Personal data and fitness to practice investigations – Tribunal overturns ‘neither confirm nor deny’ position

January 17th, 2014 by Robin Hopkins

When an identifiable individual has been the subject of a formal complaint about their competence or conduct, that fact constitutes their personal data. In terms of privacy/publicity decisions, such situations are often approached in this way: where the complaint is well founded or at least merits serious consideration, publication is warranted, but otherwise confidentiality is maintained, lest unjustified aspersions be cast against that person.

In that respect, the process outlined by the Tribunal in Foster v IC (EA/2013/0176) – which concerned a complaint to the Nursing & Midwifery Council – is typical:

“The complaints procedure administered by the NMC has two stages. The first stage is designed to determine whether or not the matter should be referred to the NMC’s Fitness to Practice Panel. If it is, then the Panel will meet in public and its decision will be made publicly available. But if the complaint does not proceed beyond the first stage, (either because a decision is made not to investigate or because the NMC’s Investigating Committee Panel concludes that the complaint does not justify a reference to the Fitness to Practice Panel), then the process remains confidential. The rationale appears to be that an individual’s professional reputation should not be undermined by the publication of allegations that are found not to have sufficient merit to justify being referred to the Fitness to Practice Panel”.

The Appellant, whose son died following his participation in a drug trial, considered that the NMC investigation in this case – which did not pass the first stage – may have been inadequate. She asked for information about its investigation into her complaint about a named practitioner.

The NMC adopted a ‘neither confirm nor deny’ position under section 40(5), i.e. it considered that to say whether or not it held information on a complaint about this individual would be to tell the world at large whether or not that person had been the subject of a professional complaint of this description. The ICO agreed, but the Tribunal overturned that decision, ordering the NMC to confirm or deny whether it held the requested information.

In reaching that view, the Tribunal – while not passing judgment on the merits of the complaint or the NMC’s investigation – considered the criticisms that had been made:

“If it were to be the case that any member of the care team had realised the error earlier, but had not raised the alarm until after its very sad consequences had become clear, then there would seem to us to be strength in the Appellant’s argument that the evidential basis for the decision of the NMC’s Investigating Committee Panel required investigation”.

In those circumstances, the Tribunal thought the fairness balance favoured confirming or denying whether the requested information was held:

“In reaching that conclusion we reject the Information Commissioner’s argument that it is always unfair, and therefore in breach of the Data Protection Principles, to make a statement that discloses the existence of a complaint of professional misconduct against an individual, where there has been no finding of wrongdoing or malpractice. That would create an inflexible test which prevented all relevant circumstances being taken into account. Nor do we accept the Information Commissioner’s argument that the limited degree of disclosure involved in a “confirm or deny” response would constitute unwarranted interference into X’s privacy, without satisfying a legitimate public interest in disclosure”.

Public authorities who routinely adopt a default ‘neither confirm nor deny stance’ of the type outlined at the start of this post will wish to note that, at least in some circumstances, that approach can be called into question.

Robin Hopkins @hopkinsrobin


Section 40 FOIA, NCND and the public interest

June 1st, 2012 by Robin Hopkins

The requester (anonymised for the purposes of the decision) in Mr A v IC and The Health Professions Council (EA/2011/0223) asked for information about the response given by a named registrant to an investigation allegedly being carried out by the HPC into that registrant’s fitness to practice. The IC found that a ‘neither confirm nor deny’ response was appropriate, given that to confirm or deny (NCND) whether or not the HPC held the information requested would in and of itself disclose to the public whether there a complaint as to the registrant’s fitness to practise had been made. This would breach the first data protection principle. Section 40(5)(b)(i) FOIA therefore applied.

The Tribunal agreed. Curiously, it approached its task under section 58 FOIA thus: “The Tribunal does not take the IC’s decision again, rather its task is to consider the Decision Notice and to consider whether it can be impugned on legal grounds.”

Its decision turned largely on the usual features of a request for personal data: privacy implications, reasonable expectations and so on. The Tribunal’s decision does, however, contain a number of points of interest concerning the correct approach to section 40.

First, when judging whether, for section 40(5) purposes, confirmation or denial would breach any of the data protection principles, the appropriate reference point was disclosure to the public, not disclosure to the individual requester, given the overall wording of section 40 and the ‘motive blind’ approach to FOIA. The Upper Tribunal in All Party Parliamentary Group on Extraordinary Rendition v Information Commissioner [2011] UKUT 153 (AAC) appeared to think otherwise, but its observation was obiter, and the Tribunal in the present case declined to follow it.

Secondly, it followed that for the purposes of condition 6(1) of Schedule 2 to the DPA (which refers to the “legitimate interests of the … third party or parties to whom the data are disclosed”), the appropriate reference point was again the public. Public rather than private interests are what count for condition 6(1) purposes.

Finally, the NCND provisions of section 40(5) do not appear in the list of absolute exemptions at section 2(3)(f) of FOIA. Does this mean the public interest test must be applied, even where – as the Tribunal had found – disclosure would breach the first data protection principle? The Tribunal agreed with the IC and the HPC that the answer is ‘no’. It followed Heath v IC (EA/2009/0020) in finding that the word ‘provision’ at section 2(1) FOIA is sufficiently ambiguous (as to whether it means a section of FOIA as a whole, or rather subsections) to admit of a purposive interpretation. In these circumstances, this allowed for data protection principles to be given primacy; no public interest question under section 2(2) of FOIA arose.

Robin Hopkins



April 12th, 2012 by Robin Hopkins

I blogged yesterday (see below) on APPGER’s litigation in the US courts concerning information about security bodies and their role in extraordinary rendition. The UK’s First-Tier Tribunal has today promulgated its decision on a separate set of requests made by APPGER to the Foreign & Commonwealth Office. The decision deals primarily with sections 23, 27, 35, 42 and the ‘neither confirm nor deny’ provisions under sections 23(5) and 24(2) of FOIA.

One of my fellow Panopticonners will post some commentary on the case shortly. In the mean time, here is the hot-off-the-press decision: