The Tribunal has this week given its decision in Ritchie v IC (EA/2010/0041). The case involved a “blacklist” which had been compiled and maintained by an organisation called the Consulting Association. The database consisted of the names and personal details of workers in the construction industry who had engaged in trade union or other activities in furtherance of employment rights. A number of major companies in the construction industry paid annual subscriptions and, as potential employers, were able to access individual records for a fee. The ICO investigated the matter, successfully prosecuted the proprietor of the Consulting Association and seized the database. It invited potentially affected workers to make subject access requests whereby they could receive information about them held in the database.
The General Secretary of the union UCATT subsequently requested from the ICO all files containing references to a number of named trade unions. This was one of the (relatively rare) cases in which the ICO was both the public authority and the regulator.
The ICO refused the request, relying on section 44 FOIA (disclosure prohibited under an enactment) in combination with section 59(1) DPA, which (to paraphrase and summarise) prohibits disclosure of information obtained by the Commissioner “under or for the purposes of the Information Acts” unless there is “lawful authority” for that disclosure. The Tribunal has upheld that refusal.
No commentary from me on this one, given my involvement in the case. I shall, however, point out that the decision covers the following issues: scope of the request; whether information is “publicly available”; the meaning of “lawful authority” under section 59(1) DPA; whether requests by unions are made with the “consent” of members; whether disclosure would be “necessary in the public interest”; personal data; Articles 9, 10 and 11 of the ECHR.