After imbibing some Bavarian Lager and a number of Decision Notices (including some Scottish ones), I have come to the conclusion that FOI requests of the kind “Please provide, in electronic form, the email addresses of all members of staff” can be resisted until a public authority is certain that the balance of interest lies with disclosure. This blog explains why I think this is the case, so please argue with me if you think I am wrong.
I started down this path when I realised that the Scottish Information Commissioner (SIC) and the Sassenach equivalent (the ICO) take a different view of the balance of interest test in Schedule 2, paragraph 6 of the Data Protection Act (DPA). This is the Schedule 2 ground that is used to test whether the interests of the public in the publication of requested personal data under FOI prevail over the interests of the data subject in the non-publication of such data.
Schedule 2, paragraph 6 of the DPA sets out the balance of interest as follows:
“The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject”.
First to the different approach between the ICO and SIC. In summary, the SIC considers whether the requesting “third party” has a specific legitimate interest in disclosure whilst the ICO considers whether the “third parties” in general have a collective legitimate interest. I prefer the ICO approach to this test, but this divergence of approach is not the subject of this blog.
So, for example, in Decision Notice 018/2010 involving a “Ms Y” (see references), the SIC asks the question “Does Ms Y have a legitimate interest in being given this personal data” and if so “is disclosure necessary to achieve those legitimate aims?”. Indeed he asks this question as a matter of routine in relation to the application of the personal data exemption in FOISA (so I can reassure you that I am not picking on “Ms Y”!).
Now to the thought that occurred to me: if the SIC asks this question, why can’t it be asked by any public authority when it cannot identify the outcome of the “balance of interests” test? Note that my argument does not apply to requests where those interests are clear (e.g. “Please provide me details of the number of registered sex offenders in the same post-code area as so-and-so Junior School”) but does apply when the request is a general one (e.g. “for all email addresses”).
“Ah – but FOI is purpose blind”, I hear you say. I agree. However, I am not challenging that premise. All I am suggesting is that where the balance between conflicting interests is uncertain (i.e. the legitimate interests of the public versus the legitimate interests of the data subject), questions can be asked of the requestor to help resolve the matter.
Strange as it might seem, this issue was also raised in the Durant decision in another guise. In section 7(4) of the Data Protection Act, the data controller is faced with the dilemma of whether it is reasonable in all the circumstances to release (or not to release) the identity of other individuals identified in personal data that have been requested by a data subject.
Para 61 of Durant states that where the data controller cannot resolve this dilemma “The data controller .... should also be entitled to ask what, if any, legitimate interest the data subject has in disclosure of the identity of another individual named in or identifiable from personal data to which he is otherwise entitled...”. In other words, if in doubt, ask the requestor.
Indeed the ICO in his recent Decision Notice (FS50164940 dated 4 March 2010; see references), implies this line. He writes that Schedule 2, paragraph 6 “establishes a three part test which must be satisfied”. These three parts are:
• “there must be legitimate interests in disclosing the information”,
• “the disclosure must be necessary for a legitimate interest of the public”, and
• “even where the disclosure is necessary, it nevertheless must not cause unwarranted interference (or prejudice) to the rights, freedoms and legitimate interests of the data subject”.
Remember the premise is that in an FOI request “for an electronic copy of all staff email addresses”, the outcome of the balancing test is not clear. So, I would argue that it would be helpful to ask the applicant why the legitimate interest in disclosure should prevail, especially as the FOI requestor (if he gets the personal data following the request) would have obligations as a data controller (when he gets an electronic list of emails).
Surely, the public authority is properly balancing the conflicting interests by ensuring that any disclosure of personal data is to an FOI requestor who is aware of his obligations as data controller? Isn’t it reasonable to ask such an FOI requestor for a copy of his notification under the Act (or to identify which exemption from notification he is relying on)?
I think it is reasonable for the public authority to seek confirmation that any personal data disclosed falls within the domestic purpose exemption (S.36) of the DPA. If the answer is “yes”, then the requestor cannot use the personal data for a business purpose without taking a significant risk (see later).
In order to protect the rights of data subjects, you could ask the requestor whether the personal data are to be used for a marketing purpose and if so, how is he to meet the right to object to the marketing purpose? In fact, I suspect that the FOI requestor, as data controller, would be processing personal data in circumstances where the general right to object to the processing (S.10) would apply.
So you can ask whether it would be “helpful” to the requestor if individuals subject to his request were advised of their rights? Perhaps you can ask whether it would “help” to send data subjects the requestor’s fair processing notice and an email address where data subjects can register any objection to his processing or marketing purpose?
I think that this approach is also in accordance with the Interpretation of the Second Data Protection Principle. This states that “In determining whether any disclosure of personal data is compatible with the purpose or purposes for which the data were obtained, regard is to be had to the purpose or purposes for which the personal data are intended to be processed by any person to whom they are disclosed”. How can the public authority release personal data about staff to an FOI requestor without having any regard to what the requestor’s purpose is?
And what about the Third Principle? How can a public authority know that the personal data is relevant to the legitimate purpose pursued by the requestor if that public authority cannot, with any certainty, identify what that legitimate purpose is?
If the requestor fails to assist the public authority in its decision making processes, then I would argue there are a number of Principles that could easily be breached. In such circumstances it is reasonable for a public authority to refuse such requests.
Now we come to last week's "Bavarian Lager" judgment by the European Court, following an appeal pursued by the Commission at the behest of the last UK “New Labour” Government (interesting that, isn’t it?). Paragraph 78 of that judgment (see references) determined that the names of civil servants who made decisions about guest beers in UK pubs were reasonably redacted by the Commission.
This was because “Bavarian Lager has not provided any express and legitimate justification or any convincing argument in order to demonstrate the necessity for those personal data to be transferred” and “the Commission has not been able to weigh up the various interests of the parties concerned”.
So there we have it. When the European Court cannot decide where the balance of interest lies, it wants details as to why the requestor wants the personal data. When the SIC makes a decision, he asks about the requestor’s legitimate interest. When the ICO makes a decision, he asks about “the disclosure being necessary for a legitimate interest of the public”.
That is why I have concluded that when a public authority receives a request on the lines outlined above, it is perfectly proper to ask modest questions of the requestor about his legitimate interest.
I would also add a sting in the tail. If I was a public authority on the receiving end of an “everybody’s email” request, and there were to be a disclosure to the requestor, I would tell the requestor that the personal data have been seeded with email addresses whose sole function is to identify misuse of personal data, which of course could be an offence under Section 55 of the Act.
After all, I would argue that public authorities are protecting the legitimate interests of data subjects by protecting them from processing purposes which, if identified prior to disclosure, could have resulted in the refusal of the request. FOI requestors should know that there are penalties for misleading public authorities into disclosing personal data under an FOI regime.
Will the above work? Well I think it would; if it doesn’t, I promise to visit on a regular basis! At the very least, you can send the requestor a copy of this blog so he is aware of the problem.
References:
• Decision 018/2010: Ms Y and East Ayrshire Council; http://www.itspublicknowledge.info/applicationsanddecisions/Decisions/2010/200901769.asp
• Durant: [2003] EWCA Civ 1746 (8th December 2003)
• ICO Decision Notice FS50164940: http://www.ico.gov.uk/upload/documents/decisionnotices/2010/fs_50164940.pdf
• ECJ - Bavarian Lager - Case C 28/08P concerning the DP/FOI interface specified in Regulation (EC) No 1049/200.
I'm FOI Officer for a county council. When we receive requests of the "email addresses and contact details for your head of Finance, head of IT, etc." we always ask the affected employees if they would like us to issue a s10 (DPA) notice on their behalf. Usually they say yes, as they don't want to be spammed with emails/tel. calls from companies trying to sell them stuff. So, when we send the response, we attach a s10 notice, addressed to the requestor, advising them that the individuals within the response are objecting to their personal data being used for marketing. Seems to work, as we've never had a colleague subsequently tell us that they've received marketing as a result of the disclosure.
Posted by: Martin | 08/07/2010 at 05:19 PM