BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?

No donation is too small. If every visitor before 31 December gives just £1, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!



BAILII [Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback]

First-tier Tribunal (General Regulatory Chamber)


You are here: BAILII >> Databases >> First-tier Tribunal (General Regulatory Chamber) >> Little v Information Commissioner [2023] UKFTT 169 (GRC) (22 February 2023)
URL: http://www.bailii.org/uk/cases/UKFTT/GRC/2023/169.html
Cite as: [2023] UKFTT 169 (GRC)

[New search] [Printable PDF version] [Help]


Neutral Citation Number: [2023] UKFTT 169 (GRC)      

Case Reference: EA/2022/0177

 

First-tier Tribunal

General Regulatory Chamber

Information Rights

 

Decided without a hearing 

 

On: 2 February 2023

Decision given on: 22 February 2023

 

Before

 

TRIBUNAL JUDGE HAZEL OLIVER

TRIBUNAL MEMBER JO MURPHY

TRIBUNAL MEMBER ROSALIND TATAM

 

Between

 

 

DAVID LITTLE

 

Appellant

 

 

- and –

 

 

 

THE INFORMATION COMMISSIONER

 

Respondent

 

 

 

 

Decision: The appeal is Dismissed

 

 

 

REASONS

 

Background to Appeal

 

1.          This appeal is against a decision of the Information Commissioner (the “Commissioner”) dated 7 June 2022 (IC-145737-T1N8, the “Decision Notice).  The appeal relates to the application of the Freedom of Information Act 2000 (“FOIA”).  It concerns a copy of an email and attachments requested from Datchworth Parish Council (“DPC”).

 

2.          The parties opted for paper determination of the appeal. The Tribunal is satisfied that it can properly determine the issues without a hearing within rule 32(1)(b) of The Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 (as amended).

 

3.          On 16 March 2021, the Appellant wrote to DPC and requested the following information (the “Request”):

 

         “…Under the Freedom of Information Act 2000, I am here making a formal request for any correspondence (e-mails and attachments) between the chair of DPC and the RFO bearing a date of 23 September 2020.”  (The RFO is an abbreviation for the Council’s Responsible Finance Officer).

 

4.          DPC responded 19 March 2021 but failed to reply to the Request.  Following an internal review, DPC wrote to the Appellant on 25 May 2021. It revised its position to apply section 14 FOIA (vexatious requests) to refuse the Request.

 

5.          The Appellant complained to the Commissioner on 24 March 2021.  During the course of the Commissioner's investigation DPC said that it no longer wished to rely upon section 14, and instead wished to rely upon section 21 FOIA (information easily accessible to the requestor).  Following further discussions with the Commissioner, DPC accepted that it should disclose the information, subject to the redaction of some information under section 40(2) of FOIA (personal data).  DPC provided the Commissioner with copies of the information highlighting the redactions it was intending to make.

 

6.          The Commissioner decided that DPC was entitled to rely on section 40(2) to withhold the redacted personal information.  It was personal data.  Although disclosure would be for legitimate interests and necessary for those interests, this was outweighed by privacy rights of the individuals in relation to certain types of personal information.  DPC was required to disclose the withheld information to the Appellant, subject to the redactions which DPC informed the Commissioner that it intended to make under section 40(2) FOIA.

 

The Appeal and Responses

 

7.          The Appellant appealed on 1 July 2022.  His appeal is based on one redaction in the disclosed information.  He takes issue with the redaction of two words in a specific paragraph in an email.  He says that the inclusion of these words in context would not enable the identification of any individual or breach the privacy rights of any person.  He questions the extent to which the detail of DPC’s proposed redactions were endorsed by the Commissioner.

 

8.          The Commissioner’s response maintains that the Decision Notice was correct and that the redacted words are personal data.   The Commissioner says that, taking into account the small size of the council involved, and when read in the context of the remainder of the email, it is reasonably likely that if the withheld information were disclosed, the data subject who is the subject of this information would be identified by a member of the public who is motivated to find out.  The information clearly relates to a particular individual.

 

9.          The Appellant submitted a reply which maintains that section 40(2) FOIA was applied to too much information, and it has not been explained how a motivated intruder could identify the relevant individual from the relevant words.

 

Applicable law

 

10.       The relevant provisions of FOIA are as follows.

 

         1       General right of access to information held by public authorities.

(1)     Any person making a request for information to a public authority is entitled—

(a)     to be informed in writing by the public authority whether it holds information of the description specified in the request, and

(b)     if that is the case, to have that information communicated to him.

         ……

2       Effect of the exemptions in Part II.

…….

(2)     In respect of any information which is exempt information by virtue of any provision of Part II, section 1(1)(b) does not apply if or to the extent that—

(a)     the information is exempt information by virtue of a provision conferring absolute exemption, or

(b)     in all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosing the information.

         ……..

         40     Personal information.

(1)     Any information to which a request for information relates is exempt information if it constitutes personal data of which the applicant is the data subject.

(2)     Any information to which a request for information relates is also exempt information if –

         (a)     it constitutes personal data which do not fall within subsection (1), and

         (b)     the first, second or third condition below is satisfied.

(3A)   The first condition is that the disclosure of the information to a member of the public otherwise than under this Act—

(a)        would contravene any of the data protection principles

…….

         58     Determination of appeals

         (1)     If on an appeal under section 57 the Tribunal considers—

(a)     that the notice against which the appeal is brought is not in accordance with the law, or

(b)     to the extent that the notice involved an exercise of discretion by the Commissioner, that he ought to have exercised his discretion differently,

the Tribunal shall allow the appeal or substitute such other notice as could have been served by the Commissioner; and in any other case the Tribunal shall dismiss the appeal.

(2)     On such an appeal, the Tribunal may review any finding of fact on which the notice in question was based.

 

11.       Section 3(2) of the Data Protection Act 2018 (“DPA”) defines “personal data” as “any information relating to an identified or identifiable living individual”.  Section 3(3) defines this further as a living individual who can be identified “directly or indirectly”.  This can be by reference to an identifier such as a name, or “one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.”

 

12.       Recital 26 of the General Data Protection Regulation (GDPR) (which remains part of the UK General Data Protection Regulation) says, “The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments…” 

 

13.       It is not necessary for a person to be named in order for them to be identifiable.  Account should be taken of all means reasonably likely to be used to identify an individual, including the use of information already held or which could be obtained from another source.  As stated by the Upper Tribunal in Information Commissioner v Magherafelt District Council [2013] AACR 14, “…a person who starts without any prior knowledge but who wishes to identify the individual or individuals referred to in the purportedly anonymised information and will take all reasonable steps to do so”.  This is often referred to as a test of whether a “motivated intruder” could identify an individual from anonymised information.  In NHS Business Services Authority v Information Commissioner and Spivack [2021] UKUT 192 (AAC), the Upper Tribunal confirmed that this is a binary test which does not look at remoteness or likelihood - if a living individual can be identified, directly or indirectly, data is personal data; if not, it is not personal data. This test should be applied “on the basis of all the information that is reasonably likely to be used, including information that would be sought out by a motivated inquirer” (derived from recital 26 of the GDPR).   

 

14.        The “processing” of such information includes “disclosure by transmission, dissemination or otherwise making available” (s.3(4)(d) DPA), and so includes disclosure under FOIA.

 

15.       The data protection principles are those set out in Article 5(1) of the UK General Data Protection Regulation (“UK GDPR”), and section 34(1) DPA.  The first data protection principle under Article 5(1)(a) UK GDPR is that personal data shall be: “processed lawfully, fairly and in a transparent manner in relation to the data subject”.  To be lawful, the processing must meet one of the conditions for lawful processing listed in Article 6(1) UK GDPR. 

 

16.       These conditions include where “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” (Article 6(1)(e)).  This involves consideration of three questions (as set out by Lady Hale DP in South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55):

(i)          Is the data controller or third party or parties to whom the data are disclosed pursuing a legitimate interest or interests?

(ii)         Is the processing involved necessary for the purposes of those interests?

(iii)       Is the processing unwarranted in this case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject?

The wording of question (iii) is taken from the Data Protection Act 1998, which is now replaced by the DPA and UK GDPR.  This should now reflect the words used in the UK GDPR - whether such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

 

Issues and evidence

 

17.       The specific issue raised by the Appellant in his appeal is a narrow one.  Although he raises some general points about the redactions, his actual appeal is about the redaction of two words.  This is described as “The particular example that gives rise to this appeal”, and later the appeal document says, “It appears to me that the simple question is whether the inclusion, within the public domain and within the overall context of a Parish Council’s business, of the words: ‘[redacted] …. [redacted]’ enables the identification of any individual or breaches the privacy rights of any personIf the answer to that question is ‘Yes’, then this appeal must fail.”  The Appellant’s reply also confirms what he is asking for - “I would ask the Tribunal to consider making a Substituted Decision, allowing the words [redacted] and [redacted] not to be redacted.” 

 

18.       The issue for this appeal is therefore whether DPC was entitled to withhold a particular part of the requested information under section 40(2) FOIA. There is a dispute that two redacted words are personal data.

 

19.       By way of evidence we had an agreed bundle of open documents, and a closed bundle containing unredacted copies of the requested information.  We were somewhat surprised by some of the content of the open bundle as it contains unredacted versions of the information in both the appeal document and some of the supporting documents (this information will need to be redacted if there is any request from the public to see documents from the open bundle). 

 

Discussion and Conclusions

 

20.  In accordance with section 58 of FOIA, our role is to consider whether the Commissioner’s Decision Notice was in accordance with the law.  As set out in section 58(2), we may review any finding of fact on which the notice in question was based.  This means that we can review all of the evidence provided to us and make our own decision.

 

21.  This is a somewhat unusual case as the Appellant has already seen the requested information in full, as he was a Councillor at DPC at the relevant time (and the Request arises from information sent to him as a Councillor).  This means that he has referred to the detail of the redacted information in his appeal documents.  We have been careful in our open decision to not provide any details that could reveal the withheld information, bearing in mind the information that has already been released under FOIA.  We have provided a short closed annex to this decision to the parties only, which explains our reasoning in more detail.

 

22.  The particular paragraph that the Appellant is concerned about is as follows (with the disputed redaction shown in bold capitals):

 

“We have allocated this item to the new Policy Group to look through. Bearing in mind

that an [REDACTED] cost us money with the [redacted], this is something that we

need to bear in mind. [Redacted] advice was not as expected and did not help the

situation at all, hence why we went to [redacted].”

 

23.  Is the redacted information personal data?  The Appellant says that it is not, as these two words would not enable the identification of any person.  He says that even a motivated intruder would not be able to make the leap from these two words to identify an individual, and the context of the email does not seem to facilitate this.  He also says that the information needs to have the putative data subject as its focus.  He also points to other inconsistent failures to redact other information in the same document.

 

24.  The Commissioner maintains that it is personal data, because “it is reasonably likely that if the withheld information were disclosed, the data subject who is the subject of this information would be identified by a member of the public (including the Appellant) who is motivated to find out.”  We note that this is not the correct test, based on the recent Upper Tribunal decision in Spivack.  The test is whether a living individual can be identified or not, based on all information that is reasonably likely to be used. 

 

25.  No individual is directly named or identified by the redacted words.  However, as stated in the Commissioner’s guide on what is personal data, “The key point of indirect identifiability is when information is combined with other information that then distinguishes and allows for the identification of an individual.”  We have taken into account other unredacted information in the email which puts the redacted information in context.  We have taken into account the small size of DPC and the community it serves, and the high likelihood that other information will be held that would allow the identification of a particular individual from the redacted words.  We also find that information could be obtained from other sources (including but not limited to the remainder of the email) and put together with the redacted information by a person who wished to identify the individual.  In context, we find this is more than a possibility.  Applying the test as set out in the recent decision in Spivack, we find that a living individual could be identified from the redacted information, based on all the information that is reasonably likely to be used and including information that would be sought out by a motivated inquirer.

 

26.  We note the Appellant’s point that some of the other redactions in the document are inconsistent.  However, we are looking at the specific words that the Appellant says should be unredacted, and are satisfied that they are personal data.  It may be that some of the other redactions arguably do not go far enough in protecting the personal data of other individuals, but that is outside the scope of this appeal. 

 

27.  The appeal is based on whether or not the information is personal data, and does not provide any reasons for challenging the Commissioner’s findings on the balancing test under Article 6(1)(e) UK GDPR.  We therefore consider the remainder of the test briefly.

 

28.  Is the data controller or third party or parties to whom the data are disclosed pursuing a legitimate interest or interests?  The Commissioner accepts that there are legitimate interests here, including in particular the public knowing about spending of public money and decisions taken about use of public money, and we agree.

 

29.  Is the processing involved necessary for the purposes of those interests?  The Commissioner accepts that disclosure would be reasonably necessary to meet these interests.  Although there may be other ways of finding out some information about how DPC spends public money, we agree that additional detail would be provided by disclosure of the requested information.

 

30.  Is the processing unwarranted in this case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject?  The Commissioner says that the data subject would not reasonably expect this information to be disclosed under FOIA, and it would be likely to cause distress.  We agree that individuals would expect personal data contained in internal DPC emails to be redacted before being released under FOIA, particularly when it relates to the topic involved here.  This may also cause distress to the individual.  We agree with the Commissioner that, although there are some legitimate interests in disclosure, they are outweighed by the individual’s privacy rights. 

 

31.  We therefore find that DPC was entitled to rely on section 40(2) to withhold the two redacted words.   The Commissioner’s decision was in accordance with the law and we dismiss the appeal.

 

Signed       Judge Hazel Oliver                                                                            Date:   6 February 2023


BAILII: Copyright Policy | Disclaimers | Privacy Policy | Feedback | Donate to BAILII
URL: http://www.bailii.org/uk/cases/UKFTT/GRC/2023/169.html