Line to take - LTT166 - Lawfulness
- FOI/EIR: FOI
- Section/Regulation: s40
- Issue: Lawfulness
- Source: Policy Team
- Details: n/a
- Related Lines to Take: LTT57. LTT59. LTT163. LTT165
- Related Documents: FS50128761. Guide to Data Protection
- Contact: HD
- Date: 21/01/2010
- Policy Reference: LTT166
- © Copyright Information Commissioner's Office, re-used with permission
- Original source linked from here: LTT
Line to take
In the context of freedom of information casework, it is likely that it will be unlawful to disclose personal data where it can be established that the disclosure would be a breach of a statutory bar, a contract or a confidence.
Schedule 1, part 1 of the Data Protection Act (the “DPA”) states that “personal data shall be processed fairly and lawfully...”
The DPA does not define what is meant by the term ‘lawful’ but the ICO’s Guide to Data Protection (published in November 2009) states as follows:
- “Lawful” refers to statute and to common law, whether criminal or civil. An unlawful act may be committed by a public or private-sector organisation (para 31).
- If processing personal data involves committing a criminal offence, the processing will obviously be unlawful. However, processing may also be unlawful if it results in:
  - a breach of a duty of confidence. Such a duty may be stated, or it may be implied by the content of the information or because it was collected in circumstances where confidentiality is expected — medical or banking information, for example;
  - a breach of an enforceable contractual agreement;
  - a breach of industry-specific legislation or regulations” (para 32).
In the absence of any evidence of a breach of sections 41 or 44, the Commissioner is likely to conclude that the processing will be lawful, unless the public authority has provided arguments which suggest that it would be unlawful to disclose the requested information; any such arguments will need to be considered accordingly.
Further, in the context of freedom of information casework, it may have already been established that disclosure would breach a statutory bar (s44), breach a contract or be a breach of confidence (s41); and if any of these exemptions are engaged then it would be unlawful to disclose the requested information.
Casework example — List of residential addresses of ICO staff (FS50128761)
The requestor asked for a list of residential addresses for all current, salaried ICO staff. The Commissioner found that s41 was engaged as his staff had provided their address details in confidence. The Commissioner went on to find that disclosure would also be unlawful under s40 as the processing would amount to a breach of confidence.