The Information Tribunal has just adjudged that the names of three junior members of staff who had a part in an applicant’s complaint to the Financial Services Authority (FSA) can be disclosed as part of a Freedom of Information (FOI) request. The Information Rights Tribunal, following Durant, concluded that the names of these staff were not personal data.
As every data protection aficionado knows, mentioning Durant is rather like swearing in public, as its application can result in bizarre conclusions; this Tribunal determination, I think, is one of these. So this blog explains where I think the Tribunal went wrong and suggests what should happen with such FOI requests.
The Tribunal Decision
The appeal concerned a request made by an applicant to the FSA for a copy of information it held about his complaint. Paragraph 21 of the Information Commissioner’s Decision Notice confirms that the requested information included the names of “the staff in question (who) worked on the complainant’s complaint” (see references).
In its decision (see references) the Information Rights Tribunal said that these employee names were not personal data because the name did not "affect the individuals' privacy, whether in their personal or family life, business or professional capacity". This overturned the ICO’s Decision Notice which concluded that the FSA was right to withhold these details because:
“21 The Commissioner notes that while the staff in question worked on the complainant’s complaint, they did not correspond with him about it. He also notes that the public authority has confirmed that they were not in public facing roles and that these individuals were of a grade below that of manager. It is the Commissioner’s view that these members of staff would have had no expectation that their names would be released into the public domain.
22. The Commissioner is also satisfied that disclosure of their names would not add anything further to the way in which the complainant’s complaint had been dealt with. Therefore any legitimate interest in the disclosure of the names of these individuals is outweighed by the prejudice disclosure would cause to the rights and freedoms of the individuals concerned”.
By contrast, the Information Rights Tribunal said that the three names "may well be sufficient" to identify the individuals when taken together with information that they were employed by the FSA in certain positions on a given date, however it did not follow that the names themselves were personal data even if the individuals could be identified as the information must also be "such as to affect the person's privacy".
Slavishly following Durant, the Tribunal concluded that "In our view the Disputed Information (these are the names of employees) is not biographical in any significant sense" and that in this case "The information does not go beyond the recording of the data subjects' involvement in a matter that has no personal connotations. It simply concerns a transaction or matter in which the individuals in question were involved".
The Tribunal was careful to say that this would not always be the case. For instance, "there are a number of organisations, the nature of whose activities are such that information that a particular individual was employed by them, might well amount to personal data" and that disclosing the name of an individual who was employed by an organisation licensed to conduct experiments on animals "may disclose something about his likely opinion on the often contentious subject of animal rights, and could lead to harassment by so-called animal rights activists".
In such cases, the Tribunal said this information would be personal data that were exempt under FOI as the requested details were "biographical" and did indeed impact on an individual's privacy.
Where the Tribunal went wrong
We can now see what has happened? The Tribunal has asked:
a. Is the requested information “data”? Answer “yes”
b. Does it relate to a living individual? Answer “yes”
c. Does it relate to a living individual in a biographically significant way? Answer “No”
d. Is there a context that makes it biographically significant? Answer “No – we can’t see one” (despite the fact that “the staff in question worked on the complainant’s complaint”!)
The problem is at questions (c) and (d) – so the question has to be asked “How does a public authority know what is biographically significant for a data subject and what is not”?
For the Tribunal, consideration of the “two notions” put forward by Auld LJ. in Durant is suffice (e.g. “biographical significance” and “continuum”). In other words, it is the public authority who determines these matters in every instance. However, I think this is a too simplistic approach to the three possible scenarios concerning “biographical significance”.
These scenarios are:
• The public authority knows for certain the personal details are biographically significant;
• The public authority knows for certain the personal details are not biographically significant; or
• The public authority does not know whether the details are biographically significant or not.
I think we can agree that the essential problem is with the last issue (i.e. the public authority does not know).
This issue of “not knowing” was actually resolved in the Durant judgement. In section 7(4) of the Data Protection Act, the data controller is faced with the dilemma of whether it is reasonable in all the circumstances to release (or not to release) the identity of other individuals identified in personal data that have been requested by a data subject.
In paragraph 61 of Durant, Auld LJ. states that where the data controller cannot resolve this dilemma, “The data controller .... should also be entitled to ask what, if any, legitimate interest the data subject has in disclosure of the identity of another individual named in or identifiable from personal data to which he is otherwise entitled...”. In other words, if in doubt, ask the requestor why he wants the name. This was not suggested by the Tribunal.
This “ask the requestor” idea is reinforced by interpreting the balance of interest tests in Schedule 2, paragraph 6 of the DPA which is used to justify release of personal data by FOI requests. This sets out the balance of interest as follows:
“The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject”. (my emphasis)
So how does one know what weight to place on the “legitimate interests of the data subject” when you don’t know? Use a crystal ball? Employ Tarot Cards? Throw dice?
If you just ask “Who is in the best position to know what weight to place on the data subject’s legitimate interests?”, then I think the answer is obvious. So my conclusion: ask the requestor for why he wants the personal data and then, if needed, ask the data subject for a view? There is nothing in the FOI Act that I can see that stops this kind of approach.
Of course, the public authority after consideration of the data subject’s legitimate interests can still decide to release the personal data. In addition, there might be standard conditions when there is no need to ask the data subject for his view (these have been established by cases before the Tribunal such as those dealing with expenses of senior managers).
I should add that the Scottish Information Commissioner already asks this question of the FOISA applicant when he can’t fathom "the legitimate interests of the Third Party to whom personal data are disclosed" (see above). I raise this just to show that asking the requestor is not an alien FOI concept just made up by me for this blog (see references below).
Reverting to Durant, it is interesting to note that Mr Durant did not get the details of the individual handling his complaint at the FSA because, according to the judgment Auld LJ says “.....the name of an FSA employee which, in itself, can have been of little or no legitimate value to Mr. Durant and who had understandably withheld his or her consent because Mr. Durant had abused him or her over the telephone” (para 67 of Durant).
Note that it is this "little or no legitimate value" sentiment finds expression in the Commissioner’s Decision Notice, where he says “...The Commissioner is also satisfied that disclosure of their names would not add anything further to the way in which the complainant’s complaint had been dealt with. Therefore any legitimate interest in the disclosure of the names of these individuals is outweighed by the prejudice disclosure would cause to the rights and freedoms of the individuals concerned” (para 22 of the Decision).
So that is why I think that when a public authority receives a request on the lines outlined above and has difficulty in deciding what to do, it is perfectly proper for it to ask modest questions of the requestor AND/OR the data subject about his or her legitimate interest so that the correct balance can be struck. Indeed, I am brave enough to say that when a public authority does not know where the balance of interests lies, this is the only way for that authority to determine the correct balance of interests.
This is where the Tribunal went wrong. It has decided that the public autrhority in all instances should have a punt at arriving at the correct balance whereas it should have promoted the obvious mechanism which actually arrives at the correct balance.
Note that there is a sting in the tail for the FOI requestor who misleads the public authority as to his legitimate interest; such a requestor could be committing an offence under Section 55 of the Act if the public authority were to disclose personal data on the wrong basis.
This assures the public authority that the FOI requestor is unlikely to tell porkies.
Download the ICO’s Decision Notice: Download Fs_50312938_durant_names not personal data
Download the Tribunal Notice in this case:Download Fs_50312938_APPEAL_names not personal data
“Some FOI requests for personal data are not purpose blind” (this includes the SIC Decision Notice referred to above): http://amberhawk.typepad.com/amberhawk/2010/07/some-foi-requests-for-personal-data-are-not-purpose-blind.html