“The time has come" the walrus said, "to talk of many things. Of FOISA/DP interface and Scottish mis-givings”.
Because of a recent Supreme Court judgment concerning the Freedom of Information (Scotland) Act (FOISA), the approach of Scottish Information Commissioner (SIC) towards the data protection/FOISA interface is set infect FOIA Tribunal Decisions for the rest of the UK (see references for full details about relevant cases).
I will put my cards on the table at the risk of a boycott of our BCS DP qualification course in Edinburgh next year (places still available!): I think the SIC has the DP/FOISA interface wrong, so I better explain why.
I referred to this problem in passing in a blog about two years ago (see references), but because of the Supreme Court judgement, now is the time to alert specialists to an interpretative issue that could become a major headache. It occurs when there is a FOI/FOISA request for third party personal data (i.e. when the FOISA/FOI applicant for personal data is not the data subject).
Both the English Information Commissioner (ICO) and SIC have lengthy Guidance on this interface. The two sets of Guidance are contradictory on one important consideration.
Both sets of Guidance state that FOI (and FOISA) require that the public authority concerned to consider whether or not the disclosure of the requested personal data would satisfy the grounds stipulated by Schedule 2, paragraph 6 of the DPA.
According to the SIC, this ground reads as follows:
“The processing (in this case, disclosure in response to an information request under FOIA or FOISA) is necessary for the purposes of legitimate interests pursued by the data controller, or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subjects”.
Did you spot the plural “data subjects” in the end of the above. The SIC’s FOISA guidance has the plural; by contrast the ICO’s FOIA Guidance has the singular “data subject” (which is of course the correct formulation of Schedule 2, paragraph 6). The ICO’s view involves consideration of the legitimate interests of each and every data subject; not all data subjects as a group as implied by the SIC’s position.
This divergence of view gets worse as we delve deeper into the DP/FOI or DP/FOISA interface.
When meeting a request for third-party personal data, the ICO Guidance states that the ground in paragraph 6 requires the public authority to apply a three-part test:
• “there must be a legitimate interest in disclosure to the public;
• the disclosure must be necessary to meet that legitimate interest; and
• the disclosure must not cause unwarranted harm to the interests of the individual.”
The ICO then adds:
“The private interests of the requester, or even of a small group of people, are not relevant in this context. Section 40(3) refers to “the disclosure of the information to a member of the public”, not disclosure to the requester specifically” (my emphasis of para 82).
The SIC’s guidance on this interface comes to a different conclusion.
The SIC asks the Scottish public authority to ask itself:
“1. Does the applicant have a legitimate interest in obtaining this personal data?” (The SIC adds “In some cases, the legitimate interest might be personal to the applicant– e.g. he or she might want the information in order to bring legal proceedings. With most requests, however, there are likely to be wider legitimate interests, such as scrutiny of the actions of public bodies or public safety”). (my emphasis)
2. If yes, is the disclosure necessary to achieve these legitimate interests?
3. Would the disclosure nevertheless cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects? (Note: plural data subjects rather than individual data subject)".
So, there you have it. If there a FOIA request to third-party personal data south of the border, the interests of the requestor are irrelevant; north of the border, they are very important. Both ICO and SIC can’t be right. Which one is correct?
Enter the Supreme Court Judgment
In May 2010, there were a number of FOISA requests for information to South Lanarkshire Council about the number of employees who were placed at 10 particular points on the Council’s pay scales in specified posts. The Council refused the request on the grounds that to comply with the request would contravene the First Data Protection Principle; in particular, following SIC, it argued that the specific FOISA requestor had no legitimate interest in disclosure.
The SIC determined that the particular requestor had a legitimate interests, and upon performing the other two tests (see above), decided that the Council should release these statistics derived from personal data. There was an Appeal to Inner House of the Court of Session which agreed with the SIC’s position, and a further Appeal to the Supreme Court which did not disagree with the SIC.
The Supreme Court judgement concerned the meaning of “necessary” as used in “necessary for the purposes of legitimate interests pursued by …. the third party or parties to whom the data are disclosed”. It focused on (a) whether there was an individual private interest to protect and (b) whether a disclosure was “necessary” to deliver the “legitimate interest” goal.
The Court determined that as there was no private interest to protect, then the disclosure could proceed. In coming to this position, the Supreme Court did not promote the SIC’s view that the particular interest of the FOISA requestor (the third party) was key consideration; nor did they follow the ICO’s view that the interest had to be a general public interest (i.e. the interests of third parties in general; paragraph 18 of the judgement). The Court merely stated what the ground was and then primarily focused on issues (a) and (b) as described in the last paragraph.
The Supreme Court concluded that as there was no interest that related to private and family life to protect; it followed that the SIC “was entitled to reach the conclusion that he did” and could require disclosure. Note they carefully avoided comment on the conflicting ICO and SIC approaches.
In summary, the Supreme Court judgement reflects the SIC’s responsibility to balance conflicting interests in requests for third party personal data (i.e. privacy versus disclosure), and then come to a decision. This judgement did not confirm that the methodology used to arrive at that decision is correct (i.e. whether or not the particular third party interest is a valid reason for disclosure).
The infection: obiter remarks as virus
However, two obiter remarks in the Supreme Court judgment have been interpreted by two FOIA Tribunals to imply that the interest of a particular “third party” can be considered in terms of Schedule 2, paragraph 6. As I said, I think this is wrong (at end of this blog).
For instance, paragraph 24 of the judgment refers to a “legitimate interest, which may be a purely private interest” (i.e. of a third party). However, I think this statement is not intended to be a considered analysis of whether the interests of the “third party requestor” is a correct consideration, as “may” in the context of the quote could easily mean a “may not”.
Paragraph 27 states that “pursuing a legitimate interest in seeking the information ... is not at issue in this case”. This is unhelpfully ambiguous: the phrase “is not an issue in this case” could be construed as “this point is not contested and all parties agree of the validity of the use of third party consideration” (this supports the SIC’s approach) or “is not an issue that the Court has to determine” (which doesn’t).
However, in the recent Henderson Tribunal (a FOIA request for third party personal data), the Tribunal, referring to the Supreme Court said:
"The Commissioner accepted that Mr Henderson had a legitimate interest in obtaining the information he was requesting (a conclusion with which we agree) but he was apparently of the view that, because that interest was of a purely private nature, it was not relevant for the purposes of paragraph 6 of Schedule 2".
" We disagree with that view: there is nothing in paragraph 6 to suggest that the “legitimate interest” of the person to whom the data is to be disclosed has to be of a public nature” (referring to the paras ,  and  quoted above).
It then said “this decision is not intended to lay down any precedent” (as the Tribunal set one) and concluded that the ICO had misapplied the DP/FOI Interface. It remitted the request back to the public authority to sort out the mess saying that the section 40(2) exemption could not be applied.
The recent Ferrand Tribunal said something similar:
“The Commissioner submitted that in the light of the wording of section 40 FOIA (disclosure to “… to a member of the public otherwise than under [FOIA]”) the only legitimate interests that can be considered in relation to condition 6 in Schedule 2 to the DPA are public interests and not the private interests of the person seeking the information.
"We do not read the relevant provisions in that way. More importantly, it is clear from the decision of the Supreme Court … (in the case above) … that they do not either” (my emphasis).
In other words, whereas I think the Supreme Court avoided a determination of whether the particular interest of a third party was a valid consideration, these Tribunals have concluded that it has.
However, I can comment on that the Tribunal’s argument on the lines that “there is nothing in paragraph 6 to suggest that the “legitimate interest” of the person to whom the data is to be disclosed has to be of a public nature” to show it is invalid.
In summary, the function of Schedule 2, paragraph 6 in data protection terms is to provide one ground in six that could apply to legitimise any disclosure in terms of the First Principle; it simply cannot refer explicitly to FOI considerations suggested by the Tribunal because a disclosure to meet FOI requirements is only one type of disclosure in many.
Put it another way: assume the Tribunal’s wishes were true and Schedule 2, paragraph 6 had said something like:
“The processing is necessary for the purposes of legitimate interests pursued by …. the third party or parties to whom the data are disclosed (where the legitimate interest of the third party or parties is of a public nature)….. .
You can see now that this ground would not apply to many non-FOI disclosures of personal data.
Why I think the SIC is wrong
The argument goes like this. I start from the premise that requests under FOI and FOISA, in theory, are applicant and purpose blind. If you accept this premise, then SIC has to be wrong!
First assume the SIC is correct and the grounds to be considered with respect of a disclosure of third-party personal data has to be “necessary for the purposes of legitimate interests pursued by …. the third party...” (singular).
Then it follows to understand this "legitimate interest", the identity of the particular requesting third party and the specific purpose behind the request are both essential if a public authority is to properly understand the context of the requestor’s “interest”.
So, it follows that the SICs approach to FOI requests for third-party personal data cannot be applicant or purpose blind. This negates our premise and therefore cannot be correct.
It is easy to see that the alternative hypothesis is correct as the use of “third parties” results in the realisation of both blind objectives. Both FOIA and FOISA can be applicant and purpose blind if the plural “third parties” is preferred because the purpose relates to a general public interest purpose and the interest is that of "third parties" in general (i.e. any third party or any member of the public).
Mathematicians call this “proof by contradiction”.
Hypothetically, suppose also that there is a FOISA request that is of general interest to the public but of no specific interest to the particular third party requestor. It follows that under the SIC’s interpretation, it is possible for such a FOI request to be refused because there is no specific interest on the part of the particular requestor.
This would be the opposite of what one expects: the wider the general public interest in some third-party personal data, the more chance of it being disclosed to the public. Because the SIC’s approach runs counter to the expected, it also suggests, by contradiction, that the SIC’s approach is wrong.
This is supported by the phrase “the disclosure of the information to a member of the public” in the DP/FOIA or FOISA interface (at S.40(3) of FOIA or S.38(2) of FOISA). These sections take the standpoint of a FOI disclosure to “any requestor” (i.e. in the interests of members of the public in general) rather than the disclosure to a specific requestor for his particular interests.
Finally, the SIC has no remit over the interpretation of Data Protection Act; the regulator for the DPA in the UK is the ICO. So, until there is a “yes” vote in the Scottish referendum, one would expect data controllers in the UK (including the SIC) to follow the ICO, when he offers advice on the application of the DPA (i.e. in particular the interpretation of Schedule 2, paragraph 6).
Where there is disagreement, and one so fundamental as described above, one would expect there to have been discussions between the ICO and SIC.
Clearly this has not happened! The result is a train crash waiting to happen.
The blog where I first raised the different view of the DP/FOI interface: https://amberhawk.typepad.com/amberhawk/2010/07/some-foi-requests-for-personal-data-are-not-purpose-blind.html
ICO’s DP/FOI interface guidance: (https://www.ico.org.uk/for_organisations/guidance_index/~/media/documents/library/Freedom_of_Information/Detailed_specialist_guides/personal-information-section-40-and-regulation-13-foia-and-eir-guidance.pdf)
SICO’s DP/FOISA interface guidance: a pdf accessible from https://www.itspublicknowledge.info/Law/FOISA-EIRsGuidance/section38/Section38.aspx
Supreme Court Decision  UKSC 55 : South Lanarkshire Council (Appellant) v The Scottish Information Commissioner (Respondent). On appeal from:  CSIH 30. The relevant SIC Decision 056/2011.
Henderson v ICO, Appeal No: EA/2013/0055 from Decision Notice No: FER0462894
Farrand v ICO , Appeal EA/2013/0051 from Decision Notice FS50463724