Line to take - LTT176 - When does the public interest test apply to the exclusion from the duty to confirm or deny whether personal data is held

From FOIwiki
Jump to: navigation, search
  • FOI/EIR: FOI
  • Section/Regulation: s40(5)
  • Issue: When does the public interest test apply to the exclusion from the duty to confirm or deny whether personal data is held
  • Source: Information Tribunal
  • Details: Rt Hon Frank Field MP v ICO (25.01.2010); Tony Wise v ICO (03.02.2010); Young v ICO (10.02.2010)
  • Related Lines to Take:
  • Related Documents: EA/2009/0055 (Field), EA/2009/0088 (Wise), EA/2009/0057 & EA/2009/0089 (Young)
  • Contact: RM
  • Date: 30/04/2010
  • Policy Reference: LTT176
  • © Copyright Information Commissioner's Office, re-used with permission
  • Original source linked from here: LTT


Line to take

s40(5)(a) will be treated as being absolute i.e. where the information requested constitutes the personal data of the applicant.

In respect of third party personal data;

  • s40(5)(b)(i) will be treated as being absolute where confirmation or denial whether of third party data is held would contravene the data protection principles or would do so if the exemptions provided by s33A(1) of the DPA were disregarded.
  • s40(5)(b)(i) is qualified where confirmation or denial would contravene s10 DPA.
  • s40(5)(b)(ii) is qualified where by the virtue of any provision of Part IV of the DPA the information would be exempt from s7(1)(a) of that Act. i.e. where there would be no obligation for the data controller to inform the data subject that it’s processing personal data about him because an exemption to subject access under the DPA applies.


Further Information

In broad terms section 40(5) means that a public authority does not need to confirm or deny whether it holds personal data in a number of situations;

  • where the information requested is the personal data of the applicant,
  • where the information is third party personal data and confirmation or denial would contravene the data protection principles,
  • where confirmation or denial would contravene a DPA s10 notice, and
  • where, if the data subject made a subject access request, he would not be entitled to be told whether the data controller if it held information about him.

The uncertainty as to which parts of s40(5) are subject to the public interest test has arisen because section 2 of the Act, which sets out which provisions are absolute, makes no reference to s40(5) being absolute. As a consequence there has been some debate as to whether s40(5) is subject to the public interest test, and if so to what extent. To compound the confusion there have been a number of contradictory Tribunal decisions on the subject.

The first case to consider the issue was The Rt Hon Frank Field MP v ICO. In this case the request related to a third party who may have been implicated in a fraud investigation. The ICO’s DN found that to confirm or deny whether the information was held would contravene the data protection principles and hence s40(5)(b)(i) would apply. We did not go onto consider the public interest test. The Tribunal upheld our decision and reasoned that as the equivalent exemption from the duty to provide the information was absolute, then so too, was this element of 40(5).

In a later case, Tony Wise v ICO, the applicant had requested information relating to his involvement with Lancashire Police. The ICO found that this was his own personal data and as such the correct response under FOI would have been to refuse to confirm or deny whether the information was held under s40(5)(a). Again we did not apply any public interest test. The Tribunal upheld our decision but in foot note to para 11 explained that it was a moot point whether s40(5)(a) confers an absolute exemption. It went to note that in any case, because of the interaction between s40 and s7 (subject access rights) of the DPA, it could see no basis for finding that the public interest in maintaining the exclusion would not outweigh the public interest in confirming whether the information was held.

Finally in Young v ICO the applicant sought all information on complaints that had been made against two named police officers. The Tribunal found s40(5) was engaged and then addressed the public interest test. The Tribunal noted that the ICO had not considered the public interest but stated that the test should be considered (para 13). In a footnote the Tribunal commented that the “... omission of s40(5) from the list in s2(3) [the list of absolute provisions] may well have been a legislative oversight but the Tribunal can see no way round it.”

The Commissioner’s approach

In light of these conflicting decisions the Commissioner has decided to continue with his established approach, i.e. s40(5) should be treated as absolute in respect to situations where the request is for the personal data of the applicant or where the confirming or denying would breach the data protection principles. In situations where confirmation or denial would contravene a s10 DPA notice or, where the operation of one of the exemptions in the DPA would mean that the public authority was not required to deal with a SAR for the same information, s40(5) should be treated as being qualified.

It is intended that when a suitable case goes to appeal the ICO will take the opportunity to resolve the issue once and for all but until then, it’s a case of continue as before.

The Commissioner’s view is that this will not disadvantage applicants. Developing the point made by the Tribunal in Wise, an applicant wishing to access their own personal data will still be able to pursue this right under the DPA and it’s appropriate that any decision as to whether or not a data subject is entitled to be told whether personal data about them is being processed, should be made in accordance with the scheme of that Act.

In relation to situations where confirming or denying whether the information is held would breach the data protection principles the Commissioner considers that it is difficult to conceive of a situation where breaching legislation aimed at protecting the privacy of an individual would be in the public interest, particularly when it is recognised that the main issue to be resolved in such cases would be the application of the 1st principle. Therefore in determining whether confirmation or denial would be fair, and in considering the 6th condition, the public interest in the disclosure would already have been weighed against the intrusion into the data subject’s privacy.

Approach in DNs

In those situations where our approach is that s40(5) is absolute, case officers are advised to complete their analysis of the exemption when they have concluded whether or not it applies and that the DN should remain silent as to whether it is subject to the public interest test.

Environmental Information Regulations

The situation under the Regs is different to that under the Act.

Firstly under reg 5(3) there is no requirement for a public authority to make available personal data of which the applicant is the data subject. Furthermore there is no requirement to provide a refusal notice under reg 14 stating that the information will not be disclosed under the Regs. The presumption must be that the public authority will simply get on and deal with a subject access request under the DPA.

Third party personal data is dealt with as an exception. Reg 12(3) takes third party personal data out of reg 12 and makes it clear that it should only be disclosed in accordance with reg 13. So although all the exceptions under reg 12 are subject to the public interest test, the provisions under reg 13 are only subject to the public interest test where it is explicitly states so in that provision.

Reg 13(5)(a) provides that where the disclosing whether third party personal data is held would contravene either the data protection principles or a s10 notice a public authority can respond to a request by neither confirming or denying whether the information is held. Similarly reg 13(5)(b) provides that where the information is exempt from the DPA’s subject access provisions the public authority may, again, respond to a request by refusing to confirm or deny whether the information is held.

There is nothing within reg 13 to state that these provisions are subject to the public interest test and so they are to be treated as being absolute.