Update on recent Tribunal decisions part 3: personal data of public officials and relating to court proceedings

November 13th, 2012 by Robin Hopkins

I posted a few days ago about some recent decisions of the First-Tier Tribunal on requests under FOIA and the EIR for personal data. There have been a number of decisions on this issue of late. The following are of note, as they illustrate the types of issues very frequently encountered by public authorities. They also illustrate the nuanced and forensic approach taken by some Tribunals. There may not be a presumption in favour of disclosing personal data, but public authorities should beware assuming that Tribunals will be equally cautious about disclosing all types of personal data.

Chief Constable appointments: partial disclosure ordered

The Appointments Committee of Dyfed Powys Police Authority assessed and interviewed the candidates for the office of Chief Constable. There were two candidates. The Committee was advised by a representative from HM Inspector of Constabulary who was very critical of one of the candidates, leaving the Committee feeling that it had no option but to appoint the other. Committee members complained about the HMIC representative, including to the Home Office. The issue entered the public domain. The unsuccessful candidate requested copies of relevant correspondence.

The issues in Roberts v IC and Dyfed Powys Police Authority (EA/2012/0032) were whether s. 40(1) or alternatively s. 40(2) applied.

The IC raised s. 40(1) belatedly, arguing that the withheld documents were the requester’s own personal data: the lateness “vexed” the Tribunal, and in any event the s. 40(1) argument was rejected, as the Durant conditions of biographical significance and focus were not met. The IC had sought to apply the definition of “personal data” too widely in a way that went beyond the Durant restrictions.

The s. 40(2) argument concerned the personal data of (a) members of the Appointments Committee (the Tribunal’s answer: disclosure would breach the data protection principles, as they were unpaid public representatives who were not at fault), and (b) the HMIC representative (the Tribunal’s answer: disclosure was for the most part ordered, given the representative’s role, the publicised allegations about her conduct and the fact that disclosure would result in minimal incremental distress).

The case illustrates the ongoing dominance of Durant, the need to distinguish between types of data subject and the relevance of well-founded allegations of wrongdoing or poor conduct by public officials.

Redacting officials’ names: lack of legitimate interest in disclosure

Armit v IC and Home Office (EA/2012/0041) is one of two appearance by the UK Border Agency in this post. The request was for copies of guidance relating to which light vehicles/drivers should be stopped and interviewed and what circumstance should lead to the vehicle being detained whilst a search is undertaken and identity checks undertaken, as well as for statistics about such ‘stops and searches’ carried out at Dover Port. UKBA’s refusal was based in part on s. 40(2): it sought to redact the names of the officials in a document entitled ‘Tourist Selection Indicators and Selection Techniques’. The Tribunal was not very impressed by the arguments that officials would not have expected public disclosure of their names. However, fatal to the requester’s case was the failure to identify a legitimate interest in public disclosure of the names of those officials. The Tribunal concluded that:

“We do not accept the argument that the officials would not have expected their names within the document to be made public and were not given compelling evidence of this. We were given no information as to their specific grading but they were described in the document as ‘lead contributer’ and ‘lead postholder’. They clearly have some responsibility in relation to the work.  We were given no compelling evidence that disclosing their names would result in victimisation, insult or any form of danger.  However, we do accept that the officials would prefer not to have their names identified and that might in itself represent a certain right and freedom or legitimate interests in itself. In any event, to process personal data, it needs to be necessary to pursue the purposes of legitimate interests pursued by others.  In this case, we do not find that the Appellant has shown any legitimate interest in the names of the officials being disclosed to the public under FOIA. We conclude that the information is therefore exempt from disclosure.”

The case illustrates the importance of requesters making out a legitimate public interest in knowing the identity of officials whose names appear in requested documents where those officials are not obviously senior enough for a general accountability argument to suffice.

Neither confirm nor deny: involvement in court proceedings

In Mahajan v IC (EA/2011/0240), the requester sought information about the conduct of criminal proceedings in which he was involved, in particular relating to note-taking, recording, legal aid payments, contributions made by the judge during the hearing and communications between the requester and the court’s administrative staff.

The IC found that the request could be refused on the grounds of s. 40(5) FOIA, the “neither confirm nor deny” exemption for personal data. The argument was that the individuals identified in the requested information would have a legitimate expectation that information that might or might not confirm whether they had been part of an investigation and/or court proceedings would not be released.  A confirmation or denial would, it was argued, reveal some information which was not already in the public domain and was not reasonably accessible to the general public. It would also publicise the existence or otherwise of an investigation and court proceedings involving those named parties.

For some parts of the request, the Tribunal agreed: any answer would reveal personal data the public disclosure of which would breach a data protection principle. For the most part, however, the Tribunal disagreed with the IC. A major aspect of its reasoning was that much of the information related to a public court hearing: therefore, disclosing that an individual had been a judge in that hearing, or had appeared as an advocate would not breach any of the data protection principles. In addition, some of the “data subjects” were in fact not living individuals but commercial entities.

This case illustrates the importance, when taking a “neither confirm nor deny” stance, of assessing why mere confirmation or denial of whether the requested information is held (as opposed to disclosure of that information itself, if held) would breach a data protection principle.

Interestingly, while the Tribunal disagreed with the IC on a number of the s. 40(5) FOIA arguments, it went on to agree with the public authority that those parts of the request were plainly vexatious and could be refused on s. 14(1) FOIA grounds.

Qualifications of legal advisor

In Hodson v IC (EA/2012/0084), the Tribunal decided that information about the professional qualification of an individual fulfilling the role of Legal Adviser to Scunthorpe Magistrates’ Court should be disclosed but that he was not entitled to receive information about the Adviser’s other academic qualifications. Its nuanced approach (i.e. approaching different types of personal data differently) is summarised at its paragraphs 18 and 19:

“In view of the functions performed by Legal Advisers in a Magistrate’s Court, and the impact they are capable of having on those appearing before the court, we believe that there is a strong public interest in knowing that anyone fulfilling the role has the qualification of barrister or solicitor. That is to say the qualification that the Ministry of Justice holds out Legal Advisers as possessing. We believe that, were that information not to be a matter of public record, there would be strong public interest in its disclosure and that this would outweigh the individual’s right to privacy.

It follows that, were the position of Legal Adviser to be held by a person having any other qualification, there would be an equally strong public interest in that qualification also being publicly known. And that would apply whether the qualification was a non-legal one or a legal one that was less than full qualification as a barrister or solicitor. Examples of the latter would include a law degree, Chartered Institute of Legal Executives qualification, or completion of a Legal Practice Course or Bar Professional Training Course. But if the Legal Adviser holds the professional qualification of barrister or solicitor then the public interest in information about any other qualification, whether legal or non-legal, academic or professional, is greatly reduced. Disclosure, in those circumstances would constitute an unwarranted interference with the individual’s rights and freedoms.”

Nationality of opponent in litigation

Someone referred to as AF brought legal proceedings against Mr Philip Brown. Mr Brown incurred considerable costs as a result. He hoped to recover those costs if he won the case. In practice, he could only do so if AF was a British national; if he was a Nigerian national, he was thought likely to return there, putting him effectively beyond the reach of UK jurisdiction for enforcing any costs order. Mr Brown asked the UK Border Agency for “official information showing whether or not [Mr AF] is a UK citizen, or whether he is a Nigerian citizen who is in the UK on some sort of temporary permission”. The request was refused on s. 40(2) FOIA grounds; the Commissioner agreed.

The Tribunal in Philip Brown v IC (EA/2012/0094) also agreed. The requester argued that this was not “personal data”: Mr AF cannot be identified by his immigration status alone since that simply discloses whether he is one of 60  million people (if he is a UK national), or one of 120 million people (if he is a Nigerian national). The Tribunal rejected this as misconceived:

“What he is saying, in effect, is that if an individual is already known to the requester and

can be identified by him through information already held, then any additional information such as his immigration status, cannot be personal data because that does not identify him. Taken to its logical conclusion, it would mean that the Appellant could ask a public authority to disclose a range of information about Mr AF (for example, whether he is gay or straight, a Christian or a Muslim, divorced or single), on the basis that such information would only disclose the category of people to which Mr AF belongs and would not itself identify him.”

The requested information was “personal data” in Durant terms.

The requester also sought to rely on s. 35(2)(a) of the DPA, arguing that disclosure is “necessary for the purposes of, or in connection with, legal proceedings” and therefore that the data protection principles would not be breached. He said he needed the information in order to seek a protective costs order in accordance with the CPR.

The Tribunal considered the meaning of “necessary” in this context: it rejected the IC’s argument that “necessary” means “relevant and proportionate”, preferring Mr Brown’s view that it meant “indispensable, requisite, needful, that which cannot be done without”. The problem was that the requested information would not help with any application for a protective costs order. Condition 6(1) would not be met and s. 40(2) was upheld.

Robin Hopkins


Update on recent Tribunal decisions part 2: personal data of “low inherent sensitivity”

November 8th, 2012 by Robin Hopkins

The “personal data” provisions under s. 40(2) FOIA and regulation 13 EIR can often be very difficult to apply, particularly in light of the Durant “notions of assistance”, namely biographical significance and focus. It is correspondingly difficult to predict how such arguments will fare before the Tribunal. Two recent cases offer good illustrations. Both saw the Tribunal order disclosure of property-related personal data which was deemed to be of “low inherent sensitivity”.

Council housing

Exeter CC v IC and Guagliardo (EA/2012/0073) concerned a request for the addresses of all residential properties owned by or leased or rented to the Council. The Council refused the request. It was accepted that addresses constitute “personal data”, but the Commissioner considered it to be personal data of “low inherent sensitivity”. He found that disclosure would not breach any of the data protection principles. He ordered disclosure, subject to an exemption for addresses of properties allocated for housing those in need of protection.

The decision notice was upheld on appeal. The following aspects of its decision are notable (Tribunal comments appearing in italics).

As to the Council’s arguments for withholding the addresses:

  • The Council had conducted a survey of residents’ attitudes to such disclosures, but the particular questions and answers did not assist the Tribunal.
  • There was no clear evidence on the extent to which Council properties were already visually identifiable as such.
  • “The Tribunal observes that who owns property is not a private  matter. It has to be publicly recorded and available by way of Land Registry Records (although there is a fee for this information). There are many other ways that the ownership becomes public (e.g. local knowledge, press articles when properties are constructed, news articles and planning records).The Tribunal is satisfied that a tenant cannot therefore have a legitimate expectation that this information would not be disclosed.”
  • The Council argued that disclosure of the list of addresses would identify the residents as Council tenants and, as such, vulnerable, for example to being targeted by those wishing to prey upon individuals who were in financial difficulty. There was, however, no evidence before the Tribunal that disclosure would add to the pre-existing risk of such behaviour.
  • The only information (additional to the fact of the address) that can be discerned about any particular data subject by the disclosure of the disputed information was that they or their predecessor may have been financially unable to meet their housing needs at some time.

As to the arguments for disclosure:

  • “Additionally we are satisfied that there is a proper distinction to be drawn between those living in a Council owned asset and private accommodation, because the Council are accountable to the public for the way  they manage those assets and execute housing policy whereas a private landlord has no such additional public responsibility and that this must impact upon the reasonableness of any expectation that the Council would not publish this information.”
  • Disclosure would enhance transparency in allowing the public to be aware of the Council’s assets (i.e. its housing stock). By knowing how many properties the Council owns and where, the public would be enabled to scrutinise the distribution of Council properties between localities, analyse whether factors (such as levels of educational attainment) are correlated with the extent of Council owned housing in a given area.
  • Knowing the individual addresses would enable the public to see how Council properties are maintained, their state of repair and assess whether areas are under or over provided for.
  • “The Tribunal adds that such disclosure would also enable the public to review the type of housing stock owned and used by the Council and ascertain whether it could be used more efficiently to meet better the      needs of those in housing need. Analysis of the extent to which private      rentals are over or under used and whether this provides value for money      would also be enabled by disclosure of this information.”

Overall, the Tribunal agreed that addresses constitute personal data of “low inherent sensitivity”.

This is the second such case before the Tribunal. The Tribunal in Neath Port Talbot v IC (EA/2011/0037) ordered disclosure of the same type of information in another, less fully reasoned decision last year. While no First-Tier Tribunal decision is binding, the case for withholding such information seems nonetheless increasingly difficult to make out.

Building control applications

Martin and Karen Sharples v IC (EA/2012/0076) is a second recent case in the disclosure of personal data has been ordered in light of its “low inherent sensitivity”. The requesters sought information about building control applications made to Bolton MBC relating to roof conversions to residential properties in a specific cul-de-sac. The Council refused to provide the building control records and site visit notes, relying upon regulation 13 EIR (personal data). The issue was whether the residents/owners involved in those applications could be identified from the redacted records and notes and, if so, whether disclosure would breach any of the data protection principles.

The requesters argued that while they knew enough to identify the property owners from the requested information, a member of the public would not. The Tribunal was satisfied, however, that the owners could be identified – particularly given the availability of Land Registry searches, Google Earth and other ways to find out who lives where.

Like the Council residence addresses in the Exeter CC case however, this application information was considered to be personal data of “low inherent sensitivity”. Disclosure would not breach the data protection principles, in light of the following factors:

  • The information was similar to the sort of information routinely provided to estate agents and in planning applications (which are made public)
  • It would be discernible to a surveyor when the house changes hands
  • Some of the information was visible to the naked eye
  • Much of the information constituted confirmation of normal practice of construction to a fixed standard
  • The data subjects had not been told they could expect confidentiality
  • There was a legitimate public interest in transparency, in particular in being assured that the Council had properly assessed compliance whether the relevant regulations had been complied with

Many requests for personal data fail because the requester has not made out any or any sufficient legitimate interest in public disclosure of information impacting upon privacy. Sharples is interesting in that the emphasis worked the other way: the public interest does not appear to have been very pressing, but the personal data was sufficiently anodyne for disclosure to be the order of the day.

Robin Hopkins