which appears to go against normal practice. There are a number of cases where authorities and their FOI officers have been criticised by the IC for making decisions on disclosure without ever looking at the material held.

Be that as it may, what will happen when the complainant, as it appears he has, makes his SAR? Pragmatically, having taken its stance and fee, the authority may well supply the requested information, subject to possibly removing any other person’s personal data under s7(4) Data Protection Act 1998. But step back a minute and assume that the police actually deal with the SAR in accordance with the strict legal position. What personal data is there ? Certainly information which identifies the complainant as the maker of the original FOI request. But what about all the content? The FOI request was not about a personal issue at all. The bulk of the material relating to such a request, particularly if dealt with on an applicant blind basis, will surely be about enquiries into what information was held, directly or on behalf of the authority, or about whether any such material (if it existed) was possibly exempt. That cannot be the personal data of the applicant even if, as the police indicated, it was “contained within files which are stored by reference to the applicant’s name”.

This would seem in SAR terms to be a classic Durant situation. To paraphrase Auld LJ from paragraphs 30-31 of the Durant judgement:

Just because the authority’s response to the request emanated from an FOI request by the complainant does not render information obtained or generated by that request, without more, his personal data. For the same reason, either on the issue as to whether a document contains “personal data” or as to whether it is part of a “relevant filing system”, the mere fact that a document is retrievable by reference to his name does not entitle him to a copy of it under the Act. In short the complainant does not get to first base in his claim against the authority because most of the further information sought, whether in computerised form or in manual files, is not his “personal data” within the definition in section 1(1). It is information about his FOI request and the objects of them, the authority and the forensic service provider respectively.

Now of course it may be that there is more personal data than this, particularly if the internal response to the request, ignoring the applicant blind principle, has focussed on the complainant, rather than the request, but the IC is in no position to make that judgement if he decides on the basis of the wording of the request, rather than a consideration of the information held. Possibly, considering the history of the complainant, the IC has assumed the purpose of the request is to find out how the authority was dealing with him, but there is no objective basis for that assumption.

A contrasting situation arises in the April 2012 Tribunal case of Efifiom Edem v IC . The Tribunal sought to apply the Durant criteria strictly in an FOI case. I will gloss over here the rather alarming addition of the word “adversely” to the Durant consideration of whether the processing affects someone’s privacy (paragraph 34), but would point out that if Edem is correctly decided it severely limits the ability of staff to access their ‘personal data’ under an SAR, as much of what may have been thought to be personal is not so, in fact . But for present purposes there is a huge gulf between the approach in Edem and in  FS50426097. Imagine for a moment that it was a third party, not the complainant, who made the second FOI request in  FS50426097 i.e. it was  typical meta-request about the handling of someone else’s earlier request. I do not believe for one moment one could argue that this request would fail under s40(2) as responding would disclose the personal data of the complainant. At worst the authority would redact the complainant’s identity and supply the rest of the information, and if that is done, the application of s40(5)(a) as a blanket when the complainant makes the request cannot be correct.

The definition of personal data is tricky enough as it is, but if the IC and Tribunal continue to determine the result based on the nature of the enquiry, data protection and FOI teams face some impossible dilemmas.

Philip Bradshaw is a former solicitor and local authority data protection officer. He now delivers our information law courses in Cardiff.