Tag: section 40 FOIA

FROM NAKED PHOTOS TO NUCLEAR ENRICHMENT: ROUNDUP OF NEW TRIBUNAL DECISIONS

Posted on | by Robin Hopkins

The past week saw a slew of new decisions from the First-Tier Tribunal. Here is Panopticon’s highlights package.

Sections 41 (information obtained in confidence) and 43 (commercial prejudice)

In DBIS v IC and Browning (EA/2011/0044), the requester (a Bloomberg journalist) had sought information from the Export Control Organisation in connection with licences issued for the exporting to Iran of “controlled goods” – explained by the Tribunal as “mainly military, dual use (potentially military), equipment designed for torture or repression or sources of radio-activity”. The relevant public authority, the Department for Business, Innovation & Skills, refused the request, relying on sections 41 and 43. The IC found for the requester on the narrow basis that, whilst disclosure would result in a breach of confidence, no commercial detriment would be suffered by the licence applicants as a result. Subsequent evidence from the Department persuaded the IC to change position and support the appeal, which was resisted by the applicant. In a decision which turned on the evidence, the Tribunal allowed the appeal, and found both sections 41(1) and 43(2) to be effective.

Section 42 (legal professional privilege)

Two recent decisions on this exemption. Both saw the Tribunal uphold the refusal, applying the established approach under which this exemption has a strong in-built public interest. Szucs v IC (EA/2011/0072) involved an FOIA request about an earlier FOIA request (the appellant requested the legal advice and associated documents provided to the Intellectual Property Office about how to deal with a previous FOIA request made by the appellant’s husband). Davis v IC and the Board of Trustees of the Tate Gallery (EA/2010/0185) is eye-catching primarily because it concerned the Tate’s legal advice concerning the inclusion in an exhibition of a photograph of the actress Brooke Shields, aged ten, naked, entitled “The Spirit of America” (the Tate had initially proposed to include this in an exhibition, but ultimately withdrew the photograph).

Section 40 (personal data)

Beckles v IC (EA/2011/0073 & 0074) concerned the identifiability of individuals from small sample sizes, in the context of information about dismissals, compromise agreements and out-of-court settlements. The appellant asked Cambridge University for information on (among other things) the number of employees who received post-dismissal settlements. The answer was a low number. He asked for further details concerning the settlement amounts, rounded to some appropriate non-exact figure. This, said the Tribunal (applying the Common Services Agency/Department of Health approach to identifiability from otherwise anonymous figures) was personal data, the disclosure of which would be unfair. Its reasoning is summed up in this extract:

“Information as to the settlement of a claim made by an identified individual relating to his or her employment is undoubtedly personal data. The question is whether the four individuals or any of them could be identified if the information requested were disclosed, even in approximated form…. Cambridge University is made up of a large number of much smaller academic or collegiate communities. It is likely that a number of colleagues or friends will be aware that a particular individual settled a claim with the University within the time-scale specified. They will be aware of the general nature of that person`s employment. This is a small group of claims in a relatively short period. In the form originally requested it is readily foreseeable that one or more of the four will be identified.”

Sections 24 (national security) and 27 (international relations)

Burt v IC and MOD (EA/2011/0004) concerned information gathered by staff of the UK Atomic Weapons Establishment on an inspection visit to a United States atomic energy facility, as a learning exercise regarding the proposed development of an enriched uranium facility at Aldermaston. The US had expressed its desire to maintain proper confidence in what it regarded as a sensitive area. The MOD refused the request, relying on sections 27 and 24. By the time of the appeal, only a small amount of information had not been disclosed. This was primarily of a technical nature, containing observations about the operation of plant, machinery, procedures and processes at the US facility.

The Tribunal upheld the MOD and Commissioner’s case as regards the outstanding material. As regards section 27, the Tribunal applied the principles from Campaign against the Arms Trade v IC and MOD (EA/2006/00040). It observed, however, that confidential information obtained from another country would not always be protected by section 27: it was “perhaps axiomatic that the foreign State will take the United Kingdom as it finds it including but not limited to the effect of its own domestic disclosure laws. It follows that there may well be cases where information otherwise imparted in confidence from a foreign State to a United Kingdom authority would need to be considered on its own merits as to whether some form of disclosure should be made or ordered whether under FOIA or under similar analogous legislation or principles such as the UK data protection principles.”

As regards section 24, the Tribunal applied Kalman v IC and Department of Transport (EA/2009/0111) (recourse to the exemption should be “reasonably necessary” for the purpose of safeguarding national security), and Secretary of State for the Home Department v Rehman [2003] 1 A 153 (the threat to national security need not be immediate or direct).

Burt is also an example of a “mosaic effect” case: taken in isolation, the disputed information may appear anodyne, but the concern is with how it might be pieced together with other publicly available information.

Section 14(1) FOIA (vexatious requests)

Dransfield v IC (EA/2011/0079) is an example of the Tribunal overturning the Commissioner’s decision that section 14(1) had been engaged (for another recent example, see my post here). As with many such cases, the history and context were pivotal. Given that it is the request, rather than the requester, which must be adjudged to be vexatious, how should the context be factored in? The Tribunal gave this useful guidance:

“There is, however, an important distinction to be drawn between taking into account the history and context of a request, as in the cases referred to above, and taking into account the history and context of other requests made by a requester or other dealings between the requester and the public authority. The former is an entirely proper and valid consideration. The latter risks crossing the line from treating the request as vexatious, to treating the requester is vexatious. That line, in our view, was crossed in the present case.”

Robin Hopkins

IS FOIA ALWAYS MOTIVE BLIND? TRIBUNAL DECISION ON SEX OFFENDERS’ SENSITIVE PERSONAL DATA

Posted on | by Robin Hopkins

In Colleen Smith v IC and Devon & Cornwall Constabulary (EA/2011/0006), the requester asked for information on the number of school teachers in specified towns who had been investigated, cautioned and charged under the Sexual Offences Act 2003 between January 2005 and November 2007. The Constabulary eventually relied on the personal data at section 40(2) FOIA.

The Commissioner found that, where the answer was “zero”, this was not personal data and should be disclosed; otherwise, the information could be withheld under section 40. The Tribunal has upheld this decision, albeit for different reasons.

This decision is worth noting on a number of grounds.

First, this is a good illustration of the approach from Department of Health v IC [2011] EWHC 1430 (Admin) (the “abortion statistics” case – see my post here) to the definition of “personal data” in the context of apparently anonymous statistics. Here the Tribunal considered both the disputed information concerning numbers of alleged sex offenders and the “other information” held by the Constabulary, and was satisfied that living individuals could thereby be identified. Furthermore, for obvious reasons, this constituted “sensitive personal data”.

Secondly, the Tribunal turned to fairness of disclosure. As regards reasonable expectations of data subjects, it concluded (for confidential reasons, and notwithstanding that one can generally assume sensitive personal data will not be disclosed) that the data subjects in these circumstances could have had no reasonable expectation that these statistics would not be disclosed at the relevant time, i.e. late 2007.

Thirdly, the Tribunal also disagreed with the Commissioner that disclosure created a risk of harm to the suspected offenders at the relevant time.

Fourthly, the Tribunal considered whether a condition from Schedule 3 of the DPA 1998 would be met. It did so by asking itself whether paragraph 3 of the Schedule of the Data Protection (Processing of Sensitive Personal Data) Order 2000 applied. That concerns, inter alia, disclosure of information concerning alleged unlawful acts for “special purposes” such as journalism. Disclosure must, however, be “in the substantial public interest”.

The “special purpose” of journalism highlights the following important reminder. It is by now axiomatic that FOIA is “motive blind”. However, the cases of Ferguson v IC (EA/2010/0085) (on which, see my post here) and Brett v IC (EA/2008/0098) imposed an important gloss on that principle. The Tribunal in Ferguson summed up the point thus:

“It is often stated that requester’s rights under FOIA are purpose-blind, in the sense that an applicant’s personal identity and motives for requesting information are irrelevant. This generalisation can mislead. There are some cases in which the applicant’s identity and motives may shed light on the public interests involved. More significantly, the applicant’s identify and motives can be of direct relevance to the exemption in FOIA s40(2) because of the provisions of DPA disclosure and to the interests pursued by the persons to whom the disclosure would be made. For example, a journalist or author may be able to outflank the s40(2) exemption by reliance upon DPA Schedule 3 condition 10 and paragraph 3 of the Schedule to the Data Protection (Processing of Sensitive Personal Data) Order 2000, where it is in the substantial public interest that wrongdoing should be publicised.”

The Tribunal in Smith agreed. The appeal, however, failed because disclosure of this information would not be “in the substantial public interest”.

The Tribunal thought it “reasonable to assume… that the public had an ongoing need for reassurance as to the level of activity by sexual offenders in particular localities and transparency and accountability in what the police were doing about it”. The threshold of “substantial public interest”, however, required a certain level of urgency in the need to reassure the public. That threshold was not met here.

In reaching this conclusion (which the Tribunal described as “finely balanced”), the Tribunal took into account: the evidence as to the machinery for the monitoring and supervision of sex offenders in the community; the risk of vigilantism, which can force suspects to “disappear”, which in turn increases the risk of reoffending. It added that:

“It was not enough, in the Tribunal’s view, that sexual offences by teachers or others in positions of trust was a matter of keen interest to the public. This, on its own, did not make disclosure “in the substantial public interest”. It was the Tribunal’s task to weigh against the wholly understandable concern felt by members of the public on this subject, the detrimental effects that disclosure could have.”

The upshot was that, although disclosure would be fair, section 40(2) took effect because no Schedule 3 condition would be met.

Robin Hopkins

CONSTRUCTION WORKER ‘BLACKLISTING’ DATABASE – NEW TRIBUNAL DECISION

Posted on | by Robin Hopkins

The Tribunal has this week given its decision in Ritchie v IC (EA/2010/0041). The case involved a “blacklist” which had been compiled and maintained by an organisation called the Consulting Association. The database consisted of the names and personal details of workers in the construction industry who had engaged in trade union or other activities in furtherance of employment rights. A number of major companies in the construction industry paid annual subscriptions and, as potential employers, were able to access individual records for a fee. The ICO investigated the matter, successfully prosecuted the proprietor of the Consulting Association and seized the database. It invited potentially affected workers to make subject access requests whereby they could receive information about them held in the database.

The General Secretary of the union UCATT subsequently requested from the ICO all files containing references to a number of named trade unions. This was one of the (relatively rare) cases in which the ICO was both the public authority and the regulator.

The ICO refused the request, relying on section 44 FOIA (disclosure prohibited under an enactment) in combination with section 59(1) DPA, which (to paraphrase and summarise) prohibits disclosure of information obtained by the Commissioner “under or for the purposes of the Information Acts” unless there is “lawful authority” for that disclosure. The Tribunal has upheld that refusal.

No commentary from me on this one, given my involvement in the case. I shall, however, point out that the decision covers the following issues: scope of the request; whether information is “publicly available”; the meaning of “lawful authority” under section 59(1) DPA; whether requests by unions are made with the “consent” of members; whether disclosure would be “necessary in the public interest”; personal data; Articles 9, 10 and 11 of the ECHR.

Robin Hopkins

“SANDSTORM” PERSONAL DATA AND THE BCCI COLLAPSE

Posted on | by Robin Hopkins

The Tribunal’s recent decision in Sikka v IC and HMT (EA/2010/0054) is a good illustration of how FOIA exemptions (here concerning prejudice to international relations and personal data) may be trumped by the overwhelming interest in the public being informed about corporate wrongdoing on a massive scale – including the public knowing the names of those involved in that wrongdoing. Some topical resonance perhaps.

It is also another useful illustration of how personal data should not be assessed on a “one size fits all” basis, but should (where appropriate) be analysed by category. In other words, distinguish between, for example, companies, senior management, employees and customers.

Background

In March 1991, the Bank of England instructed Price Waterhouse to undertake an audit of The Bank of Credit and Commerce International. Price Waterhouse submitted a draft of its report, known as the “Sandstorm” report. The report was never finalised, but the Bank of England relied on the draft to justify its decision to order BCCI immediately to close down its activities in the UK. That led to the collapse of BCCI into insolvency, owing creditors around the world something in the region of US$10 billion.

By the time of the request for a copy of this report (March 2006), an almost complete copy of the Sandstorm Report had been published on the internet, even though it had never been formally published by the Bank of England, albeit with certain names redacted and certain sections missing. The Bank of England relied upon section 40(2) (personal data) and section 27(1)(a) (prejudice to international relations) in refusing to disclose this remaining information. The Commissioner agreed. For the most part, the Tribunal did not.

Prejudice to international relations

The Tribunal agreed that section 27(1)(a) was engaged, but decided that the public interest favoured disclosure. At paragraph 31, it said this:

“Although the material proposed to be redacted under this exemption comprises just a few sentences in a 44 page report, it does contribute a very relevant element to the story as a whole. And we do not think that the public interest is materially reduced by the appearance of much of the same information in other published reports. The public has an interest in seeing how each of those who carried out an investigation illuminated the facts and assessed the actions of those who were involved, whether they contributed to the problems, tried to resolve them or played a neutral role. The weight we apply to this element of public interest has been heavily influenced by our view of the importance of the events surrounding the collapse of BCCI, the serious ramifications it had for many innocent people caught up in it and the questions it raised about the regulation and auditing of a large international institution.”

Personal data

A number of categories of allegedly personal data were identified. An interesting category was the names of companies, from which it was argued that individuals could be identified. The Tribunal was not persuaded by the evidence as to the risk of identifiability.

In any event, as regards senior management, it took the view that “those having [such] positions in either BCCI or other organisations that were closely involved in the unlawful elements of its activities should be identified”, given the seriousness of the issue.

The Commissioner had decided that the names of employees should not be disclosed, whether or not their involvement with BCCI had previously been raised in the course of criminal proceedings. He argued as follows. If they had been convicted, it might be unfair to raise their involvement again some 15 years or more after the event. If they were acquitted, or faced no criminal action, there would be unfairness in blighting future employment prospects by disclosing, in 2007, their involvement with BCCI some years previously. The Tribunal disagreed in part. Its view was that the question of disclosure in these circumstances should turn on the seniority of the employee. At paragraph 44, it said this:

“As regards the potential impact on future employment prospects of those who were acquitted or never prosecuted, we believe that any truthful job application and curriculum vitae will, in any event, include mention of time spent in the employment of BCCI. We do not think that those individuals mentioned in the confidential schedule, whose names we say should be disclosed, should be encouraged to omit or misrepresent this part of their career history, given the criticism voiced in the Sandstorm Report and the importance of employee competence and honesty to future employers in the banking sector.”

As regards the personal data of BCCI customers, the Tribunal distinguished between those whose hands were clean with respect to the BCCI fraud (do not disclose) and those whose hands were not (disclose).

Much turned on the gravity and public profile of the BCCI collapse. In these circumstances, the Tribunal found that information aired in a public trial was likely to remain in the public domain (contrast Armstrong v IC and HMRC (EA/2008/0026)), and that the passage of time undermined rather than strengthened the argument in favour of individual privacy.

Robin Hopkins

PERSONAL DATA: CRUCIAL POINTS FROM THE ‘ABORTION STATISTICS’ CASE

Posted on | by Robin Hopkins

Judgment in Department of Health v IC [2011] EWHC 1430 (Admin) – the ‘abortion statistics’ appeal – was handed down on 20 April this year. Cranston J’s judgment has now been made available. The following salient points from that judgment may be of use to those interested in the concept and extent of ‘personal data’ under s. 40 FOIA and the DPA – especially when looking at the grey area of statistics or other anonymous data which is rooted in or derived from other data which is more overtly personal. The judgment is also essential reading for anyone grappling with the application of the leading House of Lords decision on this subject, Common Services Agency v Scottish Information Commissioner [2008] UKHL47, [2008] 1 WLR 1550 (‘CSA’). (‘Grappling’ is probably apt: even Cranston J conceded that “it would be wrong to pretend that the interpretation of the CSA case is an easy matter”).

Briefly by way of background: the Department refused a request for detailed statistics on the number of late-term abortions carried out on prescribed grounds. It relied on s. 40 FOIA, basing its case on the risk that, given the ‘low cell counts’ in these categories, the relevant patients and/or doctors might be identified by those sufficiently motivated to do so. The Commissioner found that these statistics were not personal data. The Information Tribunal agreed with the Department that they did constitute personal data, but was not satisfied that s. 40 was effective, as there was insufficient risk of identification.

On the Department’s appeal to the High Court, Cranston J agreed with the Commissioner that these statistics are not personal data.

One route to that conclusion was that advocated by the Commissioner, namely to adopt the approach of Baroness Hale in CSA: anonymised statistics remain personal data and therefore subject to the protection of the DPA in the hands of the data controller (who possesses the underlying data from which individuals could be identified) but not in the hands of the general public (who do not). This approach commended itself to the Upper Tribunal in the recent case of All Parliamentary Group on Extraordinary Rendition v Information Commissioner [2011] UKUT 153 AAC (on which, see my post here).

Cranston J, however, rejected that route, as it was the reasoning of Lord Hope rather than Baroness Hale in CSA which had attracted the majority’s support in that case. Lord Hope’s approach can be paraphrased as follows. The definition of personal data under s. 1 DPA provides for two means of identification: either from the data itself (inapplicable in the case of anonymous statistics) or from “from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller”. Lord Hope’s approach to situations such as this is to ask: does the ‘other information’ (if provided to the hypothetical member of the public) add anything to the statistics which would enable them to identify the underlying individuals? If the answer is no, the statistics are not personal data. The underlined words are important: if identification can be achieved from the ‘other information’ in isolation (rather than when added to the statistics) then the statistics themselves are truly anonymous, and are not personal data. The statistics in this case failed Lord Hope’s test, and were thus not personal data.

Cranston J’s conclusion was that the Tribunal had been correct to conclude that the data was ‘truly anonymised’ – but it had erred in treating this as personal data which had been truly anonymised. The Department contended that, because it held the underlying identification data, the abortion statistics remained personal data in all circumstances. Cranston J rejected this submission, stating that:

“If that were the case, any publication would amount to the processing of sensitive personal data…  Thus, the statistic that 100,000 women had an abortion in a particular year would constitute personal data about each of those women, provided that the body that publishes this statistic has access to information which would enable it to identify each of them.  That is not a sensible result and would seriously inhibit the ability of healthcare organisations and other bodies to publish medical statistics”.

In going on to dismiss the Department’s other grounds of appeal, Cranston J made a number of other points of general application. For example, in rejecting the criticism that the Tribunal had failed adequately to engage with the Department’s expert evidence, Cranston J said this:

“To begin, the issue before the Tribunal was one of assessment: the likelihood that a living individual could be identified from the statistics.  That was in my judgment only partly a question of statistical expertise, as regards matters such as the sensitivity of the data.  Partly, also, it was a matter of assessing a range of every day factors, such as the likelihood that particular groups, such as campaigners, and the press, will seek out information of identity and the types of other information, already in the public domain, which could inform the search.  These are factors which the Tribunal was in as good a position to evaluate as the statistical experts, a point which one of the Department of Health’s experts conceded.  The analysis also applies to the evidence of senior civil servants.”

As regards the Department’s contentions that conditions from Schedules 2 and 3 of the DPA were not met, their points were “wounding” to the Tribunal’s judgment, but not “fatal”, in light of the evidence at the Tribunal hearing. Finally, Cranston J described the Department’s argument based on Article 8 ECHR as “very much a jury argument”.

Interestingly, on the same day as judgment was given in this case, the High Court (Kenneth Parker J) gave judgment in R (BT & Anor) v The Secretary of State for Business, Innovation and Skills [2011] EWHC 1021 (Admin)  – BT’s unsuccessful application for judicial review of the Digital Economy Act 2010 (on which, see my piece here). One of the grounds of challenge was alleged non-compliance with the Data Protection Directive. In that judgment, IP addresses (anonymous strings of numbers linked to internet subscribers’ accounts) were treated as personal data even in the hands of copyright owners who possessed only those IP addresses. This was by application of the definition of personal data under the Directive: here copyright owners were deemed likely to come into possession of the underlying personal data when taking legal action against the individual internet subscribers who downloaded content in breach of copyright. This conclusion was reached independently of the Lord Hope test. Note, however, that it seems from the judgment that this question – are IP addresses always personal data or not – was not argued in full before Kenneth Parker J. There is talk of a potential appeal, so the application of these principles to IP addresses might be considered in the courts again before too long.

Robin Hopkins

EXTRAORDINARY RENDITION UPPER TRIBUNAL APPEAL: LATE RELIANCE, PERSONAL DATA & OTHER ISSUES

Posted on | by Robin Hopkins

The All Party Parliamentary Group on Extraordinary Rendition (APG) requested information from the Ministry of Defence on (i) memoranda of understanding between the UK and the governments of Iraq, Afghanistan and the USA regarding the treatment of prisoners detained in the conflicts in Iraq and Afghanistan, (ii) a copy of the Detentions Practices Review, (iii) a copy of the UK’s policy on capture and joint transfer, and (iv) statistics on detainees held in Iraq and Afghanistan. The MOD refused the requests, relying on a number of exemptions under FOIA. For the most part, the Commissioner agreed. APG’s appeal was expedited to the Upper Tribunal and heard by Blake J, Andrew Bartlett QC and Rosalind Tatam.

Except as regards request (iii), its appeal has succeeded, to a limited but substantial extent. The Upper Tribunal has ordered disclosure or significantly more information than that ordered by the Commissioner.

Its judgment (available here) is complex. Some of the key points of interest are as follows.

Late reliance

The Upper Tribunal was mindful of the decision of a differently constituted Upper Tribunal in the DEFRA/Brikett appeals, where it was held that public authorities may rely on exemptions as of right at any stage in proceedings. In this case, the Upper Tribunal did not need to decide the issue of late reliance, but it did confess to having “some general concerns” about such an approach, which threatens to “turn the time limit provisions of ss. 10 and 17 almost into dead letters”, and “can also create a strong sense of injustice”. The internal review mechanism provides sufficient time for the public authority to make its mind up; if new points are taken thereafter, “then fairness requires that the requester should be allowed to add to the terms of his complaint under s. 50(1)”.

Cost of compliance under s. 12 FOIA

The Upper Tribunal approved principles from Urmenyi v IC and LB Sutton (EA/2006/0093) concerning the Commissioner’s enquiries into the assumptions behind the public authority’s estimate, and from Roberts v IC (EA/2008/0050) about the activities falling within s. 12 and the reasonableness of estimates.

Late reliance on s. 12 is a different matter to late reliance on exemptions under Part II of FOIA. Delay by a public authority robs the requester of the opportunity to split the request into parts separated by 60 days, thereby avoiding s. 12. The cost exemption “only has meaning if the point is taken early on in the process, before substantial costs are incurred” – it looks at whether costs would exceed, not whether they have been exceeded.

In the present case, the MOD’s estimate was not reasonable because it was based upon a search for a broader class of information than that which was actually requested.

Prejudice to international relations under s. 27 FOIA

The Upper Tribunal was not persuaded that this exemption was effective: “since the maintenance of the rule of law and protection of fundamental rights is known to be a core value of the government of the United Kingdom, it is difficult to see how any responsible government with whom we have friendly relations could take offence at open disclosure of the terms of an agreement or similar practical arrangements to ensure that the law is upheld”.

Legal professional privilege under s. 42 FOIA

This exemption was engaged, and the public interest in favour of disclosure of the UK’s Detention Practices Review did not outweigh the public interest in maintaining the exemption.

Bodies dealing with security matters under s. 23 FOIA

The MOD successfully relied on this exemption – including where it was relied on “late”.

Personal data under s. 40 FOIA and the conditions in Schedule 2 DPA

Information on the dates and locations of individual cases of detention and prisoner transfer would not enable identification of those individuals, and was thus not personal data. If it had been personal data, condition 6(1) from Schedule 2 DPA would have been met.

APG in fact submitted that conditions 4, 5(a), 5(d) and 6(1) would be met by disclosure of statistics on detainees. The MOD submitted that a number of these conditions could not be relied on in the context of a request under FOIA because the public at large (to whom disclosure under FOIA is deemed to be made) cannot fulfil these conditions. The Upper Tribunal disagreed: at least some of these conditions can be fulfilled by a member of the public, and that is sufficient.

APG further relied on s. 35(2) DPA, which provides an exemption from the non-disclosure provisions of the DPA where disclosure is “necessary for the purposes of establishing, exercising or defending legal rights”. The Upper Tribunal confirmed that “establishing” for these purposes had the sense of “vindicating” rather than merely determining what the relevant rights are.

Where data is anonymised, it continues to attract the protection of the data protection principles insofar as it is in the hands of the data controller (who holds the key to identification of the otherwise anonymous data subjects). “But outside the hands of the data controller, the information is no longer personal data, because no individual can be identified… the best analysis is that disclosure of fully anonymised information is not a breach of the [DPA] because at the moment of disclosure the information loses its character as personal data”. The publication of truly anonymised or other “plain vanilla” data therefore does not involve “processing of personal data” for DPA purposes.

Related judgments

On the late reliance issue, permission to appeal to the Court of Appeal is being sought in the DEFRA/Birkett case.

On the s. 40 FOIA issue, the Upper Tribunal’s decision needs to be read in conjunction with the High Court’s decision (also handed down very recently) in the Department of Health’s “abortion statistics” appeal.