Line to take - LTT169 - Information that is exempt from a data subject�s right of access: Difference between revisions

• FOI/EIR: FOI
• Section/Regulation: s40(4), s40(2)
• Issue: Information that is exempt from a data subject’s right of access
• Source Policy team, Information Tribunal
• Details: Guardian News & Media Ltd / MOJ
• Related Lines to Take: N/A
• Related Documents: EA/2008/0084
• Contact: LA
• Date: 17/02/2010
• Policy Reference LTT169
• © Copyright Information Commissioner's Office, re-used with permission
• Original source linked from here: LTT

Line to take

Section 40(4), read in conjunction with section 40(2), provides an exemption from FOIA for information that a data subject would not be able to gain access to under the Data Protection Act via their section 7(1)(c) DPA right of access.

Although the DPA provisions which prevent a data subject from gaining access to their own personal data under the DPA are not subject to a public interest test, section 40(4) FOIA is subject to a public interest test.

Section 40(4) should only be considered in cases where it has been claimed by a public authority. There is no expectation that case officers should pro-actively consider this exemption if it has not been claimed.

Further Information

Section 7(1)(c) DPA provides that, subject to exemptions contained within the DPA, an individual is entitled

(c) to have communicated to him in an intelligible form —

(i) the information constituting any personal data of which that individual is the data subject, and

(ii) any information available to the data controller as to the source of those data

Section 40(4) FOIA provides that, subject to the public interest test, information is exempt from disclosure under FOIA if it constitutes third party personal data and the information is exempt from section 7(1)(c) of the DPA.

The Commissioner considers that, although it may appear contradictory for FOIA to potentially allow the disclosure of personal data into the public domain when the data subject to whom the data relate would not be able to gain individual access to the same information via the Data Protection Act, in fact this situation accords with the provisions of both pieces of legislation.

Where a data subject requests access to their own personal data, the DPA allows the data controller to refuse such access if a DPA exemption applies. In this situation, because the potential disclosure is only to the data subject and not into the public domain, the Commissioner considers that it is entirely appropriate that the data controller is not required to consider any potential public interest benefits of a disclosure into the public domain when deciding if the exemption will apply.

However, under FOIA, the potential disclosure will always be into the public domain. For this reason the Commissioner considers it appropriate for the potential public interest benefits of a disclosure to be taken into account when considering whether to disclose under FOIA.

One way of accounting for the potential difference in outcomes under the two pieces of legislation would be to think about the DPA as allowing information to be withheld from a data subject where the individual’s right to have their own personal data communicated to them is considered secondary to the need to protect whatever is inherent in the DPA exemption. However, under FOIA, it is not just the access rights of the individual that are relevant. So whilst the access rights of the individual may be secondary to the need to protect whatever is inherent in the DPA exemption, under FOIA there is the potential for the need to protect whatever is inherent in the exemption to become secondary to the wider public interest benefits of disclosure into the public domain.

In reality, we would anticipate that the circumstances in which there will be a public interest in disclosure strong enough to allow the prejudice of whoever’s interests are served by the DPA exemption will be relatively rare.

An example of a Decision Notice where the Commissioner found that this was the case is FS50197952 which concerned a request for the undertaking related to the awarding of a life peerage to Michael (now Lord) Ashcroft. The Decision Notice comments (at paragraph 69) that “The Commissioner considers that there is a greater public interest in placing the requested information into the public domain than, in respect of the specific circumstances of this case, to the public interest in protecting the interest which the honours and dignities exemption of the DPA is designed to protect. This is because there is a strong public interest flowing from the need for greater transparency in Lord Ashcroft’s controversial ennoblement.”

It should also be remembered that where information is disclosed into the public domain, then the data subject will also be able to gain access to their own personal data via this route. Whilst it is likely that a data subject would prefer to know what personal data about them is held prior to it being released into the public domain, the Commissioner considers that in practical terms, at the point at which the information is released into the public domain, then the subject access refusal to some extent becomes academic anyway.

When is it necessary to consider the DPA exemptions in FOI case work?

Section 40(4) should only be considered in cases where it has been claimed by a public authority. There is no expectation that case officers should pro-actively consider this exemption (and by implication pro-actively consider whether any of the numerous DPA exemptions would apply if the data subject were to request the information) if it has not been claimed.

Where section 40(4) has been claimed by a public authority it may also be appropriate to refer it to the Commissioner’s guidance on this issue “Awareness Guidance 1 — Personal Information” which states that

“Section 40(2) together with the condition in section 40(4) provides a qualified exemption where the information would be exempt under the DPA from a subject access request. The relevant provisions are set out in Part IV of the DPA and examples include information protected by legal professional privilege, or information used in the prevention and detection of crime. However, in such cases it will usually be easier to apply the equivalent FOIA exemption”

This may lead to the public authority withdrawing its reliance on section 40(4). If it continues to claim section 40(4) however, then this exemption will need to be considered (unless of course another exemption has already been upheld).

If it is appropriate to consider s40(4), then how detailed does the analysis of the DPA exemption need to be?

If a public authority cannot be persuaded to withdraw its reliance upon section 40(4) in favour of applying an FOIA exemption equivalent to the DPA provision then, as stated above, it may be necessary to consider section 40(4).

As part of the section 40(4) analysis it will be necessary to establish not just that an exemption under the DPA exists, but also that the exemption would actually apply to the information in question.

In essence the depth of analysis required will be similar to that applied to FOI exemptions and is likely to entail

• If class based DPA exemption — establishing information falls within the class
• If prejudice based DPA exemption - establishing that the prejudice would be likely to occur
• Applying the public interest test as set out in section 2 FOIA.

What is the public interest inherent in section 40(4)?

In cases where section 40(4) has been claimed then it will be necessary to consider the public interest test.

In the Commissioner’s view one public interest factor relevant to maintaining the exemption at section 40(4) is the public interest in data subjects not only finding out what information is held about them via public disclosure . This recognises that it is preferable for data subjects to be as well informed as possible about their own personal data, and supports the upholding of other data protection principles such as ensuring that personal data is accurate and up to date (the fourth principle).

In more general terms, where a data subject is denied subject access rights in order to protect the interests specified in a DPA exemption, then this raises inherent privacy issues that need to be weighed against the public interest in disclosure before releasing the same information to the public under FOIA.

There will also be a public interest in protecting whatever interest is being protected by the relevant DPA exemption. For example, where a public authority has claimed that the information is exempt from subject access because a disclosure to the data subject would prejudice the detection of crime, then the public interest in preserving the ability to detect crime will need to be taken into account. In this respect the test will be very similar to considering the public interest in maintaining s31 of FOIA (hence the recommendation in ICO guidance that it may be more appropriate to claim a relevant FOI exemption instead of relying upon section 40(4)).

If the relevant DPA exemption is a prejudice based exemption then the public interest test will need to take account of the extent, severity and frequency of the prejudice that would be likely to result from the disclosure under FOI. This will entail considering the prejudice that would result from a disclosure to the world, rather than to the data subject.

When considering the public interest test in such cases, if the public authority is able to confirm as a matter of fact that the data subject has been refused access to the information in question under a DPA exemption, then this is likely to support the arguments in favour of maintaining this exemption.

As with any qualified exemption the public interest inherent in the exemption will need to be balanced against the public interest in disclosure of the information in question

Proactive application of section 40(2)

If it is appropriate to consider a public authority’s s40(4) claim, but it is found that s40(4) does not apply, then, in light of the Commissioner’s role as regulator of the DPA, it may still be necessary to pro-actively consider section 40(2).

In this situation the argument may be made that releasing personal into the public domain under FOIA, when a data subject cannot gain access to the same information under the DPA, is unfair processing and thus contravenes the first data protection principle.

The Commissioner accepts that this will often be the case, but considers that it is also possible for the processing to be fair in the particular circumstances of the case. In the Lord Ashcroft case FS50197952 he found the processing to be fair, and to meet schedule 2 condition 6 of the DPA even though the information in question was not available to the data subject under the DPA.

Duty to confirm or deny

It should be noted that as section 7(1)(c) DPA only relates to the right of the data subject to have information communicated to them. Therefore section 40(4) FOIA will not apply where a public authority wishes to refuses to confirm or deny if information is held.

Use of FOIA by an applicant wishing to gain access to their own personal data

In a situation where a data subject insists on pursuing access to their own personal data via FOIA, then we should follow our normal approach of treating the request as a subject access request under the DPA.

Footnote

Whilst not integral to this line to take, the Commissioner has also considered the question of why there is an explicit public interest test when applying section 40(4) in conjunction with section 40(2), when there isn’t one when applying section 40(2) in conjunction with other section 40 subsections.

In the Commissioner’s view there is no need for a separate public interest test under section 40(2) in conjunction with these other subsections because, in a potential FOIA disclosure context, the consideration of the first data protection principle takes into account public interest arguments (whether this is done under a schedule 2 condition 6 balancing exercise, or via a more general assessment of fairness) in any case.

However, as section 40(4) does not require specific consideration of the data protection principles, then a separate public interest test under FOIA serves this purpose (albeit that the default position if the factors on both sides are equal will be disclosure for 40(4) and withhold for 40(2).

There is no expectation that case officers should give consideration to whether a data subject would be able to gain access to the information in question when considering section 40(2) cases. The Tribunal in Guardian News & Media Limited v the ICO & the Ministry of Justice did consider this as a factor in a section 40(2) case but the Commissioner will not follow this lead.