Line to take - LTT124 - Multiple data subjects

From FOIwiki
Jump to navigationJump to search
  • Section/Regulation: s40
  • Issue: Multiple data subjects
  • Source: Information Tribunal
  • Details: Nicholas George Fenney (26 June 2008)
  • Related Lines to Take: n/a
  • Related Documents: EA/2008/0001, Data Protection Technical Guidance — ‘Determining what is personal data’
  • Contact: HD
  • Date: 16/01/2009
  • Policy Reference: LTT124
  • © Copyright Information Commissioner's Office, re-used with permission
  • Original source linked from here: LTT

Line to take

Where the requested information constitutes the personal data of more than one individual, then both individuals are data subjects for the purposes of s40 as there is no basis for suggesting that the individual whose data is more extensive or significant is the only data subject.

In this situation, where a request is made by one of the data subjects, the information in its entirety should be considered under s40(1). The public authority should not deal with the third party’s data under s40(2), apart from where there is distinct information which is the personal data of only the third party and not the applicant.

Further Information

Section 40 of the FOIA states as follows:

40.-(1) Any information to which a request for information relates is exempt information if it constitutes personal data of which the applicant is the data subject

In the case of Nicholas George Fenney & the Information Commissioner, the complainant had been engaged in long running correspondence with the Avon & Somerset Constabulary relating to the investigation of various allegations against him for sexual harassment and of complaints he made about certain police officers. His requests related to various elements of those investigations including the police complaint file.

The police refused the requests under s40(1) where it was Mr Fenney’s personal data and the Commissioner agreed this was correct.

On appeal, Mr Fenney argued that the police complaint file could not be his personal data as the police officers were the “principal data subjects”. The Tribunal rejected this argument indicating that there is no basis for arguing that the only data subject to be considered when assessing a document containing data on more than one individual is the one whose data is more extensive or significant.

At paragraph 13, the Tribunal stated:

"There is no basis for arguing that the DPA intended that the only data subject to be considered when assessing a document incorporating data on more than one individual is the one whose data is more extensive or more significant. If information incorporates the personal data of more than one person the data controller is not required to attempt an assessment as to which of them is the more significant and to then recognise the rights to protection of that individual and ignore any others. Its obligations are set out in sections 7(4) to 7(6) DPA, which require it to consider whether the information requested includes information relating to a third party and, if it does, to disclose only if that third party consents or it is reasonable in all the circumstances (by reference to the particular matters identified in subsection (6)) to comply with the request without his or her consent.

This suggests that whilst in the past where the requested information contained the personal data of the applicant and a third party, the applicant’s personal data would have been isolated under s40(1) and dealt with as a subject access request and the third party data dealt with under s40(2), the Commissioner can now consider information containing mixed personal data under s40(1).

The Commissioner’s view is that where a document contains the personal data of several data subjects including the applicant, but some information within that document relates only to third parties and not to the applicant, for example, where a document contains personal data that is separated into distinct sections on the different parties, then he would expect the applicant’s data to be dealt with under s40(1) and information that is only third party data to be dealt with under s40(2). This is because it would not be correct to say that s40(1) applies to the information that clearly relates only to the third party(ies) and not to the applicant.

However, where information constitutes the personal data of both the applicant and a third party, for example where the data of the two parties is inextricably linked, as in Fenney, then s40(1) will apply.

This is because the fact that the information is also the personal data of a third party does not stop it being the personal data of the applicant, which he has a right of access to under the Data Protection Act (subject to its provisions).

Further examples of information which may contain the personal data of more than one individual can be found in the Commissioner’s guidance on ‘Determining what is personal data’ (see Appendix A, page 18).