Freedom of Information Act

Freedom Of Information Act 2005 Awareness Guide

Personal Information

The right under the Freedom of Information Act to request official information held by public bodies (known as the right to know) comes into force in January 2005. The Awareness Guidance series is published by the Information Commissioner to assist public authorities and, in particular, staff who may not have access to specialist advice in thinking about some issues. Here we look at the exemption relating to personal information. The exemption is set out in section 40 of the Act. The aim of the series is to introduce some of the key concepts in the Act and to suggest the approaches that may be taken in preparing for implementation.

What does the Act say?

Section 40 of the Act sets out what appears at first sight to be a complicated exemption from the right to know where the information requested consists of personal data. Fortunately, the exemption is not as difficult as it first appears. It can be summarised as follows:

  • If the personal data is about the person requesting the information, then there is no right to know under the Freedom of Information Act. There is, in other words, an absolute exemption. However, any such requests automatically become subject access requests under the Data Protection Act and must be treated as such. This means that despite the exemption under the Freedom of Information Act, the applicant has a right to his or her information under the Data Protection Act.
  • If the personal data is about someone other than the applicant, there is an exemption if disclosure would breach any of the Data Protection Principles. (This is the main issue explored in this guidance.) There are also some special rules to be applied in cases where the personal data are about someone who has formally objected to their disclosure. The term “third party data” is used to describe personal information about someone other than the applicant.

What is personal data?

The term personal data is defined in the Data Protection Act, as amended by the Freedom of Information Act. Personal data is information about a living individual from which that individual can be identified. It may take any of the following forms:

  • Computer input documents;
  • Information processed by computer or other equipment (eg CCTV);
  • Information in medical, social work, local authority housing or school pupil records;
  • Unstructured personal information held in manual form by a public authority.

The last of these categories was introduced into the Data Protection Act by FOI. For public authorities it means that, in effect, any information held about living individuals is potentially accessible under the Freedom of Information Act. However, in the case of this last type, which is sometimes referred to as category e) data, there are some special rules designed to reduce the administrative burden which requests for information are likely to place on authorities. These are explained in the next section. For private sector organisations, the definitions in the Data Protection Act are unchanged.

Subject Access Requests

Subject access requests must be made in writing. The definition includes requests made by email. There is no requirement to refer to the Data Protection Act and there will almost certainly be people who request information about themselves (ie personal data) while mistakenly citing the Freedom of Information Act. In any event, if the request is for personal data relating to the applicant, it must be treated as a request under the Data Protection Act.

If you calculate that you will be unable to respond within the 20 working day period provided by the FOI Act and that you may need the full 40 calendar day period allowed for under the Data Protection Act, you should let the applicant know.

Under the FOI Act, an applicant must simply state his or her name, provide an address for correspondence and describe the information requested. Only in exceptional circumstances will you be justified in seeking to verify the applicant's identity – for instance if you suspect that a request is a vexatious one, submitted under an assumed name. Under the Data Protection Act, by contrast, you must avoid making disclosures of personal information which would breach the Act. In sensitive cases or where you suspect that the applicant is not who they claim to be, you may therefore need to check a signature or ask for proof of identity.

The usual subject access fee under the Data Protection Act is £10. (Exceptions are a fee of up to £50.00 for medical records and a sliding scale for school pupil records.) However, where the request is for unstructured personal information, charges can be made in accordance with the Freedom of Information Act rules; these will be set out in regulations.

It is also worth remembering, particularly in the case of unstructured information, which may be hard to locate, that public authorities need not respond unless they are given any information which they reasonably need to find the information requested.

The Data Protection Act contains a number of exemptions from the right of subject access. These are explained in the Data Protection Act 1998 Legal Guidance, also published by the Commissioner. The Commissioner has also published a large amount of information about subject rights which is available from the data protection area of his web site or may be requested from the Information Line (01625 545 745).

Requests for Third Party Data

The Data Protection Act contains 8 principles which, taken together, form the basic standard to which those processing personal data must operate. When an applicant asks for third party data, that request can only be refused if disclosure would breach any of the data protection principles.

The first principle requires personal data to be processed fairly and lawfully. In practice this will be the key issue when considering an application for third party data.

Disclosure would be unlawful if:

  • There would be a breach of confidence. The duty of confidence is the subject of Awareness Guidance No. 3. It is likely to arise where relatively sensitive information has been provided to an authority in the expectation that it would not be disclosed. Examples include medical information or personal financial details.
  • There is a law forbidding disclosure, for instance the Official Secrets Act.

The concept of fairness is harder to define, although in practice it ought not to be difficult to judge whether it would be unfair to someone to pass on their information without consent. The sorts of questions which should be asked include:

  • Would the disclosure cause unnecessary or unjustified distress or damage to the person who the information is about?
  • Would the third party expect that his or her information might be disclosed to others?
  • Had the person been led to believe that his or her information would be kept secret?
  • Has the third party expressly refused consent to disclosure of the information?

Private or Public Lives?

In thinking about fairness, it is likely to be helpful to ask whether the information relates to the private or public lives of the third party. Information which is about the home or family life of an individual, his or her personal finances, or consists of personal references, is likely to deserve protection. By contrast, information which is about someone acting in an official or work capacity should normally be provided on request unless there is some risk to the individual concerned.

While it is right to take into account any damage or distress that may be caused to a third party by the disclosure of personal information, the focus should be on damage or distress to an individual acting in a personal or private capacity. The exemption should not be used, for instance, as a means of sparing officials embarrassment over poor administrative decisions.

An issue which will often arise is whether the Data Protection Act prevents the disclosure of information identifying members of staff. Applying the criteria suggested above, if the information requested consists of the names of officials, their grades, job functions, or decisions which they have made in their official capacities, then disclosure would normally be made. On the other hand, information such as home addresses or internal disciplinary matters would not normally be disclosed. While it would be wrong to disclose bank account details of staff, it would be unlikely to be unfair to publish details of expenses incurred in the course of official business, information about pay bands, or, particularly in the case of senior staff, details of salaries. While this information clearly does relate to staff personally, there is a strong public interest in provision of information about how a public authority has spent public money.

These are not hard and fast rules. While names of officials should normally be provided on request, if there is some reason to think that disclosure of even that information would put someone at risk, for instance confirming the work address of a member of staff who has been physically threatened, then it may be right not to give out that information. It may also be relevant to think about the seniority of staff: the more senior a person is, the less likely it will be unfair to disclose information about him or her acting in an official capacity.

Formal objections to disclosure

The Data Protection Act gives people the right to object in writing to the processing or disclosure of their personal data. Such written objections are often referred to as Section 10 Notices. An organisation receiving such a notice must comply unless there is some overriding justification for the processing. In some cases, although an organisation does not accept that there are valid grounds for objection, it may agree not to process or disclose data simply because those are the wishes of the person concerned.

If a request for the disclosure of information to which the third party has previously objected is received, then, under FOI, the public authority must review its decision to accept the objection and must provide a copy of the information unless it is satisfied that the objection was in fact a valid one.

Key issues in preparing for implementation of the FOI Act

  • Many public authorities are used to dealing with subject access requests under the Data Protection Act and with the old definition of personal data. Staff need to be aware of the fact that the definitions have been broadened to include unstructured personal information.
  • It is often believed that the Data Protection Act prevents the disclosure of any personal data without the consent of the person concerned. This is not true. The purpose of the Data Protection Act is to protect the private lives of individuals. Where information requested is about people acting in a work or official capacity then it will normally be right to disclose.
  • You should develop a policy as to what information will be routinely disclosed about staff and what might be withheld. Your policy is likely to be more effective and you will avoid unnecessary alarm if this policy is developed in consultation with staff.
