0370 270 6000

already registered?

Please sign in with your existing account details.

need to register?

Register to access exclusive content, sign up to receive our updates and personalise your experience on brownejacobson.com.

Privacy statement - Terms and conditions

Forgotten your password?

FOIA and data protection: the difficult balancing exercise for public authorities when a request is made for third party personal data

17 January 2020

This article is taken from January's public matters newsletter. Click here to view more articles from this issue.


The Freedom of Information Act 2000 (‘FOIA’) allows members of the public to request information from public bodies. As guidance issued by the Information Commissioner explains, the main principle behind FOIA is that people have a right to know about the activities of public authorities, unless there is a good reason for them not to. One such exemption is where the requested information concerns the personal data of third parties(1) and complying with the request would breach any of the data protection principles now contained in Article 5 of the General Data Protection Regulation (‘GDPR’).

The most common justification for withholding information under this exemption is that the processing (i.e. the disclosure of the information) would not be lawful, fair or transparent under Article 5(1)(a) of the GDPR(2). The interaction of FOIA and GDPR in this respect has two unusual consequences for public authorities. First, the public authority will in most cases need to apply the legitimate interests gateway contained in Article 6(1)(f) of the GDPR, which is permitted because section 40(8) FOIA overturns the usual position contained in Article 6 that prevents public bodies from relying on this gateway. Second, whilst there is usually a presumption in favour of disclosure under FOIA, the assumption is reversed and a justification is needed for the disclosure of personal data.

If the legitimate interests gateway is relied upon, the public authority must ask itself the following three questions (See South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55 at [18]):

  • Is the data controller or the third party or parties to whom the data are disclosed pursuing a legitimate interest or interests?
  • Is the processing involved necessary for the purposes of those interests?
  • Is the processing unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subject?

The real difficulty for public authorities arises in relation to the third question. This is different from the usual public interest test that public authorities apply under FOIA. In many cases the outcome will not be clear cut and for those finely balanced cases the requestor or third party (or both) may be unhappy with the decision because either too much or too little personal data has been released.

The touchstone is one of proportionality; any disclosure must not cause an unwarranted interference with the third party’s rights. The Information Commissioner has set out in guidance some relevant factors for public bodies to consider when going about this task:

  • What potential harm or distress may disclosure cause?
  • Is the information already in the public domain?
  • Is the information already known to some individuals?
  • Has the individual expressed concern or objected to the disclosure?
  • What are the reasonable expectations of the individual?

In many cases the personal data in issue will be that concerning employees of the public authority. In this context the type of information will also be a critical factor and the Information Commissioner has also produced more detailed guidance here covering salaries and bonuses, termination of employment, organisational tasks, job descriptions, employee names in documents, registers of interests, and disciplinary files. In most cases, however, the level of seniority of the employee and the extent to which the information intrudes into the employee’s private life (for instance, exact salaries or performance information) will need to be given weight.

One final quirk about this area of FOIA is that the motive of the requestor can matter – a departure from the usual position which requires public authorities to disregard motive. The Information Commissioner’s position is that it is unlikely that a disclosure under FOIA based on purely private interests meets the final limb of the three part test set out above. Conversely, a requestor’s lack of motivation to publicise the information requested is not a relevant consideration – any disclosure under FOIA remaining a disclosure to the world at large (See Information Commissioner v Halpin [2019] UKUT 29 (AAC)).

Given that public authorities will not want to either breach their obligations under the GDPR or their statutory obligations under FOIA the balancing exercise required by the legislation can be a difficult task. Browne Jacobson has an experienced team of information lawyers on hand to guide public bodies through this process.


(1) In other words, the personal data of a person other than the requestor. If a person is requesting access to their own personal data the request should be treated as a subject access request made pursuant to the data protection legislation (see s.40(1) of FOIA)

(2) If the disclosure is lawful because it overcomes the legitimate interests hurdle then in most cases it will also satisfy the requirement of fairness due to the balancing exercise discussed below that needs to be undertaken by the public authority. However, it remains possible that the information could be withheld because its disclosure would not be fair or transparent (possibly, for example, because its release would be inconsistent with the public authority’s privacy notice)

Receive our latest government sector news

Choose the way you want to keep up to date with our latest updates and insights. Sign up to our monthly newsletter or join the conversation with our team on LinkedIn.

Sign up to receive updates >

Follow our LinkedIn showcase page >

<>

Training and events

11Nov

In house lawyers: our consumer future In-person

Bringing together experts in niche retail and consumer sectors we'll be looking at what the future holds for consumer facing businesses.

View event

6Jan

In house lawyers: our trading future In-person

What will rising debt, the end of furlough, Brexit and new global trade tensions mean for business over the next few years?

View event

Focus on...

Legal updates

Contract termination in Covid-19 times

The ‘new normal’ has brought with it a variety of different challenges and it has had an impact on nearly all facets of our lives, including the termination of contracts during these Covid-19 times.

View

Legal updates

Recovering monies from an individual? Don’t forget about the Pre-Action Protocol for Debt Claims

The PAPDC does not apply to business to business debt only if the debtor is a sole trader. Much more information is required under the PAPDC within a letter of claim and debtors should be given more time to respond along with an opportunity to make payment proposals throughout the pre-action process.

View

Legal updates

Mandatory directing off-site

On 17 September 2021, the High Court handed down judgment in the case that covers some important points in relation to directing pupils off-site and is one of the few cases that covers the powers of schools to do so.

View

Legal updates

Public Matters - September 2021

Updates include the UK Hydrogen Strategy and IPA assistance with PFI contract expiry.

View

The content on this page is provided for the purposes of general interest and information. It contains only brief summaries of aspects of the subject matter and does not provide comprehensive statements of the law. It does not constitute legal advice and does not provide a substitute for it.

Mailing list sign up

Select which mailings you would like to receive from us.

Sign up