Cornerstone on Information Law 9781784514112, 9781784514143, 9781784514136

English, 661 pages, 2019


Table of contents :
Table of Statutes
Table of Statutory Instruments
Table of European Legislation
Table of Cases
Part 1 Data Protection
Section A Data Protection – Main Provisions
1 Introduction and Key Points
2 GDPR and Data Protection Act 2018
The GDPR
Data Protection Act 2018
The GDPR and the Act
Structure and Main Provisions of the Act
Recitals to the GDPR
The DPPEC Regulations 2019
3 Definitions in the GDPR and Territorial Scope
Definitions
Territorial Scope of the GDPR
Territorial Scope of the UK Provisions after Brexit
4 Data Protection Principles
GDPR Data Protection Principles
The New Accountability Principle
5 Lawful Bases of Processing
Six Lawful Bases
LIA Test – Preliminary Points
Lawful Bases – Special Categories
Exemptions/Lawful Bases in GDPR, Article 9
Substantial Public Interest Processing
6 Transparency and Privacy Notices
Transparency
Privacy Notices
Section B Individual Rights
7 Right of Access
Meaning of Access Request – In Summary
Access Requests in Detail
8 Other Individual Rights
Right to Rectification – Articles 16 and 19 (and Recital 65)
Right to Erasure – Articles 17 and 19 (and Recitals 65 and 66)
Right to Restriction of Processing – Articles 18 and 19 (and Recital 67)
Right to Data Portability – Article 20 (and Recital 68)
Right to Object – Article 21(1) (and Recital 69)
Automated Decision-Making, including Profiling – Article 22 (and Recital 71)
Section C Exemptions
9 Exemptions under the DPA 2018
Outline of Exemptions
Exemptions in detail
Section D Types of Data Processing Activity
10 Sharing Personal Data
ICO Data Sharing Code
11 International Transfers
‘Adequate Level’ of Protection
USA Transfers – Safe Harbor and Privacy Shield
Appropriate Safeguards
Derogations
Fallback: Non-Repetitive Transfer
Cross-Border Flows of Data after Brexit
12 Electronic Communications and Marketing
Privacy and Electronic Communications Regulations
Section E Precautions, Advice and Enforcement
13 Data Protection Impact Assessments
Background and when to conduct a DPIA
Conducting a DPIA
Other issues, including exemptions
14 Data Protection Officer
Designation of a DPO
Position of the DPO
Tasks of the DPO
15 Data Breaches
Assessing Risk
Notification to ICO (GDPR, Article 33)
Notification to Data Subjects (GDPR, Article 34)
16 Enforcement and Appeals
Information Notices
Assessment Notices
Enforcement Notices
Powers of Entry
Penalty Notices
Complaints to ICO and Appeals to Tribunal
Court Remedies
Section F Law Enforcement Processing
17 Law Enforcement Processing (DPA 2018, Part 3)
Competent Authorities
Data Protection Principles
Rights of Data Subjects
International Transfers
Article 10 Processing (by persons other than ‘competent authorities’)
Part 2 Environmental Information
Section A Introduction, Definition and Comparison with Freedom of Information
18 The Breadth and Importance of Environmental Information
Background to the EIR
Relationship of EIR with the FOIA
19 Definition of Environmental Information
Regulation 2(1)(a) – Elements of the Environment
Regulation 2(1)(b) – Factors Affecting the Elements
Regulation 2(1)(c) – Measures Affecting (or Protecting) the Elements or Factors
Regulation 2(1)(d) – Reports on the Implementation of Environmental legislation
Regulation 2(1)(e) – Cost-benefit and Other Economic Analyses
Regulation 2(1)(f) – The State of Human Health and Safety etc
20 Similarities With, and Differences from, FOIA 2000
Summary of how EIR and FOIA compare
Section B Handling EIR Requests
21 Handling EIR Requests
Who is Subject to EIR
Mixed EIR/FOI Requests
DEFRA Code
Aggregation of Public Interest Factors
Presumption in Favour of Disclosure – Article 12(2)
Costs and Charges
Section C Exemptions
22 EIR Exceptions 1: Regulation 12(4)
Information not Held – Regulation 12(4)(a)
Request Manifestly Unreasonable – Regulation 12(4)(b)
Request too General – Regulation 12(4)(c)
Material In Course of Completion etc – Regulation 12(4)(d)
Public Interest Test – Regulation 12(4)(d)
Internal Communications – Regulation 12(4)(e)
23 EIR Exceptions 2: Regulation 12(5) and Personal Data
Harm Test
Harm to International Relations, Defence, National Security or Public Safety – Regulation 12(5)(a)
Course of Justice – Regulation 12(5)(b)
Intellectual Property Rights – Regulation 12(5)(c)
Confidentiality of Proceedings – Regulation 12(5)(d)
Confidentiality of Commercial or Industrial Information – Regulation 12(5)(e)
Interests of Voluntary Provider of Information – Regulation 12(5)(f)
Harm to the Environment – Regulation 12(5)(g)
Personal Data and EIR Requests – Regulation 13
Part 3 Freedom of Information
24 Duties and Process
FOI Duties
Datasets
Section 45 Code
Application of Act: Public Authorities
Charging for Requests: (I) Publication Scheme
Charging for Requests: (II) Information Requests
No Duty to Comply: (I) Cost Limit for FOI Requests
No Duty to Comply: (II) Vexatious or Repeated Requests
Handling Exemptions and the Public Interest Test
Internal Review and Appeals
25 Freedom of Information Exemptions 1
Grouping of FOI Exemptions
FOI Exemptions (sections 21–29)
26 Freedom of Information Exemptions 2
FOI Exemptions (sections 30–44)
27 Personal Data in Information Requests
Introduction
Outline of FOIA 2000, s 40
Requester’s Own Data, and Joint ‘Third Party’ Data
Third Party Data which are not the Data of the Requester
First condition
Second condition
Third condition
EIR and Personal Data
FOI/EIR Requests to ‘Competent Authorities’
Appendices
Appendix 1 – GDPR – (informal) List of Provisions
Appendix 2 – Correlation Table between GDPR Recitals and Articles
Appendix 3 – Data Protection Resources
Appendix 4 – Environmental Information Regulations (‘EIR’) Resources
Appendix 5 – Freedom of Information Act (‘FOIA’) Resources
Appendix 6 – Re-use of Public Sector Information
Index

Cornerstone on Information Law
Damien Welfare BA (Hons), MSc, FRSA, Barrister

BLOOMSBURY PROFESSIONAL
Bloomsbury Publishing Plc, 41–43 Boltro Road, Haywards Heath, RH16 1BJ, UK
BLOOMSBURY and the Diana logo are trademarks of Bloomsbury Publishing Plc

First published in Great Britain 2019
Copyright © Bloomsbury Professional 2019

All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage or retrieval system, without prior permission in writing from the publishers.

While every care has been taken to ensure the accuracy of this work, no responsibility for loss or damage occasioned to any person acting or refraining from action as a result of any statement in it can be accepted by the authors, editors or publishers.

All UK Government legislation and other public sector information used in the work is Crown Copyright ©. All House of Lords and House of Commons information used in the work is Parliamentary Copyright ©. This information is reused under the terms of the Open Government Licence v3.0 (http://www.nationalarchives.gov.uk/doc/open-government-licence/version/3) except where otherwise stated. All Eur-lex material used in the work is © European Union, http://eur-lex.europa.eu/, 1998–2019.

British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.

ISBN: PB: 978 1 78451 411 2; ePDF: 978 1 78451 413 6; ePub: 978 1 78451 412 9

Typeset by Evolution Design and Digital Ltd (Kent)

To find out more about our authors and books visit www.bloomsburyprofessional.com. Here you will find extracts, author information, details of forthcoming events and the option to sign up for our newsletters.

Preface

Openness and privacy are two of the big themes of our age, and they are often in conflict. We expect openness and accountability in the public realm, while demanding privacy for ourselves (and even sometimes for others) as individuals (notwithstanding the contrary attractions of social media for many). The tensions between disclosure and withholding information are at the heart of ‘information law’, a term and an area of law which is still in its infancy.

Both ‘information law’, and public awareness of data privacy and rights of access to public information, have changed out of recognition from the time when the Data Protection Act 1998 was enacted and the Freedom of Information Act 2000 (‘FOIA’) was being planned. Until very recently, data protection was a subject mainly for specialists, whereas now it is in the news on almost a daily basis; covering subjects ranging from data losses to the harvesting of individuals’ data, from identity theft and online fraud to the protection of children from online danger. Freedom of Information has become an accepted tool in the UK for journalists, politicians and many ordinary citizens; playing an important part in driving more information than ever before about government into the public domain. The environmental information regime is less well-known, but it has been given enormous scope; and rivals the FOIA in the range and the importance of the public sector information which it covers.

The Information Commissioner (‘ICO’) has a leading role in all three regimes, and has become a significant public figure. The law has to find the right balance, between giving individuals their rights (both to transparency and to data privacy) and enabling public institutions to perform their roles effectively, without being overburdened by requests or hampered by undue public scrutiny. It similarly has to weigh the respective interests of individuals and the controllers who hold their personal data, and establish realistic standards of data protection with which controllers can comply. It operates principally through the three sets of legal mechanisms which form the main subjects of this book, covering the fields of Data Protection, Freedom of Information, and the Environmental Information Regulations (‘EIR’); and the nuanced rules and careful processes of adjudication which they contain.

This book has a practical focus. It is aimed at data protection practitioners (including the new Data Protection Officers) and their legal advisers working in ‘controllers’ in the public, private and voluntary sectors; and, at those officials who deal with FOIA and EIR requests in public sector bodies. Both types of practitioners (and many combine both roles) face complex problems and a constantly busy workload, which is only growing. The book tries to draw together the main issues with which they are likely to be concerned. It is hoped that it may be useful in explaining the obligations placed on controllers and public authorities. It is hoped too that it may be of interest to individuals seeking to understand these fields, or to exercise their rights in them.


In tackling all three regimes in one volume, the book aims to provide a practical handbook for practitioners and lawyers at a manageable size and depth; which seeks to demystify some of the concepts and jargon (particularly in data protection), to summarise the issues whilst giving enough detail to address some of the more difficult problems likely to arise, and to identify connections between what are often seen as distinct regimes. At the same time, a book of this length cannot cover all of the ground. It concentrates on the main themes of each of the regimes, and is intended to provide a first source of information (or a speedy initial answer), while pointing the way to further sources if they are needed. The main themes include (in relation to data protection) the ‘lawful bases’ for processing; whose correct identification is crucial to compliance, and yet the breadth of whose scope is sometimes not appreciated. Another theme, in relation to all three regimes, is an emphasis on the many exemptions which can apply in specific circumstances, both from requests for information and (in terms of data protection) from a number of the general obligations. In the author’s experience, the exemptions which may apply in a given case are often only incompletely applied or understood. Yet they play an important role in achieving the correct balance in relation to compliance. At the same time, it has been necessary to omit, or refer only briefly to, other issues. One of the latter is the development by the courts of the tort of misuse of private information; which has grown from breach of confidence, and can arise in parallel with claims for compensation for data protection breaches.

Outline of Parts 1–3 of the book

The book is divided into three parts. The order is based on the premise that all information falls into one of: 1) personal data; 2) environmental information; or, 3) information to which the FOIA will apply. Since the first two relate to specific categories of information, and apply distinct rules to them, it is necessary in any given case first to identify the information falling into either personal data or environmental information. The FOIA, for all its high national profile, applies to what is left. As a result, it is dealt with in the final part of the book.

The first Part (Part 1) is on the General Data Protection Regulation (‘GDPR’) and the Data Protection Act 2018 (‘DPA 2018’). The GDPR has had enormous attention, both before and since its coming into effect on 25 May 2018. The DPA 2018, in contrast, has had almost none; even, at first, from the Information Commissioner. (At the date of writing this Preface, there was still no updated guidance from the ICO on the Act as a whole, as opposed to the previous Bill; notwithstanding the Act being indispensable to a correct application of the GDPR). There were few sources elsewhere. This book examines many of the Act’s key provisions and, it is hoped, fills at least part of the gap. The Act has a key role in supplementing the GDPR, by supplying many of the new ‘lawful bases’ for processing ‘special category’ (formerly sensitive) personal data. It also provides all of the exemptions from data protection requirements, applying where appropriate to access requests, other individual rights (including new ones under the GDPR), and the general obligations of controllers. The interrelationship between the GDPR and the Act is crucial in handling data protection. In the event of Brexit, the relationship is changed (albeit largely as to detail, rather than substance) by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, SI 2019/419 (the ‘DPPEC regulations’; see below).

The early chapters in Section A describe the relationship between the GDPR and the Act, key definitions, and the data protection principles. Chapter 5 examines the lawful bases for processing. In Section B, the right of access (formerly the ‘subject access right’ or SAR) is examined in Chapter 7; and the other new or strengthened individual rights under the GDPR in Chapter 8. As well as the obligations, there are summaries in those chapters, at the end of the relevant text, of the exemptions applying to them; and leading into Chapter 9 and Section C, where the exemptions are described. Key data processing issues are covered in Section D, including: data sharing (Chapter 10) and cross-border transfers of personal data (Chapter 11). Section E looks at precautions, advice and enforcement, including: Data Protection Impact Assessments (‘DPIAs’) (Chapter 13); the new Data Protection Officers (Chapter 14); handling data breaches (Chapter 15); and, enforcement by the ICO and in the courts (Chapter 16). The processing of personal data for law enforcement purposes, which is a separate system under the DPA 2018, is examined in outline in Chapter 17. Appendices 1 and 2 are intended to assist in navigating the GDPR; respectively, by creating an (unofficial) list of its contents (which is normally lacking), and by correlating its Articles and Recitals (see below). Appendix 3 offers a list of key resources available to interpret the two measures, including (in the event of Brexit) the very useful ‘Keeling Schedules’ referred to below.
Part 2 of the book focuses attention on the Environmental Information regime, which has often been overlooked or misunderstood in the past. This has been partly because many public authorities, with functions unconnected to the physical environment, have erroneously considered that it did not apply to their work. In fact, the EIR should be applied (according to the approach championed by the Commissioner, and endorsed by the tribunals and courts) to requests about a significant proportion of the information held by public authorities; including information which may have little apparent connection to the environment. This Part of the book also questions the frequent assumption that the EIR lead to more disclosure than the FOIA, for which the author sees little evidence; and, the practical significance of the express presumption in the EIR in favour of disclosure. Section A examines the breadth of environmental information (Chapter 18), and its definition (Chapter 19), including the troubled boundary with information which is subject to the FOIA. Chapter 20 looks at the similarities and differences between the two regimes. Tables in that chapter correlate (so far as practicable) the exemptions under the FOIA and the ‘exceptions’ under the EIR; and vice versa. In Section B, Chapter 21 looks at how to handle EIR requests. In Section C, Chapters 22 and 23 describe the exemptions (‘exceptions’) under the EIR.

Part 3 of the book sets out the main features of the FOIA regime. After looking at the FOIA duties of public authorities, and the main processes applying to them in Chapter 24, the following two chapters (Chapters 25 and 26) maintain the focus on exemptions, as in the first two Parts. A way of grouping FOIA exemptions is also suggested at the start of Chapter 25, which may assist practitioners in identifying connections between sometimes unfamiliar exemptions. The final chapter (Chapter 27) examines the rules on the disclosure of personal data in FOI (and EIR) requests (ie for the public disclosure of information about individuals); where the tension between disclosure and privacy is at its most acute, and where the contrary directions taken by the FOI/EIR and GDPR/DPA 2018 rules have to be harmonised. A summary of the suggested approach to such requests is set out in paragraph 27.7. Appendices 4–5 list key resources which may be helpful in handling EIR or FOIA matters respectively. The final Appendix (Appendix 6) looks at the Re-Use of Public Sector Information.

Many of the arguments or examples in the text are drawn from experience in advising public authorities and others, representing clients, or presenting seminars to lawyers and practitioners. Some of the descriptions of exemptions or other aspects seek to distil points drawn from the Commissioner’s guidance, which is the obvious primary source for practitioners, and to which I acknowledge my debt; although, as may become clear, I do not always agree with the Commissioner’s approach. The Commissioner’s guidance is comprehensive, however, and represents the likely state of the law as it is applied day-to-day, and with which practitioners have to deal.

The impact of Brexit and the DPPEC regulations

The book states the law as at the beginning of April 2019. It includes the effect of changes to the law designed to provide for the impact on data protection of the UK’s departure from the European Union (‘Brexit’). The ‘DPPEC Regulations’, enacted in February 2019, amend the GDPR and the DPA 2018 from the date of Brexit (save in relation to electronic communications, where the regulations came into effect on 29 March 2019). At the time of going to press, both the course of Brexit, and its timing, remained uncertain; with the UK due to leave the European Union on 31 October 2019, in default of any other development. The law on data protection is set out, therefore, as it has stood both before and up to Brexit (and as it would continue, in the event that Brexit did not proceed); and, where there are changes, as it will apply after Brexit under amendments made by the regulations. The text states the pre-Brexit law first; then sets out any changes made by the regulations, using terms such as ‘post-Brexit’ or ‘after Brexit’, as appropriate. The text should be read, therefore, in relation to whichever alternative is appropriate in the circumstances, or at the time of reading.

In the period before Brexit, many legal regimes based on EU law have been expected to continue during any transitional (or ‘implementation’) period after the date of the UK’s departure. This is only partially the case with data protection. Under the EU/UK Withdrawal Agreement, as negotiated in 2018 (but not ratified by the UK at the time of writing), EU law was envisaged to continue to apply to the processing of personal data of individuals outside the UK, subject to certain conditions. The processing of the personal data of individuals within the UK was envisaged, however, to be subject to UK law from ‘exit day’; based on the GDPR (as adopted into UK law by the EU (Withdrawal) Act 2018) as supplemented by the DPA 2018. In the event of exit from the EU without a withdrawal agreement, there would be no transitional period. In either event, therefore, the UK’s post-Brexit data protection laws would apply immediately from the date of exit.

Against this background, the DPPEC regulations were enacted: (a) to make changes to the GDPR in the UK context, at the point when the regulation moved (ie on ‘exit day’) from having direct effect in UK law as an EU measure to being adopted into UK law; and to re-name it the ‘UK GDPR’; (b) to modify the DPA 2018 (from exit day), in parallel with the changes to the GDPR; and, (c) to make transitional provision in the DPA 2018, applying from exit day; notably for the handling of cross-border transfers of personal data (to the extent that these could be dealt with by UK, rather than EU, law). The changes made by the DPPEC regulations are drawn together at para 2.33, as well as being described at appropriate points in the text of Part 1 of the book (ie Chapters 1–17), or (in relation to FOI/EIR requests involving personal data) in Chapter 27.

‘Keeling Schedules’

Practitioners will need, in relation to Brexit, to refer either to the DPPEC Regulations themselves, or (more conveniently) to the versions of the GDPR and DPA 2018 in the format known as ‘Keeling Schedules’, which incorporate and show the changes as from ‘exit day’. Online references from which the Schedules may be downloaded are included in Appendix 3.

The ‘UK GDPR’

References to the GDPR should be taken, in the event of Brexit, to include also the ‘UK GDPR’ (as introduced after Brexit by the DPPEC Regulations), as appropriate in the particular context; except where the ‘UK GDPR’ is referred to specifically (see paras 2.3 and 2.33).

GDPR Recitals and guidance

I have taken the view that references to the Guidelines produced by the Article 29 Working Party/European Data Protection Board (‘EDPB’) will remain helpful, in the event of Brexit, in interpreting the ‘UK GDPR’; and likewise that the Recitals to the GDPR should continue in those circumstances to be seen as a helpful aid to interpretation and understanding (see paras 2.31–2.32).

Style point in relation to ‘data’

On a point of style or grammar, the word ‘data’ is strictly speaking a plural noun, and (unlike the DPA 2018) I have tried to keep to that approach in the many references to such information (eg ‘personal data’) in Part 1 of the book and elsewhere.

Acknowledgements

My wife, Lynn Gardner, and our children, Catherine and Jonathan, have put up with the demands on our time and my equanimity, made by the writing of this book, with kindness and understanding – even when it accompanied us on holiday. Its completion would not have been possible without them.

A number of my colleagues in Cornerstone Barristers were involved in discussion of an earlier version of this project; notably Estelle Dehon. I express my gratitude to them for their comments and support at that stage, and encouragement since.

In relation to the book’s publication, I am very grateful to: Leanne Barrett for supporting the proposal at the outset, and continuing to do so through multiple stages; Jane Bradford, Editorial Manager at Bloomsbury Professional, for overseeing it and setting it in the right direction; and, my editor, Vickie Day, for keeping it on a straight and narrow path to publication, while coping with my idiosyncrasies in working. I express my personal appreciation to Bloomsbury Professional for their commitment to this project, and to the series of these books.

Damien Welfare
Cornerstone Barristers
7 June 2019

Note on case citations

Citations in information law may be unfamiliar, and can be confusing, especially to non-lawyers. The main decision-making bodies, tribunals or courts dealing with information law are as follows, and they record their cases in the following formats (the cases being imaginary). Case names are shown in this work in italics.

Information Commissioner Decisions: Noshire County Council FS1234567 (if an FOIA decision); Nonsuch Regulatory Authority FER 0987654 (if an EIR decision)
First-tier Tribunal: Andrew Noone v ICO EA/2019/0001
Upper Tribunal: Rachel Noone v ICO [2019] UKUT 123 (AAC)
High Court/Divisional Court (earlier appeals in this area): Emerson Noone v ICO [2006] EWHC 1234 (Admin)
Court of Appeal: Polly Noone v ICO [2018] EWCA Civ 456
House of Lords: Harold Noone v ICO [2007] UKHL 67
Supreme Court (replaced House of Lords): Victoria Noone v ICO [2013] UKSC 78
European Court of Justice: Mary Noone v ICO Case C-123/01

Contents Table of Statutes Table of Statutory Instruments Table of European Legislation Table of Cases

xvii xxvii xxxi xxxvii

Part 1  Data Protection

1

Section A Data Protection – Main Provisions

1

1

Introduction and Key Points

3

2

GDPR and Data Protection Act 2018  The GDPR Data Protection Act 2018 The GDPR and the Act Structure and Main Provisions of the Act Recitals to the GDPR The DPPEC Regulations 2019

3

Definitions in the GDPR and Territorial Scope  20 Definitions20 Territorial Scope of the GDPR 42 Territorial Scope of the UK Provisions after Brexit 44

4

Data Protection Principles GDPR Data Protection Principles The New Accountability Principle

46 46 53

5

Lawful Bases of Processing Six Lawful Bases LIA Test – Preliminary Points Lawful Bases – Special Categories Exemptions/Lawful Bases in GDPR, Article 9 Substantial Public Interest Processing

56 56 74 83 84 89

6

Transparency and Privacy Notices 105 Transparency105 Privacy Notices 106

6 6 8 12 13 15 16

Section B Individual Rights

113

7

115 116 117

Right of Access Meaning of Access Request – In Summary Access Requests in Detail

xi

Contents

8

Other Individual Rights Right to Rectification – Articles 16 and 19 (and Recital 65) Right to Erasure – Articles 17 and 19 (and Recitals 65 and 66) Right to Restriction of Processing – Articles 18 and 19 (and Recital 67) Right to Data Portability – Article 20 (and Recital 68) Right to Object – Article 21(1) (and Recital 69) Automated Decision-Making, including Profiling – Article 22 (and Recital 71)

141 141 146 149 152 156 163

Section C Exemptions

167

9

169 169 173

Exemptions under the DPA 2018 Outline of Exemptions Exemptions in detail

Section D Types of Data Processing Activity

211

10 Sharing Personal Data ICO Data Sharing Code

213 214

11 International Transfers 230 ‘Adequate Level’ of Protection 231 USA Transfers – Safe Harbor and Privacy Shield 232 Appropriate Safeguards 234 Derogations237 Fallback: Non-Repetitive Transfer 239 Cross-Border Flows of Data after Brexit 240 12 Electronic Communications and Marketing Privacy and Electronic Communications Regulations

242 242

Section E Precautions, Advice and Enforcement 

247

13 Data Protection Impact Assessments Background and when to conduct a DPIA Conducting a DPIA Other issues, including exemptions

249 249 254 262

14 Data Protection Officer Designation of a DPO Position of the DPO Tasks of the DPO

265 265 268 270

15 Data Breaches Assessing Risk Notification to ICO (GDPR, Article 33) Notification to Data Subjects (GDPR, Article 34)

273 273 274 275

16 Enforcement and Appeals Information Notices Assessment Notices Enforcement Notices

278 278 279 281

xii

Contents

Powers of Entry Penalty Notices Complaints to ICO and Appeals to Tribunal Court Remedies

282 283 289 290

Section F Law Enforcement Processing 

295

17 Law Enforcement Processing (DPA 2018, Part 3) Competent Authorities Data Protection Principles Rights of Data Subjects International Transfers Article 10 Processing (by persons other than ‘competent authorities’)

297 297 298 300 302 304

Part 2  Environmental Information

307

Section A Introduction, Definition and Comparison with Freedom of Information

307

18 The Breadth and Importance of Environmental Information Background to the EIR Relationship of EIR with the FOIA

309 310 311

19 Definition of Environmental Information 314 Regulation 2(1)(a) – Elements of the Environment 315 Regulation 2(1)(b) – Factors Affecting the Elements 316 Regulation 2(1)(c) – Measures Affecting (or Protecting) the Elements or Factors 317 Regulation 2(1)(d) – Reports on the Implementation of Environmental legislation322 Regulation 2(1)(e) – Cost-benefit and Other Economic Analyses 322 Regulation 2(1)(f) – The State of Human Health and Safety etc 323 20 Similarities With, and Differences from, FOIA 2000 Summary of how EIR and FOIA compare

330 330

Section B Handling EIR Requests

335

21 Handling EIR Requests 337 Who is Subject to EIR 337 Mixed EIR/FOI Requests 339 DEFRA Code341 Aggregation of Public Interest Factors 343 Presumption in Favour of Disclosure – Article 12(2) 344 Costs and Charges 344

Section C Exemptions

349

22 EIR Exceptions 1: Regulation 12(4) Information not Held – Regulation 12(4)(a) Request Manifestly Unreasonable – Regulation 12(4)(b)

351 351 352

xiii

Contents

Request too General – Regulation 12(4)(c) Material In Course of Completion etc – Regulation 12(4)(d) Public Interest Test – Regulation 12(4)(d) Internal Communications – Regulation 12(4)(e)

357 358 359 366

23 EIR Exceptions 2: Regulation 12(5) and Personal Data 373 Harm Test 373 Harm to International Relations, Defence, National Security or Public Safety – Regulation 12(5)(a)  374 Course of Justice – Regulation 12(5)(b) 382 Intellectual Property Rights – Regulation 12(5)(c) 387 Confidentiality of Proceedings – Regulation 12(5)(d) 390 Confidentiality of Commercial or Industrial Information – Regulation 12(5)(e)393 Interests of Voluntary Provider of Information – Regulation 12(5)(f) 400 Harm to the Environment – Regulation 12(5)(g) 403 Personal Data and EIR Requests – Regulation 13 405

Part 3  Freedom of Information

407

24 Duties and Process 409 FOI Duties409 Datasets413 Section 45 Code 413 Application of Act: Public Authorities 414 Charging for Requests: (I) Publication Scheme 420 Charging for Requests: (II) Information Requests 421 No Duty to Comply: (I) Cost Limit for FOI Requests 423 No Duty to Comply: (II) Vexatious or Repeated Requests 425 Handling Exemptions and the Public Interest Test 429 Internal Review and Appeals 433 25 Freedom of Information Exemptions 1 Grouping of FOI Exemptions FOI Exemptions (sections 21–29)

437 437 438

26 Freedom of Information Exemptions 2 474
FOI Exemptions (sections 30–44) 474

27 Personal Data in Information Requests 533
Introduction 533
Outline of FOIA 2000, s 40 535
Requester’s Own Data, and Joint ‘Third Party’ Data 536
Third Party Data which are not the Data of the Requester 537
First condition 538
Second condition 555
Third condition 557
EIR and Personal Data 559
FOI/EIR Requests to ‘Competent Authorities’ 560

Appendices 561
Appendix 1 – GDPR – (informal) List of Provisions 561
Appendix 2 – Correlation Table between GDPR Recitals and Articles 567
Appendix 3 – Data Protection Resources 575
Appendix 4 – Environmental Information Regulations (‘EIR’) Resources 579
Appendix 5 – Freedom of Information Act (‘FOIA’) Resources 583
Appendix 6 – Re-use of Public Sector Information 585
Index 589

Table of Statutes

Access to Health Records Act 1990
  s 3(1)(f) ... 25.16
Audit Commission Act 1998
  s 15 ... 25.16
Children Act 1989
  ss 24D, 26 ... 9.40
Children’s Hearings (Scotland) Act 2011 ... 9.160
Communications Act 2003
  s 151 ... 12.14
Constitutional Reform and Governance Act 2010
  s 46(2), (3) ... 25.72
Consumer Credit Act 1974
  s 159 ... 7.15
Contempt of Court Act 1981 ... 26.236
Copyright, Designs and Patents Act 1988 ... 23.67
Crime and Disorder Act 1998
  s 115 ... 10.14
Criminal Justice Act 1982
  s 37(2) ... 24.105
Data Protection Act 1998 ... 1.6; 2.2, 2.4, 2.5, 2.18; 3.4, 3.5, 3.10, 3.20, 3.36, 3.39, 3.46, 3.55; 4.1, 4.4, 4.7, 4.18; 5.54, 5.82, 5.88, 5.99, 5.106; 6.4, 6.6; 7.1, 7.7, 7.13, 7.34, 7.36, 7.46, 7.53, 7.73; 8.54; 9.1, 9.24, 9.36, 9.38, 9.55, 9.66, 9.85; 10.3, 10.9; 11.2, 11.6; 16.9, 16.42, 16.49; 17.1, 17.27, 17.28; 27.1, 27.13, 27.22, 27.25, 27.35
  s 1(1) ... 3.16
  s 2 ... 3.12
  s 7(2)(a) ... 7.13
  s 7(4) ... 7.10, 7.11, 7.53; 9.60
  s 7(5) ... 7.53; 9.60
  s 7(6) ... 7.10, 7.53; 9.60
  s 8(2)(a) ... 7.34
  s 8(3) ... 7.34
  s 8(7) ... 7.53; 9.60
  s 9A ... 7.49
  s 12 ... 2.2
  s 27(2) ... 9.33
  s 30 ... 9.65, 9.115

  s 31 ... 9.40, 9.47
  s 31(5A) ... 9.47
  s 32 ... 9.100
  s 33 ... 9.105
  s 34 ... 9.29
  s 35 ... 9.29
  s 52E ... 10.8
  s 55A ... 12.20
  Sch 1 Pt I ... 3.13
  Sch 1 Pt II ... 3.13
  Sch 2 ... 4.4; 5.1, 5.83
  Sch 2 para 3 ... 5.13
  Sch 2 para 5 ... 5.29
  Sch 2 para 5(a)–(c) ... 5.27
  Sch 2 para 5(d) ... 5.27, 5.29
  Sch 2 para 6 ... 5.33, 5.47, 5.54; 27.35
  Sch 3 ... 4.4
  Sch 3 para 4(c) ... 5.99
  Sch 4 ... 11.26
  Sch 7 para 1 ... 9.85
  Sch 7 para 5 ... 9.78
  Sch 7 para 6 ... 9.75
  Sch 7 para 7 ... 9.82
  Sch 7 paras 8, 9 ... 9.91
  Sch 7 para 11 ... 9.72
Data Protection Act 2018 ... 1.6; 2.1, 2.3, 2.4, 2.5, 2.6, 2.7, 2.9, 2.10, 2.11, 2.12, 2.13, 2.15, 2.16, 2.17, 2.19, 2.20, 2.33; 3.4, 3.6, 3.14, 3.15, 3.17, 3.20, 3.36, 3.37, 3.39, 3.49, 3.58; 4.1, 4.4, 4.7, 4.8, 4.14; 5.29, 5.89, 5.106, 5.112, 5.113, 5.114, 5.116; 6.19; 7.2, 7.53, 7.71; 8.6, 8.15, 8.33, 8.48, 8.67, 8.71; 9.1, 9.47, 9.65; 10.1, 10.47; 12.1, 12.2, 12.20; 16.7; 17.27; 24.2, 24.7; 27.1, 27.4, 27.9, 27.15, 27.24, 27.79, 27.83
  Pt 1 (ss 1–3) ... 2.7, 2.8, 2.20
  s 1 ... 2.8
  s 1(3) ... 2.23
  s 2 ... 2.8
  s 3 ... 2.8, 2.26
  s 3(2) ... 3.1; 18.12
  s 3(3) ... 3.1
  s 3(3)(a), (b) ... 3.5
  s 3(4) ... 3.15
  s 3(5) ... 3.1
  s 3(7) ... 3.36, 3.37
  s 3(9) ... 16.49
  s 3(11) ... 2.23, 2.33
  Pt 2 (ss 4–28) ... 2.7, 2.8, 2.20; 3.67
  s 4 ... 2.8, 2.21
  s 4(3)(b) ... 2.23
  s 5 ... 2.8
  s 5(7) ... 3.15
  Pt 2 Ch 2 (ss 6–20) ... 2.21, 2.24, 2.25; 3.15
  s 6 ... 2.8
  s 7 ... 2.8
  s 7(1) ... 14.2
  s 7(1)(b)(ii), (iii) ... 7.63
  s 7(1)(c)(ii) ... 7.63
  s 8 ... 2.8, 2.21; 5.27, 5.30, 5.40, 5.80; 8.54
  s 8(c) ... 5.32
  s 8(d) ... 5.40
  s 9 ... 2.8; 3.6
  s 9(a) ... 3.51
  s 9(b) ... 3.52
  s 10 ... 2.8, 2.21, 2.33; 3.10, 3.13; 5.42
  s 10(1) ... 5.109
  s 10(1)(a) ... 5.94
  s 10(1)(d) ... 5.112
  s 10(1)(e) ... 5.113
  s 10(3) ... 5.106; 8.79
  s 10(4) ... 2.14; 17.27
  s 10(5) ... 2.14, 17.27; 27.67, 27.68
  s 11 ... 2.8, 2.33; 3.10
  s 11(1) ... 5.109
  s 11(2) ... 2.14; 17.26, 17.27; 27.67, 27.68
  s 12 ... 2.8
  s 13 ... 2.8; 7.15
  s 14 ... 2.2, 2.8; 8.76
  s 14(1)–(8) ... 8.76
  s 15 ... 2.8, 2.21; 9.2
  s 15(2)–(5) ... 9.2
  s 16 ... 2.8; 9.5, 9.6, 9.8
  s 16(1)(a) ... 2.25
  s 16(1)(c) ... 16.40
  s 17 ... 2.8
  s 17A ... 2.21; 6.9, 11.4, 11.6, 11.9

  s 17B ... 2.21; 11.8
  s 17C ... 2.21; 11.25
  s 17C(1) ... 11.15
  s 18 ... 2.8
  s 18(1) ... 11.28
  s 18(2) ... 11.29
  s 19 ... 2.8, 2.21, 2.33; 4.2; 5.113; 9.4, 9.103, 9.111; 10.27
  s 19(1) ... 5.113
  s 19(2) ... 4.8; 5.113; 8.66, 8.67, 8.68; 9.103, 9.107
  s 19(3) ... 4.8; 5.113; 8.66; 9.103, 9.107
  s 19(4) ... 4.8; 5.113; 9.103
  s 19(5) ... 4.8; 5.113
  s 19(6) ... 4.8
  s 20 ... 2.8
  Pt 2 Ch 3 (ss 21–28) ... 2.22, 2.23, 2.24, 2.25, 2.26; 3.15
  s 21 ... 2.8, 2.26; 3.15
  s 21(2) ... 3.36, 3.37; 7.46
  s 22 ... 2.8, 2.26; 3.67
  s 22(1) ... 2.23
  s 22(2), (3) ... 2.24
  s 22(4) ... 2.25
  s 23 ... 2.8; 2.26
  s 24 ... 2.8; 2.26
  s 24(3) ... 7.47
  s 24(4) ... 7.27
  s 24(4)(a) ... 7.47
  s 24(5), (6) ... 7.47
  s 25 ... 2.8, 2.26
  s 26 ... 2.8, 2.26, 2.27, 2.33; 7.76; 9.7, 9.162; 27.76
  s 26(2) ... 9.162
  s 27 ... 2.8, 2.27
  s 27(1), (3) ... 9.163
  s 28 ... 2.8, 2.27
  Pt 3 (ss 29–81) ... 2.5, 2.7, 2.22; 3.15, 3.32, 3.67; 16.16, 16.20, 16.46, 16.50; 17.1, 17.2, 17.3; 27.84, 27.85
  s 29 ... 9.16
  s 29(2) ... 3.15
  s 30 ... 17.3
  s 30(7) ... 17.3
  s 31 ... 17.4
  s 31(2), (3) ... 9.33
  s 31(4) ... 3.32; 9.33
  s 32 ... 3.16
  s 33(7) ... 17.21
  Pt 3 Ch 2 (ss 34–42) ... 17.5
  s 34(1) ... 27.84
  s 35 ... 4.1


  s 35(2) ... 17.5
  s 35(4), (5) ... 17.5
  s 35(8) ... 17.6
  s 36 ... 4.1
  s 36(1)–(3) ... 17.5
  ss 37–40 ... 4.1; 17.5
  s 42 ... 17.7
  s 44 ... 17.9
  s 44(4) ... 17.9
  s 45 ... 17.10
  s 45(1)(b) ... 27.11
  s 45(3) ... 17.11
  s 45(4) ... 17.11; 27.76, 27.84
  s 45(4)(e) ... 27.85
  s 46 ... 17.10
  s 47 ... 17.10
  s 47(2) ... 17.10
  s 49 ... 17.12
  s 50(2), (3) ... 17.12
  s 53(2) ... 17.13
  s 54(2) ... 17.11
  Pt 3 Ch 4 (ss 55–71) ... 17.14
  s 55(3) ... 17.14
  s 56(1) ... 17.14
  s 57 ... 17.15
  s 58 ... 16.20, 16.50
  s 59 ... 17.14
  s 59(5)–(7) ... 17.15
  s 61(2), (4) ... 17.16
  s 62(1)–(4) ... 17.16
  s 64(1), (4) ... 17.17
  s 65(1), (2) ... 17.17
  s 66 ... 17.19
  s 67(2), (8) ... 17.19
  s 68(1) ... 17.20
  s 68(3)(c) ... 17.20
  s 68(5), (7) ... 17.20
  ss 69–71 ... 17.18
  Pt 3 Ch 5 (ss 72–78) ... 17.21
  s 72(2) ... 17.21
  s 73(1)(b) ... 17.21
  s 73(2), (3) ... 17.21
  s 73(4) ... 17.21
  s 73(4)(b) ... 17.21
  s 73(5), (6) ... 17.21
  s 74 ... 17.21
  s 74A ... 17.21, 17.24
  s 75 ... 17.24
  s 76 ... 17.21
  s 77 ... 17.21
  s 77(1)–(3) ... 17.22
  s 77(6), (7) ... 17.22
  s 77(8) ... 17.23
  s 78 ... 17.24
  s 78(5) ... 17.24
  s 79 ... 17.25

  s 79(5)–(9) ... 17.25
  ss 80, 81 ... 17.25
  Pt 4 (ss 82–113) ... 2.7, 2.15; 3.15, 3.67; 9.144; 16.16, 16.20, 16.46
  s 82(3) ... 3.15
  s 83 ... 3.16
  s 84(2) ... 3.39
  ss 86–91 ... 4.1
  s 104 ... 16.50
  Pt 5 (ss 114–141) ... 2.16, 2.28
  s 118(5) ... 2.33
  s 119A ... 11.15, 11.25
  s 121 ... 10.8
  s 121(5) ... 10.1
  s 122 ... 12.2
  s 122(1) ... 12.2
  s 122(5) ... 12.1
  s 123 ... 12.2
  s 139(3) ... 21.7; 24.25
  Pt 6 (ss 142–181) ... 2.16, 2.29; 15.14; 16.1, 16.25, 16.36
  s 142(1) ... 16.2
  s 142(2)–(7) ... 16.3
  s 143 ... 16.6
  s 143(b) ... 16.7
  s 144 ... 16.8
  s 145 ... 16.9
  s 146(1), (2), (5) ... 16.10
  s 146(7), (8) ... 16.11
  s 146(9) ... 16.12
  s 148 ... 16.15
  s 148(2) ... 16.14
  s 149 ... 16.25, 16.29
  s 149(1) ... 16.16
  s 149(2) ... 16.2, 16.16, 16.18, 16.20, 16.36
  s 149(3)–(5) ... 16.16
  s 149(6)–(8) ... 16.18
  s 150 ... 16.18
  s 151(5)–(7) ... 16.19
  s 152 ... 16.20
  s 153 ... 16.47
  s 154 ... 16.22
  s 155 ... 16.25
  s 155(1) ... 16.35
  s 155(3) ... 16.26, 16.29
  s 155(4) ... 16.29, 16.37
  s 155(5) ... 16.30, 16.37
  s 155(6)(a), (b) ... 16.35
  s 155(7) ... 16.35
  s 156(1) ... 16.36
  s 156(2)(a), (b) ... 16.36
  s 156(3) ... 16.37
  s 157(1) ... 16.40
  s 157(2) ... 16.40; 17.24


  s 157(5) ... 16.41
  s 158(1) ... 16.43
  s 159 ... 16.44
  ss 160, 161 ... 16.45
  s 162 ... 16.32
  s 162(1) ... 16.47
  s 163(2) ... 16.48
  s 164 ... 16.51
  s 165(1), (2) ... 16.46
  s 166 ... 16.46
  s 167(2), (3) ... 16.49
  s 168(1) ... 16.50
  s 169(1) ... 16.50
  s 169(3) ... 16.50
  s 170(1) ... 16.52
  s 170(2) ... 16.53
  s 170(3) ... 16.54
  s 170(4), (5) ... 16.55
  s 171 ... 16.56
  s 171(1), (5) ... 16.55
  s 172 ... 16.56
  s 173(3) ... 16.57
  s 174 ... 16.6, 16.20, 16.36, 16.48
  s 178 ... 2.29
  Pt 7 (ss 182–215) ... 16.59
  s 184 ... 8.6; 16.55
  s 184(1), (2) ... 16.55
  ss 187, 188 ... 16.59
  s 189 ... 16.59
  s 189(1)–(4) ... 16.59
  s 190 ... 16.59
  ss 196–198 ... 16.58
  s 204(1) ... 9.65
  s 205 ... 4.13; 5.114; 9.96
  s 205(1) ... 3.54, 3.55
  s 207 ... 3.62, 3.67
  s 207(3), (6) ... 3.67
  s 207(7) ... 3.68
  s 209(4), (6) ... 3.17
  s 210(5) ... 3.17
  Sch 1 ... 2.8, 2.21; 3.13; 5.2, 5.42, 5.82, 5.88, 5.92; 8.79; 17.27; 27.26, 27.64, 27.66
  Sch 1 Pt 1 (paras 1–4) ... 3.13; 4.1; 10.22, 10.27; 17.27, 17.28; 27.67
  Sch 1 para 1 ... 5.32, 5.94, 5.116; 10.27
  Sch 1 para 2 ... 5.32
  Sch 1 para 2(1) ... 5.108
  Sch 1 para 2(2) ... 5.107
  Sch 1 para 3 ... 5.32, 5.112
  Sch 1 para 4 ... 5.32, 5.113
  Sch 1 para 5 ... 5.32, 5.106

  Sch 1 para 6 ... 5.32, 5.42, 5.106, 5.117; 10.27
  Sch 1 para 7 ... 5.106, 5.121
  Sch 1 para 8 ... 5.106; 10.27
  Sch 1 para 8(1) ... 5.122
  Sch 1 para 8(2) ... 5.122, 5.123
  Sch 1 para 8(3)–(5) ... 5.122
  Sch 1 Pt 2 (paras 5–28) ... 3.13; 5.106, 5.115, 5.116; 8.79; 10.22, 10.27; 17.27, 17.28; 27.67
  Sch 1 para 9 ... 3.20; 5.106, 5.127; 27.66
  Sch 1 para 9(5), (6) ... 5.128
  Sch 1 para 10 ... 3.20; 5.106, 5.132; 10.27
  Sch 1 para 11 ... 3.20; 5.106, 5.133; 10.27
  Sch 1 para 12 ... 3.20; 5.106, 5.135
  Sch 1 para 13 ... 5.106, 5.137
  Sch 1 para 14 ... 5.106, 5.138
  Sch 1 para 15 ... 5.106, 5.139; 10.27
  Sch 1 para 16 ... 5.106, 5.140; 27.66
  Sch 1 para 17 ... 5.106, 5.142
  Sch 1 para 17(2) ... 5.144
  Sch 1 para 18 ... 5.106, 5.145; 10.27
  Sch 1 para 19 ... 5.106, 5.147
  Sch 1 para 20 ... 5.106, 5.150, 5.151; 10.27; 17.28
  Sch 1 para 20(1)(b) ... 17.28
  Sch 1 para 21 ... 5.106, 5.155
  Sch 1 para 21(3) ... 5.155
  Sch 1 para 22 ... 5.106, 5.157
  Sch 1 para 23 ... 5.106, 5.162, 5.166
  Sch 1 para 23(3) ... 5.163
  Sch 1 para 24 ... 5.106, 5.165; 10.27
  Sch 1 para 25 ... 5.106, 5.169
  Sch 1 para 26 ... 5.106, 5.171
  Sch 1 para 27 ... 5.106, 5.173
  Sch 1 para 27(1) ... 9.107
  Sch 1 para 27(3)(b) ... 9.104
  Sch 1 para 28 ... 5.106, 5.176
  Sch 1 Pt 3 (paras 29–38) ... 3.13; 17.27; 27.67
  Sch 1 para 29 ... 17.28; 27.67
  Sch 1 paras 30–37 ... 17.28
  Sch 1 Pt 4 (paras 39–41) ... 5.89; 8.79; 10.28; 17.27
  Sch 2 ... 2.8, 2.21; 5.83; 8.84; 9.2, 9.3, 9.4; 27.7, 27.76
  Sch 2 Pt 1 (paras 1–5) ... 9.3, 9.4, 9.11
  Sch 2 para 2 ... 6.19; 7.76; 8.16, 8.25, 8.33, 8.48, 8.71; 9.4, 9.12; 27.76
  Sch 2 para 2(1) ... 9.12, 9.14, 9.17
  Sch 2 para 2(2) ... 9.19


  Sch 2 para 2(3) ... 9.19
  Sch 2 para 3 ... 6.19; 7.76; 9.15, 9.20
  Sch 2 para 4 ... 6.19; 7.76; 8.25, 8.33, 8.71; 9.4, 9.23
  Sch 2 para 4(1) ... 9.23, 9.27
  Sch 2 para 4(4) ... 9.26, 9.27
  Sch 2 para 5 ... 6.19; 7.76; 8.16, 8.25, 8.33, 8.48, 8.71; 9.4, 9.28
  Sch 2 para 5(1) ... 9.28
  Sch 2 para 5(3)(a) ... 9.29
  Sch 2 Pt 2 (paras 6–15) ... 9.4, 9.31
  Sch 2 para 6 ... 7.76; 9.31
  Sch 2 para 7 ... 6.19; 7.76; 8.16, 8.25, 8.33, 8.48, 8.71; 9.4, 9.32
  Sch 2 para 8 ... 7.76; 8.16, 8.33, 8.48, 8.71; 9.4, 9.35
  Sch 2 para 9 ... 6.19; 7.76; 8.16, 8.25, 9.33, 8.48, 8.71; 9.4, 9.38
  Sch 2 para 10 ... 6.19; 7.76; 8.16, 8.25, 8.33, 8.48, 8.71; 9.4, 9.40
  Sch 2 para 11 ... 6.19; 7.76; 8.16, 8.25, 8.33, 8.48, 8.71; 9.4, 9.43
  Sch 2 para 12 ... 9.47
  Sch 2 para 13 ... 6.19; 7.76; 8.16, 8.25, 8.33, 8.48, 8.71; 9.4, 9.49
  Sch 2 para 14 ... 6.19; 7.76; 8.16, 8.25, 8.33, 8.48, 8.71; 9.4, 9.52
  Sch 2 para 14(2) ... 9.56
  Sch 2 para 15 ... 6.19; 7.76; 8.16, 8.25, 8.33, 8.48, 8.71; 9.4, 9.57
  Sch 2 para 15(1) ... 9.57
  Sch 2 Pt 3 (paras 16, 17) ... 9.4
  Sch 2 para 16 ... 7.10, 7.53, 7.76; 9.60; 27.17, 27.19, 27.79, 27.85
  Sch 2 para 16(1), (2) ... 7.11
  Sch 2 para 16(3) ... 7.56; 27.7
  Sch 2 para 16(3)(a), (b) ... 7.58
  Sch 2 para 16(4)(a), (b) ... 9.61
  Sch 2 para 17 ... 7.53, 7.76; 9.64
  Sch 2 para 17(1)–(4) ... 9.65
  Sch 2 para 17(5) ... 9.65
  Sch 2 Pt 4 (paras 18–25) ... 9.4, 9.67
  Sch 2 para 18 ... 27.7
  Sch 2 para 19 ... 6.19; 7.76; 9.68; 27.76

  Sch 2 para 20 ... 6.19; 7.76; 9.71
  Sch 2 para 20(2) ... 9.71
  Sch 2 para 21 ... 6.19; 7.76; 9.74
  Sch 2 para 21(4) ... 9.74
  Sch 2 para 22 ... 6.19; 7.76; 9.77
  Sch 2 para 23 ... 6.19; 7.76; 9.80; 27.76
  Sch 2 para 24 ... 6.19; 7.76; 9.84; 27.76
  Sch 2 para 25 ... 6.19; 9.87
  Sch 2 para 25(1), (4) ... 9.87
  Sch 2 Pt 5 (para 26) ... 9.4, 9.92
  Sch 2 para 26 ... 6.19; 7.76; 8.16, 8.25, 8.33, 8.48, 8.71; 9.4, 9.93
  Sch 2 para 26(3) ... 9.97
  Sch 2 para 26(5)–(7) ... 9.97
  Sch 2 Pt 6 (paras 27, 28) ... 9.4, 9.8
  Sch 2 para 27 ... 7.76; 8.16, 8.33, 8.71; 9.4, 9.102
  Sch 2 para 27(1) ... 8.67; 9.102
  Sch 2 para 27(2)(d) ... 8.67
  Sch 2 para 27(3)(b) ... 9.104
  Sch 2 para 28 ... 7.76; 8.16, 8.33, 8.48, 8.71; 9.4, 9.109
  Sch 2 para 28(4) ... 9.111
  Sch 3 ... 2.8, 2.21; 8.84; 9.2, 9.5, 9.6, 9.114; 27.7, 27.76
  Sch 3 Pt 1 (para 1) ... 9.5, 9.114, 9.115
  Sch 3 Pt 2 (paras 2–6) ... 9.5, 9.115; 27.76
  Sch 3 para 2(1)(c) ... 9.122
  Sch 3 para 2(2) ... 9.121
  Sch 3 para 3 ... 6.19; 7.76; 8.16, 8.25, 8.33, 8.48, 8.71; 9.5, 9.116
  Sch 3 para 3(2) ... 9.116
  Sch 3 para 4 ... 7.76; 8.16, 8.25, 8.33, 8.48, 8.71; 9.5, 9.118
  Sch 3 para 4(2) ... 8.16, 8.25, 8.33, 8.48, 8.71
  Sch 3 para 4(2)(a), (b) ... 9.119, 9.120
  Sch 3 para 4(2)(c) ... 9.119
  Sch 3 para 5 ... 7.76; 9.5, 9.121; 27.76
  Sch 3 para 5(3) ... 9.123
  Sch 3 para 6 ... 9.121, 9.124
  Sch 3 para 6(1), (2) ... 9.124
  Sch 3 Pt 3 (paras 7–12) ... 9.5, 9.115, 9.126, 9.127, 9.128; 27.76
  Sch 3 para 7 ... 9.127
  Sch 3 para 7(1) ... 9.127
  Sch 3 para 7(2) ... 9.128, 9.135
  Sch 3 para 8 ... 9.65, 9.127, 9.130


  Sch 3 para 9 ... 7.76; 8.16, 8.25, 8.33, 8.48, 8.71; 9.5, 9.130
  Sch 3 para 9(1) ... 9.130
  Sch 3 para 9(2) ... 9.130
  Sch 3 para 10 ... 7.76; 8.16, 8.25, 8.33, 8.48, 8.71; 9.5, 9.132
  Sch 3 para 10(2), (3) ... 9.133
  Sch 3 para 11 ... 7.76; 9.5, 9.135; 27.76
  Sch 3 para 12 ... 9.137
  Sch 3 Pt 4 (paras 13–20) ... 9.5, 9.115, 9.139; 27.76
  Sch 3 para 14 ... 9.139
  Sch 3 para 14(4)(a), (b) ... 9.65
  Sch 3 para 15 ... 9.139
  Sch 3 para 16 ... 9.139
  Sch 3 para 16(4)(a)–(c) ... 9.65
  Sch 3 para 17(1) ... 9.127, 9.139, 9.144
  Sch 3 para 17(2) ... 9.142
  Sch 3 para 18 ... 6.19; 7.76; 8.16, 8.25, 8.33, 8.48, 8.71; 9.5, 9.140
  Sch 3 para 19 ... 7.76; 9.5, 9.142
  Sch 3 para 20 ... 9.5, 9.142, 9.144
  Sch 3 Pt 5 (para 21) ... 9.5, 9.145
  Sch 3 para 21 ... 9.5, 9.145; 27.76
  Sch 3 para 21(2) ... 9.147
  Sch 3 para 21(3), (4) ... 9.145
  Sch 3 para 21(5) ... 9.148
  Sch 4 ... 2.8, 2.21; 8.84; 9.2, 9.6, 9.150; 27.7, 27.25, 27.76
  Sch 4 para 2 ... 9.6, 9.152
  Sch 4 para 3 ... 9.6, 9.153
  Sch 4 para 3(2)–(4) ... 9.154
  Sch 4 para 4 ... 9.6, 9.156
  Sch 4 para 5 ... 9.6, 9.158
  Sch 4 para 5(2)–(4) ... 9.158
  Sch 4 para 6 ... 9.160
  Sch 4 para 6(a), (b) ... 9.160
  Sch 5 ... 2.8
  Sch 6 ... 2.8, 2.22, 2.25
  Sch 6 paras 7, 8 ... 3.67
  Sch 6 para 10 ... 2.25
  Sch 7 ... 2.13, 2.22; 17.3; 27.84
  Sch 8 ... 2.13; 17.5, 17.7, 17.8
  Sch 12 ... 2.28
  Sch 13 ... 2.28
  Sch 14 ... 2.28
  Sch 14 Pt 2 (paras 6–10) ... 2.33
  Sch 15 ... 2.29; 16.22
  Sch 15 para 1(1)(b) ... 16.22

  Sch 15 para 2(1) ... 16.22
  Sch 15 para 4(2)–(4) ... 16.23
  Sch 15 para 7 ... 16.24
  Sch 15 para 15(1) ... 16.24
  Sch 16 ... 2.29; 16.30
  Sch 16 para 3(1) ... 16.30
  Sch 16 para 4(1), (2) ... 16.31
  Sch 16 para 5 ... 16.32
  Sch 16 para 7(3) ... 16.33
  Sch 16 para 9(1)(b)–(d) ... 16.34
  Sch 16 para 9(2)–(4) ... 16.34
  Sch 17 ... 2.29
  Sch 18 ... 2.30
  Sch 18 paras 1–4 ... 16.55
  Sch 19 para 58(7) ... 27.34
  Sch 19 para 58(8) ... 5.83
  Sch 19 para 307(7) ... 27.34, 27.83
  Sch 20 ... 2.30
  Sch 20 para 13 ... 7.47
  Sch 20 para 58(1) ... 12.20
  Sch 21 ... 2.33; 11.4, 11.9
  Sch 21 Pt 3 (paras 4–12) ... 11.9, 11.36
  Sch 21 para 4 ... 2.33
  Sch 21 para 5(1)(c), (e) ... 11.36
  Sch 21 para 5(2)(a)–(l) ... 11.36
  Sch 21 para 6 ... 2.33
  Sch 21 paras 7, 8 ... 2.33; 11.36
  Sch 21 para 9 ... 11.36
  Sch 21 paras 10, 11 ... 2.33; 11.36; 17.21
  Sch 21 para 12 ... 2.33; 11.36
  Sch 21 para 16 ... 7.76; 16.41
Digital Economy Act 2017 ... 16.44
  s 35 ... 10.15
Enterprise Act 2002
  s 213(5A) ... 9.47
European Communities Act 1972
  s 2(2) ... 2.10
European Union (Withdrawal) Act 2018 ... 2.3, 2.6, 2.7, 2.33; 3.69; 11.36; 18.9
  s 2(1) ... 18.9
  s 5(4) ... 18.9
  s 6(3)(a) ... 18.9
  s 6(4) ... 18.9
  s 6(7) ... 18.9
  s 20(4) ... 2.3
  Sch 1 para 2 ... 18.9
Fatal Accidents and Sudden Deaths Inquiry (Scotland) Act 1976 ... 26.29, 26.45
Financial Services and Markets Act 2000 ... 5.152
  s 22 ... 5.152


Freedom of Information Act 2000 ... 7.47; 9.45; 13.50; 14.2; 18.1, 18.2, 18.4, 18.5, 18.6, 18.9, 18.13, 18.14; 19.19, 19.45, 19.53; 20.1; 21.1, 21.2, 21.9, 21.14, 21.17, 21.26, 21.35, 21.42, 21.44, 21.46; 22.2, 22.10, 22.14, 22.18; 23.2, 23.11, 23.12, 23.29; 24.1, 24.4, 24.5, 24.7, 24.14, 24.15, 24.18, 24.21, 24.26, 24.27, 24.29, 24.50, 24.65, 24.67, 24.69, 24.81, 24.83, 24.91; 25.1, 25.18, 25.29, 25.43, 25.45, 25.91, 25.129, 25.159; 26.46, 26.78, 26.81, 26.94, 26.188, 26.192, 26.201, 26.224; 27.2, 27.3, 27.6, 27.10, 27.11, 27.13, 27.14, 27.15, 27.29, 27.36, 27.84
  Pt I (ss 1–20) ... 24.99
  s 1 ... 25.6
  s 1(1) ... 22.2
  s 1(1)(a) ... 24.1; 25.10
  s 1(1)(b) ... 24.1, 24.104
  s 1(3) ... 20.4; 24.39
  s 2(1)(b) ... 24.83
  s 2(2)(b) ... 24.83
  s 2(3) ... 24.82
  s 2(3)(fa) ... 27.11
  s 3 ... 24.23, 24.25
  s 3(2) ... 20.4; 22.2; 24.28
  s 3(2)(a) ... 21.14
  s 5 ... 21.2; 24.23, 24.25
  s 6 ... 24.23, 24.26; 26.215
  s 8(2) ... 24.33
  s 9 ... 24.50
  s 9(2) ... 24.40
  s 9(5) ... 24.50
  s 10(1) ... 24.37
  s 10(2) ... 24.40
  s 10(3) ... 24.37
  s 10(4) ... 24.38
  s 11 ... 24.46
  s 11(1) ... 24.45, 24.52
  s 11(2)–(4) ... 24.45
  s 11A ... 24.18
  s 11A(2) ... 24.55
  s 12 ... 20.4; 21.27; 22.9, 22.17, 22.21; 24.51
  s 12(1) ... 24.57
  s 12(2) ... 24.57

  s 12(4) ... 24.57
  s 13 ... 24.63
  s 14 ... 20.4; 24.62, 24.65, 24.66, 24.67, 24.69, 24.73, 24.74, 24.95
  s 14(1) ... 22.8, 22.9, 22.10, 22.11, 22.21; 24.65, 24.68
  s 14(2) ... 24.77, 24.79, 24.80
  s 16(2) ... 24.42
  s 17(1) ... 24.93; 26.154
  s 17(2) ... 24.37, 24.93
  s 17(3) ... 24.93, 24.94
  s 17(6) ... 24.80
  s 19 ... 24.1, 24.8
  s 19(2) ... 24.8
  s 19(2)(c) ... 24.47
  s 19(3) ... 24.9
  s 19(6), (7) ... 24.11
  s 20 ... 24.13
  s 20(6), (7) ... 24.13
  s 21 ... 20.2, 20.4; 24.47; 25.1, 25.2, 25.3, 25.10, 25.15, 25.16, 25.17, 25.29, 25.136; 26.65, 26.83
  s 21(1) ... 25.6
  s 21(2) ... 25.7
  s 21(2)(a) ... 25.18
  s 21(2)(b) ... 25.8, 25.20
  s 21(3) ... 25.8
  s 22 ... 20.2, 20.4; 25.1, 25.21, 25.23, 25.24, 25.33, 25.36, 25.42, 25.43, 25.47, 25.50, 25.51, 25.52, 25.158; 26.148, 26.169, 26.176
  s 22(1) ... 25.36
  s 22(1)(c) ... 25.29
  s 22(2) ... 25.36
  s 22A ... 20.4; 25.1, 25.23, 24.38, 25.39, 25.42, 25.43, 25.47, 25.51
  s 22A(1) ... 25.39, 25.40, 25.48
  s 23 ... 20.4; 23.32; 25.1, 25.53, 25.54, 25.60, 25.64, 25.66, 25.67, 25.68, 25.70, 25.85, 25.86, 25.94, 25.98, 25.101, 25.119, 25.132; 26.24, 26.194
  s 23(1) ... 25.54, 25.55, 25.56, 25.68, 25.70, 25.72, 25.75, 25.76, 25.94, 25.95
  s 23(2) ... 25.56


  s 23(3) ... 25.55, 25.57
  s 23(5) ... 25.56, 25.58, 25.69, 25.71, 25.87, 25.95
  s 24 ... 20.4; 21.48; 25.1, 25.53, 25.68, 25.74, 25.75, 25.89, 25.94, 25.108, 25.119, 25.132; 26.24, 26.194
  s 24(1) ... 25.68, 25.82, 25.93, 25.94, 25.95, 25.96
  s 24(2) ... 25.69, 25.84, 25.86, 25.87, 25.88, 25.93, 25.95
  s 25 ... 20.4; 25.1, 25.53
  s 25(3) ... 25.56, 25.88
  s 26 ... 20.4; 23.22; 25.1, 25.53, 25.74, 25.98, 25.99, 25.100, 25.102, 25.103, 25.104, 25.132; 26.194
  s 26(3) ... 25.105
  s 27 ... 20.4; 25.1, 25.74, 25.98, 25.119, 25.120, 25.129, 25.135, 25.136; 26.108, 26.148, 26.194
  s 27(1) ... 25.121, 25.124, 25.127
  s 27(2) ... 25.122, 25.124
  s 28 ... 20.4; 25.1; 26.90, 26.148, 26.194
  s 28(1) ... 25.137
  s 29 ... 20.4; 25.1, 25.137, 25.145, 25.155, 25.156, 25.157; 26.108, 26.148, 26.231
  s 29(1) ... 25.137, 25.138, 25.140
  s 29(1)(a) ... 25.140
  s 29(1)(b) ... 25.142, 25.144
  s 29(2) ... 25.138
  s 30 ... 20.4; 25.1, 25.38; 26.1, 26.19, 26.22, 26.25, 26.26, 26.29, 26.49, 26.55, 26.56, 26.76, 26.194, 26.211
  s 30(1) ... 26.2, 26.3, 26.15, 26.17, 26.18, 26.22, 26.25, 26.33
  s 30(1)(a) ... 26.2, 26.4, 26.5, 26.11, 26.14
  s 30(1)(b) ... 26.2, 26.5, 26.6, 26.11
  s 30(1)(c) ... 26.2, 26.5, 26.11
  s 30(2) ... 26.10, 26.14, 26.15, 26.17, 26.18
  s 30(2)(a) ... 26.14
  s 30(2)(b) ... 26.10

Freedom of Information Act 2000 – contd
  s 30(4)  26.7
    (5)  26.6
  31  20.4; 25.1, 25.38; 26.17, 26.22, 26.24, 26.25, 26.26, 26.29, 26.48, 26.49, 26.55, 26.56, 26.76, 26.194, 26.211
    (1)  26.29, 26.33, 26.48
      (a)  26.32, 26.33, 26.35, 26.39
      (b)  26.32, 26.36, 26.38, 26.39
      (c)  26.32, 26.37, 26.38, 26.39
      (d)  26.32, 26.41
      (e)  26.32, 26.42
      (f)  26.32, 26.43
      (g)  26.30, 26.32, 26.45, 26.46, 26.47
      (h), (i)  26.30, 26.32, 26.45, 26.47
    (2)  26.1, 26.11, 26.12, 26.29, 26.30, 26.32, 26.45, 26.46, 26.47, 26.52
      (a)  26.46, 26.47
      (c)  26.47
      (d)  26.47
      (j)  26.47
    (3)  26.32, 26.48
  32  20.4; 25.1; 26.57, 26.59
    (1)(c)  26.60
    (2)(b)  26.60
  33  20.4; 25.1, 25.158; 26.57, 26.66, 26.75, 26.76
  34  20.4; 25.1; 26.77
  35  20.2, 20.4; 22.35, 22.46, 22.79, 22.80; 25.1, 25.38, 25.74, 25.98, 25.132, 25.135, 25.158; 26.56, 26.76, 26.77, 26.84, 26.90, 26.108, 26.121, 26.122, 26.144, 26.145, 26.147, 26.152, 26.161, 26.162, 26.169, 26.176, 26.194, 26.211
    (1)  26.86, 26.88
      (a)  22.46, 22.70; 26.87, 26.89, 26.93, 26.143
      (b)  26.87
      (d)  26.135
    (3)  26.144
    (4)  26.110

Freedom of Information Act 2000 – contd
  s 35(5)  26.90, 26.137
      (a)–(o)  26.153
  36  20.2, 20.4; 22.35, 22.46; 25.1, 25.38, 25.98, 25.135; 26.56, 26.76, 26.77, 26.101, 26.106, 26.147, 26.148, 26.149, 26.152, 26.161, 26.163, 26.168, 26.176, 26.194, 26.211, 26.231
    (2)(a)(i)–(iii)  26.161
      (b), (c)  26.161
    (7)  26.156
  37  20.4; 26.170, 26.176
    (1)(a)–(ab)  26.171, 26.174
      (ac)  26.172, 26.174
      (ad)  26.172
  38  20.4; 25.1, 25.98; 26.21, 26.56, 26.177, 26.179
  39  20.4; 25.1; 26.187
  40  5.75, 5.83, 5.84; 20.4; 23.153; 25.1, 25.13, 25.74, 25.98, 25.109, 25.119; 26.24, 26.56, 26.148, 26.186, 26.189, 26.194; 27.1, 27.2, 27.10, 27.21, 27.22, 27.27, 27.30, 27.35, 27.38, 27.71, 27.80, 27.83
    (1)  27.10, 27.13, 27.79
    (2)  4.5; 5.57; 26.16, 26.65; 27.11, 27.80
    (3)  4.5, 27.80
    (3A)  5.57; 26.16; 27.11, 27.23, 27.25, 27.80
    (3B)  27.11, 27.68, 27.80
    (4)  27.80
      (a), (b)  27.11
    (4A)  27.80
      (a), (b)  27.75
    (5A)  27.10, 27.78
    (5B)  27.12, 27.78
    (8)  27.34
  41  20.4; 23.104, 23.108; 25.1, 25.124, 25.125, 25.149; 26.24, 26.76, 26.148, 26.169, 26.170, 26.176, 26.186, 26.190, 26.211, 26.231
  42  20.2, 20.4; 25.1; 26.76, 26.129, 26.131, 26.148, 26.169, 26.170, 26.194, 26.195, 26.198, 26.200, 26.203, 26.204

Freedom of Information Act 2000 – contd
  s 42(2)  26.204
  43  20.2, 20.4; 23.72, 23.108, 23.113, 23.118; 25.38, 25.119, 25.132, 25.137, 25.140, 25.149, 25.158, 25.159; 26.169, 26.186, 26.194, 26.211, 26.212
    (1)  26.212
    (2)  26.214, 26.216, 26.225
    (3)  26.214
  44  20.4; 25.1; 26.170, 26.232; 27.25
    (1)(a)  26.233, 26.236
      (b)  26.235
      (c)  26.236
  45  24.42, 24.103
    (1)  24.19
  46  24.22
  50  24.99
  51, 52  24.103
  53  21.49; 24.104, 24.107
    (2)  24.106
  57(1)  24.101
  58  24.101
  60(2)  25.56
    (3)  25.88
  62(2A)  25.72
  63(1)  26.17, 26.64, 26.75
    (2E)  26.174
    (3)  26.174
    (4), (5)  26.55
  64(2)  25.54
  77  24.105
  81(2)  26.193
  84  24.4, 24.27
  Sch 1  21.1, 21.2
    Pt I (paras 1–6)  24.23, 24.59
    Pt II–VII  24.23
  Sch 3  24.103
Freedom of Information (Scotland) Act 2002  14.2
Health and Social Care (Community Health and Standards) Act 2003
  s 113(1), (2)  9.40
  114(1), (3)  9.40
Human Fertilisation and Embryology Act 1990  9.152
Human Rights Act 1998
  Sch 1
    Pt I  27.25
Intellectual Property Act 2014
  s 20  25.42
Interpretation Act 1978
  Sch 1  25.100

Legal Services Act 2007
  Pt 6 (ss 112–161)  9.40
Local Audit and Accountability Act 2014
  s 26  25.16
Local Government Act 1972
  s 111  10.18
  Sch 12
    Pt 1 (paras 1–6ZA)  23.84
Local Government Act 1974
  s 32(2)  23.85
Local Government Act 2000
  s 2  10.18
Local Government Act (Northern Ireland) 2014
  s 79  10.18
Localism Act 2011
  s 1  10.18
NHS Redress Act 2006
  s 14  9.40

Political Parties, Elections and Referendums Act 2000
  s 23  5.157
Port of London Act 1968  21.3
Proceeds of Crime Act 2002
  s 339ZB  5.139
Protection of Freedoms Act 2012
  s 103  24.26
Public Services Ombudsman (Wales) Act 2005
  Pt 2A (ss 34A–34Z)  9.40
Serious Crime Act 2007
  s 68  5.138
Social Services and Well-being (Wales) Act 2014
  Pt 10 Ch 1 (ss 171–178)  9.40
Terrorism Act 2000
  s 21CA  5.139
Town and Country Planning Act 1990
  s 106  19.53


Table of Statutory Instruments

Civil Procedure Rules 1998, SI 1998/3132  23.52, 23.54; 26.65
Copyright and Rights in Databases Regulations 1997, SI 1997/3032  23.67
Criminal Procedure Rules 2015, SI 2015/1490  23.52
Data Protection (Charges and Information) Regulations 2018, SI 2018/480  16.43
Data Protection (Corporate Finance Exemption) Order 2000, SI 2000/184  9.75
Data Protection (Miscellaneous Subject Access Exemptions) Order 2000, SI 2000/419  9.151
Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) No 2 Regulations 2019, SI 2019/485  2.33
  reg 2  2.33
Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, SI 2019/419  1.6; 2.3, 2.7, 2.21; 3.37, 3.69; 5.114; 9.2, 9.99, 9.103, 9.108, 9.111; 11.9, 11.36; 13.3
  reg 5  2.33
  8  2.33
    (2), (3)  12.6
  Sch 1  2.33
    para 4  2.26; 3.15, 3.35, 3.67
      (2)  7.46
    5  2.33; 3.67
    6(6), (11)  3.56
    7(2)  5.27
      (4)  4.7
    8  3.51
    9(7)(a)  5.113
      (10)  2.33; 5.114
    10  17.27
    11  6.6
    12(2)  6.9
    13(2)  6.9
    14  7.63
    16  3.30; 5.44

Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, SI 2019/419 – contd
  Sch 1 – contd
    para 17  8.69
    18  8.76
    19  9.5
      (2)(b)  9.7
    21(2)  14.11
    24  4.19
    29(5)  13.59
      (10)  13.20
    30(5)  13.48
    32  14.22
    33(2)  14.24
    37(2)(c)  3.61
    38  11.4
      (2), (4)  11.6
    39(4)  11.17
    41  11.30
    43  2.33
    44–54  16.1
    51  3.56
    55  2.33
    57  16.46
    58  16.49
    62  16.41
      (5)(a)  7.76
        (b)  16.40
    63  16.25
    64  16.25
      (2)  9.4
      (4)  9.97
    69  9.4
  Sch 2  2.33
    para 2  2.33
    4  2.33
      (3)(b)  2.26
      (7)(b), (c)  2.26
    5  2.33
    6  2.26, 2.33
    7  2.33
    12  3.51
    13  17.27
    17  8.76
    23  2.33; 11.4
    29–31  2.31, 2.33
    34  9.162
      (2)  9.7

Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, SI 2019/419 – contd
  Sch 2 – contd
    para 36  3.29
      (4)  4.19
    37  17.21
    39  17.19
    41  2.33
    42  2.33; 17.22
    43  17.22
    44  17.23
    64(3)  17.24
    87  2.33; 3.67
    92(23)(a), (d)  9.104
    96, 97  2.33
    102  2.33; 16.41; 17.22
  Sch 4  2.33
Data Protection (Subject Access Modification) (Education) Order 2000, SI 2000/414  9.65
Data Protection (Subject Access Modification) (Health) Order 2000, SI 2000/413  9.65
Data Protection (Subject Access Modification) (Social Work) Order 2000, SI 2000/415  9.65
Digital Government (Disclosure of Information) Regulations 2018, SI 2018/912  10.15
Digital Government (Scottish Bodies) Regulations 2018, SSI 2018/243  10.15
Digital Government (Welsh Bodies) (Wales) Regulations 2018, SI 2018/551  10.15
Environmental Information Regulations 1992, SI 1992/3240  18.6
Environmental Information Regulations 2004, SI 2004/3391  9.43, 9.45; 18.1, 18.2, 18.3, 18.4, 18.5, 18.6, 18.7, 18.8, 18.9, 18.10, 18.13, 18.14; 19.17, 19.19, 19.21, 19.22, 19.28, 19.44, 19.51, 19.52, 19.54; 20.1, 20.2; 21.1, 21.6, 21.7, 21.8, 21.9, 21.10, 21.14, 21.18, 21.21, 21.22, 21.26, 21.27, 21.29, 21.33, 21.37, 21.43, 21.47; 22.1, 22.3, 22.7, 22.13, 22.14, 22.18, 22.19, 22.20, 22.32, 22.49; 23.1, 23.3, 23.4, 23.5, 23.7, 23.8,

Environmental Information Regulations 2004, SI 2004/3391 – contd
  23.11, 23.19, 23.22, 23.25, 23.26, 23.32, 23.35, 23.52, 23.60, 23.68, 23.73, 23.89, 23.91, 23.94, 23.99, 23.115, 23.116, 23.117, 23.153; 24.4, 24.7, 24.65, 24.103; 25.2; 26.103, 26.122, 26.187, 26.188, 26.195, 26.202, 26.232; 27.1, 27.5, 27.7, 27.9, 27.24, 27.34, 27.38, 27.52, 27.55, 27.80
  reg 1(1)  22.2
  2  23.153
    (1)  19.1; 23.153
      (a)  19.4, 19.6, 19.38; 23.147
      (b)  19.7, 19.36
      (c)  19.15, 19.24, 19.27, 19.36, 19.40, 19.49, 19.53, 19.54
      (d)  19.30
      (e)  19.31, 19.49
      (f)  19.33
    (2)(c)  21.3
    (4A)  23.153
  3  21.7
    (2)  21.11; 22.2
      (a)  21.14
    (3), (4)  20.4
  Pt 2 (regs 4–11)  22.60
  reg 4  21.15, 21.19, 21.34
  5(2)  21.43
    (3)  27.82
    (4)  22.56
    (5)  19.14
    (6)  20.4; 21.24; 23.67, 23.91, 23.95, 23.105, 23.140; 26.232
  6(1)(b)  20.4
  7(1)  21.43; 22.16
  9  21.20, 21.34; 22.26, 22.28
    (3)  22.31
  11  21.46
  12  23.7
    (2)  21.26
    (2A)  27.25
    (3)  20.4; 27.2, 27.6
    (4)  22.1
      (a)  20.4; 22.1, 22.2, 22.3; 23.9
      (b)  20.2, 20.4; 21.27; 22.1, 22.5, 22.7, 22.10, 22.14, 22.16, 22.17, 22.21, 22.22, 22.24

Environmental Information Regulations 2004, SI 2004/3391 – contd
  reg 12(4)(c)  20.4; 22.1, 22.26, 22.31
      (d)  20.2, 20.4; 21.45; 22.1, 22.35, 22.39, 22.44, 22.45, 22.50, 22.51, 22.56, 22.57, 22.67, 22.68, 22.88; 23.1; 26.106, 26.120, 26.121, 26.122, 26.161, 26.162
      (e)  20.2, 20.4; 22.1, 22.46, 22.49, 22.58, 22.59, 22.65, 22.74, 22.75, 22.78, 22.79; 23.1, 23.77; 26.106, 26.161, 26.162
    (5)  22.1; 23.1, 23.2, 23.97
      (a)  20.2, 20.4; 21.17, 21.48; 23.4, 23.10, 23.18, 23.26, 23.31, 23.37, 23.38, 23.146
      (b)  20.2, 20.4; 22.58, 22.83; 23.39, 23.39, 23.46, 23.52, 23.55
      (c)  20.2, 20.4; 23.63, 23.70
      (d)  19.13; 20.2, 20.4; 21.25; 22.58; 23.78, 23.146; 26.232
      (e)  19.13; 20.2, 20.4; 22.58, 22.85, 22.88; 23.72, 23.77, 23.98, 23.111, 23.123, 23.129, 23.146; 26.190, 26.222, 26.230; 27.25
      (f)  19.13; 20.4; 23.77, 23.130, 23.134, 23.140, 23.143, 23.144
      (g)  19.13; 20.4; 23.147
    (6)  21.17; 23.7, 23.33
    (8)  20.4; 22.60
    (9)  19.13; 23.104
    (10)  23.131
  13  5.75, 5.83, 5.84; 7.42; 20.2, 20.4; 21.17; 22.1; 23.146, 23.153, 23.154; 27.2, 27.6
    (1)  27.79
    (2A)  27.25, 27.80
    (2B)  27.68, 27.80
    (3)  27.80
    (3A)  27.80
      (a), (b)  27.75
    (5A)  21.17; 23.8, 23.7; 27.11, 27.82

Environmental Information Regulations 2004, SI 2004/3391 – contd
  reg 13(5B)  21.17; 23.7; 27.11, 27.82
      (d)  27.82
    (6)  27.34, 27.83
  14  21.44
  15  21.48
    (1)(a)  23.34
  Pt 4 (regs 16, 17)  22.60
  Pt 5 (regs 18–21)  22.60
  reg 18(1)  21.46
    (6)  21.49
Environmental Information (Scotland) Regulations 2004, SSI 2004/520  21.8
European Union (Withdrawal) Act 2018 (Exit Day) (Amendment) (No 2) Regulations 2019, SI 2019/859  2.3
Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004, SI 2004/3244  24.51
  reg 4  24.63
    (1), (2)  24.61
    (3)  7.47; 24.61
    (4)  24.59
  5  24.63
    (1)  24.62
    (3)  24.62
  6(2)  24.51
    (3)  24.52
  7  24.63
Freedom of Information (Definition of Historical Records) (Transitional and Saving Provisions) Order 2012, SI 2012/3029
  Sch 7
    para 4  25.72
Freedom of Information (Designation as Public Authorities) Order 2011, SI 2011/2598  24.25
Freedom of Information (Designation as Public Authorities) Order 2015, SI 2015/851  24.25
Freedom of Information (Designation as Public Authority and Amendment) Order 2018, SI 2018/1212  24.25
Freedom of Information (Release of Datasets for Re-Use) (Fees) Regulations 2013, SI 2013/1977  24.55
  reg 2(2)  24.55
    (3), (4)  24.56

Magistrates’ Courts (Children and Young Persons) Rules 1992, SI 1992/2071  9.130
Privacy and Electronic Communications Regulations 2003, SI 2003/2426  2.33; 5.63; 9.69; 12.2, 12.3, 12.4
  reg 2  12.6
  5–5C, 6, 14  12.4
  19  12.4
    (1)–(3)  12.16
  20  12.4, 12.17
  21(b)  12.17
    (A1)  12.14

Privacy and Electronic Communications Regulations 2003, SI 2003/2426 – contd
  reg 21(1), (3)–(5)  12.12
  21A, 21B  12.17
  22  12.5
    (2)  12.5
    (3)  12.5, 12.7
      (a)  12.9
  26  12.12
  28, 29  12.19
Re-use of Public Sector Information Regulations 2015, SI 2015/1415  8.36; 21.37; 24.18


Table of European Legislation

CONVENTIONS
Convention concerning the Protection of the World Cultural and Natural Heritage (Paris, 17 October – 21 November 1972)  19.45
Convention on Access to Information, Public Participation in Decision-making, and Access to Justice in Environmental Matters (Aarhus, 1998)  18.7; 23.144
Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108)  2.15
  art 13  2.33
European Convention on Human Rights (Rome, 4 November 1950)  26.192
  art 8  27.25

DIRECTIVES
Dir 90/131/EEC  18.7
  art 2(1)  19.1
Dir 95/46/EC  2.2, 2.5, 2.17; 3.4, 3.10; 17.1
  Recital 26  3.5
  art 2(a)  3.4
    (d)  3.16
  8  3.10
Dir 2002/58/EC  8.69; 12.3
Dir 2003/4/EC  18.7
  art 6  21.49
  7(2)(a)–(g)  21.16
  Recital (1)  19.26
Dir 2008/1/EC  19.9, 19.11
Dir 2016/680/EU  2.5, 2.10, 2.13; 3.12; 17.1
  art 15, 22  2.2

REGULATIONS
Reg (EU) 182/2011
  art 5  11.25
Reg (EU) 2016/679  1.6; 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.10, 2.11, 2.12, 2.14, 2.16, 2.17, 2.18, 2.19, 2.20, 2.21, 2.22, 2.23, 2.24, 2.25, 2.26, 2.27, 2.29, 2.31, 2.32, 2.33; 3.1, 3.4, 3.13, 3.14, 3.15, 3.17, 3.20, 3.21, 3.26, 3.28, 3.34, 3.35, 3.37, 3.39, 3.47,

Reg (EU) 2016/679 – contd
  3.49, 3.56, 3.58, 3.62, 3.66, 3.67, 3.68; 4.1, 4.3, 4.6, 4.14, 4.16; 5.3, 5.5, 5.7, 5.13, 5.33, 5.41, 5.54, 5.61, 5.62, 5.63, 5.88, 5.113; 6.9; 7.1, 7.2, 7.4, 7.11, 7.13, 7.16, 7.18, 7.20, 7.21, 7.23, 7.25, 7.29, 7.34, 7.39, 7.41, 7.42, 7.44, 7.46, 7.47, 7.53, 7.56, 7.72; 8.7, 8.17, 8.71; 9.1, 9.2, 9.3, 9.7, 9.11, 9.21, 9.28, 9.31, 9.35, 9.43, 9.54, 9.57, 9.67, 9.74, 9.92, 9.93, 9.95, 9.101, 9.107, 9.115, 9.116, 9.162; 10.1, 10.4, 10.5, 10.9, 10.13, 10.22, 10.32, 10.39, 10.47; 11.1, 11.2, 11.4, 11.5, 11.15, 11.16, 11.31; 12.2, 12.3, 12.6; 13.1, 13.11, 13.12, 13.55; 14.3; 15.2, 15.15; 16.2, 16.29, 16.41, 16.42, 16.50; 17.1, 17.9, 17.11, 17.18, 17.26, 17.28; 24.2, 24.7; 27.1, 27.3, 27.4, 27.6, 27.9, 27.14, 27.15, 27.16, 27.17, 27.22, 27.24, 27.25, 27.27, 27.38, 27.77, 27.79, 27.83, 27.85
  Recital (15)  3.35, 3.37
    (16)  2.22
    (22)  3.62, 3.63
    (23)  3.62
    (24)  14.5
    (26)  3.1, 3.5
    (27)  3.55
    (28)  3.1, 3.21, 3.22
    (29)  3.1
    (32)  3.40, 3.41
    (34)  3.6
    (39)  6.2
    (41)  5.35
    (42)  3.42; 5.6
    (43)  3.43, 3.44
    (45)  5.27, 5.35
    (46)  5.24, 5.25

Reg (EU) 2016/679 – contd
  Recital (47)  5.48, 5.49, 5.54, 5.55, 5.59, 5.62, 5.80
    (48)  5.48
    (49)  5.48, 5.61
    (50)  4.7; 5.41
    (58)  6.2
    (63)  7.1, 7.3, 7.17
    (64)  7.24
    (65)  8.17, 8.21
    (66)  8.23
    (67)  8.26, 8.29
    (68)  8.34, 8.45
    (69)  8.49
    (71)  8.72, 8.74, 8.77
    (75)  5.69; 13.6, 13.7; 15.4
    (76)  15.4
    (78)  3.58
    (81)  3.27
    (90)–(93)  13.3
    (94)  13.3, 13.47
    (95), (96)  13.3
    (104), (105)  11.6
    (106), (107)  11.8
    (109)  11.23
    (111)  11.26, 11.31
    (112)  11.28
    (113)  11.32
    (115)  11.30
  art 2  3.15, 3.67
    (1)  3.35; 7.46
    (1A)  3.37; 9.2
    (2)  3.15
      (b)  2.22
    (5)  3.15
      (b)  3.37
  3  3.67
    (1)  3.62
    (2)  2.33; 3.57, 3.62; 15.12
    (2A)  2.33; 3.57
  4(1)  3.1, 3.5; 18.12
    (2)  3.14
    (4)  3.32; 7.63
    (5)  3.34
    (6)  3.36, 3.37
    (7)  3.16
    (9), (10)  3.38; 8.11
    (11)  3.39
    (12)  3.53; 15.2
    (13)  3.6
    (14)  3.54
    (15)  3.55; 5.114
    (16)  3.56
  Ch II (arts 5–11)  7.47; 16.16
  art 5  5.89; 9.17, 9.34,

Reg (EU) 2016/679 – contd
  art 5 – contd
    9.42, 9.48, 9.51, 9.56, 9.60, 9.70, 9.73, 9.79, 9.83, 9.86, 9.88, 9.93, 9.117, 9.120, 9.131, 9.134, 9.141, 9.153, 9.155, 9.157, 9.159, 9.161; 16.16, 16.40
    (1)  4.19
      (a)  4.1, 4.2; 8.27; 9.13, 9.18, 9.30, 9.98
      (b)  4.1, 4.2, 4.8; 5.41; 9.13, 9.18, 9.30, 9.98
      (c)  4.1, 4.2; 9.98
      (d)  4.1, 4.2; 8.1; 9.98
      (e), (f)  4.1, 4.2; 9.98
  6  3.37; 5.90; 9.18, 9.93, 9.98; 10.21, 10.25, 10.45; 12.3; 16.16, 16.40; 27.26, 27.29
    (1)  27.34
      (a)  5.1, 5.4; 8.39; 27.30
      (b)  5.1, 5.9; 8.39; 10.26
      (c)  2.25; 5.1, 5.13; 9.3; 10.25; 13.59
      (d)  5.1, 5.24, 5.97
      (e)  2.21, 2.25; 5.1, 5.25, 5.27, 5.29, 5.40, 5.80; 8.41, 8.54; 9.3; 10.25, 10.48; 13.59; 14.3; 27.68
      (f)  5.1, 5.45, 5.79, 5.83; 6.9; 8.62; 9.108; 10.25, 10.48; 27.30, 27.33, 27.34, 27.35, 27.52, 27.64, 27.68, 27.83
    (2)  5.27
    (3)  9.3
  7  3.42; 9.98; 16.16, 16.40
    (1), (2)  3.42; 27.31
    (3)  3.42; 27.31
    (4)  3.42
  8  3.50, 3.51; 9.98; 16.16
    (1)  8.18
    (2)  3.51
    (4)  3.52
  9  2.8, 2.33; 3.37; 5.2, 5.82, 5.92; 9.93; 10.22, 10.27; 13.15; 14.10; 16.16, 16.40; 17.27; 27.26

Reg (EU) 2016/679 – contd
  art 9(1)  3.10, 3.11
    (2)  17.27; 27.64
      (a)  5.92, 5.93; 8.39, 8.79; 10.27; 27.64
      (b)  5.92, 5.94, 5.116; 10.27
      (c)  5.24, 5.92, 5.96
      (d)  5.92, 5.98
      (e)  5.92, 5.101; 27.64
      (f)  5.92, 5.103
      (g)  5.32, 5.42, 5.92, 5.105; 8.79; 17.27
      (h)  5.25, 5.92, 5.107; 8.19; 10.27
      (i)  5.111, 5.112, 5.113; 8.19; 10.27
      (j)  10.27
    (3)  5.107; 8.19
    (4)  5.114
  10  2.14, 2.33; 3.57; 9.98; 13.15; 14.1, 14.10; 16.16; 17.2, 17.26, 17.27; 27.67
  11  16.16
    (2)  9.98
  Ch III (arts 12–23)  9.162
  art 12  3.26; 8.20, 8.76, 8.83; 9.3; 16.16, 16.40
    (1)  7.65, 7.66
    (2)  7.20
    (3)  7.39; 8.1, 8.44, 8.69; 9.90
    (4)  7.39; 8.10, 8.44, 8.69; 9.90
    (5)  7.33; 8.12, 8.44, 8.69
      (a)  27.14
    (6)  7.21, 7.24; 8.44, 8.69, 8.83; 27.14
    (6A)–(8)  6.6
  13  3.26, 3.37; 5.12; 6.8, 6.9, 6.16; 9.3, 9.5, 9.6, 9.17, 9.19, 9.22, 9.25, 9.27, 9.30, 9.34, 9.37, 9.39, 9.42, 9.48, 9.51, 9.56, 9.59, 9.70, 9.73, 9.76, 9.79, 9.83, 9.86, 9.88, 9.93, 9.98, 9.117, 9.120, 9.131, 9.134, 9.141; 10.13, 10.29, 10.31, 10.48; 16.16, 16.40
    (1)(e)  3.38; 5.21
    (2)(f)  8.82
    (3)  6.11

Reg (EU) 2016/679 – contd
  art 13(4)  6.12, 6.18; 10.32
  14  3.26, 3.37; 5.12; 6.8, 6.16; 9.3, 9.5, 9.6, 9.17, 9.19, 9.22, 9.25, 9.27, 9.30, 9.34, 9.37, 9.39, 9.42, 9.48, 9.51, 9.56, 9.59, 9.70, 9.73, 9.76, 9.79, 9.83, 9.86, 9.88, 9.93, 9.98, 9.117, 9.120, 9.131, 9.134, 9.141; 10.13, 10.29, 10.31, 10.48; 16.16, 16.40
    (1)(c)  5.21
      (e)  3.38
    (2)  9.56
      (g)  8.82
    (3)  9.56
    (5)  6.18
      (b)  6.18; 9.107, 9.108, 9.113
  15  3.26; 7.71; 8.1; 9.3, 9.5, 9.6, 9.17, 9.2, 9.25, 9.27, 9.30, 9.34, 9.37, 9.39, 9.42, 9.48, 9.51, 9.56, 9.70, 9.73, 9.76, 9.79, 9.83, 9.86, 9.88, 9.90, 9.93, 9.98, 9.104, 9.121; 10.48; 16.16, 16.40
    (1)  7.5, 7.63; 9.19, 9.59, 9.63, 9.106, 9.112, 9.117, 9.120, 9.131, 9.134, 9.141; 27.11, 27.13
      (a), (b)  7.5, 7.63
      (c)  3.38; 7.5, 7.63
      (d)–(h)  7.5, 7.63
    (2)  7.63; 9.59, 9.106, 9.112, 9.117
    (3)  7.8, 7.64, 7.65; 9.19, 9.59, 9.63, 9.106, 9.112, 9.117, 9.126, 9.136, 9.138, 9.143, 9.149, 9.153, 9.155, 9.157, 9.159, 9.161; 27.14
    (4)  7.9; 27.17
  16  3.26; 8.1, 8.16; 9.3, 9.5, 9.6, 9.30, 9.34, 9.37, 9.39, 9.42, 9.48, 9.51, 9.56, 9.59, 9.93, 9.106, 9.112, 9.117, 9.120, 9.131, 9.134, 9.141; 16.16, 16.40

Reg (EU) 2016/679 – contd
  art 17  3.26; 8.1, 8.17, 8.42; 9.3, 9.5, 9.6, 9.17, 9.27, 9.30, 9.34, 9.42, 9.48, 9.51, 9.56, 9.59, 9.93, 9.115, 9.117, 9.120, 9.131, 9.134, 9.141; 16.16, 16.40
    (1)  8.19
    (2)  8.22
    (3)  8.19
      (b)  5.22, 5.44
  18  3.26; 5.23; 8.1, 8.9, 8.26; 9.3, 9.5, 9.6, 9.17, 9.27, 9.30, 9.34, 9.37, 9.39, 9.42, 9.48, 9.51, 9.56, 9.59, 9.93, 9.117, 9.120, 9.131, 9.134, 9.141; 10.48; 16.16, 16.40
    (1)  9.106, 9.112
      (a)  8.27; 9.29
      (b)  8.27
      (c)  8.27; 9.93, 9.98
      (d)  8.27
    (2)  3.30; 5.23, 5.44
    (3)  8.29
  19  3.26; 8.1, 8.11, 8.12, 8.13, 8.17, 8.22, 8.26, 8.30; 9.3, 9.5, 9.6, 9.17, 9.30, 9.34, 9.37, 9.39, 9.42, 9.48, 9.51, 9.56, 9.59, 9.98, 9.92, 9.112, 9.115; 16.16, 16.40
  20  3.26, 3.37; 7.70; 8.1, 8.34; 9.3, 9.5, 9.6, 9.17, 9.30, 9.34, 9.37, 9.39, 9.42, 9.48, 9.51, 9.56, 9.93, 9.115; 16.16, 16.40
    (1)  8.37; 9.59, 9.98, 9.112, 9.117, 9.120, 9.131, 9.134, 9.141
      (a)  5.8, 5.12, 5.22, 5.26, 5.44, 5.85
      (b)  5.8, 5.12
    (2)  8.37; 9.59, 9.98, 9.117, 9.120, 9.131, 9.134, 9.141
    (4)  8.41, 8.43
  21  3.26, 3.37; 5.8; 8.1; 9.3, 9.5, 9.6, 9.17, 9.25, 9.27, 9.30, 9.34, 9.37, 9.39, 9.42, 9.48, 9.51, 9.56, 9.93; 10.48; 16.16, 16.40; 27.11, 27.68, 27.70, 27.71, 27.72, 27.74

art 21(1) .... 5.8, 5.12, 5.22, 5.26, 5.85; 8.18, 8.27, 8.49; 9.59, 9.98, 9.106, 9.112, 9.117, 9.120, 9.131, 9.134, 9.141; 27.69
  (2) .... 8.18, 8.49, 8.50, 8.61, 8.71
  (3) .... 5.85; 8.50, 8.59
  (5) .... 8.69
  (6) .... 8.49, 8.64, 8.67
22 .... 3.26; 8.1, 8.72, 8.73, 8.76, 8.80, 8.84; 9.3, 9.93, 9.115; 16.16, 16.40
  (1) .... 7.63; 8.72
  (2) .... 8.74
    (a) .... 5.12
  (3) .... 8.75
  (4) .... 7.63; 8.79
23 .... 3.26
  (1) .... 4.7; 9.3, 9.4, 9.5, 9.6
  (2) .... 4.7; 9.3
Ch IV (arts 24–43) .... 7.47
art 25 .... 16.28
  (1) .... 3.58
  (2) .... 3.60
27(1), (2) .... 3.57
28 .... 3.21; 7.50; 10.5; 16.16; 17.15
  (1) .... 3.21, 3.26
  (2) .... 3.25
  (3) .... 3.26, 3.29
    (a)–(c) .... 3.26
    (d) .... 3.25, 3.26
    (e) .... 3.26
    (f) .... 3.26; 7.50; 15.13
    (g), (h) .... 3.26; 7.50
  (4) .... 3.25; 10.4
  (6)–(8) .... 3.27
  (10) .... 3.28
29 .... 3.21; 6.3; 7.50, 7.61, 7.62; 13.14; 14.5, 14.23; 15.1, 15.12; 16.16
30 .... 3.21; 4.19; 5.1; 7.50; 16.16
  (2) .... 3.29; 4.19
  (5) .... 4.20
31 .... 16.16
32 .... 3.29; 16.28
  (1) .... 4.16; 16.16
33 .... 3.27, 3.53; 9.162; 15.5, 15.15
  (1) .... 15.1, 15.12


art 33(2) .... 15.13
  (3) .... 15.5
34 .... 3.27; 9.3, 9.93, 9.162; 15.8, 15.15; 16.16
  (1) .... 9.14, 9.17, 9.51, 9.98; 15.8
  (3) .... 15.10
  (4) .... 9.14, 9.51, 9.98; 15.11
35 .... 3.27; 10.38; 13.3; 16.16
  (1) .... 3.52; 13.21, 13.59
  (3)(a) .... 8.81
  (4) .... 13.14
  (5) .... 13.59
  (7)(b) .... 13.26
  (9) .... 13.22
  (10) .... 13.20, 13.59
36 .... 3.27; 9.93; 13.3; 14.24; 16.16
  (2) .... 13.46, 13.47, 13.56
  (4), (4A) .... 13.48
37 .... 16.16
  (1)(c) .... 14.10
38 .... 16.16
  (6) .... 13.54
39 .... 14.15, 14.18, 14.23, 14.24; 16.16
  (1)(e) .... 13.54
40 .... 11.15; 16.28
  (1) .... 2.16
41(1) .... 2.16
42 .... 3.27, 3.61; 11.15; 16.28
  (1) .... 2.16
43 .... 3.27
  (1)(b) .... 3.61
Ch V (arts 44–46) .... 4.1; 9.93; 11.2, 11.30
art 44 .... 3.37; 11.1; 16.40
45 .... 3.37; 11.1, 11.31, 11.35; 16.40
  (2) .... 11.6
  (3) .... 11.6
  (5) .... 11.8
46 .... 3.37; 7.63; 11.1, 11.15, 11.35; 16.40
  (3) .... 11.17
47 .... 3.37; 11.1, 11.18; 16.40
  (2) .... 11.19
    (d) .... 11.25

art 47(2)(k), (m) .... 11.20
    (n) .... 11.20
48 .... 3.37; 11.1, 11.30; 16.40
49 .... 3.37; 11.1, 11.26, 11.35; 16.40
  (1) .... 11.26, 11.32
  (3) .... 11.27, 11.34
  (5) .... 11.29
50 .... 2.33
55 .... 15.12
56(1) .... 15.12
57(1)(d) .... 12.2
    (f) .... 16.46
  (2) .... 16.46
58 .... 13.47; 15.14
  (1) .... 16.40
  (2)(a)–(h), (j) .... 16.25
60–62 .... 9.99
63 .... 9.99; 11.18
64–67 .... 9.99
77 .... 16.46, 16.59
78 .... 16.46, 16.59
79 .... 16.59
  (1) .... 16.49
80 .... 16.59
  (1) .... 16.59
82 .... 3.28; 16.59
83 .... 3.28; 11.1; 16.1, 16.25
  (1) .... 16.26, 16.27
  (2) .... 16.26, 16.28
  (4) .... 16.40
  (5) .... 16.40
    (b) .... 7.76
84 .... 3.28; 11.1; 16.1, 16.25
Ch VII s 1 .... 2.33
Ch VII s 2 .... 2.33
Ch IX (arts 85–91) .... 7.47; 16.40
art 85 .... 16.40
  (2A) .... 9.97
86–88 .... 16.40
89 .... 16.40
  (1) .... 4.2; 5.113; 6.15; 8.64, 8.66, 8.67; 9.103, 9.105, 9.107, 9.111
  (2) .... 9.4
  (4) .... 9.103, 9.111
90, 91 .... 16.40
95 .... 12.2


Table of Cases

A

All-Party Parliamentary Group on Drones v Information Comr (EA/2016/0176) .... 25.127
All Party Parliamentary Group on Extraordinary Rendition (APPGER) v Information Comr & Foreign & Commonwealth Office (EA/2011/0049-0051) .... 25.95
All-Party Parliamentary Group on Extraordinary Rendition (APPGER) v Information Comr & Foreign & Commonwealth Office [2015] UKUT 377 (AAC) .... 24.85
All-Party Parliamentary Group on Extraordinary Rendition (APPGER) v Information Comr & MOD [2011] UKUT 153 (AAC), [2011] 4 WLUK 478 .... 25.127, 25.128
Amin v Information Comr & Department for Energy & Climate Change [2015] UKUT 527 (AAC) .... 22.70; 26.108
Archer (Benjamin) v Information Comr & Salisbury District Council (EA/2006/0037) .... 23.81

B

Baker (Norman) v Information Comr & the Cabinet Office (EA/2006/0045) .... 23.25; 25.78
Bickford-Smith v Information Comr & Rural Payments Agency (EA/2010/0031) .... 21.40
Black v Information Comr (EA/2011/0064) .... 19.47
Blake (Jason) v Information Comr & Leicester City Council (EA/2018/0179) .... 24.75
Blake (Kenneth) v Information Comr (EA/2009/0026) .... 27.45, 27.52, 27.61
Boddy v Information Comr (EA/2007/0074) .... 22.29
Bolton (Peter) v Information Comr & East Riding Council (EA/2011/0216) .... 27.52
Bristol v Information Comr & Portland & Brunswick Squares Association (EA/2010/0012) .... 23.110, 23.124, 23.127
Burt (Peter) v Information Comr & Ministry of Defence (EA/2011/0004) .... 25.91

C

CP v Information Comr [2016] UKUT 472 (AAC) .... 24.75
Cabinet Office v Information Comr (EA/2010/0031) .... 22.80; 26.125
Cabinet Office v Information Comr & Ashton [2018] UKUT 208 (AAC) .... 24.75
Cabinet Office v Information Comr & Webber [2018] UKUT 410 (AAC) .... 22.46, 22.70; 26.108
Calland v Information Comr & Financial Services Authority (EA/2007/0136) .... 26.198
Campaign Against the Arms Trade (CAAT) v Information Comr (EA/2007/0040) .... 23.12, 23.18, 23.38; 25.127, 25.135
Campbell v MGN Ltd [2004] UKHL 22, [2004] 2 AC 457, [2004] 2 WLR 1232 .... 16.50
Chichester District Council v Information Comr & Friel (EA/2011/0180) [2012] UKUT 491 (AAC) .... 23.84
Coco v AN Clark (Engineers) Ltd [1968] 7 WLUK 2, [1968] FSR 415, [1969] RPC 41 .... 26.192
Cole (Chris) v Information Comr & Ministry of Defence (EA/2013/0042 & 0043) .... 25.118
Commission for Local Administration in England v Information Comr (EA/2007/0087) .... 26.33
Common Services Agency v Scottish Information Comr [2008] UKHL 47, [2008] 1 WLR 1550, [2008] 4 All ER 851 .... 3.4
Comr of Police of the Metropolis v Information Comr (EA/2010/0008) .... 25.65
Cooper v National Crime Agency [2019] EWCA Civ 16, [2019] 1 WLUK 203 .... 27.35, 27.39
Corporate Officer of the House of Commons v Information Comr & Norman Baker MP (EA/2006/0015) .... 27.44
Corporate Officer of the House of Commons v Information Comr & (1) Ben Leapman, (2) Heather Brooke, (2) Michael Thomas (EA/2007/0060-0063, 0122, 0123, 0131) .... 27.39


Corporate Officer of the House of Commons v Information Comr & Brooke (Heather), Leapman (B) & Ungoed-Thomas (Jonathan Michael) [2008] EWHC 1084 (Admin), [2009] 3 All ER 403, [2008] 5 WLUK 384 .... 27.39
Council of the Borough & County of the Town of Poole v Information Comr (EA/2016/0074) .... 26.228
Cranfield University v Information Comr (EA/2011/0146) .... 26.218
Craven v Information Comr & the Department of Energy & Climate Change [2012] UKUT 442 (AAC), on appeal [2015] EWCA Civ 454, [2015] 1 WLR 5316, [2016] 3 All ER 221 .... 22.10, 22.16, 22.17, 22.18

D

DB v General Medical Council [2018] EWCA Civ 1497, [2018] 6 WLUK 588, (2018) 164 BMLR 19 .... 7.11, 7.57
DBERR v Information Comr & Friends of the Earth (EA/2007/0072) .... 19.21; 21.9, 21.10; 22.46, 22.70
DBERR v Information Comr (EA/2008/0096) .... 21.9; 22.18
Dalley (Group Captain) v Information Comr (EA/2011/0180) .... 23.85, 23.91, 23.93
Dawson-Damer v Taylor Wessing LLP [2017] EWCA Civ 74, [2017] 1 WLR 3255, [2017] 2 WLUK 461 .... 7.34
Department for Environment, Food & Rural Affairs v Information Comr & Badger Trust [2014] UKUT 526 (AAC), [2014] 11 WLUK 872 .... 22.46
Department for Business, Energy & Industrial Strategy v Information Comr & Alex Henney [2017] EWCA Civ 844, [2017] PTSR 1644, [2017] 6 WLUK 652 .... 19.2, 19.23, 19.24, 19.26, 19.27, 19.28
Department for Business, Enterprise & Regulatory Reform (DBERR) v Dermod O’Brien & Information Comr [2009] EWHC 164 (QB), [2009] 2 WLUK 222 .... 26.207, 26.208
Department for Communities & Local Government (DCLG) v Information Comr & WR [2012] UKUT 103 (AAC) .... 23.44, 23.45, 23.56; 26.206, 26.209
Department for Education & Skills (DFES) v Information Comr & Evening Standard (EA/2006/0006) .... 22.44; 26.92, 26.96, 26.104, 26.115, 26.116
Department of Health v Information Comr [2011] EWHC 1430 (Admin), [2011] 4 WLUK 586, [2011] Info TLR 47 .... 3.4, 3.5
Department of Work & Pensions v Information Comr (EA/2006/0040) .... 26.143
Department of Work & Pensions v Information Comr (EA/2010/0073) .... 26.212
Department of Work & Pensions v Information Comr (EA/2014/0074, 0109 & 0130) .... 25.156
Department of Work & Pensions v Information Comr & Zola [2014] UKUT 0334 (AAC) .... 25.157
Derry City Council v Information Comr (EA/2006/0014) .... 23.113; 25.140, 25.156; 26.221, 26.222
Dicker (Michael) v Information Comr (EA/2012/0250) .... 27.46
Doherty (Paul) v Information Comr & HMRC (EA/2011/0202) .... 26.41
Dransfield v Information Comr & Devon County Council see Information Comr v Devon County Council & Dransfield
Doorstep Dispensaree Ltd v Information Comr (EA/2018/0265) .... 16.7
Douglas v Hello! Ltd (No 3) [2005] EWCA Civ 595, [2006] QB 125, [2005] 3 WLR 881 .... 16.50
Driver (Ian) v Information Comr & Thanet District Council (EA/2017/0218) .... 26.190
Dun (Peter) v Information Comr & National Audit Office (EA/2010/0060) .... 27.54

E

East Sussex County Council v Information Comr (Case 71/14, 6 October 2015) .... 19.54; 21.29
Elmbridge District Council v Information Comr (EA/2010/0106) .... 23.107, 23.112


Export Credit Guarantee Department v Information Comr & Mr N Hildyard (EA/2008/0071) .... 23.15

F

Fish Legal v Information Comr [2012] UKUT 177 (ACC) .... 21.4, 21.5
Foreign & Commonwealth Office v Information Comr (EA/2011/0011) .... 26.47
Foster (Colleen) v Information Comr (EA/2013/0176) .... 27.60
Friends of the Earth v Information Comr & Export Credits Guarantee Department [2008] EWHC 638 (Admin), [2008] 3 WLUK 401, [2008] Env LR 40 .... 26.116

G

Gardner v Information Comr (EA/2018/0150) .... 22.36
Ghafoor v Information Comr (EA/2015/0140) .... 24.33
Gibson v Information Comr & Craven DC (EA/2010/0095) .... 27.40, 27.57
Gilby (Nicholas James) v Information Comr & Foreign & Commonwealth Office (EA/2007/0071) .... 25.127
Glawischnig v Bundesministerium fur Sicherheit und Generationen (Case C-316/01) .... 19.20, 19.25
Goldsmith International Business School v Information Comr & Home Office [2014] UKUT 563 (AAC) .... 27.35, 27.39
Google Inc v Vidal-Hall [2015] EWCA Civ 311, [2016] QB 1003, [2015] 3 WLR 409 .... 16.50
Google Spain SL & Google Inc v Agencia Espanola de Proteccion de Datos (AEPD) & Mario Costeja Gonzalez (Case C-131/12) [2014] QB 1022, [2014] 3 WLR 659, [2014] 2 All ER (Comm) 301 .... 3.64; 8.17
Greenwich v Information Comr & Brownie (EA/2014/0122) .... 23.122
Guardian Newspapers Ltd v Information Comr & Chief Constable of Avon & Somerset Police (EA/2006/0017) .... 26.20

H

Haslam (Dale) v Information Comr & Bolton Council (EA/2014/0029) [2016] UKUT 0139 (AAC) .... 27.38, 27.39, 27.48, 27.58
Her Majesty’s Treasury v Information Comr & Evan Owen [2009] EWHC 1811 (Admin), [2010] QB 563, [2010] 2 WLR 931 .... 26.133
Highways England Co Ltd v Information Comr & Henry Manistey [2018] UKUT 423 (AAC) .... 22.36
Hogan (Christopher Martin) & Oxford City Council v Information Comr (EA/2005/0026 & 0030) .... 23.4; 25.45, 25.127
Hussein v Sandwell Metropolitan Borough Council [2017] EWHC 1641 (Admin), [2018] PTSR 142, [2017] 6 WLUK 626 .... 27.39

I

Information Comr v (1) CF & (2) Nursing & Midwifery Council [2015] UKUT 449 (AAC) .... 27.38
Information Comr v Devon County Council & Dransfield [2012] UKUT 440 (AAC), [2013] 1 WLUK 547, [2015] EWCA Civ 454 .... 22.11, 22.12, 22.16; 24.67, 24.68, 24.69, 24.70, 24.75
Information Comr v HMRC & Gaskell [2011] UKUT 296 (AAC) .... 24.85
Information Comr v Halpin [2019] UKUT 29 (AAC) .... 27.39
Information Comr v Malnick & ACOBA [2018] UKUT 72 (AAC) .... 26.156

J

John Connor Press Associates Ltd v Information Comr (EA/2005/0005) .... 23.3; 25.45; 26.212, 26.216


K

Kalman (Phillip) v Information Comr & Department of Transport (EA/2009/0111) .... 25.77, 25.90
Kirkcaldie v Information Comr & Thanet District Council (EA/2006/0001) .... 9.69; 19.53; 23.43; 26.202

L

Lampert (Jeffrey) v Information Comr & Financial Services Authority (EA/2010/0203) .... 24.79
Lancashire Fire & Rescue Service v Information Comr (EA/2018/0084) .... 19.27
Lee v Information Comr & King’s College, Cambridge (EA/2012/0015) .... 24.68
Lindqvist (Bodil) v Kammaraklagaren (Case C-101/01) [2004] QB 1014, [2004] 2 WLR 1385, [2003] ECR I-12971 .... 11.5
London Borough of Bexley & Colin P England v Information Comr (EA/2006/0060 & 0066) .... 25.15
London Borough of Camden v Information Comr & YV [2012] UKUT 190 (AAC) .... 26.50
London Borough of Southwark v Information Comr, Lend Lease & Glasspool (EA/2013/0162) .... 19.22, 19.28, 19.32, 19.49; 23.122

M

McKennitt v Ash [2006] EWCA Civ 1714, [2008] QB 73, [2007] 3 WLR 194 .... 16.50
Mackenzie (Donnie) v Information Comr (EA/2013/0251) .... 25.105
Markinson v Information Comr (EA/2005/0014) .... 21.35
Mersey Tunnel Users Association (MTUA) v Information Comr & Halton Borough Council (EA/2009/0001) .... 19.21, 19.28; 22.42
Mills (Hugh) v Information Comr (EA/2013/0263) .... 26.226

N

Newcastle upon Tyne NHS Foundation Trust v Information Comr (EA/2011/0236) .... 25.17

O

O’Brien (Dermod) v Information Comr & Department for Business, Enterprise & Regulatory Reform (DBERR) (EA/2008/0011) .... 26.92
Ofcom v Information Comr & T-Mobile (EA/2006/0078) .... 19.10; 23.26, 23.36, 23.71
Office of Communications (Ofcom) v Information Comr (Case C-71/10) [2010] UKSC 3, [2010] 1 WLUK 520, [2010] Env LR 20 .... 21.22; 23.26, 23.36
Office of Government Commerce v Information Comr & A-G [2008] EWHC 737 (Admin) .... 22.46; 26.104

P

People for the Ethical Treatment of Animals Europe (PETA) v Information Comr & University of Oxford (EA/2009/0076) .... 23.35
Plowden (Stephen) v Information Comr & FCO (EA/2011/0225 & 0228) .... 25.125, 25.131
Poplar Housing Association & Regeneration Community Association (Poplar Harca) v Information Comr & People’s Information Centre (EA/2018/0199) .... 21.3
Port of London Authority v Information Comr & John Hibbert (EA/2006/0083) .... 21.3
Purser v Information Comr & LGO (EA/2010/0188) .... 26.233

R

R v British Coal Corpn, ex p Ibstick Building Products Ltd (Case CO/1610/93) (21 October 1994) .... 19.28
R v Derby Magistrates Court, ex p B [1996] AC 487, [1995] 3 WLR 681, [1995] 4 All ER 526 .... 26.206
R v Secretary of State for Environment, Transport & the Regions, ex p Alliance against Birmingham Northern Relief Road [1998] EWHC Admin 598 .... 19.28


R (on the application of El Gizouli) v Secretary of State for the Home Department [2019] EWHC 60 (Admin), [2019] 1 WLUK 111, [2019] ACD 44 .... 17.5, 17.6
R (on the application of Evans) v A-G [2015] UKSC 21, [2015] AC 1787, [2015] 2 WLR 813 .... 21.49; 24.107
R (on the application of Lord) v Secretary of State for the Home Department [2003] EWHC 2073 (Admin) .... 9.9; 19.7; 23.3; 25.45; 26.216
R (on the application of Miller) v Secretary of State for Exiting the EU [2017] UKSC 5 .... 10.17
R (on the application of Mohamed) v Secretary of State for Foreign & Commonwealth Affairs [2010] EWCA Civ 65, [2011] QB 218, [2010] 3 WLR 554 .... 25.128
R (on the application of Office of Communications) v Information Comr [2009] EWCA Civ 90, [2009] 2 WLUK 565, [2009] Info TLR 13 .... 23.71, 23.76
Rosenbaum (Martin George) v Information Comr & House of Lords Appointments Commission (EA/2008/0035) .... 26.207
Rudd v Bridle & J & S Bridle Ltd [2019] EWHC 893 (QB), [2019] 4 WLUK 164 .... 7.63
Rudd v Information Comr (EA/2008/0020) .... 19.28

S

Salmon (Roger) v Information Comr (EA/2007/0135) .... 27.45
Schrems (Maximillian) v Data Protection Comr (Case C-362/14) [2016] QB 527, [2016] 2 WLR 873, [2015] 10 WLUK 117 .... 11.11
Scotland Office v Information Comr (EA/2007/0128) .... 22.75; 26.115
Scotland Office (Stage 2) v Information Comr (EA/2007/0070) .... 25.135
Secretary of State for the Home Department v Rehman [2001] UKHL 47, [2003] 1 AC 153, [2001] 3 WLR 877 .... 25.78, 25.80
Secretary of State for Transport v Information Comr (EA/2008/0052) .... 22.37, 22.49
Sinclair v Information Comr & Department of Energy & Climate Change (EA/2011/0052) .... 23.14
Smartsource Drainage & Water Reports Ltd v Information Comr [2010] UKUT 415 (AAC), [2010] 11 WLUK 588, [2011] JPL 455 .... 21.4, 21.5
South Gloucestershire Council v Information Comr & Bovis Homes (EA/2009/0032) .... 22.62; 23.104
South Lanarkshire Council v Scottish Information Comr [2013] UKSC 55, [2013] 1 WLR 2421, [2013] 4 All ER 629 .... 27.35, 27.39
Stevenson (William Thomas) v Information Comr & North Lancashire Teaching Primary Care Trust [2013] UKUT 181 (AAC) .... 26.32, 26.47
Stone v South East Coast Strategic Health Authority [2006] EWHC 1668 (Admin), [2006] 7 WLUK 321, [2007] UKHRR 137 .... 27.39
Surrey Heath Borough Council v Information Comr & John Morley [2014] UKUT 0339 (AAC) .... 27.53

T

Three Rivers District Council v Governor & Company of the Bank of England [2004] UKHL 48, [2005] 1 AC 610, [2004] 3 WLR 1274 .... 26.197
Trago Mills (South Devon) Ltd v Information Comr & Teignbridge District Council (EA/2012/0028) .... 27.52

U

UKIP v Information Comr [2019] UKUT 62 (AAC) .... 16.9
University of Central Lancashire v Information Comr & Colquhoun (EA/2009/003) .... 26.168, 26.220
University of Newcastle v Information Comr & British Union for the Abolition of Vivisection [2011] UKUT 185 (AAC) .... 21.14

V

Visser (Willem) v Information Comr & London Borough of Southwark (EA/2011/0188) .... 26.229


Visser (Willem) v Information Comr & London Borough of Southwark (EA/2012/0125) .... 21.14
Voyias v Information Comr & London Borough of Camden (EA/2011/0007) .... 26.34, 26.50

W

Watts (Mark) v Information Comr (EA/2007/0022) .... 19.41; 23.51
Waugh (Rob) v Information Comr & Doncaster College (EA/2008/0038) .... 27.52, 27.59, 27.61
Weltimmo sro v Hungarian Data Protection Authority (Case C-230/14) [2016] 1 WLR 863, [2015] WLUK 12 .... 3.64
West (Stephen) v Information Comr (EA/2010/0120) .... 26.209
Wirral Metropolitan Borough Council v Information Comr (EA/2012/0117) .... 22.37, 22.39, 22.42, 22.43
Wise v Information Comr (GIA/1871/2011) .... 24.68
Wm Morrison Supermarket plc v Various Claimants [2018] EWCA Civ 2339, [2019] 2 WLR 99, [2019] 2 All ER 579 .... 4.18
Wynn (Stephen) v Information Comr & Serious Fraud Office (EA/2011/0084) .... 26.5


Part 1

Data Protection

Section A

Data Protection – Main Provisions

CHAPTER 1

Introduction and Key Points

1.1 Information known as ‘personal data’ (information about identifiable individuals) has become the new oil: an enormous resource which underlies and powers other economic and public service activity, and whose value grows as its uses become ever more widespread.

1.2 The need for ‘data protection’ has become more widely understood as concerns over the privacy of information about ourselves as individuals, and the risks of identity theft, unauthorised access to our financial or personal affairs, and the mass sharing of information about us for commercial purposes without our agreement (or even knowledge, on occasion), have come to dominate the headlines.

1.3 The law of ‘data protection’ is a system of legal rights and obligations which protects how, and limits the circumstances in which, information (‘personal data’) about living individuals may be used. It is, however, a system of regulation, not of prohibition. It allows such data to be used in many different ways, provided those who hold and control the data do so in accordance with the rules set down by the system. It is not, as is commonly supposed, a means to require such data not to be used. In fact, the opposite is often the case, as vast quantities of personal data are used lawfully in Europe every day. In countries without data protection systems, or with only very limited ones, there are considerable possibilities for the misuse of data, in ways harmful to individuals. Even in Europe, including the UK, and the small (but growing) number of other countries with developed regulatory systems, there is very substantial scope for the use of such data. In those countries, the law seeks a careful balance between the privacy interests of the individual, and the interests of companies and public organisations which wish to use the information for legitimate commercial reasons, or need to use it in the public interest, while guarding against illegitimate uses.
1.4 The uses made of personal data, the importance of such information, and its commercial value, have multiplied enormously in the age of the internet and mass electronic communications. The ability to store and match data about different aspects of individuals’ lives makes possible improved targeting of public services to those most in need of them. The commercial possibilities from advertisements sent directly to individuals, and selected against an analysis of their interests and preferences, have generated business opportunities based on the economic value of such information which were unknown less than a generation ago. In 2018, however, the public in the USA and Europe began to learn about the scale on which their personal information, and that of their friends and contacts, was being gathered, compared, analysed, and exploited commercially. For the first time, criticism of such activities began to be voiced by mainstream politicians and media, and apparently to resonate with the public.

1.5 One area where awareness has been slower to develop, but which carries considerable implications for data privacy, has been the development of so-called ‘Cloud’ computing services; where data are stored in a way allowing multiple access by authorised users – the security implications, and even the question of which jurisdiction applies, have been poorly understood.

1.6 Whether this growing awareness of the uses made of individuals’ information, and of the erosions of privacy which have already resulted, will lead over time to a reduction in the use by individuals of social media, or to greater discrimination over the ways in which individuals make their personal data available – which to date has been extraordinarily lax – remains to be seen. It seems very likely, however, that demands for the legal safeguards protecting personal privacy to be more effective, and expectations that individuals should have a greater degree of control (or at least influence) over the use and sharing of their personal data between organisations, will increase in the future.

KEY POINTS

The following points are important to getting data processing right:

1. The law is not just in the GDPR. The Data Protection Act 2018 (DPA 2018) supplements, enlarges, modifies, and at times replaces, the GDPR. (Both are modified, in the event of Brexit, by new regulations: the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019¹, or ‘DPPEC Regulations’.) The GDPR (renamed the ‘UK GDPR’ after Brexit, in the version applying in this country) and the Act have to be read together, and the DPA 2018 is the main source for some of the most important features of the regime, including lawful bases for the processing of ‘special category’ (formerly sensitive) data, and the exemptions.

2. The ‘lawful bases’ for processing (previously the data processing ‘conditions’ under the Data Protection Act 1998 (‘DPA 1998’)) are central to whether processing is compliant. The lawful basis for each processing activity needs to be identified.

3. The ‘purposes’ of the processing are also central because they define the scope of much else, including the ‘data protection principles’. The purposes need to be identified and recorded.

4. The new ‘individual rights’, such as erasure, data portability and the stronger right to object, are important, and controllers will need to be properly compliant with them.

5. There are many exemptions from data processing requirements. They work in different ways, but were often poorly understood or even overlooked under the DPA 1998. The exemptions are extended and somewhat simpler now than under the DPA 1998, although still complicated, but they enable controllers and processors to carry out tasks more effectively, where the rules recognise that some of the requirements may otherwise inhibit them. A key ‘exemption’ concerns personal data relating to more than one individual, which requires a careful balancing of their interests. (In Section B (Chapters 7 and 8) below, each individual right ends with the exemptions which apply to it; and in Section B, Chapter 9 each exemption ends with a summary of the rights or requirements to which it may apply).

6. Transparency in processing (enhanced Privacy Notices, and the use of clear language); the Accountability principle (clear recording, and being able to explain the processing undertaken); ‘data protection by design’ (building it into the planning of activities); and Data Protection Impact Assessments (identifying and reducing data protection risks before new processing), are also important elements of the new culture of enhanced data protection.

¹ SI 2019/419.

CHAPTER 2

GDPR and Data Protection Act 2018

THE GDPR

2.1 Against this background, the General Data Protection Regulation (‘GDPR’) was well-timed¹. It came into effect on 25 May 2018. (The UK’s Data Protection Act 2018 (‘DPA 2018’) received Royal Assent on 23 May 2018, and most of it came into force on the same day as the GDPR – see below). Unusually for a piece of European (or even domestic) legislation, the GDPR was already widely known before that date. This was partly because of the coverage of the mass collection and use of personal data without the knowledge of individuals, which erupted in the preceding weeks and generated much publicity for the European ‘GDPR’. It entered the public consciousness, however, because in the weeks leading up to its introduction almost everyone in the UK with an email address began to receive regular messages about it. Very many organisations holding individuals’ personal data felt obliged to contact them by email to seek an updated consent to their data being held, citing the GDPR as the reason². The Regulation became widely discussed in the media, with various explanations (of varying degrees of accuracy) given for why individuals’ email inboxes were receiving so many messages, and why the new measure was necessary. Since then, organisations large and small have reviewed their data handling because of the GDPR. In December 2018, the Commissioner said in a speech that over 8,000 data breaches in the UK had been reported to her since the GDPR had come into effect just over six months previously. Complaints from the public over a comparable period had increased from 9,000 to 19,000, and the ICO’s ‘front line services’ had all increased by at least 100%³.

2.2 The GDPR evolved from several years of negotiations. It built on the previous Data Protection Directive 1995⁴ (transposed into UK law as the Data Protection Act 1998 or ‘DPA 1998’); and, contrary to much of the press reporting, represents less a radical change than an evolution and tightening of the law. It was widely (and inaccurately) reported that the new Regulation required an individual’s consent to be obtained before their personal data could continue to be processed. Some of the individual rights which have been treated as new (eg the right to have decisions taken by automated means reviewed by a human decision-maker) were, in fact, modelled on provisions in the 1995 Directive and the DPA 1998⁵. It does, nonetheless, contain new individual rights, such as the right of ‘data portability’. It significantly tightens and extends previous rights and protections, and updates them for the internet era. And its scale and relevance – in an environment where the possibilities and commercial opportunities, but also the risks to privacy, represented by the mass use of personal data, have become part of everyday experience – are much better recognised.

2.3 The GDPR sets a leading standard globally for data protection. As a European ‘Regulation’, unlike a Directive, the GDPR has applied directly in the United Kingdom from 25 May 2018 while it has remained an EU member, without needing to be enacted in the form of a domestic statute; albeit with significant amendments made by the DPA 2018. From the moment of the departure of the UK from the European Union⁶, the GDPR automatically becomes adopted into UK law under the terms of the European Union (Withdrawal) Act 2018. At that point, the wording of the Regulation will have moved from having direct effect to having become part of the UK’s own law; operating alongside the DPA 2018, and continuing to require cross-referencing between them. It will become known in the UK as the ‘UK GDPR’. At the time of updating (April/May 2019), the date on which the UK had been due to leave the EU had been amended twice, as a consequence of extensions agreed at EU level.

¹ Regulation (EU) 2016/679, 4 May 2016.
² Much of this activity was unnecessary. There appeared to be considerable misunderstandings about the interpretation of the GDPR, and the importance of ‘consent’ under it. In many cases, it may have been that the Regulation provided a convenient reason to seek to renew contact made long before with an individual, or to refresh email lists.
³ Elizabeth Denham, UK Information Commissioner, speech at International Privacy Forum, Wellington, New Zealand, 4th December 2018.
⁴ Directive 95/46 EC, 24 October 1995.
In consequence, it was unclear whether the UK would:

— leave the EU on or by 31 October 2019 at 11pm (with or without a transitional period afterwards);
— do so at a later date than 31 October 2019, if the initial two-year period for withdrawal from the EU were suspended or further lengthened by agreement; or
— (possibly) remain in the EU, perhaps after one or more further extensions of the exit date and another referendum.

What follows, therefore, necessarily reflects these different potential outcomes, and it should be read in the light of subsequent developments. The UK Parliament passed, in February 2019, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019⁷ (the ‘DPPEC Regulations’). These were to apply from ‘exit day’ (ie on or by 31 October 2019; or another date, if ‘exit day’ is further amended by regulations under the European Union (Withdrawal) Act 2018, s 20(4)⁸). As a result, in terms of the legislative framework for data protection, there appeared at the date of updating to be three potential outcomes:

(a) (in the event of departure from the EU on or by 31 October 2019, with or without a transitional period afterwards): the GDPR as modified (and renamed the ‘UK GDPR’) by the DPPEC Regulations, together with the DPA 2018, as also modified by the DPPEC regulations (with effect from the date of departure);

(b) (in the event of departure from the EU at a date later than 31 October 2019, with or without a subsequent transitional period): the GDPR with direct effect up to the date of departure, together with the DPA 2018; and (from the date and time of exit day) the GDPR as modified by the DPPEC Regulations (the ‘UK GDPR’), and the DPA 2018, as also modified by the DPPEC Regulations; or

(c) (in the event of no departure from the EU): the GDPR continuing to have direct effect in the UK, as supplemented or modified by the DPA 2018 in the form in which the latter was enacted (without any impact from the DPPEC Regulations on either measure).

⁵ Compare Article 15 of the 1995 Directive, and DPA 1998, s 12; with Article 22 and DPA 2018, s 14.
⁶ Scheduled, at the date of writing, to apply by 11pm on 31 October 2019, unless amended as outlined in this paragraph.
⁷ SI 2019/419.
⁸ At the time of updating, the European Union (Withdrawal) Act 2018 (Exit Day) (Amendment) (No 2) Regulations 2019, SI 2019/859 were in force to amend the Withdrawal Act to reflect a leaving date of 31 October 2019; although this was subject to an earlier date being possible if the UK had by then approved the proposed withdrawal agreement (or a later date, if agreed with the EU Council).

DATA PROTECTION ACT 2018

2.4 The GDPR required all EU member states to pass domestic legislation to deal with significant provisions which it left for local determination. The DPA 2018 performs that role; supplementing, extending, interpreting, and amending the GDPR in a UK context. The issues left for national decision notably included the scope (within a broad outline), and the subject-matter, of the exemptions from GDPR requirements, and additions to the lawful bases for processing of ‘special category’ personal data (on the latter, see paras 5.92–5.177). The 2018 Act adopts a comprehensive range of such exemptions in the UK, partly carried over or developed from those in the previous Act; with new additions. The exemptions are examined in detail in Chapter 9 below. The exemptions in the DPA 1998 were complicated, poorly understood, and often incorrectly applied. In practice, personal data have almost certainly been withheld from individuals when the information should have been disclosed to them; although on other occasions exemptions could doubtless properly have been claimed for information which was released. The exemptions under the new Act are still complicated, but somewhat less obscure, and offer an opportunity to apply them more clearly and consistently.

2.5 As well as exemptions, and special category processing, however, the DPA 2018 does several things in relation to the GDPR and UK law:

• In the period before Brexit when the GDPR has applied as a piece of EU law, the Act has altered its provisions in a UK context, within the discretion allowed to member states under the Regulation itself.
• The Act has prepared the ground for specifically UK rules to apply after Brexit, which are altered further, beyond the discretion in the GDPR. It alters the language of the GDPR to a degree, and applies a UK jurisdiction.
• The Act extends a regime, based on the GDPR, to processing of information about identifiable individuals which is (and always was) outside EU jurisdiction. Because the DPA 1998 was a domestic measure implementing a European one, it was not well-understood that it expanded the scope of data protection law in the UK beyond those areas of EU competence, to apply to areas of activity to which the Data Protection Directive did not apply. Before Brexit, the DPA 2018 also transposes the Law Enforcement Directive⁹ into UK law, and extends it, in Part 3 of the Act; hiving-off criminal and sentencing personal data into a separate regime (see Section F). It extends a separate data protection regime, moreover, to the security services in Part 4.

2.6 Before the enactment of the present Act, the Government said that, after Brexit, it intended to unite the existing data protection measures into a single overall statute; merging the GDPR, the DPA 2018, and Regulations made under the latter. In the Explanatory Notes to the Data Protection Bill (but not repeated in the Explanatory Notes to the eventual Act), the government said:

‘When the UK leaves the EU there will no longer be a distinction between general data inside and outside the scope of Union law. The Government’s intention is that GDPR standards will continue to apply to data processing within the scope of Part 2. When the GDPR is brought within the UK’s domestic law, using the powers in the European Union (Withdrawal) Bill the Government expects to make provision to enable a single domestic legal basis to apply the GDPR data processing standards.’ (paragraph 35)

2.7 As explained in para 2.3 above, the DPPEC Regulations, made under the European Union (Withdrawal) Act 2018, were approved in February 2019 and have effect from the date of the UK’s exit from the EU¹⁰. Before Brexit, the GDPR (as amended by the DPA 2018) and Parts 1 and 2 (in particular) of the DPA have applied jointly to most ‘processing’ of personal data in the UK which does not fall within processing by statutory agencies for crime-fighting purposes (covered by Part 3), or by the security and intelligence services (covered by Part 4). After Brexit, the GDPR (renamed the ‘UK GDPR’) and the DPA 2018, both as amended by the DPPEC Regulations, are to apply; albeit still as two measures to be applied in parallel. (The DPPEC Regulations strengthen the links between them, including by increased cross-references). Notwithstanding the creation of an apparently free-standing UK regime, in the form of the ‘UK GDPR’ and the DPA 2018 as amended, it also appears very likely that the UK rules will remain closely aligned with those of the EU for the foreseeable future. The main changes in the DPPEC Regulations are outlined below. The remainder of this Chapter summarises the pre- and post-Brexit positions in the alternative. In Part 1 as a whole of this book (covering data protection), the main amendments made by the DPPEC Regulations are indicated where they are relevant, alongside the pre-Brexit position; but the text should be read in the light of the timing of, or any developments subsequent to the date of writing in relation to, the UK’s withdrawal from its membership of the EU.

2.8 Most practitioners, if they are not advising an organisation dealing with crime or criminal justice, or the intelligence services, will be concerned very largely with Parts 1 and 2 of the DPA 2018, and the Schedules accompanying them (ie ss 1–28, and Schs 1–6). These provisions, and particularly Schs 1–4, contain many important amendments and additions to the GDPR in a UK context, with which practitioners will need to be familiar:

— Schedule 1 adds a significant number of lawful bases on which to process special category data to those in Article 9 of the GDPR; or interprets them.
— Schedules 2–4 set out the many exemptions of different types to the GDPR.

2.9 At the time of writing, the Commissioner’s guidance ‘An introduction to the Data Protection Bill’ awaited updating in the light of the passing of the Act.

⁹ Directive (EU) 2016/680.
¹⁰ The government said in December 2018 that it would use those powers, in the event of the UK leaving the European Union without a withdrawal agreement, to make provision for continued cross-border flows of personal data from the UK – see paras 11.36 and 2.33(b).

Background to the Act

2.10 The GDPR, although having direct effect in the law of each member state since 25 May 2018, left many issues and areas of law to be determined by those states in their own legislation. The DPA 2018 performs that role in the UK. As a result, the two have to be read together to understand the law in the UK. Even then, they do not form all of the sources of the UK’s data protection law derived from, or associated with the GDPR. Before Brexit, the Act uses the term ‘data protection legislation’ to refer to any part of UK data protection law derived from any of the following (section 3(9)):

• The GDPR;
• The ‘applied GDPR’ (see para 2.23);
• The 2018 Act;
• Regulations made under the 2018 Act; and
• Regulations made under s 2(2) of the European Communities Act 1972 relating to either the GDPR (in its original form) or the Law Enforcement Directive.

After Brexit, the distinction between the ‘GDPR’ and the ‘applied GDPR’ disappears, to produce the ‘UK GDPR’ (see para 2.33(a) below).

2.11 The main ‘gaps’ in the GDPR, which the Act fills, are—

• Modifications to certain definitions in the GDPR;
• The lawful bases for processing special category personal data in the UK;
• Exemptions from the GDPR in the UK;
• The age of consent of children to processing for internet society services;
• Modifications to the rights of individuals (arising from the exemptions);
• The scope and application of public interest processing.

2.12 As well as filling in the intentional ‘gaps’ in the GDPR, the Act extends the range of data protection rules into areas not covered by EU law.

Law Enforcement processing

2.13 The Act implements, and extends the application of, the Law Enforcement Directive (‘LED’), which applies to the processing of data about criminal matters, where conducted by one or more ‘competent authorities’ (defined in Sch 7 of the Act; essentially bodies concerned with policing and crime, or prosecutions and criminal justice; or, in s 30(1)(b), other legal persons, to the extent of any statutory functions for law enforcement purposes). This applies a system of rules which in different respects both resembles the former data protection regime and the GDPR. The LED in fact applies only to cross-border processing of personal data for law enforcement purposes. Part 3 of the Act applies to all domestic law enforcement processing. DPA 2018, Sch 8, sets out conditions for ‘sensitive processing’ under Part 3. A summary is given in Chapter 17 below, although it is beyond the scope of this work to analyse these in the same degree of detail as the GDPR.

Article 10 processing: criminal data

2.14 The GDPR also provides in Article 10, for the processing of personal data on criminal matters by bodies that are not ‘competent authorities’, but which may hold or need from time to time to handle data concerning criminal matters (eg a data controller passing personal data about a member of its staff to the police, at their request, in connection with a criminal investigation). This is then given practical effect in DPA 2018, s 10(4) and (5), and s 11(2); together with Sch 1, Parts 1–3. (See Chapter 17).

Intelligence Services

2.15 The Act provides for a specific regime covering data processing by the intelligence services; according those services a separate regulatory regime for the first time in Part 4. This is based on standards in the modernised Convention 108 of the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. The provisions of Part 4 are beyond the scope of this work.

Information Commissioner and enforcement

2.16 The Act also sets out the enhanced role and functions of the Information Commissioner (Part 5), and a revised enforcement regime consistent with the GDPR (Part 6). The enforcement regime is summarised in Chapter 16 below. New or expanded functions include: the encouragement of the drawing-up of Codes of Conduct relating to how the GDPR is to be applied¹¹; the accreditation of industry or sector-related bodies to monitor compliance with such codes¹²; or, the encouragement of the establishment of data protection certification mechanisms, and of seals and marks, for the purpose of demonstrating compliance¹³. The European Commission published a study on certification mechanisms under the GDPR¹⁴.

THE GDPR AND THE ACT

2.17 As indicated, the distinction between processing falling under, or outside, the GDPR arises because the Regulation applies only to those areas of public policy for which the EU has (or had, in the UK before Brexit) ‘competence’, or jurisdiction and a power to act. The 1995 Directive excluded areas such as public and state security; defence; the country’s economic well-being when relating to state security; and, the activities of the state in areas of criminal law¹⁵.

2.18 The DPA 1998, however, transposed the rules in the Directive, and applied them more generally to most of the rest of the data processing carried out in the UK. Thus, if the GDPR had simply been given direct effect in the UK, without any extension to activities outside the EU’s competence, it would not have applied to significant areas of the processing undertaken in the UK; and thereby narrowed the scope of data protection. It had, therefore, to be extended to apply to the wider range of processing outside EU competence. This in turn, and the complications added by Brexit at a later date, have occasioned the Act’s rather complex provisions as to its interrelationship with the Regulation.

2.19 Pre-Brexit, the Act contains four separate data protection regimes, covering:

– Activity which is within the scope of the GDPR;
– Activity which is outside the scope of the GDPR (but which the Act brings within its version of the GDPR’s rules – see paras 2.22–2.25 below);
– Activity undertaken by ‘competent authorities’ for law enforcement purposes;
– Activity undertaken by the security and intelligence services.

¹¹ GDPR, Article 40(1).
¹² GDPR, Article 41(1).
¹³ GDPR, Article 42(1).
¹⁴ ‘Data Protection Certification Mechanisms: Study on Articles 42 and 43 of the Regulation (EU) 2016/679’, Final Report (completed February 2019).
¹⁵ Former Directive 95/46/EC, Article 3.

Post-Brexit, the first two of these categories are merged (see para 2.33(a) below).

STRUCTURE AND MAIN PROVISIONS OF THE ACT

2.20 After an overview and key terms in ss 1–3 (Part 1), the most important provisions for general processing are in Part 2. Before Brexit, the main provisions are split into two key Chapters: Chapter 2, covering processing to which the GDPR applies; and, Chapter 3, which extends those rules to processing to which the GDPR does not apply. The significance of Chapter 3 changes after Brexit (see paras 2.26 and 2.33(a) below).

Part 2, Chapter 2

2.21 Chapter 2 (ss 6–20 and Schs 1–4) supplements the GDPR and has to be read with it. Pre-Brexit, the chapter addresses the areas of the GDPR left for member states to implement and develop. Terms used in Chapter 2 have the same meaning as in the GDPR, unless they are modified in the chapter (in which case the Chapter 2 version applies). The key provisions in Chapter 2 are:

• Section 8: the meaning of the lawful basis for processing by the public sector, or in the public interest, in Article 6.1(e) (see para 5.27ff below);
• Section 10 and Sch 1: the lawful bases for processing special category data (see paras 5.86ff);
• Section 15 and Schs 2–4: exemptions from data processing requirements (see Chapter 9);
• Section 19: the meaning of safeguards on processing for research, statistical or archiving purposes (see paras 9.102–9.113 below).

The main change introduced by the DPPEC Regulations, apart from removing the distinction with the ‘applied GDPR’ in DPA 2018, s 4 (see paras 2.22–2.25 below), is the insertion of ss 17A–17C into the Act, dealing with regulations for cross-border transfers of personal data (see para 2.33(b) and Chapter 11 below).

Part 2, Chapter 3

2.22 The pre-Brexit position is that Chapter 3 (ss 21–28, and Schs 6–7) applies to processing to which the GDPR does not apply; because either the activity falls outside the scope of EU law, is manual unstructured data (see paras 3.36–3.37), or falls within the EU common foreign and security policy (to which the GDPR also does not apply¹⁶). Chapter 3 does not apply, moreover, to processing by a competent authority for law enforcement purposes under Part 3, or processing by the intelligence services.

¹⁶ GDPR, Article 2(2)(b), and Recital 16.

2.23 The chapter applies the GDPR to the processing of these wider categories of personal data to which it (the chapter) applies, but as though its Articles were part of a UK Act¹⁷; and with modifications. The resulting regime is described as ‘broadly equivalent’ to the GDPR¹⁸. The application of the GDPR by Chapter 3 in this way, to the processing to which the chapter applies, is called (before Brexit) ‘the applied GDPR’¹⁹.

2.24 Provision made in Chapter 2 applies (before Brexit) to the ‘applied GDPR’²⁰. (Examples include the additional lawful bases, and the exemptions). The rules in Chapter 2, in the form applied by Chapter 3, are called, perhaps confusingly, the ‘applied Chapter 2’²¹.

2.25 Schedule 6 then modifies the (pre-Brexit) GDPR as it applies to processing to which Chapter 3 applies; and amends Chapter 2 as it applies to Chapter 3 (ie the ‘applied Chapter 2’)²². Some of the changes merely alter language to make better sense in a UK context (eg ‘UK’ for ‘member state’; or ‘Information Commissioner’ for ‘supervisory authority’). Others are more significant (eg an additional power to adapt the ‘legal obligation’ or ‘public task’ lawful bases by domestic regulations, in Schedule 6, para 10)²³. Care is needed before Brexit in handling personal data to which Chapter 3 applies, to take account of changes made either in the chapter or by Sch 6.

2.26 After Brexit, the distinctions between the ‘GDPR’ and the ‘applied GDPR’ are removed, and the two categories are replaced by the ‘UK GDPR’ (see para 2.33(a)). Schedule 6 is repealed. Article 2 of the GDPR (on material scope) is rewritten to include (rather than exclude) the types of processing which were previously outside the GDPR. The ‘applied GDPR’ is removed from the terms defined in DPA 2018, s 3; and Chapter 2 of Part 2 of the Act is applied to the ‘UK GDPR’ as a whole. Part 2, Chapter 3, is radically revised by the removal of the separate regime for the ‘applied GDPR’ (in ss 21–23), leaving it to contain definitions of manual unstructured data (ss 24–25) and of national security and defence (s 26)²⁴.

National security and defence

2.27 There are wide exemptions in ss 26–28 for processing under the ‘applied GDPR’ for the purposes of national security or defence (for example, from the need for a lawful basis for the processing). These exemptions are applied, after Brexit, to GDPR processing as a whole.

¹⁷ DPA 2018, s 22(1).
¹⁸ DPA 2018, ss 1(3) and 4(3)(b).
¹⁹ DPA 2018, s 3(11). (Emphasis added).
²⁰ DPA 2018, s 22(2).
²¹ DPA 2018, s 22(3). (Emphasis added).
²² DPA 2018, s 22(4) (pre-Brexit only).
²³ The legal obligation basis (GDPR, Article 6(1)(c)) and the ‘public task’ basis (GDPR, Article 6(1)(e)). See also power in DPA 2018, s 16(1)(a).
²⁴ DPPEC Regulations, Sch 1, para 4; and Sch 2, paras 4(3)(b) and 4(6), 4(7)(b) and 4(7)(c), 6, and 29–31.

ICO and enforcement

2.28 Part 5 sets out the general functions and powers of the Information Commissioner. These include the operation of the ICO’s office (Sch 12), her general functions (Sch 13), and co-operation and mutual assistance with other supervisory authorities (Sch 14).

2.29 The enforcement regime for the Act is set out in Part 6. Schedule 15 covers powers of entry and inspection. Schedule 16 includes the previous range of powers; enhanced by the greatly-increased financial penalties in the GDPR. Section 178 and Sch 17 oblige the ICO to review the processing of personal data in the context of journalism.

2.30 In Part 7, Sch 18 contains definitions relevant to health records, conviction records, and records relating to statutory functions. Schedule 20 deals with transitional provisions.

RECITALS TO THE GDPR

2.31 It is helpful to understand the place of ‘Recitals’ in the structure of the GDPR. These have no equivalent in a UK statute. A UK Act of Parliament has ‘sections’ (grouped into ‘Chapters’ and ‘Parts’) all of which represent the law. Nothing in a UK Act describes its purposes: these have to be deduced from the wording of the statute. While the sponsoring government department will publish ‘Explanatory Notes’ when a Bill appears, and then revise them when the Act is passed, these only accompany the legislative document, and provide a brief commentary. They often describe an Act more in terms of its process than content, and have little to say about its purposes. Indeed, all too often they merely repeat in summary what the text says, rather than giving an explanation. While they may on occasion assist as to how an Act works, they do not describe why it is written in a given manner, nor what it is intended to do. In contrast, a European Regulation, for example, has ‘Articles’ (equivalent to the ‘sections’ of a UK Act), constituting the law as enacted. It also has ‘Recitals’, which precede the Articles. These describe the purposes of the law and what it is intended to achieve; often giving examples. They are not in themselves law (in an EU context), but they are persuasive. They are also very useful, because they give more detail about the intended purpose; particularly since European law is designed to be interpreted ‘purposively’ – ie, in line with its purpose. The description of the purposes thus sets out the direction in which the law is meant to be interpreted; and may also indicate, at least broadly, its limits. The courts (including in the UK) have increasingly looked to Recitals to assist in interpreting European legislation, and they will remain relevant to previously-decided cases; as well as helpful to understanding in the context of the UK GDPR (if introduced), notwithstanding Brexit.

2.32 At a practical level, however, it can be difficult to make the best use of the Recitals, because a Regulation or other European measure does not clearly link the relevant Recitals and Articles to each other (although they do follow broadly the same order in the document). The best approach to understanding the GDPR is, therefore, to read through the relevant Recitals first, in order to gain a general familiarity with them; and then to develop a closer knowledge of the ones that seem to be most important to the area concerned. This book contains a suggested correlation table between Recitals and Articles (see Appendix 2). It should be stressed, however, that this is neither official nor exclusive; any Recital may have relevance to any Article, depending on the context. In addition, and frustratingly for UK readers used to referring to Acts of Parliament, the GDPR also contains no contents page listing the Articles and Recitals. Again, a suggested (and necessarily unofficial) list of its contents is included as Appendix 1.

THE DPPEC REGULATIONS 2019

2.33 Post-Brexit, the DPPEC Regulations alter the GDPR and the Data Protection Act 2018; the result being the ‘UK GDPR’. The regulations also make a significant number of amendments to the 2018 Act. They do not, it may be noted, merge the GDPR and the Act; as might have been expected when the government said at the outset of the Parliamentary passage of the then Data Protection Bill that it expected after Brexit to produce a ‘single domestic legal basis’ to apply the standards in the GDPR (see para 2.6). Practitioners will continue to need to cross-refer between the two legislative measures (a nuisance and liable to be confusing; although some amendments to both provisions make this a little easier – see (j) below). The regulations do unite two elements of the pre-Brexit regime; but those are the GDPR itself, and its extension in UK law (the ‘applied GDPR’), created by the DPA 2018. From this, it will be appreciated that the operative date, in relation to the coming into effect of the amended versions of the GDPR and the DPA 2018 (in order to reflect Brexit) is the formal date of the UK’s departure from the EU (assuming it occurs); not the length of any transition or ‘implementation’ period which might follow that departure. This is the case notwithstanding that, in many other fields than data protection, EU law would continue to apply, on a ‘standstill’ basis, from the date of Brexit until the end of the transition period. (NB. The only exceptions to this pattern in these regulations are: a) amendments to the Privacy and Electronic Communications (EC Directive) Regulations 2003 [25] (‘PECR’), to align its definition of consent with that in the GDPR; and, b) two corrections to the DPA 2018, in DPPEC Regulations, Sch 4. Both had effect from 29 March 2019).

In relation to previous EU case law, or general principles of EU law, these are retained in certain circumstances; but have no application to processing, after Brexit, of personal data which fell within the ‘applied GDPR’ before the Brexit date; unless those cases or principles were also relevant to such processing before Brexit. In practice, therefore, new and unrelated developments after Brexit, in case law or the general principles of EU law, will not affect such applied GDPR processing. (See DPPEC Regulations, reg 5; and also the explanation, in the context of the EIR, of retained EU law and EU case law, in para 18.9).

25 SI 2003/2426.


The majority of the provisions in the regulations are contained in two Schedules, amending the GDPR (Sch 1) and the DPA 2018 (Sch 2) respectively. The latter includes a new Schedule, inserted into the DPA 2018 as Sch 21, containing transitional provisions for the period immediately after Brexit. Part 3 deals with cross-border transfers of personal data until replacement decisions take effect (see sub-para (b) below as to the transitional provisions; and Chapter 11 as to the permanent rules for cross-border transfers). The principal changes, post-Brexit, are:

(a) Uniting the UK’s two previous GDPR regimes, by removing the distinction between the GDPR (applying to most processing from 25 May 2018) and the ‘applied GDPR’ (introduced by the DPA 2018, s 3(11) and applied by Part 2, Chapter 3; see paras 2.10 and 2.23); and replacing them with the ‘UK GDPR’. Pre-Brexit, the ‘applied GDPR’ has applied to areas outside the EU’s competence, such as: national security; processing under the common foreign and security policy; or, manual unstructured personal data (see paras 2.22–2.26). Instead, the DPPEC regulations provide for a single regime for all general data processing activities [26]. The exemption under the applied GDPR relating to defence and national security (DPA 2018, s 26) applies under the ‘UK GDPR’ to processing as a whole in the UK;

(b) Dealing, but only partially, and initially on a transitional basis, with the future of cross-border transfers of personal data. The Regulations pass to the Secretary of State the functions previously held by the European Commission in relation to making ‘adequacy decisions’, which permit the unrestricted transfer of personal data to approved ‘third countries’ (or a sector or territory within such a country); and make transitional provision for such transfers from the UK from exit day [27]. The transitional provisions on adequacy (effectively continuing the previous, pre-Brexit, decisions) may be replaced by ‘adequacy regulations’ made by the Secretary of State. The Regulations also provide for the issuing of standard contractual clauses on data transfers, the approval of Binding Corporate Rules, or, the notification to the ICO of one-off derogations to enable transfers to occur in specific situations [28]. The Secretary of State may make regulations as to standard data protection clauses; while the Information Commissioner is empowered to do the same (or to approve one-off clauses or administrative arrangements), to approve Binding Corporate Rules, or to support Codes or certification. (See Chapter 11 generally).

– Transitional provisions from the moment of Brexit underpin data transfers from the UK to other countries in the European Economic Area (‘EEA’), other ‘safe countries’ (or territories or sectors within them) previously designated by the EU Commission, European institutions, international organisations previously designated as adequate, or Gibraltar. The regulation deems UK ‘adequacy regulations’ to apply where the EU Commission has previously so decided. They do not cover, however, transfers to the UK on the basis of adequacy from EEA/EU countries (ie that the UK’s own rules meet the requirements of adequacy), since this is necessarily a matter for decision by the EU after Brexit. The transitional provisions on cross-border transfers are inserted as Sch 21, paras 4–6, to the DPA 2018 (renumbered as Sch 21, paras 6–8 after Brexit by the regulations referred to below).

– Further regulations (the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) No. 2 Regulations 2019 [29], the ‘DPPEC No 2’ Regulations, amending the first such Regulations) likewise deem to fall within the ‘adequacy regulations’ those transfers from the UK to transferees whose privacy policy includes a commitment to comply with the Privacy Shield Principles agreed by the EU Commission before Brexit (DPPEC No 2 Regulations, reg 2). This is obviously of importance to controllers exporting personal data from the UK to US companies; which would otherwise fall outside the UK regime after Brexit;

(c) Making provision on a similar pattern for personal data transferred to third countries for law enforcement purposes (DPA 2018, Sch 21, paras 10–12; see paras 17.21–17.24);

(d) Extending the extra-territorial application of the ‘UK GDPR’ to controllers based outside the UK, which are processing in order to offer goods and services to individuals in the UK, or to monitor their behaviour (otherwise than where the personal data have fallen before Brexit under the ‘applied GDPR’) (GDPR, Art 3(2) as amended, and 3(2A) as inserted) [30]. See para 3.67;

(e) Removing access for controllers in the UK to the ‘one-stop shop’ for reporting and investigating data protection infringements and data breaches to a single supervisory authority at European level; together with most of the processes for co-operation between the ICO and other such supervisory authorities under the GDPR (eg removing Chapter VII, sections 1–2 of the GDPR). (See para 15.12);

(f) Preserving Article 50 of the GDPR, in UK law, notwithstanding sub-para (e) above, in order to allow a common basis for EU supervisory authorities and the UK Commissioner to develop international co-operation mechanisms (DPA 2018, s 118(5), and Sch 14, Part 2; relating to Article 13 of the Data Protection Convention). At the same time, the right of the ICO to sit on the European Data Protection Board, or ‘EDPB’, is removed [31];

26 DPPEC Regulations, Sch 2, paras 2, 4–7, 29–31, and 96 and 102 (applying transitional provisions in DPA 2018, Sch 21: see Pts 2 and 4).
27 DPPEC Regulations, Sch 2, para 23, paras 41–42 (on law enforcement processing), and para 102 (inserting DPA 2018, Sch 21, on transitional provision; including Part 3 on data transfers).
28 DPPEC Regulations, Sch 1, paras 39–40; and Sch 1, para 42, respectively.
29 SI 2019/485.
30 DPPEC Regulations, Sch 1, para 5; and, Sch 2, para 87.
31 DPPEC Regulations, Sch 1, paras 43 and 55 (re Pt 2); and, Sch 2, para 97 (re Pt 3).


(g) Passing functions, such as encouraging the certification of data processing systems, from the European Commission to the ICO;

(h) Inserting cross-references between the GDPR and the DPA 2018 to align their drafting more clearly (eg inserting references into Articles 9 and 10 of the GDPR, dealing respectively with lawful bases for processing special category data, and with processing of data relating to criminal convictions and offences, which draw attention to linked provision in sections 10, 11 and 19 of the DPA 2018) (eg see paras 5.113, or 17.27); and

(i) Making many minor and consequential amendments to the Act to replace references to the ‘GDPR’ with the ‘UK GDPR’, and to remove references to the ‘applied GDPR’; and to align the language of the GDPR and Act with a post-Brexit context.

In one or two instances, for reasons that are unclear, powers granted to the UK are removed; rather than transferred into the domestic provisions. An example is a power before Brexit to introduce further conditions applying to the processing of genetic, biometric or health data, which is repealed after Brexit [32].

As noted above, the DPPEC regulations (reg 8) amend the Privacy and Electronic Communications Regulations 2003 (the ‘PECR regulations’), with effect from 29 March 2019, so that the definition of consent in the PECR is brought into line with the more specific conditions defined in the GDPR (see para 12.6).

So-called ‘Keeling Schedules’ are texts of the GDPR and DPA 2018, into which the relevant changes and amendments have been inserted and highlighted; which makes their impact much clearer. Both are available online – see Appendix 3.

32 DPPEC Regulations, Sch 1, para 9(10).


CHAPTER 3

Definitions in the GDPR and Territorial Scope

DEFINITIONS

Meaning of ‘personal data’

3.1 Personal data means any recorded information ‘relating to’ an ‘identified or identifiable’ living individual (or ‘data subject’) [1]. An identifiable living individual means a living individual ‘who can be identified, directly or indirectly, in particular by reference to: (a) an identifier such as a name, an identification number, location data, or an online identifier, or (b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual’ [2].

3.2 This definition has a number of elements, which need to be considered separately:

• There are (as before) two tests as to whether a piece of recorded information is personal data. Both have to be met:
— whether a living individual is ‘identified or identifiable’ from that information, either alone or in combination with other information; and
— whether the information relates to that living individual.

1 The UK uses the term ‘living individual’, which has the same meaning as ‘natural person’ (DPA 2018, s 3(2)). The GDPR does not apply to the personal data of deceased persons (see also Recital 27); although much of the information may also be the personal data of surviving relatives. The living individual to whom the personal data relate is the ‘data subject’ (DPA 2018, s 3(5)).
2 DPA 2018, s 3(3). See also Article 4(1), and Recitals 26 and 28–9 of the GDPR.

Meaning of identification

3.3 A person is ‘identified or identifiable’ from personal data if the content of the data in some way distinguishes or sets them apart from other people. It is far broader than merely ‘biographical’ information about their name, date of birth, education, employment etc (although it will also include those types of facts about them). It does not need to record something unique to that person, even within a small group; but merely something which marks them out from others, ascribes them to a category, or tells you something about them; especially if that feature differs from the description of others. Identifying someone ‘directly’ means doing so from the information in question (which may be only a part of what the controller holds about them). Identifying them ‘indirectly’ means doing so from a combination of the information in question and other information available. The following examples of recorded information would be likely to ‘identify’ the persons to whom they refer:

• The address given by an internet service provider (ISP) to a person’s laptop. This information would identify the individual user directly – as the holder of that address – without recourse to other information. It would also be possible for the ISP to identify the individual indirectly, by name or some other identity, by looking at the record of who held that ISP address.

Example: indirect identification

Consider the following written statements. Assuming that the other information about those individuals was also held, the statements would ‘identify’ them indirectly:

• ‘Our highest-performing student in that year came from Hong Kong’ [identifying the home country of that student. His or her identity can be established by comparing the statement with the list of grades attained by students in that year].

• ‘Three of the fifteen qualified mechanics in our workshop are female’ [The identities of those who are female can be established by comparing this statement with the list of employees].

3.4 In the UK, under the former Data Protection Act 1998 (‘DPA 1998’), the only information which could be referred to indirectly in this way was information which was in the ‘possession’ of the data controller (or likely to come into their possession). This limitation was in fact at variance with the 1995 Directive, which made no such distinction [3]. It ignored the situation where other information about the data subject was in the public domain (eg via the press), or known to third parties; as opposed to being held by the data controller. The DPA’s approach caused recurrent confusion in this country, when (for example) a controller had to decide whether it would be fair to release information publicly about an individual, which might be damaging to them if combined with other information that might be available in the public domain. The courts had to get round the problem by elaborate formulations in cases such as those referred to below [4]. The GDPR has meant the removal of this unfortunate distinction from the UK’s law, with the Data Protection Act 2018 (‘DPA 2018’) following suit, so that the UK now conforms to the European rules as they were previously intended to apply. The additional information which could lead to an indirect identification may potentially exist in any place or form where it is accessible to another person. The information does not need to be in the public domain.

Example: indirect identification

The ‘National Statistics Authority’ publishes an annual collection of interesting statistics. This year it has compiled a list of children who have passed musical instrument examinations years earlier than usual. The numbers passing the final grade (Grade 8) in each instrument are very small, even across the country. Those children will be identifiable, even if only to their families and friends in their local areas; or from any local publicity about them, such as press reports or school newsletters. If the statistics are to be published, therefore, the Authority needs to bear in mind that they meet the first test for constituting personal data; namely, that the individuals concerned are identifiable from the information (indirectly in this case).

3.5 Recital 26 states that in determining whether an individual is identifiable, account should be taken of ‘all the means reasonably likely to be used’ to identify a person, either by the controller or by another person [5]. All ‘objective factors’ should be taken into account, such as the ‘costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and [later] technological developments’. In other words, not every theoretical means of identification should be taken into account; but it is right to assess what information is realistically available; which, if it were combined with the information in question, would identify the person. If such information exists, the information in question is likely to be regarded as identifying the person. Underlining the intended breadth of the scope, the ICO advises that the controller should consider all the means likely to be available to a determined searcher (eg an investigative journalist, or an estranged partner) who has a particular reason to want to identify an individual. As technological search capabilities become more sophisticated, and the information available online about individuals multiplies, it seems likely that the threshold for meeting the test of identifiability will continue to fall.

3 See Directive 1995/46/EC, Article 2(a).
4 Common Services Agency v Scottish Information Commissioner [2008] UKHL 47, paras 25–27; Department of Health v ICO [2011] EWHC 1430 (Admin), paras 46–56.
5 Recital 26 of the 1995 Directive referred to ‘all the means likely reasonably to be used’ (ie inverting the word order of ‘likely’ and ‘reasonably’; which is arguably similar, but not identical, in meaning). Whatever the precise meaning, it was omitted from the DPA 1998; although helpfully referred to in the Dept of Health case (see preceding footnote), which took a practical approach to the problem created by the drafting.


• ‘Identifiers’: as indicated above, an identifier includes a ‘name, an identification number, location data, or an online identifier’ [6]. The list is not exhaustive, and these are only examples. While identification numbers featured in the previous Directive (and can be expected to increase with the greater use of ‘pseudonymisation’ [7]), ‘location data’ and ‘online identifiers’, such as Internet Protocol (‘IP’) addresses (of computer devices owned by individuals) or those which enable the profiling of individuals from their use of websites, bring the language into the 21st century; and reflect the rapid advances in technology since the DPA 1998.

• ‘Factors’: these are more personal ways of identifying a person [8]. The majority were present in the previous Directive (although again not referred to in the DPA 1998), namely those concerning a person’s identity in:
– ‘physical’ terms (eg their appearance, or health);
– ‘physiological’ terms (eg organisms in their body);
– ‘mental’ terms (eg their intellectual capacity; or mental health);
– ‘economic’ terms (eg their employment, or standard of living);
– ‘cultural’ terms (eg their ethnic or national background); or
– ‘social’ terms (eg their class, or their family background).
Some of these factors are likely to overlap.

3.6 To this list, the GDPR adds:
– ‘genetic’ factors (eg a person’s DNA) [9]; and
– a further type, ‘biometric’ data, which is introduced in Article 9 (see para 3.12 below).

Meaning of ‘relating to’

3.7 The second part of the test of personal data is that the information has to relate to the living individual. The information will not be the personal data of an individual if, while it enables them to be identified, it is not in some sense about them.

6 DPA 2018, s 3(3)(a); derived from Article 4(1) of the GDPR.
7 See para 3.34.
8 DPA 2018, s 3(3)(b).
9 GDPR, Article 4(13): personal data relating to a person’s ‘inherited or acquired genetic characteristics’ which give unique information about their physiology or health, and which result in particular from an analysis of a biological sample from them. Recital 34 refers to analysis from chromosomal, deoxyribonucleic acid (DNA), or ribonucleic acid (RNA); or from an element enabling ‘equivalent information to be obtained’.


Example:

William is aged 92. He is housebound, and lives in a 12th floor flat in the northern part of Notown. There are only three male housebound users of the council’s home care service who are aged over 90 in that area. Before the council’s home care service was reduced last year, his carer called every day; now she calls only twice a week. Although the information (in a council report) in the first extract below describes something which affects William as one of the users of the service, it is a statement about the service in general, rather than specifically about William. He would probably be identifiable from this description, at least to his family, as well as to the council itself and individual staff, but the information does not relate to him, because it is not about him, as opposed to being about the service; and so is not his personal data:

‘There are about 250 users of Notown’s carers’ service in the northern area of the authority, for whom the service has been reduced. This includes housebound users in high-rise flats in the most elderly age-group (90 upwards), and the council needs to pay especial attention to their needs.’

Contrast this with:

‘William’s service has been reduced to twice a week, along with most of the other 250 users in the northern area of the authority’.

The second statement relates to William, and the reduction in service that he has suffered; while also conveying that the service in general has been reduced, and how many others have been affected. The second statement is, therefore, William’s personal data.

3.8 With that caveat, the Information Commissioner has long advised in the UK that there are many ways in which information can relate to an individual, and that a broad approach should be adopted [10]. Her current guidance can be seen as grouping the likely factors into three categories: the content of the information; the purpose of the processing; or, whether there is likely to be an impact on the individual. The factors underlying these groupings are as follows. Information is likely to relate to an individual if it:

• is obviously about them;
• is linked to them;
• is being processed to inform or influence actions or decisions affecting them;
• is of biographical significance about them;
• focuses or concentrates on that individual; or
• has the potential to have an impact on that individual.

Six ways of ‘relating to’ an individual

1. Beryl’s medical record is ‘obviously about’ her.

2. Fred is in a post for which the salary band is £20–£25,000 pa. When the salary information is ‘linked’ to his post, it relates to him.

3. Gina has made a complaint, which has been investigated and will be considered at a meeting this afternoon. As well as her original complaint, the papers which will be used at the meeting to ‘inform or influence’ the decision relate to her.

4. Indira works in Human Resources. The record of her attendance at the meeting in example (3) above is ‘biographical’ about her (in a minor, but sufficient, way), since it records what she was doing at that time.

5. The record that the Human Resources department attended 72 meetings last year about complaints (such as the one in example (3)) is not Indira’s personal data, even though she was one of the HR staff whose attendances contributed to the total, because it does not ‘focus’ on her. In contrast, the record at (4) focusses on her attendance specifically.

6. A record of the fuel consumption of two identical delivery vans, which were recently purchased by Getit There Deliveries Ltd, shows that Stan used more fuel for the equivalent distance than Frieda. As a result, the manager asks Stan to drive more carefully; and indicates that he will be watching the fuel costs of his van to ensure that they are not excessive. The record of the fuel consumption has had an ‘impact’ on Stan (influencing him to drive more carefully), and that information relates to him.

3.9 As these examples show, information can often ‘relate to’ an identifiable individual, and thus become personal data about that person, where there is a dynamic relationship between a set of circumstances and the individual, which the information describes; or, because of the effect on that person, described in the information.

10 See ‘Determining what is Personal Data’, ICO, version 1.1, pp 9–23. Shortly before publication it appeared that the guidance was no longer listed on the ICO’s website. It remained available via this link: https://ico.org.uk/media/for-organisations/documents/1554/determining-what-is-personal-data.pdf

‘Special category’ (formerly ‘sensitive’) personal data

3.10 The DPA 1998 contained a category of what in the UK were called ‘sensitive’ personal data which required to be given additional protection. The term now adopted in the UK, ‘special categories’ of personal data, was in the 1995 Directive [11]. It reappears in Article 9.1 of the GDPR, with some changes of scope, and has been adopted with minor variations in the UK legislation [12].

3.11 ‘Special category’ personal data are either:

• data revealing:
– racial or ethnic origin;
– political opinions;
– religious or philosophical beliefs; or
– trade union membership;

or data of the following types:

• genetic data;
• biometric data for the purpose of uniquely identifying a person;
• data concerning health;
• data concerning a living individual’s sex life or sexual orientation [13].

3.12 The terms ‘genetic’ and ‘biometric’ data have been added to the category, as compared with the previous list of ‘sensitive data’ [14]. Personal data consisting of information as to the commission or alleged commission by a person of an offence, or as to any proceedings for an offence, or their outcome (‘disposal’) or any resulting sentence, have been omitted from the definition of special category data and now fall under the Law Enforcement directive (see Chapter 17 below).

3.13 The starting point for the processing of special category data is that it is formally prohibited; although a significant number of exemptions then permit processing where the circumstances apply that are described in the exemption. It is, therefore, vital to be clear as to the basis on which such data are being processed. The UK legislation adds to the list of exemptions in the GDPR (as permitted by the Regulation) in DPA 2018, s 10 and Sch 1, Pts 1–2 [15]. The grounds or lawful bases of processing in the UK are set out at Chapter 5 below.

11 Directive 95/46/EC, Article 8. The term is shortened in this work to ‘special category’ personal data.
12 See DPA 2018, ss 10, 11 and Sch 1.
13 GDPR, Article 9(1).
14 In the former DPA 1998, s 2.
15 For processing to which the GDPR applies. See paras 17.26–17.28 below in relation to processing of personal data on criminal matters by controllers which are not ‘competent authorities’ under DPA 2018, Part 3. These controllers may use the same lawful bases in DPA 2018, Sch 1, Pts 1–2, as apply to special category processing, with the addition of those in Sch 1, Pt 3.

Processing

3.14 ‘Processing’ means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means. This can include: collecting, recording, organising, structuring, storing, adapting or altering data. It also encompasses the retrieval, consultation, use, disclosure, alignment (ie with other data); or, combination, restriction, erasure or destruction of the data. Disclosure includes transmitting or disseminating the data, or otherwise making the data available [16]. Within these categories, the breadth of activities which count as the ‘processing’ of data has not changed with the introduction of the GDPR/DPA 2018. In effect, as the ICO has said previously, any activity relating to personal data is ‘processing’ (including merely holding the information).

3.15 Apart from the layout, the definition of ‘processing’ in the DPA 2018 differs from that in the ‘pre-Brexit’ GDPR only in omitting the words ‘whether or not by automated means’; which has no practical effect on the meaning. The scope (‘pre-Brexit’) of the UK definition covers [17]:
— processing covered by the GDPR;
— processing added to the UK regime as the ‘applied GDPR’ [18];
— processing for law enforcement purposes by crime-fighting agencies (under Part 3 of the Act) [19];
— processing for security or intelligence purposes (under Part 4 of the Act).

Post-Brexit, the GDPR and ‘applied GDPR’ are merged. In legislative terms, Article 2 of the ‘UK GDPR’ (which defines its material scope) is amended to include processing outside the scope of EU law before exit day, or processing on activities under the common foreign and security policy (so that they are effectively moved from the DPA 2018, s 21, to the GDPR, Article 2; as are the exclusions of personal or household processing, and processing for the law enforcement (Part 3) or intelligence services purposes (Part 4)). Article 2 is also redrafted to apply to ‘automated or structured processing’, which is defined as processing wholly or partly by automated means, or processing by other means which forms part of a filing system, or is intended to do so (Article 2(5)).

16 GDPR, Article 4(2).
17 DPA 2018, s 3(4). See also DPA 2018, ss 5(7), 29(2) and 82(3).
18 Ie DPA 2018, Chapters 2 and 3 of Part 2. See para 2.23 above.
19 See GDPR, Article 2(2), as amended by DPPEC Regulations, Sch 1, para 4; and Chapter 17 below.

Controllers and processors

3.16 A ‘controller’ (formerly called a ‘data controller’ in the UK) means the natural or legal person, public authority, agency or other body who or which, alone or jointly with others, determines the ‘purposes’ and the ‘means’ of the processing [20]. The controller is the legal person who determines why the data are being processed, and how they are to be processed. If a person working with personal data has discretion to decide how, or why, the data are processed, they should be regarded as a controller. There may be more than one controller for a given piece of information (eg if two or more controllers hold the data jointly; or, if the data have been ‘shared’ between them – see Chapter 10 on ‘Data Sharing’).

20 GDPR, Article 4(7). The same word (‘means’) in the previous Directive (Article 2(d)) was rendered as the ‘manner’ of processing in DPA 1998, s 1(1). No difference appears to be intended between the meanings.

3.17 The definition is varied in the UK in the following respects in relation to general data processing:

(a) Where the processing is under the GDPR, and takes place only for purposes required by an enactment, and by means required in the enactment, the controller is the legal person on whom or which the obligation falls to carry out the processing [21]. See example (a) below;

(b) Each government department is treated as a separate controller from any other government department;

(c) The controllers of the Royal Household, the Duchy of Lancaster (a part of the government), and the Duchy of Cornwall (held by the Prince of Wales) are specified officials [22];

(d) Government departments, or the office holders in (c) above (as distinct from individual employees), are immune from prosecution from certain (although not the main) data protection offences under the GDPR and DPA 2018 [23]; and

(e) The controllers in respect of the House of Commons and House of Lords are specified officials, with certain exemptions from prosecution similar to those above [24].

Example (a): statutory controller

Lisa runs an MOT testing centre in Glasgow. She is required by statutory regulations for [an imaginary] new-style MOT to record the name and address of the vehicle owner when she tests their car; and to enter those details electronically onto the MOT certificate. The regulations lay down how the names and addresses are to be recorded. Although Lisa has no discretion over how she records the personal data, she is treated as a controller for that purpose, because she has the statutory responsibility to carry out the processing.
3.18 The obligations of controllers and processors differ. Establishing whether an organisation is a controller or a processor is often fundamental to understanding the relationships, and respective obligations, between one organisation and another. In relation to a given piece of information, a legal person can be a controller for one type of processing of the data, and a processor 21 DPA 2018, s 6(2). There are separate provisions in relation to controllers for processing for law enforcement, or for the security or intelligence services (DPA 2018, ss 32 and 83). 22 DPA 2018, s 209(4). 23 DPA 2018, s 209(6). 24 DPA 2018, s 210(5).

28

Definitions 3.21

for another type of processing of the same data. For example, if Controller A contributes information to a ‘data sharing’ arrangement with Controllers B–D, but also carries out some routine processing operations on some of the shared data on behalf of its partners – such as keeping the information up to date, or inputting new data – it will be a controller in relation to the operation as a whole; but a processor for these latter activities. In such a case, it will be necessary to identify in the sharing arrangement which role applies to which operation, in order to determine who is responsible for carrying it out; and which organisation bears what level of accountability if there is a data breach. 3.19 A  ‘processor’ (formerly called a ‘data processor’ in the UK) is a living individual or legal person, public authority, agency, or other body who or which ‘processes’ personal data on behalf of the controller. If, for example, an organisation contracts out the paying of its salaries, or the disposal of its confidential waste (including personal data), the legal persons providing those services will be processors. Other examples may include information technology (‘IT’) service providers, or ‘Cloud’ service providers. Processors have acquired new responsibilities under the GDPR which mean that they have to take on a greater role alongside controllers (eg to assist in the event of a data breach). The fundamental distinction between the two remains, however, that the controller may exercise some discretion or judgement over how they undertake a piece of processing; whereas a processor is obliged to carry out an operation determined by the controller.

New obligations on processors, and contracting between controllers and processors

3.20 Under the DPA 1998, it was the responsibility of the data controller to specify (by contract or agreement) what the data processor had to do in relation to security25. In addition, under that Act, the data controller bore the whole responsibility for any breach of the Act’s requirements. The position under the GDPR is more balanced as to responsibilities. The need for a detailed contract or agreement remains; and is extended beyond security with a specific series of requirements as to its components. The DPA 2018 does not alter these requirements under the GDPR.

3.21 Under Articles 28–30 of the GDPR, controllers are obliged to use only processors who (or which) provide sufficient guarantees as to how they will: implement the GDPR’s requirements in relation to their processing for the controller; and, ensure the protection of the data subject’s rights (Article 28(1)). The guarantees should cover the expert knowledge, reliability and resources necessary to implement the required technical and organisational measures, including for security (see Recital 81)26.

25 DPA 1998, Sch 1, Pt 2, paras 9–12.
26 A processor may be able to show this by adherence to an approved code of practice or certification mechanism, when they are developed.

3.22 A contract (or other legal agreement) has to be made that is binding on the processor, in relation to the controller, and which sets out:

• the subject-matter and duration of the processing;
• its nature and purpose;
• the type of the personal data to be processed;
• the categories of data subjects which will be involved; and
• the obligations and rights of the controller (Article 28(3)).

3.23 When drawing this up, the parties should take into account the specific tasks and responsibilities of the processor, the type of processing to be carried out, and the risks involved to the rights and freedoms of the data subject. In other words, the contract or agreement should be specific and detailed, and an organisation should be able to show how it has taken these elements into account.

3.24 It follows that a key responsibility of staff handling (or advising on) data processing matters for a controller is to ensure that the controller identifies and keeps abreast of its processing operations; and that it has in place effective contracts, or other enforceable agreements, covering all such arrangements. Similarly, a key responsibility of a processor (or those advising a processor) is to ensure that it is in a position to understand, and to meet, these contractual or other legal obligations placed on it.

Contracts/agreements

3.25 Under the terms of the contract/agreement, a processor is not to engage another processor without the prior written authorisation of the controller. This can be given generally, or reserved for agreement in each specific case. If there is a general authorisation, the controller is to be informed of any additions or replacements, and to have an opportunity to object (Article 28(2)). The second processor is to acquire the same obligations, by contract or other legally enforceable agreement, as applied to the first processor; and the first processor is to remain responsible to the controller for performing any obligations which the second processor fails to perform (Article 28(4)). The contract or agreement has to commit the processor to observing these conditions (Article 28(3)(d)).

3.26 The contract/agreement is to stipulate the following27:

(i) that the processor will process the personal data only on ‘documented instructions’ from the controller (including with regard to any transfers of personal data to a third country or to an international organisation28), unless the activity by the processor is one required by EU member state law (or, post-Brexit, by domestic law). In the latter case, the processor is to inform the controller before undertaking the processing, unless prevented by law from doing so on ‘important grounds of public interest’. In other words, other than exceptionally, the controller must have given the processor detailed written instructions as to the processing before it can be carried out; including as to any transfers to other jurisdictions (which includes servers located, for example, in the USA);

(ii) that the processor will ensure that those authorised to do the processing have committed themselves to confidentiality, or are under a statutory obligation of confidentiality. The processor thus takes on responsibility for vetting their staff, and for obliging them to give personal undertakings that they will handle the personal data to be processed for the controller confidentially. This would not apply if those staff were already subject to such an obligation under statute;

(iii) that the processor will take all measures required of them under the security requirements of the GDPR29. In practice, however, the Article leaves the controller and processor to negotiate what level of security is appropriate, and who is to meet which requirement. The controller needs always to have in mind, however, that it has the responsibility for securing sufficient guarantees from the processor (Article 28(1)); and for agreeing appropriate terms with the processor as to the latter’s responsibilities (Article 28(3));

(iv) that the processor will take appropriate technical and organisational measures, so far as possible, to fulfil the controller’s obligations to respond to the rights of data subjects as laid down in Articles 12–23 of the Regulation (eg the rights of access, and to rectification, erasure, or the restriction of processing). The processor’s obligation is limited, however, by the caveat that it should take into account the ‘nature of the processing’. This appears likely to mean that it is restricted by the scope and type of the information being processed for the controller; so that the processor would not be obliged to exceed boundaries related to them in rendering assistance to the controller with individual rights. This seems to leave much scope for disagreement. Controllers would be well-advised to negotiate these terms closely;

(v) that the processor will assist the controller with the appropriate security measures; with the notification of data breaches to the ICO and to individuals (where required under Articles 33–34); and, with the controller’s obligations in relation to data protection impact assessments (in Articles 34–36). Again, these requirements on the processor are limited by taking into account the ‘nature of the processing’, and also ‘the information available to the processor’ – see the comment above;

(vi) that after the end of the processing service, the processor will delete or return all personal data to the controller (at the choice of the controller); and will delete existing copies, unless required by EU or member state law to store the personal data; and

(vii) that the processor will make available to the controller all information to demonstrate their compliance with the obligations in Article 28. The processor is also to allow audits and inspections by the controller, or another person ‘mandated’ by the controller; and to contribute to them.

3.27 As an alternative to creating an individual contract, there is also an option to base the contract or agreement referred to above wholly or partly on standard clauses produced by the EU Commission, or by the ICO after Brexit; including where these form part of a certificate granted to the controller or processor30.

3.28 Processors become liable to financial penalties under the GDPR31. If a processor infringes the GDPR by ‘determining the purposes and means of processing’, it will be considered to be a controller in respect of that processing (Article 28(10)). This would, however, not affect its status for the purposes of any liability it may have, in its capacity as a processor.

3.29 Processors have similar recording obligations to those of controllers32. They are to maintain a record of all categories of their processing activities, containing the names and contact details of the controller, any other processors, the categories of processing, any transfers of personal data to a third country outside the EU and, where possible, a general description of their security measures. Post-Brexit, processors are obliged to implement security measures appropriate to the risks, in cases where Article 32 of the UK GDPR does not apply33.

27 GDPR, Article 28(3)(a)–(h).
28 See Chapter 11 below as to international transfers.
29 See the detailed measures referred to in GDPR, Article 32 (eg as to pseudonymisation or encryption, where appropriate).

Restriction of processing

3.30 The restriction of processing means that personal data are required to be marked and stored, and may otherwise only be processed:

• with the consent of the data subject;
• for the establishment, exercise or defence of legal claims, or for the protection of the rights of another individual or legal person; or
• for reasons of ‘important public interest’ (defined pre-Brexit, in relation to the EU or a member state)34.

3.31 Restriction arises at the instance of the data subject in certain circumstances; such as, for a temporary period, if he or she contests the accuracy of the data (see paras 8.26–8.33).

30 GDPR, Article 28(6)–(8), or Article 28(6) and (8) after Brexit. See also Recital 81. Certification mechanisms are provided for in GDPR, Articles 42–43.
31 GDPR, Articles 82–84.
32 Under GDPR, Article 30(2).
33 See DPA 2018, s 28(3); as amended by DPPEC Regulations, Sch 2, para 36.
34 GDPR, Article 18(2), as amended by DPPEC Regulations, Sch 1, para 16.

Profiling

3.32 ‘Profiling’ means any form of automated processing of personal data which consists of using the data to evaluate aspects of that person’s activities or preferences; ie the tracking of individuals’ personal data, usually of their online activities, to build up a picture of their preferences or characteristics. It may be used, for example, to analyse or predict a person’s performance at work, economic situation, health, personal preferences (eg as to products), interests, reliability, behaviour, location or movements35.

3.33 Profiling is likely to include activities such as:

• the use of ‘cookies’ to track customers’ or users’ preferences, analysed through their browsing of an organisation’s website;
• the electronic tracking of individuals’ location or movements through their mobile telephone;
• the collection of financial information about individuals in order to assess their credit-worthiness;
• the measuring of information about the work performance of members of an organisation’s staff by its Human Resources department.

Pseudonymisation 3.34 ‘Pseudonymisation’ (a new term in the GDPR) means ascribing an identity to an individual (such as a customer or reference number), and keeping the ‘key’ to the new identity separate and in a safe location; so that only the creator of the identifier has access to it. As a result, processing of the individual’s personal data takes place in a way that the data can no longer be attributed to the specific data subject without the use of the key. Pseudonymising data is seen as a way of encouraging the wider use and sharing of personal data, while increasing its security. Unlike anonymised information, where no individual is identifiable, the data subject remains identifiable to the holder of the key. As a result, the information concerned remains the personal data of the individual36.
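As an added illustration of the mechanism described in para 3.34 (example code written for this edition of the text, not taken from the book or from any regulator’s guidance), the following Python script replaces the direct identifiers in a set of constructed HR records with a reference number, keeps the ‘key’ in a separate key store, and shows that the working dataset can only be attributed to an individual by the holder of that key. The use of a keyed hash (HMAC) to derive the reference numbers, the key-store class and the field names are assumptions made for the example.

```python
"""Pseudonymisation in the sense of GDPR Article 4(5) / para 3.34 (added example)."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records: not real people, invented for this example.
SAMPLE_RECORDS = [
    {"name": "Kieran Smith", "email": "k.smith@example.com", "leave_days": 12, "dept": "HR"},
    {"name": "Lisa Brown", "email": "lisa@example.com", "leave_days": 3, "dept": "Testing"},
    {"name": "Kieran Smith", "email": "k.smith@example.com", "leave_days": 2, "dept": "HR"},
]

# Fields that directly identify the data subject and must leave the working set.
DIRECT_IDENTIFIERS = ("name", "email")


class KeyStore:
    """Stands in for the separate, safe location holding the 'key' (para 3.34).

    It holds the secret used to derive reference numbers and the table mapping
    each reference number back to the individual.  Only the creator of the
    identifiers should be able to read it; the working dataset never sees it.
    (Hypothetical helper written for this example.)
    """

    def __init__(self, secret: Optional[bytes] = None):
        self.secret = secret if secret is not None else secrets.token_bytes(32)
        self.table: Dict[str, Dict[str, str]] = {}

    def reference_for(self, identity: Dict[str, str]) -> str:
        # A keyed hash gives the same person the same reference number every
        # time, so records about them can still be linked; but the number can
        # neither be reversed nor recomputed without the secret.
        canonical = "|".join(identity[k].strip().lower() for k in DIRECT_IDENTIFIERS)
        ref = hmac.new(self.secret, canonical.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
        self.table[ref] = dict(identity)
        return ref


def pseudonymise(records: List[dict], keystore: KeyStore) -> List[dict]:
    """Replace direct identifiers with a reference number.

    The returned list is what processing staff work with; the mapping back to
    the person is written only into the key store.
    """
    working = []
    for rec in records:
        identity = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        ref = keystore.reference_for(identity)
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["ref"] = ref
        working.append(row)
    return working


def reidentify(working: List[dict], keystore: KeyStore) -> List[dict]:
    """Attribute the working data back to the data subjects using the key.

    Because the holder of the key can do this, pseudonymised data remain the
    personal data of the individual (para 3.34); a key store that does not
    hold the mapping cannot attribute the records and raises KeyError.
    """
    restored = []
    for row in working:
        person = keystore.table.get(row["ref"])
        if person is None:
            raise KeyError("reference number not known to this key store")
        restored.append({**person, **{k: v for k, v in row.items() if k != "ref"}})
    return restored


def contains_direct_identifiers(working: List[dict]) -> bool:
    """Release check: does the working dataset still carry a direct identifier?"""
    return any(k in row for row in working for k in DIRECT_IDENTIFIERS)


def demo() -> List[dict]:
    """Run the round trip on the sample records and return the working dataset."""
    keystore = KeyStore()
    working = pseudonymise(SAMPLE_RECORDS, keystore)
    assert working[0]["ref"] == working[2]["ref"]  # same person, same reference
    assert not contains_direct_identifiers(working)
    try:  # a party without the key cannot attribute the data
        reidentify(working, KeyStore())
    except KeyError:
        pass
    assert reidentify(working, keystore)[1]["name"] == "Lisa Brown"  # key holder can
    return working


if __name__ == "__main__":
    for row in demo():
        print(row)
```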

35 GDPR, Article 4(4). See also DPA 2018, s 33(4), in relation to profiling for crime-fighting purposes under Part 3 of the Act.
36 GDPR, Article 4(5).

Filing system

3.35 Recital 15 explains that, in order to avoid the protection of the GDPR being circumvented, it should be ‘technologically neutral’, and should apply to both processing by automated means, and to manual processing where the data are contained (or intended to be) in a filing system. The pre-Brexit GDPR has thus applied to processing of personal data wholly or partly by automated means, and to processing other than by automated means of personal data which form part of a ‘filing system’, or are intended to form part of a filing system37. Post-Brexit, the definition in the UK of ‘automated or structured processing’ is worded slightly differently, as described at para 3.15 above.

3.36 The DPA 2018 slightly alters the wording. A ‘filing system’ is any ‘structured set of personal data’ which are ‘accessible according to specific criteria, whether held by automated means or manually and whether centralised, decentralised or dispersed on a functional or geographical basis’38. Under the DPA 1998, there was much debate about the extent of what the Act defined in the UK as a (paper-based) ‘relevant filing system’; or, as to the degree to which such a system had to be organised in order for its contents to count as ‘data’ (and therefore potentially to be personal data). In the private sector, paper records were covered by the 1998 Act only if they fell within such a filing system; were destined to be input into an electronic system; (or, exceptionally, if they formed part of certain types of paper files such as health records). In the public sector, the position was more complex because ‘unstructured manual data’ (essentially loose or unfiled papers, which fell outside these categories) were also covered by the 1998 Act; although only limited individual rights applied to them. The 2018 Act effectively maintains these distinctions39. It arguably extends the scope of filing systems, thereby expanding the range of paper records covered by them. The definition makes clear that it treats systems which have the same function, but which are sited within different parts of an organisation, or dispersed geographically within it, as a single filing system.

3.37 There appears still to be some doubt, however, over the precise extent of a ‘structured set of personal data’ in relation to information held on paper. The reference to personal data that are ‘accessible according to specific criteria’40 must certainly, as before, include files that are organised by name and then by subject matter (eg an HR file for ‘Kieran Smith’, sub-divided by subjects such as leave records); or, files that are organised by subject matter (eg ‘Leave Records’, or ‘Pay statements’), with a sub-divider or a separate file for a name (‘K. Smith’) under each category. In the Commissioner’s initial overview guidance on the GDPR, the new definition was considered, at that time, to be broad enough to include ‘chronologically ordered sets of manual records containing personal data’ (eg all the paper correspondence and documents relating to ‘Kieran Smith’ in one file, provided they were kept in date order). This advice no longer appears on the ICO’s website, however, as at the date of writing. According to Recital 15, moreover, files or sets of files which ‘are not structured according to specific criteria’ fall outside the GDPR; including any cover pages in such papers. (Example: on this basis, a loose box or bundle of papers, provided that they were not intended to be organised into a filing system, would still be excluded). Greater clarity would be helpful in guidance, therefore, in order to delineate any extent to which the GDPR/Act do now apply to a greater proportion of paper records than previously. The basic position remains, however, that paper in a filing system is potentially part of personal data in both the public and private sectors, by virtue of the GDPR; while loose papers are brought under the regime for the public sector only (and with only limited individual rights attaching to them) by the DPA 2018 (and, post-Brexit, by Article 2(1A) of the UK GDPR). The manual unstructured processing of personal data is brought within the scope of the UK regime before Brexit by DPA 2018, s 21(2). That provision is repealed after Brexit by the DPPEC Regulations, but the Regulations transfer the inclusion of manual unstructured processing from the Act to the UK GDPR, under Articles 2(1A) and 2(5)(b). The obligations on public authority controllers are, however, quite limited. Provisions listed in DPA 2018, s 24(2), do not apply to such data. As a result, only one of the data protection principles (principle (d), on accuracy) applies to manual data. Requirements such as those concerning: lawful bases (Articles 6 and 9); Privacy Notices (Articles 13 and 14); data portability (Article 20); the right to object (Article 21); or, international transfers (Articles 44–49; including, after Brexit, those based on adequacy regulations or standard clauses), do not apply to manual data. There is also only a limited right of access (see paras 7.46–7.49). The DPPEC Regulations do not alter this position in substance after Brexit.

37 GDPR, Article 2(1) (as amended by DPPEC Regulations, Sch 1, para 4).
38 DPA 2018, s 3(7). See also GDPR, Article 4(6).
39 Pre-Brexit, unstructured manual data in the public sector are brought within it, to the same extent, by DPA 2018, s 21(2).
40 GDPR, Article 4(6); DPA 2018, s 3(7).

Recipient

3.38 ‘Recipients’ have to be declared in a number of circumstances; eg in access requests, or privacy notices41. A ‘recipient’ is simply a natural or legal person, including a public authority, agency or other body, to whom or which personal data are disclosed, whether or not they are also a ‘third party’. A ‘third party’ is a natural or legal person who is not the controller, processor, data subject, or another person who is authorised to process the data under the direct authority of the controller or processor. There is a distinction, however, in that public authorities which receive personal data ‘in the framework of a particular inquiry’, and in accordance with EU or member state law (or post-Brexit, in accordance with domestic law), are not classed as recipients. In a case of that kind, their processing of the information has only to comply with the relevant data protection rules for that type of processing42.

Example: inquiries

If a public authority is obliged to examine a health and safety issue, and gathers evidence for its inquiry, it will not be a ‘recipient’ in that context. It would not, therefore, be necessary for another controller, which disclosed evidence to them for the purposes of that inquiry, to declare them to be a ‘recipient’ – eg in the context of an access request by a data subject whose personal data had been disclosed.

41 GDPR, Articles 15(1)(c); or 13(1)(e) or 14(1)(e) respectively.
42 GDPR, Article 4(9) and (10).

Consent

3.39 ‘Consent’ is given specific features under the GDPR, and is significantly upgraded in relation to what needs to be demonstrated. It was an uncertain basis for processing an individual’s personal data under the DPA 1998, which did not define it. Article 4(11) of the GDPR supplies a robust definition of the consent of the data subject, as: any ‘freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or clear affirmative action, signifies agreement to the processing of personal data relating to him or her.’43 The consent needs, therefore, to be a statement or other clear type of action, showing agreement to the specific processing concerned. It also needs to be informed (ie the data subject should be aware at least of the identity of the controller, and the intended purposes of the processing; but see also para 3.47).

3.40 Recital 32 clarifies that consent can still be given orally, as well as in written form. It may include ‘ticking a box’ on a website, or another statement which clearly indicates the ‘data subject’s acceptance of the proposed processing of his or her personal data’, as constituting consent. Silence, pre-ticked boxes or mere inactivity by the data subject, on the other hand, do not constitute consent.

3.41 A consent should cover all the types of processing carried out for the same purpose or purposes; requiring the controller to make the extent of processing for a particular purpose clear to the data subject in advance. Where there are a number of purposes, the consent should cover them all. If consent is sought by electronic means, the request should be ‘clear, concise and not unnecessarily disruptive to the use of the service for which it is provided’44.

3.42 Article 7 adds further conditions before consent can be used as a lawful basis on which to process an individual’s personal data. [Emphases have been added]:

• the controller has to be able to demonstrate that the data subject has consented45. So the controller needs to have a record of the consent (or possibly some means by which to oblige the data subject to confirm it). For this reason, for an oral consent, a record should be made by the controller;

• if the consent was given in writing, and the declaration in which it appeared also concerned other matters, the request for the consent should be presented in a manner ‘clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language’46. It should also not contain unfair terms47. So, if the consent was sought and recorded on a pre-prepared form (whether on paper or online), the section, box or other area containing the request, and the place for the data subject’s agreement, need to have been separate from any other part of the agreement. The text of the consent needs to be set out clearly and in straightforward language;

• the individual must have the right to withdraw his or her consent at any time (and to be informed of this right before giving consent). The withdrawal is to be as easy as the giving of the consent (emphasising its weakness as a basis for processing, from the controller’s point of view). Recital 42 states that consent is not freely given if the data subject has ‘no genuine or free choice’; or if they are unable to refuse, or later to withdraw, their consent ‘without detriment’. If consent is withdrawn, however, this does not affect the lawfulness of the processing prior to the withdrawal48;

• when assessing whether consent has been freely given, the ‘utmost account’ is to be taken of whether (amongst other factors) the performance of a contract, including the provision of a service, has been made conditional on the giving of consent to processing of personal data that is not necessary to the performance of that contract49. So the consent needs to be closely focussed on what is integral to the contract’s purpose; and may not be valid to the extent that it exceeds those boundaries. The Commissioner, in her detailed guidance on consent, refers to ‘avoiding making consent a condition of a contract’. Guidelines from the Article 29 Working Party/EDPB referred to the need for ‘special caution’ on this point. In general terms, any element of inappropriate pressure on the data subject would render consent invalid. While it will almost always be better to use the contractual lawful basis, rather than consent, in cases involving contractual transactions (see para 5.9 below), the language of the Article does not go this far; the issue in Article 7(4) being whether the terms for which consent is sought are necessary to the contract.

Example: performance of contract made conditional on unnecessary consent

An internet service provider makes the provision of its services conditional on acceptance of terms that allow it to make various uses of the personal data collected which are not necessary to the operation of the contract. These include passing the individual’s data to certain of the advertisers using its site. These wider uses will benefit the provider financially, and probably form part of its planned revenue stream from the contract. They are not, however, necessary to whether the internet service can be provided to the individual. They should form one or more options to which the individual can opt in if they choose. The consent to the wider terms will not be a lawful basis of the processing. The provision of the service itself should be made on the lawful basis that it is necessary to the provision of the contract; not on the basis of consent.

43 The DPA 2018 does not include a separate definition of consent for general processing. Section 84(2) uses the same formulation in relation to security or intelligence processing.
44 GDPR, Recital 32.
45 GDPR, Article 7(1).
46 GDPR, Article 7(2).
47 GDPR, Recital 42.
48 GDPR, Article 7(3).
49 GDPR, Article 7(4).

3.43 Recital 43 expands the latter theme. Consent will not form a lawful basis for processing where there is a ‘clear imbalance’ between the controller and data subject. An example is given of a controller which is a public authority: the Recital says that it will be ‘unlikely’ that the consent was freely given in all the circumstances. At face value, however, this is too broad. It should, it is suggested, be taken to refer to instances: where a public authority has a right to require information from a data subject; where it has an obligation to provide a service, or to enforce a rule, in relation to that individual; or, where it is exercising authority over the individual or placing a requirement on him or her. It should not be understood, it is suggested, that public authorities are intrinsically unable to rely on consent where they are providing a product or service on a discretionary, rather than an obligatory, basis in relation to a particular individual (ie where there is no imbalance; or where any imbalance is not relevant to the case).

3.44 The Recital states also that consent is to be presumed not to be freely given, even where it is appropriate in an individual case, if it does not allow separate consent to be given to different processing operations (ie if the processing in issue cannot be separated from other proposed processing, so that each type of processing can be made subject to a separate consent).

3.45 The ICO makes clear in her detailed guidance that consent remains most likely to be the appropriate lawful basis only where no other such basis applies. In other words, it should be seen as a last resort.

3.46 The ICO has advised that consents reached under the DPA 1998 need not be reviewed if they conform to the higher threshold required by the GDPR; but should be reviewed if they do not do so. Otherwise, an alternative lawful basis should be sought.

3.47 The former Article 29 Working Party (now the European Data Protection Board or EDPB) produced guidelines on consent, updated in April 201850. For consent to be informed, the purpose, type of data, existence of the right to withdraw, information about any use of the data for decisions based on solely automated processing, or possible risks from any transfers to third countries without an adequacy decision (and appropriate safeguards), should be added to the points referred to in para 3.39. The guidance also stresses the importance of clear language when seeking consent.

3.48 See also Chapter 5, at paras 5.4–5.8 on consent.

Consent – the health service

3.49 The National Health Service has developed its own language and scheme for the management of health care data about individuals in data protection terms; known as the ‘Caldicott principles’. This system gives significant prominence to the concept of ‘consent’; although this has a range of meanings in healthcare, in terms of such processing, which go beyond the scope of this book. It should be understood that the GDPR and the DPA 2018 apply to processing in the healthcare sector as much as any other area. In the author’s view, the systems adopted by the NHS dovetail the data protection principles with the general reliance in the provision of healthcare on the patient’s ‘consent’ in a wider sense, including as to treatment, and this may be confusing in some cases.

50 Article 29 Working Party/EDPB, ‘Guidelines on Consent under Regulation 2016/679’ (wp259rev.01).

Child’s consent

3.50 Article 8 concerns the age at which children may give their consent (independently of their parents) to the provision to them of ‘information society services’51. Article 8 sets the (pre-Brexit) default age at 16 years; but allows member states to set lower age limits in each country, where they are based on consent, down to a minimum of 13 years.

3.51 The UK has chosen 13 years as the minimum age52. Services offered to children below that age must (if consent is the lawful basis) receive the consent of the holder of parental responsibility: otherwise, the processing of the personal data of a child below that age (and thus the provision to them of the service) will only be lawful in data protection terms if another lawful basis applies. The controller is to make reasonable efforts to verify a parental consent, ‘taking into consideration available technology’ (Article 8(2)).

3.52 Pre-Brexit, section 9(b) of the DPA 2018 excludes preventive or counselling services offered online from the definition; the effect being to exempt them altogether from the requirement for parental consent where such services are offered online. Post-Brexit, this provision is moved to Article 8(4) of the UK GDPR.

Personal data breach

3.53 A ‘personal data breach’ is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to, personal data which are being transmitted, stored, or otherwise processed (see GDPR, Article 4(12)). The breach can be accidental or ‘unlawful’ (in effect, deliberate or negligent). The limitation of the term to a security breach should be noted. This contrasts with wider risks to (for example) the ‘rights and freedoms of natural persons’, with which Data Protection Impact Assessments are also concerned (GDPR, Article 35(1)). The controller will often have to notify a data breach to the ICO (see GDPR, Article 33 and Chapter 15).

51 Ie commercial websites or electronic storage services.
52 The pre-Brexit provision is in the DPA 2018, s 9(a). Post-Brexit, the DPPEC Regulations, Sch 1, para 8, amend Article 8 of the UK GDPR to this effect; and Sch 2, para 12 of the Regulations repeals DPA 2018, s 9.


Biometric data

3.54 ‘Biometric data’ means personal data resulting from ‘specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person’ which allow or confirm that person’s unique identification, such as facial images or ‘dactyloscopic data’53. The former include, in the current level of technology, iris recognition data. The latter refer to fingerprints. The key characteristic, of current and future technologies, is that the processing allows the person to be identified uniquely; which can be demonstrated on a scientific basis.

Data concerning health

3.55 This means personal data concerning a person’s physical or mental health; but also information about the provision of health care services which reveal information about that individual’s health status54. The course of care of a living individual will thus fall within information concerning his or her health. As under the DPA 1998, data about the health of a deceased person prior to their death, or about the course of their care, is no longer their personal data55. Such information is often treated, however, as forming the personal data also of surviving close relatives.

Main establishment and representatives

3.56 Pre-Brexit the GDPR introduced the concept of a ‘main establishment’ in the EU, for organisations which have more than one establishment56 within the Union’s area. Pre-Brexit, or within the EU as a whole, the location of the main establishment will determine with which national regulator (or ‘supervisory authority’) the controller may deal on behalf of the organisation as a whole. Where a controller has an ‘establishment’ in more than one EU member state, the place where it conducts its central administration will be its main establishment, unless decisions on the purposes and means of processing are taken in another establishment which has the power to have them implemented (in which case, the latter will be its main establishment). Where a processor has establishments in more than one EU member state, its place of central administration within the EU, or (if none) the establishment where its main processing activities take place (in the context of the activities of the establishment) will be its main establishment57. The definition of a ‘main establishment’ is removed from the UK GDPR, however, along with the concepts of ‘cross-border processing’ and a ‘lead supervisory authority’, after Brexit58. This change means the removal of UK organisations from participation in the ‘one-stop-shop’, whereby controllers or processors carrying out processing which affects individuals in more than one EU (or European Economic Area) state, or having an establishment in more than one such state, need deal usually only with one regulatory authority (eg over data breaches).

3.57 Pre-Brexit, or within the remainder of the EU after Brexit, a controller or processor based outside the EU will have to appoint a ‘representative’ to act on its behalf, and to deal with the supervisory authorities in the member states in which individuals to whom it offers goods and services, or whose behaviour is monitored by them, are located. Post-Brexit, the same requirements apply to a controller outside the UK offering goods and services, or monitoring behaviour, within the UK, to designate a representative in the UK, under Article 27(1) of the UK GDPR (with limited exceptions for processing under the former ‘applied GDPR’ – see UK GDPR, Articles 3(2) and 3(2A)). This requirement does not apply to public authorities; nor to controllers or processors where the processing is only occasional, does not involve processing of special category data (or criminal convictions and offences data under Article 1059) on a large scale, and is unlikely to result in a risk to the rights and freedoms (such as the privacy) of individuals (taking into account factors such as the nature and purposes of the processing)60.

53 GDPR, Article 4(14). See also DPA 2018, s 205(1).
54 GDPR, Article 4(15); and DPA 2018, s 205(1).
55 GDPR, Recital 27. Pre-Brexit, member states may provide for rules regarding the processing of the data of deceased persons, although the UK has not done so in this respect.
56 See paras 3.63–3.65 below.
57 GDPR, Article 4(16). This provision is removed in the UK after Brexit by the DPPEC Regulations, Sch 1, para 6(6). As to the one-stop shop, and the position after Brexit, see ICO: ‘One-Stop-Shop regulatory oversight by a lead data protection authority’.

Data Protection by Design, and Data Protection by Default

3.58 Controllers are required under the GDPR, both when deciding on a means of processing and when carrying it out, to ‘design in’ data protection considerations; both from the outset, and when the processing is carried out. (The DPA 2018 does not amend these Articles of the GDPR). The controller is expected to adopt internal policies, and to implement measures, to do this. Relevant measures include:
• ‘pseudonymisation’ of data in order to increase its security;
• adoption of ‘data minimisation’ principles in order to reduce the amount of data processed to only that necessary for the purpose;
• ‘transparency’ with regard to why and how they process data;
• enabling the individual to monitor how his or her data are being processed (eg through a secure website portal);
• creating and improving security features61.

58 DPPEC Regulations, Sch 1, paras 6(6), 6(11) and 51 respectively.
59 See para 17.26.
60 GDPR, Article 27(2).
61 GDPR, Article 25(1). See also Recital 78.

3.59 This is not an absolute standard. Much of it overlaps with other data processing requirements; enabling them to be seen as elements of an overall objective. Controllers are expected to take into account the ‘state of the art’ at the time of their consideration of what data protection by design requires of them. They may also take into account the cost of implementation, the nature, scope, context and purposes of the processing, and the likelihood and severity of any risks to the privacy of individuals. The controller needs, therefore, to make decisions in advance as to what the standard of pseudonymisation, and the various factors, require of it; to, for example, implement it (recording that it has done so), and to review its decisions from time to time.

3.60 Linked to this, and overlapping both with it and with other individual requirements, is the requirement for data protection ‘by default’; effectively, that the use of individuals’ personal data is to be minimised as a default position62. The provision obliges controllers, again by appropriate technical and organisational measures, to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed. This principle applies to the amount collected, the extent of processing, the period of storage, and the data’s accessibility during that period. The measures taken are to ensure that, by default, personal data are not made accessible without the ‘individual’s intervention’ (eg their agreement) to an ‘indefinite number of natural persons’. Thus, other than exceptionally where the individual wishes it, general unrestricted access to the personal data of an individual is not to be permitted.

3.61 Certification can be used as a partial means of showing compliance with either concept, where a mechanism has been approved under powers in Article 42. In practice, this will apply in the future when such certification mechanisms (eg by industry bodies) are available to show good practice, and where national approval mechanisms have been devised and set up. These will involve the United Kingdom Accreditation Service (‘UKAS’), as well as the ICO63.

TERRITORIAL SCOPE OF THE GDPR

3.62 The EU-wide GDPR claims extensive territorial application. It specifies that it applies to processing of personal data ‘in the context of the activities of an establishment’ (see para 3.64) of a controller or processor in the Union, regardless of whether or not the processing takes place in the Union. It also applies to processing of the personal data of data subjects who are in the EU, by a controller or processor who is not established in the Union, where the processing activities are related to: (a) the offering of goods and services to data subjects in the EU, (irrespective of whether a payment is required); or (b) the monitoring of their behaviour so far as it takes place in the Union64. Prior to Brexit, DPA 2018, s 207, repeats the pattern of scope of the GDPR, but related to the UK rather than the EU, and to data subjects in the UK.

62 GDPR, Article 25(2).
63 See GDPR, Article 43(1)(b), as amended by the DPPEC Regulations, Sch 1, para 37(2)(c).
64 GDPR, Article 3(1)–(2) and Recitals 22–23.

3.63 A controller or processor is ‘established’ in the European Union (or the UK) if there is an ‘effective and real exercise of activity through stable arrangements’ by it. The legal forms of those arrangements, such as whether the controller or processor has a branch, or a subsidiary which has separate legal personality, in that country do not determine whether or not that body is an establishment65.

3.64 In Google Spain66, the original case on the ‘right to be forgotten’, the European Court gave a very broad interpretation to an ‘establishment’ under the Directive. The question was whether an establishment in Spain was processing personal data in the context of the activities of its parent company in the United States, when the processing concerned by the parent company was separate from the processing being undertaken by Google Spain. The Court said that the Directive did not require the processing to be carried out by the establishment in Spain, where it was carried out in the context of the activities of the establishment. The subsidiary in that case was intended to promote and sell advertising space offered by the search engine. Thus the activities of a parent company and its subsidiary will be linked if the purpose of the subsidiary is to make the parent company profitable.

3.65 The Court confirmed this approach in Weltimmo67, where it said that the presence of only one representative in a country could, in certain circumstances, be enough to constitute a stable arrangement in that country; where he or she acted with a ‘sufficient degree of stability’ through using local equipment to provide the service. The concept of ‘establishment’ in the Directive included ‘any real and effective activity – even a minimal one – exercised through stable arrangements’.

3.66 The EU-wide GDPR thus claims to apply to:

— Organisations established in the EU which are processing personal data in the EU (eg a French clothing company, processing personal data in Poland because its processor is located there).
— Organisations established in the EU which are processing data outside the EU (eg a French company processing personal data in Sierra Leone, because its processor is located there).
— Organisations outside the EU, offering goods and services to individuals in the EU (eg a Chinese company, offering cars for sale in Europe; especially if they can be ordered in an EU language and paid for in an EU currency).
— Organisations outside the EU which are monitoring the internet activity of individuals taking place within the EU (eg an American company which monitors the use of its social media services by individuals in Italy).

65 GDPR, Recital 22.
66 Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, Case C-131/12.
67 Weltimmo s.r.o. v Hungarian data protection authority, Case C-230/14. See para 30.


TERRITORIAL SCOPE OF THE UK PROVISIONS AFTER BREXIT

3.67 As indicated above (para 3.62), the pattern of the scope of the DPA 2018 before Brexit has mirrored the GDPR’s provision across Europe as a whole, in a UK context68. Thereafter the territorial application of the Act is governed by amendments to the DPA 2018, s 207, and to UK GDPR, Article 3, made by the DPPEC Regulations69. These are similarly modelled on the same pattern as in the GDPR, but adapted so that the Act and the UK GDPR apply in the following circumstances:

(a) To the processing of personal data in the context of the activities of an establishment of a controller or processor in the UK, whether or not the processing takes place in the UK;

(b) To the processing of the personal data of data subjects in the UK, which is carried out in the context of activities of a controller or processor not established in the UK where the processing activities are related to:
· the offering of goods or services to data subjects in the UK, whether or not for payment; or
· the monitoring of data subjects’ behaviour in the UK.

The latter category (b) applies, however, only to ‘relevant’ processing. This excludes processing which, before exit day: falls outside the scope of EU law; was in the course of an activity which, before exit day, was part of common foreign and security policy activities; or, was manual unstructured processing by an FOI public authority. In other words, if data in this category fall within the former ‘applied GDPR,’ those data are excluded from the territorial application of the UK regime to a controller or processor not established in the UK. Where the processing is of one of the types to which Part 2 of the Act does not apply (law enforcement processing under Part 3, or intelligence services processing under Part 4), the Act applies only to processing in the context of the activities of a controller or processor in the UK (irrespective of whether the processing takes place in the UK). As before, the UK GDPR also applies to the processing of personal data by a controller established in a place where UK domestic law applies by virtue of public international law (eg in a UK embassy)70.

68 Under the GDPR before Brexit, however, the rules in relation to controllers or processors not established in the UK have not applied to processing under the ‘applied GDPR’, by virtue of DPA 2018, s 22 and Sch 6, paras 7–8.
69 Schedule 2, para 87; and amendments to the GDPR, Articles 2 and 3, made by Sch 1, paras 4 and 5, respectively.
70 See UK GDPR, Articles 3, and 2(1), (1A) and (2); and DPA 2018, s 207.

3.68 Although not an exclusive list, the following have an establishment in the UK (in relation to processing to which the GDPR applies):
— An individual who is ordinarily resident in the UK;
— A body incorporated under the law of the UK, or a part of the UK;
— A partnership or other unincorporated association formed under the law of the UK or a part of the UK;
— A person not falling under any of the above, who maintains, and carries on activities through, an office, branch, agency or other ‘stable arrangements’ in the UK71.

3.69 The UK government, in guidance issued in December 2018 concerned with cross-border flows of data in the event of the UK leaving the EU without a withdrawal agreement, indicated that regulations under the EU (Withdrawal) Act 2018 were expected early in 2019, to maintain the extra-territorial scope of the UK data protection framework; and also to oblige non-UK controllers who are subject to that framework to appoint representatives in the UK, if they are processing UK personal data on a large scale72. These regulations were subsequently enacted as the DPPEC Regulations 2019.

71 DPA 2018, s 207(7).
72 Department for Digital, Culture, Media and Sport: ‘Amendments to UK data protection law in the event the UK leaves the EU without a deal on 29 March 2019’, 13 December 2018. See also paras 11.36–11.37 in respect of cross-border flows of data.


CHAPTER 4

Data Protection Principles

GDPR DATA PROTECTION PRINCIPLES

4.1 The data protection principles are broadly similar to those in the Data Protection Act 1998 (‘DPA 1998’), Sch 1, Part 1, although with certain changes1:
— The former eight principles have been reduced to six, by the removal of the principle expressly to give effect to the rights of data subjects (the former sixth principle); and the moving of the former eighth principle (concerned with transfers of personal data outside the EU) to form Chapter V (Articles 44–46) of the GDPR, where it is no longer described as a principle. (The latter was, in fact, always separate under the Directive). This does not affect, however, its importance for those controllers who move personal data across borders. In the UK, these rules are likely to acquire expanded importance after Brexit.
— An important new requirement for controllers to demonstrate compliance (the ‘Accountability Principle’) is added by Article 5(2) (see paras 4.19–4.22 below). This forms in effect a seventh principle, although it is not listed with the others; and
— The six main principles, formerly numbered, are now denoted in the GDPR by the letters (a)–(f), and given descriptions.

4.2 Under the six principles, personal data are to be2:

(a) processed lawfully, fairly and in a transparent manner (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes, and not further processed in a manner incompatible with those purposes (‘purpose limitation’)
  – although further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, with the safeguards required under Article 89(1), is not to be considered to be incompatible with the initial purpose;
(c) adequate, relevant and limited to what is necessary to the purposes (‘data minimisation’);
(d) accurate and, where necessary, kept up to date (‘accuracy’)
  – all reasonable steps are to be taken to ensure that inaccurate data are (having regard to the purposes for which the data are processed), erased or rectified without delay;
(e) kept in a form that permits identification of the data subject for no longer than necessary for the purposes for which the data are processed (‘storage limitation’)
  – although data processed solely for archiving, scientific or historical research, or statistical purposes, may be stored for longer periods, provided the controls in Article 89(1) (as interpreted by DPA 2018, s 19), and technical and organisational measures to protect individuals, are in place (see para 5.113 below as to safeguards);
(f) processed in a manner that ensures appropriate security (‘integrity and accountability’)
  – including against unauthorised or unlawful processing, and against accidental loss, destruction or damage, using appropriate technical and organisational measures.

1 GDPR, Article 5(1)(a)–(f). The DPA 2018 does not alter these for general processing in the UK. The Act enacts a version of them (bearing some resemblance also to the previous ones contained in the DPA 1998, but with significant variations from both), for the purposes of law enforcement (ss 35–40) and intelligence services processing (ss 86–91). See Chapter 17 re law enforcement.
2 Article 5(1)(a)–(f).

These are now examined in more detail.

Principle (a): Lawfulness, Fairness and Transparency

4.3 The requirement in principle (a) for processing to be ‘transparent’ is new, and represents an important focus in the GDPR on day to day openness in the manner of processing. This is intended to develop further as technology makes it more practicable for individuals to be given secure access to view the processing of the data held about them. It is central to Privacy Notices, and to the language in which the accompanying information to responses to access requests is to be expressed3.

4.4 The former First Principle required that personal data should be processed ‘fairly and lawfully’; and that it should not be processed unless at least one of the conditions in the former Sch 2 of the DPA 1998, was met. In addition, in the case of ‘sensitive’ personal data, at least one of the conditions in the former Sch 3 had also to be met. The requirement under the DPA 1998 for these ‘conditions’ to be met has become a requirement for one or more ‘lawful bases’ of processing under the GDPR to be present. With the change of language has come a shift in emphasis from fairness to lawfulness, with the former having lesser prominence than previously as a core concept. The lawful bases are central to the scheme of the GDPR, whereas ‘fairness’ is not. The Data Protection Act 2018 (‘DPA 2018’) likewise emphasises these bases, and intertwines the exemptions with them.

3 See paras 7.60–7.62.

4.5 The ICO has in recent years given great prominence to ‘fairness’ in her guidance (to the extent of stressing its importance as the central concept, over that of the former data processing ‘conditions’4). Some re-balancing of the ICO’s guidance may now be necessary.

Principle (b): Purpose limitation

4.6 Defining the purposes for which personal data are to be (or are being) processed is central to successful compliance with the GDPR. The limits of processing permitted under the principles are defined very largely around the purposes in each case; including, in this instance, whether processing for a new purpose is ‘incompatible’ with the initial purpose. The purposes have to be ‘specific, explicit and legitimate’. This means that they have to be: described in particular terms; recorded; and, undertaken for a proper and lawful reason. All controllers should be able to show the purpose(s) of each piece of processing which they undertake (or which is undertaken on their behalf). A record need not be extensive, but it should at least pinpoint and summarise the key purposes of each given type of processing.

Example – record of purposes

The following might form a summary record of processing in the area of local authority housing: ‘This record about [name], concerning [subject] is processed in order to enable the authority to:
• provide local authority housing to tenants;
• enable the payment of rents by tenants, or repayments to tenants;
• administer the tenancies;
• maintain or repair the council’s housing units;
• determine complaints or disputes raised by residents;
• enable communication by the authority with its tenants;
• assist in dealing with crime and maintaining a peaceful environment for residents;
• enable communication by the council with leaseholders.’*

*ie those who have bought properties under the Right to Buy which are sited in a block or other building for which the local authority retains the freehold.

4 For example in the guidance on the application of fairness, under the former first data protection principle, in relation to whether to disclose third party data in FOI requests: Freedom of Information Act 2000, s 40(2) and (3). See paras 27.27–27.28.

4.7 As under the DPA 1998, any new processing should not be for a purpose that is ‘incompatible’ with the initial purpose. This does not mean that any new purpose is prohibited. A new purpose is permitted, provided that it does not contradict or undermine the initial purpose. Recital 50 provides guidance, and in practice there is greater latitude than the wording of the principle might seem at first to suggest. The Recital states the following:
• where the new processing is compatible with the initial processing, no new lawful basis is required. It is suggested, however, that the type and manner of processing should be close to the original; or, at least, that the controller or processor should review its lawful basis to ensure that it encompasses the new processing. As the ICO points out, moreover, it may well be necessary to seek a fresh consent, if the processing has been undertaken on the basis of consent;
• if the processing is necessary for the performance of a task in the public interest, or in the exercise of official authority by the controller, the law (either from the EU or a member state; or, after Brexit, by domestic law – see Article 6(3)) may determine the tasks and purposes which are to be regarded as compatible and lawful. The DPA 2018 has not, however, made such provision;
• in order to determine whether a new purpose is compatible with the initial purpose, the controller should take into account (amongst other factors):
  – any link between the initial, and the intended further, processing;
  – the context in which the personal data were collected (for example, the reasonable expectations of the data subjects as to further use; arising from their relationship with the controller). See the example below;
  – the nature of the personal data;
  – the consequences of the further processing for the data subjects;
  – the existence [or otherwise] of appropriate safeguards in both processing operations.

These factors are set out in GDPR, Article 6(4), where the new purpose is not based on consent, or on EU or member state law (or, after Brexit, on domestic law), or on any of an extensive list of factors in Article 23(1), such as regulatory functions. After Brexit, national security and defence are moved from Article 23(1) to be referred to directly in Article 6(4)5.

5 As amended, post-Brexit, by the DPPEC Regulations, Sch 1, para 7(4).

Example: reasonable expectations

A local authority’s tenant would probably expect the processing of his or her personal data, collected for the purpose of administering the tenancy, to extend to allowing the council (and probably its legitimate contractor) to contact them about maintenance matters or redecoration; and the council would fairly argue that it needed to use the data in this way in order to manage the tenancy. The tenant would have a reasonable expectation, however, that this would not extend to commercial companies (even ones concerned with housing matters) being given access to his or her personal data.

4.8 Any further processing which is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, is not an incompatible purpose (ie it may proceed under this principle), provided that certain conditions are met. These are that the activity concerned is not likely to cause substantial damage or distress to a data subject; and, that it is not carried out for the purposes of measures or decisions with respect to a particular data subject (other than for the purposes of ‘approved medical research’, as defined in the Act and Regulations)6.

6 GDPR, Article 5(1)(b), Recital 50, and DPA 2018, s 19(2)–(6). See also para 5.41. See DPA 2018, s 19(4) and (5) in relation to ‘approved medical research’.

4.9 If the new processing differs significantly from the old purpose, or would surprise the data subject, or could have an unjustified impact on him or her, it is likely that it should be regarded as ‘incompatible’; and a new consent should be sought.

4.10 Overall, the purpose limitation principle does not prevent further uses of the data; but it restricts them. If the purposes have changed, or if the data are to be used for a new purpose which had not been foreseen at the time of collection, the principle will prevent the new processing unless:
— the new purpose is not incompatible with the old purpose;
— the data subject gives their consent to the new processing; or
— there is a clear separate legal measure which means that the new processing is either required or permitted (eg a new law, or a discretionary new function given to a public authority) on which the authority may rely.

4.11 If the processing is undertaken for a new purpose, the relevant Privacy Notice(s) should be updated to reflect this.

Example: compatible or incompatible purposes

A local authority collects data about children in the last year of primary school in its area in order to run its admissions system to secondary schools. The information includes: the address and contact information for the parents/guardians of the pupils; the school attended to date by the children; their previous and expected test results; and, the distance between their home address and the nearest secondary school in the area.

Case 1. After several children do not receive their first choice of school, a local fee-paying school approaches the authority and asks for the names and addresses, in order to market its school to their parents as an alternative. While there is some link in the subject matter, the new purpose is incompatible, for two reasons: (i) it is not intended to be used to run a comparable statutory process; and (ii) parents’ reasonable expectations would be that their contact details would not be made available to another institution; especially for a commercial reason.

Case 2. The authority writes to the parents affected with two pieces of information: (i) the name of an independent advisor whom they may consult (for a fee) as to their options; and (ii) information about state schools in neighbouring local authority areas which have places available. The authority judged that there was insufficient time, before the deadline for revised applications, to ask the parents’ permission to use their data in this way; although it exceeds the purposes (ie the application process itself) for which they had originally said that the data would be used. Case 2 is close enough to the original purpose to mean that, in the circumstances, principle (b) is not infringed.

Case 3. As an example of the research exception, an educational researcher applies for the information to assist her five-year statistical study of the performance of the admissions system, in which the results will be anonymised and from which no decisions affecting those children will be drawn. The safeguards meet the requirements in the UK for a statistical purpose that is exempt from the purpose limitation rules; and thus the new purpose is not treated as incompatible with the initial one.

Principle (c): Data minimisation

4.12 To comply with this principle, the controller should analyse its processing activities (including proposed activities), in the light of their purposes, and should apply the following three tests to each type of processing:
— are the personal data we hold (or are proposing to collect, or to acquire) sufficient to enable us to carry out this purpose; or do we need more information? This is, however, rarely a problem.
— are all of the personal data we hold, or propose to collect, relevant to our purpose?
— are all of the personal data we hold, or propose to collect, ‘necessary’ to the purpose for which we are holding or collecting it? This may be interpreted to mean ‘reasonably necessary’, in the sense of proportionate to the purpose; rather than whether it is literally indispensable; although the question of whether the purpose could be achieved without the information at all, or with a lesser amount or type of information, should also be considered.

To the extent that any answer to the above questions is ‘No’, the principle will be infringed.

Principle (d): Accuracy

4.13 ‘Inaccuracy’ is defined in DPA 2018, s 205, as meaning (in relation to personal data) ‘incorrect or misleading as to any matter of fact’. The controller should ensure that it has systems in place for testing the accuracy of information it holds. These include alternative forms of recording names, or other differences in information which identifies individuals. This test should particularly be applied before, for example, personal data are shared with another controller; although realistically it would probably need to be done on a sampling basis. Where keeping the information up to date is necessary for the purpose of the processing, the controller should be able to show that it has systems enabling it to do so; and that they are effective. These will need to ensure, moreover, that all versions of the information held are identified, and that corrections or updates reach each version of the information. This may require the controller to ‘map’ the flows of information within the organisation; or, to or from partner organisations, including the creation of copies, or various opportunities for storage by multiple recipients.

Principle (e): Storage limitation

4.14 The controller’s records management systems are crucial to adhering to this principle (as to other areas of data protection compliance, such as providing an effective right of access). Data protection staff and records managers will need to work closely together in the light of the GDPR, and the DPA 2018, if they do not already do so. The controller should already have ‘retention schedules’ applying to all types of records, which set down policies as to how long personal data of particular kinds, or applied to particular uses, are to be kept. This should extend to information in manual files, given the wider definition of a ‘filing system’; but also to emails or other electronic documents held on individual laptops or other portable devices (including the private devices of any members of staff of the organisation, if allowed to use them for work purposes); as well as on the controller’s main system.

4.15 As well as developing and reviewing such policies, it can also be important that staff members who are at an appropriate level, but also sufficiently close to be involved in the day-to-day operation, have the authority to initiate destruction procedures; and that they carry them out as part of their role.
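The accuracy and storage limitation principles above both turn on the controller knowing every copy of a record it holds: corrections must reach each version, and the retention schedule must apply to copies on laptops and in partner systems as well as to the main system. The following is an added example (not from the book, and not ICO material) of how a small data inventory can make both checks mechanical. The inventory layout, the record types, the retention periods and the sample records are all constructed assumptions.

```python
"""Retention-schedule and correction-propagation checks over a constructed
data inventory. Added example; the layout, record types, retention periods
and sample data are assumptions, not taken from the book or the ICO."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed retention schedule: record type -> days to keep the record after
# its retention trigger (e.g. the end of the relationship). Values are assumed.
RETENTION_SCHEDULE = {
    "payroll": 6 * 365,
    "school-application": 365,
    "hr-medical": 3 * 365,
}


@dataclass
class Copy:
    """One stored version of a record: the system, device or partner holding it."""
    location: str
    data: dict


@dataclass
class Record:
    record_type: str
    subject_id: str
    trigger_date: date            # date from which the retention clock runs
    copies: list = field(default_factory=list)


def overdue_for_erasure(records, today):
    """(subject_id, location) pairs whose retention period has expired.

    A record type with no entry in the schedule is reported as well: the
    storage limitation principle needs a policy for every type of record.
    `today` may be a date or an ISO string such as "2019-06-01"."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    due = []
    for rec in records:
        days = RETENTION_SCHEDULE.get(rec.record_type)
        expired = days is None or rec.trigger_date + timedelta(days=days) <= today
        if expired:
            due.extend((rec.subject_id, copy.location) for copy in rec.copies)
    return due


def divergent_fields(record):
    """Field names whose values differ between the copies of one record,
    i.e. versions that an update or correction has not reached."""
    names = {name for copy in record.copies for name in copy.data}
    return {name for name in names
            if len({str(copy.data.get(name)) for copy in record.copies}) > 1}


def propagate_correction(records, subject_id, field_name, new_value):
    """Write a correction to every copy held for the subject and return the
    locations touched, so the controller can show the update reached each version."""
    touched = []
    for rec in records:
        if rec.subject_id != subject_id:
            continue
        for copy in rec.copies:
            if field_name in copy.data:
                copy.data[field_name] = new_value
                touched.append(copy.location)
    return touched


def sample_inventory():
    """Constructed inventory; every location and value here is made up."""
    return [
        Record("payroll", "emp-001", date(2012, 3, 31), [
            Copy("hr-system", {"name": "A. Smith", "sort_code": "00-00-00"}),
            Copy("payroll-laptop", {"name": "A. Smith", "sort_code": "00-00-00"}),
        ]),
        Record("school-application", "child-042", date(2019, 4, 1), [
            Copy("admissions-db", {"address": "1 Example Road"}),
            Copy("email-archive", {"address": "1 Example Rd"}),   # drifted copy
        ]),
        Record("visitor-log", "vis-007", date(2019, 1, 2),
               [Copy("reception-pc", {"name": "B. Jones"})]),    # no schedule entry
    ]


if __name__ == "__main__":
    inventory = sample_inventory()
    print(overdue_for_erasure(inventory, "2019-06-01"))
    print(divergent_fields(inventory[1]))
    print(propagate_correction(inventory, "child-042", "address", "1 Example Road"))
```

Run against the constructed inventory on 1 June 2019, the payroll record (trigger date in 2012) and the visitor log (no schedule entry at all) are reported for every location that holds a copy, while the school application is still within its period. The drifted address in the email archive shows up as a divergent field until the correction is pushed to both copies.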


Principle (f): Integrity and Accountability

4.16 The security requirements of the GDPR have not changed significantly. The continuing requirement is to maintain security systems to protect the personal data held from being accidentally or deliberately compromised; and, to follow practices which accord with the level of risk to the personal data held, and with the degree of harm that would follow from a data breach. The GDPR requires, however, that controllers assess their risks. The controller and processor are each required to implement appropriate technical and organisational measures to meet security risks (whether from a cyber-attack, or from physical or organisational factors), taking into account: the ‘state of the art’; the costs of implementation; and, the nature, scope, context or purposes of the processing; as well as the level and likelihood of the risk (Article 32(1)). The list is helpful, in containing limitations (cost, and potentially the nature of the processing or the likelihood of risk); but requires an assessment to be made.

4.17 These risk factors will change constantly; generally in the direction of greater technical capacity and vigilance being both available and necessary. With the explosion in recent years in the scale of data held and transferred electronically, the security needs have grown commensurately; and can be expected to continue to do so.

4.18 At the time of writing, permission had been granted for an appeal to the Supreme Court against the ruling of the Court of Appeal in the Morrisons case⁷ that the employer in that case was ‘vicariously liable’ (ie liable for the acts of its employee), in circumstances where payroll data (including bank details) of 100,000 staff had been unlawfully placed on the internet by a disgruntled employee. It should be noted that cases involving vicarious liability are very ‘fact-specific’, so that another case which is superficially similar may not necessarily see the same result. The case, which was heard under the DPA 1998, raises questions about whether the legislation excludes an action for such liability in those circumstances. In relation to the tort of misuse of private information, and breach of confidence, the Court of Appeal held that the statute did not exclude the bringing of an action based on vicarious liability in relation to either ground⁸. The outcome of the appeal to the Supreme Court is likely to be significant in relation to the first question; and as to whether the scope or otherwise for vicarious liability to apply in the latter circumstances. It may also be important more generally as to the relationship between the different causes of action.

THE NEW ACCOUNTABILITY PRINCIPLE

4.19 The controller is responsible for compliance with the data protection principles⁹. This should be seen as linked to the very specific requirements for processing activities to be recorded¹⁰. The controller is to maintain a record of (amongst other items):

• the purposes of the processing;
• the categories of data subjects;
• the time limits envisaged for erasure of the different categories of data it keeps; and
• a general description of the security arrangements (or, post-Brexit, where there is an exemption from these requirements on the grounds of defence or national security, a description of the security arrangements deemed appropriate to the risks)¹¹.

Processors are obliged to keep a similar but shorter list¹². Representatives of controllers or processors, where they are required to have them, are also obliged to keep similar records.

4.20 The record is to be kept in writing and must be made available to the ICO on request. There is an exemption for organisations employing fewer than 250 people, unless: there is a risk to the rights and freedoms of data subjects; the processing is not occasional; or, the processing involves special category data, or criminal information. Similar obligations are placed on processors¹³.

4.21 Against the background of these recording requirements, in order to fulfil the Accountability principle, a controller needs at any given time to be in a position to demonstrate compliance by:

• showing how the processing is ‘lawful, fair and transparent’ (relating to principle (a));
• demonstrating that the purposes of all types of processing have been recorded, including how any further purposes are not incompatible with the initial purpose (relating to principle (b));
• showing how the requirements of principles (b)–(e) are met, in relation to each case of processing, in the context of the purposes;
• showing how the security requirements in principle (f) have been assessed and met.

7 Wm Morrison Supermarket plc v Various Claimants [2018] EWCA Civ 2339.
8 See also para 16.50.
9 GDPR, Article 5(1).

4.22 In each case, a controller should assume that compliance will require regular reviews to establish that the principles are still being met; or, that any necessary action to upgrade or restore compliance should be taken. As examples of measures that may need to be taken to ensure compliance with the Accountability principle, the Information Commissioner advises the following:

— Technical and organisational measures, such as developing internal data protection policies covering staff training, internal audits of your data processing activities, and reviews of internal Human Resources policies concerning data protection;
— Maintaining relevant documentation;
— Appointing a data protection officer where appropriate (eg in the public sector; see Chapter 14);
— Implementing the principles of ‘data protection by design’, and ‘data protection by default’ (see para 3.58);
— Using data protection impact assessments where appropriate (see Chapter 13 below);
— Adhering to approved codes of conduct and/or certification schemes.

10 GDPR, Article 30.
11 DPPEC Regulations, Sch 1, para 24, and Sch 2, para 36(4).
12 GDPR, Article 30(2).
13 GDPR, Article 30(5).
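As an added illustration of the recording requirements in paras 4.19 to 4.21 (this is example code, not the book’s or the ICO’s), the following register holds the items a record of processing is to contain, applies the fewer-than-250-employees test from para 4.20, and lists what is missing from each entry. The field names, the lawful-basis field (which Article 30 does not itself require, but which the controller needs in order to show that processing is lawful under principle (a)) and the sample activities are all assumptions.

```python
"""Record-of-processing register with the small-organisation test from
para 4.20 and completeness checks for the items in para 4.19. Added example;
field names and sample activities are assumptions, not from the book or ICO."""
from dataclasses import dataclass, field


@dataclass
class ProcessingActivity:
    name: str
    purposes: list = field(default_factory=list)
    data_subject_categories: list = field(default_factory=list)
    erasure_time_limits: dict = field(default_factory=dict)   # data category -> limit
    security_description: str = ""
    lawful_basis: str = ""        # not an Article 30 item; kept to show principle (a)
    special_category: bool = False
    article9_condition: str = ""  # expected whenever special_category is True
    criminal_data: bool = False
    occasional: bool = False
    risk_to_rights: bool = False


def record_required(employee_count, activity):
    """Para 4.20: fewer than 250 employees exempts the organisation unless the
    processing is risky, not occasional, or involves special category or
    criminal data."""
    if employee_count >= 250:
        return True
    return (activity.risk_to_rights or not activity.occasional
            or activity.special_category or activity.criminal_data)


def completeness_findings(activity):
    """Items a record should carry (para 4.19) that are missing from this entry."""
    findings = []
    if not activity.purposes:
        findings.append("no purpose recorded")
    if not activity.data_subject_categories:
        findings.append("no categories of data subjects")
    if not activity.erasure_time_limits:
        findings.append("no erasure time limits")
    if not activity.security_description:
        findings.append("no description of security arrangements")
    if not activity.lawful_basis:
        findings.append("no lawful basis documented")
    if activity.special_category and not activity.article9_condition:
        findings.append("special category data without an Article 9 condition")
    return findings


def audit_register(employee_count, activities):
    """Map each activity that must be recorded to its list of findings."""
    return {a.name: completeness_findings(a)
            for a in activities if record_required(employee_count, a)}


def sample_activities():
    """Constructed register entries for a fictitious 40-person employer."""
    return [
        ProcessingActivity(
            name="payroll",
            purposes=["paying staff"],
            data_subject_categories=["employees"],
            erasure_time_limits={"pay records": "6 years after employment ends"},
            security_description="access limited to HR; encrypted at rest",
            lawful_basis="contract (Article 6(1)(b))",
        ),
        ProcessingActivity(
            name="sickness absence",
            purposes=["managing absence"],
            data_subject_categories=["employees"],
            special_category=True,            # health data: no exemption, needs Art 9
        ),
        ProcessingActivity(
            name="one-off staff survey",
            purposes=["gathering views on an office move"],
            data_subject_categories=["employees"],
            occasional=True,                  # occasional, low risk, ordinary data
        ),
    ]


if __name__ == "__main__":
    for name, findings in audit_register(40, sample_activities()).items():
        print(name, findings or "complete")
```

For the constructed 40-person employer, the one-off survey falls within the exemption and is not audited, the payroll entry is complete, and the sickness-absence entry is required (health data) and reported for its missing erasure limits, security description, lawful basis and Article 9 condition.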


CHAPTER 5

Lawful Bases of Processing

5.1 The requirement under the first principle (a) in Article 5, that processing should be done ‘lawfully’, means that every act of processing has to fall within at least one ‘lawful basis’ in the GDPR, Article 6(1)(a)–(f). These were formerly the ‘data processing conditions’ in the UK, which were set out in Schedule 2 of the Data Protection Act 1998 (‘DPA 1998’). Establishing which of these lawful bases or conditions applies in each case is at the core of data protection compliance. It forms an important part of the Accountability principle (although, curiously, it falls outside the recording requirements in Article 30).

5.2 There are additional requirements in relation to the processing of special category data under Article 9 (which replaced the former Schedule 3 of the DPA 1998); as supplemented by Data Protection Act 2018 (‘DPA 2018’), Schedule 1 – see para 5.86ff below.

SIX LAWFUL BASES

5.3 The six lawful bases are as follows. The descriptions below are based on those in the ICO’s guidance on the GDPR:

(a) Consent: ‘the data subject has given consent to the processing of his or her personal data for one or more specific purposes’ (Article 6(1)(a))

5.4 Some of the press coverage before the coming into effect of the GDPR gave a misleading impression of the importance of consent under the Regulation, implying that it would become the main criterion of lawful processing. The Regulation does make the conditions for a valid consent more stringent, but it does not in any way increase its likely range of use at the expense of the other lawful bases (if anything, the opposite seems likely). It remains the case that it should be relied upon, if it applies, only where no other lawful basis is available.

5.5 The meaning of ‘consent’ was examined in detail at paras 3.39–3.48 above; and that section could also be referred to. The Commissioner describes this basis as applying where: ‘the individual has given clear consent for you to process their personal data for a specific purpose’. The ICO’s consistent guidance on consent has been that it should be used only if no other condition/lawful basis is applicable. There can be uncertainty over the extent of consent, and the withdrawal of a consent would end the processing (unless another lawful basis becomes available). Under the GDPR, the additional requirements attaching to a valid consent have added to the obstacles to its use. On the other hand, where no other lawful basis applies, the processing will often touch on the individual closely, or arise from unusual activity; and the controller may wish the data subject to have the responsibility for giving their consent.

5.6 Recital 42 sets out that the controller should be able to demonstrate that the data subject has consented to the processing operation. Where consent is written, there should be safeguards to ensure that the data subject knows that his or her consent has been given, and the extent of what it covers. Where the controller formulates a declaration of consent in advance, it needs to be in an intelligible form that is easily accessible, using clear and plain language and containing no unfair contract terms. For consent to be informed, the data subject should at least know the identity of the controller, and the purposes of the intended processing. As indicated above, consent has not been freely given if the data subject has no genuine or free choice, or cannot refuse or withdraw their consent without suffering harm.

5.7 Consent is presumed not to be freely given if it does not permit consent to be given to a different processing operation despite it being appropriate in the individual case. (See Example A below). Nor would it be freely given if the performance of a contract (including providing a service) were made dependent on the consent, despite such consent not being necessary for the performance. (See Example B below).

Example A: Consent as lawful basis
Danny’s email provider is creating a series of deals with commercial partners to share the data it holds on its customers with them; and, at the same time, looking to share customers’ details with its sister companies within the same group as itself in the future. It offers him a new contract, for which his consent is sought: (a) to sharing his details within the company’s group, when created. The company says this will be in about three months’ time; (b) to sharing his details now, with commercial partners outside the company, marketing a wider range of merchandise and services than within the company group. Danny is asked to give his consent to this sharing as a single package. He asks, however, whether he can give his consent now to the in-house sharing, and in three months’ time to the wider sharing when he has thought about it. The company refuses, and insists that he must give his consent now to both, or lose their service. The requested consent is invalid. The company should have allowed Danny to give his consent separately to the two different processing operations.

Example B: Consent as lawful basis
Danny received an email from his email provider in May 2018, shortly before the coming into effect of the GDPR. It required him to give his consent to new contractual terms, as a condition of continuing the service. The new terms included that personal data about a number of his consumer preferences, as well as his identity and email address, would be shared with a number of commercial partners of the provider. The consent sought from Danny was invalid, since performance of the contract to continue the email service was made dependent on the giving of a consent which was not necessary (however desirable for the company) to the performance of the contract.

5.8 Where processing is based on consent, all individual rights potentially apply, save the right to object (Article 21) (see Chapter 8)¹. In addition, a data subject who has given their consent to the processing (or explicit consent in the case of special category data), may exercise the right to data portability, where the processing is carried out by automated means².

(b) Contract: ‘processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’ (Article 6(1)(b))

5.9 The Commissioner expresses this as: ‘the processing is necessary for a contract you have with the individual, or because the individual has asked you to take specific steps before entering into a contract’.

5.10 In a commercial context, this basis may be more appropriate than consent in cases where the latter basis has previously been claimed. For the reasons above, the contractual basis should be considered before consent in relation to any processing arising in the context of a trading activity. The same is the case in relation to an anticipated trading relationship where the individual has asked the controller to take preliminary steps (eg by asking, through the producer’s website, to be sent information about a product). If the collection of particular personal data from the individual is necessary to the carrying out of the contract, this basis would be more appropriate because consent should represent a genuine choice; which may not be the case if the supply of the data by an individual to a potential controller is made conditional on the making of the contract. In the case of some contracts for services, for example, it is sometimes claimed that consent is needed at the outset to cover all later processing. This is unlikely to be valid, for the simple reason that the data subject cannot know in advance what processing will be considered necessary under the contract in the future; and so the consent cannot have been given with full knowledge. In reality, if the purpose of the ‘consent’ sought at the outset is to enable the contract to be carried out, the contractual basis, which also embraces steps taken at the request of the data subject to enter the contract, would be a more solid condition on which to base the processing.

5.11 In the public or private sectors, controllers should consider using this lawful basis for processing information necessary to their engaging in contracts with other people (eg the processing by public authorities of personal information about contractors in the context of their procurement of goods or services). They may also wish to consider it in relation to the Human Resources (‘HR’) information which they hold about their staff, since such information will, at least in part, arise from, and be processed in accordance with, their individual contracts of employment with their staff.

5.12 The right to data portability does apply where the processing rests on the contractual basis. Most of the other individual rights also apply, save for the right not to be subject to a wholly automated decision, which does not apply where this lawful basis is used³; or, the right to object⁴.

Example: Contract as lawful basis
Roberta, who is aged 25, has inherited a lump sum from her late grandmother. She wishes to invest the sum for a 10-year period. She goes to an investment broker, who says that he needs her consent to invest the money as he sees fit over that period; and that her consent will cover his processing of her personal data for this purpose throughout that time. He will also expect to share some of her personal data with commercial companies in the future, in order to identify further investment opportunities as they occur. She agrees, but this is not a valid consent for data protection purposes. Instead, the broker should have relied on the contractual basis to collect the personal data he needed at the outset, at her request, in order to take steps prior to entering a contract between Roberta and himself to invest the funds on her behalf. (The scope of Roberta’s personal data in this context would include the amount of her capital, and her investment expectations). Once the contract is made and if it so provides, the broker may legitimately take control of the handling of the funds and invest them on Roberta’s behalf; with any processing of her personal data being necessary for the purposes of the contract. If the contract so provides, he may also share the data with potential other advisors and investment opportunities. He should keep Roberta informed of the progress of the fund, and of the other persons with whom he is sharing her data, in accordance with her rights under Articles 13 and 14. (The rules on transfers outside the EU/UK may also be relevant to future investments).

1 GDPR, Article 21(1).
2 GDPR, Article 20(1)(a) and (b).
3 GDPR, Article 20(1)(a) and (b); and Article 22(2)(a).
4 GDPR, Article 21(1).

(c) Legal obligation: ‘processing is necessary for compliance with a legal obligation to which the controller is subject’ (Article 6(1)(c))

5.13 The Commissioner expresses this basis simply as follows: ‘[the] processing is necessary for you to comply with the law (not including contractual obligations)’. This lawful basis has hardly changed with the GDPR; although the Commissioner advises reviewing any processing undertaken on the basis of the former condition⁵, to check that this remains the correct lawful basis (see Example (i) below).

5.14 The processing involved need not be that of the controller: another person may rely on this basis if that person’s processing would enable the controller to meet its legal obligation (see Example (ii) below). The obligation may arise from statute, an order of a court, or a rule of common law.

Example (i): Legal obligation as lawful basis – controller’s legal obligation
An employer is given a new legal obligation in statute to share information with the relevant government department about the age and employment status of its staff. This is in order to monitor possible benefit fraud. The employer may base its processing on its legal obligation.

Example (ii): Legal obligation as lawful basis – processor relying on controller’s obligation
A second employer, subject to the same new statutory obligation, has recently outsourced its Human Resources function. It now needs its new HR provider to pass the above information to it, in order that the employer can fulfil its legal obligation to submit the information to the government. The outsourced HR provider may rely on the employer’s legal obligation in order to carry out the processing.

NB. It is not necessary, therefore, for the legal person who or which undertakes the processing to have the legal obligation; provided the processing is necessary to compliance with a legal obligation to which the controller is subject.

5.15 The obligation cannot arise, however, from contract; since that kind of obligation has been voluntarily adopted, and the essence of this basis is that the processing is compulsory. Any element of choice or discretion over whether to undertake the processing will make the basis inapplicable. In the same way that a controller may not opt out of its data protection obligations by contract, so it similarly may not opt into them and then claim a legal obligation.

5 DPA 1998, Sch 2, para 3.

5.16 It is not necessary for the legal obligation to require that the precise processing operation should take place; nor for it to specify the precise information to be processed (although if it arises from a statutory obligation or a court order, it may often do so). It is necessary merely that the overall purpose of complying with the legal obligation arises from statute or common law (ie judge-made law); that the obligation is on the controller; and, that the particular processing is required to meet the controller’s obligation. On the other hand, the controller or processor should be able to identify the legal obligation. They may rely on guidance from the government, or from within the relevant industry or service sector in which it operates, as to the legal position; provided that the advice or guidance identifies the legal obligation concerned. It will not be necessary to cite the specific legal provision; provided the obligation is clear, or its actions are based on clear and reliable advice on the nature of the obligation.

5.17 For processing to be ‘necessary’ to fulfil a legal obligation, it should be a reasonable and proportionate way of achieving compliance with the obligation. If there is another reasonable way to comply (or if there is a choice over whether to comply) the processing may not be ‘necessary’ to compliance. The Commissioner advises that it is likely to be clear from the legal provision in question whether the processing is ‘necessary’ to compliance.

5.18 As with all the lawful bases, it is important to document any decision to rely on this basis, including the reasoning involved.

5.19 It will normally be the controller which has the legal obligation. For example, a company may have a legal obligation to report suspicious activity, which it considers may indicate money laundering, to the relevant authorities. It is possible (but less common) for a processor to have a legal obligation (eg to report potentially illegal activity). Occasionally, it may be another controller which has the obligation, but the first organisation which has the information which the other controller needs. In those circumstances, controller A may rely on a legal obligation which applies to controller B, where processing by controller A is necessary in order to meet controller B’s legal obligation (see Example (iii) below).

Example (iii): Legal obligation as lawful basis – controller relying on legal obligation of another controller
A local authority (Controller A) is asked to pass personal data to a regulator (Controller B) in order that the latter can investigate a matter under a court order obliging it to do so. Provided the information is necessary to the investigation, the local authority may supply it to the regulator under this lawful basis. NB: the ‘public task’ basis, relying on the function of Controller B, might also have been available in this situation.

5.20 Although it is sometimes argued that controllers that are public authorities may rely on this condition when carrying out their duties (as opposed to powers), the author does not consider this to be correct. There are two main reasons. First, the ‘public task’ lawful basis should be treated as the main foundation for undertaking processing which is linked to public functions, since it is aligned directly with the powers and duties of public bodies, and the processing necessary to carry them out. Second, the precise legal obligation on the controller to process any particular piece of data, arising from such a duty, may well be unclear. Its extent may rely on an exercise of professional judgment, or of a degree of discretion by the public authority. The duty will carry an incidental obligation to process some personal data in order to carry it out effectively; but it will not lead necessarily to the conclusion that a particular piece of personal data should, or should not, be processed. So, for example, a social care authority may have a statutory duty to process the personal data of a service user in order to provide social care to him or her, once that person has been demonstrated to be eligible to receive it; but it will be the authority’s social workers or other professional staff who will determine which specific data about that person should be collected or used to provide the service they need.

5.21 Information about the lawful basis relied upon, and the purposes of the processing should be included in privacy notices (Articles 13(1)(e) or 14(1)(c)).

5.22 An individual has no rights to erasure or data portability, or to object, where this lawful basis is relied upon⁶.

5.23 On a related point, it may be noted that personal data which have been made subject to the right of restriction (Article 18) may still be processed by a controller or processor against whom the right has been exercised, for the establishment, exercise or defence of legal claims⁷.

(d) Vital interests: ‘processing is necessary in order to protect the vital interests of the data subject or of another person’ (Article 6(1)(d))

5.24 This basis will arise relatively rarely. It is restricted to processing that is necessary in an emergency to protect the vital interests of the data subject, or of another natural person. ‘Vital interests’ relate to life-and-death matters, and the Commissioner describes this basis simply as: ‘the processing is necessary to protect someone’s life.’ Recital 46 describes it as applying to ‘an interest which is essential for the life of the data subject or that of another person’ (suggesting that the interests involved might not be limited to the strict cause of the life-threatening condition, but might also include the patient’s immediate treatment, where the matter was of that degree of seriousness, or possibly also include information about other matters relevant to the survival of the individual).

6 GDPR, Articles 17(3)(b), 20(1)(a), or 21(1) respectively.
7 GDPR, Article 18(2).

Example: Vital interests as lawful basis
Your HR records show that a staff member has a rare medical condition. She is taken ill at work. Your HR department passes on its knowledge of the condition to the paramedics who attend the patient. The processing of this information would fall under this lawful basis. (Since the information would also be special category information, as relating to the health of the individual, the processing would need also to rely on the equivalent condition in Article 9(2)(c) – see para 5.96).

5.25 Recital 46 says that relying on this basis to support processing for the vital interests of ‘another natural person’ (ie other than the data subject) should take place in principle only where another legal basis is not ‘manifestly’ (ie clearly) available. It also points out that ‘vital interests’ and a ‘public interest’ basis may coincide; for example, when monitoring epidemics or humanitarian emergencies. This might be taken to suggest that, in the example above, passing on information to the paramedics about the patient’s nearest relative, or their emergency contact telephone number, might not properly fall under this basis, and should be seen instead (at least in a case involving public health provision) as necessary to the public task of the NHS body which has responsibility for providing the service, in order to fall under the lawful basis in Article 6(1)(e). (If the health care was provided on a private basis, the equivalent lawful basis for this wider information would appear to be the contractual basis above; while the basis for the special category data would seem to be processing necessary for the purposes of the provision of healthcare under Article 9(2)(h) (see paras 5.107–5.110 below).) It seems doubtful, however, that controllers should be overly concerned about passing on helpful information in such a situation. Rather, the existence of alternative lawful bases, as well as of the vital interests basis itself, should be taken as an indication that the data protection rules provide more than adequate means to enable the necessary steps to be taken in an emergency.

5.26 There are no individual rights to data portability, or to object, where this basis of processing has been used⁸. The other individual rights apply.

(e)  Public task: ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’ (Article 6(1)(e)) 5.27 This basis, although couched in new language, is very similar to the previous data-processing condition in the former Sch  2, paras 5(a)–(d) of the DPA  1998, covering public functions9. This similarity is made express by

8 9

GDPR, Articles 20(1)(a) and 21(1). Former DPA 1998, Sch 2, para 5.

63

5.28  Lawful Bases of Processing

the DPA 2018, s 8, which provides10 that the lawful basis includes (but is not restricted to) the processing of personal data which is necessary for: (a) the administration of justice; (b) the exercise of a function of either House of Parliament; (c) the exercise of a function conferred on any person by an enactment; (d) the exercise of a function of the Crown, a Minister of the Crown, or a government department; or (e) an activity that supports or promotes democratic engagement.

5.28 Elements (c) and (d) above should cover the great majority of the processing undertaken by the public sector.

5.29 There are three differences between the new lawful basis and the old data processing condition:
(i) the exercise of a function of either House of Parliament under element (b) did not form part of the former data processing condition (in the DPA 1998, Sch 2, para 5);
(ii) the reference in the former condition in the DPA 1998, Sch 2, para 5(d), to the ‘exercise of any other functions of a public nature exercised in the public interest by any person’, has not been reproduced in the 2018 Act. The former wording referred to activities undertaken in the public interest by persons other than the public sector; probably based on statutory functions of the public authority concerned (eg the collection of waste by a contractor for a local authority). The wording of Article 6(1)(e) itself, however, which refers to ‘the performance of a task carried out in the public interest’, appears to be sufficiently broad to encompass this type of processing; and the ICO’s guidance reflects this approach (see para 5.30);
(iii) the fifth category (e), concerned with promoting democratic engagement, is new, and was added during the progress of the Bill through Parliament. The Explanatory Notes to the 2018 Act (para 86) describe the basis as intended to cover a ‘wide range of political activities inside and outside election periods’. These include democratic representation, communicating with electors, gathering opinion, campaigning activities, supporting the work of elected representatives and candidates, and fundraising. This points to the processing arising from the main campaigning activities of political parties as falling within this lawful basis for the first time. The recording of individuals’ political opinions (or voting intentions) by political parties is covered by an associated lawful basis for special category data (see paras 5.157–5.160 below).

5.30 The functions listed in the DPA 2018, s 8, as falling within this lawful basis do not comprise its full extent. The Commissioner’s guidance looks at the wider basis as reflected in Article 6(1)(e). She divides it into two; regarding the first part of the basis (‘a task carried out in the public interest’) as applying where: ‘the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law’. The second part (‘the exercise of official authority vested in the controller’) is seen as covering the public functions (ie the powers and duties) of public authorities, where they are set out in law. Public authorities’ mainstream activities, therefore, arising under their statutory powers and duties (and equating to the activities covered by s 8), come under the second part of the definition.

10 Using powers, pre-Brexit, in GDPR, Article 6(2), and reflecting Recital 45. Article 6(2) is removed as unnecessary, post-Brexit, by the DPPEC Regulations, Sch 1, para 7(2).

5.31 Public authorities may probably also use the first half on occasion, since in the Commissioner’s view it can apply to ‘any organisation that exercises official authority’; as well as to one that is carrying out tasks in the public interest, provided there is a legal basis for the activity. (The basis would not appear, therefore, to cover such activities undertaken voluntarily, or in a purely public-spirited way, unless such a legal basis has been established in advance).

5.32 Processing undertaken by a company under a contract as part of a task it was carrying out, where the contract had been let to it by a public authority after a tendering process, could rely on the first half of this lawful basis for its processing. The same would apply to a charity or voluntary organisation providing a service for a public authority.

Example (i): Public task basis (first part: private sector)
A waste company has a contract to empty household bins in Uptown. It keeps records of any special requirements notified to it concerning individual users of its service. Residents are expected to move their bins weekly to the front of their homes. One record states that Emily, the elderly occupant of 34 Acacia Drive, needs her wheelie-bin fetched from behind her house because of her problems with mobility.
The company’s processing of the record would fall under this basis. The company’s task in the public interest (ie to empty the bins) is set out in law under the contract. The particular processing (ie recording the need to fetch Emily’s bins, and that she has a mobility problem) is necessary to its performance, so that the task can be carried out in the most effective way. The recorded information concerning her mobility problem is special category data, for the processing of which the company can rely on the equivalent lawful basis in Article 9(2)(g), and DPA 2018, Sch 1, para 6 – see paras 5.117–5.120 below.

Example (ii): Public task basis (second part: public sector)
Uptown council provides its social housing ‘in-house’ through its own staff. As the local housing authority, the council has a record that Emily needs the assistance of a carer twice a week. Uptown arranges the service with the county council, which is the social care authority for the area. The district council’s disclosure of Emily’s personal data to the county council, and the county council’s further processing of the data so that one of its carers will attend and provide the service, are both an exercise of the respective councils’ ‘official authority’ as controllers.


In the district council’s case, as the original controller, sharing the data with the county council either falls under its general power of competence, or is ancillary to its housing functions.11 In either case, the processing represents for this reason an exercise of its ‘official authority’. In the case of the county council, which becomes a further controller of Emily’s data, its processing of her data is an exercise of its functions as the social care authority for residents of its area. Both sets of processing are ‘necessary’ to enable the respective functions of the two councils to be carried out effectively, and so fall under the second part of the ‘public task’ lawful basis. (As above, the processing of the special category data about Emily’s health falls also under the equivalent basis in Article 9(2)(g); or it may also fall under the basis for social care processing in Article 9(2)(h)). In both cases, the activities also fall under DPA 2018, s 8(c).

5.33 The ‘public task’ basis is intended to be the foundation on which the majority of processing by public bodies is carried out (although the term ‘public task’ does not appear in the GDPR)12. Its use can be expected to be expanded to take in, as well, most of the processing which was carried out by public authorities under the former ‘legitimate interests’ condition13; since this is now denied to such authorities when performing their public tasks (see para 5.80 below).

5.34 Public authorities should, therefore, see this lawful basis as applying to processing undertaken:
• for the purposes of their statutory functions, or activities arising from them; or
• in the exercise of the authority vested in them (eg as regulators, enforcement bodies, licensing bodies, land-use planning authorities, health and safety authorities etc).

5.35 Since statute does not cover all activities of public bodies in detail, where an activity is ‘reasonably incidental’ to a statutory function, it is treated as authorised by that function, under a familiar principle of administrative law; and so should be seen in this context as falling under the public task basis in the same way14. There are, however, limits to how far this lawful basis may be used. The Commissioner’s description is that ‘your underlying task, function or power must have a clear basis in law’, and its application must be ‘clear and foreseeable’ (derived from Recital 41). Public authorities, or others relying on this lawful basis, should be able to identify the function or activity on which the lawful basis relies; and also the legal authority for their carrying it out.

11 See paras 10.14–10.18 on legal powers to share data.
12 The Commissioner points out that, while there is no direct link to the same phrase ‘public task’ as set out in the Re-Use of Public Sector Information Regulations 2015, there is some overlap. The ICO also suggests that a public body’s core role and functions may be a useful starting point in demonstrating its ‘official authority’ for the purposes of the GDPR.
13 Former DPA 1998, Sch 2, para 6.
14 Also confirmed in GDPR, Recitals 41 and 45.


5.36 Other legal persons, outside the public sector, who or which undertake processing that is necessary for the performance of a task carried out in the public interest, would include:
• a statutory planning inspector conducting a planning inquiry into a refusal of planning permission on behalf of the Secretary of State. The inspector’s report forms a core part of the appeal as subsequently determined by the Minister. The inspector’s processing of personal data in the course of running the inquiry, or of preparing the report (eg using objectors’ personal data in quoting their arguments against the granting of planning permission), would fall under this basis.
• a private company making personal data about one of its directors available to the company regulator, a public body. The processing will fall under this basis, as necessary to the regulator’s exercise of its public authority.
• a building contractor, carrying out work for a public body under contract, which processes personal data such as contact information about individuals working in the public authority, or about associated contractors; to the extent that the processing was necessary to the performance of the task in the public interest.

5.37 As a further example, the Commissioner’s guidance refers to private water companies, which are regarded as carrying out ‘functions of public administration’, because they exercise special legal powers over individuals (eg hose pipe bans, and powers of entry onto private land) in order to provide a water supply in the public interest. In that case, the exercise of such powers would come from the ‘official authority’ vested in those companies.

5.38 While the second part of the lawful basis (the exercise of official authority) is limited to processing for the purposes of such authority vested in the controller, the first part (the performance of a task in the public interest) is not so limited. It can relate to processing which is necessary to the private body’s performance of the task (as well as, or alternatively to, the public authority’s exercise of its functions).

5.39 Processing under either part of the public task basis must be ‘necessary’ to the performance of the task, or the exercise of the authority. If the task could reasonably be performed, or the powers be exercised, in a way that was less intrusive on the privacy of individuals, the basis would not apply. The Commissioner describes this as needing to show that the processing is carried out in a ‘targeted and proportionate way’. It is suggested that this test should not be regarded as unduly restrictive. Provided the processing is reasonable and proportionate, and there is no less intrusive approach evidently available that would achieve the same objective, the test is likely to be met. It is not necessary to justify processing under the second limb of the test in the public interest.

5.40 As with other bases, it is important under the Accountability principle to document how the controller or processor is compliant with it, under Article 6(1)(e), or DPA 2018, s 8. This requires specifying the task, function or power involved, with the statutory or common law basis on which it is undertaken. It will also require reasoning as to why the processing is ‘necessary’ in that context (see Example (i) after para 5.32 above). Privacy notices should be updated with basic information about the purposes and lawful basis of the processing, and should be communicated to individuals.

Example: Documenting your processing and reasons under the ‘public task’ basis
The following might be a short record of a particular type of processing; although there is no set format and controllers should develop their own.

Activity: Provision of advice to school-leavers on government training programmes.
Legal basis for activity: Power in [imaginary] Advice to School Pupils Act 2018, s 14.
Lawful basis for processing: Exercise of function of government department (DPA 2018, s 8(d), and GDPR, Article 6(1)(e)).
Description of processing: Collection of school leavers’ contact data; discussion in interviews of training and apprenticeship courses available; creation of electronic file for each pupil by name and reference number; record of discussions and advice given; despatch by email/letter to the pupil and parents of the advice given to the school-leaver; follow-up letter after three months seeking outcome/feedback.
Why processing ‘necessary’ to function(s): Contact information is necessary to enable discussion to be followed up. A record of advice enables service given to be confirmed, and renewed as necessary. Minimum data to be collected to enable function to be performed effectively. Data destroyed, other than reference number, after six months from end of course, or if no response to second follow-up letter.
Privacy Notice updated?: Yes [date updated]
How PN available to pupil?: Provided and explained to school leaver at interview before data collected. Also available on departmental website [address or link]

5.41 The ICO points out in her guidance that, where processing has been undertaken under this basis, further processing will be considered compatible with the initial processing where it is undertaken for:
– archiving purposes in the public interest;
– scientific research purposes; or
– statistical purposes15.

5.42 As indicated above, the processing of special category data, which arises from the public task basis, will require an additional lawful basis under Article 9(2)(g) (or another basis in that Article). The DPA 2018, s 10 and Sch 1 make similar provision as above in relation to Parliamentary, statutory or governmental functions for special category data16. This should provide the necessary UK basis for the processing; although an ‘appropriate policy document’ will also be needed before it can be claimed (see paras 5.89–5.91).

5.43 Separate provision is made in respect of special category data (constituted by political opinions), generated by activity promoting ‘democratic engagement’17.

5.44 The rights to erasure and data portability are excluded if this lawful basis is used18. Processing may also take place of data that has been made subject to the right of restriction, for reasons of important public interest19.

(f) Legitimate interests: ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child’ (Article 6(1)(f))

5.45 The Commissioner’s simple description of this basis is that: ‘the processing is necessary for your legitimate interests, or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests’. The ICO describes it as the most flexible of the lawful bases, but also as one which should not be assumed to be appropriate for all processing.

5.46 While this formulation outlines the broad test involved, it is suggested that a more specific approach is required to identify the balance that has to be struck. The Commissioner suggests that this lawful basis may be appropriate where the controller does not want the data subject to have the control represented by consent; or, where the controller has a ‘compelling justification’ for the processing. It may also be used for relatively uncontentious processing, such as contacts between senior individuals in a business context.

15 Based on GDPR, Article 5(1)(b) and Recital 50.
16 DPA 2018, Sch 1, para 6.
17 See paras 5.157–5.160.
18 GDPR, Articles 17(3)(b) or 20(1)(a).
19 GDPR, Article 18(2). After Brexit, the DPPEC Regulations (Sch 1, para 16) remove a reference to the public interest being that ‘of the Union or of a Member State’.


5.47 The basis requires a three-part test to be met:
• to identify a legitimate interest (the ‘purpose test’);
• to establish whether the processing is necessary to achieve the legitimate interest (the ‘necessity test’); and, if so
• to balance the legitimate interest against the interests, rights and freedoms of the individual (the ‘balancing test’), as to whether the former are ‘overridden’ by the latter.

In terms of steps to be taken, this is the same process as formerly applied under DPA 1998, Sch 2, para 6.

(a) Purpose test: the legitimate interests can be those of the controller or of a third party, and can include commercial interests as well as those more likely to be seen as ‘public’ interests. Unlike the formulation in the DPA 1998, the third party need not be the legal person to whom the data are to be disclosed; so that the legitimate interest can be that of any other person. This broadens the basis of a legitimate interest, with the result that it can encompass a general public interest, as well as the interests of an individual or organisation. In effect, a piece of data processing could be a ‘good thing’ if it occurred, and qualify as a legitimate interest on this basis. The requirement is solely that the interest should be ‘legitimate’; which simply means not illegitimate, unethical or unlawful. At the same time, the specific weight to be given to a legitimate interest will vary with the circumstances.

5.48 The Commissioner points in her guidance to the processing of references to client or employee data, or data for the purposes of marketing, fraud prevention, transfers within a group of undertakings, or IT security, as examples where there is a potential legitimate interest20. There can also be a legitimate interest in disclosing information about possible criminal matters or security threats (eg to the police, or security services). A controller processing the personal data of its employees, as part of its consideration of a restructuring of part of its service, would also have a legitimate interest.

5.49 A further point made in Recital 47, which is relevant to the balancing test below, is that a legitimate interest can exist where there is a ‘relevant and appropriate relationship’ between the data subject and the controller (such as where the data subject is a client, or an employee); although, at least in the UK, it is not restricted to such circumstances.

5.50 Generally, a legitimate interest should not be unduly difficult for the controller or processor to identify; although the weight to be given to it may vary considerably. If there is no legitimate interest, however, the processing should not be attempted under this lawful basis.

20 The references on which this is based are variously in GDPR, Recitals 47–49; although some are rather obscure.


Example (a): Purpose test
The A-Z recruitment agency wants to assess its effectiveness by processing the personal data of those it has placed in jobs over the past 12 months, in terms of salaries earned and jobs that offer further career progression. It plans to use the information in an advertisement for its services. No names will be used, and the data will be pseudonymised (with the agency keeping the ‘key’ secure). Any other identifying information about individuals will also be removed. A-Z has a legitimate interest in undertaking this processing in order to market its services more effectively.

(b) Necessity test: as elsewhere, ‘necessary’ in this context means that the processing need not be ‘absolutely essential’, but should be a targeted and proportionate way of achieving the legitimate interest. If there is another reasonable way of achieving the legitimate interest, which is less intrusive on the privacy of the individual, the test will not be met. While this particular act of processing does not have to be unavoidable, if the specific legitimate interest is to be met, it must be at least no more intrusive than any other form of processing which would similarly meet that objective. The ICO points out that it may be important to distinguish processing that is necessary to the stated purpose, from processing which is only necessary because of the particular method which has been chosen to achieve it.

Example (b): Necessity test
In the previous example, A-Z considers whether there is any other way of establishing the information it seeks on its effectiveness, without doing the research (and thus the processing) from the records in its database, as to individuals’ salaries and their opportunities for career progression. As noted above, it proposes to pseudonymise the data, and to remove other identifying information. It cannot identify an approach that would yield the same quality of results from other methods (eg approaching individuals and interviewing those willing to have a discussion, which it concludes would produce a self-selected and unrepresentative group). It decides that it could, however, produce a satisfactory result from sampling a proportion of its records, rather than surveying all of them, while still yielding a statistically viable result. It decides that, on this reduced basis, the processing of the records would be a targeted and proportionate way of achieving its legitimate interest.

5.51 Balancing test: the Commissioner, in her recent guidance on the GDPR, takes a cautious approach to the use of this basis; particularly in relation to the interests of the data subject (although this caution is more evident in parts of the outline than in the detailed guidance; the latter being more nuanced). In her outline guidance, she advises that this basis is most likely to be appropriate where the use of the data would be in ‘ways that people would reasonably expect and that have a minimal privacy impact’. Its use in marketing, for example, would be suitable where the use of individuals’ data would be ‘proportionate’, with a ‘minimal privacy impact’ and if ‘people would not be surprised or likely to object’. Additional care would be needed as well over using this legitimate interests basis to support processing in relation to the data of children. Where any harm would be caused, disclosure should not proceed.

5.52 The Commissioner does acknowledge that the basis may be used lawfully to disclose personal data to a third party, but says that it should be avoided if the personal data would be used in cases where people would not understand the processing; would not reasonably expect their data to be used in that way; or, would be likely to object to the processing if it were explained to them. Reliance on this basis should be avoided for processing that would cause harm, the ICO advises, ‘unless you are confident there is nevertheless a compelling reason to go ahead which justifies the impact’21.

5.53 While it is understandable that the Commissioner may properly wish to encourage caution over the processing of personal data, especially after a period during which privacy considerations have been far too little observed in society, it is respectfully submitted that this wording in the outline guidance, which appears to suggest that controllers should avoid using this basis in most cases where any harm or distress (or even, potentially, a perception of harm) would be likely to result from the processing – as opposed to balancing any harm to the data subject with the legitimate interest, in order to establish whether the latter should outweigh it – is not correct. It sets the bar too high; to the point where the lawful basis would be unusable in many cases of minor harm, or a perception of such harm (even a misplaced one), where there is a weighty legitimate interest and no other lawful basis is available.

5.54 The view seems to be that there has been a change in the wording from the previous condition in DPA 199822; and also that the previous wording in that Act (‘unwarranted prejudice’) represented a narrow test of harm which is absent from the version in the GDPR. As a result, the Commissioner has taken the view that a wider test of harm should now be applied, and that almost any form of harm to the data subject should prevent the lawful basis from being used. She further relies for this view on a reference in Recital 47 stating that the interests of data subjects could override a legitimate interest where the ‘data subjects do not reasonably expect further processing’. There are two difficulties with this interpretation:
(a) Whatever the wording, actual harm in a narrow sense was not the sole criterion under the DPA 1998. Other factors, such as a data subject’s reasonable expectations, had always been relevant, both to general ‘fairness’, and to the balancing test under the former condition. This was evident both from the ICO’s own guidance, and from decisions in this area. ‘Prejudice’ or harm was interpreted broadly, as meaning disadvantage; thus reducing the practical difference between the approaches. The Recital does not change the position, other than to make it explicit. (It is also arguably giving an example, rather than creating a limitation);
(b) While there is a difference in the wording, as between the GDPR and the DPA 1998, between the old (‘unwarranted prejudice’) and the new (‘interests or fundamental rights and freedoms of the data subject’), and whether the legitimate interests should be overridden by them; there is no difference as between the GDPR and the 1995 Directive. The wording of the former directive and the wording in the GDPR are virtually identical on this point; save, in the latter case, in allowing for a legitimate interest to be that of any third party (and in giving special weight to the privacy interests of children). The phrase ‘interests [which] are overridden’ appears in both texts; as does the description of the data subjects’ interests as ‘interests or fundamental rights and freedoms’. It was the DPA 1998 which was at variance with its parent directive; not the GDPR which has changed the scope. The text was always intended to be wider than about harm purely to interests. It was, moreover, applied as such in the UK under the DPA 1998.

21 See ICO guidance on ‘legitimate interests’ in ‘Guide to the General Data Protection Regulation (GDPR)’.
22 The former DPA 1998, Sch 2, para 6.

5.55 Even with this difference, the ICO, elsewhere in the same outline guidance, describes the ‘key elements’ of the test as remaining the same, with only ‘some small changes to the detail’. This does not sit comfortably with the suggestion that a wider test should now be adopted of the types of harm to the data subject which should be taken into account; nor that the harm to the data subject should be given greater weight than previously (other than in relation to children, about which the Article is explicit).
Recital 47 does refer to legitimate interests needing ‘careful assessment, including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place’; but this is a moderating factor, rather than an exclusion; and, as part of a Recital, it is persuasive rather than mandatory. Finally, as the Commissioner acknowledges elsewhere, the reasonable expectations of data subjects at the time of the collection of the data (and likewise the expectations of society in relation to what it considers to be acceptable processing) may change in any given case by the time of the processing; and so form a somewhat unreliable basis for a firm exclusion.

5.56 This wording in the Commissioner’s new outline guidance thus runs the risk of altering the considerations surrounding the balancing test too strongly against disclosure; without a sufficiently sound reason to do so arising from the drafting of the Regulation. It amounts to giving too much weight too readily to the reasons against disclosure, and preventing the factors on both sides from being properly balanced against each other.

5.57 As well as limiting the potential use of this lawful basis, this approach could be expected to carry a danger in relation to FOI/EIR requests involving the personal data of third parties (ie persons other than the requester)23. In that area, the FOI/EIR regime takes its lead from the DPA regime, as to whether disclosure of such data would be a breach of the data protection principles (in practice, the first principle; requiring the disclosure to be lawful, fair and transparent). Setting the bar for disclosure higher than previously risks conflict with the tests already established in the very numerous FOI/EIR decisions in that area. Other than the general protection of individuals’ personal data which would be expected, there has been no ‘pre-loading’ of the weight of the privacy interests against disclosure in those cases, in the way in which the Commissioner – in her outline guidance – seems now to be suggesting should be applied.

23 Freedom of Information Act 2000 (‘FOIA 2000’), s 40(2) and (3A).

5.58 Against that background, the Commissioner has set out in her more detailed advice how the balancing test should be approached. This, as noted above, is more fairly balanced as to the weight to be given to adverse factors affecting the data subject. That there appear to be differences between the two levels of guidance is a matter of some concern.

5.59 In both sets of guidance, the Commissioner advises a ‘legitimate interests assessment’ (‘LIA’); which is more balanced, and described as a ‘type of light-touch risk assessment’, to be considered in the specific circumstances of the proposed processing, before it is undertaken24. This is essentially the same as the three-step test advised under the previous regime. The three elements to be considered are:
– the legitimate interest, and its weight in the given case;
– whether the processing is ‘necessary’ to meet those interests; and,
– whether or not, when balanced with any adverse effects on the data subject, the latter outweighs (or ‘overrides’) the former.

5.60 After some preliminary points, the relevant factors to each element of these tests are set out at paras 5.64–5.75 below.

LIA TEST – PRELIMINARY POINTS

5.61 The Commissioner says that the GDPR highlights legitimate interests in processing personal data concerning:
– fraud prevention;
– network and information security; or
– purposes indicating possible criminal acts or threats to public security25.

5.62 She also states that the GDPR suggests that the ‘legitimate interests’ basis is likely to apply to processing in the areas of:
– employee or client data (Recital 47);
– direct marketing (Recital 47); or
– transfers of personal data for administrative purposes within corporate groups (Recital 48).

5.63 In relation to direct marketing, however, it should be noted that, if a controller is marketing by electronic means, and if the relevant ‘e-privacy’ rules require consent (as is the case, at the time of writing, under the Privacy and Electronic Communications Regulations 2003 (‘PECR’)), and a soft opt-in does not apply, processing of that kind without the consent of the data subject will be both contrary to those regulations and unlawful under the GDPR (see para 12.5). As a result, the ‘legitimate interests’ (or any other) basis for any such processing would not be available for direct marketing in those circumstances, since it would contravene the first of the data protection principles.

24 See ICO website: ‘How do we apply legitimate interests in practice?’; and reference to fraud in Recital 47.
25 See GDPR, Recital 49.

LIA TEST – RELEVANT FACTORS

5.64 Against that background, relevant factors to consider are as follows:

(1) Legitimate interests (or ‘purpose test’): an organisation should consider:
• the reason it wants to process the data; and what it is trying to achieve;
• who would benefit from the processing, and in what way;
• whether there are any wider benefits to the processing (eg to other third parties, or the general public);
• how important those benefits might be;
• what the impact would be if the processing did not proceed;
• the intended outcome for individuals;
• whether its use of the personal data would in any way be unethical or unlawful;
• whether the processing complies with other legal requirements, or with industry guidelines or codes.

5.65 The essential point is that there has to be a specific benefit or purpose in mind to represent the legitimate interest. It is not enough to have a general business purpose without it being specifically identified. This emphasises that the LIA test cannot be relied upon as a catch-all; nor used regularly without separate consideration being given to each type of processing.

Example: LIA test – Legitimate interest
A company wants to rely on the legitimate interests basis to process marketing information on a regular basis. It cannot simply rely on having a recurrent legitimate interest in a particular type of processing: the legitimate interest needs to be identified on each occasion of its use, and described in specific terms, eg: ‘The purpose is to undertake marketing to [X number] of previous customers, in order to increase overall sales by [Y per cent]; OR to improve the sales of [Z product].’

5.66 The emphasis in the guidance on identifying and recording the aims of the processing, and the overall objectives, is welcome. Considering alternatives to the processing is an important way of assessing its importance, as are identifying the benefits and ascribing weight to them. The objective of this part of the LIA exercise should be to establish a clear argument for the interest which the processing is intended to serve, and some estimate of its weight and importance.

(2) Necessity test: the ICO’s guidance continues that the controller should next consider the following:
• whether the processing actually helps to further the legitimate interest;
• whether the processing is a reasonable way to go about meeting that interest;
• whether there is another, less intrusive, way to achieve the same result.

5.67 The first consideration is often overlooked: whether processing this specific information, and in this particular way, will assist the legitimate interest. The requirement is to establish a causal link between the processing and the desired outcome; which applies not merely to the processing of the information as a whole, but to each specific element of it.

5.68 The second consideration could usefully be read as asking whether the processing is ‘reasonable and proportionate’: is this form of processing suitable to the scale and weight of the legitimate interest, and of the likely intrusion on privacy? Previous case law has spoken of whether there is a ‘pressing social need’ for the processing, and whether the processing is proportionate to meeting that need. If there is a less intrusive way of achieving the same result (eg by using statistics, rather than individuals’ personal information; or by using smaller amounts of their data) the necessity test is not met. As a result, the lawful basis will not be available for that processing, unless the alternative approach is taken.

(3) Balancing test: factors relevant to the ‘balancing test’ (ie factors relevant to the impact of the processing on the individual’s privacy interests, followed by a balancing exercise as to whether they are of greater weight than – ie should ‘override’ – the legitimate interest). There is no set list of factors to take into account; nor a precise template. The Commissioner gives particular emphasis to assessing whether the data subject would expect the processing to occur; judged by the objective standard of what the reasonable person (rather than the specific data subject) would expect. This can be affected by what has been said in the controller’s or processor’s Privacy Notice(s); or direct to the data subject. The ICO makes clear, however, that this factor does not automatically decide the matter.

5.69 The ICO draws attention to Recital 75, which includes a long list of general risks to the rights and freedoms of data subjects (not related specifically to this lawful basis). Essentially, any type of impact may be relevant, including physical or financial impacts, or an inability to use rights as a result of the processing. The Recital appears to be more directly aimed at risks to be examined under Data Protection Impact Assessments (DPIAs), rather than this lawful basis; but it serves as a useful checklist in this context, and a reminder of the breadth of the risks that should be considered in the balancing exercise. The Recital refers to processing which could lead to ‘physical, material or non-material damage’, and includes examples referred to below at para 5.70 (III). Practitioners should refer to this Recital as a checklist when considering the balancing test (ie as to whether all potential factors have been taken into account).

5.70 Echoing her guidance on the former data protection principles in the context of FOI/EIR requests involving the personal data of third parties, the ICO suggests that the balancing test should consider the following three groups of factors, to the extent that any of them is relevant in a given case26:

I: The nature of the personal data to be processed:
– whether any of the data are particularly private or ‘sensitive’ (eg special category data, or data about criminal matters; or, data which concern an individual’s financial information; or a child’s data);
– whether the data are about people in their personal or professional/working capacities (the latter usually having a lesser expectation of privacy);
– whether some of those affected would be likely to object to the processing, or would consider it to be intrusive.

II: The reasonable expectations of the data subject:
– these might be affected by whether, for example, there is an existing relationship between the controller/processor and the data subject (eg as a member of staff, or a customer, user or client; any of whom might reasonably expect greater privacy in the handling of their data, as an implicit result of their relationship with the controller);
– how long ago the data were collected, and whether they were gathered directly from the data subject (and, therefore, potentially with their knowledge, and possibly their co-operation); or via a third party (where this may not have been the case);
– what the data subjects have been told about further processing of their data;
– whether the further purposes of processing, or its method, would be widely understood by the data subject(s);
– whether there is (in fact) any evidence of what the data subjects’ reasonable expectations might be; and, if not, whether some form of consultation might be appropriate before the processing starts.

III: The potential impact on the data subjects, and any safeguards:
– whether the processing is of a type inherently likely to result in a ‘high risk’ to individuals’ rights and freedoms. If so, the Commissioner advises that a Data Protection Impact Assessment (‘DPIA’) should be conducted27. This can take the place of the LIA;
– otherwise, whether the processing might:
• create a barrier to individuals exercising their rights;
• create a barrier to individuals gaining access to services or opportunities;
• cause any loss of the individual’s control over the further use of their data;
• lead to any physical harm;
• lead to any financial loss to the individual, or a risk of identity theft, or of fraud;
• cause any other significant disadvantage to the data subject (such as their suffering discrimination, a loss of confidentiality, or damage to their reputation); or
• whether the individual is particularly vulnerable.

26 See ICO website: ‘How do we apply legitimate interests in practice?’

5.71 Both the likelihood and severity of any harm should be assessed. A high risk of either requires a more substantial legitimate interest in order for the processing or disclosure to proceed. The controller or processor should also consider whether it can apply any safeguards which could reduce the risk of harm, or mitigate any consequences (eg limiting the data processed). The Commissioner advises that this can on occasion change the balance; with the result that the test can be met, where this would not otherwise have been the case.

5.72 The balance should then be weighed to see whether the lawful basis applies. The Commissioner says that there is ‘no foolproof formula’ as to the outcome. Negative effects for the data subject may not outweigh the legitimate interests of the controller/processor28. The weight of the purpose has to be balanced with the severity of the impact. Before proceeding with the processing, the controller must, however, be ‘confident’ that the legitimate interests are not overridden by the risks/privacy interests. The Commissioner suggests that if there is a ‘serious mismatch’, where the data subject’s interests are stronger than those of the controller/processor in the following areas, those of the data subject should be followed.

5.73 These appear to be the factors to which the ICO considers that particular weight should be given:
– where the data subject would not reasonably expect the processing;
– where the data subject would be likely to object to the processing (although this should surely be read as limited to objections that are objectively reasonable);
– where there would be a significant (adverse) impact on the data subject (or, presumably, would be likely to be such an impact, since this could not be predicted with full accuracy);
– where the processing would prevent the data subject from exercising rights (or, again, would be likely to do so, for the same reason);
– where the data are particularly sensitive29.

27 See Chapter 13 on DPIAs.
28 This statement may be contrasted with the undue caution (in the author’s view) in parts of the Commissioner’s summary guidance, as described at paras 5.51–5.58 above.

‘Warning Factors’

5.74 The ICO’s guidance also suggests a useful further checklist of factors which may indicate that the legitimate interests basis is unlikely to be appropriate, where:
– the controller is a public authority, processing personal data to perform its tasks;
– the processing is not consistent with legal, ethical or industry standards;
– there is no clear purpose; or, the data are being kept ‘in case needed’;
– the desired result could be achieved without the processing (or the particular processing) proposed;
– the controller/processor would prefer the data subject to take responsibility for their protection themselves (ie they would prefer to process on the basis of the consent of the data subject);
– the processing will use data in ways that the data subject would not expect (although the ICO recognises here that this could still be outweighed by a compelling legitimate interest);
– there is a risk of significant harm (although the ICO recognises that this could still be outweighed by a compelling legitimate interest);
– the outcome of the balancing test clearly does not support the processing;
– negative publicity about the processing would be embarrassing;
– another lawful basis more obviously applies30.

29 ICO website: ‘What is the legitimate interests basis?’, pp 11–12.
30 ICO: ‘When can we rely on legitimate interests?’


5.75 As to whether the test for the ‘legitimate interests’ basis has really changed from its predecessor, much will have to be learnt by experience and decisions. As indicated above, if it had changed, there would be a ‘knock-on’ effect on the handling of personal data in FOI/EIR requests; and this seems unlikely. It is notable that the Commissioner did not produce so much guidance on the operation of this balancing test in the context of the DPA 1998 as on its operation in relation to the FOIA 2000, s 40 (and the equivalent provision in the Environmental Information Regulations 2004 (‘EIR’), reg 13). Those exemptions/exceptions have produced a significant number of ICO and Tribunal decisions, showing the importance of these rules in that context. It would nonetheless be welcome if the Commissioner were, in the context of the GDPR, to evolve more detailed guidance, which directly addressed the considerations to be applied to the new version of the legitimate interests basis in the context of the Regulation.

Legitimate interests – other considerations

Relying on the legitimate interests basis

5.76 If this lawful basis is used, details of the legitimate interest claimed must be stated in the relevant Privacy Notice. The ICO also advises that individuals should be informed ‘upfront’ of the use of this basis. The Commissioner’s guidance includes a long checklist of other steps before the basis should be used, including that safeguards have been considered to reduce the impact of the processing where possible; and that the controller has considered offering an opt-out to the processing. It also advises that, if the LIA suggests that there would be a significant privacy impact, the controller should consider whether it needs also to conduct a Data Protection Impact Assessment first31. This emphasises that proposed processing, which is found by the controller to raise high risks to privacy or other rights, should be approached with care; with a DPIA as the proper next step. The checklist also advises that an LIA, conducted to support using this lawful basis, should be reviewed, and repeated if the circumstances of the processing change.

5.77 A controller using this lawful basis should, as in other cases, record the legitimate interest involved, and the process and outcome of any LIA. Once the initial processing has been undertaken under this basis, it may be possible to process the data for a new purpose as well, if the latter purpose is compatible with the old one; but the Commissioner recommends conducting a new LIA in these circumstances.

5.78 If this basis is used to support direct marketing (see paras 5.63 above, 8.59 and Chapter 12), an individual’s right to object to the processing is absolute; whereupon the processing of the data of that person must stop. Processing for other purposes can be continued, if an objection is made, provided the controller can show that its legitimate interests are sufficiently compelling to override the rights of the individual.
31 See Chapter 13.


Legitimate interests and children

5.79 The use of this basis to process children’s personal data is not excluded, but Article 6(1)(f) specifies that such data require special protection. The controller or processor takes on a ‘responsibility to protect them from risks that they may not fully appreciate and from consequences they may not envisage’32. Additional weight needs to be given to children’s interests; and, in consequence, a greater weight in favour of the legitimate interest will be necessary to justify the processing.

Legitimate interests basis and public authorities

5.80 The legitimate interests basis is not available to public authorities ‘in the performance of their tasks’. The reasoning appears to be that the legislature can give public authorities their own basis for processing data, where this falls within their public task, under domestic provisions defining the scope of Article 6(1)(e); and that this should confine such processing33.

5.81 The ICO interprets this to mean that this basis/condition is available when a public authority is acting, for a legitimate reason, outside its tasks as a public authority. This might be interpreted as the authority acting outside its ‘core’ tasks, although the ICO does not use this term in this context.

Example: Legitimate interests outside public task
A local authority is in a partnership arrangement with a commercial developer, to develop a site in its town centre. The local authority is relying on its general power of competence to do so. It needs to process the personal data of staff of the contractor in order to advance the project (which it will do under the lawful bases applying to its functions). Depending on the statutory or other functions of the authority, other activities connected with the project might include:
– promoting community-based or charitable activities which it supports;
– activities concerning the management or investment of its financial assets;
– any dealings or dialogue with proposals from other bodies (eg a public consultation to which it wishes to respond).
The legitimate interests basis might be available to the local authority for data processing arising under these other activities, if they did not form part of its tasks as a public authority (or perhaps its ‘core’ tasks). In each case, however, the authority should consider first whether the processing (or part of it) does fall under its public task.

32 ICO guidance: ‘Where can we rely on legitimate interests?’
33 See GDPR, Recital 47. Additional UK provision is in DPA 2018, s 8.


Special category personal data

5.82 While the legitimate interests basis can apply to special category data, as much as to ‘ordinary’ personal data, such data will (as before under the DPA 1998) be incapable of being processed unless there is also an applicable lawful basis under GDPR, Article 9 (see para 5.92ff below; or as extended by the DPA 2018, Sch 1). As with the previous Act, there is no equivalent to this legitimate interests lawful basis in relation to special category data. Other lawful bases may, in some cases, apply to the processing of some or all of such special category data.

Use of legitimate interest basis in Freedom of Information/Environmental Information Regulations

5.83 As already indicated, the legitimate interests basis has been (in its previous form as the sixth condition in the DPA 1998, Sch 2), the usual means by which the personal data of third parties (ie the personal data of other than the requester) have been disclosed in response to information requests under the FOI/EIR regimes. The exclusion of the public sector from this lawful basis, when exercising its public task, caused considerable concern and debate amongst practitioners in the UK, when the terms of the GDPR were first finalised. While moving to the use of another lawful basis, of which the legal obligation basis seemed the most plausible, was discussed, together with whether this could be achieved merely through guidance from the ICO, the eventual outcome is much more satisfactory. It is achieved by the device of creating a limited exception to the GDPR’s disapplication of Article 6(1)(f). This is done by the DPA 2018, Sch 19, paras 58(8) and 307(7); which amend respectively the FOIA 2000, s 40 and reg 13 of the EIR, and omit the disapplication where those provisions apply. The effect is to restore the status quo ante the GDPR.

5.84 As a result, public authorities may continue to use the ‘legitimate interests’ condition, as the basis for considering whether the personal data of third parties should be disclosed in FOI/EIR requests (see Chapter 27). The desirability of not disturbing the careful case law that has been built up on those provisions (and which continues to develop) will have been clear; especially given the large number of appeals to the ICO and Tribunal on section 40/Regulation 13.

Individual rights

5.85 The right to data portability does not apply where ‘legitimate interests’ is relied upon as the lawful basis (Article 20(1)(a)). The right to object, and other individual rights, do apply. The controller or processor can continue to process data, where an objection is made (save in respect of direct marketing34), if it can show that it has compelling legitimate grounds to do so35 (which will require a stronger reason for the processing than is necessary under the legitimate interests basis).

34 GDPR, Article 21(3).

LAWFUL BASES – SPECIAL CATEGORIES

5.86 This section deals with the numerous, but narrow, lawful bases upon which special category data may be processed.

5.87 The basic structure is that special category data may not be processed, unless an exemption is in place. See GDPR, Article 9(1) and (2). The exemptions constitute the lawful bases in practice, therefore, under which processing may take place.

5.88 As was the case under the DPA 1998, the GDPR contains an extensive list of such lawful bases, under which the processing of special category data may take place, in Article 9(2) (with minor amendments, post-Brexit, from the DPPEC Regulations); and the list is extended further in the UK by the DPA 2018, Sch 1. Many of these bases are narrow, however, and are likely to arise only occasionally.

‘Appropriate policy documents’

5.89 In a number of cases, where processing is permitted provided the relevant lawful basis is present, the DPA 2018 requires the controller (but not a processor) to have in place an ‘appropriate policy document’. (The types of processing where such a document is required are identified individually below, in relation to the relevant lawful basis.) An appropriate policy document is defined as a document which explains the controller’s procedures for complying with the data protection principles (ie in Article 5 of the GDPR); and, which explains the controller’s policies with regard to retention and erasure of the data, giving ‘an indication’ in each case of how long the data are likely to be retained36.

5.90 Two further ‘additional safeguards’ have to be observed, in relation to these policy documents:
• the policy document has to be retained throughout the period of the processing, plus a further six months; as well as being reviewed and updated as appropriate from time to time. It is also to be made available to the Commissioner, on request, without charge.
• the document has to include:
– which ‘condition’ (ie lawful basis in DPA 2018, Schedule 1) is relied upon;
– which lawful basis in GDPR, Article 6 (ie the basis required for processing personal data generally, separate from the processing of special category data) is relied upon;
– whether the personal data are in fact retained or erased in accordance with the policies described on that issue; and, if not, the reasons (although it seems contradictory to require such policies, and then to permit derogations from them on the basis merely of an explanation).

5.91 Whether a distinct document, or set of documents, is required is unclear (although the wording does suggest this), since many of the requirements are likely to overlap with information which practitioners will hold in other forms. It is suggested that the ICO may need to clarify this issue to avoid needless duplication. One suggestion may be that an APD (appropriate policy document) need contain only brief descriptions, while cross-referring to relevant documents elsewhere. The main burden on the controller at the outset may be in identifying the relevant conditions and lawful bases in sufficient detail; and relating its retention schedules to the detailed activities identified.

35 GDPR, Article 21(1).
36 See DPA 2018, Sch 1, Pt 4, paras 38–41.

EXEMPTIONS/LAWFUL BASES IN GDPR, ARTICLE 9

5.92 The exemptions/lawful bases are set out in GDPR, Article 9(2)(a)–(h), as follows; together with modifications and additions introduced by DPA 2018, Sch 1. The Article 9 bases are:

Explicit consent (Article 9(2)(a))

5.93 Explicit consent of the data subject for one or more specified purposes of processing; unless EU law, or that of the member state (or, post-Brexit, domestic law), prevents the data subject from giving such consent (which would be unusual). The DPA 2018 adds no special UK provisions in relation to this basis. The Article 29 Working Party (in the guidelines on consent referred to at para 3.47 above) described ‘explicit’ as referring to ‘the way consent’37 is expressed by the data subject. It means that the data subject must give an express statement of consent. While the most obvious method would be to secure a signed statement, this is not essential, and it could be done electronically.

Employment, social security or social protection (Article 9(2)(b))

5.94 Processing is necessary to carry out obligations, or exercise specific rights, in relation to employment law or social security or ‘social protection’ law, insofar as authorised by:
(i) EU or member state law (or domestic law, after Brexit); or
(ii) a collective agreement under member state/domestic law, which provides appropriate safeguards for the rights and interests of data subjects.
The relevant provision in UK law is in DPA 2018, Sch 1, Pt 1, para 1 (see also s 10(1)(a)). This permits processing necessary for the purposes of performing or exercising obligations or rights of the controller or data subject, relating to employment, social security or social protection. The latter is defined to include public or private interventions to meet needs such as sickness, disability, old age, unemployment, or social exclusion.

5.95 In the UK, this basis can only be relied upon where the controller has in place an ‘appropriate policy document’, as outlined above. This lawful basis covers processing required by law by employers (eg over benefits, which may also involve information about health; and thus be special category data).

37 Article 29 Working Party/EDPB ‘Guidelines on Consent under Regulations 2016/679’ (wp259rev.01), (Section 4, page 18).

Vital interests (Article 9(2)(c))

5.96 Processing is necessary to protect the vital interests of the data subject or another person, where the data subject is physically or legally incapable of giving consent.

5.97 This lawful basis covers the same processing as that referred to in Article 6(1)(d) covering life and death interests (see paras 5.24–5.25), with the additional requirement that the data subject is ‘physically or legally incapable of giving consent’; and provides the legal basis for the special category data likely to be involved.

Not for profit organisation (Article 9(2)(d))

5.98 Processing is carried out (in the course of its legitimate activities) by a not-for-profit organisation, foundation or association, which has a political, philosophical, religious or trade union aim, and with appropriate safeguards, and which relates solely to:
(i) its members or former members; or
(ii) persons who have regular contact with it in connection with its purposes;
and provided that the data are not disclosed outside the body, without the consent of the data subject.

5.99 The reference to former members, as well as current ones, is a change from the previous condition in the DPA 199838. Those involved in voluntary bodies, political parties, or various types of membership organisation for these purposes have a fair degree of licence under this basis in the processing of both their membership data, and of personal data they hold about those with whom they have contact. It is all-important, however, that the information is kept secure; and that no personal data are disclosed externally without the consent of any individual affected.

5.100 For political parties, see also the ‘substantial public interest’ processing of the political opinions of electors at para 5.157 below.

38 Compare former DPA 1998, Sch 3, para 4(c).

Made public by data subject (Article 9(2)(e))

5.101 Processing is of personal data which (it can be shown) have been made public by the data subject.

5.102 Where the data subject has ‘manifestly’ (ie, clearly) already put the special category data into the public domain, the controller may process it further without restriction. It will be necessary to have some evidence that this is the case, such as a media report quoting from the personal data, with the individual named as the source; or, a social media report revealing or discussing the data, originating from the data subject; unless it is evident that the information could not have reached the public domain by any other route.

Legal proceedings or claims (Article 9(2)(f))

5.103 Processing is necessary to establish, exercise or defend legal claims; or where a court is acting in its judicial capacity.

5.104 The special category data may be processed where necessary (in the sense of reasonably necessary) for court proceedings, or in connection with a legal claim. As an example, an organisation needs to disclose part of the sickness record of a former employee to an employment tribunal, in order to defend a claim brought by him for unfair dismissal. It also needs to send the same extract to its outside legal advisers for advice on writing the witness evidence from its head of Employee Relations. Both types of processing would be covered by this lawful basis.

Substantial public interest (Article 9(2)(g))

5.105 Processing is necessary for reasons of the ‘substantial public interest’, on the basis of EU law or that of a member state (or of domestic law, after Brexit). The processing must:
(i) be proportionate to the aim pursued;
(ii) respect essential data protection rights; and
(iii) provide suitable safeguards for data subjects.

5.106 The DPA  2018 devotes the whole of Part 2 of Schedule  1 to setting out what activities fall within this basis in the UK39. The Act uses the power to make domestic law in this area to create an extensive further list of derogations; many carried over from those previously created under statutory instruments made under the former DPA 1998. It also clarifies the general tests in (i)–(iii) in the preceding paragraph, so that controllers in the UK can know more precisely what processing is covered, and the specific tests in each case. See section below (Substantial public interest processing) from para 5.115.

Health and social care (Article 9(2)(h))

5.107 Processing is necessary for medical health, or social care purposes. This is a wide-ranging lawful basis, and includes processing necessary for the following40:
(a) preventive or occupational medicine;
(b) the assessment of an employee’s working capacity;
(c) medical diagnosis;
(d) the provision of health or social care;
(e) the provision of treatment;
(f) the management of health or social care systems and services (on the basis of EU or member state law, or domestic law after Brexit); or
(g) processing necessary pursuant to a contract with a health professional, and subject to safeguards arising from41:
• obligations of professional secrecy;
• rules established by national competent bodies; or
• rules provided by another person who is subject to either professional secrecy or to rules established by national competent bodies.

5.108 DPA 2018, Sch 1, para 2(1) defines the elements in (a)–(f) above (reflecting GDPR, Article 9(2)(h)) as processing for ‘health or social care purposes.’

5.109 Sections 10(1)(c) and 11(1) of the DPA 2018 clarify that, in the UK context, the wording of the provision in (g) of the paragraph above includes circumstances in which the processing is carried out by or under the responsibility of a health professional or a social work professional; or, by another person who in the circumstances, is bound by a legal duty of confidentiality. In other words, it includes processing by the private healthcare sector, provided it takes place under professional supervision.

5.110 This lawful basis, in its various forms, is capable of underpinning the majority of the processing of special category data about patients in the healthcare system, by both the NHS and private providers; or about users or residents of the social care system, whether by local authorities with responsibility for community care services, or by various charitable or commercial providers of such care.

39 See DPA 2018, s 10(3), and Sch 1, Part 2, paras 5–28 (and see section below from para 5.115).
40 See DPA 2018, Sch 1, para 2(2).
41 GDPR, Article 9(2)(h) and 9(3).

Public health (Article 9(2)(i))

5.111 The processing is necessary for public health, in the public interest, such as:
– protecting against serious cross-border threats to health;
– ensuring high standards of quality or safety in health care;
– ensuring high standards of medicinal products or medical devices;
on the basis of European or member state law (or post-Brexit, domestic law) which provides suitable measures to safeguard the rights and freedoms of a data subject, such as professional secrecy.

5.112 This is then modified by the DPA 201842 to mean that the processing is necessary, for reasons of the public interest in the area of public health (as in the GDPR), and is carried out either:
– by or under the responsibility of a health professional; or
– by another person who in the circumstances owes a legal duty of confidentiality (mirroring the formulation for health and social care).

Example: Public health
Noburgh health authority wants to work with secondary schools in its area to introduce a new form of immunisation for teenagers against a form of flu to which they are vulnerable. The programme is in the public interest, and necessary on medical advice to reduce exposure to the illness. It will be carried out under the control of the authority’s medical director, who is a doctor. The programme will require the sharing by the schools of health-related data about the pupils with the health authority, which will check its identifying information for the pupils with the data held by the schools. GDPR, Article 9(2)(i) and DPA 2018, Sch 1, para 3, provide a lawful basis for the processing.

42 DPA 2018, s 10(1)(d) and Sch 1, para 3.

88

Substantial Public Interest Processing 5.115

Archiving, scientific or historical research, statistics (Article 9(2)(j))

5.113 The processing is necessary for archiving in the public interest, scientific or historical research purposes, or statistical purposes; provided the processing contains safeguards required by GDPR, Article 89(1). The DPA 2018 then applies s 19, which interprets the safeguards on processing in Article 89(1)[43]. The GDPR requires that measures are taken to protect the rights of those whose personal data are used in research, such as by minimising the data used, or pseudonymising the information (ie giving the research subjects an alternative identity, such as a reference number, which is secure). Section 19 applies this as follows:
(a) the measures will not be sufficient to meet the requirements in Article 89(1) if the processing is likely to cause substantial damage or substantial distress to the data subject;
(b) in addition, the processing will not satisfy the requirements for safeguarding if it is for the purposes of measures or decisions with respect to a particular data subject, except for ‘approved medical research’ (which is defined in the section; effectively so that it will qualify only if it has been approved by a suitable body[44]).

5.114 Before Brexit, member states may apply further conditions or limitations with regard to the processing of genetic or biometric data, or of ‘data concerning health’ (GDPR, Article 9(4)). The latter are defined in Article 4(15) as personal data related to the physical or mental health of a natural person/living individual, including the provision of healthcare services, which reveal information about his or her health status. The definition will, therefore, include the personal data relating to an individual that would fall under the category of health and social care information (Article 9(2)(h) – see para 5.107 above) but also wider information about the individual’s general state of health. The GDPR definitions of biometric and genetic data are described at paras 3.54 and 3.6 respectively (and Chapter 3, footnote 9). The DPA 2018 repeats the definitions of all three (in s 205), without modifying their meaning[45]. After Brexit, however, the DPPEC Regulations remove this power to add further conditions or limitations to such processing[46].

SUBSTANTIAL PUBLIC INTEREST PROCESSING

5.115 Part 2 of Sch 1 of the DPA 2018 adds considerably to the list of lawful bases available for special category processing, under the general description of activities which are undertaken in the ‘substantial public interest’. It describes these as ‘conditions’ (rather than lawful bases, or exemptions from the general ban on such processing) by defining in each case the circumstances in which they apply. It is important, therefore, to examine the relevant wording in Sch 1 to ensure that the proposed processing fits within its terms; although these are drafted fairly broadly.

43 See DPA 2018, s 10(1)(e); Sch 1, para 4; and ss 19(1)–(3). Post-Brexit, the DPPEC Regulations (Sch 1, para 9(7)(a)) make explicit, in GDPR, Article 9(2)(j), the link with s 19.
44 DPA 2018, s 19(4) and (5).
45 Save to convert ‘data’ from the plural into the singular, as elsewhere in the Act.
46 DPPEC Regulations, Sch 1, para 9(10).

5.116 The Act also imposes an additional requirement: that in many cases of such processing, listed in Part 2 of the Schedule, an ‘appropriate policy document’ (‘APD’)[47] has to be in place for the processing to be valid (as also for processing for employment, social security, or social protection)[48]. What follows is necessarily a summary:

Statutory and government purposes[49]

5.117 The processing will be permitted if it is necessary for:
• the exercise of a function conferred on a person by an enactment or rule of law; or
• the exercise of a function (ie a power or duty) of the Crown, a Minister of the Crown, or a government department.

5.118 In each case, the processing has to be ‘necessary for reasons of substantial public interest’. This is not defined in this context, and so will have to be worked out in decisions and guidance. It seems unlikely that the bar will be set unduly high, provided the processing is carried out for the purposes of a public function or activity, is in the public interest, and appears to be more than marginally justifiable. As well as the function etc relied upon, the controller’s conclusion that it is in the substantial public interest, and the reasons, should be recorded.

5.119 An appropriate policy document is required at the time of processing.

5.120 In practice, this lawful basis should cover the great majority of the processing of special category data by the public sector; but, in order to do so, such bodies need to examine their activities, and to identify the functions or other legal obligations on which they are based; and to ensure that the appropriate policy documents are first written (or, at least, that the requirements are covered – see para 5.91), and then kept up to date.

47 As described above at paras 5.89–5.91.
48 GDPR, Article 9(2)(b) and DPA 2018, Sch 1, Pt 1, para 1 (employment, social security and social protection). In relation to APDs under Sch 1, Part 2, see para 5.89.
49 DPA 2018, Sch 1, Pt 2, para 6.


Administration of justice or parliamentary purposes

5.121 This condition is met if the processing is necessary for either purpose[50]. As above, this should cover all such special category processing by the courts and criminal justice system, and by either House of Parliament. An appropriate policy document is required for such processing when it is being carried out.

Equality of opportunity or treatment

5.122 The processing of four categories of personal data, namely information about individuals in relation to their: (i) racial or ethnic origin; (ii) religious or philosophical beliefs; (iii) health; or (iv) sexual orientation, will be permitted if it is necessary to identify or review the existence or absence of equality of opportunity between groups of people ‘specified’ in relation to those categories, in order to allow such equality to be promoted or maintained[51].

5.123 ‘Specified’ has a particular meaning, relating to a table in DPA 2018, Sch 1, para 8(2), of categories of data and groups of people in relation to them (eg people with different states of physical or mental health).

5.124 The basis will not apply, however, if:
• the processing relates to measures or decisions about a particular data subject;
• the processing would be likely to cause substantial damage or substantial distress to an individual; or
• the data subject (or one of them) has given notice in writing, and with reasonable notice, to the controller that it should not process data about that person; and the period of notice has expired.

5.125 Controllers should, therefore, be able to rely on this basis for the purposes of monitoring equality of opportunity, provided that they take care to avoid the harmful outcomes outlined. It will also be important that controllers have arrangements in place to deal effectively with any requests to cease processing.

5.126 An appropriate policy document is required when the processing is carried out.

50 DPA 2018, Sch 1, Pt 2, para 7.
51 DPA 2018, Sch 1, Pt 2, para 8(1)–(5).


Racial and ethnic diversity at senior levels of organisations

5.127 There is a lawful basis for processing of special category data if:
(i) the personal data reveal racial or ethnic origin;
(ii) the processing is carried out as part of identifying suitable individuals to hold senior positions in an organisation, or type of organisation;
(iii) the processing is necessary to promote or maintain diversity amongst holders of such positions; and
(iv) it can reasonably be carried out without the consent of the data subject (meaning that the controller cannot reasonably be expected to obtain the individual’s consent, and is not aware that they have withheld their consent)[52].

5.128 Processing that would be likely to cause substantial damage or substantial distress to an individual cannot, however, be carried out under this lawful basis. The terms ‘senior position’ (eg a company director) and ‘senior manager’ (eg a significant decision-maker) are defined in the legislation[53].

5.129 An appropriate policy document is required when the processing is undertaken.

Preventing or detecting unlawful acts

5.130 There is a lawful basis for processing which:
(i) is necessary for the purposes of preventing or detecting unlawful acts;
(ii) has to be carried out without the consent of the data subject, so as not to prejudice the purposes; and
(iii) is necessary for reasons of the substantial public interest.

5.131 Any act is covered which is unlawful (including, but not solely, criminal acts), provided the other two conditions are met; principally that there is a reason for secrecy (eg to avoid the destruction of evidence).

5.132 If the processing would involve giving the personal data to a ‘competent authority’ (eg the police), the processing will have a lawful basis even if the controller does not have in place an appropriate policy document. The effect is that a controller does not have to produce a policy document covering this form of processing (at least if it is not an activity in which it engages regularly)[54].

52 DPA 2018, Sch 1, Pt 2, para 9.
53 DPA 2018, Sch 1, Pt 2, para 9(5) and (6).
54 DPA 2018, Sch 1, Pt 2, para 10.


Example: Processing for detecting unlawful acts
The police approach Bertha’s company for background information about Sid, a new member of the staff. They suspect Sid of involvement in a fraud before he came to work at the firm, and want to know more about his previous activities and recent movements. Bertha tells them the limited information the company holds about Sid’s previous job and whereabouts, but is concerned that she may have broken the GDPR. Provided that the police were able to tell Bertha that they needed the information without Sid’s consent (or knowledge), because otherwise the investigation would be impaired; and, provided that the information would help their investigation (and thus be in the substantial public interest), the transfer will have been lawful. Bertha should have made sure that she had received statements of this kind before releasing the data. She should also insist on receiving them in writing. Bertha does not need to have a policy covering a disclosure of this kind.

Protecting the public against dishonesty

5.133 There will be a lawful basis if the processing: is necessary for the exercise of a ‘protective function’; must be carried out without the consent (ie including the knowledge) of the data subject, in order not to prejudice that function; and is necessary for reasons of substantial public interest. A ‘protective function’ is one intended to protect the public against:
– dishonesty, malpractice or seriously improper conduct;
– unfitness or incompetence;
– mismanagement in administering a body or association; or
– failures in service by a body or association[55].

5.134 Unlike the prevention or detection of unlawful acts in the circumstances described in para 5.132 above, a controller needs to have an appropriate policy document in place when processing the special category data.

55 DPA 2018, Sch 1, Pt 2, para 11.

Example: Protecting against dishonesty
An insurance industry regulator has a function of investigating complaints over failures of service. Maggie has complained that her insurance company has been incompetent over renewing her house insurance, leading to loss to her when the house was later damaged in a fire. She is now in dispute with them. The investigation centres on the competence of Philip, a member of the renewals team, who spoke to Maggie when she rang to renew her cover; and, in particular, his previous health background. The regulator is seeking information from the company’s occupational therapist, who had arranged for Philip to receive treatment for depression the previous year, before it re-interviews him. The regulator is concerned that, if Philip becomes aware of this, he may alter his evidence. The lawful basis would allow the therapist to process Philip’s personal data from her records, including the record of Philip’s treatment, in order to answer the investigator’s questions; provided the company has an appropriate policy document in place. The regulator would also need to have such a policy, in order to process the information under the investigation.

Regulatory requirements relating to unlawful acts and dishonesty

5.135 There is a lawful basis if the processing is necessary to comply with (or to assist others to comply with) a regulatory requirement involving establishing whether a person has committed an unlawful act (or has unlawfully failed to act), or has been involved in dishonesty, malpractice or other seriously improper conduct. The lawful basis applies only where the controller cannot reasonably be expected to obtain the consent of the data subject, and the processing is necessary in the substantial public interest[56]. A ‘regulatory requirement’ is one imposed by statute, or by a person exercising a function under statute; or a requirement forming part of generally accepted principles of good practice relating to a type of body or an activity. Unlike the lawful basis of processing for the prevention or detection of crime, an appropriate policy document is necessary at the time of this processing.

56 DPA 2018, Sch 1, Pt 2, para 12.

Example: Regulatory requirements relating to unlawful acts
The [imaginary] Motor Trade Licensing Authority has been created as a regulator of garages repairing motor vehicles. One of its statutory tasks is to regulate the use of new laws governing the use of sub-standard generic parts for repairs, instead of parts which are of suitable quality or have been supplied by the original manufacturer. It undertakes regular inspections, and is currently monitoring a garage specialising in Italian cars, run by Alfred. It approaches individuals within various reputable parts suppliers, asking them to record any business they do with him, to see whether he orders parts from those suppliers. Any incidental information about Alfred which may also be reported, and which might fall within special category personal data, may be processed by both the suppliers and the Authority on this lawful basis, provided it is relevant (eg that he was unwell for a period, during which orders ceased) and there is an appropriate policy document in place.

Journalism in connection with unlawful acts and dishonesty etc

5.136 There is a lawful basis for the use of special category data for publication for certain journalistic, academic, artistic or literary purposes (the ‘special purposes’). The lawful basis covers only situations where those purposes are undertaken in relation to acts which are unlawful or dishonest. It does not permit the processing of special category data for those purposes in general.

5.137 The lawful basis applies where the processing:
(i) consists of disclosing the personal data for (one or more of) the special purposes;
(ii) is carried out in connection with the following matters (or allegations) about them:
(a) the commission of an unlawful act (or a failure to act);
(b) dishonesty, malpractice or other seriously improper conduct of a person;
(c) unfitness or incompetence of a person;
(d) mismanagement in the administration of a body or association; or
(e) a failure in services provided by a body or association;
(iii) is necessary for reasons of the substantial public interest;
(iv) is carried out with a view to the publication of the personal data by any person; and
(v) the controller must reasonably believe that publication would be in the public interest. This has to be on an objective test of reasonableness (ie that a reasonable person, in possession of the relevant facts, would believe publication to be in the public interest; not merely that it is the controller’s own opinion).
The lawful basis applies even if no appropriate policy document is in place[57].

57 DPA 2018, Sch 1, Pt 2, para 13.

Example: Journalism in connection with unlawful acts
The Weekly Beast, a local newspaper in Newchester, has received information from a source about an alleged misappropriation of funds from a local charity by its former director, who left suddenly last month. It wishes to publish the story. Most of the information it holds is not special category data, but part of it concerns fingerprint evidence said to implicate the director. A further strand in the story concerns the philosophical beliefs of those supporting the charity, which the director professed to support and promoted widely in the area. Before instructing her journalists to pursue the story, the editor decided that collecting and holding information about the story was in the substantial public interest. She also now believes that publication would be in the public interest, and that her opinion on that matter is reasonable. Provided these conditions are met (and her opinion is objectively reasonable), the lawful basis will apply to both the collection and holding of the special category information held (eg the biometric data, and the philosophical beliefs of individuals); and the publication of these pieces of information.

Preventing fraud

5.138 The lawful basis applies if the processing is necessary to prevent fraud (or a particular kind of fraud), and consists of:
(i) the disclosure of personal data by a person as a member of an anti-fraud organisation (as defined in the Serious Crime Act 2007, s 68)[58];
(ii) the disclosure of personal data in accordance with arrangements made by an anti-fraud organisation; or
(iii) the processing of personal data that has been disclosed as described in (i) or (ii)[59].
An appropriate policy document is required at the time of processing.

Example: Preventing fraud
The South Western Bank and the Premier Bank are asked by the police to co-operate in comparing similar financial transactions for two groups of their respective customers whom the police suspect of money-laundering. The activities concern large and regular payments to private health providers in other countries which the police think are suspicious. To any extent that the information relates to the health of the individuals, it will be special category data. The police pass various emails concerning the suspects to the two banks for examination against their financial and correspondence records. Any special category information disclosed to the two banks will have been passed to them by a member of the police staff under activity (i) above. Their processing of the data will take place under activity (iii) above. Any disclosure of special category data which either of the banks makes to the police, as a result of their examination, will take place under activity (ii) above. In each case, however, both the police and the banks will need to have an appropriate policy document in place to cover their processing.

58 Ie any unincorporated association, body corporate or other person which enables or facilitates any sharing of information to prevent fraud or a particular kind of fraud, or which has any of these functions as its purpose or one of its purposes (Serious Crime Act 2007, s 68).
59 DPA 2018, Sch 1, Pt 2, para 14.

Suspicion of terrorist financing or money laundering

5.139 There is a lawful basis for the processing of special category data which is necessary for the purposes of making a disclosure in good faith in connection with:
(i) the suspected commissioning of a terrorist financing offence, or to identify terrorist property (disclosure within a regulated sector under the Terrorism Act 2000, s 21CA); or
(ii) disclosure within a regulated sector in relation to suspicions of money laundering (under the Proceeds of Crime Act 2002, s 339ZB)[60].
An appropriate policy document is required at the time of processing.

60 DPA 2018, Sch 1, Pt 2, para 15.

Support for individuals with a particular disability or medical condition

5.140 Processing by a not-for-profit body which supports individuals with a particular disability or medical condition will fall within this lawful basis if the processing:
(i) is of personal data revealing racial or ethnic origin; genetic or biometric data; data concerning health; or concerns an individual’s sex life or sexual orientation;
(ii) relates to a person who is or has been a member of the body, and has (or has had, or has a significant risk of developing) the disability or condition with which the body is concerned; or is a relative or carer of such a person;
(iii) is necessary for the purposes of raising awareness of the disability or medical condition; or of providing support to individuals falling within (ii) above, or of enabling them to support each other;
(iv) can reasonably be carried out without the consent of the data subject (ie the controller cannot reasonably be expected to obtain it, and is not aware of the data subject having withheld it; although this does not include a mere failure to respond to a request for consent); and
(v) is necessary for reasons of substantial public interest[61].
An appropriate policy document is required at the time of processing.

Counselling etc

5.141 Processing falls within this lawful basis if it:
(a) is necessary for the provision of confidential counselling, advice or support, or of another similar type of service which is provided confidentially;
(b) is carried out without the consent of the data subject for one of the reasons below; and
(c) is necessary for reasons of the substantial public interest.

5.142 The reasons for which consent need not be obtained are:
(i) in the circumstances, it cannot be given by the data subject;
(ii) in the circumstances, the controller cannot reasonably be expected to obtain the consent from the data subject; or
(iii) obtaining the consent of the data subject would prejudice the provision of the service[62].
An appropriate policy document is required at the time of processing.

5.143 An example of the latter might be the provision to a therapist of information about the health background of a vulnerable person who is not aware of the special category data concerned; where revealing the existence of the processing to them would be upsetting and be likely to harm the counselling being provided to them.

Safeguarding of children and of individuals at risk

5.144 There is a lawful basis where processing is necessary to protect an individual from neglect, or physical, mental or emotional harm, or to protect their physical, mental or emotional well-being. The individual must either be aged under 18 years, or be aged 18 or over and at risk. The processing has to be carried out for one of the same reasons as under the preceding basis[63]; and has to be necessary for reasons of the substantial public interest.

61 DPA 2018, Sch 1, Pt 2, para 16. ‘Disability’ and ‘carer’ are defined in the paragraph.
62 DPA 2018, Sch 1, Pt 2, para 17.
63 Ie those in DPA 2018, Sch 1, Pt 2, para 17(2).


5.145 A person is ‘at risk’ if he or she is aged 18 or over; has ‘needs for care and support’; is experiencing neglect, or physical, mental or emotional harm (or is at risk of one of them); and is unable to protect himself or herself as a result. ‘Protection’ can be of an individual or a type of individual[64].

5.146 An appropriate policy document is required at the time of processing.

Safeguarding of economic well-being of certain individuals

5.147 There is a lawful basis for processing which:
(i) is necessary for the purposes of protecting the economic well-being of a person aged 18 or over who is at economic risk;
(ii) is of data concerning health;
(iii) is carried out without the individual’s consent for the same reasons as in para 5.142 above in relation to counselling; and
(iv) is necessary for reasons of substantial public interest[65].

5.148 An individual is an ‘individual at risk’ under this paragraph if they are less able to protect their economic well-being (than others), by reason of physical or mental injury, illness or disability.

5.149 An appropriate policy document is required at the time of processing.

Example: Economic well-being of an individual
Limedale District Council runs a small toy-making workshop providing employment for adults who suffer from various forms of mental illness or incapacity. Harry is being assessed for a job there. He was previously moved from a placement on a catering training scheme following a disagreement with another trainee. The council is keen to secure the new placement for Harry, but wants to consult the manager of the previous scheme as to whether the incident may reflect on his suitability to work in the factory. Harry is still very upset about what happened, and considers that he was not at fault over it; but refuses to discuss it. The council cannot reasonably be expected to ask Harry for his consent to their consulting the manager of the previous scheme. The processing would fall under this lawful basis, provided:
– it is reasonably necessary to decide whether Harry can be given the placement; and
– both the council and the previous scheme have appropriate policy documents in place.

64 DPA 2018, Sch 1, Pt 2, para 18.
65 DPA 2018, Sch 1, Pt 2, para 19.


Insurance

5.150 There is a lawful basis where the processing is:
(i) necessary for an ‘insurance purpose’;
(ii) of special category data revealing racial or ethnic origin, religious or philosophical beliefs or trade union membership, genetic data or data concerning health; and
(iii) necessary for reasons of substantial public interest[66].

5.151 In addition, where the processing is not carried out for the purposes of measures or decisions affecting the data subject; and the data subject does not have (and is not expected to acquire):
– rights against (or obligations in relation to) a person insured under an ‘insurance contract’ to which the ‘insurance purpose’ relates;
– other rights or obligations in connection with such an ‘insurance contract’,
the lawful basis will not apply unless the processing can reasonably be carried out without the consent of the data subject. The latter will be the case only where:
• the controller cannot reasonably be expected to obtain the consent of the data subject; and
• the controller is not aware of the data subject withholding consent (although this does not include where the data subject has merely failed to respond to a request for consent)[67].

5.152 The terms ‘insurance purpose’ and ‘insurance contract’ are defined. The former constitutes advising on, underwriting or administering an insurance contract, administering a claim under it, or exercising a right or complying with a claim under it. An insurance contract is a contract of general or long-term insurance, as defined in the Financial Services and Markets Act 2000 (‘FSMA 2000’)[68].

5.153 An appropriate policy document needs to be in place at the time of the processing.

66 DPA 2018, Sch 1, Pt 2, para 20.
67 DPA 2018, Sch 1, Pt 2, para 20. An ‘insurance contract’ and ‘insurance purpose’ are defined in paragraph 20.
68 FSMA 2000, s 22. Practitioners in that field should refer to the definitions direct.

Occupational pensions

5.154 This lawful basis permits the processing of special category data which:
(i) is necessary for making a determination over eligibility for, or benefits payable under, an occupational pension scheme;
(ii) is of data concerning health relating to an individual who is the parent, grandparent, or great-grandparent, or a sibling, of a member of the scheme;
(iii) is not carried out for the purposes of making decisions with respect to the data subject (ie the relative); and
(iv) can reasonably be carried out without the relative’s consent.

5.155 The latter is the case only where the controller cannot reasonably be expected to obtain the consent of the relative; or the controller is not aware that they have withheld consent (although this does not include a mere failure by them to respond to a request for consent)[69].

5.156 The lawful basis thus applies where the pension provider wishes to establish, or investigate further, the health of a relative of a person whose eligibility for an occupational pension, or benefits under the scheme, are being determined; where the decision does not concern the relative, but the provider cannot reasonably be expected to ask the relative for his or her consent.

Political parties 5.157 Registered political parties70 may process personal data revealing the political opinions of individuals (which they generally collect through the process of canvassing electors’ views) where doing so is necessary for the purposes of their ‘political activities’, subject to certain exceptions. ‘Political activities’ include campaigning, fund-raising, political surveys and case-work71. 5.158 The exceptions are that: (i) the processing would cause substantial damage or substantial distress to a person; or (ii) the data subject has given written notice to the controller not to process personal data about them, and has not withdrawn the notice, the notice was given over a reasonable period, and the period has now expired. 5.159 An elector thus effectively has an opt-out from information about his or her political opinions being lawfully processed by a political party. 5.160 An appropriate policy document is required at the time of the processing.

69 DPA 2018, Sch 1, para 21. ‘Occupational pension scheme’, and ‘member’, are defined in para 21(3).
70 Ie parties included in the register maintained under Political Parties, Elections and Referendums Act 2000, s 23.
71 DPA 2018, Sch 1, Pt 2, para 22.

Elected representatives responding to requests

5.161 Elected representatives, or persons acting with their authority, may process special category data in connection with the discharge of their functions, and in response to a request by an individual that the elected representative take action on their behalf; provided the processing is necessary for the purposes of, or in connection with, the action reasonably taken (or, presumably, to be taken) by the elected representative in response to the request.

5.162 This is subject to the limitation that, where the request is made by someone other than the data subject, the processing may take place only if it must be carried out without the consent of the data subject for one of the following reasons:
• in the circumstances, consent cannot be given by the data subject;
• in the circumstances, the elected representative cannot reasonably be expected to obtain the consent of the data subject;
• obtaining that person’s consent would prejudice the action taken by the elected representative; or
• the processing is necessary in the interests of another individual and the data subject has withheld their consent unreasonably72.

5.163 ‘Elected representatives’ are defined in paragraph 23(3), and include MPs, members of the Scottish Parliament and Welsh and Northern Ireland Assemblies, councillors, elected mayors, and police and crime commissioners.

Example: Elected representatives responding to requests

(i) Elsie writes to her MP, Olwen, to ask her to take up her case with the local hospital. Elsie feels that her recent treatment has left her with mobility problems which could have been avoided. Olwen writes to the hospital asking for details, outlining Elsie’s complaint, and referring to a number of aspects of her health which Elsie made available to her. The processing of Elsie’s data about her health, and the details of her treatment, may be undertaken under this lawful basis.

(ii) Gerald writes to his MP, Terence, about his father, Clive, who came to the UK from Jamaica in the 1950s. Clive is now very elderly, and has signed a power of attorney for Gerald to manage his affairs. Gerald believes that his father should be compensated for a letter he received from the Home Office, questioning his right to remain in the UK. He asks Terence for help. Terence agrees to write to the Home Office, on the basis of documents provided by Gerald which show his father’s birthplace and parents in Jamaica, and his nationality. Terence is concerned to establish whether Clive consented to this information about his national background and ethnicity being used in this way. Gerald replies that he has not sought his father’s consent, but that asking Clive would cause him distress; and that his father would consider that he had entrusted his affairs to his son. Terence can rely on the lawful condition in the second bullet point above.

72 DPA 2018, Sch 1, Pt 2, para 23.


5.164 An appropriate policy document is required at the time of the processing.

Disclosure to elected representatives

5.165 A disclosure of special category personal data to an elected representative (or someone acting with their authority), which is made in response to a communication to that controller from the elected representative, which in turn was made in response to a request from an individual, will have a lawful basis; provided the personal data are relevant to the subject matter, and the disclosure is necessary to respond to the communication73.

5.166 Where the request to the elected representative was made by someone other than the data subject, the processing may take place without the consent of the data subject only if one of the same reasons applies as in Sch 1, para 23 (see para 5.162 above). The term ‘elected representative’ is defined in the same way as above.

5.167 The lawful basis means that public institutions or private corporations approached by elected representatives over casework may process special category data in order to reply, provided the data are relevant. They may only do so without the consent of the data subject for one of the same reasons as above.

5.168 An appropriate policy document is required at the time of the processing.

Informing elected representatives about prisoners

5.169 MPs, members of the National Assembly for Wales, or the Scottish Parliament, may be informed about a prisoner (including arrangements for their release), provided the member is under an obligation not to further disclose the personal data. ‘Prisoner’ includes a person detained in a young offender institution, a remand centre, a secure training centre, or a secure college74.

5.170 An appropriate policy document is required at the time of the processing.

Publication of legal judgments

5.171 Processing consisting of the publication of a judgment or other decision of a court or tribunal, which is necessary for the purposes of such publication, has a lawful basis in relation to any special category personal data involved75.

5.172 An appropriate policy document is required.

73 DPA 2018, Sch 1, Pt 2, para 24.
74 DPA 2018, Sch 1, Pt 2, para 25.
75 DPA 2018, Sch 1, Pt 2, para 26.


Anti-doping in sport

5.173 There is a lawful basis for the processing of special category data that is necessary: (i) for the purposes of measures designed to eliminate doping in sport, which are undertaken by or under the responsibility of a body or association which is responsible for such elimination; whether in a particular sport, at a sporting event or in sport generally; or (ii) for the purposes of providing information about doping, or suspected doping, to such a body or association76.

5.174 Measures designed to ‘eliminate’ doping include, for this purpose, measures designed to identify or prevent it. The disclosure of personal data by a controller to the responsible body, or processing in order to prepare to do so, are covered by the lawful basis notwithstanding that the controller does not have an appropriate policy in place. In any other case of processing falling under this lawful basis (eg by the responsible body or association itself), an appropriate policy document is required.

Standards of behaviour in sport

5.175 Processing of special category data has a lawful basis if it: (i) is necessary for the purposes of measures designed to protect the ‘integrity’ of a sport or sporting event; (ii) must be carried out without the consent of the data subject so as not to prejudice those purposes; and (iii) is necessary for reasons of substantial public interest.

5.176 The ‘integrity’ of the sport or a sporting event refers to measures designed to protect either of them against: (i) dishonesty, malpractice or other seriously improper conduct; or (ii) a failure by a participant in any capacity to comply with standards of behaviour set by a body or association with responsibility for the sport or the event77.

5.177 An appropriate policy document is required at the time of processing.

76 DPA 2018, Sch 1, Pt 2, para 27.
77 DPA 2018, Sch 1, Pt 2, para 28.


CHAPTER 6

Transparency and Privacy Notices

TRANSPARENCY

6.1 Transparency requires controllers and processors to adopt a stance of openness about the processing they undertake. This should underlie and be evident from their general approach, so that data subjects can understand and feel confidence in replies from the controller or processor to any questions they may ask about the processing of data about them (or which they may view through portals etc). In particular, measures such as Privacy Notices (formerly also known as ‘Fair Processing Notices’), and communications provided to data subjects (including those who are exercising their various individual rights, such as the right of access), should be:
• concise;
• transparent;
• intelligible and in an easily accessible form; and
• in clear and plain language, particularly if addressed to a child.

6.2 The requirements of the ‘Transparency’ principle are set out in Recitals 39 and 58. Individuals should be made aware of the risks and safeguards occasioned by the processing, and of their rights. The purposes of the processing should be made explicit, should be legitimate, and need to be determined at the time when the data are collected. The data should be processed only if the purpose could not reasonably be fulfilled by other means, with time limits for erasure or periodic review, and all reasonable steps taken to ensure that inaccurate data are corrected or deleted1. Information addressed to the public should be concise, accessible and easy to understand. ‘Visualisation’ may be used, for example through a website; and especially in areas, such as online advertising, where it may be difficult to understand who is collecting an individual’s data. Information addressed to children should be in such clear language that the child can easily understand it2.

6.3 The Article 29 working party (an advisory group formed of the various information regulators in the EU, predating the European Data Protection Board) produced guidance on the principle3. This describes transparency in terms of engendering trust in processes which affect citizens, by enabling them to understand and, if necessary, challenge processes of decision-making. Transparency is ‘intrinsically linked to fairness’ and the accountability principle, and the controller should be able to demonstrate that personal data are being processed transparently. Noting the lack of a definition in the GDPR, the guidelines point to Recital 39, which says that an individual should be enabled to be aware that his or her data are being processed, and to what extent. Any communications should be in easily accessible language; especially in relation to information identifying the controller, the purposes of processing, or further information to ensure fair and transparent processing.

1 GDPR, Recital 39.
2 GDPR, Recital 58.
3 Article 29 Data Protection Working Party (now the European Data Protection Board): ‘Guidelines on transparency under Regulation 2016/679’.

PRIVACY NOTICES

6.4 Privacy Notices are central to the concept of ‘Transparency’ under the GDPR. Although they were required under the Data Protection Act 1998 (‘DPA 1998’), they have significantly grown in importance under the Regulation. In consequence, controllers should review their Notices regularly to ensure that they meet the detail of the new requirements; especially where these have been extended. More particularly, they should consider whether the notices fully satisfy their enhanced purpose of describing and illustrating the processing which the controller is undertaking; and making individuals aware of the risks involved in the processing.

6.5 A ‘Privacy Notice’ is a statement by the controller as to how the personal data of individuals, which it holds, will be used. A controller is required to ensure that the Notices are transparent.

6.6 There are slightly different rules as to Privacy Notices (as there were under the DPA 1998) depending on whether they apply to data subjects who have themselves supplied their personal data to the controller, or where the individual’s data have been obtained by the controller other than from the data subject. The information may be accompanied by standardised icons, where these have been determined by the EU Commission. After Brexit, this role is transferred to the ICO and the procedure is strengthened, where such icons give a ‘meaningful overview of the intended processing in an easily visible, intelligible and clearly legible manner’4.

4 See GDPR, Article 12(6A)–(8); and DPPEC Regulations, Sch 1, para 11.

Key points on Privacy Notices

6.7 The following key points are worth noting in relation to Privacy Notices:
• Privacy Notices should be seen as central to an organisation’s compliance with Transparency.
• The broader scope of identifiability in the definition of personal data, and breadth of the concept of information ‘relating to’ an individual, mean that personal data has a wider scope than was previously assumed. In consequence, Privacy Notices will need to be displayed in relation to, or be designed to apply to, a wider range of information concerned with individuals than previously.
• They need to be available when the information is obtained (when the data are received from the data subject); or, at the latest within one month (when the data are obtained from a third party).
• The ICO recommends a ‘layered approach’, with general notices at a high level, leading to more detailed notices relating to narrower ranges of information.
• Notices need to be proactively drawn to the attention of the data subject; not merely displayed on a website or included with the application form.
• When the data will be used for automated processing (eg profiling), information must be given about the logic and consequences.
• Controllers should also be aware of the range of exemptions to the requirements applying to Privacy Notices.

Content of Privacy Notices

6.8 The requirements of Articles 13 and 14 as to the content of Privacy Notices are as follows:

Privacy Notice: requirements where data are obtained from individual (Article 13)

6.9 Where the data are obtained from the data subject, the controller must provide all of the following information to the data subject, at the time when the data are obtained:
• The identity and contact details of the controller (or their representative).
• The contact details of the Data Protection Officer (if there is one).
• The purposes of the intended processing, and the ‘lawful’ basis for the processing (see Chapter 5 above).
• If the processing is based on the legitimate interests basis in Article 6(1)(f), the legitimate interest which is being pursued (whether by the controller or a third party).
• The recipients, or categories of recipients, of the data (if any).
• If the data are to be transferred outside the EU, whether this will be on the basis of an ‘adequacy decision’ by the EU Commission; or, after Brexit, on the basis of relevant adequacy regulations under DPA 2018, s 17A5 (ie to a country with a broadly similar data protection regime); or, otherwise, the basis under the GDPR for the transfer to be made (see Chapter 11).

5 See DPPEC Regulations, Sch 1, paras 12(2) and 13(2).


6.10 At the same time, the controller must also provide the following further information ‘to ensure fair and transparent processing’:
• The period for which the information will be stored, or (if not possible) the criteria used to determine that period.
• The existence of the rights to request access, rectification, erasure, or restriction of the processing; to object to the processing; and, to ‘data portability’ where applicable (see Chapters 7 and 8 below, where the individual rights are described, and the exemptions to each right are listed6; and also Chapter 9 on the exemptions).
• The existence of the right to withdraw consent, where the lawful basis for the processing is consent (or explicit consent, for special category data).
• The right to complain to the ICO.
• Whether the personal data have to be provided, under statute or contract; whether the data subject has to provide the information; and, the possible consequences of failing to do so.
• Whether there is ‘automated decision-making, including profiling’. If so, meaningful information is to be given about the logic involved in the processing, its significance, and the consequences of the processing envisaged for the data subject.

6.11 Where the controller intends to further process the data for another purpose, different to the one for which the data was collected, the controller must provide the data subject, before the further processing, with information on that other purpose; and also provide any other information that is relevant (ie in the new context), as referred to above7.

6.12 None of the above requirements applies to any extent to which the data subject already has the information8.

6 On the exemptions, see paras 7.76, 8.16, 8.25, 8.33, 8.48 and 8.71.
7 GDPR, Article 13(3).
8 GDPR, Article 13(4).

Privacy Notices: requirements where data are not obtained from data subject

6.13 Where the personal data have not been obtained from the data subject, the controller is to provide the data subject with:
• the same information as in the box at para 6.9 above;
• the categories of personal data concerned;
• the same additional information as in the box at para 6.10 above;
• the source of the data and, if applicable, whether it came from a publicly accessible source.

6.14 The controller is to provide the information:
• within a reasonable period after obtaining it, having regard to the circumstances of the processing; but at the latest within one month;
• if the personal data are to be used for communication with the data subject, at the latest at the time of the first such communication; or
• if disclosure to another recipient is envisaged, at the latest when the data are first disclosed.

6.15 The above rules do not apply where, or to the extent that:
• The data subject already has the information;
• The provision of the information would be impossible, or would involve a disproportionate effort. Examples might include where the processing was for archiving in the public interest, for scientific or historical purposes, or statistical purposes (subject to safeguards in Article 89(1), such as data minimisation, or pseudonymisation); or, insofar as those obligations would render impossible, or seriously impair, the achievement of the objectives of the processing. In these cases, the controller is to take appropriate measures to protect the data subjects’ rights and interests, including making the information publicly available;
• The obtaining or disclosure of the information is expressly laid down by law to which the controller is subject, and which provides appropriate measures to protect the data subject’s legitimate interests; or
• The data must remain confidential, subject to an obligation of professional secrecy regulated by law, which can include a statutory obligation of secrecy.

6.16 According to the ICO, Notices now need to be proactively drawn to the attention of data subjects; either by sending them, or by displaying them accessibly, and informing the data subject of the notice and how to view it. This is because the wording in Articles 13 and 14 is that the controller shall ‘provide’ the specified information to the data subject9.

6.17 The right to be informed is subject to general exceptions (see following paragraph); and to specific exemptions (see para 6.19 and Chapter 9).

9 See the ICO’s detailed guidance on her website on the Right to be Informed: ‘When should we provide privacy information to individuals?’

General exceptions from requirements on Privacy Notices

6.18 Privacy Notices are not required in the following instances:
(a) where the data have been obtained from the data subject:
(i) the data subject already has the information10.
(b) where the data have been obtained other than from the data subject:
(i) the data subject already has the information;
(ii) providing the information to the data subject would be impossible;
(iii) providing the information to the data subject would involve a disproportionate effort (eg for certain research or archiving in the public interest);
(iv) providing the information to the data subject would be likely to render impossible, or seriously impair, achieving the objectives of the processing (in which case, the controller is to take appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including making the information publicly available);
(v) the controller is required by law to obtain or disclose the data;
(vi) where the data must remain confidential, subject to an obligation of professional secrecy regulated by law11.

The Article 29 working party, referred to above, states that the principle of accountability requires controllers to demonstrate and document what information the data subject has, how and when they received it, and (if the case) that no changes have been made which would make it out of date. The guidelines also recommend providing ‘layered’ levels of information on the controller’s website, with links to different levels of detail. On the question of active provision of information in Privacy Notices (see para 6.16 above) the working party reached the same view as the ICO: the wording of the Regulation is to ‘provide’, and this requires ‘active steps’ to be taken by the controller to furnish the information; not by the data subject to find it.

Exemptions from Privacy Notices

6.19 As well as the general exceptions above, a number of specific exemptions may apply in a given case to the duty to provide Privacy Notices. The exemptions are discussed in more detail at Chapter 9, but listed here, showing where they are located in the DPA 2018:
1. Crime and taxation (Sch 2, paras 2–3);
2. Immigration (Sch 2, para 4);
3. Disclosure required by law, or for legal proceedings (Sch 2, para 5);
4. Functions designed to protect the public (Sch 2, para 7);
5. Bank of England audit functions (Sch 2, para 9);
6. Regulatory functions relating to legal services, the health service or children’s services (Sch 2, para 10);
7. Regulatory functions of other bodies (eg the ICO) (Sch 2, para 11);
8. Parliamentary privilege (Sch 2, para 13);
9. Judicial independence or proceedings (Sch 2, para 14);
10. Crown honours, dignities or appointments (Sch 2, para 15);
11. Legal professional privilege (Sch 2, para 19);
12. Self-incrimination (Sch 2, para 20);
13. Corporate finance (Sch 2, para 21);
14. Management forecasts (Sch 2, para 22);
15. Negotiations with the data subject (Sch 2, para 23);
16. Confidential references (Sch 2, para 24);
17. Examination scripts (Sch 2, para 25);
18. Journalistic, academic and literary purposes (Sch 2, para 26);
19. Health data processed by a court (Sch 3, para 3);
20. Education data processed by a court (Sch 3, para 18).

10 GDPR, Article 13(4).
11 GDPR, Article 14(5), including Article 14(5)(b) in relation to the general exception (iv) in this paragraph. See further paras 9.107–9.108 in relation to that provision.


Section B

Individual Rights

CHAPTER 7

Right of Access

7.1 The ‘right of access’ under the GDPR was widely known in the UK as the ‘subject access right’ (or ‘SAR’) under the Data Protection Act 1998 (‘DPA 1998’), and this term seems likely to continue to be used in this country interchangeably with ‘right of access’. The access right has come to be seen as central to the data protection regime: enabling the data subject to check that their data have been recorded accurately1. It is also increasingly seen by individuals as a means to scrutinise the processing of their data; and, where necessary, as leading on to them exercising their other rights in order to gain a measure of control over the processing. The access right is the most frequently exercised individual right, and constitutes one of the most significant data processing obligations on a controller. Many controllers employ full-time trained staff to deal with it. Subject access forms a substantial proportion of the complaints to the Commissioner on data protection issues: in 2016–17, approximately 7,700 complaints about controllers’ handling of subject access were made to the ICO.

7.2 The GDPR has not changed the substance of the access right, although it has extended the information to which a requester is entitled, eased the formalities involved in making a request (including allowing oral requests), and removed the power to charge for a request in most cases. The Data Protection Act 2018 (‘DPA 2018’) adds the exemptions and rules on handling the personal data of third parties.

7.3 The general expectation is that the numbers exercising the right will grow further, partly in consequence of these changes; and partly with increased public awareness of data protection. There is a greater emphasis under the Regulation on the electronic making and answering of requests. Much of the familiar process of photocopying and posting large bundles of personal data to individuals has already been replaced by electronic communication, and this will increase; or, in the medium-term, is intended to give way to secure portals through which the data subject is enabled to have access to (or to continue to monitor the processing of), his or her personal data2.

7.4 Alongside increased rights, however, the GDPR has also for the first time created a right for controllers to refuse an access request that would be too burdensome. In addition, the number of exemptions from subject access, already significant, is extended further in the UK; and set out more clearly.

1 See Recital 63.
2 Recital 63 states that: ‘Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data.’


MEANING OF ACCESS REQUEST – IN SUMMARY

7.5 GDPR, Article 15(1), gives an individual the right to obtain from a data controller: (i) ‘confirmation as to whether or not personal data concerning him or her are being processed’; and (if so) (ii) access to the personal data; and (iii) a list of additional information about the processing in Article 15(1)(a)–(h) (covering areas such as: the purposes of the processing; the recipients or categories of recipients; or any available information as to the source of the data, where the data were collected from someone other than the data subject).

7.6 The duty is to provide the personal data the controller holds about the requester. It is not to create information about that person; nor to analyse what it holds.

7.7 The right is similar to the right of subject access under the DPA 1998. The new right is, however, generally to be free, in an important change from the previous maximum fee of £10 for most requests. Exceptionally, a reasonable fee, based on administrative costs, may be charged for:
• additional copies; or
• in place of a refusal.

7.8 The information is to be provided in a commonly used electronic form, where the request has been made by electronic means; unless requested by the data subject to be in another form (Article 15(3)).

7.9 The right to obtain a copy of the data is not to affect the ‘rights and freedoms of others’ adversely (Article 15(4)). This is intended to form the basis of domestic rules governing the disclosure or otherwise of ‘third party’ or ‘mixed’ personal data; ie information that is the data of both the requester and another person. The data identify and relate to both the requester and the other person, and cannot be omitted from the response while still giving effect to the intention of the request (because otherwise the requester would be denied some of his or her data)3.

7.10 The rules in those circumstances are similar (although not identical) to those in the previous s 7(4) and (6) of the DPA 1998. In principle the data need not be disclosed, but the obligation to do so is not removed where either: the third party gives his or her consent; or, it is reasonable in all the circumstances (having regard to a range of factors) to disclose the information to the requester without the consent of the third party4. One new factor is added (the type of information which would be disclosed, see para 7.56).

3 See further paras 7.52–7.59 below.
4 DPA 2018, Sch 2, Part 3, para 16. See paras 7.56–7.59 below.


7.11 It was thought for a short period before the GDPR’s implementation that there was a presumption against disclosure to the requester in such cases, but that it could be rebutted in a particular instance. This was, however, rejected by the Court of Appeal in DB v General Medical Council5, which said that there is no presumption in either direction. This interpretation should be assumed to continue under the GDPR regime; and is supported by a slight change of wording, whereby the word ‘unless’ (there was consent, or it was reasonable etc to disclose) in the former DPA 1998, s 7(4) was omitted from DPA 2018, Sch 2, para 16(1) and (2).

ACCESS REQUESTS IN DETAIL 7.12 The third element of a response to a SAR (the additional information in para 7.5 (iii) above) has often been overlooked in the past, on the basis that it would be covered by the content of any personal data to be disclosed. This was not correct, and will certainly not now meet the level of compliance expected under the GDPR. Controllers will need to have systems and processes in place to identify and provide the additional background information as an integral part of handling the request, with a view to providing the information in a standard format (see paras 7.65ff below).

Oral requests 7.13 In a major change from the previous rules, an access request under the GDPR, unlike a former SAR, does not need to be made in writing in order to be valid. This is because the Regulation does not stipulate it to be necessary that a request is made in writing. Under the DPA 1998 (although not the originating Directive) a SAR did have to be made in writing6. An oral request (eg by telephone or in person) is now valid. It will be important that controllers have systems in place, and that staff have been instructed or trained, to ensure that such requests are recognised as access requests by those receiving them; recorded by them in writing as quickly as possible; and then that the text is checked as soon as practicable with the requester as to whether it accurately represents his or her request (or is amended, as necessary).

Other formalities

7.14 There are few formalities. The controller is advised to offer a form for making access requests, in order to ensure that it collects the information it needs to search for the information; but it cannot insist on its use. An access request may be made in any format.

5 [2018] EWCA Civ 1497.
6 DPA 1998, s 7(2)(a).


Credit reference agencies 7.15 Credit reference agencies have more limited duties in relation to access, in that the request is taken to apply only to the applicant’s financial standing, unless he or she indicates otherwise. A  disclosure must be accompanied by a statement informing the requester of their rights to correct information which is incorrect7.

Dialogue with requester

7.16 The ICO’s Code of Practice on Subject Access (which remains in place at the time of writing)8 encourages controllers to engage in dialogue with the requester. The ICO’s new guidance on the GDPR appears to limit this, however, to large requests only (without otherwise mentioning entering dialogue) saying: ‘If you process a large amount of information about an individual you can ask them for more information to clarify their request. You should only ask for information that you reasonably need to find the personal data covered by the request.’

7.17 This appears to arise from Recital 63, which says that a controller processing a ‘large quantity of information’ should be able to request that ‘before the information is delivered, the data subject specify the information or processing activities to which the request relates’. This is narrower than a general permission to undertake dialogue to clarify a request. The deadline would not be delayed while the discussion took place.

7.18 Notwithstanding this latter point, the ICO does in her latest GDPR guidance repeat the position from the SAR Code that: ‘The period for responding to the request begins when you receive the additional information.’ This seems, however, potentially to be inconsistent with the following sentence, which says that you still have to comply if the requester refuses to provide any further information; which seems closer to the effect of the Recital.

7.19 Taking our cue from the ICO’s earlier approach, however, examples of the sort of dialogue which ought to remain capable of being legitimate in a particular case might be:
• ‘During what period (approximately) would such correspondence have been sent?’
• ‘What are our connections with you (eg employment, service use, sales, complaints) and roughly when did these connections occur?’
• ‘We have much information about you of that kind. Is there something specific, or a particular occasion or period which you would like us to concentrate on?’
• ‘What search terms would you suggest?’

7 DPA 2018, s 13; referring to Consumer Credit Act 1974, s 159.
8 ICO: ‘Subject Access, Code of Practice’, version 1.2 (2017).

7.20 The controller should not, however, give the requester the impression that the latter is obliged in any way to limit the exercise of his or her rights. Questions or discussion such as: ‘We cannot really look for that, as it has not been archived properly’; or ‘You need to cut down the scope of that request’; or, ‘We cannot simply look for your information all over the organisation’ are invalid, and will count as a significant breach of the requester’s rights. While it is legitimate to query a request which is along the lines of ‘please send me all the personal data on me that you hold’, to the extent of asking whether there is something more specific they are seeking, or what type of contact you had with them (as above), in the end the requester has the right to make and maintain such a request. The GDPR does allow, however, for a duty not to arise where the controller is not in a position to identify the data subject9.

Identity checks

7.21 Somewhat surprisingly, the GDPR has relaxed to a degree the former expectation that identity checks should normally be required; although the Commissioner had been saying for some time that these should not be overburdensome10. The Regulation limits them to situations where the controller has ‘reasonable doubts’ over the identity of the person making the request. In those circumstances, the controller may ‘request the provision of additional information necessary to confirm the identity of the data subject’11; but it appears to have no power to require the identity to be produced.

7.22 This may seem paradoxical, as public concern increases over the security of personal data. The risk is evident that the personal data of X could be disclosed in error to Y, if the requester is not obliged to provide evidence of their identity; at least where they are not well known to the controller (such as a member of their staff, or a regular user or customer), and especially if the request has been made electronically, or other than in person, or otherwise than in the context of some continued dealings with the person. On the other hand, the purpose appears to be not to constrain access requests unduly by allowing over-elaborate security checks which some applicants may find off-putting.

7.23 The ICO’s current GDPR guidance stresses the importance of only asking for information that is necessary to confirm who they are, stating that: ‘The key to this is proportionality’. The period for answer commences when the identity information is received, so a controller should let the individual know as soon as possible that this information is required (ie that their request is on ‘hold’ until that time).

7.24 On the other hand, Recital 64 says that the controller should use ‘all reasonable measures to verify the identity of a data subject who requests access’; and that this is the case in particular ‘in the context of online services and online identifiers’. The Recital is less restrained about verification than Article 12(6), and seems to contradict it. Against this background it is suggested that controllers should not hold back from undertaking security checks where they have some doubt as to the identity of the requester; to the extent of doing so wherever the controller is not reasonably sure about the identity of the person concerned. Such checks should, however, be proportionate to the degree of doubt; and to the expected sensitivity or otherwise of the information sought.

7.25 It is suggested that controllers may wish to develop criteria as to what constitutes ‘reasonable doubt’ in their area of activity; possibly coupled with an internal procedure for staff to follow. Potential grounds might be as follows, although it is stressed that these would need to be supported by some reasoning as to why they would constitute a level of doubt that was ‘reasonable’ in the specific circumstances, since the trend of the GDPR is away from regular checks:

— not recognising the name of the requester (and being unable readily to identify them from a search of the records);
— no current course of dealing with the requester, into which the request ‘fits’;
— sensitivity of the information to be disclosed, combined with an absence of past contact with/recognition of the requester;
— a significant quantity of special category information in the reply;
— the applicant is a minor, or a vulnerable adult;
— serious impact if the information were disclosed to a person other than the data subject whom it concerns; or
— significant quantities of third party data would be disclosed.

9 GDPR, Article 12(2).
10 See SAR Code, pp 23–25.
11 GDPR, Article 12(6).

Plan for search

7.26 Once a request has been received, as a practical matter it should be logged forthwith, with the latest date for reply diarised for follow-up action. It is good practice to acknowledge the request, although this is not a requirement. After any initial dialogue with the requester, if considered necessary, it may also be sensible to establish a plan for the search, with a view to prioritising the parts of the organisation’s records which are to be examined. This could perhaps start with a discussion with any members of staff who may be familiar with the requester, or with any matters concerning the requester with which the controller has been dealing.

Examples:
— For a former staff member, consider consulting their line manager, immediate colleagues, or Human Resources staff.
— For a customer or user, consider consulting those staff who have dealt with them, or who have knowledge of their case, or of the issue concerned.

After that, the person co-ordinating the response should consider the following possible locations:

Electronic systems
• databases;
• document filing systems, held centrally or on a network;
• emails (including those archived, or ‘deleted’ otherwise than in accordance with a retention/destruction schedule); texts;
• social media announcements or records.

Manual systems
• paper filing systems, where records are likely to be in hard copy (or partly in hard copy), eg: complaints, personnel records, historic files;
• (in the public sector) unstructured manual records (but see paras 7.46–7.49 below).

7.27 Physical and electronic locations should also be searched which staff think, from their knowledge, may contain personal data of the requester; or which appear to be potential sites as the search progresses (eg branch offices’ records; particular historic paper files; electronic or paper files on specific topics, projects, or subject areas with which the requester appears to have been involved). Other ‘leads’ may be provided by the requester, after discussion, such as: names of other individuals with whom they had dealings; topics over which they were associated with the organisation; or, dates within which they had contact with it.

7.28 The search terms to be used should be defined and recorded:

— variants of the requester’s name, initials or other identifiers (such as a past job title, or a reference/membership number associated with the organisation);
— topics or subjects with which they have had dealings with it;
— any other information which may identify the requester (eg customer records, or records of issues or complaints over a particular product or service with which they may have been associated).

The steps taken during the search should be logged, so that the controller can account for where it has looked, if it needs to describe the process in response to a complaint or to the ICO.
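The search plan in paras 7.26–7.28 above, as an added example in Python that is not from the book or from the ICO: it builds the name variants and identifiers to search for, runs them over a constructed set of records standing in for three of the locations listed (a CRM database, an email archive, a shared drive), and writes a log entry for every location/term pair, including nil returns, so the controller can later account for where it looked. The requester (‘Jane Bloggs’, formerly Smith, staff reference EMP-0042), the records and the easysales.example mailbox are constructed for illustration; the login-style name forms and the whole-token matching rule are this example’s own assumptions, not anything the book prescribes.

```python
"""Added example (not from the book): defining, recording and running the search
terms for a subject access request, with a log of where the controller looked."""
import re
from datetime import datetime, timezone


def name_variants(forename, surname, previous_surnames=(), identifiers=()):
    """Variants of the requester's name, initials and other identifiers (para 7.28).
    The login/mailbox-style forms are an assumed convention, not a rule."""
    variants = set()
    initial = forename[0]
    for sn in (surname, *previous_surnames):
        variants |= {
            f"{forename} {sn}",          # Jane Bloggs
            f"{sn}, {forename}",         # Bloggs, Jane   (HR / index style)
            f"{initial}. {sn}",          # J. Bloggs
            f"{initial} {sn}",           # J Bloggs
            f"{initial}{sn}".lower(),    # jbloggs        (assumed login / mailbox style)
            f"{forename}.{sn}".lower(),  # jane.bloggs
        }
    variants |= set(identifiers)         # staff number, membership number, past job title
    return sorted(variants, key=str.lower)


def term_pattern(term):
    """Whole-token, case-insensitive match: 'J Bloggs' must not fire on 'DJ Bloggsworth'."""
    return re.compile(r"(?<!\w)" + re.escape(term) + r"(?!\w)", re.IGNORECASE)


def run_search(locations, terms):
    """Search every location for every term, logging each step even when nothing is
    found, so the controller can account for where it looked (para 7.28).
    locations: {location name: [(record id, text), ...]}
    Returns ({(location, record id): {matched terms}}, [log entries])."""
    hits, log = {}, []
    for location, records in locations.items():
        for term in terms:
            pattern = term_pattern(term)
            matched = [rec_id for rec_id, text in records if pattern.search(text)]
            log.append({
                "at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                "location": location, "term": term, "hits": len(matched),
            })
            for rec_id in matched:
                hits.setdefault((location, rec_id), set()).add(term)
    return hits, log


# Constructed records standing in for three of the locations listed in para 7.26.
SAMPLE_LOCATIONS = {
    "CRM database": [
        ("crm-1001", "Account: Bloggs, Jane. Staff ref EMP-0042. Delivery complaint, March 2018."),
        ("crm-1002", "Account: DJ Bloggsworth. No open issues."),
    ],
    "Email archive": [
        ("msg-77", "From: jbloggs@easysales.example  Subject: bonus query"),
        ("msg-78", "HR note: J. Smith (now Bloggs) raised the appraisal point again."),
    ],
    "Shared drive: Sales/Complaints": [
        ("doc-5", "Eastern team bonus dispute: Bill and Rashida. No other staff involved."),
    ],
}


def search_for_requester(locations=SAMPLE_LOCATIONS):
    """Worked run for the constructed requester Jane Bloggs (formerly Smith, staff EMP-0042)."""
    terms = name_variants("Jane", "Bloggs", previous_surnames=("Smith",),
                          identifiers=("EMP-0042",))
    hits, log = run_search(locations, terms)
    return terms, hits, log


if __name__ == "__main__":
    terms, hits, log = search_for_requester()
    for (location, rec_id), matched in sorted(hits.items()):
        print(f"{location} / {rec_id}: matched {sorted(matched)}")
    print(f"{len(log)} search steps logged across {len(SAMPLE_LOCATIONS)} locations")
```

The log records a step for every term in every location, not just the hits: the zero-hit entries are what let the controller show the ICO that the shared drive was searched and nothing was found, rather than that it was overlooked. The previous surname catches the HR note that refers to the requester as ‘J. Smith’, which a search on the current name alone would miss.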

Requests made on behalf of data subjects

7.29 Some access requests are made on behalf of other people. This may be because they are minors, lack the capacity as adults to be able to make their own request, or simply wish the matter to be handled by a solicitor or other representative, relative or friend. The SAR Code advised that the third party was responsible for providing evidence of authority to make the request, and this does not appear to be affected by the GDPR. Thus a solicitor or anyone making a request on behalf of a client should expect to provide a letter of authority to the controller; unless the controller is confident from previous dealings that the requester wishes that person to act as their representative on this matter. If the third party has a power of attorney (whereby the individual has appointed them to handle their affairs) this would normally be considered sufficient. An order from the Court of Protection, appointing a person as the representative of another, should similarly be considered sufficient.

7.30 Where the controller is unsure that the data subject would understand what information would be disclosed to the third party by an access request made on their behalf, the Code advises that one option is to send the information to the data subject, so that they have a choice over whether to disclose it to the third party.

7.31 In the case of a child, the law does not produce a clear-cut procedure. The personal data are those of the child, irrespective of his or her age (although the Code does not recognise that, depending on their content, the data may at the same time be those of the parent as a third party). The request is that of the child; even though it is recognised that an access request can be made for a younger child on his or her behalf by their parent or guardian. The issue is whether the child is sufficiently mature to understand their rights, and to interpret the information disclosed to them; both being considered in broad terms. The Code lists a number of factors which should be considered in that context. In Scotland, the child is presumed to have the maturity to make his or her own access request from the age of 12 years. The rest of the country does not have the same age; although the Commissioner suggests that the Scottish deemed age may indicate what is reasonable for the rest of the country. (It may also be noted that 13 years and upwards has been chosen as the age in the UK from which parental consent is unnecessary for the provision to a child of ‘information society services’.)

7.32 The Commissioner points out that, even at that age, a child who can make an access request may not have the necessary maturity to give consent to sharing their personal data with others. The implication is that the reply should be sent to the child in those circumstances. Where a request has validly been made on behalf of a child, the controller should consider the possible adverse implications for the child of sending the reply to the person who has made the request. It may be incumbent on the controller to consult those staff closest to the matter on that issue; particularly in the social care field, or if the information appears to raise any issues concerning safeguarding or child protection.

Refusal: an access request that is ‘manifestly unfounded or excessive’

7.33 Article 12(5) provides that where ‘requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character’, the controller has the option either to:
• charge a reasonable fee, taking into account the administrative costs of providing the information or communication; or
• refuse to act on the request.

The onus is on the controller to demonstrate the ‘manifestly unfounded or excessive character of the request’. The meaning of ‘unfounded’ is not clear, although it is presumably intended to refer to a request which is mistaken or has no basis (eg that a person had no apparent connection with the organisation, but wanted to establish that it held nothing about him or her).

7.34 While the DPA 1998 allowed some opportunity to refuse requests where a reasonable period had not elapsed since a previous similar request which the data controller had answered12, the opportunity to refuse an access request on the grounds of the burden involved is new. The DPA 1998 also contained a provision allowing some relief for the controller where ‘supplying the data subject with a copy of the information in permanent form’ was ‘not possible or would involve disproportionate effort’ (DPA 1998, s 8(2)(a)); and the Court of Appeal had interpreted this provision in 2017 to cover effort that would be disproportionate in the search leading to the supply, as well as in the supply itself of the information13. The need on practical and resources grounds for explicit provision to protect controllers from the most burdensome requests has now been recognised in the GDPR. The interpretation placed on it by the ICO, and the terms of its drafting, point, however, to only a limited application.

7.35 The Commissioner, in her outline guidance on the right of access, interprets the reference to ‘in particular because of their repetitive character’ to mean ‘taking into account whether the request is repetitive in nature’. Another reading might be that repetitive requests are particularly likely to be capable of refusal; but that a request can also be ‘unfounded’ without being repetitive. The drafting of GDPR, Article 12(5) would suggest, however, that there do need to have been previous requests from the same requester (probably on similar or related areas) before the exception can be claimed; since the reference is in the plural (‘requests’) being manifestly unfounded or excessive. The change may, therefore, be less radical, and more associated with the previous rule concerning repeated requests, than may initially be apparent; although the ICO does not describe it in this way. Reasons will be needed to justify the decision.

12 Former DPA 1998, s 8(3).
13 Dawson-Damer v Taylor Wessing LLP [2017] EWCA Civ 74.

7.36 Further guidance from the ICO will be needed before controllers can use the exemption with confidence, although the following examples are suggested:
— the repetitious making by the requester of overlapping access requests;
— attempts by the requester to circumvent previous refusals, especially if a third party’s data were withheld, or where there were clear grounds of exemption;
— requesting the same or similar information, where little or nothing has changed since the last request (ie similar to the DPA 1998);
— making one or more requests that overlap with, or repeat, a previous request, where replying would impose a significant burden in terms of a search, and the requester has been asked to assist by describing the type of information sought, but has produced nothing;
— making a large request, which would impose a significant burden, having made previous similar requests (although probably not on wholly unrelated areas).

7.37 Refusal on this ground should be notified to the requester within one month. If a fee is charged, the ICO advises that there is no need to comply with the request until it has been received.

Request form

7.38 If a request form is offered by the controller, it could seek the following information. It would doubtless be helpful to explain that this is intended to assist the controller to conduct its search, by understanding better the type and scope of the information sought. The purpose of the questions is not to limit the requester’s right of access, but to assist the controller to carry it out:

• the name and contact details of the requester (including any previous name that may be relevant to the period of the request);
• in broad terms, how the organisation ‘knows’ the requester, or has had dealings with them;
• which part(s) of the organisation the requester has dealt with, or thinks may hold his or her information;
• whether the requester is seeking records of a particular type, or covering a particular issue;
• during what period (approximately) the requester has had dealings with your organisation;
• whether there has been anyone in particular with whom the requester had dealings, or to whom the controller could usefully speak to assist in identifying the information held;
• any variants of the requester’s name which may have been used in correspondence you may hold about them (if not already volunteered by the requester);
• evidence of the requester’s identity (if the controller has reasonable doubts about it – see paras 7.21–7.25 above);
• evidence of the third party’s authority to make the request (if the request has been made by another person on behalf of the data subject);
• anything else the requester would like to tell the controller to assist in handling the request.

Timescale for response

7.39 The duty under the GDPR is to provide the information sought without undue delay, and in any event within one month. At the latest by that date, if the controller is not going to comply with the request (ie is to refuse it, including a partial refusal) the controller is to provide the requester with the reasons for not doing so; and to inform them of their right to complain to the ICO and thereafter to appeal14.

7.40 There has been much discussion of what is the meaning of ‘one month’; and from when it should be counted. On the latter point, the ICO advises counting from the date after receipt, whether or not that date is a working day. On the former point, a month can obviously vary between 28 and 31 days. The ICO advises counting from the date after receipt to the end of the ‘corresponding date’ in the following month (ie the day with the same numbered date). Where this is not possible, because the following month is shorter and there is no corresponding date (eg 30th January having no counterpart in February), the time limit should be treated as the end of the last day of the following month. If that corresponding date falls at a weekend or on a public holiday, the date for reply should be taken to be the end of the next working day – see Example (i).

7.41 The Commissioner includes a heavy hint in her GDPR guidance that controllers could consider adopting a standard 28-day period for reply, if consistency is required for the purposes of their internal systems. This seems sensible, to avoid confusion over dates and the consequential missing of deadlines; even if it is unwelcome to controllers, in terms of the yet further shortened time for reply. The periods involving February could be as short as 28 days in any event, as Example (ii) shows.

14 GDPR, Article 12(3) and (4). See para 7.42 below.

Examples: deadlines for reply to access requests

(i) Sylvia receives an access request on 30th May. Counting from the following day (31st May), there is no corresponding date of 31st June, so the date for reply will normally be 30th June. If that date falls at a weekend or on a public holiday, however, the date for reply will be the end of the next working day.

(ii) Ernest receives an access request on 30th January. The time limit runs from 31st January. As there is no corresponding date in February, the deadline will normally be the end of 28th February (or 29th February in a Leap Year); unless that date falls at a weekend, or on a public holiday. In other words, the period for reply in the most extreme example will be a strict 28 days.

7.42 The controller may extend the period by a further two months ‘where necessary, taking into account the complexity and number of the requests’. On a strict reading of the text (from the use of the word ‘and’, and its interpretation in UK legislation) both conditions would need to be in place (ie the request is complex, and the ‘number’ of them obliges the controller to use more time). The Commissioner has taken the view in her GDPR guidance, however, that either condition is sufficient; and that the latter one refers to the controller having received a number of requests from the same individual15.

7.43 Where the controller extends the deadline, it must inform the requester within one month of its receipt of the request, giving the reasons for the delay. Where the request was made by electronic means, this information should be provided by the same means, unless the data subject has indicated otherwise.

7.44 The ICO has decided in her initial GDPR guidance that she considers that it will be ‘unlikely to be reasonable’ to extend the time limit if: (i) the request is manifestly unfounded or excessive; (ii) an exemption applies; or (iii) the controller is requesting proof of identity before considering the request.

7.45 The Commissioner does not give her reasons for these qualifications, but they may be inferred to be:
(i) Manifestly unfounded: the controller should have considered this issue earlier, before the one-month deadline, and notified the requester (although this overlooks cases where the scale of the request only becomes apparent towards the end of the period for reply, as a result of the search);
(ii) If an exemption applies: the ICO may be concerned to avoid the power to extend time being used to spend longer in considering to what extent exemptions apply, or in undertaking redactions;
(iii) Identity: the identity should have been checked at the outset, rather than towards the deadline for response.

15 This approach differs from that taken by the ICO on a similar issue of interpreting ‘and’ under the Environmental Information Regulations 2004 (‘EIR’).
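The deadline arithmetic in paras 7.40–7.43 and Examples (i) and (ii) above, as an added example in Python that is not part of the book: it counts from the day after receipt, applies the ICO’s ‘corresponding date’ rule with the shorter-month fallback, rolls a deadline that lands on a weekend or public holiday to the next working day, and covers the two-month extension and the optional 28-day internal period. The bank-holiday set is a constructed two-date sample, not a real calendar; reading the 28-day period as 28 days from the day after receipt, and applying the corresponding-date rule over three months for an extended request, are this example’s assumptions rather than anything the ICO states.

```python
"""Added example (not from the book): reply deadlines for a subject access request
under the ICO's 'corresponding date' reading of GDPR Article 12(3)."""
import calendar
from datetime import date, timedelta

# Constructed sample: two England & Wales bank holidays, enough to show the
# roll-forward rule. A real implementation would load the full calendar for
# the relevant jurisdiction and year.
SAMPLE_BANK_HOLIDAYS = frozenset({date(2019, 12, 25), date(2019, 12, 26)})


def corresponding_date(start: date, months: int) -> date:
    """The same day-number `months` later; if that month is shorter, its last day
    (para 7.40: 30th January has no counterpart in February, so end of February)."""
    month_index = start.month - 1 + months
    year, month = start.year + month_index // 12, month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(d: date, holidays=frozenset()) -> date:
    """A deadline falling on a Saturday, Sunday or public holiday becomes the end
    of the next working day (para 7.40)."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


def sar_deadline(received: date, *, extension_months: int = 0,
                 fixed_28_days: bool = False, holidays=frozenset()) -> date:
    """Latest date for reply.

    received: the day the request reached the controller; where identity evidence
        or clarification was asked for, the day that information arrived instead
        (paras 7.18 and 7.23).
    extension_months: 0, or up to 2 where complexity/number justifies it (para 7.42).
    fixed_28_days: the standard internal 28-day period the ICO hints at (para 7.41);
        read here (an assumption) as 28 days from the day after receipt.
    """
    if not 0 <= extension_months <= 2:
        raise ValueError("Article 12(3) allows at most a further two months")
    start = received + timedelta(days=1)  # the ICO counts from the day after receipt
    if fixed_28_days:
        due = start + timedelta(days=28)
        if extension_months:  # assumption: extension measured from the 28-day date
            due = corresponding_date(due, extension_months)
    else:
        # assumption: one month plus the extension as a single corresponding-date step
        due = corresponding_date(start, 1 + extension_months)
    return next_working_day(due, holidays)


def extension_notice_deadline(received: date, holidays=frozenset()) -> date:
    """Any extension must be notified, with reasons, within the original month (para 7.43)."""
    return sar_deadline(received, holidays=holidays)


def deadline_iso(received_iso: str, **kwargs) -> str:
    """Convenience wrapper taking and returning ISO dates, eg '2019-05-30' -> '2019-07-01'."""
    return sar_deadline(date.fromisoformat(received_iso), **kwargs).isoformat()


if __name__ == "__main__":
    for label, received in (("Example (i)", "2019-05-30"), ("Example (ii)", "2019-01-30")):
        print(label, received, "->", deadline_iso(received, holidays=SAMPLE_BANK_HOLIDAYS))
```

Run against the book’s own examples the code gives 30th June for Sylvia and 28th February for Ernest, but in 2019 30th June is a Sunday, so the rolled deadline is Monday 1st July; and in a Leap Year 29th February 2020 is a Saturday, so the reply is due on Monday 2nd March. Diarising the raw corresponding date without the roll-forward step is the commonest way to record the wrong day.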

Manual unstructured data

7.46 The processing of manual unstructured data in the public sector (ie information in paper or other physical form which is not, and is not intended to be, part of a ‘filing system’) arises by virtue of the ‘applied GDPR’16; and, after Brexit, under GDPR Article 2(1A) (as inserted by the DPPEC Regulations, Sch 1, para 4(2)). As under the DPA 1998, such data are covered to a limited extent by the right of access. A controller is not obliged to comply with the right if: (a) the request does not contain a description of the personal data sought; or (b) the controller estimates that the cost of complying would exceed the appropriate maximum.

7.47 The estimate under (b) above is made on the same basis as the cost limit used in the FOIA (ie the limits of £450 in the wider public sector, or £600 in the civil service, respectively), calculated at £25 per hour, in terms of determining, locating, retrieving, and extracting the information17. In addition, the right of access does not apply to manual unstructured processing of personal data relating to appointments, removals, pay, discipline, superannuation or other personnel matters in relation to a wide range of public service. The exclusions relate to: service in the armed forces; service in any office or employment under the Crown or any public authority; or, service in any office or employment, or under any contract for services, in respect of which a power to take action, or to determine or approve the action, is vested in the monarch, a Minister of the Crown, the National Assembly for Wales or the Welsh Ministers, a Northern Ireland Minister, or an FOI public authority (DPA 2018, s 24(3) and (4)(a)). (The exclusions also apply to a significant proportion of the other GDPR provisions, including the data protection principles in Chapter II, the other individual rights in Chapter III, the rules as between controllers and processors in Chapter IV, and the rules as to processing for the ‘special purposes’, or for research, statistics and archiving in the public interest in Chapter IX: see DPA 2018, s 24(4).)

7.48 The controller remains liable, if it applies the cost limit exception, for confirming whether or not the personal data of the requester are being processed; unless it estimates that the cost of answering that question would itself exceed the cost limit. This could presumably arise where the requester sought unstructured manual data which the controller did not believe that it held, but estimated that it would not be able to demonstrate this until after a search which would exceed the cost limit.

7.49 These rules replicate those that applied under the former DPA 1998, s 9A, and remain the only instance of an expressly financial limit applied to the right of access.

16 DPA 2018, s 21(2); and by inference from GDPR, Article 2(1).
17 See DPA 2018, s 24(5) and (6); Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004, SI 2004/3244, reg 4(3); and, transitional provision (preserving those amounts, pending any new regulations) in DPA 2018, Sch 20, para 13.

Controllers and Processors – respective responsibilities

7.50 The responsibility for dealing with access requests remains with the controller. The processor has no direct responsibilities in this area under Articles 28–30, or for assisting the controller with them. The controller is required, however, to have in place contractual arrangements which guarantee that the processor will assist it with relevant access requests (Article 28(3)(e)). The involvement of a processor is not of itself a ground for extending the time limit beyond one month18.

Joint controllers’ responsibilities

7.51 Where there are two or more controllers for the same piece of personal data (eg because one has shared the information with the other(s), under a data sharing agreement), they should – where they are aware of each other’s roles – agree a procedure as to how, and by whom, access requests will be dealt with in respect of the joint data.

‘Third party’ data

7.52 As indicated above, there will often be a problem with an access request, where some of the information identified from a search as being the personal data of the requester is also the personal data of another person (a ‘third party’)19. The same words may be the personal data of two or more people. Often, while the name of the other person could in principle be redacted, as a purely practical exercise this would achieve nothing in terms of disguising their identity from the requester, because they are already known to him or her, or the context makes their identity obvious. In another case, removing their name would excise a significant part of the requester’s personal data; including, on occasion, what they really want to know (or should be enabled to learn); and this deprives them of information to which in principle they are entitled. The information in issue may include, for example, a record that the third party was the source of information about the requester; or of something significant which they said or did in relation to the requester. The joint personal data will often describe an area of joint activity between the individuals, or a dispute between them. Deciding the respective weight of the rights of both parties can be among the most difficult choices which data protection practitioners have to make.

18 See paras 3.16–3.24 generally.
19 See paras 7.9–7.11 above.

7.53 The GDPR says merely that a requester’s right to obtain a copy of his or her personal data is not adversely to affect the rights and freedoms of others. Any further provision is left to member states. The UK has re-imported the relevant wording from the DPA 1998, with slight amendments and one addition, via the DPA 2018; treating it as an exemption from subject access20.

7.54 It is not the case that the personal data that relate to both individuals can be redacted. The controller does not have to disclose information to the requester, to the extent that doing so would involve disclosing information ‘relating to another individual who can be identified from the information’21. However, paragraph 16(2) of the Schedule disapplies this exemption (ie creates an exception to it) where either: (a) the other individual (the ‘third party’) has consented to the disclosure of the information to the data subject (ie to the requester); or (b) it is reasonable to disclose the information to the data subject without the consent of the other individual.

7.55 The controller has, therefore, to make two judgments:
(a) whether to seek the consent of the third party (if they can be found), which is not compulsory; and
(b) (whether or not the controller has sought, or obtained, the third party’s consent) whether it is ‘reasonable’ to disclose the information to the requester without the consent of the third party (which can arise either because they have not been asked; or because, when asked, they refused consent, but the controller thinks it is nonetheless reasonable in all the circumstances to disclose the data).

7.56 In making the second judgment (or series of judgments, since it applies to each piece of information that relates to both individuals), the controller should have regard to the following factors. The first is new under the GDPR:
(a) the type of information that would be disclosed;
(b) any duty of confidentiality owed to the other individual;
(c) any steps taken by the controller with a view to seeking the consent of the other individual;
(d) whether the other individual is capable of giving consent; and

20 See DPA 2018, Sch 2, Part 3, paras 16–17, which provide the basis of the exemption; replacing the former ss 7(4)–(6), and 8(7) of the DPA 1998. See also paras 9.60–9.63 below.
21 See DPA 2018, Sch 2, Part 3, para 16(1); and definition at para 9.61 below.

129

7.57  Right of Access

(e) any express refusal of consent by the other individual22. Considerations to take into account in that context would include: •

What sort of information is involved; and what (if anything) does its nature tell the controller about whether it should be disclosed without consent?



Is the other person capable of giving consent (eg time may have elapsed)?

• Has the other person refused their consent? (Although, if they have, the controller still has to consider whether it is reasonable to disclose notwithstanding their refusal) •

What is the impact on the other individual (eg how harmful or not would disclosure be)?



Is the identity of the other person already known to the requester?

7.57 Assuming there is no consent, the controller then has to balance the respective weights of the requester’s right of access and the privacy interests or welfare of the other individual. This has to be done in respect of each piece of information. If they are equal, there is no disclosure (as confirmed by the Court of Appeal in DB)23. It is only if the controller considers the requester’s right to be of greater weight, so that it is reasonable to disclose without the consent of the third party (whether or not it has been sought), that it will disclose the piece of personal data.

7.58 The more usual position is still that it will not be reasonable to disclose data which are equally about two people without the other person’s consent. In a particular instance (or in relation to a particular piece of information), however, the weight in favour of disclosure may be greater than that against. This could arise where the specific piece of information is of particular importance to the requester; perhaps because it explains what he or she wants to know, and it is reasonable in the circumstances that they should be informed of it. If this is the case, even something harmful or distressing to the third party may have to be disclosed, in order to give proper effect to the requester’s rights. See Example (ii) as to how this might work in a given case.

22 DPA 2018, Sch 2, para 16(3).
23 See para 7.11; albeit decided under the DPA 1998.

Example (i): third party data

Consider the following extract from the note of a monthly Human Resources internal meeting at Easysales Ltd:

‘Bill and Rashida have worked in the Eastern sales team for the last two years. In her annual staff appraisal last year, Rashida expressed dissatisfaction over the team’s performance, saying that Bill works less hard than the others, achieves lower sales figures, and drags down the level of their joint bonuses. Bill reported Rashida to management last month for spreading unjustified gossip about him to their colleagues. He said that he had previously asked her to stop, but she had ignored him. We noted that we may have to relocate one of them to another team if the bad feeling continues.’

Each of the sentences relates to both members of staff. Other than the first one, which is uncontentious (recording only where they both work and how long they have been there), each of the remaining sentences records something about both of them which at least one of them would potentially find objectionable. If Rashida were now to make an access request, all of the above would be identified in a search for her personal data. The same information is also, however, the personal data of Bill. Rashida is entitled in her access request only to her personal data, so any information that was only Bill’s could be redacted, and removed from consideration. In this example, however, there is no information that relates only to Bill. See Example (ii) below for what the controller should do.

Example (ii): third party data

The text is as in Example (i) above. The controller needs to decide first whether to seek Bill’s consent. Assuming it decides not to do so, because it is sure he would refuse, it should consider the following:

First sentence (‘Bill and Rashida..’): uncontentious. Reasonable to disclose to R.

Second sentence (‘In her annual..’): R knows this already, so disclose to her.

Third and fourth sentences (‘Bill reported Rashida….He said that….’): much will depend on: (a) whether R knows this by now because of an investigation. If she does, including the allegation, disclose. If she knows a complaint was made, but not its nature, and it has now been discounted, redact accordingly. If what B said he had asked her to do is known to R, disclose to her; (b) on the other hand, if R does not know about the complaint, perhaps because the company has a confidentiality procedure, it should consider any duty of confidence owed to B (see Sch 2, para 16(3)(b)). Disclosure in breach of such a duty would not be reasonable without an overriding legitimate reason; or (c) whether, despite the above, the information about the complaint is of real importance to R (the type of information – see Sch 2, para 16(3)(a)). If, for example, on investigation, B’s complaint proved to be unjustified, but it is having a continuing impact (eg unfairly harming R’s career), it may be reasonable to disclose it to her.

Last sentence (‘We noted..’): if B has been warned, but R has not, it will be reasonable to disclose it to R. Likewise, if neither knows, it is probably unlikely that there is a reasonable ground to withhold it from R. The controller might wish to consider whether another exemption applies (eg management forecasts).

7.59 See paras 9.65–9.66 in relation to the exceptional treatment of the personal data of health workers, social workers and education staff, where their data are also the personal data of a requester.

Transparency and language

7.60 Article 12(1) requires a controller to provide ‘any communication’ about the right of access24 in a ‘concise, transparent, intelligible and easily accessible form, using clear and plain language’; especially for any information addressed to a child.

7.61 The Article 29 Working Party (now the European Data Protection Board) produced guidance on the meaning of transparency. In the context of the access right, the advice relates to the additional accompanying information, since the text of the personal data cannot be altered.

7.62 The guidance should be consulted, but the following give a flavour of its approach25:

• ‘Concise and transparent’ means that ‘data controllers should present the information/communication efficiently and succinctly in order to avoid information fatigue’.

• ‘Intelligible’ means that ‘it should be understood by an average member of the intended audience’.

• A ‘central consideration of the principles of transparency’ is that ‘the data subject should be able to determine [NB in the sense of ‘understand’, not ‘decide’] in advance what the scope and consequences of the processing entails’. As best practice, the controller should ‘separately spell out in unambiguous language what the most important consequences of the processing will be’.

• ‘Clear and plain language’ means that ‘the information should be provided in as simple a manner as possible, avoiding complex sentence and language structures’. The information should be ‘concrete and definitive’ and not ‘phrased in abstract or ambivalent terms’. It should not ‘leave room for different interpretations’. The purposes and the legal basis of the processing should be clear. Unclear phrases such as ‘We may use your personal data to develop new services’; or ‘language qualifiers’ such as ‘may’, ‘might’, ‘often’, or ‘possible’, should also be avoided.

24 As also in relation to other requests made by individuals.
25 Article 29 Data Protection Working Party, ‘Guidelines on transparency under Regulation 2016/679’, WP 260, paras 7–12.

Accompanying information

7.63 The accompanying information which has to be provided with the response, typically in a covering letter, is as follows:

(a) the purposes of the processing. The purposes should already have been established and described in the relevant Privacy Notice, for which they are also necessary. Subject to the point noted at the end of this sub-paragraph, a description in the covering letter to an access request might be as follows26:

Example: ‘Your personal data are processed by us for the purposes of managing your tenancy with us, including: (i) holding, and from time to time revising, your tenancy agreement; (ii) holding your bank account details for the purposes of receiving rental payments, or for processing such payments (including any consequential payments from us to you, such as refunds); and, (iii) holding contact information about you to enable us to contact you as required in relation to your tenancy’.

It should be noted, however, that whereas the DPA 1998, s 7(1)(b)(ii) and (iii), required a ‘description’ of the purposes of processing (and also of the recipients or classes of recipient to whom the data were, or may have been, disclosed), the GDPR, Article 15(1) refers to the ‘following information’. In the case of Rudd v Bridle27, it was held, under the DPA 1998, that where s 7(1)(c)(ii) of that Act referred to ‘any information available’ as to the source of data, rather than to a ‘description’ of the data, the source itself had to be disclosed. By analogy, given the different wording in the GDPR, Art 15(1), which refers to ‘information’ (rather than, as under the DPA 1998, to a ‘description’ of three types of such information), there may be at least a greater expectation under the GDPR that the actual information will be disclosed (at least where Article 15(1) contains no qualifying words relevant to the given case, as it does in Article 15(1)(d)). It may be preferable, therefore, in relation to the ‘purposes’ of the processing, or to the other types of information specified in Article 15(1) and set out below, for the information itself to be disclosed wherever practicable; rather than a description such as that given in the example above.

26 GDPR, Article 15(1)(a)–(h) respectively.
27 Rudd v Bridle and J&S Bridle Ltd [2019] EWHC 893 (QB).


(b) the categories of personal data concerned: with the point above in mind, it may nonetheless be the case that some form of description is necessary of the types or categories of information involved, such as:

Example: ‘the personal data processed for the administration of your tenancy, comprises: the tenancy agreement; correspondence (including emails), and records of telephone contact; property maintenance records; and, financial records held by ourselves (or our bank) relating to rental or other payments made by you to us, or payments made by us to you (eg if you have paid too much)’.

(c) the recipients or categories of recipient to whom the personal data have been, or will be, disclosed; in particular, recipients in third countries or international organisations. The main part of this information should have been identified already in the relevant Privacy Notice. Some interrogation of the records, or discussion with staff, may be needed to establish whether a disclosure is expected to be made of a type of information which has not yet occurred. The phrase ‘in particular’ underlines the importance of being aware of the possibility of third-country transfers, even where the information itself has no connection with cross-border matters (see Chapter 11). This could arise, for example, from the use by an organisation of an internet server in the ‘cloud’, or based outside the EEA, to store the personal data involved. ‘International organisations’ are bodies created between member states, such as the United Nations, or the North Atlantic Treaty Organisation (NATO). Where the data have been (or will be) transferred to a third country or international organisation that does not have an ‘adequacy’ decision (meaning that its data protection rules are recognised as equivalent), the information given to the data subject is to include information about the ‘appropriate safeguards’ which are applicable under Article 46 (eg ‘binding corporate rules’ within a multinational conglomerate; or, standard data protection clauses endorsed by the UK Commission – see Chapter 11 below)28.

(d) where possible, the period of storage envisaged for the personal data; or, if not possible, the criteria used to determine that period. This information should, if possible, be drawn from existing retention schedules based on your records management policies. If there is no such schedule (or it does not cover all of the data), or if the criteria do not determine a fixed period – perhaps because they are dependent on another event taking place, or not occurring – the criteria, or a statement of them, should be disclosed:

Example: ‘There is no fixed period for the retention of our file on our after-sales service to you, since that depends on how long you decide to retain the car you have bought from us. Our policy is securely to destroy the personal data of former customers once two years have elapsed since we last serviced the vehicle, or otherwise last heard from you; and, in either case, after a reminder email has been sent inviting you to contact us about either purchasing a new car, or a resumption of our after-sales service’.

28 GDPR, Article 15(2).


(e) The existence of the requester’s rights to request rectification or erasure of the personal data by the controller, the restriction of processing of personal data concerning the data subject, or the right to object to such processing. (See the explanation of these rights in Chapter 8 below);

(f) The right to lodge a complaint with a ‘supervisory authority’ (the supervisory authority in the UK being the Information Commissioner). The right may be exercisable in some cases to the supervisory authority of another EU member state. UK controllers, particularly those operating in other European countries, or selling or marketing products or services to individuals in those countries, may expect to receive enquiries from supervisory authorities about complaints made in other EU member states. After Brexit, the right in the UK is lodged expressly in relation to the Commissioner29;

(g) Where the personal data held are not being (or have not been) collected from the data subject, any information available as to their source. The controller is quite likely to have a record of how it knows certain information about an individual; and, as above, this information will have been required for the Privacy Notice. Examples might include: information obtained from a reference from a previous employer; or, information received from a predecessor company, when the controller took over the provision of a financial investment service to the individual concerned;

(h) The existence of any automated decision-making, including profiling, referred to in GDPR, Article 22(1) and (4) [decisions based solely on automated processing]; and (if so) meaningful information about the logic involved, as well as the significance and consequences for the data subject which the controller envisages from such processing. ‘Automated decision-making’ principally refers to processing by electronic means in a database, computer or other form of electronic equipment, although it is not restricted to that form of automation (encompassing any processing by machine, where decisions are taken automatically). ‘Profiling’ is defined in GDPR, Article 4(4) (see para 3.32 above). Again, this information is likely already to exist, since it is required for Privacy Notices; although it would be prudent to review whether any such reference in a Privacy Notice is up to date, before including its terms in a response to an access request.

Fees for additional copies

7.64 Where the data subject requests additional copies, the controller may charge a ‘reasonable fee based on administrative costs’. The ICO refers to additional copies ‘following a request’, but the wording would appear to be broad enough to allow a charge also for extra copies which were sought at the time of the original request30.

29 DPPEC Regulations, Sch 1, para 14.
30 GDPR, Article 15(3).


Format of reply

7.65 In terms of what has to be provided, GDPR, Article 15(3) requires the controller to ‘provide a copy of the personal data undergoing processing’. Somewhat obscurely, this has to be provided ‘in writing, or by other means, including, where appropriate, by electronic means’31. (It may also be provided orally, if the data subject so requests, under the same Article). Where the request has been made by electronic means (eg by email or via a website), however, and unless the data subject requests otherwise, Article 15(3) requires that the information in response is to be sent in a ‘commonly used electronic form’.

7.66 It appears that the provision in Article 12(1) should be read as meaning simply that:

— the response should be in writing, unless otherwise requested (noting that oral responses can also be requested);

— where appropriate, the response is to be made by electronic means (including because the request was in that form);

— exceptionally, where (or to the extent that) a response by electronic means is not appropriate (most probably for a practical reason), it should be made by ‘other means’.

7.67 It appears that, if all or part of the personal data to be disclosed are held on paper, they will need to be rendered into an electronic form before disclosure where this format is necessary.

7.68 A typical response to an electronic request might, therefore, be in the form of an email in reply, with a covering letter attached containing the accompanying information; and with the personal data as a second attachment, in the form of a PDF or similar electronic document. Consideration needs to be given to the security of any emailing arrangement.

Redacting documents

7.69 As a practical matter, documents which have been ‘redacted’ (legally edited) before disclosure should, whether they are intended to be disclosed in electronic or paper form, be printed out or photocopied; and then scanned or otherwise produced as a static electronic document such as a PDF. The reasons are that:

• software exists that can undo electronic redaction;

• in relation to physical redaction, the process of blanking-out text with a ‘marker pen’ can leave the relevant passage open to inspection in strong light; or, with relevant words only partially obscured. It should be photocopied and then scanned into an electronic document.

31 GDPR, Article 12(1).


As a matter of the security of the withheld data, therefore, it is important to take proper steps to protect the information from unintended disclosure as a result of the redaction process itself.
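The risk in the first bullet above can be checked for before the electronic copy leaves the organisation. The following is an added example (not from the book; standard-library Python only) that builds two constructed one-page PDFs from the Example (i) note, one ‘redacted’ by drawing a black box over a sentence and one from which the sentence was actually left out (which is what printing and re-scanning achieves), and scans both for the withheld text after inflating compressed content streams. The function names and the sample sentences are assumptions made here.

```python
"""Pre-disclosure leak check for a 'redacted' PDF (added example, not from the book).
A black box drawn over text hides it on screen, but the text operators remain in
the page's content stream (usually Flate-compressed), so the withheld words can
still be copied out. Two constructed PDFs are built: one 'redacted' by overlay,
one with the sentence really removed; both are scanned for the withheld text.
"""
import re
import zlib

# Constructed sample text, condensed from the book's Example (i).
KEPT = b"Bill and Rashida have worked in the Eastern sales team for two years."
WITHHELD = b"Bill reported Rashida to management last month for spreading gossip."


def _pdf_string(s: bytes) -> bytes:
    """Escape a byte string for use inside a PDF literal string ( ... )."""
    return s.replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")


def _content_stream(lines, overlay=None) -> bytes:
    """Text-showing operators for each line, then optionally a filled black box."""
    ops = [b"BT /F1 12 Tf 72 770 Td 16 TL"]
    for line in lines:
        ops.append(b"(" + _pdf_string(line) + b") Tj T*")
    ops.append(b"ET")
    if overlay is not None:  # overlay = (x, y, width, height) in points
        ops.append(b"0 g %d %d %d %d re f" % overlay)
    return b"\n".join(ops)


def _build_pdf(content: bytes) -> bytes:
    """Assemble a minimal PDF 1.4 file around a Flate-compressed content stream."""
    data = zlib.compress(content)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 595 842] "
        b"/Contents 4 0 R /Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(data)
        + data + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, obj in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objects) + 1, xref)
    return bytes(out)


def overlay_redacted_pdf() -> bytes:
    """Naive redaction: both sentences are drawn, then a black box covers the second."""
    return _build_pdf(_content_stream([KEPT, WITHHELD], overlay=(70, 750, 460, 16)))


def text_removed_pdf() -> bytes:
    """Proper removal: the withheld sentence is simply not in the file at all."""
    return _build_pdf(_content_stream([KEPT]))


_OBJECT_RE = re.compile(rb"\d+ \d+ obj(.*?)endobj", re.S)
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def decoded_streams(pdf: bytes):
    """Yield each stream body, inflating FlateDecode streams; other filters are skipped."""
    for obj in _OBJECT_RE.finditer(pdf):
        body = obj.group(1)
        m = _STREAM_RE.search(body)
        if m is None:
            continue
        header, data = body[:m.start()], m.group(1)
        if b"/FlateDecode" in header:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue
        elif b"/Filter" in header:
            continue  # images and other encodings are not handled here
        yield data


def strings_present(pdf: bytes, withheld) -> list:
    """Return those of `withheld` found in the raw file or in any decoded stream."""
    # Compressed streams hold the text deflated, so the raw bytes alone are not enough.
    haystacks = [pdf] + list(decoded_streams(pdf))
    return [s for s in withheld if any(s in h for h in haystacks)]
```

A clean result is not proof of safety: text stored as hex strings, in custom font encodings or under other filters would not be matched, which is why the print-and-scan step above remains the safe course.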

Data portability

7.70 The right in Article 20 to ‘data portability’, to receive personal data from the controller in a ‘machine-readable’ format in certain circumstances, is described below32. The data subject can also ask the controller to send it direct to a third party. While this right is separate from the right of access, it is not inconceivable that a data subject could link them, and ask for his or her data to be made available (or sent to another person) in that form.

Exemptions from the right of access

7.71 The DPA 2018 broadly carries over the previous exemptions from subject access, and adds to them. These are listed below, and set out in more detail in Chapter 9. There are a total of 38 exemptions (including one solely Scottish one) from the right of access in Article 15 (see table below after para 7.76); including the handling of third party data, which is now treated as an exemption33.

7.72 The ICO has also produced a helpful list of UK exemptions under the Act, and where these apply, including in relation to the right of access34; although it is still related at the time of writing to the (former) Data Protection Bill, and omits certain exemptions. All of the exemptions (to both the right of access, and to data protection as a whole) should be applied on a case by case basis only: a blanket approach to exemptions would almost certainly be a breach of the GDPR, since they would have been applied too readily and without detailed justification in the light of the factors most relevant to the case.

Requirement to provide reasons for refusal

7.73 The requirement to provide reasons for refusing all or part of an access request (as for other types of individual request) may prove to be problematic. Under the DPA 1998, the controller could, where it withheld some of the personal data held under an exemption, make a limited statement in the refusal letter along the lines that it was ‘providing the data to which the requester was entitled’ (or similar wording). While some controllers named the exemption they considered to apply, they were not required to do so.

32 Where it was received from the data subject originally; or, is being processed for the purposes of a contract. See paras 8.34–8.43.
33 DPA 2018, Sch 2, Part 3, paras 16–17. See paras 7.52–7.59 above.
34 See ‘An Introduction to the Data Protection Bill’, ICO, pp 27–35.


7.74 The difficulty even with merely naming the exemption is in some cases that it reveals information about what is held and has been redacted. This may be enough in certain cases to undermine the exemption. Supplying further information about the reasoning in such cases could be expected to make that process more likely.

7.75 Whether the new requirement will in practice mean going beyond citing the relevant exemption – perhaps with some relief from needing to do so where it would undermine the exemption on the facts – remains to be seen. Requiring a fuller explanation of the reasons would raise significant practical issues for controllers. It is suggested that, unless there is clear guidance to the contrary, practitioners should continue as before, and refer to exemptions having been applied, in these circumstances.

Monetary penalties and access requests

7.76 Monetary penalties apply to failures to give proper effect to the access right at the higher rate (up to €20 million, or up to 4% of world turnover in the preceding year); whichever is the higher. Post-Brexit, for infringements occurring after that date, the monetary amount is amended to up to £17.5 million35.

Exemptions from right of access

The following exemptions may apply in specific cases:

(1) Crime and taxation: general36;
(2) Crime and taxation: risk assessment system37;
(3) Immigration38;
(4) Information required to be disclosed by law etc; or in connection with legal proceedings39;
(5) Functions designed to protect the public etc40;
(6) Audit functions41;
(7) Functions of Bank of England42;

35 GDPR, Article 83(5)(b) as amended, after Brexit, by the DPPEC Regulations, Sch 1, para 62(5)(a). See also para 16.41; and transitional provision in DPA 2018, Sch 21, para 16.
36 DPA 2018, Sch 2, para 2; see paras 9.12–9.19 below.
37 DPA 2018, Sch 2, para 3; see paras 9.20–9.22 below.
38 DPA 2018, Sch 2, para 4; see paras 9.23–9.27 below.
39 DPA 2018, Sch 2, para 5; see paras 9.28–9.30 below.
40 DPA 2018, Sch 2, para 7; see paras 9.32–9.34 below.
41 DPA 2018, Sch 2, para 8; see paras 9.35–9.37 below.
42 DPA 2018, Sch 2, para 9; see paras 9.38–9.39 below.


(8) Regulatory functions relating to legal services, health services and children’s services43;
(9) Regulatory functions of other bodies44;
(10) Parliamentary privilege45;
(11) Judicial appointments, judicial independence, judicial proceedings46;
(12) Crown honours, dignities and appointments47;
(13) Protection of the rights of others (‘third party data’)48;
(14) Legal professional privilege49;
(15) Self-incrimination50;
(16) Corporate finance51;
(17) Management forecasts52;
(18) Negotiations with data subject53;
(19) Confidential references54;
(20) Examination scripts and examination marks55;
(21) Journalistic, academic, artistic and literary purposes56;
(22) Research and statistics57;
(23) Archiving in the public interest58;
(24) Health data processed by a court59;
(25) Data subject’s expectations and wishes with respect to health data60;
(26) Serious harm from disclosure of health data61;

43 DPA 2018, Sch 2, para 10; see paras 9.40–9.42 below.
44 DPA 2018, Sch 2, para 11; see paras 9.43–9.48 below.
45 DPA 2018, Sch 2, para 13; see paras 9.49–9.51 below.
46 DPA 2018, Sch 2, para 14; see paras 9.52–9.56 below.
47 DPA 2018, Sch 2, para 15; see paras 9.57–9.59 below.
48 DPA 2018, Sch 2, para 16; see paras 7.9–7.11, 7.52–7.59 and 9.60–9.66 below.
49 DPA 2018, Sch 2, para 19; see paras 9.68–9.70 below.
50 DPA 2018, Sch 2, para 20; see paras 9.71–9.73 below.
51 DPA 2018, Sch 2, para 21; see paras 9.74–9.76 below.
52 DPA 2018, Sch 2, para 22; see paras 9.77–9.79 below.
53 DPA 2018, Sch 2, para 23; see paras 9.80–9.83 below.
54 DPA 2018, Sch 2, para 24; see paras 9.84–9.86 below.
55 DPA 2018, Sch 2, para 25; see paras 9.87–9.91 below.
56 DPA 2018, Sch 2, para 26; see paras 9.93–9.100 below.
57 DPA 2018, Sch 2, para 27; see paras 9.102–9.108 below.
58 DPA 2018, Sch 2, para 28; see paras 9.109–9.113 below.
59 DPA 2018, Sch 3, para 3; see paras 9.116–9.117 below.
60 DPA 2018, Sch 3, para 4; see paras 9.118–9.120 below.
61 DPA 2018, Sch 3, para 5; see paras 9.121–9.126 below.


(27) Social work data processed by a court62;
(28) Data subject’s expectations and wishes with respect to social work data63;
(29) Serious harm from social work disclosure64;
(30) Education data processed by a court65;
(31) Serious harm from education data disclosure66;
(32) Child abuse data67;
(33) Human fertilisation and embryology information68;
(34) Adoption records and reports69;
(35) Statements of special educational needs70;
(36) Parental orders and reports71;
(37) Information provided by the Principal Reporter for children’s hearing (Scotland)72;
(38) National security73.

62 DPA 2018, Sch 3, para 9; see paras 9.130–9.131 below.
63 DPA 2018, Sch 3, para 10; see paras 9.132–9.134 below.
64 DPA 2018, Sch 3, para 11; see paras 9.135–9.137 below.
65 DPA 2018, Sch 3, para 18; see paras 9.140–9.141 below.
66 DPA 2018, Sch 3, para 19; see paras 9.142–9.144 below.
67 DPA 2018, Sch 3, para 21; see paras 9.145–9.149 below.
68 DPA 2018, Sch 4, para 2; see paras 9.152–9.153 below.
69 DPA 2018, Sch 4, para 3; see paras 9.154–9.155 below.
70 DPA 2018, Sch 4, para 4; see paras 9.156–9.157 below.
71 DPA 2018, Sch 4, para 5; see paras 9.158–9.159 below.
72 DPA 2018, Sch 4, para 6; see paras 9.160–9.161 below.
73 DPA 2018, s 26; see paras 9.162–9.163 below.


CHAPTER 8

Other Individual Rights

RIGHT TO RECTIFICATION – ARTICLES 16 AND 19 (AND RECITAL 65)

8.1 A data subject has a right to obtain from the controller, without undue delay, the rectification of inaccurate personal data concerning him or her. In other words, individuals can ask controllers to correct data held about them which they consider to be inaccurate. Such a request will often follow an access request, which turns up a record which the individual considers to be inaccurate. It forms an important adjunct to the right of access (whose purpose is to enable individuals to check whether their data are being recorded accurately). The right is also linked to the duty to maintain accurate data (which, where necessary, are also up to date) in GDPR, Article 5(1)(d).

8.2 It may be important to underline the distinction between the two rights: the right of access exists to require the controller to identify an individual’s data and to make it available to them. The right of rectification exists to enable an individual to require the controller to correct an inaccurate record. There is no separate right to require the controller to check whether your data are being held accurately; ie to mount a speculative or ‘fishing’ exercise to seek potentially inaccurate data. In exercising the right to rectification, the individual has to identify to the controller the specific record which they believe to be inaccurate.

8.3 Requests can be made verbally or in writing. So a controller (or in practical terms, at least its public-facing staff) needs to know how to recognise a request, and how to record it, if it has been received orally or other than in writing. The Commissioner suggests training in relation to the former; and a recording policy and log in relation to the latter. It would also be advisable, once an oral request has been recorded in writing, to check with the requester that the correction or addition sought has been accurately captured.
As with most of the other individual rights, the period for response is one month; or two further months for complex or numerous requests1.

8.4 If the controller has doubts about the identity of the requester, the same rules apply to conducting checks as in relation to the right of access2. The controller should take into account the data that it holds on the individual and, if an identity check is needed, should tell him or her within one month of their need to produce identification. There is no need to comply with the request until the evidence has been received.

1 The same time limits apply to each of the rights in Articles 15–22 [ie the rights concerning: access; rectification; erasure; restriction; data portability; objection; and, automated decision-making] – see Article 12(3). See also discussion of timing (in the context of access requests) at paras 7.39–7.45.
2 See paras 7.21–7.25.

8.5 The Commissioner advises that the controller should ‘take reasonable steps to satisfy yourself that the data is accurate and to rectify the data if necessary’. Thus the controller should neither assume that the data are inaccurate, nor that they are not. In either case, it should investigate and seek to establish the correct position; and act accordingly. This is the case even if it had already applied a procedure to check accuracy when the information was collected. The controller should take account of any arguments or information supplied by the requester as to the accuracy of any data. What constitutes reasonable steps will vary, however, with how important it is that the information is accurate. If, for example, significant decisions will be affected by its accuracy, or the accuracy of the record is likely to be important to the individual in reputational terms, more elaborate steps will be required than if the information is trivial, or if its accuracy has no great consequences. The controller may, however, take into account at this point any previous steps it took to consider the accuracy of the information.

8.6 Inaccuracy is defined in the Data Protection Act 2018 (‘DPA 2018’) as where information is ‘incorrect or misleading as to any matter of fact’3. It excludes, therefore, matters of opinion even where they are controversial; save as to whether the opinion is correctly recorded. An opinion which is accurately recorded, however unwelcome to the individual concerned, is unlikely to need to be amended (if at all) under this right. If such a record is inaccurate, it is likely to need to be amended rather than removed. If a mistake has subsequently been resolved, but remains relevant because it explains an event or decision, it may be necessary to retain the mistaken record, alongside a corrected one, and to add a note of explanation to the file.

3 DPA 2018, s 205.

8.7 Depending on the context, the right may also extend to requiring the controller to complete an incomplete record, including by providing a supplementary statement. (Thus, for example, an individual shows that part of a record is missing. If it cannot be found, the controller may need to place an outline of the missing information – or, if its broad content is unknown or disputed, at least some explanation that it is absent – onto the record). The GDPR says, however, that this right is exercisable ‘taking into account the purposes of the processing’. The Commissioner’s initial guidance repeats the point, without elaborating it. The Recitals similarly do not assist. One interpretation may be that whether a record is ‘complete’ should be determined in the light of the breadth or otherwise of the purposes of the processing; so that, if the purposes are limited, the record need not contain extraneous detail. As a result, an individual would have no right to require the controller to add detail to a record which went beyond the controller’s purposes in undertaking the processing.

8.8 A controller will need appropriate systems to make sure that corrections or additions that need to be made to the data are effective, and that they reach all copies of the information it holds. For this it may need to establish whether other copies or versions are held, which may need to be updated separately. Examples might include information held by managers remotely on private devices or emails; or copies previously circulated electronically within the organisation. (See Chapter 11 re information sent internationally).

8.9 While it is considering whether they are inaccurate, the controller should restrict the processing of the data concerned: ie suppress its use pending correction. There should be no need for the requester to make a separate request for restriction under Article 18 to achieve this outcome.

8.10 If the controller ‘does not take action on the request’ (ie does not make the correction or addition as requested, within the time limit), it must explain the reasons to the requester within one month, and inform him or her of their right to complain to the ICO or a court4. This will arise, therefore, where: (a) the controller refuses the request, in whole or part; or (b) it wishes to extend the time.

8.11 If the controller rectifies the data, this is to be communicated to each ‘recipient’ to whom the data have been disclosed, unless this is impossible or involves disproportionate effort5. A ‘recipient’ is any individual or legal person to whom (or to which) the data ‘are’ disclosed (including disclosure in the past, as well as on a continuing basis); whether or not they are a ‘third party’6. The latter is defined as an individual or legal person, other than the data subject, controller, processor or others, who is or are directly authorised by the controller or processor to process the data7. Public authorities which receive data on request under the law (whether European or other member state law; or, after Brexit, domestic law) are not, however, treated as recipients. Their processing of the data has to comply with any rules applying to those purposes.
8.12 The controller will, therefore, need systems to enable it to inform recipients of the information shared with them; and before that to identify which information has been shared with whom. If the data subject requests it, the controller has also to notify him or her of those recipients8. Example: right to rectification The camera-work on a natural history documentary on TV has been nominated for an award. Fred, a self-employed cameraman, did some of the dangerous underwater filming. He feels that his role has been underplayed in the press releases sent out to the media and other production companies, which incorrectly list his name only amongst the reserve cameramen and

4 5 6 7 8

GDPR, Article 12(4). GDPR, Article 19. GDPR, Article 4(9). GDPR, Article 4(10). GDPR, Article 19.

143

8.13  Other Individual Rights

women. Fred is worried that he will receive lesser offers of future work than he is due, and asks for the records to be corrected. The film company correct their records of the press releases; and also any other information they hold on which the press releases were based. They must also notify the correction to those to whom they sent the press releases, as ‘recipients’ of the information. HMRC, the income tax authority, had asked under its powers for a list of the names of production staff and their earnings for the purposes of tax and benefits. If the earnings information disclosed about Fred was correct, no rectification will arise. If HMRC had also asked, however, for a description of the work undertaken (or its level of importance), in order to assist it in later spot checks on the tax returns of self-employed people, the company would need to check what it passed to them, and to correct any misleading description. If Fred asks, the company should tell him which recipients they have notified.

8.13 There is an exemption from the duty in Article 19 to inform each recipient where doing so would be ‘impossible or involves disproportionate effort’. The ICO offers no further guidance in her initial advice. From the wording, it can be suggested that this should be assessed on a case-by-case basis, in relation to each recipient (or class of recipients). The test that informing recipients is ‘impossible’ implies that some attempt to do so (or at least to assess its practicability) should be made before the exemption is claimed. Where it is possible to inform some persons, without the effort being disproportionate, those should be informed. Where others cannot be found or contacted, or the effort would appear to be disproportionate, those can be omitted. Whether an effort is disproportionate appears likely to vary with the significance of the accuracy of the data; on a similar basis to the test applying above to what are ‘reasonable steps’ to check the accuracy of the data in any given case.

8.14 As with other individual rights, a request can also be refused if it is ‘manifestly unfounded or excessive’; in particular, because of its ‘repetitive character’. A fee may be charged in those circumstances as an alternative to refusal⁹.

8.15 A number of the exemptions in the DPA 2018 apply to the right to rectification (such as where data are archived in the public interest; recorded for the ‘special purposes’ such as journalism; or used for research or statistical purposes). These are listed below, and examined in Chapter 9.

9 GDPR, Article 12(5). See paras 7.33–7.37 above in the context of access requests.

Exemptions from right of rectification (Article 16)

8.16
(1) Crime and taxation: general¹⁰;
(2) Information required to be disclosed by law etc; or in connection with legal proceedings¹¹;
(3) Functions designed to protect the public etc¹²;
(4) Audit functions¹³;
(5) Functions of Bank of England¹⁴;
(6) Regulatory functions relating to legal services, health service and children’s services¹⁵;
(7) Regulatory functions of other bodies¹⁶;
(8) Parliamentary privilege¹⁷;
(9) Judicial appointments, judicial independence, judicial proceedings¹⁸;
(10) Crown honours, dignities and appointments¹⁹;
(11) Journalistic, academic, artistic and literary purposes²⁰;
(12) Research and statistics²¹;
(13) Archiving in the public interest²²;
(14) Health data processed by a court²³;
(15) Data subject’s expectations and wishes with respect to health data²⁴;
(16) Social work data processed by a court²⁵;
(17) Data subject’s expectations and wishes with respect to social work data²⁶;
(18) Education data processed by a court²⁷.

10 DPA 2018, Sch 2, para 2; see paras 9.12–9.19 below.
11 DPA 2018, Sch 2, para 5; see paras 9.28–9.30 below.
12 DPA 2018, Sch 2, para 7; see paras 9.32–9.34 below.
13 DPA 2018, Sch 2, para 8; see paras 9.35–9.37 below.
14 DPA 2018, Sch 2, para 9; see paras 9.38–9.39 below.
15 DPA 2018, Sch 2, para 10; see paras 9.40–9.42 below.
16 DPA 2018, Sch 2, para 11; see paras 9.43–9.48 below.
17 DPA 2018, Sch 2, para 13; see paras 9.49–9.51 below.
18 DPA 2018, Sch 2, para 14; see paras 9.52–9.56 below.
19 DPA 2018, Sch 2, para 15; see paras 9.57–9.59 below.
20 DPA 2018, Sch 2, para 26; see paras 9.93–9.100 below.
21 DPA 2018, Sch 2, para 27; see paras 9.102–9.108 below.
22 DPA 2018, Sch 2, para 28; see paras 9.109–9.113 below.
23 DPA 2018, Sch 3, para 3; see paras 9.116–9.117 below.
24 DPA 2018, Sch 3, para 4; see paras 9.118–9.120 below. On a literal reading of para 4(2), this right appears to be included, although it may be difficult to envisage how it would apply, or to reconcile this with the rest of the provision.
25 DPA 2018, Sch 3, para 9; see paras 9.130–9.131 below.
26 DPA 2018, Sch 3, para 10; see paras 9.132–9.134 below. See footnote 24 above.
27 DPA 2018, Sch 3, para 18; see paras 9.140–9.141 below.

RIGHT TO ERASURE – ARTICLES 17 AND 19 (AND RECITALS 65 AND 66)

8.17 The right to erasure or ‘right to be forgotten’, in the form incorporated into the GDPR, has received wide publicity. It represents a version of the right established under the previous Directive in the Google Spain case, incorporated into legislation²⁸. It enables an individual to request the deletion of personal data where one of a number of reasons for its continued processing does not apply. It is not, therefore, an absolute right.

8.18 The data subject has the right to obtain the erasure of his or her data, without undue delay, where one of the following grounds applies:
• the personal data (and thus, their processing) are no longer necessary in relation to the purposes for which they were collected or otherwise processed by the controller;
• the processing has been based on consent (or explicit consent, in the case of special category data), the data subject has withdrawn their consent, and there is no other lawful basis for the processing;
• the data subject has exercised their right to object under Article 21(1) to processing on the ‘legitimate interests’ basis, and the controller cannot show overriding legitimate grounds for the processing which would enable it to continue (see para 8.49ff below);
• the data subject has objected to direct marketing under Article 21(2) (see para 8.59ff below);
• the personal data have been unlawfully processed (ie the controller has breached the first data protection principle);
• the personal data have to be erased in order to comply with a legal obligation (under EU or domestic law; or, after Brexit, domestic law) to which the controller is subject; or
• the personal data have been collected from a child (ie an individual under 18 years) in relation to an offer of ‘information society services’²⁹.

8.19 The right to erasure in Article 17(1) does not apply to the extent that the processing is necessary for the following purposes³⁰:
• to exercise the right of freedom of expression and information;
• to comply with a legal obligation requiring the processing, to which the controller is subject under EU or member state law (or, after Brexit, under domestic law);
• for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• for reasons of public interest in the area of public health (under the lawful bases in Articles 9(2)(h), 9(2)(i) or 9(3))³¹;
• for archiving purposes in the public interest, scientific or historical research, or statistical purposes, insofar as complying with the right would be likely to render impossible, or seriously to impair, the achievement of the objectives of such processing; or
• for the establishment, exercise or defence of legal claims.

8.20 Requests may be made orally or in writing. The provisions in Article 12 as to checking identity, refusal of manifestly unreasonable requests, and the time limits, apply as for other rights.

8.21 Recital 65 draws attention in particular to the relevance of the right to situations where a child gave his or her consent to the provision of information society services, where he or she is ‘not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet’. The data subject should be able to exercise this right, notwithstanding that they are no longer a child. A controller which processes social media or other internet data concerning children (or data which originated while individuals were children) should pay particular attention to ensuring that it complies with this right to erasure. The Recital also expresses the view that other exemptions should be permitted, such as in the exercise of official authority, as broadly reflected in the exemptions listed below.

Notification to other controllers

8.22 There is also an obligation to make other controllers aware of the request. This is split between Articles 17(2) and 19. The Commissioner conflates the two in her guidance, although they are technically separate:
• Article 17(2): where the controller had previously made the information ‘public’, and is now obliged under the right to erase it, it shall take ‘reasonable steps’ to inform other controllers processing it that the data subject has requested that those controllers erase any links to, or copies or replication of, the personal data concerned. This applies where the controller has put the individual’s data into the public domain. The controller’s obligation extends to taking reasonable steps to contact those controllers who are now processing the data. These may be far more numerous than those who obtained it when it was originally published. The Commissioner’s initial guidance describes the duty as applying where the information has been published in an ‘online environment’, such as a website (thus limiting it). While this will doubtless cover the great majority of cases of publication, it appears that Article 17(2) applies to any form of publication, such as in a magazine or a public notice.
• Article 19: where the controller had previously shared the information with one or more other recipients (ie passed it directly to them), and has now erased it as a result of a request, it must (in addition to any notification as above) inform each of those recipients of the erasure, unless this proves impossible or involves disproportionate effort.

8.23 In taking ‘reasonable steps’ to inform other controllers, where the controller has published the data that it has now been requested to erase, it may take account of the available technology and the means, including technical measures, available to it to do so³². The controller may, therefore, make an assessment of what it is reasonable to expect it to do, in the light of these considerations. The obligation does not go beyond conveying the erasure made; the controller is not obliged to enforce the request that other controllers end their processing.

8.24 A request may be refused (or made subject to a fee) where it is manifestly unfounded or excessive (see paras 7.33–7.37 in the context of the right of access, and Article 12(5)). The obligation does not commence in those circumstances until any fee due has been received.

Exemptions from right to erasure

8.25 Apart from the general exceptions outlined above, a number of the other exemptions in the DPA 2018 apply to the right to erasure. These are listed below, and described in Chapter 9:
(1) Crime and taxation: general³³;
(2) Immigration³⁴;
(3) Information required to be disclosed by law etc; or in connection with legal proceedings³⁵;
(4) Functions designed to protect the public etc³⁶;
(5) Audit functions³⁷;
(6) Functions of Bank of England³⁸;
(7) Regulatory functions relating to legal services, health service and children’s services³⁹;
(8) Regulatory functions of other bodies⁴⁰;
(9) Parliamentary privilege⁴¹;
(10) Judicial appointments, judicial independence, judicial proceedings⁴²;
(11) Crown honours, dignities and appointments⁴³;
(12) Journalistic, academic, artistic and literary purposes⁴⁴;
(13) Health data processed by a court⁴⁵;
(14) Data subject’s expectations and wishes with respect to health data⁴⁶;
(15) Social work data processed by a court⁴⁷;
(16) Data subject’s expectations and wishes with respect to social work data⁴⁸;
(17) Education data processed by a court⁴⁹.

28 Google Spain SL and Google Inc. v Agencia Espanola de Proteccion de Datos (AEPD) and Mario Costeja Gonzalez, Case C-131/12; see also para 3.64 above.
29 To which Article 8(1) applies. In other words, in the UK, internet services which have been provided to a child, whether requiring parental consent (up to age 13 years), or between 14–17 years, at the time when the services were offered.
30 GDPR, Article 17(3).
31 Ie health, public health, or health under a professional secrecy obligation. See section on lawful bases for the processing of special category data, Chapter 5.
32 GDPR, Recital 66.
33 DPA 2018, Sch 2, para 2; see paras 9.12–9.19 below.
34 DPA 2018, Sch 2, para 4; see paras 9.23–9.27 below.
35 DPA 2018, Sch 2, para 5; see paras 9.28–9.30 below.
36 DPA 2018, Sch 2, para 7; see paras 9.32–9.34 below.
37 DPA 2018, Sch 2, para 8; see paras 9.35–9.37 below.
38 DPA 2018, Sch 2, para 9; see paras 9.38–9.39 below.
39 DPA 2018, Sch 2, para 10; see paras 9.40–9.42 below.

40 DPA 2018, Sch 2, para 11; see paras 9.43–9.48 below.
41 DPA 2018, Sch 2, para 13; see paras 9.49–9.51 below.
42 DPA 2018, Sch 2, para 14; see paras 9.52–9.56 below.
43 DPA 2018, Sch 2, para 15; see paras 9.57–9.59 below.
44 DPA 2018, Sch 2, para 26; see paras 9.93–9.100 below.
45 DPA 2018, Sch 3, para 3; see paras 9.116–9.117 below.
46 DPA 2018, Sch 3, para 4; see paras 9.118–9.120 below. On a literal reading of para 4(2), this right appears to be included, although it may be difficult to envisage how it would apply, or to reconcile this with the rest of the provision.
47 DPA 2018, Sch 3, para 9; see paras 9.130–9.131 below.
48 DPA 2018, Sch 3, para 10; see paras 9.132–9.134 below. See footnote 46.
49 DPA 2018, Sch 3, para 18; see paras 9.140–9.141 below.

RIGHT TO RESTRICTION OF PROCESSING – ARTICLES 18 AND 19 (AND RECITAL 67)

8.26 Restriction of processing means that the data subject can oblige the controller to block or suppress their personal data; allowing the controller to store the information, but not to use it in other ways. It will often arise for a temporary period, and may be an alternative to its rectification or erasure. There is no set format. Examples, suggested in Recital 67, include:
— temporarily moving the data to a different processing system;
— making the data unavailable to users;
— temporarily removing published data from a website;
— using technical means to prevent data in an automated system from being further processed, or amended.

8.27 The right may arise for a number of different reasons:
(i) the data subject contests the accuracy of the data, so that restriction is applied for a period to enable the controller to verify their accuracy;
(ii) the processing is unlawful (ie contrary to the first data protection principle in Article 5(1)(a)); but the data subject does not want the data to be erased, and requests the restriction of the information instead. (This could arise, for example, because the data subject wishes to consider what may be done with the data);
(iii) the controller no longer needs the data, because the purpose of the processing has expired; but the data subject wishes the controller to continue to hold the data in order to enable him or her to pursue or defend a legal claim; or
(iv) the data subject has exercised his or her right to object under Article 21(1) (see para 8.49ff below), and restriction suspends the processing while the controller verifies whether its legitimate grounds for processing override the interests of the data subject⁵⁰.

8.28 According to the ICO’s guidance, where processing has been restricted, the controller should do nothing with the data other than store it, except:
• with the consent of the data subject;
• for the establishment, exercise or defence of legal claims;
• for the protection of the rights of another individual or legal person; or
• for reasons of important public interest.

8.29 Recital 67 suggests potential methods for restriction, including: moving the data to another processing system; making the data unavailable to users; or temporarily removing the data from a website. It also suggests that, in automated filing systems, restriction should be ‘ensured by technical means’ so that the data cannot be processed or changed. Where data have been restricted, this should be clearly shown in the system used to store the information⁵¹. If the restriction is lifted, the data subject should be informed⁵². If the information is subsequently erased, just enough information may be retained about the individual to ensure that the restriction continues to be observed in the future.

8.30 Any person to whom the data had previously been communicated should be informed, as a recipient, of the restriction; unless (as with the rights to rectification or erasure) this proves to be impossible, or to involve disproportionate effort. The controller should likewise inform the data subject of the recipients, if he or she requests it⁵³.

8.31 In instances (i) and (iv) in para 8.27 above, if the controller decides that the data are accurate, or that its interests should prevail, it may end the restriction; but it should notify the data subject first, and explain its reasons. In instances (ii) and (iii) in para 8.27, where the controller is effectively maintaining the data (under restriction) at the request of the data subject, the controller appears to have no right to lift the restriction, other than when asked to do so by the data subject.

8.32 The rules as to the format for requests, whether to request proof of identity, and the timing of responses are the same as for the other individual rights. As in those cases, requests may be refused (or a fee charged) if they are manifestly unfounded or excessive. If a request to restrict processing is refused, the controller should give its reasons in writing, and inform the data subject of their right to complain to the ICO, or to seek a remedy through a court⁵⁴.

50 GDPR, Article 18(1)(a)–(d).
51 GDPR, Recital 67.
52 GDPR, Article 18(3).
53 GDPR, Article 19.
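The record-keeping that paras 8.9 to 8.12 and 8.26 to 8.31 call for (a log of which information went to which recipient, restriction enforced by the storage system itself and visible in it, a list of the recipients to notify after rectification or erasure, and the minimal marker kept after erasure so that a restriction stays observed) can be shown in a short Python sketch. This is an added example, not code from the book, the ICO or any controller; the class and method names, the purpose labels and the sample data for Fred are assumptions made for the illustration.

```python
"""Added example: a record store implementing the mechanics behind paras
8.9-8.12 and 8.26-8.31 (disclosure log, restriction enforced on every read,
recipient lists for Article 19 notifications, minimal marker after erasure).
Class names, purpose labels and sample data are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Purposes for which restricted data may still be used (para 8.28).
PERMITTED_WHILE_RESTRICTED = frozenset({
    "consent_of_data_subject",
    "legal_claims",
    "protection_of_another_person",
    "important_public_interest",
})


class RestrictedError(Exception):
    """Restricted data were requested for a purpose that is not permitted."""


@dataclass
class Record:
    fields: Dict[str, str]
    restricted: bool = False   # the restriction is visible in the store itself (para 8.29)
    erased: bool = False
    # Disclosure log: recipient -> names of the fields passed to them (para 8.12).
    disclosures: Dict[str, List[str]] = field(default_factory=dict)


class PersonalDataStore:
    def __init__(self) -> None:
        self._records: Dict[str, Record] = {}

    def add(self, subject_id: str, fields: Dict[str, str]) -> None:
        self._records[subject_id] = Record(fields=dict(fields))

    def read(self, subject_id: str, purpose: str = "routine_use") -> Optional[Dict[str, str]]:
        """Every use passes through here, so restriction is enforced by technical means."""
        rec = self._records[subject_id]
        if rec.erased:
            return None
        if rec.restricted and purpose not in PERMITTED_WHILE_RESTRICTED:
            raise RestrictedError(f"{subject_id}: processing is restricted")
        return dict(rec.fields)

    def disclose(self, subject_id: str, recipient: str, field_names: List[str],
                 purpose: str = "routine_use") -> Dict[str, str]:
        """Pass selected fields to a recipient and log what went to whom."""
        data = self.read(subject_id, purpose)
        if data is None:
            raise KeyError(f"{subject_id}: data have been erased")
        log = self._records[subject_id].disclosures.setdefault(recipient, [])
        log.extend(name for name in field_names if name not in log)
        return {name: data[name] for name in field_names}

    def status(self, subject_id: str) -> str:
        rec = self._records[subject_id]
        return "erased" if rec.erased else ("restricted" if rec.restricted else "active")

    def restrict(self, subject_id: str) -> None:
        self._records[subject_id].restricted = True

    def lift_restriction(self, subject_id: str) -> None:
        self._records[subject_id].restricted = False

    def recipients(self, subject_id: str) -> List[str]:
        """Recipients to name to the data subject on request (Article 19)."""
        return sorted(self._records[subject_id].disclosures)

    def rectify(self, subject_id: str, corrections: Dict[str, str]) -> List[str]:
        """Apply corrections; return only the recipients who received a corrected field."""
        rec = self._records[subject_id]
        if rec.erased:
            raise KeyError(f"{subject_id}: data have been erased")
        rec.fields.update(corrections)
        return sorted(recipient for recipient, names in rec.disclosures.items()
                      if any(name in corrections for name in names))

    def erase(self, subject_id: str) -> List[str]:
        """Erase the data and return every recipient to notify of the erasure.

        Only the identifier and the restriction flag survive, so a restriction
        in force continues to be observed if the data reappear (para 8.29)."""
        rec = self._records[subject_id]
        to_notify = sorted(rec.disclosures)
        rec.fields.clear()
        rec.disclosures.clear()
        rec.erased = True
        return to_notify


def walkthrough() -> Dict[str, object]:
    """Run the Fred example from para 8.12 through the store (constructed data)."""
    store = PersonalDataStore()
    store.add("fred", {"name": "Fred", "role": "reserve cameraman", "earnings": "12000"})
    store.disclose("fred", "press-list", ["name", "role"])
    store.disclose("fred", "HMRC", ["name", "earnings"])
    store.restrict("fred")                       # para 8.9: suppress use while checking
    try:
        store.read("fred")
        blocked = False
    except RestrictedError:
        blocked = True
    to_notify = store.rectify("fred", {"role": "underwater cameraman"})
    store.lift_restriction("fred")
    return {"blocked_while_restricted": blocked,
            "notify_after_rectification": to_notify,      # HMRC never received 'role'
            "recipients": store.recipients("fred"),
            "notify_after_erasure": store.erase("fred"),
            "final_status": store.status("fred")}
```

The point of routing every use through `read` is that the restriction is not a note in a procedure manual but a check the system cannot skip, which is what Recital 67 means by ‘technical means’; the disclosure log is what lets the controller answer both the Article 19 notification duty and the data subject’s question about who received the data.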

Exemptions from right to restriction

8.33 As well as the general exceptions indicated above, a number of exemptions in the DPA 2018 apply to the right to restrict processing. These are listed below and examined in Chapter 9:
(1) Crime and taxation: general⁵⁵;
(2) Immigration⁵⁶;
(3) Information required to be disclosed by law etc; or in connection with legal proceedings⁵⁷;
(4) Functions designed to protect the public etc⁵⁸;
(5) Audit functions⁵⁹;
(6) Functions of Bank of England⁶⁰;
(7) Regulatory functions relating to legal services, health service and children’s services⁶¹;
(8) Regulatory functions of other bodies⁶²;
(9) Parliamentary privilege⁶³;
(10) Judicial appointments, judicial independence, judicial proceedings⁶⁴;
(11) Crown honours, dignities and appointments⁶⁵;
(12) Journalistic, academic, artistic and literary purposes⁶⁶;
(13) Research and statistics⁶⁷;
(14) Archiving in the public interest⁶⁸;
(15) Health data processed by a court⁶⁹;
(16) Data subject’s expectations and wishes with respect to health data⁷⁰;
(17) Social work data processed by a court⁷¹;
(18) Data subject’s expectations and wishes with respect to social work data⁷²;
(19) Education data processed by a court⁷³.

54 See GDPR, Articles 12(3)–(6), and descriptions at paras 7.14, 7.21–7.25, and 7.39–7.45 above.
55 DPA 2018, Sch 2, para 2; see paras 9.12–9.19 below.
56 DPA 2018, Sch 2, para 4; see paras 9.23–9.27 below.
57 DPA 2018, Sch 2, para 5; see paras 9.28–9.30 below.
58 DPA 2018, Sch 2, para 7; see paras 9.32–9.34 below.
59 DPA 2018, Sch 2, para 8; see paras 9.35–9.37 below.
60 DPA 2018, Sch 2, para 9; see paras 9.38–9.39 below.
61 DPA 2018, Sch 2, para 10; see paras 9.40–9.42 below.
62 DPA 2018, Sch 2, para 11; see paras 9.43–9.48 below.
63 DPA 2018, Sch 2, para 13; see paras 9.49–9.51 below.
64 DPA 2018, Sch 2, para 14; see paras 9.52–9.56 below.
65 DPA 2018, Sch 2, para 15; see paras 9.57–9.59 below.
66 DPA 2018, Sch 2, para 26; see paras 9.93–9.100 below.

67 DPA 2018, Sch 2, para 27; see paras 9.102–9.108 below.
68 DPA 2018, Sch 2, para 28; see paras 9.109–9.113 below.
69 DPA 2018, Sch 3, para 3; see paras 9.116–9.117 below.
70 DPA 2018, Sch 3, para 4; see paras 9.118–9.120 below. On a literal reading of para 4(2), this right appears to be included, although it may be difficult to envisage how it would apply, or to reconcile this with the rest of the provision.
71 DPA 2018, Sch 3, para 9; see paras 9.130–9.131 below.
72 DPA 2018, Sch 3, para 10; see paras 9.132–9.134 below. See footnote 70.
73 DPA 2018, Sch 3, para 18; see paras 9.140–9.141 below.

RIGHT TO DATA PORTABILITY – ARTICLE 20 (AND RECITAL 68)

8.34 Under the right to data portability, a data subject has the right to receive personal data about him- or herself, which he or she has originally provided to a controller, in a ‘structured, commonly used and machine-readable format’. (The Recital adds that the data should also be in an ‘interoperable format’, and that the controller should be encouraged to develop such formats.)

8.35 The meaning of ‘information which [the data subject] has provided to a controller’ is broader than it appears. While it includes standard information provided directly by the individual, such as their name and address, it also encompasses information arising from observation of the individual concerned (eg their website usage or location data). It will not include, however, additional information generated by the controller in order to analyse such observed data (for example, to create a profile); or the results of such an analysis.

8.36 ‘Commonly used’ means merely that the format is one that is widely used. The other phrases are more important in this context. ‘Structured’ means that ‘software must be extracted and able to extract specific elements of the data’⁷⁴; in other words, that the information is organised and consistent, so that comparable parts of the information can be analysed together. ‘Machine-readable’ means that the text can be read by a computer. In the Re-use of Public Sector Information Regulations 2015⁷⁵, reg 2 includes a definition that the format is structured so that ‘software applications can easily identify, recognise and extract specific data, including individual statements of fact, and their internal structure’. ‘Interoperable’ formats allow data to be passed between different systems and to be understandable to both.

8.37 The data subject further has the right to transmit his or her data to another controller ‘without hindrance’ from the controller to whom the request is made (ie without technical, legal or financial obstacles)⁷⁶; or, where ‘technically feasible’, to require the controller who holds the data to transmit the information direct to another controller⁷⁷. This right is not absolute, however: there may be good reasons why information should not be transmissible ‘without hindrance’ to another controller (eg see para 8.46 below).

8.38 The Commissioner considers that the purpose of the right is to allow individuals to obtain and re-use their personal data ‘for their own purposes across different services’. By means of the right, they may ‘move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability’. This will enable them to take advantage of applications (‘apps’) and services that can use this data to find them a better deal, or to provide information on how they spend their money.

8.39 The right applies only where one of two lawful bases is being used for the processing, namely:
• consent (or explicit consent, in the case of special category data)⁷⁸; or
• the performance of a contract with the data subject; or in order to take steps prior to entering a contract, at the request of the data subject⁷⁹. (This will not apply, therefore, to special category data.)

8.40 The processing must, moreover, be carried out by automated means (eg electronically) in order to qualify under the right.

8.41 Article 20(4) expressly rules out the application of data portability to processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (ie processing under Article 6(1)(e); typically by, or for, public authorities carrying out their functions).

8.42 The right can be exercised without prejudice to the right of erasure in Article 17. In practice this should mean that (in relation to personal data to which the right of erasure applies) an individual can request that the data are made available to them, or sent on to another controller, in the prescribed format; and that the first set of data are deleted by the original controller.

8.43 There is a limitation on the right to data portability in that it is not adversely to affect the rights and freedoms of others⁸⁰. The rule here is not so strict as in relation to third party data under the right of access, where the test is whether it is reasonable to disclose the data (relating to both individuals A and B) to A without B’s consent (see paras 7.52–7.59, and 9.60–9.63). Here the test is whether there will be an adverse effect on B from the sending to A of their combined data in a machine-readable format. Given that their combined data were provided to the controller by A in the first place, there may be no harm to B from its return to A in that format. One example, however, of potential harm might be if location data referred to the movements of A and B together, including some record of their movements whose passing to A would be to B’s detriment. The Commissioner advises that the controller should always consider whether there may be harm from the exercise of the right; particularly where the data will be sent on to other controllers. Where data have been provided by multiple data subjects (as opposed to merely referring to them), the controller should establish that all parties agree to the portability before releasing the data in that form.

74 See ICO’s initial guidance on data portability.
75 SI 2015/1415.
76 GDPR, Article 20(1).
77 GDPR, Article 20(2).
78 GDPR, Articles 6(1)(a) or 9(2)(a).
79 GDPR, Article 6(1)(b).
80 GDPR, Article 20(4). See also Recital 68.
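An added example, not code from the book or the ICO, of the export side of paras 8.34 to 8.36, 8.39 and 8.43: each stored item carries an origin tag so that provided and observed data are exported and derived data are not, the lawful-basis gate from para 8.39 is applied first, and an item that also concerns another data subject is held back until that person has agreed. The origin tags, field names, category names and the sample data are constructed for this example.

```python
"""Added example: building a data portability export under paras 8.34-8.36,
8.39-8.40 and 8.43. Items are tagged by origin; only data the subject provided
or that were observed about them are exported, derived data are left out, and
items that also concern another data subject are withheld until that person
agrees. Origin tags, field names and sample data are constructed."""
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

PROVIDED, OBSERVED, DERIVED = "provided", "observed", "derived"
# Lawful bases on which the right applies (para 8.39: Articles 6(1)(a), 9(2)(a), 6(1)(b)).
PORTABLE_BASES = frozenset({"consent", "explicit_consent", "contract"})


@dataclass(frozen=True)
class Item:
    category: str                          # e.g. "account", "location"
    value: Dict[str, object]
    origin: str                            # PROVIDED, OBSERVED or DERIVED (para 8.35)
    other_subjects: Tuple[str, ...] = ()   # other people the item also concerns


def build_export(subject_id: str, items: Iterable[Item], basis: str,
                 agreed: Iterable[str] = ()) -> Dict[str, object]:
    """Return the portable data as plain dicts and lists, ready for serialisation."""
    if basis not in PORTABLE_BASES:
        raise ValueError(f"data portability does not apply to the {basis!r} basis")
    agreed_set = set(agreed)
    data: Dict[str, List[Dict[str, object]]] = {}
    withheld: List[Dict[str, object]] = []
    for item in items:
        if item.origin == DERIVED:
            continue   # the controller's own analysis is not "provided by" the subject
        others = sorted(set(item.other_subjects) - {subject_id})
        if others and not set(others) <= agreed_set:
            withheld.append({"category": item.category, "other_subjects": others})
            continue   # para 8.43: all parties must agree before release
        data.setdefault(item.category, []).append(dict(item.value))
    return {"data_subject": subject_id, "lawful_basis": basis,
            "format": "application/json", "data": data, "withheld": withheld}


def to_json(export: Dict[str, object]) -> str:
    """Structured, commonly used and machine-readable: JSON with a stable key order."""
    return json.dumps(export, indent=2, sort_keys=True)


def from_json(text: str) -> Dict[str, object]:
    """What a receiving controller does with the file: parse it under the same schema."""
    return json.loads(text)


# Constructed sample: what one controller might hold about a single user.
SAMPLE_ITEMS = [
    Item("account", {"name": "Alice Example", "email": "alice@example.invalid"}, PROVIDED),
    Item("location", {"ts": "2019-03-01T08:00:00Z", "lat": 51.50, "lon": -0.12}, OBSERVED),
    Item("location", {"ts": "2019-03-01T09:00:00Z", "lat": 51.60, "lon": -0.10}, OBSERVED,
         other_subjects=("bob",)),   # a shared journey: also Bob's data (para 8.43)
    Item("profile", {"segment": "frequent traveller"}, DERIVED),   # inferred, not exported
]
```

JSON stands in here for the ‘structured, commonly used and machine-readable’ format; any format the receiving controller can parse under the same schema would serve. The `withheld` list is what lets the controller tell the requester which items were held back and why, rather than silently dropping them.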

Format and timing

8.44 The same rules as to the format for requests, whether to request proof of identity, and the timing of responses apply as for the other individual rights⁸¹. As in those cases, requests may be refused (or a fee charged) if they are manifestly unfounded or excessive⁸².

8.45 Based on Recital 68, the ICO makes clear that, while desirable, there is no requirement on controllers to acquire new systems to administer the right. On the other hand, if a controller’s internal systems are such that individuals would not be able to gain access to the data if provided to them, it will need to do some additional processing on the personal data before disclosure to enable such access.

8.46 The controller may use a preferred means of transmitting the data, or a tool that allows the data subject to extract the requested information themselves, but must always ensure the security of the information. The controller is not liable for any subsequent processing of the data, but it should have measures in place before transfer to ensure that the data are accurate, in accordance with the fourth data protection principle (principle (d)).

8.47 The ICO’s initial guidance includes additional technical advice on acceptable IT formats, and further sources of technical information. It also includes guidance for new controllers receiving such information, who will need to apply the data processing principles to any information they receive.

81 See GDPR, Article 12(3)–(6), and paras 7.14, 7.21–7.25, and 7.39–7.45 above.
82 GDPR, Article 12(5).

Exemptions from right to data portability

8.48 In addition to the general exceptions above, a number of the specific exemptions in the DPA 2018 apply to data portability. These are listed below and described in Chapter 9:
(1) Crime and taxation: general⁸³;
(2) Information required to be disclosed by law etc; or in connection with legal proceedings⁸⁴;
(3) Functions designed to protect the public etc⁸⁵;
(4) Audit functions⁸⁶;
(5) Functions of Bank of England⁸⁷;
(6) Regulatory functions relating to legal services, health service and children’s services⁸⁸;
(7) Regulatory functions of other bodies⁸⁹;
(8) Parliamentary privilege⁹⁰;
(9) Judicial appointments, judicial independence, judicial proceedings⁹¹;
(10) Crown honours, dignities and appointments⁹²;
(11) Journalistic, academic, artistic and literary purposes⁹³;
(12) Archiving in the public interest⁹⁴;
(13) Health data processed by a court⁹⁵;
(14) Data subject’s expectations and wishes with respect to health data⁹⁶;
(15) Social work data processed by a court⁹⁷;
(16) Data subject’s expectations and wishes with respect to social work data⁹⁸;
(17) Education data processed by a court⁹⁹.

83 DPA 2018, Sch 2, para 2; see paras 9.12–9.19 below.
84 DPA 2018, Sch 2, para 5; see paras 9.28–9.30 below.
85 DPA 2018, Sch 2, para 7; see paras 9.32–9.34 below.
86 DPA 2018, Sch 2, para 8; see paras 9.35–9.37 below.
87 DPA 2018, Sch 2, para 9; see paras 9.38–9.39 below.
88 DPA 2018, Sch 2, para 10; see paras 9.40–9.42 below.
89 DPA 2018, Sch 2, para 11; see paras 9.43–9.48 below.
90 DPA 2018, Sch 2, para 13; see paras 9.49–9.51 below.
91 DPA 2018, Sch 2, para 14; see paras 9.52–9.56 below.
92 DPA 2018, Sch 2, para 15; see paras 9.57–9.59 below.
93 DPA 2018, Sch 2, para 26; see paras 9.93–9.100 below.
94 DPA 2018, Sch 2, para 28; see paras 9.109–9.113 below.
95 DPA 2018, Sch 3, para 3; see paras 9.116–9.117 below.
96 DPA 2018, Sch 3, para 4; see paras 9.118–9.120 below. On a literal reading of para 4(2), this right appears to be included, although it may be difficult to envisage how it would apply, or to reconcile this with the rest of the provision.
97 DPA 2018, Sch 3, para 9; see paras 9.130–9.131 below.
98 DPA 2018, Sch 3, para 10; see paras 9.132–9.134 below. See footnote 95 above.
99 DPA 2018, Sch 3, para 18; see paras 9.140–9.141 below.

RIGHT TO OBJECT – ARTICLE 21(1) (AND RECITAL 69)

8.49 The right to object has four parts:

(i) where processing is being carried out as part of a public task (under Article 21(1));
(ii) where the processing is for direct marketing (under Article 21(2));
(iii) where the processing is being undertaken on the basis of the legitimate interests of the controller (under Article 21(1)); or
(iv) (in some cases) where the processing is for scientific or historical research purposes, or statistical purposes (under Article 21(6)).

8.50 Where processing is being carried on for direct marketing purposes under (ii) above, the data subject has an absolute right to object at any time to the processing, including profiling to the extent that it is related to such direct marketing, and the processing must cease[100].

8.51 Where processing is being carried out on either of the lawful bases in (i) or (iii) above (ie public task, or legitimate interests), an individual has a right to object at any time to the processing. The outcome is different from that under (ii). The controller must no longer process the data, unless it can demonstrate ‘compelling legitimate grounds’ for the processing which override the interests, rights and freedoms of the data subject, or that the processing is for the establishment, exercise or defence of legal claims.

8.52 Where processing is being undertaken for scientific or historical research, or statistical purposes, under (iv), the right is narrower. The data subject has the right to object to the processing, unless it is necessary for the performance of a task carried out for reasons of public interest (see para 8.64 below).

(i) Public task basis and right to object

8.53 The right applies to processing arising from either type of activity under the public authority’s public task, ie:
— the performance of a task carried out in the public interest; or
— the exercise of official authority vested in the controller.
The first limb applies to individual tasks, including tasks carried out on behalf of a public authority (eg by a contractor). The carrying out by public authorities themselves of their functions (powers and duties) is undertaken under the second limb[101].

100 GDPR, Articles 21(2) and 21(3). It is acceptable, however, to retain enough personal data to ensure that the processing does not resume. See para 8.60.
101 See paras 5.30–5.39 above for a fuller discussion of the two limbs of this lawful basis.

8.54 Section 8 of the DPA 2018 makes no such distinction between the two limbs. Carrying over the structure of the equivalent ‘data processing condition’ under the former Data Protection Act 1998, it provides that the following fall within the lawful basis in Article 6(1)(e) as a whole:
(a) the administration of justice;
(b) the exercise of a function of either House of Parliament;
(c) the exercise of a function conferred on a person by an enactment;
(d) the exercise of a function of the Crown, a Minister of the Crown or a government department; or
(e) an activity that supports or promotes democratic engagement.

8.55 This is not an exclusive list, and the Commissioner advises that ‘other official non-statutory functions or public interest tasks’ can be undertaken under the public task basis as a whole, provided the ‘underlying legal basis for that function or task is clear and foreseeable’[102].

8.56 As well as data already held, the right applies to new data that the controller creates by profiling the person (provided that the profiling is being done under either the public task basis or the legitimate interests basis).

8.57 Where the right to object is exercised, the data subject has to give reasons (‘grounds relating to his or her particular situation’), which can be weighed against any reasons the controller may have to continue the processing. Public authorities will need, therefore, to be prepared to conduct balancing exercises, and may wish to review in advance their general case for keeping certain types of data.

8.58 If contesting the request, the controller will need to balance its grounds for the processing against the reasons given by the data subject why the activity should cease. If the data subject points to grounds arising from the processing, such as harm to their financial interests or substantial distress, these can be expected to carry greater weight. The controller’s reasons for continuing the processing need to outweigh (not merely be of the same weight as) the data subject’s grounds, in order for the processing to continue.

Example: right to object

Dan’s local council took court action against him two years ago for unpaid council tax. It secured an order for payment, with which he complied. Dan now objects to the council continuing to hold information about the matter. The council investigates. It finds that the processing has been part of its public task. Dan’s personal data were validly collected at the time, as part of its function of enforcing council tax payments. It no longer needs to hold the information about the hearing, as the matter is now closed; so the data are no longer necessary for the exercise of its functions. The Ministry of Housing, Communities and Local Government does want the council to keep a record, however, of addresses against which there has been enforcement, so that swift action can be taken if there is a falling-behind in payments over the next five years. It bases this on regulations issued last year. The council deletes the information within one month, apart from the fact and date of the enforcement concerning that address; checking that copies have not been kept separately by officers in its council tax section, and notifying Dan that it has done so.

102 ICO initial guidance on ‘public task’ basis.

(ii) Direct marketing and right to object

8.59 An individual may ask a controller to stop processing their personal data for direct marketing at any time. This will include any profiling data about the individual (eg their browsing or purchasing preferences) that is related to direct marketing. As already indicated (at para 8.50), there are no grounds on which the controller can refuse the request: the controller must stop processing the data for direct marketing purposes[103]. Recital 70 says that the right should be brought explicitly to the attention of the data subject and ‘presented clearly and separately from any other information’.

8.60 This is not the same, however, as deleting the data. The better course in such a case may well be to ‘suppress’ the data: while most of the data related to direct marketing is deleted, just enough information about the data subject is retained to ensure that the request (ie that processing of their data for direct marketing purposes should cease) will continue to be observed in the future.

8.61 Further, there is some doubt over the scope of the right, in terms of how much processing about the individual actually has to cease. There may be a clue in the Commissioner’s description of the data subject’s preference as being ‘not to receive direct marketing’[104]. The wording in Article 21(2) refers to the cessation of any profiling about the individual ‘to the extent that it is related to such direct marketing’. Both suggest that while this type of processing will have to cease, other processing of the data can continue, provided that it does not involve direct marketing (and assuming that the data subject has not exercised their right to object more broadly). This approach may need to be tested.

(iii) Legitimate interests basis and right to object

8.62 As with the public task basis, where processing is being undertaken on the basis of the legitimate interests of the controller, under Article 6(1)(f) (including profiling[105]), the data subject may object at any time, likewise on ‘grounds relating to his or her particular situation’. The requester will, therefore, likewise need to provide reasons. The controller must cease the processing, unless it can (as above) demonstrate that there are compelling legitimate grounds for the processing which override the interests of the data subject (taking account of his or her reasons), or that the processing is for the establishment, exercise or defence of legal claims.

8.63 This version of the right is more likely to be exercised in relation to the private sector, given that the lawful basis is not available to bodies in the public sector, at least while carrying out their core public functions. Companies and other private sector bodies will similarly need to be prepared to balance arguments in the way described in paras 8.57–8.58 above.

103 GDPR, Article 21(3).
104 ICO initial guidance on ‘Right to object’.

(iv) Processing for research and statistics and the right to object

8.64 This variant of the right is narrower. Where personal data are being processed for scientific or historical research purposes, or for statistical purposes, in accordance with the safeguards in Article 89(1), the data subject has the right to object where the processing is being carried out under the second limb of the public task basis (exercise of official authority), or on the legitimate interests basis[106]. If the processing is being carried out under the first limb of the public task basis (ie a task carried out for reasons of public interest), the processing is exempt from the right to object under Article 21(6). The range of processing that is subject to the right to object is, therefore, narrower under this variant (see example below). As the ICO points out, the distinction may not be clear-cut in relation to some research projects. (An example might be where a private research organisation and a public authority are jointly conducting a piece of research.)

8.65 An individual’s objection has (as above) to be on ‘grounds relating to his or her particular situation’, thus requiring the data subject to produce reasons, which have to be balanced against those of the public authority.

8.66 The exemption will apply only if the research is being conducted under the privacy safeguards set out in Article 89(1), such as data minimisation or pseudonymisation. DPA 2018, s 19(2) and (3), provides that the processing will not satisfy these requirements for safeguards if:
— it is likely to cause substantial damage or substantial distress to an individual; or
— it is carried out for the purposes of measures or decisions with respect to one particular data subject.
An example of the first might be where the research would expose an individual to criticism or ridicule over a past event. An example of the second might be if the processing would lead to a reduction in an individual’s entitlement to a public benefit. If either of these circumstances applies, the exemption on that ground from the right to object will not be available.

8.67 Where an exercise of the right is claimed, in relation to scientific or historical research, or statistical purposes, the controller may resist it where (as above) it can demonstrate that it has a compelling legitimate ground for the processing which overrides the interests of the data subject. The DPA 2018 interprets this to mean that the exemption applies where the right to object would ‘prevent or seriously impair the achievement of the purposes in question’[107].

Example: no right to object to research carried out for reasons of public interest

The (imaginary) Fishing Subsidy Authority, a public body which makes subsidy payments to the fishing industry, engages researchers to produce a study of levels of income amongst different groups of trawler owners. This involves seeking sample income information about individuals, obtained from their representative body, the Trawler Owners Alliance. Sam, an owner of several large trawlers from an area of the country where fishing income is higher than elsewhere, is concerned that if her figures are used, and if the study leads to a new scheme, her future income from subsidy may suffer. She seeks to exercise her right to object. The authority claims that the processing is necessary for the performance of a task carried out for reasons of public interest (to inform the subsidy scheme) by the researchers. (NB If the research were being done in-house, as part of the Authority’s functions, the exemption would be ruled out.) To claim the exemption from the right to object, the Authority would need to be satisfied that the processing is not likely to cause substantial damage to the interests of a given data subject, such as Sam, because no particular outcome will follow directly from the processing. The Authority would also need to be able to show that the research is not being carried out for the purposes of measures or decisions with respect to Sam (or any other specific individual). While the second is clearly the case, the first is more open to argument. If Sam can show that the outcome of the research is likely directly to cause her substantial harm, the research will not conform to the safeguards required by Article 89(1), as interpreted by s 19(2), and the automatic exemption from the right to object, where the processing is necessary for the performance of a task carried out for reasons of public interest (in Article 21(6)), will not apply. To resist Sam’s right to object in those circumstances, so that it can continue to use her data, the Authority would need to be able to show that abiding by her right to object would seriously impair the achievement of the purposes of the research (eg if the data from her company was an important element of the work).

105 If the profiling is also being carried out on that lawful basis.
106 GDPR, Article 21(6).
107 DPA 2018, Sch 2, Pt 6, para 27(1) and 27(2)(d). It may be noted that the test is ‘would’, not ‘would be likely to’; the impairment must therefore be more probable than not (the ‘51%’ level of likelihood).


8.68 Where the controller is either processing personal data for direct marketing, or using the public task basis, or the legitimate interests basis, to support its processing, it should bring the relevant variants of the right to object explicitly to the attention of the data subjects concerned; as well as including it in its Privacy Notices. This should be done ‘at the latest’ when the controller first communicates with the data subject (Article 21(4)). The information should be presented clearly and separately from any other information. If the controller is processing personal data for research or statistical purposes, it should likewise include information about the right to object (as well as information about the other individual rights) in the relevant privacy notice.

General exceptions

8.69 The same rules as to the format for requests, whether to request proof of identity, and the timing of responses apply as for the other individual rights. As with the other individual rights, requests may be refused (or a fee charged) if they are manifestly unfounded or excessive[108]. In the context of information society services, a data subject may exercise the right to object by automated means[109].

8.70 When a request has been received, and if no exemption applies, the controller will need to cease the processing. This will not necessarily mean that the data should be deleted, even though storage forms part of processing. The controller may need the data for another purpose (eg if it has more than one relationship with the requester). Or, as noted above, it will be entitled to retain (‘suppress’) sufficient data to enable it to continue to respect the data subject’s wishes in the future. Controllers will need to establish systems to identify, remove or ‘suppress’ data, and to determine what may be retained, reliably and comprehensively.
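The ‘suppression’ approach described at paras 8.60 and 8.70 can be implemented in code along the following lines. This is an added illustration, not code from this book or from any controller’s system. It assumes contacts are keyed by e-mail address, that records are held in memory as plain objects, and that a keyed hash (HMAC-SHA256 under an example key, hard-coded here purely so the example runs) stands in for the identifier retained on the suppression list; the sample records are constructed for the example.

```python
"""Suppressing direct-marketing data after an Article 21(2) objection.

Added illustration only (not code from the book or any controller's system).
Assumptions: records are held in memory as plain objects, contacts are keyed
by e-mail address, and the suppression token is an HMAC under an example key
that is hard-coded here purely for the illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Assumed secret for keying the suppression token. A real deployment would
# keep this in a secrets store; it is hard-coded only so the example runs.
SUPPRESSION_KEY = b"example-key-for-illustration-only"


def normalise(email: str) -> str:
    """Canonical form of an address, so 'Dan@Example.com ' matches 'dan@example.com'."""
    return email.strip().lower()


def suppression_token(email: str) -> str:
    """Keyed hash of a normalised e-mail address.

    After an objection only this token is retained: enough to recognise the
    address again, without holding it (or any marketing profile) in the clear.
    """
    data = normalise(email).encode("utf-8")
    return hmac.new(SUPPRESSION_KEY, data, hashlib.sha256).hexdigest()


@dataclass
class Contact:
    email: str
    account: dict            # non-marketing data, eg order history
    marketing_profile: dict  # profiling related to direct marketing


@dataclass
class MarketingStore:
    contacts: dict = field(default_factory=dict)  # normalised email -> Contact
    suppressed: set = field(default_factory=set)  # suppression tokens only

    def add_contact(self, contact: Contact) -> None:
        """Register a contact. A later re-import of a suppressed address does
        not revive marketing, because the token check runs at send time."""
        self.contacts[normalise(contact.email)] = contact

    def object_to_marketing(self, email: str) -> None:
        """Honour an Article 21(2) objection: delete the marketing profile,
        retain only a token so the opt-out keeps being respected, and leave
        unrelated processing (the account data) untouched."""
        self.suppressed.add(suppression_token(email))
        contact = self.contacts.get(normalise(email))
        if contact is not None:
            contact.marketing_profile = {}

    def is_suppressed(self, email: str) -> bool:
        return suppression_token(email) in self.suppressed

    def marketing_recipients(self) -> list:
        """Addresses that may still be sent direct marketing."""
        return [e for e in self.contacts if not self.is_suppressed(e)]


def demo() -> dict:
    """Walk through one objection and report the resulting state."""
    store = MarketingStore()
    # Constructed sample records, not real data.
    store.add_contact(Contact("dan@example.com", {"orders": 3},
                              {"segments": ["outdoor", "high-value"]}))
    store.add_contact(Contact("sam@example.com", {"orders": 1},
                              {"segments": ["marine"]}))

    store.object_to_marketing("Dan@Example.com ")  # same person, untidy input

    dan = store.contacts["dan@example.com"]
    return {
        "recipients": store.marketing_recipients(),
        "dan_profile": dan.marketing_profile,
        "dan_account": dan.account,
        "dan_suppressed": store.is_suppressed("dan@example.com"),
        "tokens_held": len(store.suppressed),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that the objection is enforced at the point of sending rather than by deleting the contact record: the account relationship (para 8.70) continues, the marketing profile is removed, and the only thing kept for marketing purposes is a keyed token, which is what para 8.60 means by retaining ‘just enough’ to keep observing the request.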

Exemptions from right to object

8.71 As well as the general exceptions above, a number of the specific exemptions in the DPA 2018 apply to the right to object. These are listed below, and described in Chapter 9. (NB None of the following applies to the right in Article 21(2) to object to direct marketing.)

(1) Crime and taxation: general[110];
(2) Immigration[111];
(3) Information required to be disclosed by law etc, or in connection with legal proceedings[112];
(4) Functions designed to protect the public etc[113];
(5) Audit functions[114];
(6) Functions of the Bank of England[115];
(7) Regulatory functions relating to legal services, health service and children’s services[116];
(8) Regulatory functions of other bodies[117];
(9) Parliamentary privilege[118];
(10) Judicial appointments, judicial independence, judicial proceedings[119];
(11) Crown honours, dignities and appointments[120];
(12) Journalistic, academic, artistic and literary purposes[121];
(13) Research and statistics[122];
(14) Archiving in the public interest[123];
(15) Health data processed by a court[124];
(16) Data subject’s expectations and wishes with respect to health data[125];
(17) Social work data processed by a court[126];
(18) Data subject’s expectations and wishes with respect to social work data[127];
(19) Education data processed by a court[128].

108 GDPR, Articles 12(3)–(6), and paras 7.14, 7.21–7.25, 7.33–7.37, and 7.39–7.45.
109 GDPR, Article 21(5). This right is exercisable notwithstanding the ‘e-privacy’ directive (Directive 2002/58/EC); or (as made express, post-Brexit, by the DPPEC Regulations, Sch 1, para 17) notwithstanding domestic legislation which implemented the Directive before exit day (such as the Privacy and Electronic Communications Regulations 2003; on which see Chapter 12).
110 DPA 2018, Sch 2, para 2; see paras 9.12–9.19 below.
111 DPA 2018, Sch 2, para 4; see paras 9.23–9.27 below.
112 DPA 2018, Sch 2, para 5; see paras 9.28–9.30 below.
113 DPA 2018, Sch 2, para 7; see paras 9.32–9.34 below.
114 DPA 2018, Sch 2, para 8; see paras 9.35–9.37 below.
115 DPA 2018, Sch 2, para 9; see paras 9.38–9.39 below.
116 DPA 2018, Sch 2, para 10; see paras 9.40–9.42 below.
117 DPA 2018, Sch 2, para 11; see paras 9.43–9.48 below.
118 DPA 2018, Sch 2, para 13; see paras 9.49–9.51 below.
119 DPA 2018, Sch 2, para 14; see paras 9.52–9.56 below.
120 DPA 2018, Sch 2, para 15; see paras 9.57–9.59 below.
121 DPA 2018, Sch 2, para 26; see paras 9.93–9.100 below.
122 DPA 2018, Sch 2, para 27; see paras 9.102–9.108 below.
123 DPA 2018, Sch 2, para 28; see paras 9.109–9.113 below.
124 DPA 2018, Sch 3, para 3; see paras 9.116–9.117 below.
125 DPA 2018, Sch 3, para 4; see paras 9.118–9.120 below. On a literal reading of para 4(2), this right appears to be included, although it may be difficult to envisage how it would apply, or to reconcile this with the rest of the provision.
126 DPA 2018, Sch 3, para 9; see paras 9.130–9.131 below.
127 DPA 2018, Sch 3, para 10; see paras 9.132–9.134 below. See footnote 125 above.
128 DPA 2018, Sch 3, para 18; see paras 9.140–9.141 below.


AUTOMATED DECISION-MAKING, INCLUDING PROFILING – ARTICLE 22 (AND RECITAL 71)

8.72 This is an important area of activity, which is likely to increase in future years. Connections between the relevant parts of the GDPR underline its enhanced significance. A data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her, or which similarly significantly affects him or her[129]. In relation to large areas of commercial relations (including retail transactions), and also public service provision, the right is not a prohibition, however, but an entitlement to ask on an individual basis for a decision taken automatically to be reviewed.

8.73 ‘Automated decision-making’ means that a decision is taken solely by automated (eg electronic) means, without human involvement. ‘Profiling’ refers to the automated monitoring or processing of personal data to evaluate certain characteristics of an individual, such as their performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements. ‘Legal effects’ means a change in an individual’s legal rights. (NB The Commissioner takes the view that only adverse effects are included.) ‘Significant effects’ are not defined, but the Commissioner again takes the view that these will be adverse only, and will need to have a ‘serious negative impact’ on the individual in order to qualify[130]. Recital 71 gives the examples of an automatic refusal of an online credit application, or conducting e-recruiting without human intervention.

8.74 The right does not apply if the decision concerned is:
(i) necessary for entering into, or the performance of, a contract with the data subject (which will probably be claimed to cover the majority of such commercial decisions; the issue potentially being whether automated processing is ‘necessary’ in a given case);
(ii) authorised by European or member state law (or, after Brexit, by domestic law) which lays down suitable safeguards for the data subject’s interests (Recital 71 gives the examples of fraud or tax-evasion monitoring); or
(iii) based on the explicit consent of the individual[131].

8.75 If the processing is based on the first or third of these grounds, the controller is to implement suitable measures to safeguard the interests of the data subject. As a minimum, these are to include[132]:
— enabling the data subject to obtain human intervention in the decision;
— the right to express his or her point of view; and
— the right to contest the decision.

129 GDPR, Article 22(1).
130 ICO summary guidance on GDPR Article 22: ‘Rights related to automated decision making, including profiling’.
131 GDPR, Article 22(2).
132 GDPR, Article 22(3).

8.76 In relation to the second ground above, s 14 of the DPA 2018 makes the relevant provision for safeguards for automated processing authorised by law. It creates a category of ‘qualifying significant decision’: one which has legal or similarly significant effects for the data subject, which is required or authorised by law, and for which the automated processing is not based on contract or explicit consent. The controller must notify the data subject of the decision in writing as soon as reasonably practicable. The data subject has one month from receipt to request the controller to reconsider the decision, or to take a new decision with human intervention. The controller then has a month to consider the request, comply with it, and notify the data subject of the steps taken. The controller has the same powers and obligations as in Article 12 (eg to extend time, or to refuse a manifestly unfounded request or charge a fee), and also the transparency obligations applying generally to individual rights. The Secretary of State may amend these rules by regulations[133].

8.77 Recital 71 states that such automated decision-making should not involve a child (although this exclusion does not appear in the Article). It also indicates (in its second paragraph) further technical measures that should be considered to improve the reliability of profiling activities, and to counteract risks of discrimination.

8.78 As can be seen, therefore, while there is no ban on solely automated decision-making in those three areas, an individual who chooses to exercise the right is nonetheless in general to be put by the controller into a position of being able to secure a human intervention.

8.79 The three grounds above are not to be used to process special category data, unless the processing is on the basis of either:
— the explicit consent of the data subject (Article 9(2)(a)); or
— the substantial public interest (as set out in law) (Article 9(2)(g)),
and, in either case, provided that suitable safeguards for the interests of the data subject are in place[134]. In the second case, the relevant lawful bases will be found in DPA 2018, Sch 1, Pt 2[135].

8.80 The ICO advises that controllers should examine their processing to identify activity falling under Article 22. If it does, they should ensure that data subjects are informed; create a simple means for them to seek human intervention, or to challenge a decision; and check regularly that their automated decision-making remains compliant.

8.81 The ICO also advises that a Data Protection Impact Assessment (DPIA) should be conducted for each new instance of automated decision-making or profiling, on the basis that it will qualify as ‘high risk’. Such an assessment is specifically required by the GDPR where systematic and extensive automated processing will produce legal or similarly significant effects for the individual, under Article 35(3)(a).

8.82 The Commissioner points in addition to the obligation to provide meaningful information in Privacy Notices about the logic involved in an automated decision-making process, the significance, and its envisaged consequences for the individual[136]. The guidance also emphasises the ways in which the GDPR’s requirements as a whole apply to solely automated processing, whether or not it has legal or significant effects for the individual, and the need for secure processing and transparency.

8.83 The same rules in Article 12 apply as for other individual rights in relation to the time limits for responses, and the possibility of refusal (or the charging of a fee) for a request that is manifestly unfounded or excessive. The power in Article 12(6) to require evidence of identity does not apply to this right.

Exemptions: automated processing

8.84 Apart from the exceptions referred to above, none of the specific exemptions in DPA 2018, Schs 2–4, which variously apply to the other individual rights, apply to the right in Article 22.

133 DPA 2018, s 14(1)–(8), read with GDPR Articles 22 and 12(3)–(6). The DPPEC Regulations, Sch 1, para 18, and Sch 2, para 17, make minor clarifying amendments to Article 22 and s 14.
134 GDPR, Article 22(4).
135 See DPA 2018, s 10(3) and Sch 1, Pt 2 (paras 5–28). See also Pt 4 (paras 38–41).
136 GDPR, Articles 13(2)(f) and 14(2)(g).

Section C

Exemptions

CHAPTER 9

Exemptions Under the DPA 2018

9.1 There are a significant number of exemptions (38) and practitioners will wish to be familiar with those applying in areas of most relevance to their organisation, while retaining an overview of their range as a whole. All are set out in the Data Protection Act 2018 (‘DPA 2018’), while deriving from powers or duties passed to member states by the GDPR. Many (but not all) have been carried over from the Data Protection Act 1998 (‘DPA 1998’), or secondary legislation under it. Most have been simplified, and several have been extended. Groups of them, or individual exemptions, apply in different ways to various data protection requirements. Many give exemption, in certain circumstances, from some or all of the individual rights under the GDPR and DPA 2018 (notably the access right), while also modifying the relevant data protection principles for consistency. Others provide exemptions from the data protection principles in their own right (eg the requirements for processing to be transparent and fair; although the requirement for a ‘lawful basis’ generally remains in place). Others modify data protection rights to allow for existing restrictions or prohibitions in statute. Some are absolute; but most rely on conditions being met before they apply. Given all these variations, it is vital to examine precisely how far, to what activity, or in respect of which type of personal data, any given exemption applies. For this reason, the scope of each exemption is summarised below in relation to it.

9.2 Section 15 of the Act, and Schedules 2–4, set out the exemptions, and their groupings[1]. Each Schedule, or Part, specifies the data protection requirements (usually described as ‘listed GDPR provisions’) to which it applies. Care is needed, however, as some exemptions contain a different scope within their drafting from that listed at the beginning of the relevant Part or Schedule.

OUTLINE OF EXEMPTIONS

(i) Exemptions in Sch 2

9.3 The exemptions in Sch 2 are based, pre-Brexit, on powers or duties in the GDPR for member states to make exemptions for specific purposes. (Post-Brexit, consequential amendments to the GDPR reflect that the need for reliance on these provisions falls away, although they remain as descriptions of the purpose.) They are grouped according to the one or more originating GDPR provisions, and the purposes of their use (and this continues, post-Brexit), as follows:

Schedule 2, Part 1: exemptions based (pre-Brexit) on powers in the GDPR:
(a) to adapt or restrict processing which is based on the lawful bases of compliance with a legal obligation (Article 6(1)(c)), or of being necessary for the performance of a task in the public interest or in the exercise of official authority (Article 6(1)(e))[2]; or
(b) to restrict the individual rights in Articles 12–22, and 34 (notification to individual of data breach), for a list of ‘public’ purposes such as the prevention of crime, regulatory functions, or the protection of the interests of data subjects or others[3].

9.4 The exemptions in Schedule 2, Part 1 concern:
— Crime and taxation: general (para 2);
— Crime and taxation: risk assessment systems (para 3);
— Immigration (para 4);
— Information required to be disclosed for legal proceedings (para 5).

Schedule 2, Part 2: restrictions based on the power in Article 23(1) to restrict individual rights[4]. The exemptions in Part 2 are:
— Functions designed to protect the public (para 7);
— Audit functions (para 8);
— Functions of the Bank of England (para 9);
— Regulatory functions relating to legal services, health service and children’s services (para 10);
— Regulatory functions of certain other persons (para 11);
— Parliamentary privilege (para 13);
— Judicial appointments, independence and proceedings (para 14);
— Crown honours, dignities and appointments (para 15).

Schedule 2, Part 3: restrictions (based on the power in Article 23(1)(i)) on the right of access in relation to ‘third party’ data in such requests (para 16). NB Paragraph 17 contains an exception to this exemption, so that there is lesser protection for the personal data of health workers, social workers and education staff.

Schedule 2, Part 4: restrictions on privacy notices and the right of access (also based on the power in Article 23(1)). The exemptions in Part 4 concern:
— Legal professional privilege (para 18);
— Self-incrimination (para 20);
— Corporate finance (para 21);
— Management forecasts (para 22);
— Negotiations (para 23);
— Confidential references (para 24);
— Exam scripts and marks (para 25).

Schedule 2, Part 5: the exemption for ‘special purposes’, based on the duty (pre-Brexit) on member states in Article 85(2) to make exemptions for those purposes, if necessary in order to reconcile the protection of personal data with the right to freedom of expression. (The duty is removed after Brexit by the DPPEC Regulations (Sch 1, para 64(2)), while the regulation-making power is adapted.) The exemption covers:
— Journalistic, academic, artistic and literary purposes (para 26).

Schedule 2, Part 6: derogations from certain data protection requirements for research, statistics and archiving, based on a power to derogate for those purposes in Article 89(2). This applies where the requirements would otherwise be likely to render impossible, or seriously to impair, the achievement of the purposes, and the derogation is necessary to achieve them. This power is replaced, post-Brexit, by a power to make regulations in DPA 2018, s 19[5]. The exemptions concern:
— Research and statistics (para 27);
— Archiving in the public interest (para 28).

1 See DPA 2018, s 15(2)–(5). The DPPEC Regulations make consequential amendments, post-Brexit, to s 15; of which the only one of significance is the insertion of a new s 15(4), recognising that processing of manual unstructured data is moved, after Brexit, from DPA 2018, s 21(2) to GDPR, Article 2(1A).
2 GDPR, Article 6(3).
3 GDPR, Article 23(1) and (2).
4 GDPR, Article 23(1).

(ii) Exemptions in Sch 3

9.5 The exemptions in Schedule 3 are to the individual rights in Articles 13–21, and concern information about health, social work, education and child abuse personal data; based on the power in Article 23(1) to restrict individual rights, and obligations in relation to them. This power is limited, post-Brexit, to a power to make further changes to the exemptions, by regulations under DPA 2018, s 16⁶. The exemptions are:

Schedule 3, Part 1: setting out the listed GDPR provisions potentially subject to exemption.

Schedule 3, Part 2 (Health data). The exemptions in Part 2 concern:
— Health data processed by a court (para 3);
— Health data and the data subject’s expectations and wishes (para 4);
— Health data: a ‘serious harm’ exemption from the access right (para 5).

Schedule 3, Part 3 (Social work data). The exemptions concern:
— Social work data processed by a court (para 9);
— Social work data and the data subject’s expectations and wishes (para 10);
— Social work data: a ‘serious harm’ exemption from the access right (para 11).

Schedule 3, Part 4 (Education data). The exemptions concern:
— Education data processed by a court (para 18);
— Education data: a ‘serious harm’ exemption from the access right (para 19);
— Prior opinion of Principal Reporter (Scotland only) (para 20).

Schedule 3, Part 5 (Child abuse data): an exemption from the right of access in respect of child abuse data in the best interests of the data subject (para 21).

5 DPPEC Regulations, Sch 1, para 69.
6 See DPPEC Regulations, Sch 1, para 19.

(iii) Exemptions in Sch 4

9.6 The exemptions in Schedule 4 apply to the individual rights (Articles 13–21) where disclosure is contrary to, or restricted by, another enactment. They are based on the power in Article 23(1) which (as with Sch 3) is limited after Brexit to a power to make changes to exemptions by regulations under DPA 2018, s 16. The exemptions in Sch 4 concern:
— Human fertilisation and embryology information (para 2);
— Adoption records and reports (para 3);
— Statements of special educational needs (para 4);
— Parental order records and reports (para 5).

(iv) Exemption in s 26

9.7 There is also a wide-ranging exemption in DPA 2018, s 26, for national security and defence. Applying before Brexit in relation to the ‘applied GDPR’, it is applied after Brexit to the ‘UK GDPR’ as a whole7.

(v) Further exemptions in regulations

9.8 As indicated above, there are powers in DPA 2018, s 16, for the Secretary of State to add, omit or amend certain groups of exemptions by regulations. This applies to all of the exemptions above save for those in Sch 2, Pt 6, and the defence/national security exemption.

7 DPPEC Regulations, Sch 1, para 19(2)(b), and Sch 2, para 34(2).

Likelihood of harm

9.9 Many of the exemptions require either that the harm ‘would’ occur, or that it ‘would be likely’ to occur; the two tests are not offered as alternatives within the same exemption. The former means that the harm must be more probable than not (50% + 1). In the case of Lord v Home Department, Munby J said, in a judgment which has been widely followed on this point:

‘In my judgment “likely” … connotes a degree of probability where there is a very significant and weighty chance of prejudice to the identified public interests. The degree of risk must be such that there “may very well” be prejudice to those interests, even if the risk falls short of being more probable than not.’8

As an informal rule of thumb – although this is not stated in guidance or authorities – the author suggests that it might be reasonable to take a minimum estimate of that level of likelihood to mean about a 15–20% chance (although this should not be taken to be legal advice).

Use of the exemptions

9.10 The exemptions are significant, as well as numerous. They have sometimes been poorly understood in the past, frequently under-used, and inconsistently applied. They represent a well thought-through and (in most cases) realistic balance between individual rights, the rights of third parties, and the need for controllers to be able to undertake data processing in an effective manner, whether in a commercial context or in the public interest. Achieving that balance requires them to be used, it is suggested, in the way intended by the framers of the legislation.

8 R (on the application of Alan Lord) v Secretary of State for the Home Department [2003] EWHC 2073 (Admin), para 100. See also paras 19.7, 23.3, 24.92a and 25.45 for applications of this test under the environmental information and FOI regimes.

EXEMPTIONS IN DETAIL

Schedule 2, Part 1

9.11 The ‘listed GDPR provisions’ to which exemptions in Part 1 may apply are set out in paragraph 1 of the Schedule.

1. Crime and Taxation (including a risk assessment system) – DPA 2018, Sch 2, para 2

9.12 This is a broad exemption where the data are processed for the purposes of the prevention or detection of crime, the apprehension or prosecution of

offenders, or the assessment or collection of a tax or duty (or a similar type of imposition). It applies to the extent, in any of these cases, that processing the personal data without applying the exemption would be likely to ‘prejudice’ (ie harm) any of those matters9 – see Example 1.

9.13 The exemption applies to: privacy notices; the access right; the right to rectification; the right to erasure; the right to object; and any of the data protection principles, to the extent that they correspond with those rights. There is also an exemption from the fair and transparent requirements in Article 5(1)(a), but not from the requirement for the processing to have a lawful basis in Article 6; and also from the ‘purpose limitation’ principle in Article 5(1)(b).

9.14 In addition to the above, there is an exemption under this heading from the requirement to notify data subjects of a personal data breach under Article 34(1) and (4), in cases where there would similarly be likely to be harm to the crime or tax-related matters listed10.

9.15 In a separate exemption under this heading, if Controller 1 holds personal data for crime-fighting or tax assessment purposes, and Controller 2 obtains the data from it for the purposes of discharging statutory functions, Controller 2 will likewise have an exemption to the same extent as Controller 1, if processing the data according to the relevant requirements would be likely to harm the crime-fighting or tax assessment purpose. (The functions to be discharged by the processing may be those of either controller.) The exemption is narrower in scope, however, than the one above; applying only to privacy notices or the right of access, and to the data protection principles to any extent that they correspond to those rights11. See Example 2.

9.16 These provisions broadly replicate those in the former DPA 1998, s 29.

9.17 Exempt from (Crime exemption, para 2(1)): Privacy Notices (Articles 13(1)–(3) or 14(1)–(4)); right of access (Article 15(1)–(3)); right of rectification (Article 16); right to erasure (Article 17(1)–(2)); right to restrict processing (Article 18(1)); notification (Article 19); right to data portability (Article 20(1)–(2)); right to object (Article 21(1)); the data protection principles, so far as they correspond with those rights (Article 5); duty to notify data subject of data breach (Article 34(1) and (4)).

9.18 To the extent that the harm would occur, or is likely, there is also an exemption from the fairness and transparency requirements in Article 5(1)(a) (but not from the requirement for the processing to have a lawful basis in Article 6); and from the purpose limitation principle in Article 5(1)(b).

9.19 Exempt from (Crime exemption for second controller, para 2(2)): Privacy Notices (Articles 13(1)–(3) or 14(1)–(4)); right of access (Article 15(1)–(3)); data protection principles (to any extent that they correspond to those rights); all to the same extent as the first Controller is exempt.

9 DPA 2018, Sch 2, Pt 1, para 2(1).
10 DPA 2018, Sch 2, Pt 1, para 2(1).
11 DPA 2018, Sch 2, Pt 1, para 2(3).


Examples: crime and taxation: general

Example 1: Prejudice to crime-fighting functions or tax assessment functions

Nonsuch Ltd is asked by the police to confirm identifying information for an employee, Mark, whom the police suspect of shop-lifting. The personnel officer, Phyllis, records that she disclosed information to them confirming Mark’s home address, length of employment, and attendance at work on the day in question. Later, Mark makes an access request to Nonsuch. Phyllis shows the record to the data protection officer. Nonsuch should ask the police whether disclosing the record to Mark would be likely to harm their investigation. If the police state that it would (eg because it is continuing, or because they believe that Mark may destroy evidence if he knew about it), Nonsuch would be exempt from the duty to disclose the information to Mark (Article 15(1)). They would also be exempt from the duty to confirm the processing under Article 15(1), if doing so would be likely to have the same result. If neither the confirmation nor the disclosure would be likely to cause any harm to the investigation, however (eg because it had ended, or because the police no longer suspected Mark), Nonsuch should confirm the processing, disclose the record to him, or both, as the case may be.

Example 2: Prejudice to Controller 2’s statutory functions from disclosing personal data obtained from Controller 1

The national body responsible for police complaints obtains data about Mark from the police, because it is investigating a complaint about the handling of crime enquiries by that force and wishes to examine a number of examples. If there would be continuing harm to the original police investigation were the complaints authority now to notify Mark that it holds his data (as it should otherwise do under its privacy notice obligations), it would have an exemption from the requirement to do so.

2. Crime and taxation: risk assessment systems (Sch 2, para 3)

9.20 This is a narrower exemption than the one above (also derived from DPA 1998, s 29), applying to personal data which consist of a classification in a risk assessment system, operated by a government department, local authority or other authority which administers housing benefit, for the purposes of:
— assessing or collecting tax (or a similar imposition); or
— the prevention or detection of crime, where the offence involves the unlawful use of public money or an unlawful claim for payment from public money.

9.21 The exemption applies in either case where applying the requirements in the GDPR would ‘prevent the system from operating effectively’. This condition could apply to a specific case, or generally. It will be noted, however, that the test is whether the system ‘would’ be prevented from operating effectively, not whether it ‘would be likely’ to be.

9.22 Exempt from: Privacy notices (Articles 13(1)–(3) or 14(1)–(4)); right of access (Article 15(1)–(3)); data protection principles so far as they correspond to those rights.

Example: crime and taxation: risk assessment systems

The local authority for the Nonsuch area is comparing its Housing Benefit data with welfare benefits data supplied to it by the DWP, in order to identify benefit fraud. Frieda’s name is on some of the lists being compared and she has been marked in the records as ‘medium risk’. The authority can refuse to disclose the information to Frieda, if she makes an access request, to any extent that doing so at this stage would prevent the system from operating effectively. In justifying this, the authority records (if that is the case) that it believes that, if it were to disclose this information about her classification to Frieda, she would be likely to destroy any other evidence in her possession, thus preventing the system from operating effectively in Frieda’s case.

3. Immigration (Sch 2, para 4)

9.23 There is an exemption from a number of individual rights, including privacy notices and the access right, for the purposes of: (i) the maintenance of effective immigration control; or (ii) the investigation or detection of activities that would undermine such maintenance; to the extent that, unless the exemption is applied, either activity would be likely to be harmed12 (NB the lower test of likelihood).

9.24 There was no equivalent exemption under the DPA 1998.

9.25 Exempt from: Privacy Notices (Articles 13(1)–(3) or 14(1)–(4)); right of access (Article 15(1)–(3)); right to erasure (Article 17(1)–(2)); right to restrict processing (Article 18(1)); right to object (Article 21(1)); and the data protection principles so far as they correspond to these rights. (Subject to the latter, the principles of lawful, fair and transparent processing, and of purpose limitation, continue to apply.)

12 DPA 2018, Sch 2, Pt 1, para 4(1).


9.26 The exemption also applies, but to a narrower extent, where Controller 1 processes data that are then obtained and processed by Controller 2 for either of the above immigration purposes. In those circumstances, Controller 1 may claim a shorter list of exemptions (in relation to privacy notices, the right of access, and any corresponding parts of the data protection principles), to the same extent as Controller 2 may claim them13.

9.27 Exempt from (Controller 1): Privacy Notices (Articles 13(1)–(3) or 14(1)–(4)); right of access (Article 15(1)–(3)); data protection principles so far as they correspond to these rights; all to the same extent as Controller 2.

Example: immigration control

The Home Office makes a request to local authorities for any information which they may have acquired about foreign nationals who have arrived illegally in the UK. A local authority passes on some information which it has acquired about a family from a local school. To the extent that the investigation of possible illegal entry to the UK would be likely to be harmed if the information were to be disclosed to any of the individuals involved, through a privacy notice or in response to an access request, the local authority would be able to claim an exemption under para 4(4) as ‘Controller 1’ (the Home Office being ‘Controller 2’). Disclosure of the investigation would be likely, the authority believes, to reveal the source of the information, which would be likely to discourage the flow of any such information to it in the future. As the controller carrying out the processing relevant to immigration control, the Home Office would be able to claim the longer list of exemptions above, if relevant, under para 4(1) (ie exemption also from the right to erasure (Article 17), the right to restrict processing (Article 18), or the right to object (Article 21)), provided that it could demonstrate a likelihood of harm to the immigration control activities.

4. Information required to be disclosed by law etc; or in connection with legal proceedings (Sch 2, para 5)

9.28 This exemption has three parts. In each case, all the individual rights may be subject to exemption, save for the right not to be subject to solely automated decisions. The variants are:
(i) where a controller is obliged by statute to make personal data available to the public, the listed provisions do not apply to the personal data involved, to the extent that otherwise the controller would be prevented from complying with the obligation14. In other words, in a case of conflict, the individual data protection right, such as the right to erasure, cedes priority to a statutory obligation to make the data available;
(ii) where a controller is obliged by a statute, rule of law (ie a common law rule), or order of a court, to disclose the data, the relevant GDPR provisions do not apply to the extent that otherwise the controller would be prevented from making the disclosure; or
(iii) where disclosure of the data is necessary: (a) for the purpose of (or in connection with) legal proceedings, including prospective proceedings; (b) for the purpose of obtaining legal advice; or (c) otherwise for the purpose of establishing, exercising or defending legal rights; to the extent (in each case) that otherwise the controller would be prevented from making the disclosure.
Thus, an individual right such as the right to restrict processing gives place to a need to disclose the data for these legal reasons.

9.29 The first exemption is based on the former DPA 1998, s 34. The second and third replicate the former s 35.

Example: disclosure in connection with legal proceedings

Harold is in dispute with his local traffic authority, which imposed a fixed penalty on him two months ago for driving in a bus lane. He has refused to pay the fine. Harold says that he entered the lane only after he had passed the markings on the road indicating the end of the bus lane. He has contested the accuracy of a CCTV picture of his car moving into the lane ahead of the markings, maintaining that it was taken from a misleading angle. Harold tries to use his right of restriction under Article 18(1)(a) of the GDPR to oblige the authority to cease actively processing the photograph, pending their verifying its accuracy. The authority wants, however, to send the picture to its external solicitors in order to start a prosecution against Harold for non-payment of the fine. The case has already taken longer than usual and, after consulting its traffic engineers, it is satisfied that the photograph is accurate. The authority may claim the exemption in Sch 2, para 5(3)(a) (disclosure necessary for the purpose of legal proceedings) to resist Harold’s right of restriction, so that it can disclose the photograph to the firm of solicitors.

13 DPA 2018, Sch 2, Pt 1, para 4(4).
14 DPA 2018, Sch 2, Pt 1, para 5(1).

9.30 Exempt from: Privacy Notices (Articles 13(1)–(3) or 14(1)–(4)); right of access (Article 15(1)–(3)); right of rectification (Article 16); right to erasure (Article 17(1)–(2)); right to restrict processing (Article 18(1)); notification of rectification, erasure or restriction (Article 19); right of data portability (Article 20(1)–(2)); right to object (Article 21(1)); data protection principles, so far as corresponding to these rights (Article 5); the requirements for lawful, fair and transparent processing in Article 5(1)(a) (but not the need for a lawful basis in Article 6); the purpose limitation principle (Article 5(1)(b)).

Schedule 2, Part 2

9.31 The listed GDPR provisions which may be restricted by the exemptions in Part 2 of the Schedule are listed in Sch 2, para 6.

5. Functions designed to protect the public (Sch 2, para 7)

9.32 This exemption has six parts. A table in para 7 of the Schedule describes different functions intended to protect the public, charities or fair competition in business. The exemption attaches to each function where a certain ‘condition’ applies (eg that a function is conferred on a particular body by enactment), to the extent that applying the data protection requirement concerned would be likely to harm the proper discharge of the function. The functions and conditions are as follows:

[1] Dishonesty or malpractice in financial services or corporate bodies: the function is designed to protect the public against: (a) financial loss due to (i) dishonesty, malpractice or other seriously improper conduct by, or (ii) the unfitness or incompetence of, persons providing banking, insurance, investment or other financial services, or persons managing bodies corporate; or (b) financial loss due to the conduct of bankrupt persons (whether discharged or undischarged). Depending on the context, ‘persons’ could apply to individuals, companies or other entities. In each case the function is designed to protect the public against financial loss. The ‘condition’ is that the function is: (a) conferred on a person by statute; (b) a function of the Crown, a Minister of the Crown or a government department; or (c) of a public nature, exercised in the public interest (which could include a function of a private body, which is of a public nature).

[2] Protection against dishonesty or incompetence: the function is designed to protect the public against: (a) dishonesty, malpractice or seriously improper conduct; or (b) unfitness or incompetence. The ‘condition’ is the same as in [1] above, but there is no requirement for the function to protect against financial loss, as distinct from protecting the public against dishonesty, malpractice etc.

[3] Charities or community interest companies: the function is designed to protect charities or community interest companies against misconduct, mismanagement or loss, or to recover their property. The condition is the same as in [1] above. A ‘community interest company’ is a social enterprise which uses its profits or assets for the public good.

[4] Health and safety: the function is designed to secure health, safety and welfare at work; or to protect non-workers from risks to health and safety from the actions of those at work. (An example of the latter would be protecting persons in a street from building work above.) The ‘condition’ is the same as in [1] above.

[5] Maladministration: the function is designed to protect the public against: (a) maladministration by public bodies; (b) failure in services provided by public bodies; or (c) a failure by a public body to provide a service which it is its function to provide. The ‘condition’ is that the function is conferred by statute on the Parliamentary Ombudsman, the Commissioner for Local Administration in England (the local government and social care ombudsman), the Health Service Commissioner for England, the Ombudsmen in Wales, Northern Ireland and Scotland, or the Prisons Ombudsman in Northern Ireland.

[6] Fair competition: the function is designed to protect the public against harm from the conduct of a business, or to prevent unfair competition, or to regulate the abuse of a dominant market position. The ‘condition’ is that the function has been conferred by statute on the Competition and Markets Authority.

Example: functions designed to protect the public

The UK Treasury appoints a distinguished panel to investigate, and advise on, alleged improper conduct by banks during the financial recession. The Treasury provides a secretariat for the inquiry, and is the controller for personal data held by it. The inquiry is asked to estimate losses caused by any malpractice, as well as the nature of any such misconduct. During the investigation, Bruce, a banker under investigation, asks to see the personal data held about him. The right of access does not apply to the personal data the inquiry has collected in the course of formulating its report, if disclosing the information would be likely to harm the investigation. In this case, the report is in draft, including comments on Bruce’s activities, but the draft has not been discussed or approved by the panel. Each person criticised will be given an opportunity to comment before publication, but the process has not yet reached that stage. Premature discussion of its content (eg by Bruce contesting the draft comments relating to him before they have been approved to go into the report) would be likely to be harmful to its deliberations, and thus to prejudice the proper discharge of a function of a public nature, exercised in the public interest, for one of the purposes under headings [1] or [2] above.

9.33 The exemptions are based on those in the former DPA 1998, s 31(2)–(4); although the range of requirements from which there may be an exemption has been expanded15.

9.34 Exempt from: Privacy Notices (Articles 13(1)–(3) or 14(1)–(4)); right of access (Article 15(1)–(3)); right of rectification (Article 16); right to erasure (Article 17(1)–(2)); right to restrict processing (Article 18(1)); notification of rectification, erasure or restriction (Article 19); right of data portability (Article 20(1)–(2)); right to object (Article 21(1)); or the data protection principles so far as corresponding to any of these rights (Article 5).

6. Audit functions (Sch 2, para 8)

9.35 There is an exemption from the listed GDPR requirements to the extent that applying any of them in a given case would be likely to harm the proper discharge of any function conferred by statute on the Comptroller and Auditor General (who leads the National Audit Office), the Auditor General for Scotland, the Auditor General for Wales, or the Comptroller and Auditor General for Northern Ireland.

9.36 There was no directly equivalent exemption under the DPA 1998, although it originates in DPA 1998, s 31.

9.37 Exempt from: Privacy Notices (Articles 13(1)–(3) or 14(1)–(4)); right of access (Article 15(1)–(3)); right of rectification (Article 16); right to erasure (Article 17(1)–(2)); right to restrict processing (Article 18(1)); notification of rectification, erasure or restriction (Article 19); right of data portability (Article 20(1)–(2)); right to object (Article 21(1)); or the data protection principles so far as corresponding to any of these rights (Article 5).

15 The former exemption applied only to the ‘subject information provisions’ (ie  the right of subject access, and the first data protection principle other than the requirement for one or more data processing conditions); DPA 1998, s 27(2).


7. Functions of the Bank of England (Sch 2, para 9)

9.38 There is an exemption where applying any of the listed provisions would be likely to harm the proper discharge of a ‘relevant function’ of the Bank of England (referring to three sets of its statutory functions, including as a monetary authority). There was no direct predecessor exemption in the DPA 1998, although it has origins in DPA 1998, s 31.

9.39 Exempt from: Privacy Notices (Articles 13(1)–(3) or 14(1)–(4)); right of access (Article 15(1)–(3)); right of rectification (Article 16); right to erasure (Article 17(1)–(2)); right to restrict processing (Article 18(1)); notification of rectification, erasure or restriction (Article 19); right of data portability (Article 20(1)–(2)); right to object (Article 21(1)); or the data protection principles so far as corresponding to any of these rights (Article 5).

8. Regulatory functions relating to legal services, the health service and children’s services (Sch 2, para 10)

9.40 This exemption groups together processing for four types of regulatory function relating to complaints (derived from part of the former DPA 1998, s 31), covering legal services, or health and social care:
(a) a function of the Legal Services Board (an independent body responsible for overseeing the regulation of lawyers in England and Wales);
(b) a function of considering a legal complaint under Part 6 of the Legal Services Act 2007 (requirements for complaints procedure);
(c) a function of considering a complaint under: (i) the NHS Redress Act 2006, s 14 (regulations concerning NHS complaints16); (ii) ss 113(1) or (2), or 114(1) or (3) of the Health and Social Care (Community Health and Standards) Act 2003 (regulations on complaints about healthcare or social services in England and Wales); (iii) Children Act 1989, ss 24D or 26 (regulations for local authority procedures for considering representations, and on reviews of looked-after children); or (iv) Part 2A of the Public Services Ombudsman (Wales) Act 2005 (investigation of complaints relating to other persons in social care and palliative care); or
(d) a function of considering a complaint under the Social Services and Well-being (Wales) Act 2014, Pt 10, Chapter 1 (complaints and representations about social services).

16 Not in force at the time of writing.


9.41 There is an exemption to the extent that applying the data protection requirements listed below to processing for the purposes of one of the functions above would be likely to harm the proper discharge of the function concerned.

9.42 Exempt from: Privacy Notices (Articles 13(1)–(3) or 14(1)–(4)); right of access (Article 15(1)–(3)); right of rectification (Article 16); right to erasure (Article 17(1)–(2)); right to restrict processing (Article 18(1)); notification of rectification, erasure or restriction (Article 19); right of data portability (Article 20(1)–(2)); right to object (Article 21(1)); or the data protection principles so far as corresponding to any of these rights (Article 5).

9. Regulatory functions of certain other bodies (Sch 2, para 11)

9.43 This broadly-titled group of exemptions applies to a number of regulators, where applying the listed GDPR requirements would be likely to harm the proper discharge of certain of their statutory functions. The regulators include the Information Commissioner, in relation to her functions including data protection, FOI, electronic communications, and the EIR; and the Scottish Information Commissioner.

9.44 The other regulators are:
— The Pensions Ombudsman;
— The Board of the Pension Protection Fund (and the Ombudsman for that Board);
— The Pensions Regulator;
— The Financial Conduct Authority;
— The Financial Ombudsman;
— The investigator of complaints against the financial regulators;
— A consumer protection enforcer (other than the Competition and Markets Authority);
— The monitoring officer of a relevant local authority (in England) or a Welsh local authority;
— The Public Services Ombudsman for Wales;
— The Charity Commission.

9.45 In several instances, the statutory provisions conferring functions on them are broad in scope. In the case of the Information Commissioner, for example, the exemption potentially applies to all of her main functions. If the application of a data protection requirement would be likely to harm the proper discharge of the Commissioner’s functions conferred ‘by or under the data protection legislation’ (or, likewise, conferred by or under the Freedom of Information Act 2000, or the Environmental Information Regulations 2004,


amongst other provisions), the Commissioner will have an exemption from the relevant data protection requirement. 9.46 It remains to be seen whether or what use the Commissioner makes of this exemption. One example might be its possible application to access requests made by complainants during an investigation of their complaint; where disclosures in response may reveal to them correspondence between the ICO and the controller which the latter may have understood to be confidential. Such a disclosure would arguably disrupt the proper exercise by the Commissioner of her investigatory function in the given case. 9.47 Although some of the exemptions derive from the former DPA  1998, s  31 (eg  in relation to a consumer protection enforcers17 and local authority monitoring officers), their scope has been expanded from the former ‘subject information provisions’ under the previous Act. Others had no predecessor in the 1998 Act; and were added to the 2018 Act during its passage through Parliament (including those in relation to the ICO). 9.48 Exempt from: Privacy Notices (Articles  13(1)-(3) or 14(1)-(4)); right of access (Article 15(1)-(3)); right of rectification (Article 16); right to erasure (Article  17(1)-(2)); right to restrict processing (Article 18(1)); notification of rectification, erasure or restriction (Article  19); right of data portability (Article  20(1)-(2)); right to object (Article  21(1)); or, the data protection principles so far as corresponding to any of these rights (Article 5). 10.  Parliamentary privilege (Sch 2, para 13) 9.49 An exemption applies to the listed provisions, and also the obligation to notify a data subject of a personal data breach likely to cause ‘high risk’ to their rights and freedoms18, where it is necessary to avoid an infringement of the privileges of either House of Parliament. 
Parliamentary privilege applies to matters forming the ‘proceedings’ of either House, and those matters are protected from being questioned in a court. There are no qualifying conditions for the exemption to apply.

9.50 The exemption is in certain respects narrower than the former DPA 1998, s 35A; but it now also extends to the obligation to notify a data subject of a personal data breach, which the earlier provision did not cover.

9.51 Exempt from: Privacy Notices (Articles 13(1)–(3) or 14(1)–(4)); right of access (Article 15(1)–(3)); right of rectification (Article 16); right to erasure (Article 17(1)–(2)); right to restrict processing (Article 18(1)); notification of rectification, erasure or restriction (Article 19); right of data portability (Article 20(1)–(2)); right to object (Article 21(1)); the data protection principles so far as corresponding to any of these rights (Article 5); and, notification of a data breach to the individual (Article 34(1) and (4)).

17 See DPA 2018, Sch 2, Pt 2, para 12; Enterprise Act 2002, s 213(5A); and, DPA 1998, s 31(5A).
18 GDPR, Article 34(1).


11. Judicial appointments, judicial independence and judicial proceedings (Sch 2, para 14)

9.52 There is an absolute exemption from the listed provisions for personal data processed for the purposes of assessing a person’s suitability for appointment as a judge or Queen’s Counsel (ie a senior barrister). A disappointed candidate is not able, for example, to have access to the papers relevant to their application.

9.53 There is also an absolute exemption for personal data processed by an individual acting in a judicial capacity, or by a court or tribunal acting in its judicial capacity (eg, in the first case, the notes made by a judge during a trial).

9.54 There is a further exemption, applying to any personal data not falling within either of the above exemptions, where applying any of the listed data protection requirements would be likely to harm judicial independence or judicial proceedings. The Explanatory Notes to the Act, when it was a Bill, described the latter as ensuring that ‘the administration of justice is not undermined by the application of the GDPR.’ No attempt may be made, for example, to use the right to rectification to change a disobliging part of the court record about oneself on grounds of claimed inaccuracy (as a litigant or witness might see it); nor to use the right of erasure to remove correspondence relating to oneself from the court’s records.

9.55 Other than in relation to judicial appointments, and those of QCs, these exemptions were not contained in the DPA 1998.
9.56 Exempt from: Privacy Notices (Articles 13(1)–(3) or 14(1)–(4)); right of access (Article 15(1)–(3)); right of rectification (Article 16); right to erasure (Article 17(1)–(2)); right to restrict processing (Article 18(1)); notification of rectification, erasure or restriction (Article 19); right of data portability (Article 20(1)–(2)); right to object (Article 21(1)); or, the data protection principles so far as corresponding to any of these rights (Article 5).

Example: individual acting in judicial capacity; and, judicial proceedings

Rex is very unhappy at the result of his appeal to the Information Rights Tribunal, which he lost. He is particularly incensed at the view taken in the judgment of the evidence he gave, and of the outcome of his cross-examination by the Commissioner’s advocate. He cannot use the right of access to secure a copy of the notes made by the judge or panel members (so far as they form his personal data) about his oral evidence, or the cross-examination on it, because they form personal data processed by an individual acting in a judicial capacity, for which there is an absolute exemption (Sch 2, para 14(2)). He also believes that the tribunal officials did not respond correctly to his repeated telephone calls and emails before the hearing, in which he sought to challenge several aspects of the preparations for it. He has indicated that his access request includes any internal communications concerning his case within the Tribunal. If the Tribunal concludes, however, that releasing these internal emails etc would be likely to prejudice judicial independence, by opening its internal deliberations to external scrutiny and comment, it will be able to apply the exemption in para 14(3) to refuse to disclose the personal data about Rex contained in those communications.

12. Crown honours, dignities and appointments (Sch 2, para 15)

9.57 The listed GDPR provisions do not apply to personal data processed for the purposes of the conferring by the Crown of any honour or dignity (eg a medal for public service)19; replicating an exemption in the DPA 1998, but expanding its range. The exemption is absolute.

Example:

Vera was told by her neighbours that they had nominated her for an MBE because of her community work, but she has not been awarded one in the Queen’s birthday honours list. She writes to ask for a reason, but the information about the consideration of her nomination for the award (which is her personal data) is exempt from the right of access.

9.58 There is also an absolute exemption for personal data processed for the purposes of assessing individuals’ suitability for appointment to senior positions in the Church of England: as bishops and archbishops; cathedral deans; deans and canons of the two Royal Peculiars (ie Westminster Abbey and St George’s Chapel, Windsor); or, the First and Second Estates Commissioners of the Church of England. Data processed for assessing persons for appointment as Lord-Lieutenants; the Masters of Trinity College or Churchill College, Cambridge; the Provost of Eton; the Poet Laureate; or, the Astronomer Royal, are also exempt. The list may be amended by Regulations.

9.59 Exempt from: Privacy Notices (Articles 13(1)–(3) or 14(1)–(4)); right of access (Article 15(1)–(3)); right to rectification (Article 16); right to erasure (Article 17(1)–(2)); restriction of processing (Article 18(1)); notification of rectification, erasure or restriction (Article 19); right to data portability (Article 20(1) and (2)); right to object (Article 21(1)); or, the corresponding aspects of the data protection principles in each case (Article 5).

19 DPA 2018, Sch 2, Pt 2, para 15(1).


Schedule 2, Part 3

13. Protection of the rights of others (or ‘third party data’) (Sch 2, para 16)

9.60 This is the exemption which enables a controller not to disclose personal data to an individual making an access request, where the information also forms the personal data of another individual (known as ‘third party data’); unless either the third party consents to the disclosure, or it is reasonable to disclose the information without the consent of the third party20. Where it applies, there is also an exemption from any of the data protection principles in Article 5, to the extent that the requirements of the latter correspond with the access right.

9.61 The category of ‘information relating to another individual’ (ie information that forms the personal data of both individuals) includes information that identifies the other individual as the source of the information held about the data subject21. An individual (ie the third party) can be identified from the information to be provided to a data subject if the person can be identified either from that information; or from that information and any other information which the controller reasonably believes the data subject is likely to possess or obtain22.

9.62 The purpose of the exemption is to balance the rights of two or more parties, where the person making the access request wishes to see information about himself or herself which is also about the other person (or possibly more than one other person). The operation of the exemption is described in detail at paras 7.52–7.59 above23.

9.63 Exempt from: right of access (Article 15(1) and (3)); and, the data protection principles (Article 5) so far as they correspond with those provisions of the right of access.

Example: third party data

An HR record states: ‘Bertha informed us that Ian rang in sick on Monday, but that he was actually at the races that day’. The information is the personal data of both Ian (describing his alleged activity and whereabouts that day); and of Bertha, since it records that she was the source of the allegation, and what she said.

20 Formerly contained in DPA 1998, ss 7(4)–(6), and 8(7). In that Act, it was an absence of obligation, so that the right of access did not apply. It is now treated instead as an exemption.
21 DPA 2018, Sch 2, para 16(4)(a).
22 DPA 2018, Sch 2, para 16(4)(b).
23 See also paras 7.9–7.11 above.


Exception to exemption: third party data of health workers, social workers and education workers (Sch 2, para 17)

9.64 This exception deals with what has previously been recognised as the special position of these three groups of professional workers in relation to access rights; and whether it is reasonable to disclose their personal data to a requester, where information about them forms the personal data of both the worker and the requester. This situation will often arise: records of the social care, health care, or education of the individuals about whom they are written will often refer as well to the workers most directly involved; often at a detailed personal level in both cases. The staff will often, moreover, have created the records, or contributed professional judgments to them, so that they constitute their personal data for that reason as well. A doctor’s diagnosis of her patient is her personal data, as well as his. For both reasons, therefore, the information in such records will often form the personal data of both the service user and the professional worker.

9.65 The DPA 2018 continues the substance of exceptions contained in three former statutory instruments, one for each type of service, made under the former DPA 1998, s 30 (see note 24), with one important difference (see para 9.66). The basic premise is that, in relation to access requests, health workers, social workers and teachers or other educational staff should have lesser rights to privacy than other third parties, by reason of their professional obligations to both the user and their employer.
The test of reasonableness, as to whether ‘third party’ data should be disclosed to the access requester without the other person’s consent, is to be treated as satisfied, in the case of these workers, where they meet the health, social work, or education ‘data tests’25:

— the health data test is met if the information in question is in a health record, and the other individual is a health professional26 who has compiled or contributed to it; or who has, in his or her capacity as a health professional, been involved in the diagnosis, care or treatment of the data subject.27
— the social work data test is met if the other individual is a children’s court officer, an employee of a social care authority or similar body28, or a person who provides for reward a service which is similar to a service provided under a social services function. (This applies to a professional care worker in the private sector, such as a foster parent or a private care home worker.) In each case, in order to fall within the definition, the information has to relate to the worker in an official capacity (in the public sector), or to the private care service (in the private sector).

24 The Data Protection (Subject Access Modification) (Health) Order 2000, SI 2000/413; Data Protection (Subject Access Modification) (Social Work) Order 2000, SI 2000/415; and, Data Protection (Subject Access Modification) (Education) Order 2000, SI 2000/414.
25 DPA 2018, Sch 2, Pt 3, para 17(1); the respective tests being in paras 17(2)–(4).
26 Defined in DPA 2018, s 204(1).
27 DPA 2018, Sch 2, Pt 3, para 17(2).
28 As referred to in DPA 2018, Sch 3, Pt 3, para 8.


— the education data test is met if the third party is an ‘education-related worker’ (or is employed by an education authority in Scotland, and the information relates to that person in his or her capacity as such an employee, or he or she supplied the information in that capacity). An ‘education-related worker’ is defined in England and Wales as an employee of a local education authority (ie any of its staff, including teachers); or, a teacher or other employee in a variety of other types of school such as voluntary-aided schools or academies29. In Northern Ireland, the exception applies to a teacher, an employee (other than a teacher) of a local education authority, or an employee (other than a teacher) of the Council for Catholic Maintained Schools.

9.66 If any of the factual circumstances outlined above applies, therefore, the worker affected will have no protection of reasonableness against the disclosure of their personal data where it is also the data of the requester. The DPA 1998 included provision (in health or education cases) whereby the worker could seek to prevent a disclosure by satisfying a court that disclosure to the requester would be likely to cause serious harm to their physical or mental health or condition, or that of another person. In the case of social work, the harm to be proved was also linked to the continued provision of social work. These protections for those individual workers appear no longer to be available.

Schedule 2, Part 4

9.67 Schedule 2, Part 4 contains a more limited range of exemptions. The listed GDPR provisions (ie the provisions from which there may be an exemption) in paragraph 18 are limited to Privacy Notices and the right of access (and any corresponding data protection principles).

14. Legal professional privilege (Sch 2, para 19)

9.68 Legal professional ‘privilege’ (ie protection) exists to protect confidentiality between lawyer and client, so that each can speak and write frankly to the other without concern about whether the information will be required to be disclosed (although the client has the right to disclose it). See paras 23.42–23.46, and 26.195–26.210, for discussion of it (in the contexts of EIR and FOIA). This exemption is based on DPA 1998, Sch 7, para 10. In the context of data processing, there is an exemption where personal data consist of information about which a claim of legal professional privilege could be maintained in legal proceedings. In other words, the information will be protected where it forms either:

(a) part or all of legal advice provided by a lawyer to a client (or part or all of the questions to the lawyer, to which the advice forms the answers); or

29 DPA 2018, Sch 2, Pt 3, para 17(5); by reference to Sch 3, Pt 4, paras 14(4)(a) or (b), or 16(4)(a), (b) or (c).


(b) part or all of documentation drawn up for the purposes of forthcoming litigation proceedings.

9.69 It is important to note that a claim of legal privilege could not be ‘maintained’ (ie pursued successfully) if the privilege or confidentiality attaching to the advice or documentation had been ‘waived’ or, more strictly, as the ICO prefers, ‘lost’ (in the sense of given away by the client; see paras 26.201–26.202). This could occur if it has been revealed beyond the (narrow) group of persons with a ‘need to know’ the information30.

9.70 Exempt from: Privacy notices (Articles 13(1)–(3) and 14(1)–(4)); right of access (Article 15(1)–(3)); and, the data protection principles (Article 5), so far as they correspond with these rights.

15. Self-incrimination (Sch 2, para 20)

9.71 There is an exemption where compliance would reveal evidence of the commission of an offence, and thus expose the person complying (ie the controller) to proceedings for that offence. Proceedings for certain offences are excluded from the exemption (including data protection offences under the Act itself31). Information disclosed to a requester under the right of access is not admissible against the person who disclosed it in proceedings for an offence under the Act.

9.72 The exemption replicates the exemption in the former DPA 1998, Sch 7, para 11.

9.73 Exempt from: privacy notices (Articles 13 or 14); right of access (Article 15); and data protection principles (Article 5), so far as they correspond with these rights.

16. Corporate finance (Sch 2, para 21)

9.74 There is an exemption for personal data processed for the purposes of, or in connection with, a ‘corporate finance service’ (which includes underwriting in respect of instruments, or advice on areas such as capital structure32) which is provided by a ‘relevant person’33, and where one of two conditions is met:

— Condition A is that applying the GDPR provisions would be likely to affect the price of an instrument.
— Condition B is that the relevant person reasonably believes that applying the GDPR provisions ‘could’ (NB a very low threshold) affect a person’s decision as to whether to deal in an instrument, or whether to act in a way likely to have an effect on a business activity; and, in either case, that applying the data protection requirement ‘would’ (ie the 51% threshold of likelihood – see para 9.9) harm the ‘orderly functioning of financial markets’, or the ‘efficient allocation of capital within the economy’.

30 See, for example, Kirkcaldie v ICO and Thanet DC EA/2006/001, where privilege was unintentionally waived.
31 See DPA 2018, Sch 2, Pt 4, para 20(2).
32 See DPA 2018, Sch 2, Pt 4, para 21(4). An instrument is defined in terms of Directive 2004/39/EC on markets in financial instruments. This remains the case after Brexit.
33 Defined in DPA 2018, Sch 2, Pt 4, para 21(4).

9.75 This exemption is based on that in the former DPA 1998, Sch 7, para 6; and the Data Protection (Corporate Finance Exemption) Order 200034.

9.76 Exempt from: Privacy Notices (Articles 13(1)–(3) and 14(1)–(4)); right of access (Article 15(1)–(3)); and any corresponding data protection principles.

17. Management forecasts (Sch 2, para 22)

9.77 There is an exemption from the listed data protection requirements for personal data which are processed for the purposes of management forecasting or planning, in relation to a business or other activity; to the extent that applying the requirement would be likely to harm the conduct of the business or activity concerned.

9.78 The exemption broadly replicates that in the former DPA 1998, Sch 7, para 5, although with a different range.

9.79 Exempt from: Privacy Notices (Articles 13(1)–(3) and 14(1)–(4)); right of access (Article 15(1)–(3)); and, any corresponding data protection principles (Article 5).

Example: management forecasts

Midland Origami Ltd is considering a restructuring which would involve closing a plant which produces origami kits. Documents held by the company include one listing the staff whose jobs would be at risk. The company does not need to refer to this document (or information of this type) in its Privacy Notices, nor in response to an access request made by Nora, a member of staff affected, provided, in either case, that it reasonably considers that disclosure in either form, before it is ready to make a formal announcement, would be likely to harm its business.
An example of the harm might be that early disclosure would be likely to increase the cost of redundancies, by putting negotiators for the staff on notice sooner than expected.

18. Negotiations (with data subject) (Sch 2, para 23)

9.80 The listed data protection requirements do not apply to personal data consisting of a record of the intentions of the controller in relation to any negotiations with the data subject, where applying those provisions would be likely to harm those negotiations. Thus, for example, an individual involved in a negotiation with the controller cannot use an access request to find out the controller’s negotiating strategy.

9.81 It is unclear whether a controller could refuse access where disclosure would be likely to harm negotiations with persons negotiating on behalf of the data subject (eg with his or her trade union); or whether the negotiations have to be with the data subject personally for the exemption to apply.

34 SI 2000/184.

Example: negotiations with data subject

Polly works for Midland Origami (see preceding example). She makes an access request for her personnel file. On the file is a copy of the management plan referred to in the previous example. One section of the plan refers to redundancies proposed in Polly’s team, including herself. Polly has discussed its plan with the company, but does not know the outcome in her case. If releasing the personal data in this part of the plan to Polly now would be likely, in the company’s reasonable view, to hamper its negotiations with her over redundancy, it may apply the exemption. If, on the other hand, there would be no likely harm to these negotiations, the exemption would not apply, and it should disclose. (The exemption would similarly not apply to a future request if, with the passage of time, any harm had declined to the point where it was unlikely to occur.)

9.82 This exemption replicates the exemption in the former DPA 1998, Sch 7, para 7.

9.83 Exempt from: Privacy Notices (Articles 13(1)–(3) and 14(1)–(4)); right of access (Article 15(1)–(3)); and, any corresponding data protection principles (Article 5).

19. Confidential references (Sch 2, para 24)

9.84 There is an exemption from the listed data protection requirements if the personal data consist of a reference that has been (or will be) given by the controller, or received by it, in confidence about the data subject. The reference has to be for the purposes of one of the following:

(a) the data subject’s education, training or employment (or prospective education, training or employment);
(b) his or her placement (or prospective placement) as a volunteer;
(c) his or her appointment (or prospective appointment) to any office; or
(d) the provision (or prospective provision) by him or her of any service.

9.85 The scope of the exemption has been changed. The previous limitation under the DPA 1998, that the exemption applied only to ‘a reference given or to be given in confidence by the data controller’ [emphasis added] has been removed35. The exemption thus applies to a confidential reference given or received by the controller; and, it appears to follow, also to such a reference which may be passed to or held by a person who is neither its giver nor the (original) recipient.

9.86 Exempt from: Privacy Notices (Articles 13(1)–(3) and 14(1)–(4)); right of access (Article 15(1)–(3)); and, the data protection principles (Article 5) so far as they correspond with these rights.

20. Examination scripts and marks (Sch 2, para 25)

9.87 This exemption has two aspects, with differing effects:

(a) Examination scripts: there is an exemption where personal data consist of ‘information recorded by candidates during an exam’ (para 25(1)). In other words, the examination script, or other information in an examination, produced by the candidate (which is the personal data of that person) is not subject to the right of access or to a privacy notice. This would apply also to any tests undertaken by the candidate, such as modular course work, since an ‘exam’ is defined broadly as an academic, professional or other examination of ‘knowledge, intelligence, skill or ability’; and may include an assessment ‘while undertaking work or any other activity’ (Sch 2, para 25(4)).

9.88 Exempt from (examination scripts): privacy notices (Articles 13(1)–(3) or 14(1)–(4)); right of access (Article 15(1)–(3)); and data protection principles (Article 5) so far as they correspond with these rights.

9.89 (b) Examination marks: in relation to examination marks (including the information recorded by the marker), the normal deadlines for compliance with the access right are altered, in order to stop the process of examination marking, or the publication dates of the marks, being disrupted by such requests. Thus disclosure of examination results, in response to an access request made before they are announced, is treated as due for reply on whichever is the earlier of: the end of five months from the access request; or, the end of 40 days from the announcement of the results.

9.90 Exempt from (examination marks): the time limit, and the giving of reasons for non-compliance within the time limit, in Article 12(3) or (4), as applying to the access right in Article 15.

35 DPA 1998, Sch 7, para 1.


Example: examination marks

Rita’s GCSE results are due on 24th August. She would like to know her results sooner, and makes an access request on 30th June, calculating that she will then receive her result by the end of July, some three weeks early. However, the examination body does not need to release them to her in response to her request until 40 days after the date on which they are to be announced (the earlier of the two applicable dates). Rita thus cannot obtain access to them sooner under the access right, and will have to await the date of the announcement.

9.91 This exemption replicates and expands those in the former DPA 1998, Sch 7, paras 9 and 8 respectively.

Schedule 2, Part 5

9.92 This Part, which comprises para 26 only, contains extensive exemptions for journalistic, academic, artistic and literary purposes. The GDPR provisions from which there may be an exemption are listed in sub-paragraph (9).

21. Journalistic, academic, artistic and literary purposes (Sch 2, para 26)

9.93 Most of the important GDPR provisions do not apply where personal data are being processed for the ‘special purposes’, provided certain conditions are met. The requirements which are exempted include:

— the data protection principles, save for security (Article 5(1)(a)–(e));
— the need for lawful bases for processing (Articles 6 and 9); and, the rules for consent (Article 7);
— the main individual rights in Articles 13–21, other than: the right to restriction for a legal claim (Article 18(1)(c)); or, the right to object to direct marketing (Article 21(2)). The right not to be subject to automated decision-making (Article 22) is also not included in the exemption;
— the duty to inform data subjects of personal data breaches (Article 34(1) and (4));
— the duty to consult the ICO prior to high risk processing (ie after a Data Protection Impact Assessment) (Article 36);
— principles for international transfers (GDPR, Chapter V).

9.94 The ‘special purposes’ are one or more of the following:

— the purposes of journalism;
— academic purposes;
— artistic purposes;
— literary purposes.

9.95 The listed GDPR provisions will not apply to personal data being processed only for these purposes, to the extent that (Sch 2, Part 5, para 26(2) and 26(3)):

(a) the data are being processed with a view to the publication of journalistic, academic, artistic or literary material;
(b) the controller reasonably believes that publication of the material would be in the public interest; and
(c) the controller reasonably believes that applying the relevant data protection rule or right would be ‘incompatible’ with the special purposes.

9.96 Publication in this context means making available to the public, or to a section of the public (with related expressions being read accordingly)36. While journalistic work is highly likely to be linked to publication by its nature, it is worth noting that, in relation to an academic, literary, or artistic work, the exemptions would apply only in the context of its publication, in the way defined; rather than to all aspects of the processing, particularly if it did not necessarily take place at the time with a view to publication.

9.97 In determining whether publication would be in the public interest as described in para 9.95(b) above, the controller must take into account the ‘special importance’ of the public interest in freedom of expression and information (Sch 2, para 26(4)). In determining whether it is reasonable to believe that publication would be in the public interest, the controller must have regard to three Codes, so far as relevant to the publication in question: the BBC’s Editorial Guidelines; the Ofcom Broadcasting Code; and, the Editors’ Code of Practice (or any codes added or amended by regulations)37. After Brexit, changes to the scope of the exemptions are only to be made by regulations under s 16 of the Act (GDPR, Article 85(2A), as inserted by the DPPEC Regulations, Sch 1, para 64(4)).

9.98 Exempt from: the principles of processing in Article 5(1)(a)–(e) (save for the security principle in Article 5(1)(f)); lawful processing (Article 6); conditions as to consent, and children’s consent (Articles 7 and 8(1) and (2)); lawful bases for special category processing (Article 9); Article 10 (data relating to criminal convictions etc); Article 11(2) (processing not requiring identification; notification to data subject); Privacy Notices (Articles 13(1)–(3) and 14(1)–(4)); right of access (Article 15(1)–(3)); right to rectification (Article 16); right to erasure (Article 17(1) and (2)); restriction of processing (Article 18(1)(a), (b) and (d)); notification of rectification, erasure, or restriction (Article 19); data portability (Article 20(1) and (2)); right to object (Article 21(1)); communication of personal data breach to data subject (Article 34(1) and (4)); consultation with ICO before high-risk processing (Article 36); general principles for international transfers (Article 44).

36 DPA 2018, s 205.
37 DPA 2018, Sch 2, Pt 5, para 26(5)–(7).


9.99 In addition, pre-Brexit, the arrangements for the EU supervisory authorities to co-operate and to seek to act consistently under Articles 60–67 do not apply where this exemption applies. This provision is removed, post-Brexit, by the DPPEC Regulations38.

9.100 The regime is similar to that in the former DPA 1998, s 32. While there is perhaps a view that the protections for press freedom in the 1998 Act were not as effective as some had hoped, it should be recognised that the exemptions from data protection requirements for journalists, academics, artists and writers are very substantial; to the point where much of the substance of the regime does not apply to them, in the context of processing undertaken with a view to publication, where publication is reasonably considered by the controller to be in the public interest.

Schedule 2, Part 6

9.101 The listed GDPR provisions in Part 6 are set out separately within the two paragraphs (Sch 2, paras 27 and 28) which comprise it. The Part is concerned with derogations for scientific or historical research, statistics, or archiving in the public interest.

22. Research and statistics (Sch 2, para 27)

9.102 The individual rights listed do not apply to personal data processed for the purposes of scientific or historical research, or for statistical purposes, to the extent that applying those rights ‘would prevent or seriously impair’ the achievement of the research/statistical purpose in question.[39] The test thus requires a 51% likelihood of harm for either exemption to apply.

9.103 The exemption is only available where the data are being processed in accordance with safeguards required by Article 89(1) of the GDPR, as supplemented by DPA 2018, s 19. Section 19(2) and (3) of the 2018 Act define these as excluding from the exemption any processing for research, or statistical purposes, which is either:
— likely to cause substantial damage or substantial distress to an individual;[40] or
— carried out for the purposes of a measure or decision with respect to a particular data subject (other than in the sole case of ‘approved medical research’[41]).

9.104 In relation to the right of access in GDPR, Article 15, in order to qualify for the exemption, the results of the research, or any resulting statistics, are not to be made available in a form which identifies a data subject.[42] In a limitation which is moved, post-Brexit, by the DPPEC Regulations (from the GDPR, Article 89(4) to the DPA 2018, Sch 2, para 27(4)), where the processing serves both a research or a statistical purpose, and another purpose, the exemption is available only where the personal data are processed for the former of those purposes.

9.105 The exemption is developed from former exemptions in DPA 1998, s 33; but reflects also the requirements of GDPR, Article 89(1).

9.106 Exempt from (scientific or historical research, or statistical purposes): right of access (Article 15(1)–(3)); right to rectification (Article 16); right to restriction of processing (Article 18(1)); right to object (Article 21(1)).

Privacy Notices

9.107 Privacy Notices are not listed as included in the exemption in Sch 2, para 27(1) (by virtue of the list contained in para 27(2)). There is, however, provision to cover them by a general exemption in GDPR, Article 14(5)(b) (in cases where the personal data have been supplied by a third party) in respect of scientific or historical research, statistical purposes, or archiving purposes in the public interest. To fall within the exemption in Sch 2, para 27, these activities would have to conform to the safeguards in Article 89(1) (as defined in s 19(2) and (3) of the 2018 Act; and set out in paras 9.103–9.104) and they have been excluded from those safeguards by the scope of paras 27(1) and 27(2). There is, however, a general exemption from the requirements of Privacy Notices to the extent that requiring those activities to be referred to in a notice would either prove to be impossible, would involve disproportionate effort, or would be likely to ‘render impossible or seriously impair’ the achievement of the objectives of the processing.[43] (The lower level of likelihood than for the exemption in Sch 2, para 27, should be noted.) Instead, the controller has to take ‘appropriate measures’ to protect the data subject’s rights, freedoms and interests, including by making the information publicly available.

9.108 Thus there appears to be a separate route by which a similar test (of serious impairment of the purposes of the research or statistical exercise; but applying where such a result is only likely, as opposed to being more probable than not) applies to Privacy Notices (where the personal data have not been obtained from the data subject). The DPPEC Regulations leave the separate partial exclusion in Article 14(5)(b) in place, post-Brexit.

Example: research and statistics

Uptown council, the local housing authority, has allocated additional resources to make more social housing available in its area, and to assist low-income families to find private rented accommodation in the town.

The local University’s social sciences department is conducting research on the effectiveness of local schemes designed to assist low-paid workers to find rented housing. The University has interviewed 100 families who have been on the housing waiting list in Uptown for over two years, and recorded their experiences; and also interviewed another 100 families in similar circumstances, spread across the rest of the country, for the purposes of comparison. It has conducted the processing on the ‘legitimate interests’ lawful basis (Article 6(1)(f)).

(i) Dale was one of those interviewed from Uptown. He has now made an access request to the University. An exemption will apply only if disclosure to him of his personal data would prevent, or seriously impair, the research. This may be difficult to demonstrate; unless perhaps further work is needed on his data, which would be pre-empted if the information were released at this stage. To claim the exemption, the University would need to satisfy itself that the research was not being done to affect the individual position of Dale, or any other person; and would not be likely to cause substantial damage or distress to Dale or anyone else. (From the limited facts available, these conditions appear likely to be met.) There may be an issue, however, as to whether the small numbers on the scheme could mean that the results would identify data subjects; at least in relation to those from Uptown who have taken part.

(ii) Colette was one of those interviewed from elsewhere in the country. She now objects to her data being used in the project, and can exercise the right to object because the processing is based on Article 6(1)(f). As with Dale, the University will need to satisfy itself that the safeguards are met before claiming the exemption. Given that Colette has objected, they should look in particular at whether the research would be likely to cause substantial damage or substantial distress to a data subject. To claim the exemption, they would need to demonstrate that withdrawing Colette’s data from the research would prevent or seriously impair its purposes. While this might seem to be unlikely, it might depend, given the small sample size, on the categories identified and the findings relating to Colette’s data.

38 Sch 2, para 92(21)(c).
39 DPA 2018, Sch 2, Pt 6, para 27(1).
40 DPA 2018, s 19(2). See also para 5.113 as to these safeguards.
41 DPA 2018, s 19(3). Approved medical research is defined in s 19(4).
42 DPA 2018, Sch 2, Pt 6, para 27(3)(b). DPPEC Regulations, Sch 2, para 92(23)(a) and (d).
43 GDPR, Article 14(5)(b).

23. Archiving in the public interest (Sch 2, para 28)

9.109 There is an exemption from a slightly longer list of individual rights, where personal data are processed for archiving purposes ‘in the public interest’. The exemption applies, in the same way as above, to the extent that otherwise the achievement of the archiving purposes would be prevented or seriously impaired. It is suggested that archiving ‘in the public interest’ should be understood to refer to archiving either by (or for) public bodies; or by (or for) another controller, whether or not it is in the public sector, where the purpose of the archiving is to serve the public interest.

9.110 It will be noted that the test of likelihood is (as with the research and statistics exemption) set at the higher level of 51% (that the purposes would be prevented or seriously impaired; rather than that they would be likely to be so harmed).

9.111 As with the research and statistics exemption above, the exemption applies only where the data are processed subject to the safeguards required in GDPR, Article 89(1), as supplemented by s 19 of the 2018 Act. This again excludes from the exemption any archiving in the public interest which is:
— carried out for the purposes of a measure or decision with respect to a particular data subject; or
— likely to cause substantial damage or substantial distress to an individual (set, it will be noted, at the lower level of likelihood).
In a limitation which is moved, post-Brexit, by the DPPEC Regulations (from GDPR, Article 89(4), to the DPA 2018, Sch 2, para 28(4)), where the processing serves both an archiving purpose in the public interest, and another purpose, the exemption is available only where the personal data are processed for the former of those purposes.

9.112 Exempt from: right of access (Article 15(1)–(3)); right to rectification (Article 16); right to restriction of processing (Article 18(1)); notification re rectification, erasure or restriction (Article 19); right to data portability (Article 20(1)); right to object (Article 21(1)).

Privacy Notices

9.113 The same separate route to a general exception in certain circumstances in GDPR, Article 14(5)(b), in relation to Privacy Notices (where the information has come from a third party) applies here, as it does in respect of research and statistics; with the necessary level of likelihood likewise being at the lower level, in contrast to the main exemption. (See paras 9.107–9.108.)

Schedule 3, Part 1

9.114 Schedule 3 provides for exemptions from, or restrictions in relation to, data protection requirements for health, social work, or education purposes; and also in relation to child abuse data.

9.115 Part 1 (consisting of paragraph 1) lists the GDPR provisions to which the exemptions in Part 2 (Health Data), Part 3 (Social Work Data) and Part 4 (Education Data) of the Schedule apply. They cover most of the individual rights, including the right to erasure (Article 17) and the right to data portability (Article 20); but excluding the right to notification (Article 19) and the right not to be subject to automated decisions (Article 22). There is also a new exemption from the right of access in respect of child abuse data (Part 5). The exemptions continue the main (but not all) features of three statutory instruments made under the former DPA 1998, s 30.[44]

44 See references in footnote 24 above, and paras 9.64–9.66 above in respect of the third party data of health, social and education workers.

Schedule 3, Part 2 (Health Data)

24. Health data processed by a court (Sch 3, para 3)

9.116 There are exemptions from the listed GDPR provisions in relation to data concerning health, if the data:
— are processed by a court;
— consist of information supplied in a report or evidence given to the court, in the course of proceedings to which rules in family proceedings (specified in para 3(2)) apply; and
— may wholly or partly be withheld by the court from the data subject under those rules.

9.117 Exempt from: Privacy notices (Articles 13(1)–(3) or 14(1)–(4)); right of access (Article 15(1)–(3)); right to rectification (Article 16); right to erasure (Article 17(1) and (2)); restriction of processing (Article 18(1)); right to data portability (Article 20(1) and (2)); right to object (Article 21(1)); and, any parts of the data protection principles (Article 5) which correspond to these rights.

25. Data subject’s wishes and expectations (with respect to health data) (Sch 3, para 4)

9.118 The data protection requirements listed below do not apply where data concerning health has been requested under a power contained in a statute or a rule of law (ie including the right of access, but not limited to it). The exemption applies in England, Wales and Northern Ireland, in relation to a person under 18 years (or 16 years in Scotland), where the person making the request has parental responsibility for the data subject; or, where the data subject is incapable of managing their own affairs, and the person making the request has been appointed by a court to manage those affairs.

9.119 The data will be exempt, from the provisions listed below, if complying with the request would disclose information:
(a) which was provided by the data subject in the expectation that the data would not be disclosed to the person making the request (unless the data subject has expressly indicated since that he or she has changed their mind);
(b) which was obtained as a result of an examination or investigation to which the data subject gave their consent, in the expectation that the resulting information would not be so disclosed (unless the data subject has expressly indicated that he or she has changed their mind); or
(c) which the data subject has indicated expressly should not be so disclosed.[45]

45 DPA 2018, Sch 3, Pt 2, para 4(2)(a)–(c).

9.120 Exempt from: Privacy notices (Articles 13(1)–(3) or 14(1)–(4)); right of access (Article 15(1)–(3)); right to rectification (Article 16); right to erasure (Article 17(1)–(2)); restriction of processing (Article 18(1)); right to data portability (Article 20(1) and (2)); right to object (Article 21(1)); and, any parts of the data protection principles (Article 5) which may correspond to them.

Example: data subject’s wishes about health data

Heidi (aged 17, living in Birmingham) had an abortion last year without her parents’ knowledge. She told the clinic at the time that her parents were unaware of the position. Her parents have now become aware of some of what has happened, and have sought details from the clinic, via an access request which they say they are making on her behalf. The information concerned is data concerning Heidi’s health. The clinic has had no indication from Heidi that she has changed her mind about giving her parents access to the information. The exemption applies, so that there is no right of access in respect of the information provided by Heidi, under Sch 3, paras 4(2)(a) or (b). The clinic is obliged to refuse the request.

26. Serious harm to health (Sch 3, para 5; and restriction in para 6)

9.121 The right of access does not apply to data concerning health where (or to the extent that) the ‘serious harm test’ is met with respect to those data. The test is met if the application of the right of access in Article 15(1)–(3) would be likely to cause serious harm to the physical or mental health of the data subject or another individual.[46] This means that a requester has no entitlement to access to their personal data, or the other information normally accompanying an access request, in those circumstances. The exemption may arise most commonly in relation to vulnerable or elderly persons.

9.122 A controller may not rely on this exemption to withhold data concerning health, however, unless it has obtained an opinion from the person who appears to the controller to be the ‘appropriate health professional’, to the effect that the serious harm test is met in respect of those data. In this context, ‘the appropriate health professional’ means:
— the health professional who is currently or was most recently diagnosing or treating the individual; or
— the most suitable such professional (if there is more than one) to provide an opinion; or,
— if none is available (or in certain other cases relating to child support, where the government is the controller) a health professional with the necessary experience and qualifications to provide an opinion on the question.[47]

9.123 There is also a time limit. An opinion does not count under the exemption if (para 5(3)):
(a) it was obtained more than six months before the date on which it would be relied upon; or
(b) it was obtained later than six months before that date, but it is reasonable in all the circumstances to re-consult the health professional. (An example might be if the health of the person concerned had changed significantly in that period.)

9.124 There are further restrictions, however, on disclosing data concerning health in access requests (para 6). Unless the controller is a health professional, it has a duty, when dealing with access requests which involve data concerning health, to consult the appropriate health professional in order to obtain an opinion from them, to the effect that the serious harm test is not met, before disclosing the information to the requester. The restriction is not limited to vulnerable persons. Apart from situations where the controller is satisfied that the health data has already been seen by the data subject, or is known to them, the restriction applies generally. The same timings as above apply in relation to whether an opinion counts for this purpose.[48]

9.125 A controller handling access requests about data concerning health needs, therefore, to have in place systems to identify, and to consult at relatively short notice, a suitable health professional in respect of any relevant such request. A large employer, which holds sickness records about which there may be access requests, may need to have collected contact information from their staff about their GPs or other relevant health professionals (including any changes); so that the health professional can be consulted without alerting the requester, as to whether the test is, or positively is not, met. It appears that this information will be needed generally; not merely in relation to persons who may be vulnerable.

9.126 Exempt from (where the serious harm test is met): right of access (Article 15(1)–(3)).

Example (i): serious harm test, re data concerning health: test met

Bill, a pensioner who suffers from mild dementia, is a resident of a care home. With the assistance of his family, he makes a request to see all the data they hold on him. A note in the care home’s files from his doctor concerns his medication for the dementia, and records that: ‘I have thought it best not to tell Bill that I think the prognosis is poor after about another year, as I think that knowing this would make him anxious and worsen his condition.’ The care home asks the doctor for an opinion. The doctor confirms (in writing) that the serious harm test is met in respect of the note; ie that disclosure of it to Bill is likely to cause serious harm to Bill’s physical or mental health. The care home relies on the exemption to exclude the note from the personal data disclosed to Bill.

Example (ii): serious harm test, re data concerning health: test not met

Bill’s file contains other medical notes. The care home staff are not health professionals. They need the opinion of an appropriate health professional that the remainder of the notes do not meet the serious harm test before they can disclose them to Bill. They ask Bill’s GP for his opinion on the release to him of the other notes. The GP points out that some of the records, about Bill’s daily tablets and exercise regime, are known to Bill already; and for that reason those passages do not need the GP’s opinion before they can be released to him. The GP also takes the view that releasing the remainder of the record to Bill will not cause him (or members of his family) serious harm. The GP confirms (in writing), therefore, that the remainder of the notes (ie apart from the note referred to in example (i) above) can be released to Bill, since in his opinion the serious harm test will not be met in respect of that information. Without that confirmation, the care home would be prevented from disclosing any information about Bill’s health to him in response to his request.

46 DPA 2018, Sch 3, Pt 2, para 2(2).
47 DPA 2018, Sch 3, Pt 2, para 2(1)(c).
48 DPA 2018, Sch 3, Pt 2, para 6(1) and (2).

Schedule 3, Part 3 (Social Work Data)

9.127 Part 3 of Schedule 3 contains very detailed definitions which are relevant to the social care exemptions in this area, but which go beyond the level of detail appropriate to this work. Only an overall description is given here. Practitioners to whom this is directly relevant should refer to the Schedule (paras 7–8). Key background definitions are:
— ‘social work data’: personal data to which para 8 of Sch 3 applies (ie a list of data processed by different types of social work bodies); but which are not education data, or data concerning health;[49]
— ‘education data’: personal data that constitute an educational record, but are not data concerning health.[50] (‘Pupil’, ‘school’ and ‘teacher’ are defined in the same sub-paragraph.)

9.128 The ‘serious harm test’, for the purposes of Part 3, will be met with respect to social work data if applying the right of access (ie disclosing the data to the requester) would be likely to prejudice the carrying out of social work, because it would be likely to cause serious harm to the physical or mental health of the data subject or another individual.[51] In other words, there are two levels of harm in this instance: to the social work; and (by causing the harm to the social work) to the individual’s health. There is no requirement to obtain a professional opinion before the exemption can apply.

9.129 Against this background, there are three social work exemptions.

27. Social work (or other) data processed by a court (Sch 3, para 9)

9.130 There is an exemption from most of the individual rights in relation to data that are not education data, or data concerning health, if the data are processed by a court under the rules in types of children’s or family proceedings specified in para 9(2).[52] The data must have been supplied in a report or evidence given to the court in the course of proceedings to which the rules apply, and the court must be able wholly or partly to withhold the data from the data subject under those rules.

9.131 Exempt from: Privacy notices (Articles 13(1)–(3) or 14(1)–(4)); right of access (Article 15(1)–(3)); right to rectification (Article 16); right to erasure (Article 17(1)–(2)); restriction of processing (Article 18(1)); right to data portability (Article 20(1) and (2)); right to object (Article 21(1)); and, any parts of the data protection principles (Article 5) which correspond to them.

28. Data subject’s wishes and expectations (with respect to social work data) (Sch 3, para 10)

9.132 The data protection requirements listed below do not apply to ‘social work data’[53] which have been requested under a power contained in a statute or a rule of law (ie including, but not limited to, the right of access), and which relate to a person under 18 years (or 16 years in Scotland); where the person making the request has parental responsibility for the data subject. The exemption also applies where the data subject is incapable of managing their own affairs, and the person making the request has been appointed by a court to manage those affairs. In other words (as with the exemption numbered 25 at para 9.118 above), the purpose is to protect the privacy of young or vulnerable people.

9.133 The data involved will be exempt if complying with the request would disclose information:
(a) which was provided by the data subject in the expectation that the data would not be disclosed to the person making the request (unless the data subject has expressly indicated since that they have changed their mind);
(b) which was obtained as a result of an examination or investigation to which the data subject gave their consent, in the expectation that the resulting information would not be so disclosed (unless the data subject has since expressly indicated that they have changed their mind); or
(c) which the data subject has indicated expressly should not be so disclosed.[54]

9.134 Exempt from: Privacy notices (Articles 13(1)–(3) or 14(1)–(4)); right of access (Article 15(1)–(3)); right to rectification (Article 16); right to erasure (Article 17(1)–(2)); restriction of processing (Article 18(1)); right to data portability (Article 20(1) and (2)); right to object (Article 21(1)); and, any parts of the data protection principles in Article 5 which correspond to them.

29. Serious harm from disclosure of social work data (Sch 3, para 11). (Also Scottish restriction in para 12)

9.135 The right of access does not apply to social work data where (and to the extent that) the ‘serious harm test’[55] is met with respect to those data. In this case, the test means that there is no duty to disclose social work data to the requester if doing so would be likely to prejudice the carrying out of social work, because it would be likely to cause serious harm to the physical or mental health of the data subject or another individual. (In effect, the serious harm test in relation to health data is adapted to apply also to personal data arising in social work.) In contrast to the position with data concerning health, however, there is no requirement to obtain the opinion of an appropriate health (or other) professional before this exemption can be applied. (Nor is there a requirement to check with a health professional that there is no serious harm before disclosing the data.) The controller may thus make its own judgements (provided they are reasonable ones) about whether there would be likely to be serious harm to health from disclosure; and (if so) whether there would be likely to be harm in consequence to the carrying out of social work. (See also para 9.128 above.)

9.136 Exempt from: right of access (Article 15(1)–(3)).

9.137 There is also a restriction, applying to Scottish social work authorities, in respect of their disclosing data that were originally supplied by the ‘Principal Reporter’ (the Scottish Children’s Reporter Administration), where the data subject is not entitled to receive those data from the Reporter.[56] The restriction applies unless the Reporter is of the opinion that the serious harm test is not met. Those affected by this exemption should refer to the Schedule direct, including in respect of the 14-day deadline in para 12(2) for informing the Reporter.

9.138 Exempt from: right of access (Article 15(1)–(3)).

49 DPA 2018, Sch 3, Pt 3, para 7(1).
50 DPA 2018, Sch 3, Pt 4, para 17(1).
51 DPA 2018, Sch 3, Pt 3, para 7(2). See para 9.135 below.
52 DPA 2018, Sch 3, Pt 3, para 9(1). The rules (in para 9(2)) include the Magistrates’ Courts (Children and Young Persons) Rules 1992, SI 1992/2071. The list of rules is the same as those specified in relation to the exemption for health data processed by a court (see para 9.116 above).
53 See para 9.127 above.
54 DPA 2018, Sch 3, Pt 3, para 10(2) and (3).
55 Defined in DPA 2018, Sch 3, Pt 3, para 7(2).
56 DPA 2018, Sch 3, Pt 3, para 12.

Schedule 3, Part 4 (Education data)

9.139 An ‘educational record’ is defined for the purposes of Part 4 in England and Wales, Scotland and Northern Ireland, in Schedule 3, paragraphs 14–16 respectively. ‘Education data’ are defined as information which consists of an educational record, but is not data concerning health.[57]

30. Education data processed by a court (Sch 3, para 18)

9.140 Education data are exempt from the data protection requirements listed below, if they are processed by a court under the same rules as those specified above for various types of children’s or family proceedings; where the data consist of information supplied in a report or evidence given to the court, and the data may be withheld by the court (wholly or partly) from the data subject under those rules.[58]

9.141 Exempt from: Privacy notices (Articles 13(1)–(3) or 14(1)–(4)); right of access (Article 15(1)–(3)); right to rectification (Article 16); right to erasure (Article 17(1)–(2)); restriction of processing (Article 18(1)); right to data portability (Article 20(1) and (2)); right to object (Article 21(1)); and, any parts of the data protection principles in Article 5 which correspond to them.

31. Serious harm from disclosure of education data (Sch 3, para 19). (Also Scottish restriction in para 20)

9.142 The ‘serious harm test’ is extended in this exemption to education data (on the same pattern as under the exemptions numbered 26 and 29 above[59]). The right of access does not apply to education data where (and to the extent that) the serious harm test is met with respect to those data. The test is met if disclosing the data under the right of access would be likely to cause serious harm to the physical or mental health of the data subject or another individual.[60] (Unlike social work data, there is no link to harm to the provision of the service, as a result of harm to health.) In the same way as with social work data, however, there is no requirement to obtain a professional opinion before the exemption can be applied (but see para 9.144, in relation to Scotland, below).

57 DPA 2018, Sch 3, Pt 4, para 17(1).
58 DPA 2018, Sch 3, Pt 4, para 18. See paras 9.116 and 9.130 above.
59 See paras 9.121ff and 9.135 above.
60 DPA 2018, Sch 3, Pt 4, para 17(2).

Exemptions in detail 9.150

9.143 Exempt from: right of access (Article 15(1)–(3)). 9.144 In Scotland, education authorities are under a restriction, in respect of their disclosing data that were originally supplied by the ‘Principal Reporter’, where the data subject is not entitled to receive those data from the Reporter61. The restriction applies unless the Reporter is of the opinion that the serious harm test is not met62. Authorities affected by this exemption should refer to the Schedule direct, including in respect of the 14-day deadline for informing the Reporter. The same restriction does not apply to education data in England, Wales, or Northern Ireland.

Schedule 3, Part 5 (Child abuse data) 32.  Child abuse data (Sch 3, para 21) 9.145 This new exemption applies to ‘child abuse data’; defined as personal data consisting of information as to whether the data subject is or has been, the subject of, or may be at risk of, child abuse. ‘Child abuse’ includes for this purpose physical injury (other than accidental injury) to, and physical and emotional neglect, ill-treatment, or sexual abuse of, an individual aged under 1863. 9.146 The exemption applies where a request is made for ‘child abuse data’, under a power contained in a statute or a rule of law; and, where the data subject is an individual under 18 years, and the person making the request has parental responsibility for the data subject; or, where the data subject is incapable of managing their own affairs, and the person making the request has been appointed by a court to manage those affairs. 9.147 The child abuse data involved will be exempt from the duties in the GDPR, Article 15(1)–(3) to the extent that complying with the request would not be in the best interests of the data subject64. This applies, therefore, an objective test on which a professional judgment on safeguarding grounds should be established. 9.148 The exemption does not apply in Scotland65. 9.149 Exempt from: right of access (Article 15(1)–(3)).

Schedule 4 (disclosures prohibited or restricted by enactment) 9.150 Schedule 4 gives exemption only from the right of access (Article 15(1)– (3)), and any data protection principles in Article  5 so far as they correspond 61 62 63 64 65

The Principal Reporter is defined for the purposes of Part 4 in DPA 2018, Sch 3, Pt 4, para 17(1). DPA 2018, Sch 3, Pt 4, para 20. DPA 2018, Sch 3, Pt 5, para 21(3) and (4). DPA 2018, Sch 3, Pt 5, para 21(2). DPA 2018, Sch 3, Pt 5, para 21(5).

207

9.151  Exemptions Under the DPA 2018

to that right. It seeks to preserve the main substance of the Data Protection (Miscellaneous Subject Access Exemptions) Order 200066.’ 9.151 The restrictions on disclosure relate to human fertilisation and embryology, information contained in adoption and parental order records and reports, and statements and records of special educational needs. The Schedule is based on the former Data Protection (Miscellaneous Subject Access Exemptions) Order 200067, and is intended to carry across the substance of that measure to safeguard data subjects, or the interests of others. In Scotland, the information protected also includes information provided by reporters for the purpose of a children’s hearing. 33.  Human Fertilisation and Embryology information (Sch 4, para 2) 9.152 There is an exemption, from disclosure under the right of access, for personal data consisting of information whose disclosure is prohibited or restricted by a number of the provisions of the Human Fertilisation and Embryology Act 1990. These include information on: genetic parentage; intended spouses; and, children resulting from sperm donation. 9.153 Exempt from: right of access (Article 15(1)–(3), and any corresponding requirements of the data protection principles (Article 5). 34.  Adoption records and reports (Sch 4, para 3) 9.154 The right of access does not apply to personal data consisting of information in adoption records and reports, whose disclosure is prohibited or restricted by enactments in respectively England and Wales, Scotland and Northern Ireland68. Those affected should refer directly to paragraphs 3(2)–(4) of the Schedule as relevant. 9.155 Exempt from: right of access (Article  15(1)–(3), and corresponding requirements of the data protection principles (Article 5). 35.  
Statements of special educational needs (Sch 4, para 4) 9.156 The right of access does not apply to information concerning the special educational needs of pupils, where disclosure is prohibited or restricted under the Special Educational Needs and Disability Regulations 201469, in England and Wales; or regulations specified in paragraph 4(2) of the Schedule for Scotland or Northern Ireland.

66 SI 2000/419.
67 SI 2000/419.
68 DPA 2018, Sch 4, para 3(1)–(4).
69 SI 2014/1530.


9.157 Exempt from: right of access (Article 15(1)–(3)), and any corresponding requirements of the data protection principles (Article 5).

36. Parental order records and reports (Sch 4, para 5)

9.158 The right of access does not apply to information concerning parental order records and reports, under enactments which prohibit or restrict their disclosure, as listed in para 5(2)–(4) of the Schedule; applying to England and Wales, Scotland, and Northern Ireland respectively.

9.159 Exempt from: right of access (Article 15(1)–(3)), and any corresponding requirements of the data protection principles (Article 5).

37. Information provided by the Principal Reporter for a children’s hearing (Scotland) (Schedule 4, paragraph 6)

9.160 In Scotland, the right of access does not apply to information provided by the Principal Reporter for the purposes of a children’s hearing, where disclosure is prohibited or restricted by two provisions of the Children’s Hearings (Scotland) Act 2011, specified in Sch 4, para 6(a) and (b).

9.161 Exempt from: right of access (Article 15(1)–(3)), and any corresponding requirements of the data protection principles (Article 5).

Section 26 (national security and defence)

38. National Security and Defence

9.162 Section 26 exempts personal data, if required for the purpose of safeguarding national security, or for defence purposes, from a wide range of data protection requirements under the ‘applied GDPR’[70]. This is consolidated after Brexit to apply to processing under the UK GDPR[71]. The requirements concerned are set out in a comprehensive list in s 26(2), and include:
— the data protection principle as to lawfulness, and the requirements of GDPR Articles 6 and 9 (see also s 28(1));
— the rights of data subjects in GDPR, Chapter III;
— breach notification requirements in Articles 33 and 34;
— international transfers of data.

70 See paras 2.23–2.24, and 2.27, above.
71 DPPEC Regulations, Sch 2, para 34.


9.163 A certificate signed by a Cabinet Minister or the Attorney General, or Advocate General for Scotland, is conclusive evidence of the application of the exemption; although a certificate may be appealed, by a person directly affected, to the First-tier Tribunal (Information Rights)[72].

72 DPA 2018, s 27(1), (3) and (10).


Section D

Types of Data Processing Activity

CHAPTER 10

Sharing Personal Data

10.1 ‘Data sharing’ is an important, and ever-growing, area of data protection. It is the description given to the disclosure by one controller to another of the personal data of someone else (ie a third party); or the pooling between controllers of the personal data of such third parties. In statute, data sharing is defined as the ‘disclosure of personal data by transmission, dissemination or otherwise making it available’[1]. The definition merely delimits, however, the scope of the Code of Practice which that section obliges the Commissioner to produce. The definition has no greater prominence or role in the Data Protection Act 2018 (‘DPA 2018’); and it does not appear at all in the GDPR.

10.2 This underlines that it is important to understand data sharing through the data protection rules generally. In essence, data sharing is merely one type of data protection activity, which has to comply with the normal rules of data processing as much as any other such activity. What differs in relation to data sharing is simply that the activity itself gives rise to particular challenges, in data protection terms, which need to be met if the resulting processing is to be lawful.

10.3 In her Data Sharing Code of Practice, issued under the Data Protection Act 1998 (‘DPA 1998’), but still current at the time of writing, the Commissioner describes data sharing as the: ‘disclosure of data from one or more organisations to a third party organisation or organisations or the sharing of the data between different parts of an organisation’ [Emphasis added][2]. This description appears to expand data sharing to encompass movements of personal data within organisations as well as between them. This has caused some confusion. Strictly speaking there cannot be ‘disclosure’ within a single controller (however large the organisation may be).
There may be several departments in a hospital, or a local authority; but only the hospital or the authority itself is a controller. The Commissioner’s statement should not be understood as altering the basic definition. It underlines, however, that there is no separate category of law devoted to ‘data sharing’, and no different rules that apply to it.

10.4 Notwithstanding the Commissioner’s description, the main focus is on sharing between controllers, as ‘equals’ in data protection terms. The passing of personal data to a processor, in order to enable them to carry out processing for a controller at the latter’s instruction, is not data sharing. The GDPR requires processing by a processor, which is done on behalf of a controller, to be determined by a ‘contract or other legal act’, and sets out detailed requirements as to the matters to be covered in it[3]. The transmission of personal data between them will be done under this contract or agreement, within the statutory framework. This is wholly different from a data sharing agreement, which is voluntary as between parties with equivalent status and obligations in data protection terms, and has no specific requirements attached to it by statute (albeit the guidance advises on the main headings to be included).

1 DPA 2018, s 121(5).
2 ICO: ‘Data Sharing Code of Practice’ (2011), page 9.
3 GDPR, Article 28(3). See para 3.21ff above.

10.5 Disclosures, whether between controllers, or between a controller and a processor (or between either and individuals), are made between separate legal persons. In legal terms, ‘data sharing’ strictly can take place only between two or more legal persons who are controllers. The GDPR sets out clearly, in Article 28, the requirements that have to be in place between a controller and a processor. It can readily be inferred that each of those entering (or capable of entering) a negotiated agreement to share data is a controller. This accords too with the previous development of data sharing practice.

10.6 There is no legal difference between data sharing in the public and private sectors; save that public sector organisations need to be able to show that they have a legal power to make the relevant disclosure(s) to other controllers (ie to share the data), in addition to the need for compliance with the data protection requirements as a whole. The private or third sectors, or individuals who are controllers, do not need such a power (or duty); having the same powers as private individuals to act as they wish in legal terms, unless prohibited by law.

10.7 The core issue being flagged by the Commissioner, in referring to moving data within an organisation as ‘sharing’, is important. Just as data sharing involves no new data protection requirements (as opposed to new ways of looking at how compliance is achieved), so moving data between departments of a large organisation similarly needs to be compliant with the data protection rules.
It is not the case that internal ‘movements’ of data can in principle be made at a lower standard of data protection than external disclosures of personal data to other organisations. The same rules apply to both; even if the external ones may seem to raise more data protection questions because more organisations are involved. Both should meet the same standard.

ICO DATA SHARING CODE

10.8 DPA 2018, s 121, requires the Commissioner to prepare, amend or replace from time to time a Code of Practice containing practical guidance as to the sharing of data, and such other guidance as she considers appropriate in order to promote good practice. The Code is not law, but a controller that does not follow it can be expected to explain why it has pursued a different course. The former DPA 1998, s 52E, provided that the Code did not of itself render a person liable to legal proceedings, but that if the Commissioner, Information Tribunal or a court considered any of its provisions to be relevant, they had to take the Code into account in determining the question before them. This provision has been omitted from the new Act.

10.9 The Code sets out, in everyday language, the main data protection considerations that may arise in relation to data sharing. While the present Code was issued under the DPA 1998, the key features of data sharing have not been altered by the introduction of the GDPR. (In September 2018, the ICO issued a call for views on a revised Code.)

10.10 Lawful data sharing requires the following:
(a) clarity as to the objectives of sharing, and as to its scope and means;
(b) a legal power to share (for organisations in the public sector);
(c) one or more suitable ‘lawful bases’ (depending on the personal data involved);
(d) suitable measures to make individuals aware of the sharing (unless an exemption from Privacy Notices applies);
(e) the conduct of a Data Protection Impact Assessment (advisable in many cases; mandatory in others);
(f) appropriate levels of security;
(g) a data sharing agreement, which is at least strongly advisable for all external sharing;
(h) suitable provision as to the handling of the personal data at the end of the arrangement.
Each of these is examined in turn.

10.11 It is important for practitioners to examine the Code (or any successor) for issues and guidance that may be relevant to the data sharing which the controller proposes.

(a) Objectives of sharing; scope and means

10.12 Each of the controllers involved in a proposed data sharing agreement should have, in the language of the Code, a ‘clear objective, or set of objectives’. These should be documented. Clarity as to objectives will more easily enable the controller to decide which data it needs to share, and with whom. This too should be documented, and should form part of any data sharing agreement between the parties.

10.13 As described in the Code, from the determination of the objectives should flow the following questions or decisions:
(i) what information needs to be shared: the personal data shared should be minimised. Only personal data necessary to the objectives of the sharing should be shared; excluding other surrounding data that an organisation holds about the individual. Data may need, therefore, to be extracted from other surrounding information which it is not appropriate to share, and planning for the processes to do this (which can be time-consuming) should form part of the preparations to share;
(ii) who needs access to the shared data: this should be on a ‘need to know’ basis only; both within the controller itself (in editing data it is sharing, and in receiving data from other partners) and within its partner organisations. In many cases, only a handful of staff will need to see or use the data moving in either direction. The roles of postholders who need to see or hold the data in each organisation should form part of any agreement. Any proposed ‘onward sharing’ should also be specified in the same way; as to its purpose, limits, and who will have access to the data;
(iii) when the data should be shared: the parties need to decide when the sharing will take place; whether it will be ongoing, or whether it will arise only in response to particular activities or developments. This should likewise be documented;
(iv) how the information should be shared: the security surrounding the transmission of, and access to, the information; and common rules and standards for its security, once received by each party, should be agreed from the outset;
(vi) what information data subjects should be given: information about the sharing needs to go into Privacy Notices (unless an exemption from them applies). Under the GDPR, such Notices have to conform to either Article 13 or 14 of the Regulation[4]. Which Article will apply depends on whether the information came originally from the data subject, as may often be the case with what an organisation shares; or whether it came from a third party, as will almost always be the case with the information it receives through the sharing arrangement (see further paras 10.29–10.31 below);
(vii) reviewing whether the objectives of the sharing have been achieved: it will be important to examine whether the sharing continues to be appropriate (which it will not be if it has not met its objectives; or, conversely, if they have been fully achieved). Those involved should also review whether any safeguards are still satisfactorily aligned with the risks they are intended to cover; or whether they need to be updated. The timing and scope of a future review should be agreed from the outset;
(viii) what risks are posed: whether the processing is likely to cause damage to any individual, or whether a person may object to the processing. Any consequences for public trust in the bodies concerned should also be considered;
(ix) whether the objective could be achieved without the sharing (eg by anonymising the data; or without using personal data); and
(x) whether there will be any international transfers of data, including accidentally (such as by storing the data on a server based in the United States; see Chapter 11).

4 See Chapter 6.

(b) Legal power to share

10.14 For a public authority, the starting point should be whether it has a power to share the data, since it may not act in excess of its powers. There is a hierarchy of duties or powers in relation to data sharing. At the highest end, there may be a duty on a data controller to share data; although these are comparatively rare. In other cases, an express power to share data may exist (such as the power in the Crime and Disorder Act 1998, s 115, empowering any legal person who would not otherwise have a power to disclose information to a ‘relevant authority’ to do so where it is necessary or expedient for the purposes of preventing crime and disorder). A ‘relevant authority’ in that context includes the police and local authorities.

10.15 For public bodies covered as a ‘specified person’ by the Digital Economy Act 2017, s 35, there is a power to disclose information, held for the purposes of their functions, to another specified person for a ‘specified objective’. Specified persons include public authorities ranging from the Secretary of State for Justice to a fire authority or a school proprietor. The sharing activity must be concerned with improving the delivery of public services, and must operate for the wellbeing of individuals or households. In England and Wales, specified objectives are set out in regulations. These include assistance to individuals or households affected by multiple disadvantages, fuel poverty, or water poverty[5].

10.16 If none of the above powers applies, a public authority will need to establish that it has an implied power in order to be able to undertake the sharing. This arises where an express statutory power to undertake the main activity, or to provide the service, is capable of being interpreted by implication to include the performance of an act (such as data sharing) that is reasonably incidental to the exercise of the main power. It will be necessary to look at the content and scope of the main power, possibly with legal advice, to determine whether an incidental power to share can be implied from it.
Example: implied powers

The (imaginary) Beach Hut Licensing Board controls the rental of pitches on which to erect beach huts around the coast of England. The power given to it by the Beach Hut Licensing Act 1894 enables it to ‘license the use of spaces allocated for the erection of beach huts to persons desirous of so doing, subject to the licensee erecting a beach hut of a type which the Board considers to be satisfactory’. The standards for the construction and erection of beach huts are set and enforced by the Board under the Act, but the huts are inspected on its behalf by the local authority for the area concerned. The Board has an implied power to share the (minimum) contact details of new and existing hut owners with the relevant local authority, in order that local inspections can be arranged. This sharing is reasonably incidental to the Board’s power to enforce the standards which it sets, via such inspections. The Board will need to make sure that its Privacy Notices reflect this arrangement.

5 Digital Government (Disclosure of Information) Regulations 2018, SI 2018/912. Separate regulations have been made for Scotland (SI 2018/243), and additionally for Wales (SI 2018/551).


10.17 As well as express statutory powers, or implied powers deriving from statute, Government Departments headed by a Minister may also have common law powers, or ‘prerogative’ powers (the residual powers left to the Crown, and exercisable by Ministers, consistent with Parliamentary legislation)[6]. The former enable the Crown (ie Government Departments headed by a Minister) to do what a natural person may do. Prerogative powers apply principally in relation to areas such as foreign affairs and defence.

10.18 Local authorities in England have their own general power of competence, in the Localism Act 2011, s 1, which will cover the sharing of data[7]. Local authorities in Wales have the ‘well-being power’ under the Local Government Act 2000, s 2. In addition, all local authorities in England and Wales have a general power under the Local Government Act 1972, s 111, to do anything which is calculated to facilitate, or is conducive or incidental to, the discharge of any of their functions. This would also encompass the sharing of data, where that activity fell within these conditions.

Potential limitations on sharing

10.19 Once an express or implied power to share the data has been identified, it is necessary also to consider whether there are any express or implied limitations on disclosure which may prevent the sharing. If the information was given to an organisation on terms of confidentiality, for example, this is likely to be a barrier to its sharing, unless an exemption applies.

10.20 Confidentiality may be express in statute; or implied from the circumstances (eg the seeking or giving of advice, in the context of a client’s relationship with a professional person). Under the common law duty of confidence, information (whether or not it is personal data) is protected where it was imparted in circumstances giving rise to an obligation of confidence on the part of the recipient. Confidentiality arises under common law where the information:
(a) is not trivial, and not in the public domain;
(b) was communicated from A to B in circumstances importing an obligation of confidence (ie where the reasonable man or woman would have realised that the information was being given to him or her in confidence); and
(c) is put to an unauthorised use, to the detriment of the confider.

10.21 Confidentiality is not absolute, however, and confidential information may be disclosed:
(a) with consent;
(b) if the disclosure is a matter of statutory obligation; or
(c) if there is a strong public interest in disclosure, which is greater than the public interest in maintaining the principle of confidentiality.

6 See R (Miller) v Secretary of State for Exiting the EU [2017] UKSC 5, paras 41ff. See also legal guidance by Ministry of Justice, ‘Public Sector Data Sharing: Guidance on the Law’, section 3 (National Archives); see Appendix 3.
7 See Local Government Act (NI) 2014, s 79, in respect of local authorities in Northern Ireland.

Example: disclosing confidential information

A social care authority wishes to disclose information (‘Fact X’) about a family, to which it provides social work support, in a case conference called with the police and other agencies to discuss the family’s care. Fact X was imparted by the mother of the family to her social worker, about the mother’s view of her partner’s ability safely to look after their young child alone. Information imparted to a social worker in those circumstances is treated as confidential. The authority may, however, disclose the information in the case conference if it can show that there is a public interest in its doing so which is of greater weight than upholding the principle of confidentiality. This may well be the case, either to allow the case conference to consider the protection of the child, or to enable the police to investigate any relevant incident.

(c) Lawful basis or bases

‘Non-sensitive’ personal data – GDPR, Article 6

10.22 All processing, including making a disclosure by sharing personal data, has to be backed by a relevant lawful basis under Article 6. If special category (formerly ‘sensitive’) data are being processed, the processing must also rely on a lawful basis (or, strictly, an exemption from the prohibition on processing) in GDPR, Article 9, or in DPA 2018, Sch 1, Pts 1–2. In the absence of the necessary lawful basis or bases, the data sharing will not comply with the GDPR, and will thus be unlawful.

10.23 It is, therefore, essential to:
(a) identify the one or more relevant lawful bases required;
(b) ensure that any sharing accords with any conditions attached to those lawful bases; and
(c) ensure that the controller’s partners are similarly in compliance.

10.24 A partner of a public authority in a data sharing arrangement may be able to rely on the public authority’s lawful basis. Thus, for example, if the sharing of personal data held by a private company with its statutory regulator is necessary to the exercise of the regulator’s statutory obligations, the company will be able to rely, as the basis for its own processing, on the lawful basis that the sharing is necessary to the regulator’s exercise of its function. Thus both the regulator, and the company providing the personal data that it needs, may rely on the same lawful basis.

10.25 Of the lawful bases in the GDPR, Article 6, the most likely to be applicable in the context of data sharing will be those in:
(d) Article 6(1)(c) (legal obligation [on the controller]);
(e) Article 6(1)(e) (‘public task’, or official authority vested in the controller); or
(f) Article 6(1)(f) (‘legitimate interests’ of the controller or a third party). This basis is unavailable to a public authority when the processing is carried out in ‘the performance of their tasks’[8]. In the view of the Commissioner, however, this does not rule out the use of this lawful basis where the authority is operating outside its tasks as a public authority[9].

10.26 The lawful basis in Article 6(1)(b) (necessary for the performance of a contract to which the data subject is a party) may also be relevant; provided the contract is with the data subject (not between the two controllers wishing to share the data), or the sharing is part of steps requested by the data subject in order to enter a contract.

Special category data – GDPR, Article 9; and DPA 2018, Schedule 1, Parts 1–2

10.27 For an analysis of the individual lawful bases for processing special category data, see Chapter 5. In summary, those most likely to be relevant to the sharing of special category data are as follows:
(a) the data subject has given his or her explicit consent to the processing (although probably rare, outside a contractual context) (Article 9(2)(a));
(b) the processing is necessary for employment or social security, or for ‘social protection’, under EU or UK law (or, after Brexit, domestic law), or under a collective agreement[10].
An ‘appropriate policy document’ needs to be available to assist with the processing[11];
(c) the processing is necessary for reasons of the ‘substantial public interest’, under EU or UK law (or, after Brexit, domestic law); of which (in summary) the lawful bases likely to be relevant to data sharing would be[12]:
• statutory and government purposes: where the processing is necessary, for reasons of the substantial public interest, for the exercise of a function conferred on a legal person; or for the exercise of a function of the Crown, a Minister of the Crown, or a government department. This basis is likely to cover the majority of such processing by the public sector. An appropriate policy document is required (Sch 1, para 6);
• the administration of justice or Parliamentary purposes. An appropriate policy document is required (Sch 1, para 7);
• equality of opportunity or treatment: where the processing of certain special category data is necessary to identify or review the existence or absence of such equality. An appropriate policy document is required (Sch 1, para 8);
• preventing or detecting unlawful acts. An appropriate policy document is not required where the processing consists of a disclosure to a ‘competent authority’, or is in preparation to do so[13] (Sch 1, para 10);
• protecting the public against dishonesty. An appropriate policy document is required (Sch 1, para 11);
• necessary to make a disclosure in good faith within the ‘regulated sector’ concerning suspected terrorist financing or money laundering. An appropriate policy document is required (Sch 1, para 15);
• necessary to safeguard children or individuals at risk. An appropriate policy document is required (Sch 1, para 18);
• insurance: where the processing of certain special category data is necessary for an ‘insurance purpose’. An appropriate policy document is required (Sch 1, para 20);
• disclosure to elected representatives. An appropriate policy document is required (Sch 1, para 24);
(d) health and social care: where processing is necessary for (eg) preventive or occupational medicine; medical diagnosis or treatment; or the management of health or social care systems and services (Article 9(2)(h));
(e) the processing is necessary for public health (Article 9(2)(i));
(f) the processing is necessary for archiving in the public interest, scientific or historical research purposes, or statistical purposes (provided the processing is subject to certain safeguards; see Article 9(2)(j), and DPA 2018, s 19).

10.28 As noted above, most of these lawful bases can only be relied upon where the controller has in place an ‘appropriate policy document’[14].

8 GDPR, Article 6(1)(f).
9 See ICO: ‘When can we rely on legitimate interests?’ (GDPR detailed guidance on legitimate interests). See also paras 5.80–5.81 above.
10 DPA 2018, Sch 1, para 1; based on Article 9(2)(b).
11 See paras 5.89–5.91 above.
12 See paras 5.105–5.106, and 5.115ff above.

13 Such as by an employer to the police, in answer to enquiries by the latter about a member of the employer’s staff. See Chapter 17 in relation to a ‘competent authority’.
14 As defined in DPA 2018, Sch 1, Pt 4, paras 39–41. See paras 5.89–5.91.

(d) Privacy Notices about data sharing

10.29 The GDPR’s requirements as to Privacy Notices, in Articles 13 and 14 (see Chapter 6), have to be applied in the context of sharing. In practice, a sharing scheme will need to be worked out thoroughly in advance in data protection terms, in order to enable the Privacy Notices to be properly drafted.

10.30 Privacy Notices that are relevant to data sharing should include:
— the purposes;
— the lawful basis or bases relied upon;
— the ‘legitimate interest’, if that basis is being relied upon;
— the recipients;
— any further processing for a new purpose;
— whether the data have to be provided or shared under an obligation;
— any transfers outside the EU (even if only to a server);
— how long the data will be stored;
— the rights available to individuals (which in turn would be affected by any exemptions), and how they may be exercised;
— whether any solely automated decision-making or profiling will result from the sharing (with, if so, meaningful information about the logic and consequences); and
— the source (if the data were not provided by the data subject).

10.31 The ICO makes clear in her guidance that it is no longer sufficient merely to refer to the sharing in a Privacy Notice, without proactively drawing the Notice to the attention of the data subjects affected. The wording in Articles 13 and 14 is that the controller shall ‘provide’ the specified information to the data subject. While it is not required that the Notice itself be sent to the data subject (although doubtless this would be good practice in many instances), a communication informing them of it, and making it easily accessible to them, is required[15]. The right to be informed is subject to general exceptions, and to specific exemptions.

Exceptions and exemptions from Privacy Notice requirements about sharing

10.32 There are a number of exceptions in the GDPR from the general requirements as to privacy notices, which were set out in Chapter 6 above[16]. These include, for data collected from the data subject, the case where the data subject already has the information[17]. For data collected from elsewhere, they include:

— where the provision of the information would be impossible, or would involve a disproportionate effort (especially in relation to research etc);
— if providing the information would be likely to render impossible, or seriously to impair, the achievement of the objectives of the processing;
— if the disclosure (ie the sharing) is required by law; or
— if the data must remain confidential because the controller is subject to an obligation of professional secrecy.

15 See the ICO’s detailed guidance on her website on the Right to be Informed: ‘When should we provide privacy information to individuals?’
16 See para 6.18 above.
17 GDPR, Article 13(4).

10.33 In addition, most of the specific exemptions from individual data protection rights cover privacy notices[18]. Both types are likely to be highly relevant to data sharing activities, as to what a privacy notice referring to the sharing will need (or not need) to contain.

Timing of Privacy Notices about sharing

10.34 In terms of the timing of Privacy Notices about data sharing, where the data are supplied by the data subject the controller is to provide the Notice and accompanying information at the time of collection.

10.35 Otherwise, where the data are provided other than by the data subject (which will apply to any personal data received by the controller under a sharing arrangement, unless it already held those data), the Notice and information are to be available:
• within a reasonable period after obtaining the data, having regard to the circumstances, but at the latest within one month;
• if the data are to be used to communicate with the data subject, at the latest at the time of the first such communication; or
• if disclosure to another recipient is envisaged, at the latest when the data are first disclosed to them.

10.36 If the second or third deadlines above would fall later than one month after receipt, however, the one month deadline still applies.

10.37 The controller must proactively make individuals aware of the Privacy Notice, and give them an easy way to gain access to it, for the reason given above (para 10.31). The Notice itself may be displayed on a website, if it is not sent directly to them. This is a change from the previous practice, where it was considered necessary to alert individuals directly to a new form of processing only if, for example, it would be likely to be unexpected to them, or damaging.

18 See list at para 6.19 above, and application of individual exemptions in Chapter 9. On general exceptions from Privacy Notices, in the context of research, statistics or archiving, see also paras 9.107–9.108, and 9.113.

223

10.38  Sharing Personal Data

(e) Data Protection Impact Assessments (DPIAs) and sharing

10.38 Data Protection Impact Assessments (‘DPIAs’) are mandatory when a proposed form of processing is considered by the controller to be ‘high risk’ in relation to the rights and freedoms of data subjects19. Such processing may, in particular, use new technologies; or, it may be that the nature, scope, context, or purposes of the processing give rise to that level of risk.

10.39 The rules on DPIAs apply to data sharing as much as to any other data processing activity undertaken by a controller. In her GDPR guidance, the Commissioner does not directly address whether DPIAs should have a role in data sharing. (In fact, data sharing is almost invisible from the guidance on the GDPR; at the time of writing practitioners should continue to rely on the Data Sharing Code). She does, however, advise in the DPIA guidance that they should always be used where the controller proposes to20:
• use systematic and extensive profiling or automated decision-making to make significant decisions about people;
• process special category data or criminal offence data on a large scale;
• use new technologies;
• carry out profiling on a large scale;
• process biometric or genetic data;
• combine, compare or match data from multiple sources;
• process personal data without providing a Privacy Notice directly to the individual;
• process children’s personal data for profiling or automated decision-making, or for marketing purposes, or to offer online services directly to them.

10.40 In addition, according to the guidance, a DPIA should be considered where the processing:
• involves any evaluation or scoring;
• is of sensitive data or data of a highly personal nature;
• is of data concerning vulnerable data subjects.

10.41 Any of the above types of processing could be linked to the sharing of data; including its collection from other controllers in order to carry out one or more of those activities. Given that sharing will inevitably give rise to additional issues of security in handling, or to issues of compatibility of database systems or formatting, and will often involve large amounts of personal data, the view could prudently be taken that the question of whether to undertake a DPIA should always be considered, in the context of a proposal to share personal data (and with a high expectation that one will be necessary).

10.42 For the same reasons, since a DPIA is mandatory where the initial position is that there is likely to be a ‘high risk’, and data sharing is likely to involve many of the types of risk outlined in the guidance, it is necessary to take at least the initial steps under the process – up to the point where the risks are assessed21 – since otherwise the controller cannot say with confidence that there is no ‘high risk’.

19 GDPR, Article 35. See Chapter 13.
20 ICO: ‘Data Protection Impact Assessments’ (DPIA summary guidance).

(f) Security and data sharing

10.43 The level of security that is appropriate has to be determined by the controllers involved in the sharing arrangement. The Code sets out some considerations relevant to physical security (eg access control systems on the building, or in office areas); and, technical security (eg security measures applying to staff working at home). It also points to the difficulties facing organisations wishing to share, where they have differing standards of security.

10.44 The Government has its own rules applicable to security, following several high profile data losses in 2007/08, which led it to review its data security arrangements. This produced a number of proposals including: the obligatory use of protective measures such as encryption; the adoption of a working culture of the ‘proper use of information’; standardised management of information risk; enhanced transparency; and, an e-learning programme.

(g) Data Sharing Agreements

10.45 A data sharing agreement is highly advisable, to clarify roles and responsibilities and to address likely problems in advance; whether in the form of a single document, or reflected in different ones. Based on Chapter 14 of the Data Sharing Code, the following is a short checklist for what a data sharing agreement should contain:
— Purpose of processing (documented precisely).
— Organisations to be involved (contacts, procedures for change).
— Data items to be shared (specified in detail); and limited under the data minimisation principle. It may be necessary to limit access to certain staff only.
— Legal basis (or bases) of sharing for both general personal data (ie data processed on the Article 6 basis) and for special category data.
— Privacy Notices or direct communication: what data subjects need to be told about the sharing; when this will be done; and, in what form.
— Access and individual rights (who is responsible; and what is to be acknowledged as normally to be disclosable).
— Information governance:
• what datasets will be shared (as above in this paragraph);
• accuracy (how the data are to be checked before sharing commences; and, during the sharing, how errors are to be corrected, and corrections are to be made on a consistent basis between the different holdings of data);
• compatibility (of the systems holding the data, which needs to be checked before sharing commences);
• retention and deletion (agreed periods, systems, and methods of deletion policies);
• security (agreed standards; technical and organisational measures);
• access or Freedom of Information requests (how they will be handled; and by whom);
• timescale for a review;
• termination process (how data will be returned or destroyed; how electronic data will be ‘deleted’).
— An appendix may also be helpful, containing:
• a glossary;
• key legislation;
• a diagram of the sharing.

21 See para 13.20 below.

(h) End of the sharing arrangement

10.46 The circumstances and timing of, and the process for, the termination of the arrangement should be established from the outset; and will form an important element of a data sharing agreement.

(i) Exemptions and data sharing

10.47 Reference was made above to exceptions and exemptions from the requirements as to Privacy Notices, which may be relevant to sharing22. There are likely to be a number of other exemptions from different requirements, under the GDPR and the DPA 2018, which will be relevant to sharing in any given case; including exemptions from the right of access, or from individual rights such as rectification, data portability, or the right to object. Some examples are given below. A knowledge in advance of which exemptions are likely to arise in relation to the sharing (and thus, conversely, the extent of the various controllers’ obligations) should play an important part in preparing to share; and form a helpful feature of a comprehensively-drafted Data Sharing Agreement.

10.48 The list of exemptions in Chapter 9 applies to data sharing as much (or as little) as to any other aspect of data processing. Each exemption likely to arise should, therefore, be examined to see how far it is relevant to the particular sharing envisaged.

Example: exemptions potentially relevant to data sharing for the following purposes
(a) Crime prevention and taxation (potentially exempting the sharing arrangement from the requirements as to: Privacy Notices (Articles 13 or 14); the right of access (Article 15); the right of rectification (Article 16); the right to restrict processing (Article 18); or, the right to object (Article 21));
(b) Regulatory activity by certain regulatory bodies (potentially exempting the arrangement from Privacy Notices or the right of access);
(c) Research: provided it is not carried out for the purposes of a measure or decision with respect to a particular data subject; or likely to cause substantial damage or substantial distress to an individual; and (in relation to the exemption from the right of access) the results will not be in a form which identifies a data subject. This would potentially exempt the arrangement from:
• the right of access;
• the right to object (if the sharing were based on Article 6(1)(e) (public task); or Article 6(1)(f) (legitimate interests)).

22 See paras 10.32–10.33.

(j) Key steps to take

10.49 Chapter 15 of the Data Sharing Code sets out a checklist of steps to take to undertake sharing, on either a systematic or a one-off basis:

(i) Systematic sharing: The controller should:
(a) consider whether sharing is justified, in terms of the: objectives; benefits and risks; the proportionality of the sharing to the issue; and, whether the objectives are achievable without (or by less) sharing;
(b) establish whether a legal power to share exists (if the organisation is a public authority); and, examine any legal obstacles to sharing (eg confidential information);
(c) create a data sharing agreement as good practice (see para 10.45) setting out:
– what needs to be shared in terms of proportionality;
– the organisations involved;
– the terms of necessary privacy notices/communications with data subjects;
– security issues;
– access rights (who will handle requests, and the process between the sharing partners);
– retention and deletion policies.

(ii) One-off sharing (eg at the request of another organisation): The controller should:
(a) consider whether the sharing is justified as to:
– whether the information should be shared;
– what the potential benefits and risks are;
– whether there are any concerns about serious harm to individuals;
– whether there is an exemption from data protection requirements allowing (or otherwise affecting) any of the sharing.
(b) consider (in relation to a public authority) whether there is a power to share:
– what type of organisation the controller is;
– whether, if the organisation is a public authority, it has any functions to which sharing may be incidental;
– what information it has been asked to share (and whether it is confidential);
– whether there are any legal obligations affecting the proposal to share (eg any statutory requirements).
(c) consider (if the controller decides to share):
– what information it needs to share (ie only what is necessary);
– how it should be shared (eg securely, and to the right person);
– whether it is appropriate or safe to inform X that you have shared his or her data (or whether an exception or exemption from Privacy Notice requirements makes this unnecessary).
(d) record the decision:
– whether or not the sharing occurred, the decision and reasoning should be recorded. If it has occurred, the record should cover: what was shared; for what purpose; with whom; when; the justification; and, whether the data were shared with, or without, the consent of the data subject(s) involved.


CHAPTER 11

International Transfers1

11.1 The GDPR formally prohibits, unless conditions are met, the transfer of personal data outside the area within which its data protection rules automatically apply; namely the European Economic Area (the ‘EEA’); comprising the EU countries, plus Iceland, Liechtenstein and Norway. The latter three countries apply the EU’s single market rules, and thus observe the same data protection regime2. Post-Brexit, the UK intends to operate parallel rules.

11.2 A complete ban would obviously make international trade, migration, or cultural exchange, outside the EEA, almost impossible. There are, therefore, a considerable number of routes (which might be called ‘pathways’) by means of which personal data can be transferred outside the EEA3. The rules under the GDPR allow more pathways to be created under which such transfers can take place, in addition to those which applied under the former eighth data protection principle in the Data Protection Act 1998 (‘DPA 1998’). While that Act treated the rules on international transfers as one of the data protection principles (although the Directive did not), they now appear as Chapter V of the GDPR.

11.3 The important issues in this area are:
(a) to identify correctly when an international transfer of personal data will take place (since they occur more frequently than is often realised; including where the controller or processor does not intend to make a transfer, but does so involuntarily by virtue of the location of the servers it uses); and
(b) to ensure that the organisation (whether controller or processor) is using an available pathway, and a correct one, for any international transfer it makes.

11.4 The five available pathways for transfers are as follows:
(a) the third country ensures an ‘adequate level’ of data protection (and is recognised, pre-Brexit, by the EU Commission as doing so). After Brexit, this assessment is to be based on ‘adequacy regulations’ made by the Secretary of State under DPA 2018, s 17A; although see paras 11.36–11.37 as to transitional provisions4;
(b) the transfer (if to the USA) is made under the ‘Privacy Shield’ arrangement;
(c) one or more of six ‘appropriate safeguards’ are in place to protect the interests of data subjects. New variants were introduced by the GDPR, although in practice two are unlikely to be available before the medium-term;
(d) one or more of a list of seven derogations applies; or
(e) none of the above applies, but the transfer is ‘not repetitive’, concerns only a few data subjects, and other safeguards have been applied.

11.5 An international data transfer is not defined in the GDPR, but we know that it does not include mere transit through a non-EEA country. It also does not include placing personal data onto the internet, with the effect that it can be viewed from such a country5. Nor does it apply to the viewing carried out by a person in that situation: some processing operation (going beyond downloading) needs to take place in that country in order for the rules to apply. This could include, however, storing it on a server in that country (eg in the USA; or, post-Brexit, in an EU member state such as Ireland). It could also include passing information verbally to a person in such a ‘third country’, for a use by them in that country which then amounts to processing (eg such as that person sending an email which incorporates some of the personal data).

1 See GDPR, Articles 44–49, 83–84, and Recitals 101–115.
2 GDPR, Article 44.
3 Some observers see them, however, as a significant barrier to trade.
4 See DPPEC Regulations, Sch 1, para 38; Sch 2, para 23; and Sch 2, para 102 (inserting the transitional provisions into the DPA 2018, as Sch 21).

‘ADEQUATE LEVEL’ OF PROTECTION

11.6 An ‘adequate level’ of protection arises when the EU Commission (or, post-Brexit, the Secretary of State by means of the s 17A regulations), has decided, under a procedure of assessment, that a third country, territory, sector within a third country, or an international organisation6, ensures such a level of protection7. This ground of transfer continues from the DPA 1998. The tests include: a system based on the rule of law; the data protection and other professional rules applying in that country; the existence of an independent supervisory and enforcement body; and, international commitments, notably in relation to personal data8. At the time of writing there are 12 countries or territories on the EU list. Those placed on it under the Directive, under decisions going back in some cases to 2000, will remain listed until it is amended or replaced by another Commission decision.

11.7 What might be called the ‘safe countries’ (or territories) are (in addition to those in the EU or the European Economic Area):
Switzerland
Canada
Argentina
Guernsey
Isle of Man
Jersey
Faroe Islands
Andorra
Israel
Uruguay
New Zealand
Japan

11.8 The EU Commission is obliged to monitor the functioning of decisions in these countries. (Post-Brexit, the Secretary of State acquires a duty to review adequacy decisions under DPA 2018, s 17B). Adequacy decisions may be revoked9.

11.9 Whether the UK is added to the EU’s list after Brexit remains unclear at the time of writing. The outline Political Declaration which accompanied the Withdrawal Agreement negotiated between the UK government and the EU (which had not been agreed by the UK Parliament at the time of writing), provided for the EU to start its consideration of adequacy decisions in respect of the UK in the transitional period envisaged to follow the UK’s planned departure from the EU on a date up to 31 October 2019; with a view to adopting such decisions by the end of the transitional period. The UK government had agreed to take steps to ensure comparable facilitation of personal data flows to the EU in the same timeframe10; and this gave rise to the DPPEC Regulations 2019, creating the power in DPA 2018, s 17A, to make adequacy regulations, as a first step. At the same time, the regulations insert Sch 21 into the DPA 2018. Part 3 of the Schedule makes transitional provision for transfers from the UK from exit day. See paras 11.36–11.37 below.

5 Bodil Lindqvist v Kammaraklagaren Case C-101/01, November 2003.
6 Such as the United Nations.
7 GDPR, Article 45(3); or Article 45(1), after Brexit, by virtue of the DPPEC Regulations, Sch 1, para 38(2) and (4).
8 See GDPR, Article 45(2) and Recitals 104–105. The twelfth country, Japan, was added in January 2019, with immediate effect.

USA TRANSFERS – SAFE HARBOR AND PRIVACY SHIELD

11.10 Data processing involving certain American companies and organisations has rested since 2000 on the voluntary adoption by them of standards of data protection which are treated as sufficiently equivalent to those in Europe, when transferring data involving individuals in EU member states. The ‘Safe Harbor’ arrangement was criticised, however, as relying on self-regulation and self-certification, without active enforcement by the United States Federal Trade Commission. The revelations made in 2013 by Edward Snowden about mass surveillance by the US National Security Agency led the EU Commission to announce the renegotiation of the Safe Harbor arrangement.

11.11 In the meantime, the issue of mass security surveillance led to a challenge to Safe Harbor by Maximillian Schrems, an Austrian citizen. He complained to the Irish Data Protection Commissioner that Facebook Ireland (which controls the data of Facebook’s European users) could not rely on the Safe Harbor to legitimise data transfers to the USA, given the degree of access accorded to the security agencies in that country, and the consequences of such access for his privacy. The complaint went to the Irish High Court; and thence to the European Court of Justice (‘ECJ’). The ECJ ruled in October 2015 that the adequacy decision that had been given to the Safe Harbor scheme was invalid11.

11.12 The replacement has been the EU-US ‘Privacy Shield’, on which the EU Commission gave a draft decision on adequacy in February 2016. The Shield includes more detailed safeguards for individuals’ data, including the creation of an Ombudsman scheme to hear complaints. Other criticisms, over the continuing degree of potential access by the US intelligence services, redress, and the protections against onwards transfers, continued. The Commission confirmed its adequacy decision in July 2016, and the scheme became operational on 1st August 2016. A number of US companies and institutions are not eligible to join the scheme. The European Commission published its report on its second annual review of the functioning of the EU-US Privacy Shield in December 2018, which showed that in its view the United States continued to ensure an adequate level of protection for personal data transferred from the EU to participating companies in the US. Certain steps, recommended by the EU, had been taken by the US to improve the functioning of the arrangement. The Commission called on the US authorities to appoint a permanent (rather than an acting) Ombudsman. More than 3850 companies had been certified under the scheme.

11.13 A further challenge to the Privacy Shield was launched by Irish campaigners, but ruled inadmissible for lack of standing by the General Court of the European Union (court of first instance) in November 2017. At the time of writing, Mr Schrems had challenged Facebook’s use of standard contractual clauses to transfer personal data from the EU to the USA. After the Irish High Court referred 11 questions from the case to the European Court of Justice, Facebook appealed to the Irish Supreme Court over whether the court was entitled to refer the matter to the ECJ, on which a hearing took place in January 2019.

11.14 Pending the outcome of any challenges, transfers of personal data to and from the USA may take place within the boundaries of the Privacy Shield arrangement, where it applies. Controllers and processors in the UK should make themselves aware of whether their organisation has dealings with the USA, or sends its personal data (even inadvertently) to servers located in that country; and, if so, whether the other controller or processor concerned is covered by the Privacy Shield.

9 GDPR, Article 45(5). See also Recitals 106–107.
10 ‘Agreement on the withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union and the European Atomic Energy Community, as endorsed by leaders at a special meeting of the European Council on 25 November 2018’; ‘Political Declaration setting out the framework for the future relationship between the European Union and the United Kingdom’; ‘Explainer for the agreement on the withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union’, HM Government, 14 November 2018.
11 Maximillian Schrems v Data Protection Commissioner Case C 362/14, October 2015.


APPROPRIATE SAFEGUARDS

11.15 The following forms of ‘appropriate safeguard’ exist under Article 46. Only standard contractual clauses created by the EU Commission had a place in the previous Directive. Under the GDPR, it is a condition of the application of these safeguards in each case that enforceable rights, and ‘effective legal remedies’ for data subjects, are available. Any of these safeguards may be provided, and relied upon, without requiring any specific authorisation from the supervisory authority in the country concerned:
(a) a legally binding and enforceable ‘instrument’ (ie agreement) between public authorities or bodies;
(b) ‘binding corporate rules’;
(c) standard data protection clauses in a contract, which have been adopted by the European Commission or, after Brexit, standard data protection clauses specified by the Secretary of State in regulations made under DPA 2018, s 17C(1);
(d) standard data protection clauses in a contract, adopted by the supervisory authority (ie the ICO) and approved by the Commission. After Brexit, these are replaced by standard clauses issued in a document by the ICO (subject to Parliamentary scrutiny) under DPA 2018, s 119A;
(e) an approved code of conduct (made under GDPR, Article 40) together with binding and enforceable commitments made by the controller or processor in the third country to apply the safeguards, including as to data subjects’ rights; or
(f) an approved ‘certification mechanism’ under GDPR, Article 42, together with binding commitments as in (e) above.

11.16 In relation to (e) and (f) above, the development of codes of conduct by industry or trade bodies, overseen by the ICO (and, within the EU, in some cases also by the European Data Protection Board); and the establishment similarly of certification schemes within different sectors, will take time. The UK Commissioner tried for some time before the GDPR to introduce a data protection ‘seal’. It seems unlikely that either route will be generally available in the UK before the medium-term.

11.17 Bespoke contractual clauses, or administrative arrangements between public authorities, which differ from the standard template clauses and which have been separately negotiated between the parties, may also be approved by the competent supervisory authority. The former may be made between controller and processor; or between controller, processor and the recipient of the data in the third country or international organisation. The latter administrative arrangements would need to include rights for data subjects which are enforceable and effective12.

12 GDPR, Article 46(3); as amended (after Brexit) by the DPPEC Regulations, Sch 1, para 39(4).


11.18 Binding corporate rules (‘BCRs’) are a mechanism for multinational corporations and groups of companies voluntarily to apply EU (or after Brexit, UK) data protection rules to intra-organisational transfers of personal data across boundaries; without having to check their compliance on each occasion with those rules, or to enter contracts (where there are separate legal actors within the group). Those that may undertake BCRs are described in Recital 110 as a ‘group of undertakings, or a group of enterprises engaged in a joint economic activity’. BCRs were devised originally by the former Article 29 working party (now the European Data Protection Board, or ‘EDPB’)13; and their significance has been recognised by their inclusion in GDPR, Article 47, which sets out minimum requirements for them to apply. This provides that the ‘competent authority’ (the supervisory authority or, after Brexit, the UK Commissioner) is to approve BCRs, after application by the undertakings concerned. In the EU, this is through the ‘consistency mechanism’ (ie in consultation with other supervisory authorities, or the EDPB, to ensure a consistent approach)14.

11.19 The minimum requirements (in both the EU and, after Brexit, the UK) are that BCRs are:
(a) legally binding, and apply to (and are enforced by) every member concerned of a group of undertakings, or group of enterprises involved in a joint economic activity; including their employees;
(b) expressly confer enforceable rights on data subjects concerning the processing of their data;
(c) specify a list of matters in Article 47(2), including:
(i) the structure and contact details of the group of undertakings;
(ii) the data transfers, including the categories of data, type of processing, purposes, type of data subjects affected, and, the third country or countries in question;
(iii) their legally binding nature;
(iv) the application of the data protection principles (eg purpose limitation, data minimisation, legal basis for processing) to the BCR;
(v) the rights of data subjects (eg not to be subject to decisions based wholly on automated decision-making, including profiling); and how they may exercise them, complain to the ICO or the courts, or obtain redress or compensation;
(vi) acceptance by the controller or processor of liability for any breaches of the rules by any member (ie within the conglomerate) which is not established in the EU (or the UK, after Brexit) unless it can prove that the member was not responsible for the event;
(vii) how information about the BCRs is provided to data subjects through Privacy Notices; and
(viii) mechanisms for verifying compliance with the rules (and communication of the results to the data protection officer (‘DPO’) and Board of the controlling undertaking; which are also to be available on request to the competent supervisory authority).

11.20 Changes to the rules are to be recorded and reported to the supervisory authority (ie the ICO, including after Brexit); as are any legal requirements in a third country which are likely to have a substantial adverse effect on the guarantees provided by the BCRs15. (An example might be a local law requiring an unusually detailed level of reporting of personal data about foreign employees to the state authorities in the third country concerned). Staff who have permanent or regular access to personal data are to receive appropriate data protection training16.

11.21 The former Article 29 Working Party produced updated guidance as to what should go into a BCR application from controllers and processors respectively; and practitioners considering an application within the EU should refer to these17. Applications have to be accompanied by Privacy statements and policies on areas such as data quality and procedures for individuals’ rights. Practical measures also need to be demonstrated, such as processes for complaints and internal audit. Individuals are to be able to exercise their rights via the supervisory authority or the courts of their own country.

11.22 Standard clauses: these may be used for transfers between controllers, or between controller and processors; and there have been successive versions of both types. For transfers to processors, the applicable law is always that of the ‘data exporter’ (ie the controller). The ‘data importer’ (ie the processor in a third country) remains liable for breaches of the clauses; notwithstanding that these may arise from contrary obligations placed upon it by local law.

11.23 Standard clauses may be included in other contracts, or other terms may be added to them, provided these do not conflict with the standard contractual clauses18.

11.24 In the most recent version of the model clauses between controllers and processors, a processor wishing to sub-contract an activity has first to obtain the written consent of the controller. The processor and sub-processor have to enter an agreement, with the same obligations as under the controller/processor clauses. The processor accepts liability for breaches by the sub-contractor, while the sub-processor is subject to the law of the country of the exporter, and to the rights of third parties (eg for individuals to be able to complain to the supervisory authority in their member state). On termination, the sub-processor must destroy or return the data, and the controller may arrange to audit the sub-processor’s compliance with this obligation. The exporter/controller has to keep a list of all sub-processing agreements, which is to be available to the supervisory authority on request.

13 Former Article 29 Working Party: Working Document WP 74.
14 GDPR, Article 63.
15 GDPR, Articles 47(2)(k) and (m) respectively.
16 GDPR, Article 47(2)(n).
17 Former Article 29 Working Party/EDPB, WP 256 and WP 257.
18 See GDPR, Recital 109.


11.25 For the first time, GDPR, Article 46(2)(d), allows the supervisory authorities of member states to approve standard clauses, where these have previously been approved by the EU Commission19. This is amended after Brexit to refer to the ICO, without the involvement of the EU Commission. As a result, after Brexit, both the ICO (by means of a document issued under s 119A, subject to Parliamentary scrutiny), and the Secretary of State (by means of regulations made under s 17C), may issue standard clauses.

DEROGATIONS

11.26 The derogations in Article 49 are similar to those in the former DPA 1998, Sch 4. In the absence of any of the above pathways, a transfer or set of transfers to a third country or international institution may take place under one of the following conditions20:

(a) the explicit consent of the data subject to the proposed transfer, after he or she has been informed of the risks arising from the lack of an adequacy decision, and of appropriate safeguards for their data;
(b) the transfer is necessary for the performance of a contract between the controller and the data subject, or for implementing pre-contractual measures taken at the data subject’s request;
(c) the transfer is necessary for the conclusion or performance of a contract which has been concluded in the interests of the data subject, between the controller and another legal or natural person. [An example would be a contract between the controller and a pharmacist in a third country to supply drugs to a sick patient who is visiting that country, where the controller needs to release medical information about the patient to the pharmacist to ensure that the correct prescription is issued];
(d) the transfer is necessary for important reasons of public interest, as defined in member state law (see para 11.28 below);
(e) the transfer is necessary for the establishment, exercise or defence of legal claims;
(f) the transfer is necessary to protect the vital interests of the data subject, or other persons, where the former is physically or legally incapable of giving consent;
(g) the transfer is made from a register intended to provide information to the public, which is open either to general consultation or on demonstration of a legitimate interest, subject to any conditions in the local law. (In this case, the entirety of the personal data, or of categories of such data, may not be transferred on this basis. Where the register is intended to be consulted by those with a legitimate interest, the transfer is to take place only at their request; or, if they are to be the recipients, taking into full account the interests and rights of the data subject21).

11.27 Public authorities are denied the derogations in (a), (b) and (c) above (and also the one-off fallback below; see para 11.32) for activities carried out ‘in the exercise of their public powers’22. This exclusion differs from that applying to public authorities’ use of the legitimate interests basis where they are acting ‘in the performance of their tasks’.

11.28 In respect of the derogation for ‘important reasons of public interest’, the Secretary of State has power under s 18(1) of the Data Protection Act 2018 (‘DPA 2018’) to make regulations (subject to various Parliamentary procedures) to specify the circumstances in which these are to apply. At the time of writing, no such regulations had been made23.

11.29 Where there is no adequacy decision in respect of a third country or international organisation, member state law may also, for similar ‘important reasons of public interest’, set express limits on the transfer of specific categories of personal data to that country or organisation24. This provision is replaced in the UK by a power to make regulations in DPA 2018, s 18(2). EU member states, including the UK prior to Brexit, must notify the EU Commission if they make such a determination. (This might be applied by an EU country, for example, to prevent or limit a transfer of personal data to another country, where this could be expected to hamper a money laundering investigation.) As above, at the time of writing, no such regulations had been made under DPA 2018, s 18(2).

11.30 GDPR, Article 48, and Recital 115, state that decisions of a third country’s authorities, courts or tribunals (eg a court order that certain personal data must be produced) are not in themselves legitimate grounds for a data transfer to be made to that country. Such decisions will only be lawful under the GDPR if they meet the conditions in Chapter V. Post-Brexit, this provision is removed by the DPPEC Regulations (Sch 1, para 41).

19 Under the EU’s examination procedure, under Regulation (EU) No 182/2011, Article 5.
20 GDPR, Article 49(1).

EDPB guidelines

11.31 The EDPB, as one of its first acts in taking over from the Article 29 Working Party, endorsed on 25 May 2018 guidelines for the detailed application of the derogations on which the working party had previously consulted. These should be referred to by practitioners considering the derogations, including after Brexit25. As well as commenting on the derogations individually, the guidelines make the following general points, underlining that a restrictive approach should be taken to their use:
• when relying on a derogation, all other data protection requirements (including those in GDPR, Articles 5 and 6) have to be complied with, in addition to those in Chapter V relating to the transfer itself;
• the derogations in Article 49 should follow consideration of the mechanisms in Article 45 (adequacy decision) and Article 46 (appropriate safeguards); in other words, they should be applied only if the other mechanisms are not available. Derogations should be seen as exceptions from the principle, and interpreted restrictively so that ‘the exception does not become the rule’;
• in general, use of the derogations may happen more than once, but not regularly, and outside the regular course of actions. Recital 111 refers to ‘occasional’ use ‘in relation to a contract or a legal claim’.

21 See GDPR, Recital 111.
22 GDPR, Article 49(3).
23 See also GDPR, Recital 112.
24 GDPR, Article 49(5).
25 ‘Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679’, EDPB, 25 May 2018.

FALLBACK: NON-REPETITIVE TRANSFER

11.32 The final pathway may be found in the second (and un-numbered) subparagraph of paragraph 1 of Article 4926. Where none of the other pathways applies, a transfer may take place only if it:
— is not repetitive;
— concerns only a limited number of data subjects;
— is necessary for the purpose of compelling legitimate interests, pursued by the controller (NB not another party), which are not overridden by the interests or rights and freedoms of the data subject; and
— the controller has assessed all the surrounding circumstances and provided suitable safeguards to protect the personal data.

11.33 The controller is to inform the supervisory authority (ie the ICO, in the UK). It is also to inform the data subject of the transfer (in addition to the information contained in a Privacy Notice), and of the compelling legitimate interests being pursued.

11.34 As noted above, this fallback is not available to a public authority exercising its public powers27.

11.35 The EDPB, in its guidelines on Article 4928, states the following:
• this derogation is a ‘last resort’, and the data exporter should be able to demonstrate ‘serious attempts’ to establish that the transfer cannot be undertaken under Article 45 or 46, or one of the other derogations in Article 49 (or that, perhaps for a small company, the ‘appropriate safeguards’ would not be a ‘realistic option’);
• the ‘compelling legitimate interest’ necessary to its use should mean that it is essential for the data controller (eg to protect its systems from immediate harm);
• the safeguards for the data subject have to be ‘additional’ to those otherwise in place (eg requiring deletion after transfer, or limiting the purposes of processing after transfer).

26 See also GDPR, Recital 113.
27 GDPR, Article 49(3).
28 See footnote 25 above.

CROSS-BORDER FLOWS OF DATA AFTER BREXIT

11.36 On 13 December 2018, the UK government updated previous guidance on cross-border flows of data in the event that the UK left the EU without a withdrawal agreement29. This indicated that regulations under the EU (Withdrawal) Act 2018, expected early in 2019, would do the following to enable transfers from the UK to those countries to continue after Brexit. As a result of the DPPEC Regulations 2019, Sch 21, Part 3, of the 2018 Act provides:
• Recognise all countries in the European Economic Area (including EU member states) and Gibraltar as ‘adequate’ (Sch 21, para 4(1) and 5(a)–(b) and (d)).
• Preserve the effect, on a transitional basis, of existing adequacy decisions made by the EU, in respect of third countries, and EU or other equivalent institutions (Sch 21, paras 5(1)(c) and (e), and 5(2)(a)–(k)).
• Recognise the EU Commission’s Implementing Decision on the adequacy of the EU-US Privacy Shield (Sch 21, para 5(2)(l)).
• Recognise EU Standard Contractual Clauses in UK law, and give the ICO power to issue new clauses (Sch 21, paras 7–8).
• Recognise Binding Corporate Rules authorised before the date of the UK’s withdrawal from the EU (Sch 21, para 9).

There are equivalent transitional provisions in relation to law enforcement processing and adequacy in Sch 21, paras 10–12.

11.37 As the guidance stated, however, the UK could not provide for the free flow of personal data into the UK, which was a matter for the other jurisdictions concerned. Under EU law, the Commission could not commence such an assessment until the UK is a third country (and some estimates have been that the assessment process could take up to two years after Brexit). Thus transfers from the EU would, in the absence of such an adequacy decision, need to be made under one of the other lawful routes described in this Chapter. As noted above, transfers under the EU/US Privacy Shield are recognised in the transitional measures. The guidance advised those in the UK relying on data transfers from the EU to work with their counterparts in those countries to make sure that a mechanism, such as standard contractual clauses, was in place.

29 Department for Digital, Culture, Media and Sport: ‘Amendments to UK data protection law in the event the UK leaves the EU without a deal on 29 March 2019’, 13 December 2018; updating technical note entitled ‘Data protection if there’s no Brexit deal’, issued on 13 September 2018. The draft regulations were, at the time of going to press, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (draft).


CHAPTER 12

Electronic Communications and Marketing

12.1 Separate rules apply to marketing which is sent direct to a particular individual, which amounts to processing their personal data. This is not limited to selling or commercial marketing, but also includes the sending of campaigning or other promotional materials, or the use of such methods for charity fundraising. ‘Direct marketing’ is defined in the Data Protection Act 2018 (‘DPA 2018’) as: ‘the communication (by whatever means) of advertising or marketing material which is directed to particular individuals’1.

12.2 Processing for direct marketing has to comply with the GDPR and DPA 2018 in the normal way. There thus has to be a lawful basis for the processing, and arrangements need to be made to enable a data subject to require the controller to cease the marketing. The Privacy and Electronic Communications (EC Directive) Regulations 20032 (‘PECR’) may also apply in circumstances where personal data are not being processed. They include protection for companies as well as individuals, or apply where individuals are not identifiable (and information about them is thus outside the data protection rules). Network service providers are exempted from the GDPR, in relation to matters for which they are subject to provisions of the PECR with the same objectives. The ICO is obliged to produce a Code of Practice on direct marketing under s 122(1), and issued a call for views on a code, to replace earlier guidance, which closed in December 2018. The call for views also covered age-appropriate design (under DPA 2018, s 123); and the use of personal data in political campaigns (under powers in GDPR, Article 57(1)(d)). A consultation followed in Spring 2019 on a code of practice on age-appropriate design3.

PRIVACY AND ELECTRONIC COMMUNICATIONS REGULATIONS

12.3 The processing must also comply with the PECR4, which implemented much of the ‘e-Privacy directive’5. The regulations have been amended on a number of occasions, including with the advent of the GDPR. At the time of writing, the PECR were expected to be replaced by an ‘e-Privacy Regulation’, which is awaiting agreement by the EU, and may take place after Brexit. In that event, it would seem reasonable to expect the UK to follow the new rules closely, and to produce statutory provisions of its own which reflect them. The European Data Protection Board (‘EDPB’) issued guidance in March 2019 on the interplay between the existing directive and the GDPR6. This states, for example, that specific rules in the PECR take priority over general rules in the GDPR. Thus where the PECR require consent for an activity, a lawful basis under the GDPR, Article 6 (such as the legitimate interests basis) cannot be used as a substitute which would circumvent the requirement for consent (see Opinion, para 39).

12.4 The PECR cover a number of matters concerning ‘electronic communications’, which are not defined in the regulations, but cover information sent between different parties over a telephone line or internet connection. The regulations include duties on providers in respect of: the use of cookies7; security, and personal data breaches8; restrictions on the processing of location data9; and prohibitions on the use of automated calling systems, or fax machines, for direct marketing purposes10.

1 DPA 2018, s 122(5).
2 SI 2003/2426.
3 GDPR, Article 95.
4 SI 2003/2426.
5 European Directive 2002/58/EC.

Marketing by electronic mail

12.5 PECR, reg 22 applies to the transmission of unsolicited communications by ‘electronic mail’ to individual subscribers. In this context, this means emails, texts, picture messages, video messages, voicemails, direct messages via social media, or ‘any similar message that is stored electronically’11. Unless the exemption for a ‘soft opt-in’ under reg 22(3) applies, a person is neither to transmit, nor to instigate the transmission of, unsolicited communications by electronic mail for the purposes of direct marketing, unless the subscriber consents for the time being to such communications being sent (or such sending being instigated) by the sender12. In principle, therefore, such new approaches should not take place in most cases, since there will have been no consent.

12.6 If a consent is given, the individual has to indicate it knowingly. Consent under PECR has now to be given to the standard demanded by the GDPR. This should involve some active step, even if limited to clicking an icon. While previously an option may have been given to opt-in or opt-out at the initial stage, this now needs to be compliant with the requirements for a valid consent under the GDPR13. The ICO advises treating consents originally obtained by another party (‘indirect consent’) with great care. It also needs to be made plain that the individual can unsubscribe at any time. The clearest method of obtaining valid consent, according to the ICO, is now to ask customers to tick opt-in boxes, to confirm that they are happy to receive calls, text or emails from the organisation concerned14.

12.7 There is an exemption for new approaches based on a so-called ‘soft opt-in’. Regulation 22(3) provides that a person may send, or instigate the sending, of electronic mail for the purposes of direct marketing where:
(a) the sender has obtained the contact details of the recipient of the communication in the ‘course of sale or negotiations for the sale of a product or service to that recipient’;
(b) the direct marketing, proposed to be undertaken, is of the sender’s ‘similar products and services only’; and
(c) the recipient has been given a simple means of refusing the use of his or her contact details for such direct marketing purposes.
The means of refusal offered must have been free of charge, except for the cost of transmission of the refusal. The offer of such a means is to have been made at the time when the contact details were initially collected, and (if the recipient did not refuse the use at that point) at the time of each subsequent communication with the individual15.

12.8 The key issue, apart from whether an opt-out was properly offered, is whether the product or service which the sender now wishes to promote is of a type which may be described as ‘similar products and services’. This should be interpreted with caution. The ICO advises that an organisation will be able to email or text its own customers, but not ‘prospective customers or new contacts’16. While this does not address specifically the middle group of those who negotiated, but decided not to buy, it should be clear that this group will be relatively small.

12.9 The details must also have been obtained from the recipient by the sender (not by a third party). The exemption is available only where the present sender collected the information originally from the individual, and (in effect) wishes now to see whether a replacement or improved version of the product or service might be of interest to the previous purchaser (or person who negotiated over a purchase). It is not open to a sender, therefore, to acquire a list of potential customers for similar goods or services (or even, theoretically, a list of its own previous customers) from another source, and then lawfully to send them unsolicited electronic communications17.

6 ‘Opinion 5/2019 on the interplay between the e Privacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities’, (12 March 2019).
7 PECR, reg 6.
8 See PECR, regs 5–5C.
9 PECR, reg 14.
10 PECR, regs 19 and 20 respectively.
11 See ICO guidance: ‘Electronic mail marketing’.
12 PECR, reg 22(2).
13 See paragraphs 3.39–3.48 and 5.5–5.7; and DPPEC Regulations, reg 8(2) and (3), amending PECR, reg 2, in relation to the definition of ‘consent’ in the PECR.
14 ICO: ‘Electronic and telephone marketing’: part of the ICO’s set of guidance ‘Guide to the Privacy and Electronic Communications Regulations’.
15 PECR, reg 22(3).
16 ICO guidance on ‘Electronic mail marketing’.
17 See PECR, reg 22(3)(a).


12.10 The ‘soft opt-in’ does not apply to non-commercial promotions, such as charitable collections, or political campaigning18.

12.11 The controller needs to have a system for recording choices made, and acting upon them. To achieve this, however, it is acceptable to retain sufficient data about an individual (eg who asks to be removed from the marketing list), to enable their preference to be respected. Indeed, care should be taken in such an instance to carry over any such preferences onto any new list or separate marketing initiative. Any data collected should not be excessive.

Telephone calls

12.12 Under PECR 2003, reg 21(1), a person is not to use (or instigate the use of) a public electronic communications service to make unsolicited calls for direct marketing purposes where:
(a) the subscriber of the called line has previously notified the caller that such calls should not be made on that line; or
(b) the number of the line is listed in a register kept under regulation 26 (ie the Telephone Preference Service, or ‘TPS’), unless:
(i) it has been registered for less than 28 days, or
(ii) the subscriber has notified the caller that he or she does not, for the time being, object to such calls being made on that line by that caller.
This concession may be withdrawn at any time, whereupon no further calls should be made19.

12.13 The TPS is now the responsibility of the ICO (previously of Ofcom). Those using telephone calls are obliged to check calling lists against it, and to abide by a reference that no marketing calls are desired. There is also a Corporate TPS.

12.14 In addition, calls over a ‘public electronic communications service’20, whether solicited or unsolicited, for direct marketing purposes are prohibited, unless the sender does not prevent the presentation of its identity on the called line, or presents the identity of a line on which the sender can be contacted21. The caller should also provide a contact address or freephone number if requested.

12.15 Live calls may thus be made without consent to an individual who has not subscribed to the TPS service. Telephone calls to an individual who has specifically consented to receive marketing calls from that organisation (eg by ticking an opt-in box) are also not restricted.

18 See ICO guidance: ‘Electronic mail marketing’.
19 See PECR, reg 21(3)–(5).
20 Defined in the Communications Act 2003, s 151, as an ‘electronic communications network provided wholly or mainly for the purpose of making electronic communications services available to members of the public.’
21 PECR, reg 21(A1).


Automated calls 12.16 Automated calls (ie  calls from an automated dialling system playing a recorded message) require specific consent from the subscriber, covering automated calls, which has been notified to the caller. The sender must not prevent presentation of the identity of the calling line on the called line; or, must present the identity of a line on which the sender can be contacted22.

Other restrictions

12.17 Different rules, requiring specific consent from the subscriber, apply to claims management services23. The rules on calls for direct marketing in relation to pension schemes were not in force at the time of writing24. Direct marketing by fax requires specific consent25.

12.18 Information collected for one purpose should not be used for a different purpose without prior consent. The ICO advises, in relation to marketing lists, that their origin and accuracy should be checked. They should be screened against the TPS, and lists that have been bought-in should only be used with the specific consent of the individuals on them. In-house marketing lists should use opt-in boxes wherever possible, and consent should be sought as to specific means of communication, or if it is intended to forward information on to (named) other companies. Clear records of consent, and of lists of people wishing not to be contacted, should be kept.

General exemptions and enforcement

12.19 There are general exemptions in the PECR for national security (reg 28), or for law enforcement or compliance with other laws (reg 29).

12.20 The ICO has a range of enforcement powers under PECR, including criminal prosecution, non-criminal enforcement, or audits. She may also serve monetary penalties up to a limit of £500,000 against the organisation or its directors. The provisions of the DPA 1998 remain in force for the purposes of enforcing monetary penalties relating to the PECR, notwithstanding the introduction of the GDPR and DPA 201826. On 1 February 2019, for example, the ICO imposed two monetary penalties on Leave.EU Group Limited, of £15,000 and £45,000; and on Eldon Insurance Services Limited of £60,000; under DPA 1998, s 55A, in relation to contraventions of PECR, reg 22 (the ‘soft opt-in’; see para 12.5).

22 PECR, reg 19(1) and (2). An automated calling system is defined in reg 19(3).
23 PECR, regs 21(b) and 21A.
24 PECR, reg 21B.
25 PECR, reg 20.
26 DPA 2018, Sch 20, Pt 9, para 58(1).


Section E

Precautions, Advice and Enforcement

CHAPTER 13

Data Protection Impact Assessments

BACKGROUND AND WHEN TO CONDUCT A DPIA

13.1 The ICO describes a Data Protection Impact Assessment (DPIA) as a ‘process to help you identify and minimise the data protection risks of a project’. DPIAs are seen as a new central feature of the Accountability principle, and as closely linked to data protection by design and default. They are also seen as reflecting a more risk-based approach to data protection under the GDPR.

13.2 There is no set format, although the ICO recommends nine stages which need to be covered. A DPIA may be a limited exercise in a less important instance, or it may amount to a significant exercise in a larger case. The Commissioner describes the process as ‘designed to be flexible and scalable’.

13.3 The requirements as to DPIAs are set out in GDPR, Articles 35 and 361. The DPA 2018 does not amend these, although the DPPEC regulations make some minor changes, post-Brexit.

13.4 The previous Privacy Impact Assessments (‘PIAs’) in the UK, which were voluntary but similar in most respects to DPIAs, had been regarded by the ICO as good practice for a number of years. They were also obligatory within government for new processing. The main differences between DPIAs and the former PIAs are that:
— DPIAs are mandatory if an initial screening exercise shows the proposed processing to create a ‘high risk’ to data subjects.
— The impact has to be considered on individuals’ rights and freedoms, which include (but are not limited to) privacy rights. Under PIAs, however, the Commissioner also included reputational damage to the controller, so that DPIAs are in that sense narrower in scope than PIAs, while referring to a wider range of data subjects’ interests.
— There are some more specific requirements as to their content (although still rather limited ones).
— If the controller has a Data Protection Officer (‘DPO’), that officer’s advice has to be sought on the DPIA.
— A final (and potentially very important) stage of consultation is now required with the ICO, in cases where a ‘high risk’ remains after any proposed mitigation measures.

1 See also GDPR, Recitals 90–96; especially 91 and 94.


13.5 As indicated above, the GDPR now makes DPIAs mandatory for ‘processing that is likely to result in a high risk to individuals’ [Emphasis added]. Such a risk will arise either because the processing is of a specified type, or in other cases because a potentially high risk is identified by the controller. It will be noted that the threshold is at the lower level: that the risk is ‘likely’ (which can be significantly below 50%)2.

13.6 The risks involved are to the ‘rights and freedoms of natural persons’. This is interpreted to include risks to privacy and data protection rights (eg by a data breach), but also to encompass effects on other fundamental rights and interests. Recital 75 refers to risks to rights and freedoms in general (ie not just in relation to data protection), but the ICO draws particular attention to it in this context. This significantly widens the scope of processing likely to be ‘high risk’ at the screening stage.

13.7 The Recital refers to different types of damage, resulting from processing, as follows:
• ‘physical, material or non-material damage’ (or harm) to individuals (eg discrimination; identity theft or fraud; financial loss; damage to reputation [of the individual]; an unauthorised reversal of pseudonymisation, or ‘any other significant economic or social disadvantage’);
• where data subjects may be deprived of their rights and freedoms, or prevented from exercising control over their personal data;
• where personal data are processed which reveal special category data or criminal data;
• where personal aspects are evaluated to create personal profiles (ie profiling, such as analysing performance at work, an individual’s health, or their personal preferences);
• processing of the personal data of vulnerable individuals, especially children;
• where processing involves a large amount of personal data and affects a large number of data subjects.

13.8 The ICO also considers that it is good practice to undertake a DPIA for any other major project which requires the processing of personal data.

13.9 A DPIA has to:
• describe the nature, scope, context and purposes of the processing;
• assess its necessity and proportionality, and compliance measures;
• identify and assess risks to individuals; and
• identify any additional measures to mitigate those risks.

2 See para 9.9 above.


13.10 The assessment of risk, at both the initial screening stage, and once the specific risks from the proposed processing are identified, requires the controller to consider both the likelihood and the severity of any impact on individuals. ‘High risk’ could result from either a high probability of some harm, or a lower probability of serious harm. The Commissioner describes the exercise at this stage as a ‘high-level screening test’, in which the question is: ‘are there features which point to the potential for high risk?’ [Emphasis added]. This approach, based on a low threshold and a focus on the potential for risk, as well as the wide range of activities which are considered to be likely to give rise to such risk, means that a ‘high’ level of risk is quite likely to be identified at this stage in a significant number of cases.

13.11 The GDPR itself says that a controller must do a DPIA if it plans to:
• use ‘systematic and extensive’ profiling (or other automated evaluation) of individuals, on which decisions are based with legal or other significant effects. (An example might be an automatic decision over a loan application, conducted through a website);
• process special category data, or criminal convictions and offences data, on a ‘large scale’; or
• systematically monitor publicly accessible places on a ‘large scale’.

‘Systematic’ [profiling] means that the processing occurs according to a system; is pre-arranged (or organised or methodical); takes place as part of a general plan to collect data; and is carried out as part of a strategy. ‘Extensive’ implies that it covers a large area, involves a wide range of data, or affects a large number of individuals. A ‘significant effect’ is one which has a noticeable impact on an individual, and can affect their circumstances, behaviour or choices in a significant way; perhaps relating to their financial status, health, reputation, access to services or other economic or social opportunities3. ‘Large-scale’ is not defined in the GDPR, but the ICO (based on the guidance of the former Article 29 Working Party) advises controllers to consider:
— the number of individuals concerned;
— the volume of data;
— the variety of data;
— the duration of the processing; and
— its geographical extent.

Examples include:
• a hospital processing patient data;
• the tracking of individuals on a city’s public transport system;
• a bank processing customer data;
• a search engine processing data for behavioural advertising.

3 ICO: ‘When do we need to do a DPIA?’.


In contrast, an individual lawyer or doctor in general practice who is processing client/patient data is operating on too small a scale to be ‘large-scale’. See also para 13.15 below. 13.12 The references in the GDPR were not, however, an exclusive list. The former Article  29 Working Party sought to interpret it in guidelines published before the GDPR came into effect4. These contain nine further types of activities which are likely to give rise to high risk, which involve: •

evaluation or scoring;



automated decision-making, with legal or similar significant effect;



systematic monitoring;



sensitive data or data of a highly personal nature;



data processed on a large scale;



data concerning vulnerable data subjects;

• innovative uses, or the application of new technological or organisational solutions; •

the prevention of data subjects from exercising a right or using a service or contract.

13.13 The working party indicated that in general, a combination of two or more of these factors indicated the need for a DPIA; although this was not a hard and fast rule, and one factor could in some cases be sufficient. On the other hand, if the controller believed that, notwithstanding the presence of these factors, the processing was nonetheless unlikely to result in a high risk, it should document its reasons. 13.14 The ICO has also produced a list of ‘the kind of processing operations’ (as they are described in Article 35(4)) which, in the UK, are to be treated as subject to the requirement for a DPIA, under powers in that Article. Overlapping to a degree with the Article  29 list, this states that a DPIA is required where the controller plans to do the following5. The ICO’s guidance was revised as this book was going to press, in the light of previous recommendations from the EDPB to reflect the latter’s view that certain factors were not sufficient on their own to justify a DPIA (see footnote 4). The ICO now advises that those particular factors would require a DPIA only in combination with others listed in the EDPB’s guidelines (as indicated below). (The examples are taken from the more detailed guidance in which the full list appears; see below)6: 4

‘Guidelines on Data Protection Impact Assessments’, Article 29 Working Party/European Data Protection Board, WP 248.rev.01. 5 The guidance states that the ICO ‘also requires you to do a DPIA if you plan to’ carry out the activities [Emphasis added]. The phraseology used might be open to question, but this appears to be based on a reading of GDPR, Article 35(4), requiring the ICO to publish a list of operations ‘which are subject’ to the requirement for a DPIA. 6 ICO: ‘Examples of processing “likely to result in high risk”’.

252

Background and when to conduct a DPIA 13.15



• use new technologies (or a novel application of an existing technology) in new ways or for new purposes. (This refers to a technology that is new to the world, rather than to the controller). Examples: intelligent transport systems; artificial intelligence (AI);
• introduce a denial of service: ie where a controller plans to use profiling, or automated decision-making (to any extent), or special category data, to decide on access to services. Examples: credit checks; mortgage applications;
• profile individuals on a large scale. Examples: data processed by smart meters; social media networks;
• process biometric data, if combined with another factor in the Article 29/EDPB guidance. Examples: facial recognition systems; workplace access systems;
• process genetic data (other than by a GP or health professional for the provision of health care to the data subject), if combined with another factor in the Article 29/EDPB guidance. Examples: medical diagnosis; DNA testing;
• match, combine or compare data or datasets from different sources. Examples: fraud prevention; direct marketing;
• collect personal data from a source other than the individual without providing them with a privacy notice, because the controller considers that it would be impossible or disproportionate to do so (so-called ‘invisible processing’), if the processing is combined with another factor in the Article 29/EDPB guidance. Examples: list brokering; online advertising;
• track individuals’ location or behaviour (including but not limited to the online environment), if combined with another factor in the Article 29/EDPB guidance. Examples: social networks; web tracking; loyalty schemes;
• target children or other vulnerable individuals: by using their personal data for marketing purposes, profiling or other automated decision-making; or, if the controller intends to offer online services direct to children. Examples: connected toys; social networks; or
• create a risk of physical harm: where the processing might endanger the individual’s physical health or safety. Examples: whistleblowing schemes; social care records.

13.15 The Commissioner’s full list includes the further three categories identified in the GDPR (see para 13.11). These are omitted from the list described in a parallel piece of guidance7. The three additional categories are:
• a systematic evaluation based on automated processing or profiling, resulting in legal or other significant effects. Examples: loan applications; insurance underwriting;
• large-scale processing of Article 9 and 10 data (ie special category data, and criminal data under the GDPR). Examples: political parties’ membership data; hospital health records; fraud prevention;
• systematic monitoring of a publicly available area on a large scale. Examples: automatic number plate recognition; Bluetooth tracking; video surveillance of public areas.

7 The two pieces of guidance concerned are: ‘When do we need to do a DPIA?’ (containing the shorter list); and ‘Examples of processing “likely to result in high risk”’ (the full list).

13.16 Even if the processing does not fall into any of the above categories or descriptions, the controller should consider whether it is likely to result in high risk.

13.17 The Commissioner also advises controllers to ‘think carefully about doing a DPIA for any other processing that is large scale, involves profiling or monitoring, decides on access to services or opportunities, or involves sensitive data or vulnerable individuals’.

CONDUCTING A DPIA

13.18 The ICO has suggested a series of steps in her most recent guidance on DPIAs. The stages of a DPIA are set out below, although step 3 (consultation) does not need to be carried out at a specific point.

13.19 Curiously, consulting the ICO (where required) near the end of the process has been omitted as a potential step, in relation to the minority of cases (it is hoped) in which it would be necessary. It is likely to be significant, however, in a number of cases, and has been inserted below as Step 7A. (See also paras 13.23–13.25 below on the order of numbering).

Step 1: identify the need for a DPIA

13.20 The ICO’s detailed advice8 says that the controller should ask its DPO (if it has one) for advice. The high-level guidance on DPIAs contains suggested preparatory steps to raise awareness (eg training, policies referring to DPIAs, creating a DPIA process); and checklists for screening for a DPIA (and later as to the process). The screening checklist reflects a number of the factors listed above. Where the processing is to be carried out on the lawful basis of a legal obligation, or under the ‘public task’, the main duties do not apply if a DPIA has already been carried out as part of a general impact assessment required by EU or member state law (or by domestic law, after Brexit), unless domestic law requires otherwise. (See Article 35(10), which is amended as to wording after Brexit by the DPPEC Regulations, Sch 1, para 29(10)). If the decision is that no DPIA is required, this should be recorded. In cases of doubt, the ICO advises conducting one. In a case where a DPIA proceeds, the following steps should be followed:

8 ICO: ‘How do we do a DPIA?’.

Step 2: describe the processing

13.21 The detailed guidance says that this should describe how and why the controller plans to use the personal data. The description should include ‘the nature, scope, context and purposes of the processing’9. The guidance gives lists of examples of each, and these should be consulted. For example, the ‘nature’ of the processing includes how it will be collected, who will have access to it, and security measures. Its ‘scope’ includes its volume and variety, duration, and the number of data subjects. Its ‘context’ includes its source, the extent to which individuals have control over their data, or any current issues of public concern. Its ‘purpose’ (ie the reason for the proposed processing) should include the intended outcome for individuals, the controller’s legitimate interest (if relevant), and the expected benefits for the controller or for society. Another objective for this stage of the exercise, drawn mainly from the Code on the previous PIAs, would be that it should also chart the flows of personal data, so that (for example) points of weakness as to security can more easily be identified.

Step 3: consider consultation with individuals

13.22 The ICO’s guidance advocates consulting individuals (or their representatives), unless there is a ‘good reason’ not to do so. (This goes beyond the GDPR, Article 35(9), which merely says that the controller should seek the view of data subjects, or their representatives, ‘where appropriate’; without referring to other consultees). It states that such consultation should be possible in some form in most cases. It recognises, however, that commercial confidentiality, or security, may be compromised; or that it may be disproportionate, or impracticable, to conduct consultation with individuals (according with Article 35(9)). Where the DPIA concerns existing customers or employees, it says that a process should be designed to consult those individuals or their representatives. Otherwise, it noticeably does not repeat the proposals in the former PIA guidance for more ambitious consultation, extending to other stakeholders. If, the Guidance suggests, the DPIA decision is at odds with the consultation, the reasons for disregarding the views of the consultees should be recorded.

Numbering of the steps in the ICO’s guidance

13.23 At this point, and at the time of writing, the ICO’s detailed guidance diverges from her high-level guidance as to the numbering and description of the steps involved. Step 4 is described as: ‘Do we need to consult anyone else?’, which does not appear on the flowchart in the high-level guidance. The numbering of the steps is adjusted accordingly in the detailed guidance, and the last two steps below are merged. The point being made in the ‘new’ step 4 is that the controller may wish to ask a data processor for information and assistance to complete the DPIA; and that arrangements for such assistance should already have been included in the controller’s contract with the processor. (Subsequently, there appeared to be a further amendment to the numbering, to create two steps carrying the same number (Step 3)).

13.24 The ICO also recommends here that other internal stakeholders (eg information technology experts; legal advisers; or, perhaps unexpectedly, ‘sociologists or ethicists’) should be consulted where appropriate; while pointing out that there is no obligation to do so. It is suggested that it may be better to see this part of the process less as ‘consultation’, than as designing a process which incorporates discussion with the necessary specialist staff or experts.

13.25 This work has maintained the numbering of the steps as in the high-level guidance (save for the insertion of prior consultation with the ICO, where applicable, as ‘Step 7A’).

9 GDPR, Article 35(1).

Step 4: assess the necessity and proportionality of the proposed processing

13.26 A DPIA is required to assess the necessity and proportionality of the processing operations in relation to the purposes (GDPR, Article 35(7)(b)). The ICO poses these questions: (a) ‘do your plans help to achieve your purpose?’; and (b) ‘is there any other reasonable way to achieve the same result?’ The guidance also refers to a different question (from the Article 29 Working Party) which is likewise intended to test necessity and proportionality: (c) how would you ensure data protection compliance?

13.27 In practical terms, the ICO says that the assessment should include:
• the lawful basis of processing;
• how ‘function creep’ will be prevented;
• how data quality will be ensured;
• how data minimisation will be ensured;
• how privacy information will be provided to individuals;
• how individuals’ rights will be implemented;
• measures to ensure that processors comply; and
• safeguards for international transfers.

Step 5: identify and assess the risks

13.28 The controller should consider the impact of the processing on individuals, and any harm which might be caused by the processing; whether physical, emotional, or material. The ICO suggests that the following should be examined. Security risks should be included, but it will be noted that these potential forms of impact go much wider. An example of the possible harm is suggested in each case:
• An inability to exercise rights (including privacy rights, but not limited to them). For example, a security breach might lead to a welfare benefits claimant losing their payments for a period.
• An inability to gain access to services or opportunities (eg a website failure might lead to a customer being unable to book a service).
• Loss of control over the use of personal data (eg the proposed processing might have the effect of lessening an individual’s ability to restrict the use of his or her data).
• Discrimination (eg if publicising support given to a local group of vulnerable individuals, by publishing photographs alongside interviews with members of the group, could expose those individuals to a risk of harassment).
• Identity theft or fraud (eg the sharing of electronic signatures of individuals with other controllers).
• Financial loss (eg the transfer of large numbers of individuals’ bank account details by their bank to a new payments processor).
• Reputational damage (eg sharing the offending histories of prisoners about to be released with charitable organisations in their home areas, for the purpose of helping them find work after release, but with inadequate security arrangements).
• Physical harm (eg insecurely disposing of paper records of individuals who have been known to be on the sex offenders register).
• Loss of confidentiality (eg sharing social services confidential case conference records more widely with other agencies).
• Re-identification of pseudonymised data (eg transferring responsibility for the security of the controller’s pseudonymisation ‘key’ to another part of the organisation).
• Any other significant economic or social disadvantage.

13.29 As already indicated, both the likelihood and severity of the harm need to be considered in assessing whether the level of a risk is ‘high’; meaning in this context that it would need to be mitigated if a consultation with the ICO were to be avoided. The Commissioner describes a high risk, in this context, in the following terms: ‘Harm does not have to be inevitable to qualify as a risk or a high risk. It must be more than remote, but any significant possibility of very serious harm may still be enough to qualify as a high risk. Equally, a high probability of widespread but more minor harm might still count as high risk.’10

10 ICO: ‘How do we do a DPIA?’.

13.30 The guidance includes a structured matrix, plotting severity of impact (ie minimal impact/some impact/serious harm) along one axis, against likelihood of harm (ie remote/reasonable possibility/more likely than not) along the other. ‘High risk’ is shown where there would be serious harm; both where it was more likely than not, and where it was only at the level of a reasonable possibility. A high risk would also arise where the level of severity was only at the level of ‘Some impact’, but the harm was more likely than not to occur11.

13.31 A medium (as opposed to high) risk would arise only where the level of severity was merely at no more than the level of ‘Some impact’; and its occurrence was judged to be no more than a reasonable possibility.

13.32 It will be seen from this that a ‘high risk’ requiring mitigation is quite likely to arise, possibly on multiple occasions, in a DPIA.

Corporate or reputational risks

13.33 The Commissioner suggests in her guidance on this step that the controller may wish also to consider its own corporate risks, such as regulatory action or reputational damage. This accords with the approach taken in the ICO’s Code on PIAs. While controllers may well wish to use the opportunity to consider these issues in a DPIA, practitioners should be clear, however, that the outcomes relevant to the assessment itself, and particularly in relation to any referral to the ICO, are solely those affecting the rights and freedoms of individuals; rather than the interests of the controller as well.

Step 6: identify measures to mitigate the risks

13.34 This is the key step, on which will depend both whether a referral is needed to the ICO; and the longer-term lawfulness and robustness (or otherwise) of the processing, if it is undertaken. The ICO advises that the source of each risk identified should be recorded against it. Options should then be considered for reducing the risk.

13.35 The Commissioner lists certain options for mitigation measures, but acknowledges that the list is not exhaustive:
— Deciding not to collect certain types of data.
— Reducing the scope of the processing.
— Reducing the retention periods.
— Taking additional measures of technological security.
— Training staff so that risks are anticipated and managed (so far as possible).
— Anonymising or pseudonymising the data.
— Creating internal guidance or processes to avoid risks.
— Using a different technology.
— Putting clear data sharing agreements into place.
— Offering individuals the opportunity to opt out where appropriate.
— Implementing new systems to help individuals to exercise their rights.

13.36 The following might also be suggested:
— Reducing the complexity of information flows.
— Reducing the number of staff with a ‘need to know’.
— Tightening controls on external working and the use of mobile devices.
— Seeking undertakings to limit onward transmission of personal data.

13.37 As the Commissioner advises, the record should show whether the controller believes that the risk can be reduced (and to what level), or eliminated. It is important to note that the expectation is not that all (or all high) risks will be removed, regardless of cost. The controller may take the costs and benefits of each mitigating measure into account in deciding whether it is appropriate.

11 See matrix, shown under Step 6 of the ICO’s detailed guidance: ‘How do we do a DPIA?’ (See also para 13.23 above as to the numbering of the steps in the ICO’s guidance).

Step 7: sign off and record the outcomes

13.38 The controller should record what additional or mitigating measures it proposes to take. Each risk should be recorded as eliminated, reduced or accepted. This will then leave an overall level of ‘residual risk’, after the mitigating measures have been taken, which should also be recorded.

13.39 It is permissible to retain a risk at high level, if this is considered acceptable given the benefits of the processing; but with the inevitable result that ‘prior consultation’ (the term used in Article 36) with the ICO will be necessary.

13.40 The DPO should be asked to advise on whether the processing is (or will be) compliant, after the mitigating measures are taken. If the controller chooses not to follow the DPO’s advice, it should record its reasons. The ICO advises that it should also record its reasons for going against advice from individuals or others whom it has consulted.

13.41 The ICO’s Code for PIAs advised that a senior person should sign off the report, but this does not feature in the new guidance on the GDPR.

Step 7A (where applicable): prior consultation with the ICO

13.42 If a high risk will remain (after mitigation), then the controller must consult the ICO before the processing begins (GDPR, Article 36(1)). This should be done by the DPO, if the controller has one; using any report of the DPIA as the basis. The report to the ICO should be made by email12.

13.43 Article 36(3) sets out the information to be provided to the ICO:
— (where applicable) the respective responsibilities of the controller, joint controllers and any processors involved in the processing (eg for processing within a group of undertakings). In a complex instance of data sharing, for example, this could require some detailed descriptions;
— the purposes and means (ie the methods) of the intended processing;
— measures and safeguards provided to protect the rights and freedoms of data subjects (ie the new mitigating measures proposed after the DPIA, and the existing measures already proposed);
— (where applicable) the contact details of the DPO;
— the DPIA (ie the report; or, if none is available, the records from it with a description);
— any other information requested by the ICO.

13.44 On receipt, the ICO says that the information will be checked for completeness, and a brief screening exercise conducted to identify whether (ie in the ICO’s view) there is an unmitigated high risk. If there is none, the ICO will inform the controller that no review will be necessary. Confirmation or otherwise that a review will be conducted should be available within ten days of receipt.

13.45 If a review is conducted, the ICO will review the DPIA (ie the report) to see whether she has all the required information. The ICO will then consider whether:
— the processing complies with data protection requirements;
— the risks have been properly identified; and
— the risks have been reduced to an acceptable level.

13.46 The ICO will provide written advice, where in her opinion the intended processing would infringe the GDPR (by taking too high a risk of breach). The advice may be given both to the controller and (where applicable) to the processor. In relation to overall timing, the ICO states in her guidance on DPIAs that, once they have the information they need, they will: ‘generally respond within eight weeks (although we can extend this by a further six weeks in complex cases).’13 If the ICO has questions, however, the timetable is suspended until all of the requested information has been received (under Article 36(2)); potentially adding significantly to the overall delay for which a controller may have to make allowance.

12 ICO: ‘Do we need to consult the ICO?’ There is a link on the ICO’s website for this purpose.
13 This reflects the timing in GDPR, Article 36(2).

13.47 The ICO may also, however, ‘use any of [her] powers referred to in Article 58’ (the powers of the supervisory authority)14. The ICO has acknowledged that this could include ordering the processing not to proceed (although this would doubtless be exceptional)15. The ICO describes, in her guidance16, the potential outcomes as being:
‘We will provide you [with] a written response, advising you that:
– the risks are acceptable and you can go ahead with the processing;
– you need to take further measures to reduce the risks;
– you have not identified all risks and you need to review your DPIA;
– your DPIA is not compliant and you need to repeat it; or
– the processing would not comply with the GDPR and you should not proceed. [Emphasis added]
In some cases, we may take more formal action. This might include an official warning not to proceed, or potentially imposing a limitation or ban on processing. [Emphasis added]
In some cases, our draft decisions could be considered by other European data protection authorities where the scope of your intended processing includes European member states.’

13.48 A controller may ask the ICO to review a decision made about its processing. After that, it can appeal to the First Tier Tribunal. It will be noted from the above that the ICO may (and has signalled that it is possible that in some cases she will) order some proposed processing operations not to proceed. The government, the National Assembly for Wales or the Welsh Ministers, Scottish Ministers, or a Northern Ireland Department, have duties to consult the ICO (after Brexit), during the preparation of legislative or associated regulatory measures, under Articles 36(4) and (4A)17. The pre-Brexit text of Article 36(4) also refers expressly to member state law being able to require controllers to obtain the authorisation of the supervisory authority, for the performance of a task carried out in the public interest; and specifically to social protection and public health as being included within the type of processing concerned.

14 GDPR, Article 36(2).
15 See also GDPR, Recital 94.
16 ICO: ‘Do we need to consult the ICO?’.
17 DPPEC Regulations, Sch 1, para 30(5).

Step 8: integrate the outcomes into the project plan

13.49 This stage follows either from satisfactory mitigation of any risks below ‘high’ (ie Step 7 above); or consultation with the ICO (Step 7A). Action points, and responsibilities for acting on them, should be identified and followed up (eg through any project management processes). The performance of the DPIA should be monitored. It is suggested that the effectiveness of the mitigation measures which have been undertaken should also be reviewed, in terms of the actual level of risk that results.

13.50 The ICO repeats her advice that the DPIA report should be published; alternatively, publication of a redacted or summarised version should be considered. On that point, it is suggested that public authorities may wish to bear in mind that DPIAs will be subject to the Freedom of Information Act 2000 (‘FOIA 2000’), in any event; and that they will form part of the ‘definition documents’ in many publication schemes under that Act.

Step 9: keep the DPIA under review

13.51 A DPIA should be kept under review. It may need to be repeated if there is a substantial change in the future in the nature, scope, context, or purposes of the processing.

OTHER ISSUES, INCLUDING EXEMPTIONS

Outsourcing a DPIA

13.52 The DPIA may be outsourced, but the controller remains responsible for it. If the controller has a DPO, their advice has to be sought on it, and should be documented. Information security staff, any processors associated with the operation, and legal advisers or other experts relevant to the type of processing, should also be involved.

Role of Data Protection Officer

13.53 The Commissioner advises that the DPO’s role should be to advise on:
• whether a DPIA is needed;
• how it should be done;
• whether it should be outsourced or handled in-house;
• what measures can be taken to mitigate the risks identified;
• whether the DPIA has been done correctly;
• the outcome, and whether the processing can proceed.

13.54 Any reasons for differing from the DPO’s advice should be recorded (as well as the advice itself). The DPO should also monitor how the implementation of the DPIA is carried out, including the effectiveness of the steps taken to mitigate the risks. Since the DPO is also the contact point with the Commissioner for any consultation arising from a DPIA18, however, a controller will need to avoid giving the DPO responsibilities for the DPIA which may conflict with the independence of their role (and which would be contrary to Article 38(6)).

13.55 As already indicated (at para 13.50), the ICO recommends that a DPIA report be published, as part of engendering trust in processing. This is not a requirement of the GDPR, however, and it remains to be seen how far this proves to be attractive to controllers.

ICO’s capacity

13.56 The Commissioner expects the percentage of cases sent for consultation to be ‘small’. This could still represent a significant volume, however, and in that event there may be an issue over whether the ICO has the capacity to screen the risks within the period which it says will ‘generally’ be applied of eight weeks (with a further six weeks in complex cases)19. As indicated (para 13.46), if the ICO asks questions in a particular case, however, the deadlines are suspended, and the timing could become significantly longer. The ICO also points out that she may be required to co-operate with other data protection authorities (if the proposed processing would have an impact on data subjects in other countries), and that this may mean that the case cannot be resolved within the extended timescale of 14 weeks. Data subjects will be notified in that event, and kept informed.

Previous DPIA

13.57 A new DPIA is not required where the controller has already conducted a PIA, unless there has been a ‘significant change to the nature, scope, context or purposes of the processing since that previous assessment’20. It is recommended that the position is reviewed, and that the reasons for not conducting a new exercise are recorded.

13.58 A DPIA may cover a single operation of data processing, or a group of similar operations. An existing DPIA may be relied upon if it covered a ‘similar processing operation with similar risks’. If using new technology, a DPIA conducted by the developer of the product may be useable21. A DPIA may be necessary, however, for an existing processing system which is proposed to be changed.

18 See GDPR, Article 39(1)(e).
19 See GDPR, Article 36(2).
20 ICO detailed guidance on DPIAs: ‘What’s new under the GDPR?’.
21 ICO detailed guidance on DPIAs: ‘What is a DPIA?’.

Exemptions from a DPIA

13.59 There are limited circumstances where a controller may be exempted from an obligation to conduct a DPIA, where otherwise the requirement would apply. Three circumstances may arise:
(a) the processing is on the lawful basis of either a legal obligation (Article 6(1)(c)), or of the public task (Article 6(1)(e)), and:
• the processing has a clear statutory basis;
• the legal provision or a statutory code specifically provides for the processing operation, and regulates it;
• the controller is not subject to other obligations to complete a DPIA (eg under Cabinet Office requirements); and
• a risk assessment of data protection was carried out as part of the impact assessment when the legislation was adopted, and member state law (or after Brexit, domestic law) does not require a separate one22;
(b) the controller has already completed a substantially similar DPIA23; or
(c) the activity appears on a list, issued by the ICO, of operations which do not require a DPIA. The ICO has a power under Article 35(5) to issue such a list but has not done so, and ‘may consider’ one in the future.

22 See GDPR, Article 35(10), as rephrased after Brexit by the DPPEC Regulations, Sch 1, para 29(5).
23 See GDPR, Article 35(1).

CHAPTER 14

Data Protection Officer

DESIGNATION OF A DPO

14.1 A controller or processor has to designate a Data Protection Officer (‘DPO’) in any case where1:
(a) it is a public authority or body (other than a court acting in its judicial capacity);
(b) its ‘core activities’ consist of processing which requires the regular and systematic monitoring of data subjects on a large scale, by virtue of those activities’ nature, scope or purpose; or
(c) its ‘core activities’ consist of processing on a large scale of either special categories of data, or personal data relating to criminal convictions and offences (under GDPR, Article 10)2.

14.2 In relation to (a) in para 14.1 above, the meanings of ‘public authority’ and ‘public body’ are defined in the Data Protection Act 2018 (‘DPA 2018’), s 7(1) as: a public authority as defined by the Freedom of Information Act 2000 (‘FOIA 2000’); a Scottish public authority as defined in the Freedom of Information (Scotland) Act 2002; or, an authority or body specified in regulations.

14.3 Limitations are then applied to these definitions:
(a) a public authority or body is only included for the purposes of the GDPR when it is performing a task carried out in the public interest, or in the exercise of official authority vested in it3. In this context, this means that a public authority or body only has to appoint a DPO when it carries out such tasks, or exercises such authority (ie when it has functions to perform involving personal data, which it supports using the lawful basis in GDPR, Article 6(1)(e));
(b) certain smaller local authorities and local bodies are excluded, and so do not have to appoint a DPO (English parish councils, Welsh community councils, parish meetings, community meetings, and charter trustees); and
(c) the Secretary of State may, by further regulations, exclude a public authority or body from the application of the GDPR (and thus, in this context, from having to appoint a DPO)4. At the time of writing, no regulations had been made under this provision.

1 See GDPR, Articles 35-36, 37-39, 83, and Recital 97.
2 GDPR, Article 37(1).
3 DPA 2018, s 7(2).

14.4 In relation to (b) in para 14.1 above, ‘core activities’ are described in the ICO’s summary guidance on Data Protection Officers as ‘primary business activities’; or, what an organisation needs to do to achieve its key objectives. Other activities, such as Human Resources (‘HR’), or information technology (‘IT’) support, would be for a secondary purpose; since most organisations undertake them, and those roles do not in most cases form part of their main activities. Where a company provides HR (or IT) services to clients, so that it does constitute its core activity, the HR or IT activity it undertakes in relation to its own internal operations would be a secondary activity.

14.5 The former Article 29 Working Party (now the European Data Protection Board, or ‘EDPB’) has taken the view that the ‘regular and systematic monitoring’ of data subjects includes all forms of tracking and profiling, both on- and off-line; and that, in this respect, the scope should be seen as going beyond Recital 24 (which refers to monitoring of online behaviour)5. The ICO reflects this approach in her guidance on DPOs. This seems a sensible interpretation; notwithstanding that the great majority of such tracking will be on-line.

14.6 ‘Regular’ means (the Working Party advised) one or more of the following:
• Ongoing or occurring at particular intervals for a particular period;
• Recurring or repeated at fixed times; or
• Constantly or periodically taking place.

14.7 The meaning of ‘systematic’ offered by the working group is one or more of the following:
• Occurring according to a system;
• Pre-arranged, organised or methodical;
• Taking place as part of a general plan for data collection;
• Carried out as part of a strategy.

14.8 Neither the Working Party nor the ICO has suggested a numerical definition of ‘large-scale’. Both suggest that the following factors should be taken into account in assessing scale:
— numbers of people concerned (as a number or proportion);
— volume of personal data, or range of data items being processed;
— duration or permanence of the processing;
— geographical extent of the processing.

4 DPA 2018, s 7(5).
5 Article 29 Working Party, ‘Guidelines on Data Protection Officers’, WP 243, para 2.1.4.

14.9 The Working Party gives examples: the patient data held by a hospital would be ‘large-scale’ but that held by an ‘individual physician’ (ie single GP) would not. The data collected through tracking travel cards used on a city’s urban transport scheme would be large-scale. A bank or insurance company would process the data of its clients on a large-scale; as would a telephone company or internet service provider. The files held by an individual criminal lawyer would not be large in scale6.

Example: regular and systematic monitoring
The ICO advises that a retail website which uses algorithms to analyse customers’ preferences and to send recommendations to them, according to pre-arranged criteria, would be regular and systematic monitoring on a large scale.

14.10 In relation to (c) in para 14.1 above, the Working Party pointed out that Article 37(1)(c) refers in error to processing of special categories of data under Article 9 ‘and’ data relating to criminal convictions and sentences under Article 107. It says that there is no policy reason for these to be read simultaneously, and that the text should be read as ‘or’; so that the processing on a large-scale of either type of data would occasion the appointment of a DPO. (For a description of Article 10 processing, see Chapter 17).

14.11 A controller or processor, or an association or other body representing categories of controllers or processors, may designate a DPO to act on their behalf; and shall (pre-Brexit) do so where required by EU or member state law8. After Brexit, the potential to prescribe the designation of DPOs, beyond those required under the GDPR, is removed9.

14.12 A group of undertakings may appoint a DPO between them, provided that he or she is ‘easily accessible’ from each establishment10. Similarly, public authorities or bodies may appoint a single DPO between a number of them, taking their organisational structure and size into account11. The former condition would mean, for example, that undertakings that were geographically distant from each other, albeit conducting similar operations, would have to justify appointing a single DPO, and consider that they could overcome the practical limitations in that person’s accessibility. Large public authorities, or those distant from their proposed partner bodies, would need to look carefully at the feasibility of such an arrangement, in terms of their structure and size. Wider issues include that a DPO needs to have sufficient familiarity with the work of each undertaking or authority that they can assess what they are told from a critical perspective, and can intervene effectively where required. This would tend to be more difficult if their knowledge were limited to that of a periodic visitor.

6 Article 29 guidelines (see footnote 5 above), para 2.1.3.
7 Article 29 guidelines (see footnote 5 above), para 2.1.5.
8 GDPR, Article 37(4).
9 DPPEC Regulations, Sch 1, para 31(2).
10 GDPR, Article 37(2).
11 GDPR, Article 37(3).

14.13 Where a controller or processor considers the above criteria, and concludes that it does not need to appoint a DPO, the ICO advises that it should record its reasons, as part of its duty of accountability12.

14.14 A controller or processor may appoint a DPO where it is not obliged to do so; but the full duties and responsibilities arising from designating a DPO will apply to them in those circumstances.

Skills and experience

14.15 The DPO is to be designated on the basis of their professional qualities and, in particular, their expert knowledge of data protection law and practices; together with the ability to fulfil the tasks of the role, as set out in GDPR, Article 39. A specific qualification in data protection is not, therefore, required; although either suitable knowledge or experience will be. The DPO may be a member of the staff of the controller or processor; or may operate under a service contract.

Contact details

14.16 The controller or processor has to publish the contact details of their DPO, where designated; and inform the supervisory authority of them. The details should also be published to the staff of the organisation. Their name need not necessarily be published, however (although it will need to be released to data subjects if a data breach is reported to them). Notwithstanding that the name may be withheld (which seems impractical internally), the DPO should be easily accessible to employees, individuals and the ICO13.

POSITION OF THE DPO

14.17 The DPO has a particular, and essentially unique, position within (or in relation to, if they are outside) the organisation. The controller/processor has to ensure that they are ‘involved, properly and in a timely manner’ in all issues relating to data protection14. This is not the same as being placed in charge of data protection; indeed, the DPO should generally be separated, so far as possible, from direct management responsibility for fulfilling their employer’s or client’s data protection activities. Their involvement is primarily as a consultee, monitor or critic; with significant influence, but limited management responsibility. The DPO also has a back-stop responsibility to the Commissioner.

12 ICO: ‘Data Protection Officers’.
13 See ICO guidance: ‘Data Protection Officers’.
14 GDPR, Article 38(1).

14.18 To ensure their independence and effectiveness, the controller/processor is to support the DPO in carrying out his or her tasks (which are specified in Article 39), by providing the DPO with:
(a) the resources necessary to carry out the tasks (ie in terms of time, financial assistance, infrastructure and (where necessary) staff);
(b) access to the personal data held, and the processing operations carried out on them (ie so that the controller/processor cannot deny access to the DPO);
(c) the resources necessary to maintain his or her expert knowledge (eg training, subscriptions to professional information, attendance at professional conferences etc)15.

14.19 To reinforce their independence, the controller/processor is also to ensure that the DPO:
(a) receives no instructions regarding the exercise of his or her tasks;
(b) may not be dismissed or ‘penalised’ by the controller/processor for performing his or her tasks; and
(c) reports directly to ‘the highest management level’ of the controller/processor16.

14.20 The limitation on instructions relates only to the exercise of the tasks: the DPO can obviously be instructed on normal staffing rules or practices, or on corporate policies unrelated to data protection. The DPO may also have other tasks or duties, outside data protection; although the controller/processor is to ensure that these do not result in a conflict of interest17.

14.21 The requirement for the DPO to report to the ‘highest management level’ of the controller or processor caused some confusion when first unveiled; with many assuming that this meant the DPO should be of considerable seniority. The ICO’s guidance refers to the DPO reporting to a manager at board level, but then says that this does not mean that they need to be line-managed by that person.
This may be questionable, but the important point is that the DPO needs a direct line to a person at Board level (or its equivalent); with the implication that the senior manager will report the DPO’s views direct to the Board, without interference or alteration in presentation. The DPO should, therefore, be in a position where his or her advice will be heard at that level; even if it is not always fully followed. If the controller/processor does not follow the advice, however, it would be well-advised to record its reasons.

15 The wording of GDPR, Article 38(2) is slightly ungrammatical at this point.
16 GDPR, Article 38(3).
17 GDPR, Article 38(6).


14.22 Somewhat contrary to the general encouragement of independence, however, the DPO is bound by ‘secrecy and confidentiality’ about the performance of his or her tasks, as determined by EU or member state law; or, post-Brexit, by domestic law18. This rule could potentially cause some strain where a DPO was seeking to persuade the undertaking that it was not compliant; and it illustrates the limits within which the DPO is expected to operate. The DPO is not expected (at least at this stage) to step outside the corporate culture; or the equivalent boundaries placed on public comments by employees (even at a senior level) within or beyond a public authority. The DPO is not (at least at this stage) a public whistle-blower. As will be noted from para 14.27 below, however, this view of their role may need some (temporary) adjustment when a reference has to be made to the ICO.

14.23 Data subjects are given a specific right to contact the DPO with regard to all issues related to processing of their personal data, or the exercise of their GDPR rights19. In practice, the DPO can (and probably will) be the first contact point for complaints from individuals about the handling of access rights, or to make requests to exercise individual rights. The DPO may in practice, therefore, have responsibility for overseeing access requests, or other rights such as rectification or the right to object. Both the controller and the DPO should remain aware, however, that the latter needs to be in a position to inform the controller if it is failing to meet its data protection obligations (under his or her tasks in Article 39 – see para 14.24 below); and that any conflict of interests should be avoided. It should be noted that the Article 29 Working Party reasoned that since the tasks and duties of the DPO are prohibited from giving rise to a conflict of interest with his or her primary task20, the DPO could not hold a position leading him or her to determine the purposes and means of processing. The ICO says the same21. It will be important, therefore, for a DPO to maintain a sufficient degree of distance from day to day responsibilities, that any such tasks which they exercise do not give rise to such conflicts, and do not hamper their independent focus on the controller’s degree of compliance.

TASKS OF THE DPO

14.24 The tasks of the DPO are set out in GDPR, Article 39, as follows:
(a) to inform and advise the controller/processor, and the employees who carry out processing, of their obligations under the GDPR or EU or member state law (the latter rephrased, after Brexit, to refer to ‘other domestic law relating to data protection’)22;

18 DPPEC Regulations, Sch 1, para 32.
19 GDPR, Article 38(4).
20 GDPR, Article 38(6).
21 ICO guidance on ‘Data Protection Officers’ (sub-heading: ‘Can we assign other tasks to the DPO?’).
22 DPPEC Regulations, Sch 1, para 33(2).


(b) to monitor the controller or processor’s compliance with:
• the GDPR;
• other EU or member state law (or domestic law, after Brexit, relating to data protection); or
• their own data protection policies, including:
— the assignment of responsibilities;
— ‘awareness-raising’ [of data protection issues];
— training of staff involved in processing operations; and
— ‘the related audits’;
(c) to provide advice where requested [Emphasis added] on data protection impact assessments, and to monitor the controller’s or processor’s ‘performance pursuant to Article 35’ (ie to advise on: whether or not a DPIA should be undertaken; the appropriate method, and the safeguards to be introduced; and, to monitor whether the DPIA is correctly carried out, and that its conclusions comply with data protection requirements23);
(d) to co-operate with the ICO;
(e) to act as the contact point with the ICO on ‘issues relating to processing’, including (but not limited to) consultation with the ICO required under Article 3624; and to consult the ICO, where appropriate, on any other matter. (The role in relation to the ICO is thus broader than solely consultation following DPIAs).

14.25 The tasks listed under (b) in para 14.24 above are not intended to give the DPO a more active role in management (such as shaping data protection posts, or appointing people to them); rather than merely advising on either. The ‘related audits’ envisaged under the same sub-paragraph seems to refer to internal audits of data protection compliance.

14.26 The DPO is placed under a general duty to have due regard to the risks associated with processing operations25. He or she is expected to take a risk-based approach, and to prioritise accordingly26. The DPO is to take into account the ‘nature, scope, context and purposes’ of the processing concerned. Thus where the risks are potentially high (either by severity, or likelihood), the DPO should advise that this should be given suitable weight – and balanced with the reasons for the processing, and the context of what is being proposed – as part of the organisation’s consideration of whether to undertake the processing; and, if so, how to do it or which safeguards to put in place. As with the other main aspects of the role, the DPO is the adviser, not the decision-maker, in relation to such a balancing exercise.

23 Article 29 Working Party guidelines (see footnote 5 above), para 13.
24 Ie concerning the results of certain Data Protection Impact Assessments (DPIAs); see Chapter 13.
25 GDPR, Article 39(2).
26 See Article 29 Working Party, ‘Guidelines on Data Protection Officers’, WP 243, 13th December 2016, para 4.3.

14.27 The role of the DPO can be expected to change, however, at least temporarily, when a new proposed processing activity has to be referred to the ICO for ‘prior consultation’, and cannot be mitigated below ‘high risk’ following a DPIA27. (See Chapter 13). In those circumstances, the DPO moves from being an adviser to having responsibility for liaison and negotiations with the ICO. He or she will need to act as a ‘bridge’ in both directions between the controller/processor and the ICO; assisting the ICO to understand the controller’s (or processor’s) concerns, but also explaining the ICO’s judgments and concerns to the controller or processor. There is a clear potential for conflict (eg the DPO acquiring knowledge from the ICO on terms which preclude its disclosure to the controller, thereby placing that person in an awkward position; while similarly having access to information which may be relevant to the ICO’s consideration, but which the controller or processor would consider to be confidential). In effect, the DPO will have to see and approach the issue from both sides.

14.28 The factors of the nature, scope, context and purposes of the processing, which are to be taken into account by the DPO generally in carrying out their functions, should also inform their actions in advising on a DPIA.

27 See GDPR, Articles 36(1) and 39(1)(e).


CHAPTER 15

Data Breaches

15.1 If there is a personal data breach, the controller must report it to the ICO within 72 hours (‘where feasible’) of becoming aware of it1. There is an exemption from the duty only if the breach is ‘unlikely’ to result in a risk to the rights and freedoms of individuals. If the matter is not reported, this should be recorded. Where a report is not made within 72 hours, reasons for the delay are to be given2. In assessing the risk, controllers should consider the potential negative consequences of the breach for individuals (see below). Recital 85 points to consequences of not addressing a breach in a timely manner.

15.2 A ‘personal data breach’ includes a loss or theft of personal data, but is not confined to these. GDPR, Article 4(12) defines it as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to, personal data which are being transmitted, stored, or otherwise processed. The breach can be accidental, deliberate or negligent. As noted above, however, the scope is limited to a security breach of some kind; although the consequences may be wider, harming the ‘rights and freedoms of natural persons’.

15.3 As well as unauthorised access, or the loss of computer devices containing personal data, examples of breaches may include: deliberate inaction by a controller or processor; sending data to the wrong recipient; or, a loss of availability of data. The consequences may include: loss of control over data; limitation of an individual’s rights; identity theft; financial loss; an unauthorised reversal of pseudonymisation of data; damage to reputation; or, loss of confidentiality of data protected by professional secrecy. Damage may be emotional, as well as physical or material.

ASSESSING RISK

15.4 The Article 29 Working Party produced guidelines on this provision including the assessment of risk3. These referred to GDPR, Recitals 75 and 76. They contrasted assessing risk under a DPIA, where the judgment is of a hypothetical risk, and the circumstances of a data breach which has occurred. A judgment should be made both of the severity of the risk and its likelihood. Annex B of the document contained examples of different situations. Relevant factors were:
— the type of breach (eg a disclosure of medical information to an unauthorised person is more serious than a loss of medical data which may not be recoverable);
— the nature, sensitivity and volume of the breach (usually, the more sensitive the data, the higher will be the risk of harm). Even the loss of a very small amount of highly sensitive data can have a high impact (as also can a loss of large volumes of less harmful data). Attention should be paid, however, to what other information may be available about the data subject, which may make an apparently innocuous loss into a more serious one, if they were combined. An example is given of a list of addresses receiving regular deliveries, but which indicates which household has postponed a delivery while they are away; producing information of use to thieves. Breaches involving: health data; identity documents; or, financial data, are likely to be harmful in themselves; but more serious if used for identity theft;
— the ease of identification of the data subject may be an important factor, either from the data in question, or by combination with other data;
— encrypted data will be unintelligible. Pseudonymised data will be better protected than otherwise, although not to the point of unintelligibility;
— severity of consequences for the data subject: breaches resulting in identity theft, fraud, physical harm, psychological distress, humiliation, or damage to reputation can be especially severe. Knowledge of the likely intentions of those now holding the data may be highly relevant; data sent by accident to a party who may be trusted (even if they have opened the information) will be judged less likely to lead to its misuse than a clearly intentional breach from outside;
— the permanence or otherwise of the consequences for the individual;
— any special characteristics of the individuals (eg that they are children, or otherwise vulnerable);
— the number affected (generally, the greater the number, the greater the impact); although a severe breach may affect even one individual sufficiently seriously to require notification.

1 GDPR, Article 33(1).
2 GDPR, Article 33(1).
3 See Article 29 Working Party: ‘Guidelines on Personal data breach notification under Regulation 2016/679’, WP250 rev.01, pp 22–26.

NOTIFICATION TO ICO (GDPR, ARTICLE 33)

15.5 The notification by the controller to the ICO is to contain at least:
(a) a description of the breach, including so far as possible the categories and approximate number of people and records affected;
(b) the name and contact details of the Data Protection Officer (‘DPO’) (if any);
(c) the likely consequences of the breach;
(d) measures taken, or proposed, to address the breach or to mitigate its adverse effects4.

4 GDPR, Article 33(3).


15.6 The information may be provided to the ICO in phases, if it cannot be provided at the same time. The ICO indicates, however, that she expects controllers to prioritise investigations, devote sufficient resources to them, and expedite them5.

15.7 The breach should be documented for the purposes of verification by the ICO, as part of the Accountability principle6; including what has happened, the effects, and any remedial action taken.

NOTIFICATION TO DATA SUBJECTS (GDPR, ARTICLE 34)

15.8 Where the breach is likely to result in a ‘high risk’ of an adverse effect on the rights and freedoms of individuals, the controller is also to communicate news of the breach to them ‘without undue delay’7. The risk is to be assessed both as to severity and likelihood. Thus a breach that would have severe consequences, where the consequences are unlikely to occur, can still be ‘high risk’8. Likewise, a high likelihood of harm which is of relatively low-consequence will nonetheless be ‘high risk’.

15.9 A communication to the data subject, if it needs to be made, must describe the nature of the breach in plain language, and cover at least features (b)–(d) in para 15.5 above.

15.10 No communication is required, however, if:
— the controller has applied appropriate protection measures, such as encrypting the data so that they are unintelligible to a person not authorised to have access;
— the controller has taken subsequent measures so that the high risk to data subjects is now unlikely to arise (eg by disabling the data remotely); or
— requiring the controller to notify data subjects would involve disproportionate effort; in which case the controller is to make a public announcement instead to inform those affected in an ‘equally effective manner’9.

15.11 Where the controller has not told data subjects about the breach, the ICO may require it to do so. Alternatively, the ICO may decide that one or more of the tests in para 15.10 above is met, so that there is no need for the controller to notify the individuals concerned10.

5 ICO: ‘Personal data breaches’.
6 See paras 4.19–4.22 above.
7 GDPR, Article 34(1).
8 See, as an example, the matrix of risk in ICO’s detailed guidance on DPIAs: ‘How do we carry out a DPIA?’, Step 6. (See also para 13.30 above).
9 GDPR, Article 34(3).
10 GDPR, Article 34(4).


15.12 Breaches affecting data subjects in more than one EU state would (pre-Brexit) require the controller to notify the lead supervisory authority (ie the supervisory authority of the main establishment, or of the single establishment of the controller or processor). The guidance from the Article 29 Working Party covers this situation11. GDPR, Article 33(1) refers to notifying the ‘supervisory authority competent in accordance with Article 55’. The ICO’s website (pre-Brexit) advises controllers that it may not be the ‘lead supervisory authority’, and in consequence: ‘as part of your breach response plan, you should establish which European data protection agency would be your lead supervisory authority for the processing activities that have been subject to the breach.’ After Brexit, however, both the reference in Article 33(1), and Article 55 itself (dealing with the competence of supervisory authorities) are removed from the UK GDPR by the DPPEC Regulations12. This will have practical effect, however, only in relation to processing within the UK. Controllers or processors based in the UK but trading, or monitoring individuals’ behaviour, in the EU will remain subject to the breach notification rules in the EU GDPR (ie the GDPR applying in the remainder of the EU), by virtue of Articles 3(2), 33(1) and 55 of that measure, in the un-amended form in which they have applied in the UK before Brexit; but may have to deal with supervisory authorities in each relevant member state. Controllers or processors based in the EU, or elsewhere outside the UK, but trading or monitoring individuals’ behaviour in the UK, are obliged after Brexit to notify the ICO of a breach (unless unlikely to result in risk to data subjects) by virtue of Article 3(2) of the UK GDPR.

Processors and data breaches

15.13 A processor is to notify a controller without undue delay if it becomes aware of a data breach13. Thus an information technology (‘IT’) company providing an organisation’s website and databases should inform it without delay if it detects unauthorised access which may result in the clients’ data being hacked. Although this broad requirement is in the GDPR (in Article 28(3)(f)), the practicalities such as emergency procedures, contact details, or timing should be specified in the controller’s contract or agreement with the IT provider.

Penalties

15.14 The consequence of not notifying a breach when required to do so could, in the most serious cases, be a fine of up to €10 million (pre-Brexit) or 2% of global turnover (ie a penalty within the lower level of the two ranges); or, other enforcement action under GDPR, Article 58 (ie Part 6 of the DPA 2018). For this reason, the ICO advises that ‘robust’ systems should be in place to detect breaches, with procedures to investigate and to enable internal reporting. After Brexit, the maximum fine is converted to the equivalent figure of £8.7 million for breaches occurring after that date14.

11 Guidelines on Personal data breach notification, as at footnote 3 above (see pp 16–17). For lead supervisory authority, see GDPR, Article 56(1).
12 Sch 1, paras 27(3)(a) and 50 respectively.
13 GDPR, Article 33(2).

Preparations

15.15 The overall tenor of GDPR, Articles 33–34, is that controllers, and their processors, should have agreements and procedures in place so that they are prepared to act on data breaches, in the ways outlined above, as soon as they are discovered, in order to be in compliance with the GDPR.

14 DPPEC Regulations, Sch 1, para 62(4); and transitional provision at DPA 2018, Sch 21, para 16.


CHAPTER 16

Enforcement and Appeals

16.1 The enforcement tools available to the ICO are largely familiar. They are now set out in Part 6 of the Data Protection Act 2018 (‘DPA 2018’). Part 6 also supplements Articles 83–84 of the GDPR as to financial penalties. The tools are: Information Notices (and information orders); Assessment Notices; Enforcement Notices; powers of entry; and, Penalty Notices. The ICO also has prosecution powers for data protection offences. The position of the ICO, her independence, and her tasks and powers, are reinforced by Chapter VI of the GDPR; as amended, after Brexit, by the DPPEC regulations (Sch 1, paras 44–54).

INFORMATION NOTICES

16.2 The ICO may by notice in writing require a controller or processor to provide her with the information she reasonably requires for the purposes of carrying out her functions. She may also require any other person to provide her with information she reasonably requires for the purposes of investigating various types of failure (eg to give effect to individual rights) specified in DPA 2018, s 149(2), or a suspected data protection offence; or, for determining whether processing is by an individual for a purely household or personal activity (and thus outside the GDPR) (s 142(1)).

16.3 Provision is made in DPA 2018, s 142(2)–(5) as to the content of a valid notice, its scope, timing, and accompanying information. The information need not be provided before the end of the appeal period (s 142(5)); unless the ICO claims it is urgent, and gives reasons, under s 142(7); in which case the minimum period is 24 hours. Subject to the urgency procedure, an appeal against a notice suspends the obligation to provide the information (s 142(6)).

16.4 In the ICO’s guidance on her Regulatory Action policy, she states that information notices may be served at the ICO’s discretion in any investigation. The ICO will do so where such action is appropriate and proportionate, on the basis of criteria including:
— the risk of harm to individuals from the processing;
— the utility of requiring a formal response within a defined time;
— the utility of testing responses (by the fact that it is an offence to make a false statement – see paras 16.7–16.8 below);
— the public interest in the response1.

1 ICO: ‘Regulatory Action Policy’ (updated 2018), p 15.


16.5 If there is less than a full response, the ICO will ‘promptly apply for a court order requiring a response’; although this can be modified by various criteria (such as any commitments given to respond)2.

16.6 Restrictions on Information Notices include that the ICO may not issue a notice with respect to processing for the ‘special purposes’ (eg to a newspaper) unless either there has been a determination as to whether the special purposes apply under s 174; or, the ICO has reasonable grounds to suspect that such a determination could be made, and the information is required for the purposes of making it3.

16.7 Other restrictions include that a Notice cannot require information whose disclosure would infringe Parliamentary privilege4. A notice cannot apply to information about a communication which is subject to legal professional privilege5; or which is connected to data protection proceedings6; or whose disclosure would incriminate the person7 (although with certain exclusions, including an offence under the DPA 2018, or a perjury offence)8. In Doorstep Dispensaree Ltd v ICO9, the First-tier Tribunal agreed with the ICO that an Information Notice is not rendered invalid by a claim that it would lead to self-incrimination (which there is a right to avoid in DPA 2018, s 143(b)). Rather, the ICO is obliged, if such a claim is made, to take any submission on that issue into account in deciding whether to apply to a court to seek to enforce the Notice (or the ICO may withdraw it, or issue a substitute which avoids the risk).

16.8 Knowingly or recklessly making a false statement in a material respect in an information notice is an offence10. (See also paras 16.14–16.15 below).

16.9 If a person fails to comply with a notice, the ICO may apply to a court for an information order, to oblige the disclosure by a given date of information which the court is satisfied is required by the ICO11. In UKIP v ICO12, the Upper Tribunal considered an Information Notice for the first time (under the DPA 1998) and upheld it.

ASSESSMENT NOTICES

16.10 The ICO may by written notice require a controller or processor to permit the ICO to assess whether it is, or has been, compliant with the legislation13. The notice may require the recipient to do a range of things, including: permitting the entering of specified premises; or, assisting the ICO to view information on equipment on the premises14. The notice must, in relation to each requirement, specify the times or periods within which there is to be compliance by the controller/processor. It must also include information about the consequences of non-compliance, and the right to appeal15.

2 Regulatory Action Policy as above, p 16.
3 DPA 2018, s 143.
4 DPA 2018, s 143(2).
5 DPA 2018, s 143(3).
6 DPA 2018, s 143(4).
7 DPA 2018, s 143(6).
8 DPA 2018, s 143(7).
9 EA/2018/0265; see para 21.
10 DPA 2018, s 144.
11 DPA 2018, s 145.
12 [2019] UKUT 62 (AAC).
13 DPA 2018, s 146(1).

16.11 No action can be required before the end of the appeal period, and an appeal suspends the requirement to comply16. Two urgency procedures are, however, available to the ICO. In the most serious cases, where in the ICO’s opinion there are reasonable grounds to suspect that a controller or processor has failed (or is failing) in ways described in s 149(2); or that an offence under the Act has been, or is being, committed; and where the ICO considers that compliance should take place within seven days, the suspension of compliance pending an appeal is lifted. The failures described include a failure to meet data protection requirements including a failure to meet the data protection principles, give effect to individual rights, or meet obligations of controllers and processors17.

16.12 In a less serious case, the ICO can state the opinion that urgent compliance is necessary, with reasons, whereupon the suspension of compliance pending an appeal is likewise lifted, and the notice may require compliance before the end of a period of 7 days18.

16.13 Assessment notices are subject to restrictions in s 147, including: not requiring action to the extent that it would infringe Parliamentary privilege; and, not having effect in order to disclose legal advice connected to data protection, or in connection with legal proceedings of any type. No assessment notice may be issued with respect to: processing for the special purposes (eg to a news website); bodies dealing with security matters; or, to the Office for Standards in Education, Children’s Services and Skills (‘OFSTED’) in connection with care standards.

16.14 Where a person has been given an assessment notice requiring them to provide information, or to direct the ICO to a document, equipment etc, it is an offence for the person to take such action as destroying, disposing of, or falsifying the information or equipment, or causing its destruction etc, with the intention of preventing the ICO from viewing or being provided with the information19. There is a defence if the action would have occurred in the absence of the person being given the notice (ie if it would have happened anyway).

16.15 It is an offence for a person given an information notice, or an assessment notice, to destroy the information, document, equipment, or material sought20. There is a defence for a person charged to prove that the destruction, disposal, concealment, blocking or falsification would have occurred if the person being given the notice had been absent (ie it would have occurred without them).

14 DPA 2018, s 146(2).
15 DPA 2018, s 146(5).
16 DPA 2018, s 146(7).
17 DPA 2018, s 146(9).
18 DPA 2018, s 146(8).
19 DPA 2018, s 148(2).
20 DPA 2018, s 148.

ENFORCEMENT NOTICES

16.16 An enforcement notice requires a person to take specified steps, or to refrain from taking specified steps, or both21. Enforcement notices arise where the ICO is satisfied that a person has failed, or is failing, to comply in one of four ways set out in s 149(2)–(5); of which the most important are a failure to comply with the first type, set out in s 149(2), including:
• Articles 5–11 (ie Chapter 2) of the GDPR (comprising mainly the data protection principles), or the equivalent principles in DPA 2018, Parts 3 and 4; and the lawful bases of processing;
• Individual rights in Articles 12–22 (or in Part 3 for law enforcement);
• Obligations of controllers and processors (Articles 28–39), including breach notification; or
• International transfers22.

16.17 The scope of the power to issue enforcement notices may be expanded by regulations (s 149(8)).

16.18 Requirements as to the content of an enforcement notice are in s 150. A notice must state what the person has failed, or is failing, to do; and the ICO’s reasons for her opinion. In deciding whether to issue it, for a failure in s 149(2) (as set out above), the ICO must consider whether any person has been, or is likely to be, caused harm or distress by the failure. The power to order a person to refrain from taking steps may include a total or partial ban on processing, even of all personal data (although it is difficult to see how this could be applied). Requirements may (but need not) be applied for specified times or periods. The notice must state the consequences of non-compliance, and also rights of appeal. An assessment notice may not require compliance before the end of the period for appeals; and no compliance is necessary while an appeal is being determined23. Neither restriction applies, however, if the notice states that compliance is urgent, which may be required within a minimum of 24 hours24.

16.19 Particular rules apply to enforcement notices arising from a failure to comply with a data protection principle relating to accuracy, or with the rights to rectification, erasure or restriction. Instructions to rectify or erase inaccurate data may include:
— rectifying or erasing expressions of opinion appearing to be based on the inaccurate data;
— where data are accurately recorded as they were provided, but are factually inaccurate, requiring steps to be taken, including recording that the data subject considers the data to be inaccurate, or recording an approved statement as to the true facts;
— requiring the controller or processor, if practicable, to notify third parties to whom the data have been disclosed of the rectification or erasure25.

16.20 There are a number of restrictions on the use of enforcement notices26:
— a notice may not be issued in reliance on s 149(2) (see para 16.16 above) about processing for the ‘special purposes’, unless a determination has been made under s 174 with respect to the data or the processing, and a court has granted leave. A court may not grant leave unless it is satisfied that the ICO has reason to suspect a failure under s 149(2) which is of ‘substantial public importance’, and the controller or processor has been given notice of the application to the court; or the case is urgent. (See also para 16.36 below.)
— a notice may not require a person to do something which would infringe Parliamentary privilege.
— where there are joint controllers under DPA 2018, Part 3 (or Part 4)27 (ie controllers who jointly determine the purposes and means of processing, and have an arrangement determining their respective responsibilities)28, a notice may only be given to the controller responsible for compliance with the requirement in question.

16.21 In her revised policy on regulatory action, the ICO states that issuing an enforcement notice will ‘usually be appropriate where specific correcting action (or its prevention) may be required’29.

21 DPA 2018, s 149(1). 22 The remaining three ‘types of failure’ concern matters such as the monitoring of codes of conduct, accreditation, or payment of charges to the ICO: DPA 2018, s 149(3)–(5). 23 DPA 2018, s 149(6) and (7). 24 DPA 2018, s 149(8).

POWERS OF ENTRY

16.22 The terms on which warrants for entry may be applied for, granted, and executed are set out in DPA 2018, s 154 and Sch 15. The terms of applications include that there are reasonable grounds for suspecting that evidence of a data protection failure (under s 149(2)), or of the commission of an offence, is to be found on specified premises; or, that a controller or processor has failed to comply with a requirement in an assessment notice30.

25 DPA 2018, s 151(5)–(7). 26 DPA 2018, s 152. 27 Ie in relation to law enforcement processing, or security services processing, respectively. 28 See DPA 2018, s 58. 29 Regulatory Action Policy (as footnote 1), p 22. 30 DPA 2018, Sch 15, paras 1(1)(b) or 2(1) respectively.



16.23 Procedural requirements include that: seven days’ notice demanding access has already been given, in writing; or, access (or requests on gaining access) were unreasonably refused, when demanded at a reasonable hour; and, notice of the application has been given to the occupier31.

16.24 A person executing a warrant may use reasonable force32. It is an offence intentionally to obstruct a person executing a warrant issued under the Schedule; or, to fail without reasonable excuse to render such assistance as the person executing it may reasonably require33.

PENALTY NOTICES

16.25 The provisions in DPA 2018, Part 6, supplement the provision for substantial penalties contained in Articles 83–84 of the GDPR (as amended after Brexit, by the DPPEC Regulations, Sch 1, paras 63–64). Under s 155, if the ICO is satisfied that a person has failed, or is failing, in one of the ways described in s 149 (see para 16.16 above); or, has failed to comply with an information notice, an assessment notice or an enforcement notice, she may issue a penalty notice requiring the person to pay an amount specified. Fines may also be imposed in addition to, or instead of, other enforcement measures34.

16.26 When deciding whether to issue a notice, and in determining the amount, the ICO must have regard (so far as relevant):
— to the extent that the notice concerns a matter covered by the GDPR, the matters listed in GDPR, Article 83(1) and (2) (see paras 16.27–16.28 below);
— to the extent that it concerns another matter, the matters listed in DPA 2018, s 155(3) (see para 16.29 below).

16.27 The matters listed in Article 83(1) are that the ICO shall ensure that the penalty shall in each case be ‘effective, proportionate, and dissuasive’.

16.28 The matters listed in Article 83(2) are as follows:
(a) the nature, gravity, and duration of the infringement, taking into account the nature, scope and purpose of the processing, the number of data subjects affected, and the level of damage;
(b) the intentional or negligent character of the infringement;
(c) any action taken by the controller or processor to mitigate the damage;
(d) the degree of responsibility of the controller or processor, taking into account technical and organisational measures implemented by them under GDPR, Article 25 (data protection by design and default) and Article 32 (security of processing);
(e) any relevant previous infringements;
(f) the degree of cooperation with the ICO, in order to remedy the infringement and mitigate the possible damage;
(g) the categories of personal data affected;
(h) the manner in which the infringement became known to the ICO; including, in particular, whether the controller or processor notified her;
(i) where enforcement measures have previously been ordered with regard to the same subject matter, whether they were complied with;
(j) adherence to any approved codes of conduct (GDPR, Article 40) or approved certification mechanisms (GDPR, Article 42); or
(k) any other aggravating or mitigating factor applicable to the circumstances (eg financial benefits gained, or losses avoided, from the infringement).

16.29 DPA 2018, s 155(3), applies a very similar list of matters to be taken into account to processing to which the GDPR does not apply. Apart from adaptations to the UK context, there are detailed differences in relation to (a) in para 16.28 above (no reference being made to the nature of the processing, the numbers affected, or the level of damage). The factors do not apply to a failure to comply with charges payable to the ICO (the ‘fourth’ failure in s 149)35.

31 DPA 2018, Sch 15, para 4(2)–(4). 32 DPA 2018, Sch 15, para 7. 33 DPA 2018, Sch 15, para 15(1). 34 Referred to in GDPR, Article 58(2)(a)–(h), and (j).

Penalty notices

16.30 DPA 2018, Sch 16, provides for the process and content of the penalty notice regime. Before issuing a notice, the ICO must inform the person by a ‘notice of intent’, giving:
— reasons for the proposed penalty notice, including the circumstances of the failure;
— an indication of the amount of the penalty; and
— any aggravating or mitigating factors proposed to be taken into account36.

16.31 The notice of intent must state the right of the person to make written representations within a specified period of not less than 21 days, and (if the ICO considers it appropriate) oral representations. A penalty notice may not be issued until after the date for representations; nor longer than six months after the notice of intent was issued37.

35 DPA 2018, s 155(4). 36 DPA 2018, s 155(5) and Sch 16, para 3(1). 37 DPA 2018, Sch 16, paras 4(1) and 2(2) respectively.



16.32 The detailed contents of the penalty notice are prescribed in DPA 2018, Sch 16, para 5; including reasons for the penalty and its amount, and the right of appeal38. Payment is due within a specified period of not less than 28 days.

16.33 A penalty notice may be varied, but the amount or period for payment may not be varied to the detriment of the person to whom it was given39. A notice may also be cancelled, whereupon the fine would be repaid.

16.34 No enforcement may be taken before the expiry of an appeals period40. Enforcement is through either the county court or the High Court41.

Regulations on penalty notices

16.35 The Secretary of State may by regulations confer power on the ICO to give a penalty notice in respect of other failures to comply with data protection legislation than those set out in DPA 2018, s 155 (see para 16.29); and, to provide for the level of maximum penalty to be at either the standard (lower) or higher level42. Regulations may also amend substantial provisions of the penalty regime43. At the time of writing, neither type of regulations had been made.

Penalty notices and the ‘special purposes’

16.36 The ICO may not issue a penalty notice for processing for the ‘special purposes’ unless a determination has been made under DPA 2018, s 174; and a court has granted leave for the notice to be given. The court may not do so unless the ICO has reason to suspect a failure (ie of the duties in s 149(2); see para 16.16 above) which is of ‘substantial public importance’; and has given notice of the application to the controller or processor, or it is urgent44. Part 6 of the DPA 2018 (ss 174–179) provides for a significant role for the ICO in relation to special purposes processing which is beyond the scope of this work.

Penalty notices and Parliamentary privilege

16.37 A notice may not be given for processing whose purpose and manner are determined by or on behalf of either House of Parliament45.

38 DPA 2018, s 162. 39 DPA 2018, Sch 16, para 7(3). 40 DPA 2018, Sch 16, para 9(1)(b)–(d). 41 In England and Wales, and in Northern Ireland (DPA  2018, Sch  16, para  9(2) and (4) respectively). In Scotland, enforcement is through the sheriff court (Sch 16, para 9(3)). 42 DPA 2018, s 155(6)(a) and (b). 43 DPA 2018, s 155(7). 44 DPA 2018, s 156(1), and s 156(2)(a) or (b). 45 DPA 2018, s 156(3). See also other exclusions in s 155(4) and (5).



When a penalty notice will be appropriate

16.38 As to when a penalty notice will be appropriate, the ICO’s regulatory policy states: ‘In the majority of cases we will reserve our powers for the most serious cases, representing the most severe breaches of information rights obligations. These will typically involve wilful, deliberate or negligent acts, or repeated breaches of information rights obligations, causing harm or damage to individuals. In considering the degree of harm or damage we may consider that, where there is a lower level of impact across a large number of individuals, the totality of that damage or harm may be substantial, and may require a sanction.’

16.39 The policy goes on to say that each case will be assessed objectively on its merits, listing a series of factors such as whether there has been ‘a degree of damage or harm’, whether ‘sensitive’ personal data are involved, or where there has been a failure to comply with a notice46.

Maximum amount of penalty

16.40 The maximum penalty in the UK is the amount specified in GDPR, Articles 83(4) and (5); or, if none is specified there, the standard (ie lower) maximum amount47. This means that the higher range of penalties applies to breaches of:
— the data protection principles (including a breach of security)48;
— individual rights49;
— international transfers50;
— (pre-Brexit) obligations under member state law in GDPR Chapter IX (such as provision under Article 85 in relation to freedom of expression); or after Brexit, by equivalent references in the DPA 2018 to processing for the ‘special purposes’ (journalistic etc), including any made in regulations under powers in s 16(1)(c); or, in respect of research, statistics, or archiving in the public interest51;
— an information notice, assessment notice, or enforcement notice issued by the ICO; or a failure to provide access to premises or equipment52.
The standard and higher maximum amounts for law enforcement processing are set out in s 157(2) of the Act.

16.41 Before Brexit, or in relation to infringements occurring before that date, the maximum amounts are (as in the GDPR):
• higher maximum: in the case of an undertaking, €20 million or 4% of annual worldwide turnover in the preceding financial year (whichever is the higher); or, in any other case, €20 million;
• standard maximum: in the case of an undertaking, €10 million or 2% of annual worldwide turnover in the preceding financial year (whichever is the higher); or, in any other case, €10 million53.
Before Brexit, or in relation to actions by that date, the amount is converted to sterling according to the spot rate of exchange set by the Bank of England on the day of the issue. For infringements which occur after the date of Brexit, the two maximum amounts are converted into sterling, as £17.7 million and £8.7 million respectively54.

46 Regulatory Action Policy, as footnote 1 above, pp 24–25. 47 DPA 2018, s 157(1). 48 GDPR, Articles 5–7, and 9. 49 GDPR, Articles 12–22. 50 GDPR, Articles 44–49. 51 GDPR, Articles 85–91 (before Brexit). After Brexit, the DPPEC Regulations make the amendments outlined (Sch 1, para 62(5)(b)). On provision in relation to freedom of expression and the ‘special purposes’, see paras 9.92–9.100. On provision in relation to research, statistics and archiving in the public interest, see paras 9.101–9.113.

Examples of penalties

16.42 Examples of penalties, under the GDPR and previous (ie DPA 1998) regimes are as follows. Monetary penalties formerly applying in the UK under the DPA 1998 were limited to a maximum of £500,000:
(a) In January 2019, the French supervisory authority, CNIL, imposed a penalty of 50 million Euros on Google, under the GDPR, for providing information about processing which was considered to be insufficiently transparent or accessible. In addition, consent to the processing of personal data for the purpose of personalising advertisements was found to be invalid, because it was insufficiently informed, and the consent was neither ‘specific’ nor ‘unambiguous’. Google announced that it would appeal;
(b) Uber, the ride-sharing company, was fined £385,000 by the ICO in November 2018 under the DPA 1998, for inadequate security arrangements. A series of avoidable data security flaws had allowed the personal details of some 2.7 million UK customers to be accessed and downloaded in October–November 2016 from a cloud-based storage system operated by Uber’s US parent company, as part of a larger attack involving some 57 million people. The customers’ information included full names, email addresses, and telephone numbers. The records of nearly 82,000 drivers, including their weekly earnings, were also taken. The losses had the potential to expose customers and drivers to an increased risk of fraud. Uber paid the hackers $100,000 (£78,400) to destroy the data. Customers and drivers were not told about the incidents for more than a year. Uber was also fined by regulators in Holland;
(c) In April 2019, Bounty (UK) Limited, a pregnancy and parenting club, was fined £400,000 by the ICO, under the DPA 1998, for supplying the personal data of over 14 million individuals to third parties without being sufficiently transparent with those individuals about what would be done with their data; and, without a valid data processing condition (now a ‘lawful basis’) for the processing. The ICO said that the number of data subjects affected was ‘unprecedented’ in the history of her investigations of ‘data-broking organisations’;
(d) In a ground-breaking decision in October 2018, the ICO fined Facebook Ireland Ltd and Facebook Inc., as joint controllers, the maximum permitted amount under the DPA 1998 (£500,000), for unlawful processing, and failure sufficiently to protect the privacy of their users. In processing estimated by Facebook to have affected up to 87 million people worldwide (about 1 million in the UK), the data of UK users who made use of the Facebook site were unfairly processed, contrary to the then first data protection principle; and the controllers failed to take appropriate technical or organisational measures against unauthorised or unlawful processing, contrary to the then seventh data protection principle. Third parties were permitted to operate applications (‘apps’), in conjunction with the Facebook platform, and to obtain personal data about those users who installed the third party’s app. This extended also to obtaining personal data of users of the platform who did not install the app, but whose Facebook ‘friends’ did. One individual and his company created an app, and were able to obtain the personal data in these ways. Such data were shared with three other companies, and at least some of the data were likely, in the ICO’s finding, to have been used in connection with, or for the purposes of, political campaigning (although Facebook maintained that this was limited to US residents). The breach of the first data protection principle arose because information was collected about Facebook friends of users of the app without informing those persons; and without their consent being sought. To the extent that any processing purported to be based on consent, it was invalid since it was not freely given, specific or informed. Facebook unfairly, in the ICO’s finding, processed the data of users of the app, Facebook friends of such users, and individuals who exchanged Facebook messages with the users; and unfairly exposed them to a serious risk that their data would be used in breach of Facebook’s Platform Policy. The breaches of the seventh principle arose inter alia from a failure to take appropriate technical and organisational measures against the unauthorised or unlawful processing of the data of users of the app, Facebook friends of those users, and individuals who exchanged Facebook messages with users of the app. The ICO found that substantial distress was likely to have been caused. The ICO said that a significantly higher fine would have been imposed under the GDPR. Facebook announced in November 2018 that it was lodging an appeal to the First-tier Tribunal, which was awaited at the time of writing.

52 GDPR, Article 58(2), or (in respect of access) Article 58(1). 53 DPA 2018, s 157(5). 54 DPPEC Regulations, Sch 1, para 62. The transitional provision for infringements occurring before exit day, which converts the sterling amounts in the UK GDPR back into Euros, is in DPA 2018, Sch 21, para 16; inserted by DPPEC, Sch 2, para 102.

Penalty for non-payment of charges to ICO

16.43 In relation to non-compliance with the regulation on charges payable to the ICO, different fixed penalties may be applied in a document produced by the ICO55. The ICO’s revised Regulatory Action Policy set out fixed penalties of £400 for tier 1 (micro organisations); £600 for tier 2 (small and medium organisations), and £4000 for tier 3 (large organisations); as defined in, and consistent with, the Data Protection (Charges and Information) Regulations 201856. There is a maximum fine of £4350 for a failure to provide sufficient information to determine the appropriate fee, depending on aggravating factors57. The first fines were levied by the Commissioner in late November 2018.

16.44 The Secretary of State may by regulations provide that a person is, or is not, an undertaking, and make provision as to how to calculate turnover58. No regulations had been made under that power at the date of writing. The charging regulations were made under the Digital Economy Act 2017.

16.45 The ICO is obliged to issue guidance about how she proposes to exercise her enforcement functions and penalty notices59. Reference has been made to the ICO’s revised ‘Regulatory Action Policy’ issued in 2018, and practitioners will wish to consider its content in relevant instances60.

COMPLAINTS TO ICO, AND APPEALS TO TRIBUNAL

16.46 Complaints to the ICO by data subjects are made under DPA 2018, s 165(1)61. Complaints concerning processing under Parts 3 or 4 are made under DPA 2018, s 165(2). If the ICO does not act properly on a complaint (eg by failing to update the complainant about its progress), the complainant may apply to the Tribunal for an order obliging the ICO to take steps to progress the complaint, or to conclude it within a period62.

55 DPA 2018, s 158(1). 56 SI 2018/480. 57 ICO: ‘Regulatory Action Policy’, p 28. 58 DPA 2018, s 159. 59 DPA 2018, s 160. 60 DPA 2018, s 161. 61 Arising from GDPR, Articles 57(1)(f) and (2), and 77. 62 DPA  2018, s  166, and see also GDPR, Article  78; as amended after Brexit by the DPPEC Regulations, Sch 1, para 57.



16.47 Rights of appeal to the Tribunal exist in respect of information, assessment or enforcement notices, or penalty notices or penalty variation notices63. In the case of an enforcement notice, the appeal is against the refusal of an application to the ICO under s 153 to cancel or vary the notice. Appeals against a penalty notice can be against its issue, or the amount, or both.

16.48 The First-tier Tribunal may review any determination of fact by the ICO; so that the hearing is a full one as to both the facts and the law64. If it considers that the notice or decision is not in accordance with the law, or involved an exercise of discretion by the ICO which ought to have been exercised differently, it must allow the appeal or substitute another notice or decision. Otherwise, it must dismiss the appeal. It may cancel or vary an enforcement notice, or cancel a determination in respect of ‘special purposes’ processing under s 174 by the ICO65.

COURT REMEDIES

16.49 As under the DPA 1998, there is a parallel regime of enforcement or redress for individuals through the courts. If a court is satisfied that there has been an infringement of a data subject’s rights under the ‘data protection legislation’66 (including law enforcement processing, but excluding intelligence services processing under Part 4 in this case), it may make an order to secure compliance, requiring steps to be taken (or refrained from) within a period67. This provides a right to a judicial remedy as required (pre-Brexit) by GDPR, Article 79(1); and as amended, after Brexit, by the DPPEC Regulations (Sch 1, para 58).

16.50 Compensation for a contravention of the data protection legislation is available under GDPR, Article 82; including financial loss. The 2018 Act confirms that this covers compensation for ‘non-material damage’, including distress68. For non-GDPR processing, DPA 2018, s 169(1) confers a right to compensation, for which liability lies with the controller. A processor is liable in those circumstances for damage caused by the processing only if it has not complied with an obligation directed to processors under the legislation; or if it has acted outside, or contrary to, the controller’s lawful instructions. Neither is liable if it can prove that it was not in any way responsible for the event69. A ‘joint controller’ (under law enforcement processing in Part 3, or intelligence services processing in Part 4) is liable only to the extent of his or her share of responsibilities under an agreement made under DPA 2018, s 58 or s 104. The courts have also developed a common law remedy, in the form of the tort [ie civil wrong] of ‘misuse of private information’; derived from an action for breach of confidence. This is beginning to be claimed alongside actions for compensation under the data protection regime. In relation to the new tort, see: Campbell v MGN Ltd70 (and especially the speech of Lord Nicholls at paras 13–17). Both remedies were claimed in Google Inc. v Vidal-Hall and ors and ICO71. See also: McKennitt v Ash72 and Douglas v Hello! Ltd (No 3)73.

16.51 An urgency statement in an information, assessment or enforcement notice (eg requiring an urgent reply) may be appealed to a court; which may direct that it is not to have effect, or vary it (eg as to timing)74.

63 DPA 2018, s 162(1). 64 DPA 2018, s 163(2). 65 See paras 16.6, 16.20 and 16.36 above. 66 See para 2.10 above, and DPA 2018, s 3(9); including as amended after Brexit. 67 DPA 2018, s 167(2) and (3). 68 DPA 2018, s 168(1). 69 DPA 2018, s 169(3).

Offences

16.52 It is an offence knowingly or recklessly:
(a) to obtain or disclose personal data without the consent of the controller;
(b) to procure the disclosure of personal data to another person without the consent of the controller; or
(c) after obtaining personal data, to retain it without the consent of the person who was the controller at the time when it was obtained75.

16.53 It is a defence to prove that the obtaining, disclosing, procuring or retaining:
(a) was necessary for the purposes of preventing or detecting crime;
(b) was required or authorised by an enactment, rule of law, or court/tribunal order; or
(c) was justified in the public interest, in the particular circumstances76.

16.54 There are further defences, where it can be proved that:
(a) the person acted in the reasonable belief that he or she had a legal right to process in that way;
(b) the person acted in the reasonable belief that he or she would have had the consent, if the controller had been aware of it, and of the circumstances;
(c) the person acted: (i) for the ‘special purposes’; (ii) with a view to publication; and (iii) in the reasonable belief that, in the particular circumstances, the processing was justified in the public interest77.

16.55 Other offences include (in summary):
• selling personal data obtained in circumstances in which the above offence was committed78;
• offering to sell personal data which the person has obtained in circumstances where the above offence was committed; or which the person subsequently obtains79;
• knowingly or recklessly re-identifying information that is ‘de-identified’ personal data, without the consent of the controller responsible for its de-identification. (‘De-identification’ means that the data have been processed so that they can no longer be attributed, without more, to a specific data subject)80;
• knowingly or recklessly processing data that have been re-identified, where the person does so without the consent of the controller responsible for the de-identification, and in circumstances in which re-identification was an offence81.
• requiring another person to provide to oneself (‘P1’), or to give access to P1 to, a ‘relevant record’ in connection with: the recruitment of an employee by P1; the continued employment of a person by P1; or, a contract for the provision of services to P1 (DPA 2018, s 184(1)); or, requiring another person to provide to oneself (‘P2’), or to give access to P2 to, a relevant record, where P2 is involved in the provision of goods, facilities or services to the public, or a section of it; and the requirement is a condition of offering those goods, facilities or services to that or another person (DPA 2018, s 184(2)). A ‘relevant record’ is defined in Sch 18, paras 1–4, as: a health record; a record relating to convictions or cautions; or, a record relating to statutory functions on criminal, criminal justice or welfare benefits matters obtained by subject access; but excluding manual unstructured data. Defences can apply in either case (eg that the requirement is authorised by an enactment). A ‘requirement’ includes asking a person to provide a record, knowing that it would be reasonable for that person to feel obliged to comply, or being reckless as to whether that would be the case.

70 [2004] UKHL 22. 71 [2015] EWCA Civ 311, at paras 43 and 51. 72 [2008] QB 73, at paras 8 and 11. 73 [2005] EWCA Civ 595. 74 DPA 2018, s 164. 75 DPA 2018, s 170(1). 76 DPA 2018, s 170(2).

16.56 Defences to certain of these offences in DPA 2018, ss 171–172 include that the processing was necessary for the purposes of preventing crime.

16.57 It is also an offence for a controller or their employee, officer or a person under the controller’s direction, to alter, deface, block, erase, destroy or conceal information which has been requested under the rights of access or data portability, with the intention to prevent disclosure82.

16.58 Provision as to liability to penalties for offences is made in DPA 2018, ss 196–198.

77 DPA 2018, s 170(3). 78 DPA 2018, s 170(4). 79 DPA 2018, s 170(5). 80 DPA 2018, s 171(1). 81 DPA 2018, s 171(5).

Representation of data subjects 16.59 Before Brexit, a data subject has a right under GDPR, Article  80(1), where domestic law allows, to mandate a ‘not for profit’ body or similar organisation, which is legally constituted, has ‘statutory objectives’ in the public interest (ie objectives set within a statutory framework), and is active in the data protection field, to lodge a complaint on his or her behalf. Part 7 of the DPA 2018 makes provision in the UK (ss 187–190). In the UK, a body meeting qualifying criteria may exercise the individuals’ rights against the controller, or the ICO (in Articles 77–79) on their behalf; including the right to claim compensation under Article 82. The Secretary of State is obliged under DPA 2018, s 189, to undertake a review of the operation of the provisions within 30 months of their coming into effect (c. November 2020); including as to the merits of enabling such a body to exercise the rights of a data subject without authorisation; or to do so in relation to children’s rights (see s 189(1)–(4)). Article 80, and the related provisions in the DPA  2018, are amended by the DPPEC regulations (Sch  1, para  59; and Sch 2, paras 81–84, respectively). After Brexit, regulations in this area would be made under DPA 2018, s 190.

82 DPA 2018, s 173(3).

293

Section F

Law Enforcement Processing

CHAPTER 17

Law Enforcement Processing (DPA 2018, Part 3)

17.1 The introduction of the Law Enforcement Directive1 (‘LED’) has been accompanied by the separation of processing for law enforcement purposes from the scope of the GDPR; where previously such processing was of ‘sensitive’ personal data under the former Data Protection Directive2 and the Data Protection Act 1998 (‘DPA 1998’). Part 3 of the Data Protection Act 2018 (‘DPA 2018’) applies rules in the LED, however, to all domestic and cross-border processing for law enforcement purposes. A summary only is given here, as it is beyond the scope of this work to analyse this area in detail.

17.2 Paragraphs 17.26–17.28 below deal with the arrangements for processing of personal data connected to law enforcement by legal persons other than ‘competent authorities’ under Part 3 of the Act (‘Article 10 processing’).

COMPETENT AUTHORITIES

17.3 Part 3 of the DPA 2018 applies to the processing of data about criminal and criminal sentencing matters, where conducted by one or more ‘competent authorities’ (essentially bodies concerned with policing and crime, or prosecutions and criminal justice)3, other than the intelligence services (defined in s 30(7)). These are either listed in Sch 7, or arise from s 30(1)(b), which applies the definition to persons outside the Schedule to the extent that they have statutory functions for law enforcement purposes (such as a local authority with certain powers to bring prosecutions).

Law enforcement purposes

17.4 The law enforcement purposes for which the data may be processed under Part 3 are: ‘the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security’4.

1 Directive 2016/680, on protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.
2 Former Directive 95/46/EC.
3 DPA 2018, s 30 and Sch 7.
4 DPA 2018, s 31.

DATA PROTECTION PRINCIPLES

17.5 DPA 2018, Part 3, Chapter 2 sets out the data protection principles applying to data of this kind, together with safeguards:

1. Processing for any of the law enforcement purposes to be lawful and fair. This means that processing must be ‘based on law’ and either the data subject has given consent, or the processing is necessary for the performance of a task for a law enforcement purpose5. Where the processing is ‘sensitive’ (see para 17.6 below), the data subject must have consented to the processing for the law enforcement purpose; or, the processing has to be ‘strictly necessary’ for the law enforcement purpose, and meet a ‘condition’ in Sch 8 (see para 17.8 below)6. In either case of sensitive processing, an appropriate policy document (‘APD’) must be in place7. In the context of a criminal investigation, however, fairness would ‘rarely, if ever, require the subject of the criminal investigation to be kept abreast of the progress of the investigation, including transfer of information relating to his alleged criminality’8. It seems likely that this approach would be applied also to other processing, for law enforcement purposes, of the data of an individual under criminal investigation;

2. Law enforcement purposes for which data are collected must be specified, explicit and legitimate, and the data must not be processed in a manner incompatible with that purpose. Information may be processed for any other law enforcement purpose where the processing is authorised by law, and necessary and proportionate to the other purpose9;

3. The data must be adequate, relevant and not excessive in relation to the purpose of processing10;

4. The data must be accurate and where necessary kept up to date. Every reasonable step must be taken to erase or rectify inaccurate data. Facts and personal assessments should be distinguished. The personal data of suspects, persons convicted, victims, and witnesses should be clearly distinguished in processing. The quality of personal data should be verified before transmission, including the necessary information to enable the recipient to assess its accuracy. A recipient of incorrect data must be informed without delay11;

5. Data must be kept no longer than necessary for the purpose of the processing, with appropriate time limits for periodic reviews12;

6. Processing must be carried out in a manner that ensures appropriate security13.

5 DPA 2018, s 35(2).
6 DPA 2018, s 35(4) and (5).
7 See paras 5.89–5.91 and 17.7 on Appropriate Policy Documents.
8 R (El Gizouli) v Secretary of State for the Home Department [2019] EWHC 60 (Admin), para 187.
9 DPA 2018, s 36(1)–(3).
10 DPA 2018, s 37.
11 DPA 2018, s 38.
12 DPA 2018, s 39.

Sensitive processing

17.6 ‘Sensitive processing’ means the processing of:

(a) data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership;
(b) genetic data or biometric data in order uniquely to identify an individual;
(c) data concerning health; or
(d) data concerning an individual’s sex life or sexual orientation14.

The term ‘religious or philosophical beliefs’ would not include ‘extreme religious violence’. Similarly, a ‘mindset’ impelling a person to commit criminal acts of violence ‘could not be seen as a “political belief” for these purposes’. Nor would other criminal acts, which the individual considered were not wrong, nor the use of terrorist violence for a political or religious end, engage those provisions15.

17.7 Safeguards are applied to sensitive processing; notably a requirement for an ‘appropriate policy document’ to be in place, explaining procedures for compliance with the data protection principles in relying on consent or on one of the conditions in Schedule 8, and policies as regards the retention and erasure of such personal data, giving an indication of how long the data are likely to be retained16.

Data processing conditions (DPA 2018, Schedule 8)

17.8 The main ‘condition’ in Schedule 8 is that the processing is necessary for the exercise of a function conferred on a person by an enactment or rule of law, and that it is necessary for reasons of substantial public interest. This should cover the common law functions of a constable. Processing also meets a condition if it is necessary for the administration of justice. The other headings in the Schedule are that the processing is necessary:

— to protect vital interests;
— for the safeguarding of children or to protect adults at risk;
— for the purposes of legal claims or proceedings;
— for judicial acts;
— for the prevention of fraud;
— for the purposes of archiving, scientific or historical research, or statistics.

A condition is also met under Schedule 8 if the processing relates to personal data which are manifestly made public by the data subject.

13 DPA 2018, s 40.
14 DPA 2018, s 35(8).
15 R (El Gizouli) v Secretary of State for the Home Department [2019] EWHC 60 (Admin), para 192.
16 See DPA 2018, s 42.

Information for data subjects

17.9 Controllers have obligations to make information available to data subjects or the general public, akin to Privacy Notices under the GDPR, but in a more limited form. Restrictions may be applied to the information made available (eg to avoid obstructing an inquiry, or harming the prevention or detection of crime)17.

RIGHTS OF DATA SUBJECTS

17.10 Individuals have rights of access18, rectification19, and erasure or restriction of processing20. Data required to be erased, but which must be maintained for the purposes of evidence, have to be restricted by the controller21.

17.11 Under the right of access, the ground of refusal is that a restriction of the data disclosed would be a necessary and proportionate measure for a number of purposes, including: avoiding the obstruction of an official inquiry; avoiding prejudice to the investigation of offences; to protect public or national security; or, to protect the rights and freedoms of others (ie ‘third party’ data)22. Requests must be answered within one month; or any longer period set in regulations23.

17.12 An individual has a right not to be subject to automated decision-making, in that a controller may not take a significant decision by those means (ie one with an adverse legal effect, or which significantly affects the data subject) unless required or authorised to do so by law24. In that case, the data subject must be informed, and has the right within one month to require the controller to reconsider, or to take a new decision not based solely on automated processing25.

17.13 Rules as to unfounded or excessive requests apply to requests under the rights above. An ‘example’ of an excessive request is one which ‘merely repeats the substance of previous requests’ (which would, in such a case, appear to require at least two previous similar requests to have been made)26. It remains to be seen whether this general exception proves to be narrower in practice than that applicable under GDPR, Article 12(5).

17 DPA 2018, s 44; restrictions in s 44(4).
18 DPA 2018, s 45.
19 DPA 2018, s 46.
20 DPA 2018, s 47.
21 DPA 2018, s 47(2).
22 DPA 2018, s 45(4). See paras 7.9–7.11, 7.52–7.59, and 9.60–9.63 above for a description of third party personal data in the context of the GDPR.
23 DPA 2018, ss 45(3) and 54(2).
24 DPA 2018, s 49.
25 DPA 2018, s 50(2) and (3).

Obligations of controllers and processors

17.14 DPA 2018, Part 3, Chapter 4 sets out the obligations of controllers and processors27. Controllers are required to implement appropriate technical and organisational measures to ensure compliance with the requirements of Part 328. They must take into account: (a) the latest developments in technology; (b) the cost of implementation; (c) the nature, scope, context and purposes of the processing; and (d) the risks for the rights and freedoms of the individual from the processing29.

17.15 Controllers have obligations in relation to ‘data protection by design and default’; with a particular emphasis on limiting how much data are collected, and for how long they are kept30. The relationship between controller and processor is governed by s 59, which applies similar requirements to those in GDPR, Article 28; including the need for a contract in writing between the parties, meeting conditions set out in s 59(5)–(7).

17.16 Controllers and processors are to keep records of all categories of processing for which they are responsible, including the information specified in DPA 2018, s 61(2) and (4) respectively. They are also to keep logs of processing in automated systems as to the collection, alteration, consultation, disclosure or transfer, combination, or erasure of data31. ‘Logs of consultation’ or ‘logs of disclosure’ must make it possible to establish the justification for, and timing of, consultations/disclosures; and (so far as possible) the identity of the person consulting/disclosing the data32. Logs may be used only for specified purposes33.

17.17 Data protection impact assessments are required in cases of ‘high risk’ from processing to the rights and freedoms of individuals34. In assessing the risk, the controller is to take into account the nature, scope, context and purposes of the processing35. Prior consultation with the ICO is required, however, only where a controller proposes to create a ‘filing system’ within which to process data (where a DPIA shows that there would be a high risk to individuals’ rights and freedoms after any mitigating measures)36.

17.18 Controllers (which are ‘competent authorities’), other than a court or other judicial authority, must designate a data protection officer; with similar tasks and on similar terms, in relation to their independence, as under the GDPR37.

26 DPA 2018, s 53(2).
27 Defined in DPA 2018, s 32(1) and (3) respectively.
28 DPA 2018, s 56(1).
29 DPA 2018, s 55(3).
30 DPA 2018, s 57.
31 DPA 2018, s 62(1).
32 DPA 2018, s 62(2) and (3).
33 DPA 2018, s 62(4).
34 DPA 2018, s 64(1).
35 DPA 2018, s 64(4).

Security and breach notification

17.19 Security obligations on controllers and processors are set out in the Act; including specific requirements in relation to preventing unauthorised automated processing38. Data breach notifications to the ICO, within 72 hours where feasible, are required unless there is unlikely to be a risk to the rights and freedoms of individuals39. Before Brexit, controllers in other EU member states, by or to which data involved in the breach have been transmitted, must be notified without undue delay; although this requirement is removed after Brexit40.

17.20 Where there is likely to be a ‘high risk’ from a personal data breach to the rights and freedoms of individuals, the controller must inform them without undue delay41. Where notification would involve a disproportionate effort, there must be a public announcement42. Restrictions may be imposed on the provision of information to the data subject, as a necessary and proportionate measure to avoid obstruction to an investigation, to protect public security, or on other grounds specified in s 68(7)43.

INTERNATIONAL TRANSFERS

17.21 DPA 2018, Part 3, Chapter 5 deals with international transfers of personal data for law enforcement purposes. If the personal data came originally from another EU member state, or a competent authority in that state, authorisation is required for any further transfer to a ‘third country’ or an international organisation; save in urgent cases where the transfer is necessary for the prevention of an ‘immediate and serious threat’ to the security of an EU member state (before Brexit) or a third country; or, to the ‘essential interests of a member state’ (ie an EU member state), whether before or after Brexit; and, in either case, the authorisation cannot be obtained in good time44. Pre-Brexit, a ‘third country’ is defined as a country or territory other than an EU member state; thus allowing the free transfer of data for law enforcement purposes between the EU and the UK. Post-Brexit, a ‘third country’ means a country or territory outside the UK; so that transfers to the EU and to non-EU countries are to be treated after Brexit on the same basis. In addition, three conditions must be met for any transfer (irrespective of the source)45:

(i) the transfer is necessary for a law enforcement purpose;
(ii) it is based on an ‘adequacy decision’ or, post-Brexit, on ‘adequacy regulations’46; or, on ‘appropriate safeguards’47; or, otherwise on ‘special circumstances’ (eg the prevention of an immediate and serious threat to public security of a member state or third country [or any third country, after Brexit])48; and
(iii) the intended recipient is a ‘relevant authority’ (the equivalent of a ‘competent authority’) in the third country49; or, an international organisation with law enforcement functions.

Certain controllers (including chief constables, and courts) may make transfers under s 73(4)(b) to persons in third countries who or which are not relevant authorities, subject to additional conditions in DPA 2018, s 77.

17.22 The four additional conditions in s 77 are50:

(1) the transfer is strictly necessary to perform a task of the transferring controller provided by law, for a law enforcement purpose;
(2) the transferring controller has determined that there are no fundamental rights and freedoms of the data subject that override the public interest necessitating the transfer;
(3) the transferring controller believes that a transfer to a relevant authority in the third country would be ineffective or inappropriate (eg it would take too long); and
(4) the transferring controller informs the intended recipient of the specific purpose(s) for which the data may, so far as necessary, be processed.

Procedural requirements as to notifications and documentation are set out in s 77(6) and (7).

36 DPA 2018, s 65(1) and (2).
37 DPA 2018, ss 69–71.
38 DPA 2018, s 66.
39 DPA 2018, s 67(2).
40 DPA 2018, s 67(8); removed after Brexit by the DPPEC Regulations, Sch 2, para 39.
41 DPA 2018, s 68(1).
42 DPA 2018, s 68(3)(c) and (5).
43 DPA 2018, s 68(7).
44 DPA 2018, s 73(1)(b); subject to urgency provisions in s 73(5) and (6).
45 DPA 2018, s 73(2)–(4). (See s 33(7), as amended after Brexit by the DPPEC Regulations, Sch 2, para 37, for a definition of ‘third country’).
46 Defined in DPA 2018, s 74, pre-Brexit; or s 74A, inserted by the DPPEC Regulations, Sch 2, para 42, after Brexit. Transitional provisions from exit day continue the list of EU countries, Gibraltar, or third countries, which are the subject of adequacy decisions by the EU Commission before exit day, in DPA 2018, Sch 21, para 10 and 11; as inserted by the DPPEC Regulations, Sch 2, para 102.
47 Defined in DPA 2018, s 75.
48 Defined in DPA 2018, s 76, as amended after Brexit by the DPPEC Regulations, Sch 2, para 43.
49 DPA 2018, s 72(2).
50 DPA 2018, s 77(1)–(4).

17.23 International agreements in force between EU member states (or, after Brexit, the UK) and third countries in the field of judicial co-operation in criminal matters are exempt from the above requirements51.

17.24 Where a transfer takes place, the transferring controller must make it a condition that the data are not further transferred to a third country or international organisation without the authorisation of the transferring controller or another competent authority. Restrictions apply to such authorisations; modified in certain cases for urgency52. An amendment made, post-Brexit, appears to have the effect of reducing the maximum amount of penalty for an infringement of the requirements as to international transfers on the basis of adequacy regulations under DPA 2018, s 74A; from the higher to the standard amount (DPA 2018, s 157(2), as amended by the DPPEC Regulations, Sch 2, para 64(3)). This would be anomalous in differing from the maximum amount applicable to, for example, a breach of requirements in DPA 2018, s 75, as to transfers with appropriate safeguards.

Other provisions

17.25 Other provisions deal with:

— national security certificates to support restrictions; against which there is an appeal53;
— restrictions on processing of data transferred to EU, or non-EU, recipients (or post-Brexit, ‘non-UK recipients’) with the controller obliged to consider whether the same restrictions would be applied if the data were transferred to another competent authority in the UK; and, (pre-Brexit) similar restrictions on data transferred to UK controllers54; and
— rules applying to the reporting of infringements of the data protection rules55.

ARTICLE 10 PROCESSING (BY PERSONS OTHER THAN ‘COMPETENT AUTHORITIES’)

17.26 The GDPR provides for the processing of personal data on criminal, criminal justice, or related security matters by bodies that are not ‘competent authorities’; but which may hold, or need from time to time to process, such data. (An example would be a controller passing personal data about a customer or service user to the police, at their request, to assist an investigation). Data relating to criminal convictions or sentences, or related security measures, are defined in GDPR Article 10, which is supplemented in the UK by DPA 2018, s 11(2). Such data are personal data relating to:

— Criminal convictions or offences, or related security measures
— The alleged commission of offences by the data subject
— Proceedings for an offence committed (or alleged to have been committed) by the data subject
— The disposal of such proceedings (ie their outcome), including any sentencing of the data subject.

51 DPA 2018, s 77(8); as amended after Brexit by the DPPEC Regulations, Sch 1, para 44.
52 DPA 2018, s 78, including s 78(5) as to urgency.
53 DPA 2018, s 79; including appeal provisions in s 79(5)–(9).
54 DPA 2018, s 80, as amended by the DPPEC Regulations, Sch 2, para 46.
55 DPA 2018, s 81.

17.27 GDPR, Article 10 provides that such processing has to be carried out either under the ‘control of official authority’; or under EU or member state law (or, after Brexit, by domestic law), with appropriate safeguards. The DPA 2018 sets out what this means in the UK56. ‘Official authority’ has not been defined in this country, although it may refer simply to law enforcement processing by the proper authorities. In practice, in relation to processing of criminal data by non-law enforcement bodies under Article 10, such processing has to be undertaken on one or more of the lawful bases set out in Sch 1 to the DPA 2018. Schedule 1 sets out lawful bases (‘conditions’) on which the processing of special category personal data may proceed. The processing of criminally-related personal data may proceed on the same bases, if it meets one of the ‘conditions’ in Sch 1, Parts 1 or 2 (ie as for special category data); with the addition of further conditions set out in Sch 1, Part 3. This Part of Sch 1 contains lawful bases equating to a majority of the bases set out in GDPR, Article 9, and applies them to criminal offence data (with some additions). The majority of the bases applying under the GDPR for special category data are thus ‘added back in’ for criminal offence data by Sch 1, Pt 3; alongside those defined in Sch 1, Pts 1–2. This is done under the UK’s powers, in GDPR, Article 9(2), to make specific domestic provision for different types of special category processing; including processing falling under the ‘substantial public interest’ under Article 9(2)(g). Most of the bases for the processing of criminally-related data by non-law enforcement controllers in the UK are thus the same as (or very similar to) the bases for the processing of special category data. This doubtless reflects the fact that, until the introduction of the GDPR and the LED, criminally-related data were included within ‘sensitive’ personal data under the DPA 1998.

17.28 The lawful bases (or ‘conditions’) in DPA 2018, Sch 1, Parts 1 and 2 are described in Chapter 557. Many require an ‘appropriate policy document’ to be in place (see paras 5.89–5.91). Those ‘further “conditions”’ added for this purpose, by Part 3 of the Schedule, are as follows. Most will be familiar from the DPA 1998:

• consent of the data subject58;

• processing is necessary to protect the ‘vital’ (ie life and death) interests of an individual who is physically or legally incapable of giving consent59;

• processing is by a foundation, association or other not-for-profit body with a political, philosophical, religious or trade union aim, and relates solely to its members or former members, or persons with whom it has regular contact; where the data are not disclosed outside the body without individuals’ consent60;

• the personal data are manifestly made public by the data subject61;

• the processing is necessary for the purpose of, or in connection with, legal proceedings; for the purpose of obtaining legal advice; or, for the purposes of establishing, exercising or protecting legal rights62;

• the processing is necessary where a court or tribunal is acting in its judicial capacity63;

• the processing is of personal data about a conviction or caution for one of specified indecency offences involving children; and, is necessary to administer an account relating to a payment card used in the offence, or to cancel a payment; and, the controller has an ‘appropriate policy document’ in place64;

• the processing would meet a condition in GDPR, Sch 1, Part 2 (ie it would fall under a ‘substantial public interest’ condition; but for an express requirement for it to be necessary for reasons of the substantial public interest)65;

• processing would meet the ‘insurance’ condition66, or the condition above (in Sch 1, para 36) by virtue of the insurance condition, but for a requirement for the processing to be processing of one of various types of special category data specified in Sch 1, para 20(1)(b), such as data revealing racial or ethnic origin, or data concerning health67.

As indicated above, therefore, most of the former data processing ‘conditions’, which supported the processing of such data when they formed part of ‘sensitive’ personal data under the DPA 1998, have been restored to apply as lawful bases for the processing of criminal or criminal justice data, by ‘non-competent’ persons, under Article 10 of the GDPR.

56 DPA 2018, s 10(4) and (5) and Sch 1, Parts 1–3 (to which Sch 1, Part 4 also applies); together with s 11(2). Section 10 is amended, after Brexit, by the DPPEC Regulations, Sch 2, para 13. See also GDPR, Article 10, as amended after Brexit by the DPPEC Regulations, Sch 1, para 10.
57 See paras 5.94–5.95, and 5.105–5.177 above.
58 DPA 2018, Sch 1, Part 3, para 29.
59 DPA 2018, Sch 1, Part 3, para 30.
60 DPA 2018, Sch 1, Part 3, para 31.
61 DPA 2018, Sch 1, Part 3, para 32.
62 DPA 2018, Sch 1, Part 3, para 33.
63 DPA 2018, Sch 1, Part 3, para 34.
64 DPA 2018, Sch 1, Part 3, para 35.
65 DPA 2018, Sch 1, Part 3, para 36.
66 In DPA 2018, Sch 1, Part 2, para 20. As to the ‘insurance condition’, see paras 5.150–5.153.
67 See DPA 2018, Sch 1, Part 3, para 37.

Part 2

Environmental Information

Section A

Introduction, Definition and Comparison with Freedom of Information

CHAPTER 18

The Breadth and Importance of Environmental Information

18.1 Many people assume that Environmental Information, because of its name, is concerned only with information about the ‘green’ environment. This is far from correct. All too often it is assumed that an information request falls to be answered under the Freedom of Information Act 2000 (‘FOI Act’ or ‘FOIA’), when in fact the Environmental Information Regulations 2004 (the ‘EIR 2004’, or commonly ‘EIR’) apply to it; either wholly, or in part. Practitioners often believe that their organisation does not receive many EIR requests, because the nature of its work is not ‘environmental’. Yet the organisation will almost certainly receive some such requests; at least if it has any offices or other property to maintain; and probably about many other topics as well. On appeals, the Information Commissioner has very many times changed the applicable regime from FOI to EIR (and almost never the other way). The most common response to many people’s first detailed encounter with the EIR is: ‘I didn’t realise that they applied so widely’.

18.2 As an estimate, for example, up to 40% of the information requests received by a district council are likely to fall wholly or partly under the EIR. In certain service areas of local or central government, and in a significant number of quangos, it would be realistic to assume that a majority of the information held is environmental information; in other words, that an information request is more likely on average to fall under the EIR than under the FOI Act.

18.3 This position may change at some stage after Brexit, for reasons explained below at paras 18.9 and 18.14, but until it does, the EIR are very widely applied by the Commissioner and the First-Tier Tribunal. As a result, public authorities need to understand which regime applies.

18.4 There are a number of reasons why this is important. Even where – as in the majority of cases – the information will be disclosed irrespective of the regime, the authority still needs to know whether it has got the process right. In some parts of the private sector that provide public services (eg water companies), the EIR now apply where the FOI Act does not; and this may be extended in the future. Oral as well as written requests are permitted under the EIR (unlike the FOIA). The timescales for reply differ slightly between the regimes, with EIR having more fixed deadlines. On the other hand, there is more scope for charging under the EIR than FOI (although it is little used).

18.5 It is essential to establish the correct regime where the public authority believes that all or some of the information requested should not be disclosed, because the exemptions (or ‘exceptions’, as they are termed under the EIR) differ markedly. Unlike under the FOIA, all EIR exceptions (save the one applying to third party personal data) apply subject to the public interest test. On the other hand, if more than one exception applies, the public interest factors against disclosure can be aggregated (or ‘added up’; unlike the FOIA); which should reduce the likelihood of disclosure. While there is an express presumption of disclosure in the EIR, unlike the FOIA, its real significance is no more than arguable. Other differences include the absence of a cost limit on responding to requests (although an exception may be capable of being applied instead)1; and differences over the timing of internal reviews (or ‘representations’, as they are termed in the EIR). (See further at Chapter 20 below).

BACKGROUND TO THE EIR

18.6 The Environmental Information Regulations 20042 are the second round of legislation giving access to environmental information. They were hurried through Parliament in late 2004 to come into effect on the same day as the FOIA was fully implemented (1 January 2005), and have been rather overshadowed by the attention given to the UK’s first Freedom of Information regime. The first round, the Environmental Information Regulations 19923, were not widely known about or used, and lacked a direct enforcement mechanism. They (and the Directive to which they gave effect)4 did supply, however, some of the case decisions on which the current regime has been built.

18.7 The 2004 Regulations implemented the succeeding EU Directive on public access to environmental information5. The Directive has in turn represented the EU’s implementation of a Convention of the United Nations Economic Commission for Europe (UNECE) on Access to Information, Public Participation in Decision-Making, and Access to Justice in Environmental Matters, known as the ‘Aarhus Convention’, agreed in 1998.

18.8 The two basic aspects of public access to information, and public involvement in decision-making, form the core public interest arguments in favour of disclosure under the EIR.

18.9 After Brexit, the UK may wish to become a signatory to the Convention in its own right. The simplest way to maintain its obligations would be to enable the Regulations to remain in place (as occurs automatically under the European Union (Withdrawal) Act 2018 (‘EUWA 2018’), s 2(1); and is the case at the time of writing). Whether this remains the position over the longer term – or whether the UK Parliament prefers at some stage to enact its own version of compliance with the Convention – is not certain; although a change may be considered unlikely, at least for a significant period. In that event, the day to day relationship with the FOIA is likely in substance to remain the same. Under the EU (Withdrawal) Act 2018, ‘EU-derived domestic legislation’ (as the EIR 2004 are to be classed after Brexit) continues to have primacy over purely domestic law, where there is a conflict. Similarly, it is to remain the case that, until the UK law on a given point is modified (either by statute; or by the Supreme Court, under EUWA 2018, s 6(4)), the law on that point should continue to be interpreted by the UK courts in accordance with the ‘retained general principles of EU law’ (provided they have been recognised by the European Court in a decided case) and the ‘retained case law of the European Court’ (other than the Charter of Fundamental Rights and certain other exceptions); see EUWA 2018, ss 6(3)(a), (7), 5(4), and Sch 1, para 2. As a result, where the meaning of the EIR is unclear, a ‘purposive approach’ should continue to be taken (which could include looking at materials such as the treaty base, Recitals, or working papers which led to its adoption). The measure should also be interpreted compatibly with the EU treaties. It might be arguable that neither of these rules (ie primacy in the event of conflict; or, a purposive approach) is necessarily the same as giving the broadest interpretation to an EU-derived measure in order to ensure that proper effect is given to it, if this were done solely because of its (former) status. This might particularly be the case if, on the specific facts, applying the domestic information regime instead (ie the FOIA) would be likely to produce at least an equivalent level of disclosure in a given case.

1 See paras 22.16–22.25 below, on EIR 2004, reg 12(4)(b).
2 SI 2004/3391.
3 SI 1992/3240.
4 Council Directive 90/131/EEC on the freedom of access to information on the environment.
5 Council Directive 2003/4/EC on public access to environmental information.
As noted above, it is also the case, after Brexit, that a ‘general principle of EU law’ does not form part of domestic law if it was not recognised by the European Court in a case decided before exit day (whether or not as an essential part of the decision); under the EUWA 2018, Sch 1, para 2, so that there might be cases where principles may need to be tested as to any previous case law reflecting them. Over time, the concern which the Commissioner, and to a significant degree also the Tribunal, have shown to apply the EIR as broadly as possible may lessen; so that some change is seen in practice in the boundary with the FOIA. No change appears likely, however, in the short (or probably the longer) term. (See also para 18.14 below).

RELATIONSHIP OF EIR WITH THE FOIA

18.10 It is fundamental in Information Law to appreciate that there are three types of recorded information (or ‘data’, as it is known in the data protection context): (i) personal data; (ii) environmental information; and, (iii) ‘FOI’ information (the remainder).

18.11 Any single piece of information will fall under one of these types only. (Although any one document, or a group of pieces of information, could include two, or even all three of them). Although no order of approach is prescribed, it is usually easiest in practice to determine which type applies in the order above; and it is important to consider FOI last.

18.12 It may be a surprise that ‘FOI’ information should be treated as the residual category of the three, given its public prominence. This arises because the other two have distinct characteristics and boundaries; so that information falling within the relevant scope has to be dealt with under that regime. Personal data (defined under GDPR, Article 4(1), as any information relating to an identified or identifiable ‘natural person’ (or ‘living individual’6) under the Data Protection Act 2018, s 3(2)), is dealt with separately under the law from more general information about facts, policies, or people in general, because it is considered more private to the individual. It is, therefore, to be given greater protection than other recorded information.

18.13 Amongst non-personal data, if the information is ‘environmental information’, the EIR have to be applied to it. Such information has been given a very wide scope, and the EIR have been applied wherever appropriate (or, in reality, wherever possible) to information that would otherwise have fallen under the FOIA. Environmental information has effectively been given a separate status within the general category of information that is not personal data; aided by the purposive interpretation given to rules of EU derivation. In contrast, there is no separate category of ‘FOIA’ information. It follows that – once practitioners have separated any personal data from the rest of the information in issue – they should distinguish any environmental information from the rest of the non-personal data, and apply the EIR to it. The FOIA 2000 should be applied only to what remains after that process.

In summary: a practitioner considering which regime to apply to a given piece of information should:
(i) consider whether it is personal data; and, if so, apply the data protection rules to it;
(ii) if it is not personal data, consider whether it is environmental information; and, if so, apply the EIR;
(iii) only if it is neither of the above, apply the FOI Act to it.

18.14 As indicated above (para 18.9), this position may change at some future stage after Brexit, because the wide application given to the EIR has arisen in part because of the status of the 2004 Regulations as arising from a European Directive, to which a wide (‘purposive’) effect is to be given; and priority in cases of conflict with another provision. On the other hand, any change in the direction of a less emphatically broad approach vis-à-vis the FOIA is likely to be gradual, if it occurs. It would remain the case, moreover, that the EIR 2004 will continue to apply to a particular category of information that is not personal data; and so will necessarily still have to be considered – as to whether they apply – before the FOIA, in relation to any given piece of such information. This would be likely to continue to be the position even if both the EIR and FOIA were re-drafted; since the EIR would still apply to a defined type of information, and a boundary would remain between them. Assuming, moreover, that the UK ratified the Aarhus Convention after Brexit, it would continue to need to give effect to an international obligation. In consequence, it may be that it would wish to leave broadly undisturbed the existing balance between the two regimes.

18.15 This should not be taken to imply, however, that the boundary between the two regimes has always been an easy one to establish; and this looks likely to remain the case for some time to come.

6 Data Protection Act 2018, s 3(2).


CHAPTER 19

Definition of Environmental Information

19.1 The definition of environmental information is set out in the Environmental Information Regulations 2004 (‘EIR’), reg 2(1), as follows:

‘Environmental information has the same meaning as in Article 2(1) of the Directive, namely any information in written, visual, aural, electronic or any other material form on–
(a) the state of the elements of the environment, such as air and atmosphere, water, soil, land, landscape and natural sites including wetlands, coastal and marine areas, biological diversity and its components, including genetically modified organisms, and the interaction among these elements;
(b) factors, such as substances, energy, noise, radiation or waste, including radioactive waste, emissions, discharges and other releases into the environment, affecting or likely to affect the elements of the environment referred to in (a);
(c) measures (including administrative measures), such as policies, legislation, plans, programmes, environmental agreements, and activities affecting or likely to affect the elements and factors referred to in (a) and (b) as well as measures or activities designed to protect those elements;
(d) reports on the implementation of environmental legislation;
(e) cost-benefit and other economic analyses and assumptions used within the framework of the measures and activities referred to in (c); and
(f) the state of human health and safety, including the contamination of the food chain, where relevant, conditions of human life, cultural sites and built structures inasmuch as they are or may be affected by the state of the elements of the environment referred to in (a) or, through those elements, by any of the matters referred to in (b) and (c).’

19.2 It may be seen that environmental information is any recorded information ‘on’ a number of matters, set out in the six categories (a) to (f). The word ‘on’ matters in this context, as it is interpreted very broadly. It means in effect any connection or relationship that the information can have with the matters which it describes. In the leading case on interpreting the definition, Henney, the Court of Appeal said that information is ‘on’ a measure (referring to category (c) above) if it is ‘about, relates to or concerns’ the measure.

19.3 Each category needs to be examined in turn. The main reason that environmental information is given such a broad interpretation is because of the wide scope given to category (c); and, to a lesser extent, to category (f).

REGULATION 2(1)(A) – ELEMENTS OF THE ENVIRONMENT

19.4 The first category applies to information on the state of the ‘elements’ of the environment. This includes, but is not limited to, the state of the air and atmosphere, water, soil, land, and landscape (which includes the built landscape). It also includes the state of natural sites, including wetlands, coastal sites and areas of the sea (‘marine areas’), and ‘biological diversity and its components’, meaning plants, animals and organisms within them, including genetically-modified organisms. As well as the state of these ‘elements’, this part of the definition includes the ‘interaction’ between them.

Example: A river overflows because of excessive rainfall, and floods a neighbouring field. Information about the state of each of the following aspects of the situation would fall within the definition: the weather (‘state of the air and atmosphere’); the water level in the river and in the field (‘state of … water … land … and natural sites’); the fact that the field has been flooded (‘state of … land’); and the interaction of the rainfall, river and field (eg the raising of the river level because of the rain; the overflow of the river water into the field; how long the flooding is expected to last). The information as a whole is environmental information.

19.5 The ‘landscape’ means an area of land where natural factors or human intervention (or both) have altered or shaped its character or appearance. This includes the built landscape.

19.6 Curiously the ICO takes the view that information on a single species (as opposed to more than one) will not fall within information on the state of ‘biological diversity and its components’, because biological diversity means ‘the balance between the various species on earth’. It seems clear from a plain reading of reg 2(1)(a) that information on a single species is information on a component of biological diversity. It also seems over-complicated to separate information about two species from information about one (potentially even in the same passage of text); to the extent of putting them under separate regimes.

REGULATION 2(1)(B) – FACTORS AFFECTING THE ELEMENTS

19.7 The second category covers ‘factors’ that affect, or are likely to affect, the elements of the environment in the first category. Under the EIR, as elsewhere, ‘likely’ means a significant or weighty chance, something that ‘may very well’ happen, but that is below a 50% probability.

19.8 Whilst ‘elements’ under (a) represent what might be described as the ‘building blocks’ of the natural and built environment, ‘factors’ under (b) constitute entities or events with a dynamic quality, which may change the environment. They include (but again are not limited to) substances, energy, noise, radiation, waste (including radioactive waste), ‘emissions’ (which are not defined), ‘discharges’ (also not defined), or ‘other releases’ into the environment. In each case, the emphasis is on the dynamic relationship between the factor and the relevant element of the environment. The defining characteristic of a ‘factor’, in relation to an ‘element’, is that the former is likely to change (or otherwise to affect) the latter. Factors may be man-made, or they may occur naturally.

Emissions

19.9 There is no definition of ‘emissions’ in the Regulations or the Directive, which is important since, to any extent that the information is about emissions, it will be excluded from four of the ‘exceptions’ from disclosure (see para 19.13 below). The Commissioner’s guidance draws attention to a reference in the Aarhus Implementation Guide to the definition of an emission in the Integrated Pollution and Control Directive (‘IPCC’) (Directive 2008/1/EC) as a ‘direct or indirect release of substances, vibrations, heat or noise from individual or diffuse sources in the installation into the air, water or land.’ This has been criticised as too narrow and limiting ‘emissions’ to polluting releases only.

19.10 The ICO accepts the view of the (former) Information Tribunal in Ofcom v Information Commissioner and T-Mobile, that (for the purposes of the definition, and of the exclusion from the exceptions concerned) the word ‘emissions’ should be given its ordinary and natural meaning and should not be artificially narrowed as in the IPCC definition. In that case, the ICO accepted that radio wave radiation from a base station was an ‘emission’. The Shorter Oxford English Dictionary defines an emission as: ‘1. Something emitted, an emanation. 2. The action or an act of emitting.’

19.11 The Commissioner goes on from this to state that emissions will generally be:
— a by-product of an activity or process;
— which is added (or potentially added) to and affecting the elements of the environment; and
— over which any control is relinquished.

19.12 A summary definition given in the guidance, and said to overlap with ‘discharges’, is: ‘the direct or indirect, accidental or deliberate release of substances, heat, radiation or noise into the air, water or land. “Release” suggests liberation, or a change of state from confined to unconfined’. A simpler definition might be that an emission is a release (whether deliberate, accidental, or natural) of a substance or other thing from one environmental medium to another.

19.13 Regulation 12(9) prevents four exceptions from applying to environmental information relating to information on emissions. The exceptions are those in EIR, reg 12(5)(d)–(g):
— Confidentiality of proceedings (reg 12(5)(d));
— Confidential commercial or industrial information (reg 12(5)(e));
— Interests of a volunteer (reg 12(5)(f));
— Protection of the environment (reg 12(5)(g)).

19.14 When disclosing information on ‘factors’, EIR, reg 5(5) obliges the public authority, so far as it is able, and where the applicant so requests, to inform the applicant where any information available may be found on procedures or methods used to compile the information; or to refer the applicant to a standardised procedure used.

REGULATION 2(1)(C) – MEASURES AFFECTING (OR PROTECTING) THE ELEMENTS OR FACTORS

19.15 Thus far the definition may have appeared relatively closely-related to the ‘green’ environment. It is with the interpretation of ‘measures’ in EIR, reg 2(1)(c) that the perspective widens.

19.16 The third category covers ‘measures’ or ‘activities’ affecting or likely to affect the elements referred to in (a), or the factors referred to in (b); as well as measures and activities designed to protect those elements. Neither ‘measures’ nor ‘activities’ are defined.

19.17 ‘Measures’ include ‘administrative measures’, and the examples given in the Regulation are ‘policies, legislation, plans, programmes, environmental agreements’. From this it might reasonably be inferred that ‘measures’ (as distinct from activities) were intended to encompass environmental decisions made, or legal requirements imposed by, governments, legislatures or other governmental or public agencies. The terms ‘plans’ and ‘programmes’, however, are broad ones. There is nothing in the definition which limits it to measures undertaken or made by public bodies. The question whether the scope of ‘measures’ should be restricted, notwithstanding its rather elastic drafting, has not been closely addressed in decisions on the EIR.

19.18 The proper scope of the second part of the category (‘activities’) has likewise had little attention from those interpreting it; perhaps because of the breadth already accorded to ‘measures’. Whatever the reason, the meaning of ‘activities’ (as well as ‘measures’) appears to have been taken to go beyond policy or law-making to encompass any action, by any (legal) person, which affects or is likely to affect the environment, or is designed to protect an element. So the farmer in the first example above, who pumps water off his flooded land, appears to be carrying out an ‘activity’ which is likely to affect (or is designed to protect) his land, which is an ‘element’. A farmer who tries to block or limit the contamination of his land from chemicals which are leaching from neighbouring land (eg by digging a deep trench to try to stop their spread), appears to be undertaking an ‘activity’ likely to affect the leaching, which is a ‘factor’. Information on either ‘activity’ would, therefore, fall within the definition of the third category (although in practice both would probably be treated as ‘measures’ as well).

19.19 Example: environmental impact of a measure

Your organisation, a public body, is considering moving its headquarters from the city centre to a new building it has commissioned to be built on a greenfield site outside the metropolis. All (or perhaps virtually all – see paras 19.19 above and 19.24 below) of its plans, policy proposals, Board reports, consultation materials with staff, discussions with professionals etc, concerning the proposed move, would fall under the EIR, rather than the FOIA 2000. The reason is that the basic proposal, to build a new HQ, would involve an effect on the land concerned. (At the simplest level, this is because a hole would have to be dug to start it; the traditional commencement of a planning development). All, or most, of the documentation describing both the plan, and its carrying out, would be information ‘on’ the ‘measure’ (ie the plan). The EIR would apply to all or most of the information about the project, even if it were abandoned and no hole was dug; because if the measure (the plan) had been carried out, it would have been likely to have affected the element (ie the land).

Concept of ‘remoteness’

19.20 The scope of ‘measures’, or ‘activities’, and of environmental information in general, has grown. At the outset, a concept of ‘remoteness’ was applied: whether the information had a sufficient (or direct) connection to the environment. (NB the link was to be between the information itself, and the environment). This was based primarily on an Austrian case, Glawischnig, in the European Court of Justice (‘ECJ’), decided under the previous Directive1. The request was for information concerning the application in that country of EU controls on the marketing of products derived from genetic modification. The government refused to disclose certain information, including in relation to controls on the packaging of the products and their enforcement, as falling outside environmental information. The ECJ agreed: the rules were marketing controls designed to remove obstacles to trade in genetically-modified products (in other words, an aspect of the EU Single Market). They were not measures likely to affect environmental factors, and information on them was not sufficiently connected to the environment to be environmental information.

1 Glawischnig v Bundesministerium für Sicherheit und Generationen, Case C-316/01 (2003).

19.21 The lead government department in relation to the EIR when they were introduced, the Department for Environment, Food and Rural Affairs (‘DEFRA’), included this ‘remoteness’ principle in its guidance on the boundary between the EIR and FOI2. The Commissioner also initially accepted it, and cases in the (former) Information Tribunal were argued on the basis of it3. The Commissioner began to take a different view, however, reflected in internal guidance to case officers (which the ICO formerly published). This referred to their view of remoteness as being whether the information was proximate to, or remote from, the relevant element, factor, measure etc4. In other words the test (in the ICO’s view) was, whether there was a sufficient connection between the information in issue and the category [in reg 2(1)(a)–(f) above] to which it related; not whether there was a sufficient connection between the information (or its subject) and the environment. Given a broad interpretation of the meaning of ‘on’, it was perhaps difficult to see how this avoided being merely tautological; or, how it amounted to any limitation on the scope of environmental information.

19.22 The First-Tier Tribunal’s view of ‘remoteness’ has also changed. It commented in LB Southwark v ICO, Lend Lease and Glasspool that, while there might be a tendency to over-use the EIR, the answer was not the ‘development of the vague notion of “remoteness”’, but instead a ‘purposive application to the facts of a case of the definition of environmental information’ (ie a broad application of the definition to the facts)5.

Henney case

19.23 The argument seems to have been settled, at least for the moment, by the decision of the Court of Appeal in Henney, which is now the leading case6. The Court of Appeal confirmed the decision of the Upper Tribunal7 in the same case; in all but one respect. The decision underlines a broad interpretation of whether information is ‘on’ a ‘measure’ by enabling a broader subject, beyond the immediate one with which the information is directly concerned, to count as the ‘measure’ to which the information in issue relates.

2 See DEFRA: ‘Environmental Information Regulations: Guidance on the Boundaries between environmental and other information’, latest version February 2009.
3 DBERR v Information Commissioner & Friends of the Earth EA/2007/0072; Mersey Tunnel Users Association (MTUA) v Information Commissioner and Halton Borough Council EA/2009/0001.
4 Information Commissioner: ‘Line to Take’ (LTT) 80 (Defining Environmental Information).
5 EA/2013/0162, paras 29–30.
6 Department for Business, Energy and Industrial Strategy v Information Commissioner and Alex Henney [2017] EWCA Civ 844.
7 Department for Energy and Climate Change v Information Commissioner and Henney [2015] UKUT 0671 (AAC).

19.24 Mr Henney had sought a copy of the ‘Project Assessment Review’ (‘PAR’) which formed part of the data and communications element of the government’s Smart Meter Programme (‘SMP’). The SMP was accepted by all parties to be a ‘measure’ affecting the environment, because one of its aims was to reduce carbon emissions. For the purposes of the case, it was assumed that the PAR (and the data communications element as a whole) did not of themselves affect the environment. The issue was whether the PAR was information ‘on’ the data and communications element, or on the SMP (or, in other words, whether it had to be ‘information on’ the immediate level of the programme above it, to fall within reg 2(1)(c); or whether it could be about the level above that; ie the wider programme). The Upper Tribunal had found it was the latter, by looking at the ‘big picture’ of the purpose of the programme. The Court of Appeal disagreed with the term ‘big picture’, but said that information could be ‘on’ more than one measure; and that the wider context, beyond the precise issue with which the information was concerned, could be considered. The wider context could include the purpose of the information, or whether access to it would enable the public to be better informed about the decision-making involved. On the facts, the Court agreed with the Upper Tribunal that the PAR was information ‘on’ the SMP, as a ‘measure’. The PAR was also information about the SMP for the additional reason that the communications element was ‘integral’ to the programme as a whole8.

19.25 The Court of Appeal did acknowledge, however, that there are limits to the scope of environmental information. In rejecting the ‘big picture’ approach, it took into account the Glawischnig decision. Relying simply on the ‘big picture’ could lead, it said, to the inclusion under the EIR of information which had only a minimal connection to environmental factors, which would be contrary to Glawischnig. Practitioners should have in mind, therefore, that while a broad approach is required to the scope of the EIR, and particularly of ‘measures’ – including assessing whether the information concerned is ‘on’ a wider measure which has an environmental impact, if the immediate subject of the information does not – there should still be some connection between the subject of the information (eg the ‘measure’ to which the information refers) and the wider environment.

19.26 In making that judgment, the Court of Appeal in Henney advised using as a ‘starting point’ the Recitals to the Aarhus Convention and the Directive, requiring that citizens have access to information to enable them to participate in environmental decision-making more effectively; and the contribution which such access makes to a better awareness of environmental matters, and, eventually, to a better environment9.

8 See Henney, Court of Appeal, as footnote 13, paras 9 and 53.
9 Henney, Court of Appeal, as footnote 13, paragraph 48. See Directive 2003/4/EC, Recital 1.


19.27 In short: would disclosure of the information in issue (assuming that it is information ‘on’ a ‘measure’ (or, logically, on another category of the definition of environmental information; whether directly or at a wider level)) contribute to those objectives? If so, it is likely to be environmental information under EIR, reg 2(1)(c). In Lancashire Fire and Rescue10, the First-tier Tribunal applied the EIR to multiple questions about an operation of hydraulic fracturing (‘fracking’), relying on Henney, including casualty handling, training, emergency lighting, or emergency procedures. This was because the issue was whether all of these subjects related to fracking, which was the measure; rather than to the environment.

Examples of information ‘on’ a ‘measure’

19.28 Even before the Henney decision, and the previous broadening of the ICO’s approach, a number of decisions confirmed that information on ‘measures’ can include information about policies, programmes etc which have no (or only a limited) environmental purpose in themselves, but which incidentally produce an environmental impact. The following have been treated as ‘measures’:
• the criteria for determining the boundary lines of building plots11;
• a temporary pedestrian crossing12;
• a risk assessment of hazards13;
• legal advice on the rights of individuals to participate in a countryside stewardship scheme14;
• a major housing development15;
• tolls on a proposed bridge over the river Mersey (because they were ‘integral’ to whether the development would proceed, and thus whether it would have an environmental impact)16. The test of whether non-environmental information is ‘integral’ to environmental information has been adopted by the Commissioner17; and was also reflected in Henney. The ICO advises that this test should be used to decide whether parts of large environmental projects (eg an IT sub-contract) should also be treated as falling under the EIR18;
• an agreement to build a toll road19;
• information by which to judge the quality of other environmental information20.

19.29 In summary, in relation to ‘measures’, this category of the definition both provides the majority of the instances of environmental information (in cases, and other than straightforward statistics about environmental developments); and is the main reason why the EIR are to be very broadly applied.

10 Lancashire Fire and Rescue Service v ICO EA/2018/0084.
11 Wolverhampton City Council FER 0120142, 2 June 2006.
12 City of Plymouth Council FER 0069925, 2 March 2006.
13 Milford Haven Port Authority FER 0072936, 28 March 2007.
14 Rudd v IC EA/2008/0020.
15 LB Southwark v ICO and Lend Lease, and Adrian Glasspool EA/2013/0162.
16 Mersey Tunnel Users Association v ICO and Halton BC EA/2009/0001, para 69.
17 See ICO: ‘What is Environmental Information?’, version 4.1, paragraph 18.
18 ICO: ‘What is Environmental Information?’, paragraph 42.

REGULATION 2(1)(D) – REPORTS ON THE IMPLEMENTATION OF ENVIRONMENTAL LEGISLATION 19.30 This category is straightforward: reports on how (or how effectively) statutory requirements in relation to the environment have been implemented by a public organisation, or have been enforced by it or other bodies, will be environmental information. The category is likely to include, for example: reports by a public body on carbon reduction in its own activities; the enforcement by it of environmental planning requirements on other legal persons; or, reports measuring outcomes, or public behaviour, in relation to environmental protection. Much of the information is likely to be in the public domain.

REGULATION 2(1)(E) – COST-BENEFIT AND OTHER ECONOMIC ANALYSES

19.31 Information will be environmental information if it is on ‘cost benefit or other economic analyses and assumptions’, which are used ‘within the framework of the measures and activities referred to in (c)’. This covers a cost-benefit analysis of a ‘measure’, an economic analysis of it (eg as to its likely economic consequences), or any economic assumptions made in assessing the measure. Thus a report to an organisation’s Management Board on the advantages in cost-benefit terms of constructing (or moving to) a new building would be environmental information; as would an assessment of the economic impact of it on the area (eg in terms of jobs), or any assumptions used in producing that analysis (eg as to how the new jobs were to be calculated).

19.32 In the Southwark case referred to above21, the First-Tier Tribunal held that a viability assessment by the developer of a major housing development fell within this category.

19 R v Secretary of State for Environment, Transport and the Regions ex parte Alliance against Birmingham Northern Relief Road [1998] EWHC Admin 598. (NB decided under the EIR 1992).
20 R v British Coal Corporation ex parte Ibstock Building Products Ltd Case CO/1610/93, 21 October 1994. (NB decided under the EIR 1992).
21 LB Southwark v ICO and Lend Lease, and Glasspool EA/2013/0162.


REGULATION 2(1)(F) – THE STATE OF HUMAN HEALTH AND SAFETY ETC

19.33 This is a composite category with distinct sub-categories; each reflecting either an aspect of human life or of the built environment. In each case, the information is ‘on’ not the sub-category itself, but on how it is or may be affected by the state of the elements; or by any of the factors or measures/activities, as they operate through those elements. In other words, it is about the impact of the environment (or of changes in the environment, or environmental measures or activities) on certain aspects of human life, the built environment, or sites important in human culture. It should be noted that the information will only be environmental information ‘inasmuch’ as the environment, or changes or environmental measures, affect those aspects, buildings etc.

19.34 Whereas the first five categories are broadly about the state of the environment, or about events or activities which have environmental consequences, the sixth is the other way around: it concerns the effect of the environment on human life, or on the built environment or cultural sites created by humans. The Aarhus Implementation Guide describes this as the ‘human environment’, including the built environment.

19.35 The sub-categories are:
• The state of human health and safety, including the contamination of the food chain (where it is relevant to the state of human health and safety).
• ‘Conditions of human life’.
• Cultural sites and built structures.

19.36 The test of whether there is an effect from the environment, or environmental measures, is whether the sub-categories 'are or may be affected'. If they 'are affected', this suggests that the effect has already taken place, or is continuing. If they 'may' be affected, the level of probability required is that there has to be some possibility of the effect occurring. This is a lower level than 'likely to affect', as required under the second and third categories (EIR, reg 2(1)(b) and (c), above at paras 19.7–19.8 and 19.15–19.19 respectively).

State of human health and safety

19.37 The Commissioner advises that 'human health and safety' should be understood as a collective state, covering matters such as diseases, medical conditions and safety risks (ie rather than individual risks). The effect, which can be harmful or beneficial, should arise from an element; or from a factor or measure working through an element.

Examples: information on the state of human health and safety, as affected by elements, factors or measures
Affected by an element: a warning broadcast about the degree of danger to humans from the sea (an element) on a coastline during storm conditions.
Affected by a factor, through an element: a scientific finding about the likely level of harm to humans from land (an element) which has been contaminated by poisonous waste (a factor).
Affected by a measure/activity, through an element: a report on the effectiveness of requirements for the fencing of a dangerous site. The rules requiring fencing are a 'measure', which affect the state of human safety through the land (by altering its state). The report on the effectiveness of the rules is information on the state of human safety.

Contamination of the food chain

19.38 The contamination of the food chain is treated as part of human health and safety. Under the first category above (EIR, reg 2(1)(a)), the state of 'biological diversity' (flora and fauna, or plants and animals) is an 'element'. Thus information about how the condition of meat, or of vegetable foods, is affecting, or may affect, human health or safety will fall within this part of the definition. Information about how the food may have been contaminated (by an activity or 'measure', such as inadequate storage, which has affected its state) will likewise fall within its scope.

19.39 The Commissioner distinguishes this, however, from information about inadequate cooking of meat in a specific restaurant, since the information about the food being contaminated is not linked back to the state of the element (eg the original state of the food when supplied), or to a measure affecting the state of an element (eg rules as to refrigeration before delivery)²². For this reason, this part of the definition seems unlikely (following the view of the Commissioner) to apply to specific or isolated instances of food contamination arising at particular food outlets, or possibly for other very local reasons.

19.40 It is not clear that information about the system for the inspection of food in cafes and restaurants, or for the proper running of abattoirs and food processing factories, would fall within this part of the definition. This is because the focus in this part of the definition is on the state of any contamination (or presumably, its avoidance), rather than on the system designed to prevent (or contain) any such contamination. The food safety and inspection system is, however, likely to be a 'measure' under EIR, reg 2(1)(c) above, affecting or likely to affect an element; and so information about it would fall under the EIR by virtue of the third category in the definition, rather than under this heading.
22 ‘What is Environmental Information?’, paragraph 48.


19.41 In a case concerning a request for a report following an outbreak of food contamination by E. coli, the Tribunal decided that reports about the premises used for processing food for human consumption related to the state of human health, as health could be affected by at least one of the 'factors', operating through at least one of the 'elements'²³. This was because the organisms were capable of being transmitted through water; and both temperature and humidity could affect the degree of risk of transfer by other means, such as direct contact between humans or between a human and a tangible object.

Conditions of human life

19.42 The meaning of this term has been something of a puzzle, and has generated few case decisions. The original version of the Aarhus Implementation Guide referred to the conditions in which people lived in buildings, and how the environment might adversely affect them. Examples might be information about infestations of vermin or wasps in buildings, or the incursion of rain or damp into housing premises.

19.43 The second edition of the Guide (2014), however, while recognising that the term could be interpreted very widely, gives examples of 'air quality, quality and availability of water and food, housing and workplace conditions, relative wealth and various social conditions'²⁴. The Commissioner's guidance refers to: 'information on housing, poverty, employment, social welfare, heating, access to clear water, sanitation and healthcare'. The Commissioner does not develop the point, or its implications²⁵.

19.44 It should be stressed that environmental information would only cover information about the impact of the environment or environmental measures on such subjects (eg the impact of adverse weather conditions on those in poverty). It may nonetheless be seen that this interpretation of the scope of this part of the definition is potentially very wide indeed, encompassing much information which could otherwise be expected to fall under the FOIA 2000. It is suggested that the earlier Aarhus guidance as to its scope may be regarded as more practical. As with the rest of environmental information, of course, information which is not covered by the EIR would (in the UK) be expected to fall under the FOIA 2000.

Cultural sites

19.45 The Aarhus guidance refers to the definition of 'cultural sites' in the 1972 Convention Concerning the Protection of the World Cultural and Natural Heritage ('World Heritage Convention'): 'works of man or the combined works of nature and man, and areas including archaeological sites which are of outstanding universal value from the historical, aesthetic, ethnological or anthropological point of view'. While this demonstrates the potential breadth of the concept in one sense, there is nothing in the Regulations to limit the scope of such sites to those of 'outstanding universal value', expanding the scope further. While it would be reasonable to require some official recognition of a site concerned, the potential breadth of such sites is considerable. Information about the state of such a site, as affected (beneficially or adversely) by the environment, or by environmental measures, will fall within the definition.

Example: cultural sites
A local authority maintains a well-known mediaeval arch in its historic town centre. The arch requires regular maintenance, mainly because of the effect of frost, rain and wind on its mortar and stonework. Information about the condition of the arch is information about the effects of weather (a factor), or of the state of the atmosphere (an element), on the arch. Information about the maintenance programme is information about the state of the arch, as it may be affected by a measure or activity through the element (eg as to how re-mortaring will improve its weather-proofing).

23 Watts v ICO EA/2007/0022.
24 UNECE: 'Aarhus Implementation Guide', Article 2, para 3(c), p 55.
25 ICO: 'What is Environmental Information?', para 53.

Built structures

19.46 Almost all public authorities will own, or have responsibility for, built structures, often on a large scale. The term overlaps with a number of cultural sites where those have been built, rather than formed solely by nature. Many public authorities have significant involvement in construction or regeneration projects; the management or refurbishment of residential or office property and other forms of structures (roads, bridges, tunnels, public buildings etc); or the management of open spaces in which built structures of various kinds are sited. The Aarhus guide refers to 'man-made constructions', which are not limited to large buildings or objects such as dams or highways, but also include small constructions and even landscaping. The Commissioner refers to buildings, built structures and built infrastructure²⁶.

Example: built structures
The Commissioner distinguishes in her guidance between information about subsidence affecting a building, which is environmental information because it shows how the building is being affected by the state of the land; and information about how a built structure has been affected by the use of poor building materials, which is not environmental information because the information is not about how the building has been affected by the state of an element²⁷. However, if in the second example the information had been about how the use of incorrect mortar had allowed moisture to enter the brickwork, with the result that frost over the winter had damaged the brickwork, the information would arguably be environmental information because it would concern the impact of the weather on the brickwork, albeit the damage was permitted to happen because the wrong materials were used.

26 ICO: 'What is Environmental Information?', para 53.

19.47 Internal works or alterations to a building, including information on internal fittings such as antique fireplaces, are not environmental information, since they do not fall within a plain reading of the definition²⁸. If the issue concerned, however, whether installing fireplaces, and their use, would contribute to smoke or other emissions, the information about them would be environmental information.

Land use planning and development control

19.48 Many local authorities are planning authorities, either in terms of strategic planning as to future use of land (land use planning); or in determining applications for planning permission and enforcing against breaches of planning rules ('development control'). All, or almost all, information held by them on planning matters of either type will be environmental information.

19.49 In the Southwark case²⁹, the First-Tier Tribunal decided that a very large housing development was a 'measure', because of the impact on the state of the landscape (EIR, reg 2(1)(c)). As indicated above, the developer's financial viability assessment was an 'economic analysis' used within the framework of that measure and activity (EIR, reg 2(1)(e))³⁰.

19.50 The Tribunal could equally, it is argued, have decided that both the development control system within which the developers had submitted their application, and the application itself, were 'measures'; with the viability assessment and other supporting documentation for the application being information on the measure. Either approach leads to the information about the application, and the viability assessment, being environmental information.

19.51 The Commissioner advises, however, that it should not be assumed that all information within a planning file will automatically fall under the EIR, as it will still be necessary to identify what measure the information is 'on', and to ensure that the measure will affect (or is likely to affect) the elements or factors, or is designed to protect the elements. It is respectfully suggested that this test will generally be met.

27 See 'What is Environmental Information?', examples in para 48.
28 Black v ICO EA/2011/0064.
29 LB Southwark v ICO and Lend Lease (Elephant and Castle Ltd) and Glasspool EA/2013/0162.
30 See para 19.32.


19.52 The Commissioner takes the view that information relating to a decision whether or not to list a building is environmental information, because the process of listing historic buildings is a measure likely to affect the environment (in the sense of the landscape, which includes the built environment and its appearance). While information about the application of the rules as to the external appearance of a building will fall within the EIR, therefore, information about internal fixtures and fittings will not, since measures or controls in relation to them (eg as part of a building's listing) are not concerned with the state of the land, landscape or another element.

19.53 Agreements under Town and Country Planning Act 1990, s 106 (commonly known as 'planning agreements', whereby a developer agrees to provide an additional element of development to the benefit of the community as a whole, in parallel to a planning permission) are regarded by the Commissioner as 'environmental agreements' under EIR, reg 2(1)(c), provided there is likely to be an effect on an element or factor, or the 'planning gain' is designed to protect an element. An example might be the re-siting of a habitat for local wildlife, in order to conserve it, as part of a development. In Kirkcaldie, a planning agreement in relation to night flights at a local airport was treated by the Tribunal as a 'measure' under the EIR, rather than falling under the FOIA 2000³¹. Legal advice on the agreement was, therefore, information 'on' a 'measure', and thus also covered by the EIR.

Property searches

19.54 The Commissioner regards the majority of the information examined as part of a local property 'search' before buying a residential property as environmental information, because it is a 'measure' which affects or is likely to affect the use, and therefore the state, of the land under EIR, reg 2(1)(c). A series of cases over charges for property searches, culminating in East Sussex County Council v ICO in the European Court of Justice³², treated information about such searches as falling under the EIR.

Table of areas likely to be covered by EIR
• Global warming
• Energy policy and consumption
• Genetic modification
• Nuclear processing and waste
• Transport, roads and traffic
• Water supplies
• Flooding
• Regeneration and housing development
• Buildings maintenance
• Agriculture and fishing
• Land use planning and development control
• Waste collection, management and disposal
• Countryside policy, wildlife conservation
• Conservation of buildings, maintenance of cultural sites
• Public health
• Food safety
• Fire prevention and fire-fighting
• Noise nuisance

31 Kirkcaldie v Information Commissioner and Thanet District Council EA/2006/0001.
32 East Sussex County Council v ICO, Case C-71/14, 6 October 2015.


CHAPTER 20

Similarities with, and differences from, FOIA 2000

SUMMARY OF HOW EIR AND FOI COMPARE

20.1 The similarities between the Freedom of Information Act 2000 ('FOIA 2000') and the Environmental Information Regulations ('EIR') may be summarised as follows:
• the same Public Interest Test is used (although it applies to all EIR exceptions, except in relation to the personal data of third parties, whereas it applies to only about two-thirds of FOI exemptions);
• the basic time limit (20 working days) is the same (but see para 21.43 below on extending time);
• the enforcement and appeals regime, via the Information Commissioner, and thereafter the First-Tier and Upper Tribunals, is the same;
• the Publication Scheme of a public authority will cover both types of information, and in the same way;
• the appropriate records management procedures are the same;
• there is a duty to confirm or deny (although in the EIR it is not referred to expressly, other than in two places – see para 20.2 below).

20.2 Despite the similarities (and the common purpose of entitling the public to gain access to publicly-held information), the differences are more extensive:
• Oral requests are effective under the EIR.
• A wider range of legal persons is covered by the EIR.
• There is an express presumption in favour of disclosure (although its effectiveness is debatable).
• The duty to disclose overrides a contrary enactment (although the exception in EIR, reg 12(5)(d) may apply in certain cases).
• There is less flexibility to extend the period of time in which to respond to a request.
• There is no express cost limit under the EIR (although the exception in EIR, reg 12(4)(b) may apply in some cases).
• Most of the exceptions require the public authority to confirm or deny whether the information is held (unlike FOI, where there may be an exemption from that requirement). There is a 'neither confirm nor deny' ('NCND') provision only in EIR, reg 12(5)(a) and 13¹.
• Some of the exceptions are narrower than their nearest FOI equivalents. On the other hand, others are broader: the EIR exceptions for incomplete material (reg 12(4)(d)) and internal communications (reg 12(4)(e)) are broader than their FOI equivalents in s 35 (policy formulation) and s 36 (prejudice to public affairs). The EIR exception for an adverse effect on the course of justice (EIR, reg 12(5)(b)) is broader than the FOI exemption for legal professional privilege (FOIA 2000, s 42).
• Some EIR exceptions (eg for confidential proceedings (reg 12(5)(d)) or intellectual property rights (reg 12(5)(c))) have no direct FOI equivalent. Likewise, some FOI exemptions have no EIR counterpart (eg information accessible by other means (s 21); or information intended for future publication (s 22)).
• Certain of the EIR exceptions appear to be more robust than their FOI near-equivalents (eg the exception for confidential commercial or industrial information in EIR, reg 12(5)(e)). The nearest FOI equivalent, FOIA 2000, s 43 covering commercial prejudice, has been less certain. The same appears to be the case for the exceptions for incomplete material (reg 12(4)(d)) and internal communications (reg 12(4)(e)).
• The aggregation of the public interest factors against disclosure under the EIR increases the likelihood that information may be withheld under the EIR².

20.3 These characteristics are examined in Chapters 21–23 below.

20.4 The following tables set out FOI exemptions and EIR exceptions, in relation to their nearest equivalents:

Table A: FOI exemptions compared with EIR equivalent exceptions

| FOI exemption | EIR exception |
|---|---|
| s 12: Cost limit | reg 12(4)(b) Request manifestly unreasonable |
| s 14: Vexatious request, similar request | reg 12(4)(b) Request manifestly unreasonable |
| s 21: Information accessible by other means | No direct equivalent (reg 6(1)(b) allows use of publicly available format for reply) |
| s 22: Information intended for future publication | No direct equivalent (reg 12(4)(d), material in course of completion, may be relevant) |
| s 22A: Research | No direct equivalent (reg 12(4)(d), material in course of completion, may be relevant) |
| s 23: Security information | reg 12(5)(a) National security, public safety |
| s 24: National security | reg 12(5)(a) National security |
| s 26: Defence | reg 12(5)(a) Defence |
| s 27: International relations | reg 12(5)(a) International relations |
| s 28: Relations within the UK | No direct equivalent (reg 12(4)(d), material incomplete, may be relevant) |
| s 29: The economy | No direct equivalent (reg 12(4)(e) Internal communications, or reg 12(4)(d), material incomplete, may be relevant) |
| s 30: Public investigations and proceedings | reg 12(5)(b) Course of justice; criminal or disciplinary inquiries |
| s 31: Law enforcement | reg 12(5)(b) Course of justice; criminal or disciplinary inquiries |
| s 32: Court records etc | No direct equivalent, but public authority acting in judicial capacity excluded from EIR under reg 3(3) |
| s 33: Audit functions | No direct equivalent (reg 12(4)(e) Internal communications, or reg 12(4)(d), material incomplete, may be relevant) |
| s 34: Parliamentary privilege | reg 3(4) Parliamentary privilege |
| s 35: Formulation of government policy, and Ministerial communications | reg 12(4)(e) and 12(8) Internal communications between government departments; reg 12(4)(d) Material in course of completion |
| – Advice by Law Officers | reg 12(5)(b) Course of justice; reg 12(4)(e) Internal communications |
| – Ministerial private office | reg 12(4)(e) Internal communications; reg 12(4)(d) Unfinished documents |
| s 36: Prejudice to conduct of public affairs | reg 12(4)(d) Material in course of completion; reg 12(4)(e) and 12(8) Internal communications |
| s 37: Communications with Her Majesty etc; honours | No direct equivalent (reg 12(4)(e) Internal communications may be relevant) |
| s 38: Health and safety | reg 12(5)(a) Public safety |
| (s 39: Environmental information) | n/a |
| s 40: Personal information | regs 12(3) and 13 Personal data |
| s 41: Information provided in confidence | reg 12(5)(e) Commercial confidentiality; reg 12(5)(f) Interests of volunteer |
| s 42: Legal professional privilege | reg 12(5)(b) Course of justice |
| s 43: Commercial interests (inc trade secrets) | reg 12(5)(e) Commercial confidentiality; reg 12(5)(c) Intellectual property rights |
| s 44: Prohibitions on disclosure | No equivalent (and reg 5(6) overrides), but reg 12(5)(d), confidentiality of proceedings, may be relevant |

Table B: EIR exceptions compared with FOI equivalent exemptions

| EIR exception | FOI exemption |
|---|---|
| reg 12(4)(a) Information not held | ss 1(1) and 3(2) (No FOI duty) |
| reg 12(4)(b) Request manifestly unreasonable | s 12 Cost limit; s 14 Vexatious request |
| reg 12(4)(c) Request too general | No direct equivalent (s 1(3), further information required to identify information, may apply) |
| reg 12(4)(d) Material still in course of completion | s 35 Policy formulation; s 36 Public affairs |
| reg 12(4)(e) Internal communications | s 35 Policy formulation; s 36 Public affairs |
| reg 12(5)(a) International relations, defence, national security, public safety | ss 23–25 Security, National security and Defence; s 27 International relations; s 38 Health and safety |
| reg 12(5)(b) Course of justice | s 42 Legal professional privilege; s 30 Public investigations and proceedings |
| reg 12(5)(c) Intellectual property rights | No equivalent (s 43 Commercial prejudice, or s 41 Confidential information, may be relevant) |
| reg 12(5)(d) Confidential proceedings | No equivalent (s 35 Policy formulation, s 36 Public affairs, or s 44 Prohibitions on disclosure may be relevant) |
| reg 12(5)(e) Commercial confidentiality | s 43 Commercial prejudice, or s 41 Confidential information, are nearest equivalents |
| reg 12(5)(f) Interests of volunteer of information | No equivalent (s 41 Confidential information may be relevant) |
| reg 12(5)(g) Protection of the environment | No equivalent |

1 See paras 21.17 and 23.7–23.9 below.
2 See paras 21.22–21.23.


Section B

Handling EIR Requests

CHAPTER 21

Handling EIR Requests

WHO IS SUBJECT TO EIR

21.1 There are detailed differences between the Environmental Information Regulations ('EIR') and the Freedom of Information Act 2000 ('FOIA 2000') as to which organisations are subject to them. The following are subject to the EIR:
(a) a government department¹;
(b) a body designated under FOIA 2000, Sch 1, as subject to FOI, but with some variations (see para 21.2);
(c) any other body or person carrying out 'functions of public administration';
(d) any other body or person who or which is under the control of a person falling within (a), (b) or (c), and:
(i) has public responsibilities relating to the environment;
(ii) exercises functions of a public nature relating to the environment; or
(iii) provides public services relating to the environment.

21.2 The variations from those bodies designated under the FOIA 2000, referred to at (b) above, are:
— Any body or office-holder who or which is listed in Sch 1 to the FOIA 2000 (ie as subject to FOI) only in relation to a specified description of information;
— The special forces of the armed forces, and any military unit required for the time being to assist the Government Communications Headquarters ('GCHQ') in the exercise of its functions;
— Bodies designated as subject to FOI in an Order under FOIA 2000, s 5, which are not thereby included under the EIR.

21.3 Those covered by (c) in para 21.1 above, as a body carrying out 'functions of public administration', are those which exercise functions which otherwise would be expected to be those of government. The Port of London Authority, for example, is subject to the EIR because it has statutory powers to regulate the use of the tidal River Thames, including issuing river licences, under the Port of London Act 1968². In Poplar Housing Association v ICO³, the First-tier Tribunal decided that a registered provider of social housing did not carry out functions of public administration, and so was not a public authority for the purposes of EIR, reg 2(2)(c).

21.4 Those covered by (d) in para 21.1 above carry out one or more of the (potentially overlapping) activities listed in connection with the environment, while being under the 'control' of one of the bodies listed in (a)–(c) (ie mainly, FOI public authorities). In two important cases involving water companies, it has been established that 'control' means more than a regulatory framework. It means that the body exercising control has a 'decisive influence' on their operations⁴.

21.5 The Fish Legal case in the European Court of Justice, raising like the earlier Smartsource case in the Upper Tribunal the issue of whether private (or privatised) water companies were subject to the EIR, decided that they would be so subject if either:
• they held public administrative functions, so that they had powers over other legal persons (the 'special powers' test), and so would qualify under para 21.1(c) above in their own right; or
• if they carried out activities falling within para 21.1(d) above, they were under the 'control' (in the sense of a 'decisive influence') of the water regulator, Ofwat (the Water Services Regulation Authority).

21.6 The European Court having defined the issues, the Upper Tribunal applied them. It said that water companies were subject to the EIR on the basis of the special powers test, but not the control test. They had special powers over water users, such as compulsory purchase powers, powers to make (or propose) byelaws, powers of entry, and powers to apply hosepipe bans. These were sufficient to meet the special powers test. On the other hand, while Ofwat or the Secretary of State had certain powers over them, these applied to the manner of the exercise of the companies' functions, rather than the functions themselves; and, on the facts, were not frequently used. The upshot is that water companies operate under the EIR. Other former public utilities, or undertakings which either have special powers or operate within a tighter regulatory regime than water companies, may find the issue raised in future as to whether the Regulations apply to them.

21.7 The ICO, in January 2019, laid proposals before Parliament (using powers in the Data Protection Act 2018, s 139(3)), drawing attention to the limited coverage of contractors under the EIR and FOIA, and calling for the two regimes to be extended to them. In relation to the EIR, the report called on the government to consider reforming the regulations to allow organisations exercising functions of a public nature, including contractors, to be designated, to increase consistency with the FOIA regime. EIR, reg 3 (on information held 'on behalf of' a public authority; see para 21.13) should be amended to make clearer what information regarding a public sector contract is held for the purposes of the legislation. It also called for a comprehensive review by government of disclosure processes regarding contracting and affecting the public sector. (See also para 24.25 on the FOIA)⁵.

21.8 Scottish public authorities have their own version of the EIR⁶.

1 Other than the Competition and Markets Authority, or the Office for Standards in Education, Children's Services and Skills ('Ofsted').
2 Port of London Authority v ICO and John Hibbert EA/2006/0083.
3 Poplar Housing Association and Regeneration Community Association (Poplar Harca) v ICO and Peoples Information Centre EA/2018/0199.
4 Smartsource [2010] UKUT 415 (AAC); reaffirmed by the European Court of Justice in Fish Legal, Case C-279/12 (on a reference from the Upper Tribunal, [2012] UKUT 177 (AAC)). The term originated in the relevant DEFRA guidance. See paras 21.5–21.6.

MIXED EIR/FOI REQUESTS

21.9 If the information identified in a request is mixed as between EIR and FOI, but the 'predominant purpose of the document covers environmental information', the Tribunal has helpfully said that it may be possible to apply the EIR to the document as a whole. Where there are a number of purposes and none is dominant, however, it is necessary to review the document in detail⁷. It should be noted that this does not apply the other way around, where FOI is dominant (presumably because of the priority given currently to the EIR as a European measure, so that environmental information should not be handled under the FOIA); and that the unit of division (unusually) is by document.

21.10 The ICO indicates a preference for authorities separating FOI and EIR information, and only using the DBERR 'pragmatic' proposal exceptionally. She argues that taking a broad approach to interpreting 'any information on' the various parts of the definition in the EIR should mean that line-by-line separation would not normally be necessary⁸. This is not a welcome approach to the practical problems faced by public authorities; and it is respectfully suggested that they should not feel inhibited in following the DBERR approach, where possible.

Meaning of 'held'

21.11 Environmental information is 'held' by a public authority if:
(a) it is in the possession of the authority, and has been produced or received by it; or
(b) it is held by another person on behalf of the authority⁹.

21.12 The ICO qualifies the scope of (a) by saying that information is not in the possession of the authority if it is not held to any extent for the authority's own purposes (eg if it is merely storing it for another body). The requirement for the information to have been 'produced or received' by the authority is qualified in the same way, in the ICO's view¹⁰. The same guidance (paragraph 15) gives indicators of whether information is held by the public authority for its own purposes, based on its degree of control over, or responsibility for, the information.

21.13 Information held 'on behalf of the authority' by others will include arrangements such as document storage, archiving, some contractual arrangements, or partnerships (where information generated by one partner will usually be regarded as held by all partners, unless otherwise arranged)¹¹. In relation to an outsourced contractor, the ICO says that whether the information is held on behalf of the authority can be very difficult to determine in practice¹².

21.14 The cases are not greatly helpful in this area. In BUAV¹³, the Upper Tribunal accepted the analysis of the First-tier Tribunal that, for information to be held on behalf of the public authority, there had to be an 'appropriate connection' between the information and the authority, so that it could properly be said that the information was held by it. The examples given by the FTT, however, of an employee bringing personal information into work, or a Minister bringing papers on a constituency issue into their government department, did not greatly clarify the formulation. In Visser, an FOIA case¹⁴, the First-tier Tribunal found that a register of attendance kept by a leisure centre provider, whose content exceeded the information required by the council to be kept under the contract (which did not require the maintenance of the register), was held on behalf of the authority. On the facts, the tribunal took the view inter alia that the information would be needed by the contractor for auditing or monitoring purposes, and that it could reasonably be requested by the council for that purpose; and was thus held on its behalf.

In her Parliamentary report, the ICO argues that the position is unsatisfactory, because decisions are reached by reference to the terms of the contract between the authority and provider, yet contracts often do not outline what is held on behalf of the authority. The ICO cites other examples:
— a report by a contractor into fire safety at an NHS hospital built under the Private Finance Initiative, which was not accessible under the FOIA (pp 24–25);
— information about building work done at the main London Olympic venue by a contractor, which was not held under the EIR (p 26); and
— a joint venture to create residential services for children with complex needs, where the information was not held for the purpose of access to information (p 26).
The express exclusion from the FOIA of information held by the authority 'on behalf of another person' is absent from the EIR¹⁵.

5 'Outsourcing Oversight? The case for reforming access to information law', ICO, January 2019; presented to Parliament under DPA 2018, s 139(3).
6 Environmental Information (Scotland) Regulations 2004, SSI 2004/520.
7 DBERR v ICO EA/2007/0072, paragraph 29.
8 'What is Environmental Information?', paragraphs 63–65.
9 EIR, reg 3(2).
10 ICO: 'Information held by a public authority for the purposes of the EIR', paragraphs 6–10.
11 ICO guidance as footnote 10, paragraph 25.
12 'Outsourcing Oversight', as footnote 5 above.
13 University of Newcastle v ICO and British Union for the Abolition of Vivisection [2011] UKUT 185 (AAC), para 23.
14 Willem Visser v ICO and London Borough of Southwark EA/2012/0125, paras 27–29.
15 FOIA 2000, s 3(2)(a); EIR, reg 3(2)(a).


Regulation 4 duty 21.15 Under EIR, reg 4, a public authority has a duty progressively to make environmental information available by easily accessible electronic means; and to take reasonable steps to organise the information with a view to its active and systematic dissemination. Information before 1 January 2005 in non-electronic form is excluded. The duty does not extend to information which would be exempt from disclosure. 21.16 The minimum is to include information referred to in Article 7(2)(a)–(g) of the Directive (such as policies and programmes, or reports on the state of the environment); together with facts and analyses which the authority considers to be relevant and important in framing major environmental proposals16. See also para 21.34 below.

Requests: confirmation or denial

21.17 There is a duty to confirm or deny that environmental information is held, in the same way as under the FOIA, but it is not express; it may be inferred from its exclusion in the two instances referred to below. Otherwise, and unlike the FOIA, there are no exceptions to the duty, so that it may be necessary to confirm that requested information is held even if it is harmful to do so, and even where an exception from the duty to disclose it applies. The two instances in which the duty to confirm or deny is excluded are:

• information covered by the exception in EIR, reg 12(5)(a) (international relations, defence, national security or public safety)17; or

• information excepted under EIR, reg 13, including in relation to the personal data of a third party18.

DEFRA CODE

21.18 The DEFRA Code of Practice on the discharge of EIR obligations gives background on the process of handling EIR cases. Only key points are highlighted here, as the Code needs to be directly considered. The Commissioner has added a commentary19.

21.19 The Code covers: training; proactive dissemination (reg 4); advice and assistance; timing; charges; transferring requests; consulting third parties; public sector contracts; accepting information in confidence; consulting devolved administrations; refusals; and reviewing complaints.

16 Directive 2003/4/EC on public access to environmental information, Article 7(2)(a)–(g).
17 EIR, reg 12(6).
18 EIR, reg 13(5A) and (5B).
19 DEFRA: ‘Code of Practice on the discharge of the obligations of public authorities under the Environmental Information Regulations 2004, SI 2004/3391’, February 2005; ICO: ‘Regulation 16 Code of Practice’, version 1.0.


21.20 The foreword to the Code makes clear that:

• authorities are expected to abide by it unless they have good reasons not to do so (paragraph 11);

• an authority is deemed to have complied with its duty to advise and assist in reg 9 if it has conformed with the Code in that respect (paragraph 15);

• unlike FOI, having a complaints and reconsideration procedure is mandatory (paragraph 14(viii)).

21.21 Key points from the Code are as follows:

(i) appropriate assistance to a requester would include steps such as: providing an outline of the different kinds of information available; providing access to catalogues and indexes; and setting out options for further information that could be provided; plus advising on other agencies, such as Citizens Advice, which may be able to assist them, including by making the application on their behalf;

(ii) before transferring a request, applicants should be notified (and alerted beforehand). Requests may only be transferred where (or to the extent that) the authority does not hold the information;

(iii) if the authority believes that some/all of the information is held by another authority, it should assist the applicant in the most expeditious way (eg by informing them; suggesting they re-apply; or providing contact details). A procedure is set out, involving consulting the second authority while protecting the identity of the requester, and then obtaining the applicant’s consent to the transfer;

(iv) where a request has to be clarified, the authority should, so far as practicable, provide assistance to enable the applicant more clearly to describe the information. If, after such assistance, the applicant still cannot describe the information in a way to enable the authority to identify and locate it, the authority is not expected to seek further clarification;

(v) where an applicant is not prepared to pay any charge requested, the authority should consider whether any relevant information is available free;

(vi) there are no special EIR provisions for dealing with requests which appear to be part of an organised campaign;

(vii) the Regulations do not refer to providing a summary, but this should generally be provided if reasonably practical to do so, taking cost into account;

(viii) a schedule of charges should include a price list, or the ‘charge per unit of work’ which will be incurred;

(ix) an authority may consider that consultation with a third party would be disproportionate on grounds of cost;

(x) public authorities cannot ‘contract out’ of their EIR responsibilities (ie undertake to a contractual partner not to comply with them);

(xi) refusals should be accompanied by the exception claimed and reasons, with public interest factors for and against; unless the statement would involve disclosing information which the exception would seek to withhold. In that case, the authority may merely paraphrase the exception;

(xii) records should be kept of all applications, and copies of redacted information and of the version sent to the requester;

(xiii) each public authority must have a review procedure. This should be a fair and impartial means of reviewing decisions. A target date for determining the complaint, and reasons for any delay, should be notified. Authorities must respond within 40 working days.

AGGREGATION OF PUBLIC INTEREST FACTORS 21.22 In a decision of major significance for public authorities, the European Court of Justice ruled that, where two or more EIR exceptions apply to the same requested information, the factors in favour of maintaining the exception should be added together; rather than (as with FOI) assessed separately as against the totality of those public interest factors which are in favour of disclosure20. The principal argument is that these factors will then be assessed (together on each side) on a common basis. 21.23 Public authorities need to apply this rule consistently and purposively, to assist in achieving the balance between the conflicting interests involved which the Directive and UK Regulations clearly seek.

Regulation 5(6) 21.24 EIR, reg 5(6) provides that any enactment or rule of (judge-made) law, which would prevent the disclosure of information in accordance with the EIR, shall not apply. Reflecting the precedence to be taken by EU legislation until Brexit, the Regulations (a piece of secondary legislation in UK terms) have effect notwithstanding any primary statute in UK domestic law which may make contradictory provision21. The position under this provision after Brexit remains to be tested, or determined. 21.25 See para 23.91 below, under the exception for confidential proceedings (reg  12(5)(d)), for a useful approach to handling conflicts created by this provision, in the context of that exception.

20 Office of Communications (Ofcom) v Information Commissioner [2011] EU ECJ, Case C-71/10. 21 Sometimes called a ‘Henry VIII clause’.


PRESUMPTION IN FAVOUR OF DISCLOSURE – REGULATION 12(2)

21.26 Regulation 12(2) requires an authority, in responding to information requests (and thus particularly if it is considering claiming that an exception applies), to apply a ‘presumption in favour of disclosure’. This is frequently referred to in decisions by the Commissioner and Tribunal, as well as in the ICO’s guidance on the exceptions; but there is a dearth of evidence that it makes a practical difference as to the scope or type of information disclosed, by comparison with the FOIA. Indeed, the Commissioner takes the view that the same presumption applies implicitly under the FOIA. There does not appear to be a decision in which the presumption being in express form made a difference between less disclosure or more in a specific context, or as between EIR and FOIA; as opposed to being taken to indicate the general approach to disclosure which should correctly be taken. The general view that greater disclosure can be expected under the EIR than under the FOIA seems, moreover, to have receded somewhat in recent years. As to the public interest factors generally in favour of disclosure, however, which are essentially common as between EIR and the FOIA, see paras 24.84–24.86 and 24.89.

COSTS AND CHARGES 21.27 There is no cost limit, equivalent to FOIA 2000, s 12, under the EIR. The exception for a manifestly unreasonable request (EIR, reg 12(4)(b)) may be used to introduce a form of cost limit. (See paras 22.16–22.25 below). 21.28 The EIR have greater scope for charging than FOIA, where only disbursements may be charged for answering information requests; yet few public authorities take advantage of it.

East Sussex case

21.29 In East Sussex22, the European Court of Justice clarified the breadth of the rules enabling charging under the EIR. An authority may charge for ‘the costs attributable to the time spent by staff of the public authority concerned in answering an individual request for information’. It may charge for:

— the cost of staff time, including overhead costs, incurred when preparing information to be supplied in response to a request. This includes the time spent in locating, retrieving and extracting the information, and then putting it into the required format;
— the costs of printing or copying the information requested and sending it to the requester.

22 East Sussex CC v ICO Case C-71/14, paras 37–45. See also ICO guidance ‘Charging for environmental information (regulation 8)’; due for revision in late 2019.


A charge should be ‘reasonable’. It should not have a ‘deterrent effect’, taking into account the ‘financial capacity’ of the requester, and whether it appeared to be ‘objectively unreasonable’. 21.30 The cost of a database could not be charged for, because it was also necessary to enable the authority to answer requests to inspect the information; for which no charge could be made. Charges could be made, however, in respect of other overhead costs, for the proportion attributable to answering information requests. 21.31 No charge may be made for inspecting public registers or lists, or the information itself on a register. Where charges are made, the authority has to have published a schedule of them beforehand. 21.32 The ICO ‘strongly discourages’ public authorities from charging for staff time spent in considering the application of exceptions and redacting exempt information (or information outside the request); other than the cost of (for example) redaction tape. The task is subjective, as the ICO argues, and could result in unreasonable charges. At the same time, the fact that an authority may do so illustrates the pressures on its resources in dealing with substantial EIR requests. The ICO’s advice effectively acknowledges that authorities may make such charges. 21.33 The rates of charges for staff time are not set down in the EIR. The ICO has found a charge of £25 per hour (for 3.5 hours: £87.50) to be reasonable as a ‘starting point’; but not for 13 hours (£325.00), pointing to the overall cost, and differences of circumstances. (See Wolverhampton CC, FER 0585074; and Folkestone and Hythe DC FER 0763266).

Reasonable costs

21.34 The ICO warns that authorities have duties under EIR, reg 4 which, if they have been properly implemented, should mean that many searches will have become easier to manage. She cautions that compliance with that duty, as well as with EIR, reg 9 (duty to advise and assist), may be a relevant consideration in deciding whether charges have been reasonable. The ICO gives two examples:

• where a search is large, but the records have been properly organised and the time spent carries no suggestion of poor records management, a reasonable charge is justified;

• this is contrasted with another search, where irrelevant material has to be searched because of poor records management; there it would be unreasonable to charge for the whole cost of the search.

21.35 In relation to disbursement costs, DEFRA’s guidance on charges has been that they should be harmonised with those chargeable under FOIA. This was interpreted by the Tribunal as a guide price of 10p per A4 photocopied sheet, unless the authority has a ‘good reason’ to charge more having regard to the guidance23. Higher charges may be applied for larger or more complex documents.

21.36 Where an authority is permitted to raise a commercial charge, as a trading fund, a commercial level of charge may be applied. This is defined as a reasonable amount which includes a rate of return similar to that achieved by comparable businesses facing a similar level of risk.

21.37 Where levels of charges are set down in legislation, care is needed to establish whether they are made subject to the EIR. Otherwise, they may serve as equivalent to EIR charges, provided their level is reasonable. Under the Re-use of Public Sector Information Regulations 2015 (‘RPSI’)24, if information is accessible under the EIR, the public sector body also has to make it available for re-use on request. A charge may be made for re-use, but will generally be limited to the marginal costs of reproduction, provision and dissemination. An authority which has charged for information under the EIR may not charge the same for it under the RPSI.

Charges for collating for inspection 21.38 No charge may be made to look at public registers and lists of environmental information. There cannot be a charge for allowing access to information in its normal location, or if public access to it is straightforward; but a charge may be made if the information has to be located and/or collated, in order to enable it to be inspected. This charge too must be reasonable. 21.39 Collation costs would apply to information which was not held in the form requested, and where work had to be undertaken to collate it into the arrangement sought. If no costs are incurred in preparing the information for inspection, none should be charged.

Schedule of costs

21.40 The publication of a schedule of costs is essential if the right to charge is to be maintained25. The ICO recommends that the schedule is placed on the authority’s website. It should set out:

— standard costs (eg charge per sheet; charge for producing on compact disc (‘CD’));
— a list of publications, with prices;
— the circumstances where payment in advance is required;
— an explanation of the basis for calculation of staff time;
— the basis of calculation of any other unpriced/variable items.

23 Markinson v ICO EA/2005/0014. The author had an early involvement in the case, in a non-legal capacity.
24 SI 2015/1415. See Appendix 6.
25 Bickford-Smith v ICO and Rural Payments Agency EA/2010/0032, paras 76–80.

Payment in advance

21.41 The authority is entitled to require payment in advance, provided that, within 20 working days of receiving the request, it notifies the applicant of that requirement and of the amount to be paid. The applicant then has 60 working days (c. three months) in which to make payment. If payment is not made by then, the obligation to supply the information lapses.

21.42 A reasonable charge may generally be made for the actual costs of staff time taken to locate the information requested, and to put it into an appropriate format for disclosure. Any disbursement costs, as under FOIA 2000 (the costs of transferring the information to the requester, such as copying or postage), may be added.

Time limit and extensions

21.43 The time limit for responding to EIR requests is that information is to be made available as soon as possible, and no later than 20 working days after the date of receipt of the request26. Under reg 7, the time may be extended to 40 working days (in total), if the authority reasonably believes that the complexity and volume of the information makes it impracticable either to comply with the request, or to make a decision to refuse to do so. It must notify the requester within the 20 working day limit. It should be noted that the provision refers to ‘complexity and volume’, not ‘complexity or volume’. The ICO has had to accept that this means, in terms of normal statutory interpretation in the UK, that both conditions should be met before the time is extended27.

Refusals and appeals 21.44 The procedure on refusing a request is substantially the same as under FOIA 2000. (See paras 24.93–24.96 below). Under EIR, reg 14, a refusal has to be in writing, and sent not later than the 20 working day deadline (unless the time has been extended). 21.45 A refusal should give reasons, any exception relied upon, and an outline of the public interest factors considered on both sides. If the exception in EIR, reg 12(4)(d) is cited, the authority should also specify (if known) the name of another public authority which is preparing the information, and an estimate of when it will be available.

26 EIR, reg 5(2). 27 EIR, reg  7(1). ICO: ‘Time limits for compliance, Environmental Information Regulations’, para 52.


21.46 The refusal should inform the applicant of the right to make ‘representations’ under EIR, reg 11 (ie in FOI terms, to ask for a review); and of the enforcement and appeal provisions in the FOIA, which the EIR utilise28. Unlike a review under FOI, there is an obligation to enable ‘representations’ to be made, which (if made) are to be made in writing to the authority within 40 working days. The authority shall consider any representations made and respond within another 40 working days of receipt. 21.47 See paras 24.99–24.102 in relation to the common system for FOI and EIR appeals.

National security and former Ministerial override provision

21.48 Under EIR, reg 15, a Cabinet Minister, the Attorney General, the Advocate General for Scotland, or the Attorney General for Northern Ireland (or another person designated on behalf of such a Minister), may certify that a refusal to disclose information in response to an EIR request is because the disclosure would adversely affect national security, and would not be in the public interest. (The exemption extends also to neither confirming nor denying that information is held, under reg 12(5)(a); see para 23.7.) It will be noted that the test is at the higher level that there ‘would’ be harm to national security (see paras 23.1–23.4). Such a certificate is conclusive evidence of the matters to which the exemption relates, and it may identify the information to which it relates in general terms. A document purporting to be such a certificate shall be received in evidence and deemed to be such a certificate unless the contrary is proved. There is thus a national security exception under the EIR, capable of being instigated only at the level of the UK government, or the specified law officers for Scotland or Northern Ireland. The exception is similar to, but appears to be broader than, that contained in FOIA, s 24 (see paras 25.75–25.88).

21.49 Regulation 18(6) of the EIR formerly included a broader Ministerial override against a decision or enforcement notice, by applying the equivalent provision in FOIA, s 53 (see para 24.106). This is no longer the case, however, following the decision of the Supreme Court in R (on the application of Evans) and another (Respondents) v Attorney General (Appellant)29, which decided that reg 18(6) was incompatible with the 2003 Directive and should be treated as invalid. The judges considered that Article 6 of the Directive required that, following a refusal by a public authority of a request for environmental information, the refusal had to be considered first administratively (ie by an internal review; see para 21.46 above); and, thereafter, that the applicant must have access to a ‘review procedure before a court of law’ or similar body ‘whose decisions may become final’, and were binding on the public authority. For these reasons, reg 18(6), allowing a Ministerial override, was incompatible with Article 6 of the 2003 Directive. It has since been amended to remove the EIR override.

28 EIR, reg 18(1).
29 [2015] UKSC 21.


Section C

Exemptions

CHAPTER 22

EIR Exceptions 1: Regulation 12(4)

22.1 All of the exceptions under the Environmental Information Regulations 2004 (‘EIR’), save in relation to the personal data of third parties (reg 13), are contained in reg 12(4) and (5), EIR1. Of the five exceptions in reg 12(4), the first three might be described as ‘process’ exceptions; although the latter two raise issues of potential harm to the working of the public authority, going beyond the disclosure in issue. The five exceptions are:

• the information is not held when the request is received (reg 12(4)(a));

• the request for information is manifestly unreasonable (reg 12(4)(b));

• the request is formulated in too general a manner, and the public authority has complied with reg 9 (on advice and assistance) (reg 12(4)(c));

• the material requested is in the course of completion, the documents are unfinished, or the data are incomplete (reg 12(4)(d));

• the request involves the disclosure of internal communications (reg 12(4)(e)).

INFORMATION NOT HELD – REGULATION 12(4)(A)

22.2 Under the Freedom of Information Act 2000 (‘FOIA 2000’), if the public authority does not hold the information, no duty to confirm or deny that the information is held, or to disclose it, arises under s 1(1) (read with s 3(2) on the meaning of ‘held’). If there is a complaint by the requester, the authority will be required to demonstrate, to the satisfaction of the Commissioner, that it does not hold the information, on a balance of probabilities (ie on a measure of 50% plus 1%).

22.3 The level of ‘proof’ required is the same under the EIR, but a different mechanism has to be used. An authority which considers that it does not hold the information requested (or does not hold some part of it) has to claim the exception in reg 12(4)(a). An authority thus has first to establish what it is looking for, in order to assess where it is most logical to search. It will then have to search all of the places that would normally be expected to hold information of that type, in a reasonable and thorough manner2. An authority which undertakes an inadequate search will not be entitled to claim that it has demonstrated on the balance of probabilities (ie 51%/49%) that the information is not held. A further possibility is that the authority demonstrates to the ICO that it would never have had a business need to record the information sought, because it did not relate to matters for which it was responsible; or because, even though it did, the authority had found that it had no practical need to record information of that kind3.

22.4 Where the authority can point to a retention (or destruction) schedule under which the information should have been destroyed, the ICO will take account of the importance of the information to the authority. (The greater the clarity which the authority can demonstrate about the operation of its retention schedule, the stronger will be its position. The ideal would be a record of the destruction of the actual record; otherwise, a record showing that information of that type or age would have been destroyed on a particular date, or in particular circumstances, should suffice.)

22.5 Where information is held electronically, but in a ‘deleted’ form, and the costs of recovery would be prohibitive, the appropriate exception is that in reg 12(4)(b) (manifestly unreasonable request), rather than claiming that the information is not held.

22.6 The need to use this exception, however, gives rise to the curious position that (at least technically) the public authority, having satisfied itself to the required standard that it does not hold the information, should then apply a public interest test to the question of whether it should, or should not, disclose information which it does not hold. This is plainly a nonsense, and the ICO has previously advised that the authority will not be expected to apply the test4.

1 The ICO helpfully reissued her EIR (and FOI) guidance in April 2019, to insert an overall summary covering all EIR exceptions; to which the more detailed notes of guidance for each exception are then linked. This summary guidance is listed on the ICO’s website as ‘Refusing a request’, in the main section on ‘Environmental information’, and has the title: ‘When can we refuse a request for environmental information?’. The rearrangement of the website coincided with the issuing of new guidance on dealing with information requests concerning personal data, to which Chapter 27 refers.

REQUEST MANIFESTLY UNREASONABLE – REGULATION 12(4)(B)

22.7 This EIR exception covers two situations that arise also under the FOIA:

• where the request is vexatious;

• where the cost of compliance with the request would be too great.

22.8 In relation to vexatious requests, the exception is effectively the same as that in FOIA 2000, s 14(1). There are material differences, however, where the basis for claiming the exception is the cost or the diversion of resources. The word ‘manifestly’ means that the unreasonableness must have an ‘obvious or clear quality’ (according to the Commissioner’s guidance). There is a public interest test in either case.

2 See ICO, ‘Determining whether information is held’, version 3.0, paragraph 61.
3 See ICO, ‘Determining whether information is held’, paragraphs 62–63.
4 The ICO had no current guidance on the exception, however, at the time of writing.


22.9 As with FOIA 2000, s 14(1), and the FOI cost limit in s 12, the purpose of the exception is to protect public authorities from exposure to a burden that is disproportionate, or from exposure to an unjustified level of distress, disruption or irritation in handling information requests.

Regulation 12(4)(b): (i) vexatious requests

22.10 Although the wording is different – the word ‘vexatious’ not being used in this exception – and although (as above at para 22.2) an exception has to be claimed where under FOIA 2000 no duty would arise, the Upper Tribunal has held that there is no material difference between a request that is vexatious under FOIA 2000, s 14(1), and a request that falls under this exception on vexatious grounds: Craven v Information Commissioner and the Department of Energy and Climate Change5. Judge Wikeley in the Upper Tribunal said: ‘I do not believe that the existence of the explicit public interest test in the EIR and the statutory presumption of a restrictive interpretation of regulation 12(4)(b) should mean that, even at the margins, it is in some way “easier” to get a request accepted under the EIR than under FOIA’ (paragraph 22).

22.11 Public authorities should, therefore, rely on the ICO’s guidance and the case law for vexatious requests under FOIA 2000, s 14(1) (notably the ‘issues or themes’ in Dransfield6). These were:

• the burden of meeting the request;

• the motive of the requester;

• the value of, or any serious purpose in, the request;

• any harassment or distress caused.

Authorities should have in mind that the case law on vexatiousness, and the ICO’s guidance, give robust grounds for refusal. (See also discussion of FOIA, s 14(1) at paras 24.65–24.76; including cases referred to in para 24.75).

22.12 The scope of the context and history that may be taken into account can include: other requests (from the same source, or if requests appear to have been concerted); their number and subject matter; and any previous dealings with the requester. The Commissioner’s core test, after Dransfield, is whether there would be a disproportionate and unjustified level of disruption, irritation or distress resulting from the request.

22.13 The public authority will still need, however, to apply the public interest test to a vexatious request under the EIR. The Commissioner advises that many of the issues will already have been considered in deciding whether the exception is engaged, because doing so involves some consideration of the proportionality and value of the request. The authority will usually, therefore, be able to ‘carry through’ the same relevant considerations which it took into account in determining that the exception was engaged, into the public interest test7. The public interest factors in favour of maintaining the exception will be in protecting the authority from the exposure; including in order to enable it to protect its mainstream services, or to answer other information requests. The public interest factors in favour of disclosure will be in the promotion of transparency and accountability, greater public awareness and understanding of environmental matters, the free exchange of ideas, or more effective public participation in environmental decision-making. Their weight in each case will vary.

22.14 If the information is mixed as between the FOIA and EIR, the authority should state in its refusal letter that the request is vexatious, or manifestly unreasonable, under the relevant provisions, to the extent that the request is for non-environmental or environmental information respectively. (In other words, it does not need to allocate the information as between the two regimes, and may proceed on an ‘either/or’ basis; where doing otherwise would partly defeat the purpose of enabling a public authority not to have to answer vexatious requests)8. In relation to any EIR information covered by reg 12(4)(b), it should explain the public interest test that has been carried out.

22.15 The ICO would not expect a public authority to provide advice and assistance, where it refuses a request under this exception as vexatious9.

5 [2012] UKUT 442 (AAC), para 22; upheld in the Court of Appeal, [2015] EWCA Civ 454.
6 [2012] UKUT 440 (AAC), paragraph 28.

Regulation 12(4)(b): (ii) cost grounds 22.16 The position is more complicated in relation to cost. There is no express cost limit in the EIR. The Commissioner advises, somewhat oddly, that the main instrument for dealing with burdensome requests should be the power in EIR, reg  7(1), to extend the time for response from 20 to 40 working days where the authority reasonably believes that the complexity and volume of the request means that it is impracticable for it to comply in the earlier period, or to make a decision to refuse the request10. This seems to imply that the use of the exception as a cost limit should be avoided where possible, in favour of disclosure where it can be achieved; although no reason is given. It must also be the case that a request remains burdensome even if the authority is allowed a longer period in which to tackle it. It is respectfully suggested that this advice seems to be contrary to the spirit of the Craven11 and Dransfield12 decisions.

[7] ICO, ‘Manifestly unreasonable requests – Regulation 12(4)(b)’, version 1, paragraph 32.
[8] As footnote 7 above, paras 39–40.
[9] As footnote 7 above, para 16.
[10] ICO: ‘Manifestly unreasonable requests – regulation 12(4)(b)’, para 17. On extending time, see para 21.43 above.
[11] [2012] UKUT 442 (AAC).
[12] [2012] UKUT 440 (AAC).


22.17 In Craven, the judge said: ‘Taking the position under the EIR first, it must be right that a public authority is entitled to refuse a single extremely burdensome request under regulation 12(4)(b) as “manifestly unreasonable”, purely on the basis that the cost of compliance would be too great (assuming, of course, it is also satisfied that the public interest favours maintaining the exception). The absence of any provision in the EIR equivalent to section 12 of FOIA makes such a conclusion inescapable.’ (paragraph 25)[13]

22.18 As the Commissioner advises, the test should be whether the cost or burden of dealing with the request is ‘too great’; involving consideration of the proportionality of the burden or costs involved, and a decision as to whether they are manifestly (ie clearly or obviously) unreasonable. An authority will need to take account of all the circumstances of the case, which will include: the nature of the request and any wider value in the information being published; the importance of any underlying issue to which the request relates, and any extent to which publication would illuminate it; the size of the authority and its resources (eg whether dealing with it would distract the authority from delivering other services); and the context of the request, including any other requests on the same subject from the same requester. The Commissioner advises that the express presumption in favour of disclosure may oblige the authority to deploy greater resources to EIR requests than would be the case with the FOIA;[14] although this seems to be at variance with the statement of Judge Wikeley in the (more senior) Upper Tribunal in Craven referred to at para 22.10 above (and upheld by the Court of Appeal).

22.19 The Commissioner suggests that the same hourly rate (£25 per hour) should be used to assess staff costs; but that while the same hours limit (18 hours, or 24 hours for central government) is a useful starting point, it is not determinative.[15] Experience would suggest that in practice a higher limit should be applied under the EIR, although it is unclear what this might be; save that the level will probably vary with the scale of the overall request, in relation to the size and resources of the organisation. The Commissioner does, however, state her position to be that there may be occasions when it is permissible to aggregate requests when assessing whether they are unreasonable on grounds of cost (although this approach should only be used where ‘dealing with multiple requests would cause a real problem’[16]).

22.20 If the information is ‘mixed’ as between FOI and EIR, and the authority wishes to refuse it on grounds of cost, it has to do so separately. It should look at the Commissioner’s guidance ‘Calculating Costs Where a Request Spans Different Access Regimes’.

[13] Case reference as in footnote 11.
[14] DBERR v ICO EA/2008/0096.
[15] ICO: ‘Manifestly unreasonable requests – Regulation 12(4)(b)’, paragraph 23.
[16] As above, paragraph 25.


22.21 The ICO says in her guidance that, whereas the cost of considering whether information is exempt cannot be taken into account under FOIA 2000, s 12 (because the costs regulations are specific as to what may be included), it can be taken into account under reg 12(4)(b), since it is not excluded. (NB Such cost may similarly be taken into account in relation to vexatious requests under s 14(1).) This is a significant concession, of which many public authorities may not be aware.[17]

22.22 The Commissioner also advises that, if authorities are considering using reg 12(4)(b) as a cost limit, they should, before claiming the exception, offer the requester appropriate advice and assistance to seek to reduce the scale of the request. While this may be desirable, and productive in some cases (and may even indicate the ICO’s likely approach to a complaint), it is not a formal requirement.

Public interest test

22.23 The public interest factors in favour of disclosure may be approached in the same way as in para 22.13 above. The Commissioner points out that, since the information will often not have been collated (since the authority is seeking to avoid doing so), this will often have to be assessed from the nature of the request, the type of information likely to be covered, or from a small sample. In particular cases, there may be other factors (such as accountability for spending public money, if large numbers of people are affected, or if there is a reasonable suspicion of wrongdoing). The public interest in favour of maintaining the exception will lie in avoiding exposure to the burden or distress involved, or any adverse impact on the delivery of other mainstream services or on the authority’s capacity to answer other information requests. It may be that, for smaller public authorities, or for larger ones handling significant numbers of requests according to well-established processes, such disruption may be relatively easy to demonstrate.

22.24 There is no exemption under reg 12(4)(b), of either type, from the requirement to confirm or deny whether the information is held. The Commissioner recognises, however, that this may not be practicable in a small number of cases where the authority is not sure whether the information is held, and the cost of finding out would be obviously unreasonable.

22.25 Where a complaint is made to the ICO, she makes clear that she will expect to see detailed cost estimates, sample correspondence, or correspondence logs; while not expecting the authority to collate the information held, since this would defeat the purpose of the exception.[18]

[17] ICO: ‘Manifestly unreasonable requests – Regulation 12(4)(b)’, paragraph 26.
[18] As footnote 17, paragraph 45.


REQUEST TOO GENERAL – REGULATION 12(4)(C)

22.26 This exception is engaged where the request is formulated in too general a manner, and the authority has complied with its duty to advise and assist in reg 9. The exception applies, therefore, where the request is unclear or ambiguous, or where the authority cannot identify from it, or locate, the information that is sought. Where the request is too large, the authority should claim the exception in reg 12(4)(b). This exception is rarely used, and there are very few case examples.

22.27 The ICO makes a number of recommendations for dealing with unclear requests. These include reading the request objectively; taking a plain reading of it; and avoiding reading a meaning into it.

22.28 The exception is only available where the authority has complied with its duty in reg 9 to provide advice and assistance. In practice, this means that it has requested further particulars from the requester. Where the authority relies on the exception, it should issue a formal refusal notice within 20 working days of receiving the request. At the same time, it should ask the requester to clarify the meaning of the request, and provide him or her with ‘reasonable’ advice and assistance in order to do so.

22.29 In Olympic Delivery Authority,[19] the request was for all records and data concerning radiation monitoring at the main Olympic site, and the location of each device.[20] The ODA refused the request on this ground. It did not, however, ask for clarification, and the ICO determined that, as a result, it could not claim the exception. The duty to give advice and assistance comes into play once the authority establishes that it does not understand the request (Boddy v ICO).[21] Appropriate advice and assistance may include:
— Providing an outline of the information available, relevant to the request.
— Offering access to registers or catalogues.
— Providing a general response to the request, describing the information available.

22.30 The list is not exhaustive, and authorities should be flexible in providing advice and assistance. Where a person finds it difficult to specify clearly the nature of their request, the authority should provide appropriate assistance to help them to make a request (eg by framing the categories of information within which they need to provide more information to the authority).

22.31 While reg 9(3) states that conformity to the EIR Code of Practice amounts to compliance with the duty to advise and assist, the ICO also makes clear that the steps are not limited to those in reg 9; leaving an authority at risk of breach, even where it has taken the steps set out in the Code.[22]

[19] FER 0267670.
[20] The meaning of the request might appear to some to have been reasonably clear.
[21] EA/2007/0074.
[22] See ‘Requests formulated in too general a manner (Regulation 12(4)(c))’, paragraph 21.


22.32 Once sufficient clarification has been received, a new period of 20 working days after receipt applies. In effect, therefore, a new request is begun, which is helpful to the authority placed in the position that it cannot understand an EIR request. If the authority still cannot establish what the request covers, however, even with the additional clarification provided, it has no further duty.

22.33 The Commissioner again recognises that applying a public interest test to whether the exception will apply will be difficult until the public authority knows what information is sought. The ICO further takes the view that the public interest in maintaining the exception (in order to allow the matter to be clarified) will outweigh the public interest in disclosing what could easily be the wrong information.[23]

22.34 If the requester complains that they have not received the requisite advice and assistance, the matter should be dealt with under the public authority’s complaints procedure.

MATERIAL IN COURSE OF COMPLETION ETC – REGULATION 12(4)(D)

22.35 This exception applies to the extent that the request relates to ‘material’ which is still in the course of completion, to unfinished ‘documents’, or to incomplete ‘data’. It can, therefore, apply to policy formulation or development by government (as in FOIA 2000, s 35), or to information whose disclosure would harm the conduct of public affairs (FOIA 2000, s 36). It is one of the two nearest equivalents of those exemptions under the EIR; although it is not limited to either, and may apply to unfinished documents etc on any matter. Information created as part of the process of formulating or developing policy or taking a decision, where the process is not complete, is included. A note or memorandum made as part of a developing policy process may, therefore, itself be complete, but be covered by the exception as forming part of a larger decision-making process which is not concluded.

22.36 Since the exception applies to both ‘material’ and ‘documents’, they are clearly separate. ‘Material’ must have a ‘physical existence’: it does not describe a project, exercise or process. It includes information which is not held in documents, such as photographs, films or audio recordings.[24] The ICO takes the view that a document may be finished, but can form part of incomplete material and fall within the exception. Much will depend, however, on the overall factual position. The same view has been taken in a number of decisions in the First-tier Tribunal (eg as cited in Gardner v ICO).[25] In Chichester,[26] the local authority sought to argue that, where a proposal to develop affordable housing on a piece of land was in its early stages, with terms for the acquisition of the land and the nature of the development yet to be finalised, the content of three completed documents which related to the matter was still in the course of completion. The ICO said, however, that the relevant test concerned the information within each document and the purpose for which it was created; not the progress of the project. One of the documents had been submitted to the county council for a response on highways issues, which the latter had used. Another was a committee report about acquiring land, which the committee had considered; and there had been nothing to suggest that it was a draft. A third document was an email which the ICO assumed that the recipients would have acted upon.

22.37 Labelling a document as a ‘draft’ is not sufficient to engage the exception. There needs to be an unfinished element to it (at the time of the request); although this may include that it is awaiting consideration or approval, provided there could be some change to the overall final position. If a piece of information was properly a ‘draft’, however, it will remain so permanently for the purposes of this exception; notwithstanding that later versions may have been approved, or even published, before the request is made.[27] The public interest in disclosing previous drafts of a completed document (including if it has since been published) may be low.[28]

22.38 In Wirral MBC v ICO,[29] the request was for the background papers to a controversial local authority report, made immediately following its consideration by the council’s Cabinet (although that consideration did not conclude the matter). The Tribunal rejected the view that there was a need to ‘allow the public to trace the evolving picture of what information the drafters of the report felt should be included in, and especially omitted from, the final version’; saying that it was not obvious what public interest would be served, if the officers were acting in good faith (as was assumed). (See further below at paras 22.42–22.44.)

[23] As footnote 22, paragraph 31.
[24] Highways England Co. Ltd v ICO and Henry Manistey [2018] UKUT 423 (AAC), paras 23–24.
[25] Colin Gardner v ICO EA/2018/0150, at paras 22–26.

PUBLIC INTEREST TEST – REGULATION 12(4)(D)

22.39 Given the potential breadth of its scope, the key issue as to how widely the exception will apply in practice will arise in relation to the public interest test. Three factors are of relevance: the ‘safe space’ (to allow private thinking space for an organisation); a ‘chilling effect’ (on the candour or openness of future advice); or whether publication would ‘distract from the public debate’ on the matter (the latter arising from a case involving a report on transport policy).[30]

[26] Chichester District Council FER 0349127.
[27] Secretary of State for Transport v ICO EA/2008/0052.
[28] See, for example, Wirral, as in footnote 29; as well as the Transport case as in footnote 27.
[29] Wirral Metropolitan Borough Council v ICO EA/2012/0117.
[30] See footnote 27, and below at paras 22.49–22.50.


Safe Space

22.40 The content of the information, and the timing of the request, will be key determinants of the degree of weight to give to these factors. The need for a ‘safe space’, a time or area within which decision-makers or officials can undertake frank consideration or discussion without outside scrutiny, may have significant weight while a policy, decision or other matter is under discussion (or ‘live’). If the exception is to be claimed, the need is to show why disclosure of the particular draft would be likely to harm the safe space. This could be, for example, by:
– opening those taking the decision to external interference and distraction;
– hampering the internal debate by requiring disclosure before the options have been fully developed; or
– opening up the issue to public discussion before all the information needed to take the decision has been identified, gathered or analysed.

22.41 It may also be that disclosure on this occasion would harm future consideration of an identical or similar type of issue; although it is important to avoid a ‘blanket’ approach, and the public interest factors will be the more robust to the extent that they are based on the present instance, rather than future potential examples, and relate in substance to it.

22.42 Reference has already been made to the public interest in the Wirral case.[31] The Tribunal in that case strongly endorsed a comment in Mersey Tunnel Users Association v ICO[32] that: ‘there may be little, if any, public interest in disclosing a draft which is an unfinished document, particularly if a finished or final version has been or is likely to be made public.’

22.43 The Tribunal in Wirral added that there was, in that case, in its view a strong public interest in withholding such draft reports from disclosure because of the ‘risk of fruitless public debate and interrogation of officials as to unadopted positions and abandoned arguments.’[33]

22.44 Timing added to (but did not determine) the weight of the public interest in that case in favour of maintaining the exception. The report had been written shortly before its consideration, and the making of the request. The Tribunal drew a distinction between what could be expected to be the consequences of disclosure where a request was made some two years after the discussion recorded (as in Department for Education and Skills (DFES) v ICO[34]), and shortly after the report was published (and with the final matter still to be disposed of). The Wirral case also expressly supported the application of the same high expectations of the conduct of officials, stated in DFES to apply to civil servants, to senior local authority officers. It concluded: ‘Accordingly, we discern little public interest in following the trail of internal discussions which led to the final report but powerful interests to justify upholding the exceptions in Regulation 12(4)(d) and (e).’[35]

[31] See para 22.38 above.
[32] EA/2009/0001, para 27.
[33] Wirral Metropolitan Borough Council v ICO EA/2012/0117, paragraph 22.
[34] Department for Education and Skills v ICO and Evening Standard EA/2006/0006.

22.45 It should be noted that the ICO takes a different approach in her guidance, referring to a decision of her own (LB Hillingdon[36]) where she found that any prejudicial effect of disclosing a draft was likely to reduce once the final version was completed. The author respectfully suggests that the approach set out by the Tribunal on that issue in the cases referred to above at paras 22.42–22.44 is to be preferred.

22.46 The ICO’s guidance on reg 12(4)(d) does not refer, however, to a need for a continuing safe space in some cases after a policy has been decided. In other guidance than on this exception, the ICO accepts that there may be a continuing need for a safe space after the policy or decision has been announced, if only for a short time, and to ‘properly promote, explain and defend its key points’.[37] It could be added that a safe space may be needed for a period also to deal with implementation issues, or to review a more detailed aspect or development of a policy. It is not apparent that there should be any difference in principle in relation to this exception. It is respectfully suggested that the correct position is as set out by the Tribunal in DBERR v ICO (partly decided under reg 12(4)(e)),[38] and other cases. The formulation in that case was that the public interest in favour of maintaining the exception diminishes over time, as the policy becomes more certain and a decision on policy is made public.
In OGC v ICO[39] (an FOIA s 35 case), the High Court said that the importance of the public interest in maintaining the exemption was diminished once the Parliamentary Bill in question had been presented; but it was not ended. In Badger Trust, the Upper Tribunal similarly rejected the view that there would be no public interest in non-disclosure once a policy had been formulated and announced. It said that the issue was not whether there was a continuing need for a ‘space to think privately’ at that point (which there was), but whether the weight of the public interest outweighed the public interest in disclosure at that time. The issues depended on the facts and circumstances. The state of the programme in issue, and the thinking current at the time, were relevant factors (although not decisive). This approach was acknowledged too, in the context of FOIA, s 35(1)(a), in Webber (see also paras 22.70–22.72).[40]

[35] Wirral (as footnote 33 above), paras 26 and 27.
[36] London Borough of Hillingdon FER 0322012; ICO guidance on reg 12(4)(d), para 15.
[37] See ICO, Internal Communications (regulation 12(4)(e)) (and para 22.70 below). Also ICO guidance on FOIA, s 35 (paras 199–200) and s 36 (para 61).
[38] ICO guidance on reg 12(4)(e) (as footnote 37), para 50; and Department for Business, Enterprise and Regulatory Reform (DBERR) v ICO and Friends of the Earth EA/2007/0072, para 114.
[39] Office of Government Commerce v ICO and Attorney-General [2008] EWHC 737 (Admin), para 101.

22.47 In relation to unfinished material (which need not concern policy at all) much will depend on the facts. An authority claiming that the role for a safe space needs to continue (or has recurred) will need to be able to show how, and why, confidential consideration of the issue is likely to be harmed by the disclosure. A situation could be envisaged, however, where unfinished materials continue to be relevant to a matter, and where the need to consider an aspect of the matter in private may recur (see Example below).

Example: Further need for safe space

Your local authority has recently repaired a road on an emergency basis, but it is unclear whether increased traffic usage will mean that further repairs will be required soon. A draft report, produced by the authority’s highways engineers before the repair was carried out, had warned that this might be the case, and advised of more durable (but more expensive) methods of repair. The repair went ahead, however, without properly considering the report, which was never completed. An EIR request last week, submitted by a road haulage company, is seeking any documentation relating to the repair. Your lawyers are concerned that disclosure now of the possible need for a further repair soon may hamper the council’s consideration of its options; particularly if any vehicle suffers damage in the meantime and the owner seeks redress from the council. You may have a basis for withholding the draft report, on the ground that, notwithstanding that the decision has been taken, a safe space continues to be needed to reconsider the draft report, and that the public interest in withholding it to enable this to take place (and perhaps also to allow your authority to consider in private any legal advice in relation to it) outweighs the public interest in disclosure. There may also, however, be a public interest in the circumstances in knowing the authority’s decision-making process, and these interests would have to be balanced.

Chilling effect

22.48 A chilling effect is less likely to be affected by whether the final version of the material has been published, as the same harm would arguably arise from the publication of a draft. The harm claimed is for the future in such cases, as a consequence of the material now being disclosed. The issue will be whether disclosure of the information in an unfinished form would affect the frankness or candour with which officials, or others involved in the decision, would give advice or exchange views in the future (and thus affect the quality of those exchanges). The Commissioner accepts that, where the issue is still under consideration, there may in some cases be an argument for a chilling effect. She is less prepared to recognise that there may be an argument as to ‘unspecified and unrelated discussions in the future’.[41] A more positive approach would acknowledge the reality that disclosing drafts of documents, advice, email discussions or proposed lines of approach will, from time to time, make more difficult the position of officials and others in future in dealing with both internal and external issues of the same sort. It will naturally make them more cautious, on occasion, about expressing their views in a similar way again. The issue may arise as much from complications encountered in handling external relations as in internal working relationships with decision makers.

[40] Defra v ICO and Badger Trust [2014] UKUT 526 (AAC), paras 51–53; Cabinet Office v ICO and Webber [2018] UKUT 410 (AAC), paras 22–23.

Distraction from public debate

22.49 Where there may be a distraction from the public debate about the matter concerned, by discussion instead of the disclosed draft, this may form a further public interest factor in favour of maintaining the exception. In the Transport case referred to above, a report for the government on links between transport and the economy, by the retired Chief Executive of British Airways, Sir Rod Eddington, was written with civil service support. A draft was known to have been completed some months before the final version was published. The then Parliamentary Opposition requested the draft version under the EIR, to see whether it had been changed since its completion. The Tribunal refused disclosure, on the basis of this exception and reg 12(4)(e); the main public interest factor being that there would be likely to be a distraction from the debate on the report itself by the creation of a separate debate about whether, and in what respects, the draft might have been altered. In these circumstances, the greater weight of the public interest lay with conducting the main debate without the detrimental effects of such a distraction, which was contrary to the public interest.[42]

22.50 It is notable that the ICO’s guidance on reg 12(4)(d) seeks to limit the scope of this public interest factor to instances where the public authority cannot minimise the extent of any distraction by providing an explanation of any deficiencies or differences between the draft and the final version. While every case is different, it is respectfully suggested that publishing the draft with an accompanying explanation about differences between the two versions is as likely to fuel a debate as to avoid it; as well as involving the authority in a potentially complex and burdensome exercise of justification. The insertion of this condition by the ICO is not supported by the case law.

[41] ICO: ‘Material in the course of completion, unfinished documents and incomplete data (regulation 12(4)(d))’, paragraph 17.
[42] Secretary of State for Transport v ICO EA/2008/0052, paragraphs 132–133, and 159–160.


Whether disclosure would assist understanding

22.51 The Commissioner’s guidance helpfully focusses attention on a significant factor in some cases: whether the content of the unfinished information is actually such that its disclosure would shed light on the issue concerned. Acknowledging that there is always an argument for describing how a decision was reached, it is nonetheless quite frequently the case that the background papers, surrounding correspondence, or earlier drafts would add little to the information in the final document; especially if the latter has been published. The ICO refers to her decision on a request to the Department for Business, Enterprise and Regulatory Reform (DBERR) for all information held about a decision to produce a document on planning conditions for onshore windfarms; in which the Commissioner was not persuaded that disclosure would greatly inform the public as to how the guidance was published.[43]

Misleading material

22.52 An argument that publication of unfinished material may be misleading usually carries little public interest weight. (The distinction between this point, and the distraction from public debate discussed above at paras 22.49–22.50, should be noted.) The ICO’s consistent view on arguments of this kind has been that it is generally open to the public authority to publish explanatory material alongside the disclosure, in order to explain any potential misunderstanding. There are, however, exceptional situations in which this may be a valid public interest factor: if it would be difficult to correct a misleading impression, or would require a disproportionate effort to do so. This might arise, for example, if the only staff member who could answer the point has recently left; if the authority does not hold the final version of the information; or if the volume of enquiries generated would be likely to hinder completion of the work.

Incomplete data

22.53 Data which are incomplete because the authority is still collecting them will fall within the scope of the exception; but such data which are (or have been) in use by the time of the request will not. This will be the case even if, in the view of the authority, the data may be modified at a later stage. Where, in Basildon,[44] the local authority was using an estimate of the number of mobile homes on unauthorised sites occupied by Travellers, which it intended to clear, it could not rely on its view that the estimates might in the future prove to be incorrect, or subject to change, to treat them as incomplete for the purposes of the exception.

[43] ICO guidance on EIR reg 12(4)(d) (as footnote 35 above), paragraph 25. Department for Business, Enterprise, and Regulatory Reform (DBERR) FER 0184525.
[44] Basildon District Council FER0321779.


22.54 Similarly, if a public authority is using raw data which it has collected as part of an ongoing research exercise, the data are not incomplete; even if they may later be revised, or published in another form. Data collected on a regular basis are not incomplete, even if later revised, because of the continuing process of collection.

22.55 Similar issues may arise where an authority is considering a series of reports, findings etc on an issue which it is investigating. If the result of a first report will not affect the course of the following part of the investigation, because it concerns a different aspect or is otherwise not dependent on it, and the first report has been completed, the exception is unlikely to apply (a ‘longitudinal’ study). By contrast, if disclosure of the results of the first report would properly affect the subject matter of, or the approach taken in, the second investigation, the whole exercise may be incomplete (a ‘horizontal’ study); and the exception may be engaged in those circumstances.[45]

Ancillary duties

22.56 EIR, reg 5(4) requires information made available, where it is compiled by or on behalf of the authority, to be up to date, accurate and comparable, so far as the authority reasonably believes. The ICO takes a narrow view of the scope of this provision, considering it to be: limited to ‘current factual data’; applicable only where the authority is collecting the information on an ongoing basis, for its own business purposes; and having an impact only where the authority is aware (or ought to be) that the information does not meet the requirements.[46] The ICO is concerned that these requirements should not be taken to strengthen the argument for this exception; and that the authority should publish any corrected data, if they are available.

22.57 Where the exception in reg 12(4)(d) is claimed, the authority should specify (if it knows) the name of any other public authority which is preparing the information, and the estimated time when it will be completed.

Other relevant exceptions

22.58 Other potentially relevant EIR exceptions may include: internal communications (reg 12(4)(e)); course of justice (reg 12(5)(b)); confidentiality of proceedings (reg 12(5)(d)); confidentiality of commercial or industrial information (reg 12(5)(e)).

45 For an example of such a series of studies, see City of Plymouth Council FER00069925.
46 ICO guidance on reg 12(4)(d) (see footnote 41), para 22.


22.59 EIR Exceptions 1: Regulation 12(4)

INTERNAL COMMUNICATIONS – REGULATION 12(4)(E)

22.59 A public authority may refuse to disclose environmental information to the extent that the request involves the disclosure of ‘internal communications’. A ‘communication’ will include any information intended to be communicated to others, or saved in a file where it may be consulted by others. Merely filing a paper document in a file to which others have access will count, therefore, as a communication; as will an electronic record of a meeting etc. The ICO advises that an aide-memoire to oneself may also be a communication, provided it records the content of another communication. An unsent draft of a communication may also be covered47.

22.60 An ‘internal communication’ is essentially a communication kept within one public authority. All central government departments are deemed to be one public authority (under reg 12(8)) to allow circulation within government on the same basis as other public authorities48.

22.61 Thus communications between different bodies, other than government departments, even though they may sit at the same ‘tier’ of national administration or local government, share common or similar functions, or be working in partnership, are excluded. Correspondence between a local authority and the arms-length body it created to manage its housing stock was not an internal communication49; nor were discussions between the Mayor of London and a government department over climate policy50. A communication between a department of the UK government and a devolved government is not an internal communication.

22.62 Discussions between a contractor and a public body will generally be excluded; as was a development appraisal by two planning consultants advising a local authority51. The ICO suggests that the form and substance of the relationship, and the nature of the information, may vary on occasion.
The report of an unpaid external adviser, Sir Rod Eddington, who was advising the Transport department and writing a report for it, and who was ‘embedded’ in the department with support from its staff, was included; although the ICO regards this instance as exceptional52. A report by a planning inspector to the Secretary of State has also been included (although on the narrow basis that it was a communication from the inspector, which was passed internally by the DCLG to the Minister)53.

22.63 Communications between executive agencies and their parent departments (or to another department), or between different such agencies, are covered, however, as they are treated as part of the parent department for this purpose. Communications from non-departmental public bodies are not included, since they are separate entities from their departments; as are companies that are wholly-owned by public bodies.

47 ICO: ‘Internal Communications (regulation 12(4)(e))’, paras 15 and 16 respectively.
48 Government departments are treated as separate organisations for the purposes of Parts 2, 4 and 5 of the EIR; which does not include the exceptions, which are in Part 3.
49 London Borough of Islington FER 0453309.
50 Department for Environment, Food and Rural Affairs (DEFRA) FER 0272686.
51 South Gloucestershire Council v ICO and Bovis Homes EA/2009/0032.
52 Secretary of State for Transport (‘Eddington case’) above. See ‘Internal communications (regulation 12(4)(e))’, para 27.
53 Department of Communities and Local Government FER 0525303, paras 11–12.

22.64 If an internal communication is copied externally, it loses its internal status. This will be the case where it is copied subsequently outside the organisation; unless the copying was in error, a leak, or as a result of an obligation on the authority; where the ICO takes the view that the protection should not be lost (although the public interest in maintaining the exception may have been weakened)54. An internal email chain which is copied externally loses its internal status at the point where it was copied externally. (Later internal emails in the same chain may, therefore, resume the protection).

22.65 An internal communication may record a discussion with an external third party, provided it remains within the public authority55.

22.66 An attachment to an internal communication falls within the exception, provided the covering email etc is kept within the public authority. A communication from outside which is circulated as it stands will not be an internal communication; although if information from it is reproduced in an internal memorandum, that extract can form part of such a communication. An external document which is attached to an internal communication, however, is counted as falling within the internal communication as a whole56.

22.67 As a class-based exception, the exception applies in principle even more broadly than the exception for incomplete material in reg 12(4)(d), but the public interest test likewise limits the scope.

Public interest test

22.68 The discussion of the safe space and chilling effect under the exception in reg 12(4)(d) will have relevance under this exception as well.

22.69 Arguments for the public interest test should be concentrated on the need to protect the internal process of deliberation and decision making in the organisation. Thus some harm from disclosure will have to be identified as likely to support the exception. The safe space and, to a lesser extent the chilling effect, are the key public interest considerations. Public interest arguments should be concerned with the content and sensitivity of the information, and the circumstances surrounding the request57.

Safe space

22.70 The ICO accepts the need for a safe space in relation to reg 12(4)(e) to develop ideas, debate issues and reach decisions, away from external interference and distraction; and says that in some cases it can have significant weight58. The timing of the request will be very important. The ICO maintains that the public interest in non-disclosure will be strongest in relation to the safe space while the issue is ‘live’. The Upper Tribunal said in Amin v ICO and DECC59, a case concerning this exception, that there is not a binary distinction between a ‘live’ and a ‘not live’ issue; nor a single point at which the public interest becomes, or ceases to be, significant. (It might be different with FOIA, s 35(1)(a), it said, to the extent of whether the matter concerned the formulation or development of policy, as opposed to its implementation; and thus whether that provision was engaged (para 120)). The position after the policy has been decided, or the decision taken, is as set out in the DBERR case60, and the other decisions discussed at para 22.46. The Judge in Amin added, however, that if there was evidence that, ‘even though no policy formulation was occurring at the time when the request was answered, it was likely that the policy would need to be reconsidered’, and that in that event a ‘previous disclosure of the withheld information would or might well have given rise to unproductive disruption and distraction’, this could be taken into account (para 110); referred to also in Webber at para 2461.

54 See ICO: ‘Internal communications (regulation 12(4)(e))’, para 32.
55 ICO guidance on reg 12(4)(e), para 30.
56 The distinction is a fine one; see ICO guidance, paras 34–35.
57 ICO guidance, as in footnote 55, para 47.

22.71 The Commissioner acknowledges that an authority may need a safe space for a short time after an announcement, to promote, explain and defend its policy; although it would need to be able to describe the need for the safe space to continue. (See also wider suggestions at para 22.46 above). The guidance also makes the point that the public interest in disclosure will be increasing once the decision has been announced, in order to allow scrutiny of the new decision or policy.

22.72 The content of the information will also be important in assessing the need for a safe space. Questions for a public authority to ask itself, in forming its view, might include: what in the content of the policy or decision makes a safe space necessary? Is it a new area, requiring expertise or options to be considered? Does the organisation need time to research the matter, so that it is not yet ready for a debate? Does the issue involve difficult choices, over which internal debate is needed? Is the policy controversial, or a matter of public debate; in relation to which it is proper to reserve a period of time for officials or decision makers to consider the options in private? Conversely, is this a relatively routine or recurrent matter, for which the options are familiar? Is the organisation’s ‘direction of travel’ on this issue sufficiently clear already, so that a private debate can be very brief, or even unnecessary?

Chilling effect

22.73 The argument for a chilling effect is that disclosure would discourage frankness and candour in future discussions, to the detriment of the quality of advice and of the decision-making process. It need not, it may be suggested, be restricted to officials; there could be a chilling effect for a body of decision-makers as well, if a record of their private deliberations were to be published. The deliberative process may involve considerable discussion between advisers and decision-makers, and the quality of the contribution of either side can be improved by the contributions or questioning by the other.

58 ICO guidance, as in footnote 55, para 49.
59 Amin v ICO and Department for Energy and Climate Change [2015] UKUT 527 (AAC).
60 DBERR v ICO and FOE EA/2007/0072. See also para 22.46 above.
61 As in footnote 40 at para 22.46 above.

22.74 The Commissioner takes the view that a chilling effect ‘cannot be dismissed out of hand’62. This is too limited an approach. As the ICO advises, the Tribunal has said, in relation to a chilling effect, that officials can be expected to show robustness in advising decision makers within organisations. In principle, any professional or senior official will take a responsible approach to their role, including challenging incorrect assumptions and providing clear advice regardless of their own interests. This formulation takes too little account, however, of the need to manage situations in a practical way; which can on occasion include avoiding an overly confrontational approach, in order to achieve a more effective long term objective for the organisation; or, acknowledging the political context within which a policy is being developed. Sometimes there is simply too little time to offer rounded, as opposed to sound, advice. It is less a matter of officials not standing up to overbearing politicians, than of the realities of political and administrative life not always conforming to the textbook; with the result in some circumstances that even an accompanying explanation to a disclosure would not be able to remedy the harm or embarrassment to an official or decision-maker seeking to do their best in difficult circumstances; and thus create a chilling effect on their future approach.
22.75 As the ICO records, the Tribunal has expressed an attitude of scepticism towards claims for a chilling effect which appear to refer to unrelated future discussions63. It is certainly necessary, in claiming that there will be a chilling effect, or in assessing its likelihood, to be able to show how this particular disclosure would cause harm to the openness or frankness of future similar discussions, or the candour with which views or advice will be advanced or received. The ICO advises that there will be significant weight, in relation to continuing discussions, where the issue remains ‘live’. Other ‘closely related live discussions’ may also have weight. It is more difficult, in the ICO’s view, to support arguments for a ‘generalised chilling effect on all future discussions’64. That still leaves a narrower category of future discussions, which are on issues which are similar in type, but not ‘closely related’, to the original subject; on which the ICO’s guidance is not explicit. It is suggested that authorities may be able to make a case in these types of case too; with care and in particular circumstances.

22.76 The ICO’s further view, that there is little (if any) automatic weight in chilling effect arguments, can be accepted. As the ICO summarises in her guidance, however, it remains the case that chilling effect arguments can apply successfully, depending on the factual circumstances, the timing, whether the issue is live (or was at the time of the request), and the content of the information in issue and the degree of its sensitivity. To this list may be added, it is suggested, the type of information or the nature of the discussions, with reference to whether or how either may recur in future circumstances of a similar type.

62 ICO guidance on reg 12(4)(e), as in footnote 55, para 53.
63 Scotland Office v ICO EA/2007/0128, paragraph 71; referring to ‘internal government deliberations’.
64 ICO guidance on reg 12(4)(e), as in footnote 55, para 54.

Less record-keeping

22.77 The argument that disclosure in a given case will reduce the degree to which public authorities will keep detailed records of internal discussion (at least of that type) in future is given little, if any, weight by the Commissioner. This reflects the standard official view that FOI has not had that effect. The difficulty is that, where this has in fact occurred (as is occasionally heard anecdotally) there is no record of it, and it is not acknowledged. It may also occur for other reasons (eg shortage of time or staff). It would only be possible to demonstrate this effect, if it were sought to be argued, by comparing similar types of records over a period; which would probably require further time from now in order to show that the level of records had declined between two previous instances (and for that reason); of which the request now in issue was the third instance.

22.78 The Commissioner does, however, suggest that arguments based on record-keeping may be chilling effect arguments (ie that disclosure would result in less detailed advice, and thus less detailed records of the relevant discussion); and that they may have some weight on this basis65.

Collective responsibility

22.79 As with FOIA 2000, s 35, if collective responsibility is in issue, it is likely to carry significant weight. The argument may arise because disclosure would reveal the views of an individual Minister before the collective decision was taken. Less commonly, it might show the previously differing views of two or more Ministers on the issue, especially if they have since become bound by the obligation of collective responsibility. Notwithstanding the apparent (but wholly informal) greater flexibility in recent years for Ministers to indicate areas of difference in views (eg during the Coalition government of 2010–15; or over the issue of Brexit since the EU Referendum in 2016), the official position remains unchanged. It is one which the Commissioner and courts can be expected to continue to maintain, and can be expected to carry significant weight because of what the ICO describes as ‘the fundamental importance of the general constitutional principle’66.

22.80 This is tempered, however, by a reduced weight where the individuals concerned are no longer politically active (or, at least, no longer in government or a major political role); or, if memoirs or other accounts have been published about the discussions concerned, so as to undermine (or reduce the scope of) their confidentiality. In some cases, significant time will have passed, reducing the salience of collective responsibility (although it remains relevant for an appreciable period after a decision has been taken, even once an issue has faded from immediate importance, in order to uphold the general principle). The current gradual reduction of the period for access to official records from 30 years to 20 years gives an indication of the likely timescale. The disclosure of the Cabinet minutes over the ‘Westland affair’ (a case under FOIA 2000, s 35) followed a request made 19 years after the events concerned (although the decisions by the Commissioner and the Tribunal came some years later)67.

65 ICO guidance on reg 12(4)(e), para 58.
66 ICO guidance on reg 12(4)(e), paras 60–62.

Names of officials

22.81 The exception should not be used to seek to withhold the names or other contact details of junior officials; which should be a matter of fairness, and considered under the personal data exception in reg 13.

22.82 The identity of more senior officials should only be considered for withholding under the EIR, if there would either be harm to the process of internal deliberation and decision making, in the ways indicated above at paras 22.70–22.76 (which could include harm to working relationships, or a chilling effect, or harm to the accountability of politicians or other senior officials); or, if the neutrality of a particular official would appear likely to be harmed by the disclosure. For example, if a disclosure, in naming a senior official, would appear to place the blame for an error unfairly onto that person rather than a politician, when perhaps the accountability should be shared, there might be a justification for withholding the name of the senior official (although not their role). The Commissioner makes clear, however, that the expectation of robustness on the part of officials will generally give these arguments little weight.

Legal advice

22.83 Legal advice is likely to attract the potentially stronger exception in reg 12(5)(b). This exception may have relevance, however, in relation to any harm to internal deliberation from the disclosure of advice (or the questions leading to it). This would potentially apply whether the advice sought was internal or external. There may be a public interest in preserving the safe space in which the advice is sought, received and discussed. There may also be a chilling effect, if internal discussions leading to a request for legal advice (eg as to whether it is needed, or proposals for the questions to be put to the lawyer concerned) would be inhibited in similar circumstances in future by their disclosure in this case.

67 Cabinet Office v ICO EA/2010/0031.


22.84 Although the public interest arguments against the disclosure of legal advice will in most cases be strong, if this exception is also relevant, the aggregation of public interest arguments should increase the weight in favour of maintaining the exceptions applicable.

Commercial interests

22.85 The Commissioner recognises that there is a public interest in enabling public authorities to make effective commercial decisions. The principal exception likely to be relevant in such cases will be that in reg 12(5)(e). There may be relevance for this exception, however, in relation to the authority’s internal discussions about a commercial or procurement matter. Any arguments in support of this exception would need to be linked to the harm from disclosure to the authority’s internal deliberations, not to its commercial interests.

22.86 The ICO gives the example of a discussion about the budget available for a contract which, if disclosed, would harm the authority’s ability to achieve best value from the letting of the contract. While avoiding the latter effect would be in the public interest, it is not a relevant factor in relation to this exception in reg 12(4)(e). If, however, disclosure of the discussion about this contract would have a chilling effect on future discussion of other contracts – perhaps by inhibiting discussions about the funds available for other future projects – which in turn would affect the quality of the decisions made in relation to the budgets or bids for those contracts, a public interest factor of relevance to the exception (and with some weight) may have been identified.

Public interest in disclosure

22.87 There will always be some public interest in disclosure, for the reasons of transparency, accountability, assisting public awareness and understanding of environmental decisions, and enabling a free exchange of views or public participation in environmental decision making. The weight will vary, but will be greater if the issue concerns matters such as accountability for public spending, or conflicts of interest; or if there is any reasonable suspicion of wrongdoing.

Other relevant EIR exceptions

22.88 Other EIR exceptions which may be relevant, depending on the facts, may be: incomplete material (reg 12(4)(d)); legal professional privilege (under reg 12(5)(b)); confidentiality of proceedings (reg 12(5)(d)); industrial or commercial confidentiality (reg 12(5)(e)).


CHAPTER 23

EIR Exceptions 2: Regulation 12(5) and Personal Data

HARM TEST

23.1 The second group of Environmental Information Regulations 2004 (‘EIR’), exceptions, contained in reg 12(5), is different to the first group in that each of them applies only to the extent that harm can be shown (although in practice some harm is also required for the latter two exceptions in regs 12(4)(d) and 12(4)(e) at paras 22.35ff and 22.59ff respectively).

23.2 Regulation 12(5) provides that the authority may refuse to disclose environmental information to the extent that its disclosure would adversely affect the type of activity listed (emphasis added). Unlike most qualified exemptions under the Freedom of Information Act 2000 (‘FOIA 2000’), there is only one level of likelihood (FOI generally allowing a choice of two: ‘likely’ to cause harm; and, ‘would’ harm, with stronger public interest considerations attaching to the latter if it applies).

23.3 Instead, the EIR admit of one level only: that disclosure ‘would’ adversely affect the activity or area of law concerned. This means that the harm has to be estimated to be more probable than not (50% plus 1); or, to meet the test of the balance of probabilities. It does not mean that the matter has to be established beyond doubt1.

23.4 The authority should also, in assessing that such harm is more likely than not, be able to produce evidence which demonstrates a causal relationship between the disclosure and the prejudice. In other words, it should be able to show how disclosure of the particular information in issue would lead to the harm identified. Without such a causal connection, the exemptions will not apply2.

Example: Causal connection

A Foreign Office report is critical of a plan by a former Soviet republic to build a dam on its border with another country, concluding that the project will have harmful environmental effects in each. A copy was leaked to the press last week, and received wide coverage. Foreign Office Ministers and officials have held embarrassing discussions since with the government of the country concerned, and it is clear that relations with that country have been harmed. An EIR request for the report has now been received. The Foreign Office is reluctant to release the report, and would wish to have claimed the exception for harm to international relations (reg 12(5)(a)); but the damage appears already to have been done. Disclosure of the report, in response to the request, would thus not cause the impact which the exception seeks to protect. Unless further harm can be identified from disclosure (eg by releasing other parts of the report which have not been reported and which raise different or more serious issues) the exception will not apply.

1 See discussion at para 9.9 above, and also paras 24.92a and 25.45 of the ‘more probable than not’, and ‘likely’, tests. R (on the application of Alan Lord) v Secretary of State for the Home Department [2003] EWHC 2073 (Admin), para 100. See also John Connor Press Associates Ltd v ICO EA/2005/0005, para 15, in which the Information Tribunal first adopted the Lord test in the context of FOI/EIR.
2 Christopher Martin Hogan and Oxford City Council v ICO EA/2005/0026 and 0030.

Harm to international relations, defence, national security or public safety – Regulation 12(5)(a)

23.5 There is an EIR exception where disclosure of environmental information would have an adverse effect on any of the following:
— International relations;
— Defence;
— National security; or
— Public safety.

23.6 These are four distinct exemptions, and they are treated separately below (at paras 23.10–23.18 (International Relations); 23.19–23.24 (Defence); 23.25–23.34 (National Security); and 23.35–23.37 (Public Safety)).

Neither confirm nor deny (NCND) and Regulation 12(5)(a)

23.7 The public authority may opt to neither confirm nor deny (NCND) on any of the above grounds of this exception, if the same ground of exemption applies to that confirmation or denial (and the public interest test supports its application)3. This is one of only two places in the EIR where the duty to confirm or deny is mentioned; and the only one in relation to the exceptions within reg 124. The adverse effect can arise from either the confirmation or the denial; both are not necessary. If the authority does hold the information, it is entitled to consider the effect of a hypothetical denial as part of determining whether the NCND exception applies.

3 EIR, reg 12(6).
4 The other reference is in EIR, reg 13(5A) and (5B).


23.8 By inference from this reference (since it is not stated expressly elsewhere), it is to be taken that there is a general duty to confirm or deny in response to EIR questions; and that (save for this one, and the exception for third party personal data in reg 13(5A)), there are no exceptions from it in the EIR.

23.9 In relation to this exception, and because of its subject matter, the Commissioner stresses in her guidance, where multiple requests on a subject may be expected over time, the potential value of neither confirming nor denying as (in effect) a standard response, in order to disguise any past (or more likely future) change of practice. If, for example, a part of the security services is asked whether it holds information on a particular type of surveillance which it does not undertake at the time of the request (but may in the future); rather than claiming that the information is not held under reg 12(4)(a), it should use NCND, in order to ensure consistency in the future. If it does not do so, and the activity later commences, so that a subsequent request could not be answered that the information was not held, any different response at that stage would be likely to reveal that the surveillance was now being undertaken. Just as the government regularly refuses to comment on matters involving the security services, so NCND may be a useful standard response in such areas. It is important to ensure that the public interest test is met on each occasion before claiming the exception.

(1) International Relations

23.10 International relations describe the United Kingdom’s relations with other states, but also its relationships with international organisations.
The DEFRA guidance on the EIR, referred to by the Commissioner, describes this exception as covering disclosures which ‘might’ compromise the UK’s future co-operation in areas of its ‘vital interests’, or concern information with the potential to undermine its relationships with other countries or with international organisations. ‘Vital interests’ in this context are to be taken to include the UK’s economic as well as its security interests5.

23.11 While it seems likely that much of the information of greatest moment in relation to international relations will fall under FOIA 2000, rather than the EIR, examples under this exception have included: information about legal proceedings between the UK and the European Commissioner and, information provided in confidence by the government of a British Overseas Territory. A case on communications between the Prime Minister’s Office and a private oil company concerning a pipeline project in Russia was decided under the FOIA 20006.

23.12 The threshold for the level of harm giving rise to this exception is not high. A disclosure which makes relations with a country more difficult, or calls for a diplomatic response to contain any damage, is sufficient to engage the exception. No actual or quantifiable harm to international relations is necessary7. In the CAAT case, the request was for a memorandum of understanding between the UK and the Kingdom of Saudi Arabia relating to the sale of defence equipment. An argument that it was necessary to show there was a risk of losing defence contracts to engage the exception was rejected, in favour of the approach outlined.

5 ICO: ‘International Relations, defence, national security or public safety (regulation 12(5)(a))’, para 11.
6 As footnote above at para 13.

23.13 Nor is it necessary, in order for the exception to be engaged, that there should be an immediate (or any) negative reaction from the other country or organisation; as often there will not be in international relations. The test is effectively whether the UK government considers that remedial steps are necessary. In claiming the exception, it is necessary to explain the grounds for believing such steps to be required.

23.14 If the UK’s comparative position in relation to other countries or organisations would be weakened, so that its bargaining position (in a diplomatic sense) in negotiations with other countries or organisations would also be weakened, the threshold will be met. In Sinclair v ICO and Department of Energy and Climate Change, the request was for the UK’s estimates of the cost to itself of reducing carbon emissions; the information having been prepared for use in international negotiations on climate change. The concern was that disclosure would weaken the country’s bargaining position in such negotiations; and commensurately strengthen the position of other countries. The Tribunal found that the exception was not limited to ‘annoying other states’; the adverse effect in that case was sufficient to engage the exception8.
23.15 In the same way, where the publication of certain passages from an assessment report by the Export Credit Guarantee Department about the Baku-Tbilisi-Ceyhan (‘BTC’) oil pipeline project engaged the exception, the potential harm to international relations was sufficient to justify their redaction9.

23.16 The majority of the information likely to fall within the exception will be held by government departments, but it may also be available in certain circumstances to non-governmental bodies. A request to the University of East Anglia for climate change data provided by the national meteorological services of other countries was considered to have the potential to affect international relations. The University was the leading research body in the UK on climate change, and had close links to the Met Office, which itself was part of the Ministry of Defence. For these reasons, their actions might be perceived to reflect the attitude of the UK government. Although the harm, as perceived by the foreign meteorological services, was not judged sufficient to engage the exception, the case illustrates the potential for other bodies to affect international relations10.

7 Campaign Against the Arms Trade (CAAT) v ICO EA/2007/0040.
8 Matthew Sinclair v ICO and Department of Energy and Climate Change EA/2011/0052.
9 Export Credit Guarantee Department v ICO and Mr N Hildyard EA/2008/0071.
10 Governing Body of the University of East Anglia FER 0282488.

376


23.17 At the same time, it is important to note that the exception will not be engaged because another body’s relations abroad may be harmed by the disclosure it is asked to make; the issue is harm to the relations of the UK.

23.18 The cultural values of other countries, and particularly their attitude to confidentiality, may be taken into account in applying the exception. Thus in the CAAT case, the greater emphasis placed on secrecy in Saudi Arabia concerning information between the two countries, including arms agreements, should be judged against what it was reasonable for that country’s government to expect. The Commissioner appears to suggest that the disclosure of information on matters which may still be sensitive from the past between the UK and another country may also be relevant to this exception11.

(2) Defence

23.19 There are very few cases in this area. A disclosure which would have an adverse effect on defence is considered by the ICO to describe one which ‘would assist an enemy or potential enemy’. The term ‘defence’ is not defined in the EIR, but the Commissioner considers it to extend, in geographical terms, to the defence of the UK, the Channel Islands, and the Isle of Man. The ICO takes the view that operations in any part of the world, which are designed to ensure the defence of the UK by opposing its enemies in those locations, will potentially be covered12.

23.20 The Commissioner further indicates that anything which has an adverse effect on the capabilities or effectiveness of the armed forces will also have an adverse effect on the country’s defence. Any harm to UK forces deployed in, for example, a peace-keeping role for the United Nations will ultimately weaken the defence of the UK. Any threat to forces with which UK forces are co-operating will also threaten our armed forces. There need be no immediate or direct impact for an adverse effect to be present. The Commissioner appears to take an extremely broad view of the meaning of defence, which remains to be tested.

23.21 The ICO further advises that, since the capability of the armed forces will be affected by the equipment and supplies available to them, it is possible that requests for information on supply chains, problems with equipment or the terms of their specification, or information concerned with the production of equipment, could fall within the exception. This proved not to be the case, however, in Department for Business, Innovation and Skills13 (an FOI case) where information was requested concerning a Ministerial Direction about the purchase of Hawk 128 training aircraft. The Commissioner was not satisfied that disclosure would cause sufficient harm to the manufacturer or the supply of equipment to the armed services; and so rejected the application of the exemption in FOIA 2000, s 26 (prejudice to defence).

11 ICO: ‘International Relations, defence, national security or public safety (regulation 12(5)(a))’, paras 21 and 22.
12 As guidance in footnote 11 at paras 23 and 24.
13 FS50089556.

23.22 The ICO nonetheless advises that the scope of the defence exception in the EIR can be drawn ‘quite widely’, to provide similar protection for environmental information as under FOIA 2000, s 2614.

23.23 On this basis, the ICO advises too that, given the threats from terrorism, and that information on infrastructure can have implications for defence, such information may also come within the exception. (It must be likely, however, that information of that kind will be more relevant to national security than to defence, particularly in the context of terrorism). The emergency services and health services hold information about emergency planning, which may also be relevant.

23.24 The ICO advises, on a ‘speculative’ basis, that the exception may also cover the following, in relation to environmental information:
— the use, storage or testing of nuclear, chemical or biological weapons;
— the decommissioning of ships;
— fuel consumption (presumably by military vehicles, ships and installations).

(3) National Security

23.25 The term ‘national security’ is not defined in the EIR. In Norman Baker v ICO and the Cabinet Office, the Tribunal drew on a deportation case in the House of Lords to provide a definition. In summary, ‘national security’ means the security of the UK and its people. This is not limited to guarding against the actions of an individual targeted at the country, its system of government or its people; nor its military defence. It includes also the protection of democracy and the legal and constitutional systems of the state. Action against a foreign state may indirectly affect the security of the UK. Reciprocal action with other countries in combatting terrorism may promote the UK’s national security15.
23.26 In Office of Communications (Ofcom) v ICO and T-Mobile (UK) Ltd16, OFCOM demonstrated that disclosing a database of mobile telephone base stations would assist criminals to steal cabling and other materials from them; and that this would in turn adversely affect public safety (see paras 21.22–21.23). The Tribunal accepted as well that the information would be of use to terrorists seeking to disrupt the national communication system. The scope for ‘relatively mundane’ infrastructure information of this sort, often held by public authorities, potentially to be of assistance to terrorists appears to be wide. It is suggested that public authorities may need to have this exception actively in mind in future, when asked for such information.

14 As guidance in footnote 11 at para 27.
15 Norman Baker MP v ICO and the Cabinet Office and National Council of Civil Liberties EA/2006/0045.
16 EA/2006/0078. This case became the decision of the European Court of Justice which gave rise to the aggregation of EIR public interest factors against disclosure: Office of Communications v ICO [2011] EU ECJ, Case C-71/10.

23.27 The ICO also draws attention to an overlap between information of this sort and international relations, because of the links between national security and co-operation with allies. (An example might be as to information about possible terrorist planning). The Commissioner advises public authorities, in the light of this, not to worry about which limb of the exception the threat may fall under; provided it falls under at least one of them, and the authority can explain why one or more of the aspects of it would be adversely affected17.

23.28 There is no need to demonstrate an immediate threat to national security to be able to claim this exception. There could, for example, be a long-term harm to sharing of intelligence against terrorism, if the UK’s relations with an ally were damaged by a disclosure. Attempts to improve relations with countries which may be helpful in fighting terrorism may be frustrated by a disclosure which sets back such efforts.

23.29 A potential threat for the future may be included in the exception, even where it is acknowledged that no step has yet been taken in a harmful direction. The West Yorkshire Fire and Rescue Service decision illustrates the point, although it was decided under the Freedom of Information Act 2000. The authority argued successfully that a request for details of its fleet of vehicles, including makes and ages, but also their registration numbers and locations, could lead to those vehicles being ‘cloned’ (ie other vehicles being made to appear to be those vehicles). The authority also ran the national centre for large-scale incidents, and was the only fire service in the country to use vehicle recognition from number plates to control access to some of its sites. In consequence, it was concerned that false vehicles could be used as weapons to gain access to those sites. Its withholding of the registration numbers and locations was upheld by the Commissioner, who found a public interest in safeguarding national security which was ‘very great indeed’, and was not matched by the public interest in disclosure18.

Mosaic argument

23.30 The Commissioner advises that the strong motivation of terrorists means that there may be reasons to withhold ‘seemingly harmless information’ which could, when placed alongside other information which is in the public domain (or could be obtained), assist terrorists. An example was a request for the cost in previous years of the Royal Protection Unit which, if compared with other information in the public domain, could yield intelligence to terrorists on relative vulnerability of the different members of the Royal Family.

17 ICO: ‘International Relations, defence, national security or public safety (regulation 12(5)(a))’, at para 37.
18 West Yorkshire Fire and Rescue Service FS 50308040.


23.31 The ‘mosaic argument’ applies to other exceptions as well as those directly concerned with national security or similar issues. In those cases, however, it relates to combining the information requested with other information which is in the public domain. In relation to national security, it relates to combining the disputed information with information whose disclosure would be useful, which terrorists may already hold, or which they could obtain. The Commissioner says that she will bear this distinction in mind when assessing claims by a public authority of this type; and that she recognises the difficulty of knowing to what additional information terrorists may have access, or what may be chosen as a target19.

Security bodies

23.32 There is no equivalent of FOIA 2000, s 23 in the EIR, which allows an exemption for information supplied by, or relating to, listed security bodies. The Commissioner takes the view that much of the information to which the s 23 exemption would apply, would, under the EIR, fall within this exception; although the public authority would need to explain the harm expected from its disclosure, in order to claim the exception.

23.33 Where acknowledging that the information requested is held would, in effect, reveal the role of a security body (eg because information of that type is highly likely to have been gathered by that particular security body), EIR, reg 12(6) allows the authority to NCND that the information is held (subject to the public interest test).

Ministerial certificates

23.34 A Ministerial certificate, issued under EIR, reg 15(1)(a) by a Minister of the Crown (or a person designated by them), stating that disclosure of the information would adversely affect national security, and that the public interest favours its withholding, will be conclusive evidence. (They can be issued only for this aspect of the exception).

(4) Public safety

23.35 Like the other terms in this exception, ‘public safety’ is not defined in the EIR. The ICO suggests that the exception allows the withholding of information whose disclosure would ‘result in hurt or injury to a member of the public’, which can relate to a group or one individual. The hurt or injury can relate to physical or mental health. It does not encompass, however, worry or stress; so that a more serious impact, constituting an ‘endangerment to their mental health’, would be required20. No expert evidence is required, but the public authority will need to be able to explain its grounds.

23.36 As noted above at para 23.26, the avoidance of assistance to criminals seeking to steal cabling from mobile telephone stations, by not disclosing the grid references of the locations, and thus rendering the stations dangerous and a risk to public safety, was one of the grounds relied upon successfully by Ofcom21.

23.37 Other examples, noted by the Commissioner, include:
— A second audit safety report of three (by traffic engineers) on a pedestrian crossing installed near a roundabout. The council refused to disclose the second report until the third had been completed, arguing that disclosure would compromise the third report; and thus pedestrian safety. The ICO found that, if disclosing the second report would have compromised the third report, the exception would have been engaged. The finding, however, was that it was not clear how any public debate generated by the disclosure would affect the judgements of the professional staff, and thus that the exception in EIR, reg 12(5)(a) was not engaged22.
— A report on the risks posed by a dangerous chemical, Acrylonitrile (ACN), to be used in a manufacturing plant; where the Health and Safety Executive were upheld in withholding parts of the information, on the basis of evidence that disclosure of the effects of a catastrophic failure at the plant would assist terrorists (and thus undermine national security); and endanger public safety in the area23.
— The Basildon case concerning Travellers’ sites, referred to above (at para 22.53, in the context of incomplete data), where disclosure of parts of the information requested would have endangered those carrying out the operation, and public safety, by exposing any weaknesses in a plan which was yet to be executed at the time of the request; the public interest favouring maintaining this exception to avoid this harm24.

Public interest in questions of (1) international relations and (3) national security – Regulation 12(5)(a)

23.38 There is a particular public interest in maintaining confidences in international relations. As the Tribunal put it in the CAAT case: ‘there is an inherent disservice to the public interest in flouting international confidence’, which was a ‘matter of significant weight in the context of international comity and relationships’25. As the Commissioner states in her guidance, disclosing such information ‘would give the impression that the UK government could no longer be trusted with confidential information’, which could affect the country’s relations with the international community26. There is also a strong public interest in safeguarding national security, which will require equally weighty arguments in favour of disclosure before information is disclosed. It might be expected that national security considerations would also be relevant in some cases to the Defence element of the exception. Although there will in particular instances be a significant public interest in maintaining public safety, no special public interest considerations attach to that element in the same way.

19 ICO guidance on reg 12(5)(a) (see footnote 11 above), para 43.
20 People for the Ethical Treatment of Animals Europe (PETA) v ICO and University of Oxford EA/2009/0076.
21 Office of Communications v ICO EA/2006/0078, [2010] UKSC 3, [2011] EU ECJ, Case C-71/10.
22 City of Plymouth FER0069925.
23 Health and Safety Executive FER 0172420.
24 FER 0321779.

Course of Justice – Regulation 12(5)(b)

23.39 Regulation 12(5)(b) of the EIR provides an exception where disclosure would adversely affect the course of justice, the ability of a person to receive a fair trial, or the ability of a public authority to conduct an inquiry of a criminal or disciplinary nature. The breadth of the first element (the course of justice) leads the ICO to advise that the remaining elements are sub-sets of the first.

23.40 The exception broadly covers:
(1) Material covered by legal professional privilege;
(2) Information whose disclosure would harm investigations or proceedings. These may be of a criminal or disciplinary nature;
(3) Court or tribunal records.

23.41 There is no exception from the duty to confirm or deny that information is held. This might have the effect of obliging the public authority to reveal that it holds information about an investigation, where that disclosure could be harmful to the course of that matter; particularly in relation to criminal matters.

(1) Legal professional privilege (LPP)

23.42 This will be the most common form of application of the exception. LPP applies to protect advice given by a lawyer to a client, and confidential communications between them about the advice (beforehand in the form of questions, and afterwards to clarify or discuss it). In complex matters, the latter might include a note of a ‘conference’ with counsel to follow-up aspects of the advice. It also protects information drawn up for use in proceedings.

23.43 The Tribunal first applied LPP under the EIR in Kirkcaldie v ICO and Thanet District Council, concerning legal advice on a planning agreement27.

25 CAAT (as in footnote 7), paragraph 95.
26 See reg 12(5)(a) guidance, paragraphs 67–69.
27 EA/2006/0001.

23.44 In order for the exception to apply to protect information subject to LPP, the authority has to show that its disclosure would have an adverse effect on the course of justice. This can work in one of two ways.
— If disclosure would undermine a court case, by disclosing strengths and weaknesses of one side’s case to the other side, then there will be harm to the fundamental principle of a ‘level playing field’ between contending parties in adversarial proceedings. Privileged information (ie in this context, information protected as to its confidentiality) would have been disclosed while a case was ‘live’. In Cheshire East Council, the requester sought information from the council about a planning enforcement file, where the council was taking action against residents. The information was subject to LPP, and disclosure would have adversely affected the course of justice for these reasons28.
— More generally, the Upper Tribunal (ie setting a precedent) considered the role of LPP under the EIR in Department for Communities and Local Government (DCLG) v ICO and WR, and established that there can be an adverse effect from undermining the general principles of LPP, by weakening confidence in its efficacy and in the administration of justice by making the disclosure29. While this was not automatic, there would need to be special or unusual factors involved for this not to apply. There is no need, therefore, to demonstrate harm in the individual case; the principle is a general one.

23.45 DCLG is a helpful case, outlining a general principle which is straightforward to apply in most instances. It did refer to some variations, saying that it would be possible to conclude that the course of justice would not be adversely affected if disclosure took place in certain circumstances, such as where the legal advice was very ‘stale’ (old); so that public confidence in LPP generally would not be undermined. It also said that whether the exception was engaged had to be considered case by case. In most instances, however, the DCLG case should provide a firm starting point for refusing to disclose information subject to legal professional privilege.

‘Without prejudice’ correspondence

23.46 Correspondence marked ‘without prejudice’ may have a part in negotiations about a proposed settlement of litigation. The correspondence, or any offers to settle or admissions made in it, should not be raised in the litigation. The protection continues after a settlement has been agreed. Information in such correspondence may, therefore, be subject to the exception in EIR, reg 12(5)(b) because its disclosure would harm the course of justice. The authority would need to be able to demonstrate that the negotiations were genuine, and that disclosure would either undermine confidence in the general principle of ‘without prejudice’ negotiations, or would harm the specific negotiations involved (see also paras 23.56–23.57).

28 FER 0414615.
29 Department for Communities and Local Government (DCLG) v ICO and WR [2012] UKUT 103 (AAC). See also fuller discussion of LPP and the public interest at para 26.195 and paras 26.205–26.210.

(2) Law enforcement investigations or proceedings

23.47 The exception appears to be wide enough to include any harmful effect on law enforcement, or on a wide range of investigations and proceedings. Law enforcement obviously covers the work of the agencies with responsibility for fighting crime, including the police or the national crime agencies, where these involve environmental information.

23.48 The exception will also cover information relating to other types of civil or criminal investigations, involving environmental information, such as:
— planning and environmental enforcement;
— charities investigations;
— disciplinary investigations (eg by employers or professional bodies);
— taxation enforcement;
— immigration enforcement;
— health and safety investigations;
— local authority licensing prosecutions;
— parking enforcement.

23.49 In Warwickshire Police, the request was for information concerning an investigation into allegations that a decision to grant planning permission for land near the complainant’s property had been made improperly. In relation to whether disclosure would harm a criminal investigation, the Commissioner found that it would hinder the ability of the police to identify witnesses willing to testify in future investigations, if they knew that their contributions would be disclosed. This in turn would adversely affect the ability of the police to conduct criminal investigations. Disclosure would also have revealed information about how the police conducted investigations, which would assist suspects to evade detection. The investigation had been relatively recent and, although it had been closed, the investigative techniques continued to be used in other cases. The statements of the witnesses were also recent. For all of these reasons, disclosure would harm future investigations, and the exception was engaged30.

Ability of a person to receive a fair trial

23.50 This is listed separately within the exception, yet like the ability to conduct investigations forms part of the overall course of justice.

30 Warwickshire Police FER 0080372.

23.51 In Watts v ICO, criminal proceedings against the owner of premises alleged to have caused serious food poisoning had not commenced at the time of the request. The question was whether the exception applied, on the basis that disclosure of the reports would jeopardise the defendant’s chances of a fair trial. On the facts, the Tribunal found that this would not be the case. It commented generally, however, that public authorities should have this factor in mind when they received a request of this kind. They should adopt a cautious approach to disclosure, in order not to prejudice a fair trial. If disclosure would not adversely affect the prospects of such a trial, however, then the mere connection between the subject matter of the information and a (forthcoming) prosecution should not be considered sufficient to justify non-disclosure31.

(3) Records of courts, tribunals and inquiries

23.52 The exception is wide enough to include an adverse effect arising from the disclosure under the EIR of court records, or information held by a tribunal or other body for the purpose of an inquiry or arbitration. The Commissioner points to the procedure rules for the civil and criminal courts, the Civil Procedure Rules (‘CPR’) and Criminal Procedure Rules respectively, which (with relevant case law) provide access regimes for the two types of court. She advises that circumventing those rules by allowing access to court records under the EIR could adversely affect the course of justice, because the parties in a case will have expected that disclosure would only occur within the confines of the relevant regime. The harm would thus be to the expectation as to the rules for such disclosure, and to public confidence in those regimes32.

23.53 Each case would need to be considered separately, and the harm would not be an automatic conclusion; but there would evidently, in the Commissioner’s view, be a high likelihood that the exception would apply in this way. (See also paras 23.60–23.62).

23.54 A word of caution may, however, be appropriate. In recent decisions, the courts appear to be moving in a direction which is starting to loosen the rules in the CPR on disclosing court bundles and records, under pressure to open court proceedings to greater scrutiny; especially after they have been concluded. It may be advisable in a case of this kind to consult the latest White Book, or to seek legal advice.

Public interest test

23.55 The public interest in maintaining the exception in EIR, reg 12(5)(b) will always be weighty, because of the basic importance of the principle of upholding the administration of justice (or, it may be added, the conduct of investigations of wrongdoing, or the protection by enforcement bodies of other individuals’ rights). The public interest factors will not always weigh in favour of non-disclosure, however, and their relative weight will vary as between the different elements of the exception. There is also a strong public interest in disclosure, in terms of transparency as to how justice is administered in any given case.

31 Mark Watts v ICO EA/2007/0022.
32 ICO: ‘The course of justice and inquiries exception (regulation 12(5)(b))’, paras 25–27.

(i) LPP and without prejudice correspondence

23.56 There is a strong public interest in safeguarding open communications between lawyer and client, so that the former can receive frank and thorough legal advice. The DCLG case emphasised33:
— The risk that disclosure of information subject to LPP would weaken confidence in the general privilege of legal professional privilege, which had ‘very considerable weight’ in public interest terms. ‘Special or unusual factors’ would need to be present in order for it not to be given this weight in a particular case.
— Disclosure would be unfair where (as in that case) there was a possibility of legal proceedings. The importance of maintaining a level playing field was emphasised, and disclosing the legal advice given to the public authority to the requester would not be fair unless the authority also had ‘the corresponding benefit’ (ie of seeing the requester’s advice).

23.57 There is a strong inbuilt public interest in favour of maintaining the exception for information marked ‘without prejudice’, in order to encourage the settling of disputes. Where the information is also protected by LPP, the weight will be even greater. The public interest in favour of maintaining the exception will be affected by timing, being of greatest weight where any negotiations being conducted ‘without prejudice’ are either current or recent, or where either the settlement or the court case are yet to be concluded.

(ii) Civil and criminal investigations and proceedings

23.58 The public interest in favour of maintaining the exception will be in not causing harm to investigations, proceedings or inquiries falling within it. Timing may be relevant, with a greater need to protect information gathered during an investigation while it is still continuing. Once an investigation has been concluded, recent information such as witness statements may continue to need protection. The stage reached in an investigation, whether the information in issue is already in the public domain, its significance or degree of sensitivity, or its age, may be relevant factors to be considered.

23.59 If there is any question as to whether the investigation has been properly carried out, any evidence which is available and from an independent source may be relevant to the public interest (in favour of disclosure).

33 See footnote 29.

(iii) Court and tribunal records

23.60 The Commissioner considers that there are strong public interest arguments for maintaining the exception for these types of information, such as upholding public confidence in the courts’ rules and preventing access via the EIR which would undermine the judiciary.

23.61 Each case should be considered separately, as to the content of the information and the timing of the request. Other factors would include whether it is held elsewhere for another purpose, especially if it has a separate status (eg as a professional report, or the outcome of an investigation) which would reduce the weight against disclosure; and how accessible the information may be in that form.

23.62 During litigation itself, there will usually be an overriding public interest in maintaining the exception; which may continue if there remains a prospect of further litigation afterwards.

Intellectual Property Rights – Regulation 12(5)(c)

23.63 An intellectual property right (‘IP right’) is a right to exclusive exploitation, granted to the creator or owner of a work that has resulted from human creativity. The ICO refers to an intellectual property right as an ‘intangible asset’. The EIR include an exception from the right to know (but not from the duty to confirm or deny) to the extent that:
— the information concerned is protected by an intellectual property right;
— the right holder would suffer harm, which needs to go beyond the right merely having been infringed;
— the harm would result from the infringement of the right (interpreted as a loss of control over how the information is used); and
— the harm or loss could not be prevented merely by enforcing the intellectual property right (ie the right to damages, or an injunction to prevent further infringements, will not sufficiently remedy the harm).

23.64 Copyright, patents, trademarks and other protected designs are all examples of intellectual property rights. They exist to protect the benefits earned by the creative or intellectual process used to produce the work. An intellectual work will include any created work arising from intellectual effort; but it is not limited to original work. The creation of a database can be an intellectual work, although none of the information stored in it may have been created by the originator of the database. It may include information which has been gathered and organised for use to meet a need or function. The granting of an IP right in it is in recognition of the intellectual effort required to devise the categories of information, and the criteria for the selection of the content, which constitute the character and intellectual foundation of the database.

23.65 The Commissioner’s guidance focusses on three types of IP right: copyright; database rights; and copyright in databases. ‘Copyright’ can apply to the creation of a wide range of recorded information, including original literary, musical or artistic works. Literary works can include computer programs and databases. ‘Database rights’ apply to the work of gathering the material, verifying it, presenting it within a database, and maintaining the database. ‘Copyright in databases’ protects the process of designing the database in a creative sense, selecting the material, and deciding on its organisation. There was no such copyright for a database which held mainly information (property search information) which the public authority was obliged by law to provide34.

23.66 The area of law is complex, and public authorities may wish to consider seeking specialist advice in this area. IP rights generally apply to the creator, unless that person is an employee and the work was created in the course of their employment; in which case it will be owned by the employer. Public authorities may, therefore, own the IP rights to information created by their staff (eg publicity material, films or videos, other written materials for public use). They will also hold copyright information supplied from outside the authority which is not their own. Information received from third parties (eg drawings or submissions in support of an application for a licence or a permission) will generally be owned by that person. Where the material has been supplied to the public authority by a third party under contract (ie the authority paid for it), ownership of the copyright should have been determined in the contract.

23.67 In general, the owner of an IP right has exclusive control over how the material is used (subject to any statutory requirements as to its use). The Copyright, Designs and Patents Act 1988 covers copyright and copyright in databases. The Copyright and Rights in Databases Regulations 199735 set out database rights. The EIR, of course, take precedence over domestic statute, in terms of any prohibition on disclosure in the latter, by virtue of EIR, reg 5(6).

23.68 It is not the case that the mere existence of a right to exploit an intellectual work means that the information included within the work will be exempt from disclosure. The EIR exception arises only where there would be harm to the intellectual property right from the disclosure requested. As well as the test of harm, it is important to note that it is the intellectual property right that is protected, rather than the information to which the property right applies.

23.69 Merely infringing an intellectual property right (eg by publishing part of a copyright work without permission) is not enough to engage the exception: loss to those rights is required. The harm has to arise as a result of the infringement of the right, rather than for another reason.

23.70 The four conditions for the exception to apply were set out at para 23.63 above. In relation to the first, establishing that there is an IP right (of one of the kinds outlined above at para 23.65), the Commissioner’s guidance sets out the main considerations36.

23.71 In relation to the second (right holder to suffer harm), a technical infringement will be insufficient (ie an infringement which might attract only nominal damages, or where a court might exercise its discretion not to award an injunction)37. The harm has to be suffered by the right holder (whether the creator or another person), or it will not support the exception being engaged.

23.72 In respect of the third (harm resulting from infringement of IP right), the harm has to result from the loss of the owner’s control over how the information is used. Where the harm is claimed to be to the third party, it is necessary for the authority to provide arguments which come from the third party (as with commercial prejudice in FOIA 2000, s 43, and commercial confidentiality in EIR, reg 12(5)(e)); see paras 23.113–23.120, and 26.221–26.224.

23.73 In relation to the fourth (harm not preventable by exercising IP rights), a further use of the information might, for example, be capable of being prevented by enforcing the IP right in the normal way, such as by an injunction; in which case the exception would not apply (if a risk of such further use were the harm identified from disclosing the information under the EIR). On the other hand, if the right holder would effectively lose control over further uses (or some of them), the condition in that case would be met. The ICO summarises the position as that someone would wish to exploit the material; they could successfully do so; and the infringements would either be undetected, or could not be prevented.

Public interest test

23.74 The public interest in maintaining the exception will be determined by how severe or otherwise the loss will be to the holder of the right in losing control over the information. There may be a commercial loss which can be measured; or a loss to the authority of a revenue stream. There may be a disincentive to continuing to produce information of that type in other contexts. If the information was developed for research purposes, there may be loss of the opportunity to earn credit for the research.

23.75 If a third party right-holder would be harmed, the public authority may take account of any harm expected to be caused by the reaction of the third party to having their rights threatened by the disclosure. They may, for example, no longer be prepared to co-operate with the authority; or to provide information to it. There will be a public interest in avoiding this harm to trust or to the working relationship; although its weight will vary with the circumstances.

34 Leeds City Council FER 0354510, para 95.
35 SI 1997/3032.

36 See ICO ‘Intellectual Property Rights (regulation 12(5)(c))’, paras 21–35.
37 Office of Communications v ICO and T-Mobile Ltd EA/2002/0078; Office of Communications v ICO [2009] EWCA Civ 90.


23.76 The public interest in disclosure will be general, in terms of accountability, transparency, enabling participation in public debate etc; although its weight will vary. There may also be specific reasons to support the disclosure; especially if there are any issues over accountability for public spending; a large number of people are affected; or there is any reasonable suspicion of wrong-doing. There may also be benefits to society from the wider use or dissemination of the information, and these should be taken into account38.

Other relevant EIR exceptions

23.77 These may include: internal communications (EIR, reg 12(4)(e)); commercial confidentiality (EIR, reg 12(5)(e)); or the interests of the provider of information (EIR, reg 12(5)(f)).

Confidentiality of proceedings – Regulation 12(5)(d)

23.78 Environmental information may be exempt to the extent that its disclosure would adversely affect the confidentiality of proceedings of that, or any other, public authority where such confidentiality is provided by law. The protection given by the exception is thus to the confidentiality of any such proceedings: ie how much would disclosing this information to the public harm a confidential process (of the public authority or another) to which the information is subject, under which it is considered, or to which it relates?

Proceedings

23.79 The term ‘proceedings’ covers the following:
(a) formal meetings to consider matters which are within the jurisdiction of the public authority;
(b) the exercise by the authority of its statutory or other decision-making powers; or
(c) legal proceedings in which the authority is involved, or which are in contemplation; or its consideration of such legal proceedings.

23.80 An essential characteristic of ‘proceedings’ is that there is some element of formality to them. There has to be some process of consideration, and a decision or outcome, which is likely to be formally recorded. The term does not cover every act, or routine decision, or day to day meeting of the authority.

23.81 An example of (a) would be where a local authority meets in closed session to consider whether a serious planning matter should be made subject to enforcement. Formal, but private, meetings to discuss whether to approve a business case have been included39. A dinner held by DEFRA for supermarket representatives was not included40. An investigation by an ombudsman or other regulatory authority, the conduct of an audit, or the process of reviewing a licence, would be included. An example of (b) might be where the authority met to decide whether to institute enforcement, on a planning or other regulatory matter where it had such powers. An example of (c) might arise where the authority was preparing for ensuing legal proceedings41.

23.82 In each case, although it may be the information under discussion which is largely the subject of a possible exception, the exception arises from (and should be considered in the context of) whether there would be harm to the authority’s confidential consideration of the matters concerned. It is the proceedings which have to be confidential, not the information; and so it is the impact on the confidentiality of the proceedings which is in issue.

Confidentiality of proceedings

23.83 The confidentiality involved must arise from either statute or common law. The exception does not allow the authority to determine for itself whether the consideration is confidential; nor to deem it to be such when a request is received. For disclosure to affect the confidentiality of the proceedings adversely, the information in question must form part of the business of the proceedings.

23.84 A statutory right to consider matters in private should be clear to identify. A local authority may, for example, meet privately in certain circumstances to consider ‘exempt’ information, under the terms of the Local Government Act 1972, Sch 12A, Pt 142. In an important precedent involving a local authority’s consideration of information about a land valuation, it was established in the Upper Tribunal that the exception is engaged where the 1972 regime applies43.

23.85 The Local Government and Social Care Ombudsman (formerly the Commission for Local Administration in England) is prohibited from disclosing any information obtained in the course of, or for the purposes of, his or her investigations44. In the context of this exception, therefore, the confidentiality of the Ombudsman’s proceedings (ie the investigation) was provided by law. Disclosure would adversely affect the confidentiality of those proceedings, and so the exception was engaged45. (See below at para 23.91 as to the relevance of this to the public interest test.)

38 Office of Communications v ICO [2009] EWCA Civ 90, para 56 (the Ofcom case in the Court of Appeal).

39 Northumberland Care Trust FER0408840.
40 Department for Environment, Food and Rural Affairs FER0098306/7.
41 See Benjamin Archer v ICO and Salisbury District Council EA/2006/0037.
42 There is also provision for a very narrow range of ‘confidential’ information, which in that context is restricted to information supplied on a confidential basis to the local authority by central government.
43 Chichester District Council v ICO and Friel EA/2011/0180, [2012] UKUT 491 (AAC).
44 Local Government Act 1974, s 32(2); subject to certain limited exemptions in that subsection.
45 Commission for Local Administration in England FER0374428; Group Captain Dalley v ICO EA/2011/0180.


23.86 Common law confidentiality arises where information has the ‘quality of confidence’ (ie is not trivial, and so is of importance to the confider; and is not already in the public domain) and where there is an expectation that it will not be disclosed. An example would be negotiations between parties over a contract or agreement, or in consulting on a policy. Information which is confidential at common law may be disclosed, however, where there is an overriding legitimate interest in doing so, or a public interest defence.

Adverse effect

23.87 The adverse effect has to be to the confidentiality of the proceedings, and to be more probable than not. The information whose disclosure would cause that harm does not have to have been prepared solely for those proceedings, however, provided it was (or would be) considered in, or form part of, those proceedings; and provided its disclosure would cause the harm.

23.88 An example may be if public authority A is assisting authority B with a confidential proceeding, such as a disciplinary investigation in which authority A has particular expertise, and is playing an independent role. The harm from disclosure of the case papers, in response to a request to authority A, would be to the confidentiality of the process being run by authority B. Authority A may claim the exception on that basis.

23.89 The harm may be to the proceedings of any other public authority. The public authority may be Scottish in this instance (where generally Scottish authorities fall outside the EIR 2004, having their own regulations). This is likely to be of assistance to local authorities and other public bodies in England which operate geographically close to the border.

Public interest test

23.90 The public interest arguments must be concerned only with the need to protect the confidentiality of the proceedings. There is a general and inherent public interest in protecting confidential information and avoiding undermining a relationship of trust between two parties.

23.91 Under EIR, reg 5(6), any domestic enactment or rule of law which would prevent the disclosure of information does not apply. Thus information which may be confidential in other circumstances, so that it would be exempt from disclosure under other legislation, will not be excluded for that reason from potential disclosure under EIR. A key consideration, however, is that the existence of the statutory or other prohibition, although overborne by the EIR, may point to a public interest in maintaining the exception. The fact that it exists, under a specific domestic provision or rule of law, should provide very significant weight in favour of maintaining the exception in certain cases (eg the Dalley case at para 23.85)46.

46 Group Captain Dalley v ICO EA/2011/0180, paras 10–12.


23.92 There will always be a public interest in disclosure, and the general reasons of transparency, accountability etc applying in all cases may be supplemented by specific reasons arising from the circumstances. These may include a need to ensure that investigations or other private proceedings are carried out rigorously. Any suggestion of wrongdoing or maladministration in private proceedings would likewise contribute considerable weight.

23.93 An important factor in assessing the balance may be how far disclosure of the information in issue would add to public understanding of the matter concerned; perhaps in the context of other similar or related information already in the public domain. In the Dalley case47, the Tribunal concluded that release of the precise information involved (about drainage problems) would not increase public knowledge of those issues. A further question to be considered, given the competing pressures, is whether all of the information sought is subject to the same strength of the public interest considerations in favour of disclosure.

23.94 As with all EIR exceptions, any information which is not excepted should be disclosed, unless (under reg 12(11)) it is ‘not reasonably capable of being separated from the other information’ (ie from the exempt information).

23.95 Whether the provision in EIR, reg 5(6) survives Brexit; or (if it does) what its relative weight might be considered to be as against a primary statutory provision, remains to be seen.

23.96 This exception does not allow the authority to neither confirm nor deny that the information is held.

Emissions

23.97 The final four EIR exceptions in EIR, reg 12(5) do not apply to environmental information which relates to ‘information on emissions’48. (See paras 19.9–19.13).

Confidentiality of commercial or industrial information – Regulation 12(5)(e)

23.98 The exception applies where disclosure would adversely affect the confidentiality of commercial or industrial information, where such confidentiality is provided by law to protect a legitimate economic interest. It thus has several distinct elements which must be satisfied before it is engaged. Its scope has not proved, however, to be as limited as the list of conditions for its application might imply. Where it applies, it has proved in many cases to be a robust exception.

23.99 Like most other EIR exceptions, there is no exception from the duty to confirm or deny.

47 Dalley, as footnote 46.
48 EIR, reg 12(9).


Commercial or industrial information

23.100 ‘Commercial or industrial information’ means information which is respectively concerned with the sale of, or trade in, goods or services (commerce); or the extraction of raw materials or production of goods in factories (industry). The latter could include information about industrial processes or materials. The activity may be that of the authority, or a third party (or both). There is no need for a third party to be affected, however, if disclosure would harm the confidentiality of commercial or industrial information held by the authority alone, in its legitimate economic interest.

23.101 Financial information is not necessarily commercial information. Information about the revenue stream of a public authority, or its financial assets or reserves, will not generally be commercial information, unless it arises from a charge it levies for goods or services.

Confidentiality

23.102 ‘Confidentiality’ (ie where A treats information imparted to her by B as not to be disclosed, and she will be liable to be sued by B if she does disclose it) may arise from circumstances recognised by the common law, or from statute. It may arise from a contract or agreement (or negotiations); either if two or more parties have so agreed, or by implication from the circumstances. It may arise internally if an employee is under an obligation to keep information confidential (eg about a production process), arising from statute, common law or their contract of employment.

23.103 As noted in the context of other exceptions, the common law of confidence applies to information which has the ‘quality of confidence’ (ie it is not trivial, and not in the public domain). The information may have been shared with a limited number of others who have a need to know it, without losing its confidential status; provided it has not been shared widely or put into the public domain (or, even if the latter in disparate places, it could not be reassembled without time and effort). If, in receiving the information, the authority made clear that it might have to be disclosed under EIR, the confidentiality will not have been undermined.

23.104 Unlike FOIA 2000, s 41, the confidentiality does not apply only to information imparted by a third party to the public authority; it may go in either or both directions49. Also unlike s 41, it is not limited to information over whose disclosure the third party could successfully sue the authority; nor does a detriment to the confider have to be demonstrated before the information is confidential. Since the confidentiality can arise from a contract or agreement, moreover, the parties may agree what is to be covered by it (although noting that the public interest in non-disclosure may be weaker in such cases). The information covered could also include information exchanged between the parties, but not incorporated into an agreement. The information still needs to be inherently sensitive, however, or the exception may be found not to apply on the facts.

23.105 Although EIR, reg 5(6) applies to prevent other statutory or legal rules from preventing disclosure, where the information would otherwise be disclosed under the EIR, if there is a domestic statutory bar on disclosure, it will mean that the confidentiality is provided by law.

Legitimate economic interest

23.106 A ‘legitimate economic interest’ is an economic interest which is not unlawful. It may relate to: preserving or advancing a commercial body’s market position; preventing competitors from acquiring valuable information; avoiding harm to the organisation affected (including reputational harm); protecting a position in negotiations; or avoiding losses to income. (These are, therefore, also pointers to the types of harm which use of the exception may seek to avoid.) Economic interests can be wider than commercial interests, and may include financial interests. One type of harm may, therefore, be to the financial interests of the public authority; even though the information concerned may generally not be financial information.

23.107 The economic interest has to be that of the person whom (or which) the confidentiality is designed to protect50. A public authority should not try to argue, in consequence, for the need to safeguard an economic interest which is not its own, without evidence from the third party involved, or prior knowledge of its views (see para 23.133ff). Conversely, if there is no economic interest which the confidentiality is designed to protect (or if there would be no effect on that interest from the loss of the confidentiality), the exception will not be engaged. Generally, the economic interest will be that of the confider of the information or a commercial partner. If the confidentiality was agreed jointly between the parties, however, they may both have economic interests at stake.

Comparison with FOI exemptions

23.108 The exception thus has similarities with, but also significant differences from, the FOI exemptions for confidential information (FOIA 2000, s 41) and commercial prejudice (FOIA 2000, s 43). It is restricted to confidential information (unlike s 43), but may apply to quite a wide range of information agreed by the parties to be confidential (and doubtless constituting the information they regard as more important to withhold). As noted, it is not restricted to information from the third party. There has to be an economic interest, similar to commercial prejudice in s 43, which would be harmed by the loss of confidentiality arising from disclosure. This can be the economic interest of the authority itself, or it can be that of a commercial or other partner. A trade secret (ie information, often technical, which has taken skill to produce; and which confers a competitive advantage) is covered; it may also include a financial model or a pricing structure.

23.109 Given the breadth of environmental information, it may apply (or apply in part) to a significant proportion of the contracts or other agreements between the public and private sectors in fields such as regeneration, land and property management, waste, or energy. An important difference, however, by comparison with s 43, is that the harm to confidentiality identified as arising from a disclosure cannot be merely ‘likely’, and has to be more probable than not to occur.

23.110 To fall within the exception, information has to meet the tests outlined above, and as laid down in Bristol v ICO51:
— Information is commercial or industrial in nature;
— Confidentiality is provided by law;
— Confidentiality is protecting a legitimate economic interest;
— Confidentiality would be adversely affected by disclosure.

23.111 If the first three are met, the ICO will consider the last to be met automatically, as a function of the remainder52.

Adverse impact

23.112 A public authority needs to consider the nature of any harm, its timing, and whether the information is still current in commercial terms. In Elmbridge BC v ICO (see footnote 50), neither the council nor the developer accepted that they needed to demonstrate that the harm claimed by the council would result. The Tribunal in that case said that the use of words such as that the harm ‘might or could be caused are insufficient… The use of words such as “could” or “may” do not in our view provide evidence of harm or prejudice to the required standard of proof (para 24).’ (NB The use of ‘would’ is acceptable, in the context of a probability above 50%.)

49 South Gloucestershire Council v ICO EA/2009/0032.
50 Elmbridge District Council v ICO and Gladedale Property Group Ltd EA/2010/0106.
Evidence from a third party

23.113 Although the protection is of confidentiality, it is likely that the harm that will arise from its breach will be economic. The Tribunal made clear, in the context of FOIA 2000, s 43, that it will not entertain evidence of harm from any person or body other than that which is likely to suffer it53. This approach has consistently been taken to apply to this exception as well. It is essential, therefore, in assessing whether the exception applies, where harm to a third party is anticipated, that the public authority consults that person promptly about the following: whether it anticipates any harm to its economic interests from disclosure; how likely that harm is to occur; what the harm is expected to be; and its likely degree of seriousness. The language in which the Commissioner or Tribunal would expect the harm to be described, consistent with meeting the requisite standard of likelihood, was referred to above (in para 23.112).

23.114 The authority must make its own judgment as to the degree of harm and its likelihood. It should adopt a sceptical stance as to any claims made. The first requirement, however, is that the consultation takes place, which requires the authority to act with deliberation, making clear what it needs to know from the third party; and in sufficient time for the third party to respond in a considered way.

23.115 The practical difficulty is that too often the third party is wholly unused to a culture of transparency, and may be suspicious, and possibly hostile. Both large and small companies exist in a different culture to the public sector, in which commercial secrecy is assumed at all times. Unless a company has many contracts with the public sector, it may have little or no experience of FOI/EIR, as to its assumptions and timescales. Its response is often simply to demand that all information relating to it is withheld; while providing no arguments to support the need for this, and assuming that the authority must have some discretion in the matter. The response may well come from the most senior person responsible, as though to underline its importance, but be expressed in general and often exaggerated terms. A response of that kind adds nothing to the public authority’s consideration of the matter. The authority can only make its judgement of the level of any harm, and how likely it is to occur, on the basis of evidence provided to it; and the Commissioner (and Tribunal) will accept nothing less.

23.116 It is in the interests of both parties, therefore, before they embark on a joint commercial project, or before a contract is let following a procurement exercise, if the authority makes arrangements to explain the EIR and FOI regimes to the commercial company concerned; and if the company pays attention at a senior level. More positively still, the two should seek to understand in advance what sorts of information may realistically be considered likely to be confidential and harmful if disclosed, what the likely harm from a disclosure would be, and what could be expected to be exempt. The third party could also be shown the timescale for response to an FOI/EIR question, and the need for any response on its part to be provided on a timely basis.

23.117 If none of the above can be achieved, the partner should at least be made aware that prompt and pointed responses to EIR/FOI requests will be needed.

23.118 The conceptual difficulties faced by private sector third parties in trying to make their case for withholding information about them under this exception (or the s 43 exemption) tend to be: a failure to link the harm claimed to the specific disclosure in issue; a tendency to generalise, rather than to focus solely on the information requested, or to analyse why its disclosure would be harmful to their interests; and wide claims that the disclosure would assist their competitors, without explaining how.

23.119 When asked to support the claims of harm, however, companies often fall back on overly cautious language, possibly because of unfamiliarity. As indicated above, the Commissioner, on this exception or any other where harm has to be shown to be more probable than not, will discount evidence claiming that there ‘may’, ‘might’ or ‘could be’ harm of a certain kind; or that it is ‘likely’. If the harm is claimed to be more likely than not to occur (and no other likelihood is relevant in the context of this exception), this should be clearly stated in the evidence, and reasons given; using ‘will’, ‘can be expected to’, or ‘would’ (in that context).

23.120 The third party may need to put themselves in the position of a busy competitor and assess how useful the information would be to that rival. A pertinent question to ask Company A making this claim can sometimes be: ‘if you were Company B, the competitor, and this information were disclosed, how in fact would you use it (if at all) against Company A?’ It will only be if the third party can show a credible route by which the information in issue would assist specific competitor B that the claim may be borne out. This might be (for example) by enabling its competitor to:
— understand its production processes or service procedures more clearly, so that it could mimic and improve on them;
— divine its financial structure from the figures disclosed, so that it could structure itself more efficiently by comparison; or bid more keenly in future tenders against company A;
— gain an advantage over its rival by training its staff to a higher standard than disclosed in the information in issue.
If, as will more often be the case, the competitor would find the information interesting, but be unable (or unlikely) to use it to its own advantage, the harm will not be demonstrated, and the exception will not be engaged; at least on that ground.

23.121 As an example of the application of the exception, in a waste contract, the public authority was upheld in withholding four elements of the contract documentation:
— systems and technical information;
— information on costs and profits;
— information on the clawing-back of cost through sale of waste by-products; and
— the manual on quality assessment54.

51 Bristol CC v ICO and Portland and Brunswick Squares Association EA/2010/0012.
52 ‘Confidentiality of commercial or industrial information (regulation 12(5)(e))’, version 1.2, para 49.
53 Derry City Council v ICO EA/2006/0014. See para 26.221.
54 Brighton and Hove City Council FER0073984.


23.122 A ‘viability assessment’, comparing a local authority’s targets for affordable housing in its area with the proportion of such housing which the developer believed that it could profitably build on a development site in the council’s ownership, was found substantially to have been correctly excepted from disclosure under this exception55.

Public interest test – Regulation 12(5)(e)

23.123 The discussion above has been all about the economic harm from disclosure. Avoidance of the level of economic harm identified, whether to the public authority or a third party, will be the main initial public interest consideration in favour of maintaining the exception; underlining the critical importance of that evidence, especially if it concerns the third party. Once that has been established, however, it needs to be related to the further need to preserve the principle of confidentiality about it. Arguments about undermining a relationship of trust with the confider or partner, showing how the level of trust assists the public interest, will be relevant. If harm to the relationship would preclude working with that party again, or possibly others too in the future, that would be highly relevant to the public interest test. The greater the degree of economic harm, broadly the greater too will be the likely level of harm to trust.

23.124 If the information in issue could be obtained in another way from that party, however, the public interest in maintaining the exception will be reduced; unless securing the same information by another route would take time. In the Bristol case, the Tribunal refused to accept that disclosing a viability report would reduce their supply in future, on the basis that developers would be obliged to supply them in many cases, in order to secure planning permissions.

23.125 A voluntary adoption of confidentiality (eg by agreement) will carry less weight than an obligation arising from statute. An expectation of confidentiality applied to the authority itself will carry very little weight. Responsible public bodies can be expected to observe confidentiality; but, as is well-known, their statutory obligations may require information to be disclosed.

23.126 There is in general a strong public interest in the protection of information in a trade secret, because of the extent of investment in it.

23.127 Public interest factors in favour of disclosure will be those of promoting accountability, transparency, and public understanding as to environmental decision making; although there may be an enhanced emphasis on these factors, if the commercial or industrial matter concerned is controversial or considered harmful to the local community. There is generally a significant weight of public interest in disclosure in planning matters, to assist public participation. Where a local authority or other public body has a financial interest in the matter concerned (eg because it owns the land involved in a development), there is an expectation of ‘particular scrupulousness’ on its part, which may lend weight to disclosure56.

23.128 Public interest factors against disclosure may be aggregated, if more than one exception applies, and this is often particularly relevant in the case of this exception.

Emissions and Regulation 12(5)(e)

23.129 The exception for confidential commercial and industrial information is the second of the four exceptions which do not apply to the extent that the information in issue relates to emissions.

55 London Borough of Southwark v ICO and Glasspool EA/2013/0162. In Greenwich v ICO and Brownie EA/2014/0122, however, the Tribunal ordered disclosure of a viability assessment.

Interests of voluntary provider of information – Regulation 12(5)(f)

23.130 This exception applies where:

• disclosure would adversely affect the interests of the provider of the information in issue;
• the person providing it was not under (and could not be put under) a legal obligation to supply the information to that (or any other) authority;
• the public authority is not entitled to disclose it (and neither is any other public authority);
• the person has not consented to the disclosure of the information; and
• the public interest in maintaining the exception outweighs that in disclosure.

23.131 Where the first four bullet-points in the preceding paragraph are satisfied, the public authority will be under an obligation of confidence to the confider. The ‘person’ at risk of harm may be an individual or an organisation. References to a public authority include references to a Scottish public authority for this purpose57.

23.132 The kinds of information covered may arise from:

• whistle-blowing;
• reports of environmental, planning or waste infringements by others;
• pre-application planning discussions, or other requests for advice from the public authority;
• voluntary disclosures to authorities as employers by their employees, outside the responsibilities of their role;
• reports by environmental groups; or
• responses to public consultations.

56 Bristol City Council v ICO, as footnote 51, paras 16–17.
57 EIR, reg 12(10).

23.133 Since the information has to come from a third party, it cannot fall within wording jointly negotiated in an agreement. There is no exception allowing an authority neither to confirm nor deny.

Adverse impact

23.134 The harm to the interests of the confider needs to be more than trivial (ie ‘real, actual and of substance’58); and the authority needs to be able to demonstrate, on the balance of probabilities, why disclosure would cause it. In most cases, the authority will need to consult the confider (or will have done so when the information was received); including where the information was volunteered some time previously. In others, the authority will be able to explain the harm without consulting the confider (eg where it is clear; or the authority has close knowledge of the circumstances).

23.135 One of the earliest cases involved a complainant to a local authority about the state of a piece of land. The landowner sought the file about the complaint which, if unredacted, would have disclosed the identity of the complainant. The ICO decided that the identity of, and any identifying information about, the complainant were correctly withheld; on the basis that it was expected that the complainant would suffer harm in the form of an ‘undesirable impact on their relationship’ if his or her identity were disclosed, and the balance of the public interest favoured maintaining the flow of information to planning authorities by not deterring people from volunteering information59.

23.136 Another example involves pre-planning application advice, whereby a local planning authority offers advice for a fee to prospective planning applicants about the acceptability or otherwise of the project they have in mind, in the light of national and local criteria. The purpose is to smooth the process of planning applications by discouraging unacceptable schemes, or improving others in line with those criteria. In Redcar and Cleveland BC60, a further education college sought pre-planning advice from the authority about its plans for a new development. These were later described as ‘speculative plans’, which were ‘quite different’ to those in a subsequent planning application. While the subsequent application was being considered, an EIR request was made for the former set of plans. The college considered that disclosure would prejudice its then current application, because the public’s reaction to the current plans would be ‘negatively influenced’ by the disclosure of the former plans. The Commissioner upheld the refusal.

58 ICO: ‘Interests of the person who provided the information to the public authority (regulation 12(5)(f))’, para 23.
59 Bridgnorth District Council FS50062329.
60 Redcar and Cleveland Borough Council FER0066999.

No legal obligation to supply

23.137 Powers (eg enforcement powers) may exist to have compelled production of the information from the confider. These will preclude the use of the exception, even if they were not used (or known about) in the given case. So will situations where an applicant for a licence or grant is obliged to provide the information as part of the formal process, in order for the application to proceed. This can be distinguished from the situation where the applicant asks for discussions with the decision-makers before submitting a formal application, which is voluntary.

23.138 If another public authority would have powers to compel the third party to disclose the information to it, the exception will not apply. The authority dealing with the request must, therefore, consider the powers which any other authority might have.

23.139 Information given voluntarily by individual X to authority A, and then passed by that authority to authority B, similarly on a voluntary basis, will be covered by the exception as between X and A; but also potentially as between A and B, if authority A would suffer harm from its disclosure in response to an EIR request to authority B.

No entitlement to disclose

23.140 If there is a duty of confidence, the authority will need a power to disclose the information, before it can lawfully do so. If the confider knew that the authority had a power to disclose, the Commissioner is doubtful that the confider would have a reasonable expectation of confidence (unless, it is suggested, they had secured an express undertaking not to disclose). The ICO believes that it is unnecessary to consider whether a public interest defence would apply. If there is a statutory prohibition on disclosure, the information will not have been provided in circumstances of an entitlement to disclose, and so that requirement of the exception will be satisfied. EIR, reg 5(6) will not disapply such a prohibition, because of the wording that the authority must not be entitled ‘apart from these Regulations’ (ie outside them) to disclose the information61.

Consent of confider

23.141 The authority should as a matter of good practice have made clear on receipt the uses to which the information would be put. If time has passed, and a request is made, it should check with the confider (and ask about harm). Where there is no duty of confidence, and the confider does not object to disclosure, the ICO takes the view that the authority may disclose. (The exception is unlikely to apply in these circumstances anyway.)

61 ICO: ‘Interests of the person who provided the information to the public authority (regulation 12(5)(f))’, paras 43–44 and 45–47.


23.142 The exception is the third which has no application to information about emissions.

Public interest considerations – Regulation 12(5)(f)

23.143 Although avoiding the harm to the confider is a public interest factor, the ICO advises that the authority must go further than merely asserting that it should be prevented, to show how doing so will serve the public interest. This may be by avoiding harm to the relationship with the confider, or preventing the authority’s ability to do business with that or another party from being hindered. Avoiding harm to confidentiality in general has some public interest weight; but avoiding the specific harm to confidentiality in relation to the confider, and why that is important in the public interest, matters more in relation to this exception.

23.144 The Aarhus Convention suggested that the objective of this exception was to encourage the voluntary flow of information from third parties to public authorities. While the guidance appears to downplay this, concentrating initially on avoiding harm to the interests of the individual, it is then described as the ‘crucial factor’ in adding weight to the public interest in favour of maintaining the exception62.

23.145 The usual public interest reasons apply in favour of disclosure; their weight varying with the circumstances. The exception often arises in connection with planning matters, and the ICO refers to the high level of public interest in promoting public participation in planning matters; while also drawing attention to the importance of enabling planning authorities to conduct the planning process, which could be hampered if the voluntary flow of information from developers and others were to be reduced. There may also be a strong public interest in disclosing information supplied about scientific developments.

Other relevant exceptions

23.146 These may include harm to an individual’s safety (EIR, reg 12(5)(a)); confidential proceedings (EIR, reg 12(5)(d)); commercial or industrial confidentiality (EIR, reg 12(5)(e)); or, the personal data of third parties (EIR, reg 13).

Harm to the environment – Regulation 12(5)(g)

23.147 Ironically, this exception appears to be used only rarely. The exception applies where disclosure would adversely affect the protection of the environment to which the information relates. The ‘environment’ is to be understood to refer to the elements of the environment, as defined in EIR, reg 2(1)(a). The objective is to protect biodiversity, including vulnerable wildlife sites, or other environmental features such as archaeological sites, listed buildings, or unusual local flora, to the extent that the publication of information about them would cause harm. The harm could arise from encouraging visits, or directing undue public attention to the feature in question.

23.148 Preventing cruelty is not relevant to this exception; the harm concerned is to biodiversity, rather than to individual animals.

Public interest test

23.149 The public interest considerations will relate to the degree of importance of avoiding the weakening of protection for the feature concerned, or avoiding actual harm to it; which will vary with its degree of rarity, importance in a national or local context, perceived attractiveness or popularity (eg in relation to landscape), or level of vulnerability.

23.150 There is a public interest in avoiding harm to environmental protection. It should not be assumed, however, that the public interest would wholly favour non-disclosure. There will be a public interest in favour of disclosure, in relation to issues such as public expenditure or the number of people potentially affected. In some cases, the harm may be insufficiently severe to outweigh the public interest in people being aware of the matter, or able to enjoy it. Even in the case of an important habitat, where human incursion is a cause of significant harm, there may be some information which it would be in the public interest to disclose; in order to enhance public understanding of the issues involved and the reasons for allowing only limited disclosure. These might include: the fact that such a site exists; the measures considered necessary to preserve it; any individual behaviour to avoid in the event of accidentally coming into contact with it; or, any future conservation measures planned by the relevant authorities.

23.151 There is no exception from the duty to confirm or deny (perhaps strangely, in the context of protecting areas such as rare sites).

23.152 This is the fourth exception which has no application to information about emissions.

Example: Harm to environment and emissions

If a rare site (eg a river where beavers were being reintroduced) was being polluted by discharges of effluent from a nearby manufacturing plant, and it was thought advantageous – in terms of managing or reducing the pollution – to withhold the information held when a request was made, it might nonetheless be difficult to exempt all of the information concerned under this exception, to the extent that it related to the emissions or their impact on the beavers.

62 ICO: ‘Interests of the person who provided the information to the public authority (regulation 12(5)(f))’, para 59.


Personal data and EIR requests – Regulation 13

23.153 The handling of personal data which are sought via the EIR, or which arise in response to EIR requests, is for practical purposes the same as under FOIA 2000, s 40; with minor differences of wording. (See Chapter 27 on s 40.) The DPPEC Regulations make minor consequential amendments after Brexit to the provisions of EIR, regs 2 and 13, relating to personal data.

23.154 Personal data sought by the requester concerning themselves are not environmental information, and so do not need to be exempted under EIR, reg 13; such a request should be treated as an access request from the outset.


Part 3

Freedom of Information

CHAPTER 24

Duties and Process

FOI DUTIES

24.1 The duties of public authorities under the Freedom of Information Act 2000 (‘FOIA 2000’) date in their full extent from 1 January 2005. Such authorities have the following duties:

– to adopt and maintain a ‘Publication Scheme’, approved by the Commissioner, which specifies and publishes information which the public authority determines to be in the public domain (or which it is required to publish), on request. The information in a Publication Scheme is thus freely available; either on request, or more usually direct via the public authority’s website1.
– to observe a two-part duty: to confirm, in response to requests, whether or not information requested is ‘held’ by the authority; and, if it is, to disclose it to the requester2. The authority is thereafter to regard that information as disclosable to any other person who requests it (unless there has in the meantime been a major change in circumstances, which gives rise to an exemption which did not previously apply; but this is highly unlikely to occur). Once disclosed, therefore, the information should be treated for practical purposes as being in the public domain.

24.2 One of the inhibiting factors behind FOI decisions, which is too little acknowledged, is that the implications of publication to the world (albeit represented at the point of initial decision by the requester), in contrast to disclosing it to the requester alone (as occurs with an access request under the GDPR/Data Protection Act 2018 (‘DPA 2018’)), are normally much greater in scale and significance for the authority; or for public service more generally.

24.3 The two-part duty is the subject of a large number of exemptions. If one applies, it may mean that, in the circumstances of that request, the duty does not apply such as to require disclosure, or (less commonly) confirmation or denial; or that it does so to only a limited extent (or only in relation to some of the information, in the latter case). The application of an exemption has effect for that request only, however; whether it applied to a similar future request would need to be justified afresh at that time. A disclosure, in contrast, will almost always be permanent, for the reason above.

1 FOIA 2000, s 19.
2 FOIA 2000, s 1(1)(a) and (b), respectively.


Separating the types of information

24.4 The FOI duties apply to ‘information’ held by a ‘public authority’3. Information is defined to mean ‘information recorded in any form’4. The breadth of this definition contrasts with those for personal data and environmental information. ‘Personal data’ are defined as information relating to individuals which identifies them (in a broad sense). Such information is analysed in detail in Chapter 3, paras 3.1–3.9. ‘Environmental information’ is defined in the Environmental Information Regulations 2004 (‘EIR’); with a very broad application (see Chapter 19 generally). Whereas in the private sector, only personal data are relevant to information law, in the public sector all three types of information may give rise to obligations. Any given piece of recorded information will fall under one (only) of these headings: personal data; environmental information; or, the remainder, namely information to which the FOI Act applies.

24.5 Many, and possibly the majority, of FOI requests also involve either or both of the other two regimes. The high profile of FOI rights might suggest, moreover, that the information to which the 2000 Act applies would stand out. The opposite can be the case; it often comprises the less significant elements within a request. Since the other two regimes are defined more specifically, and different rules apply to each of them, it is necessary first to identify the information which may be personal data or environmental information; with the FOI information forming the residual category5.

24.6 It could be suggested, as a rough rule of thumb, that some 15–20% of a typical mixed information request might constitute the personal data of the requester or another person; and about 25–30% (and often more) environmental information. Up to half of the information falling within a typical such request, therefore, may turn out to fall under one of the other two regimes; when it appeared at the outset to be an FOI request.

24.7 It is the duty of the public authority, where a request is made to it for information that falls under the GDPR/DPA 2018, the EIR, or the FOIA, to apply the correct regime. This is the case irrespective of the wording of the request; or what the requester may believe. Requesters cannot be expected to know the law in any detail, and are not obliged to name the correct (or any) regime in order to enjoy their rights. It would moreover be unreasonable if they were to be refused information under one regime which fell under another for which the authority was also responsible, and to which they were entitled under that regime.

3 For ‘public authority’ see para 24.23 below.
4 FOIA 2000, s 84.
5 See also paras 18.10–18.15 as to the relationship with environmental information; and para 24.21 below.


Publication Schemes

24.8 Section 19 of the FOIA 2000 requires an authority to adopt a Publication Scheme, as approved by the Commissioner; to publish information in accordance with it; and, from time to time, to review it. A scheme has to specify classes of information which the authority ‘publishes or intends to publish’, specify the manner of their publication, and also state whether the material is available free or for a charge6. (It may be noted from this that an opportunity routinely to charge for published information exists under s 19 – see paras 24.47–24.49.) The scheme should be the authority’s ‘shop window’ of what is in the public domain as a matter of course. A guide should accompany the scheme, setting out what information is published and by what means, and a schedule of fees (if any are to be charged)7.

24.9 In adopting or reviewing its scheme, a public authority is to have regard to the public interest in allowing the public to have access to information which it holds; and in the publication by the authority of reasons for the decisions it takes8.

24.10 The manner of publication is a matter for the authority’s discretion, although material is almost universally published on websites; increasingly with electronic links to give direct access to the information specified. If information has to be requested, rather than being made directly available via a website, the ICO stresses the importance of promptness in response.

24.11 Approval by the ICO may be time-limited. Notice of approval may be revoked by the ICO with six months’ notice (eg in the event of irregularities). Where the ICO withdraws notice, she must give reasons9.

24.12 Authorities with over 100 full-time equivalent employees should set out, as a matter of best practice, details of their performance in handling FOI requests10.

24.13 Under FOIA 2000, s 20, the ICO has power to produce model schemes for different classes of authority. An authority which adopts such a model scheme without modification does not require further approval for its scheme while the model remains approved. If it adopts it with modifications, the ICO’s approval is required only for the modified elements. Model schemes are also time-limited, and may likewise be revoked on notice of at least six months. A refusal of a modification, or a revocation of a model scheme, by the ICO has to be accompanied by reasons11.

6 FOIA 2000, s 19(2).
7 Cabinet Office: ‘Freedom of Information Code of Practice’, revised July 2018 (‘Revised s 45 FOI Code’), para 8.2.
8 FOIA 2000, s 19(3).
9 FOIA 2000, s 19(6) and (7).
10 See revised s 45 FOI Code, paras 8.5–8.6.
11 FOIA 2000, s 20(6) and (7).


Model Scheme

24.14 The ICO has produced a single model publication scheme in two versions; one for most public authorities, and the other for those which are only covered by the Act for certain information they hold. Any publication scheme which preceded 1 January 2009 has had to be replaced with the model scheme. The model is short (four pages on the ICO website) and sets out seven broad classes of information which the scheme must contain:

– ‘Who we are and what we do’ (organisational and governance information);
– ‘What we spend and how we spend it’ (financial information including procurement information);
– ‘What our priorities are and how we are doing’ (strategies and plans, performance indicators, audits, inspections and reviews);
– ‘How we make decisions’ (policy proposals, decision-making processes, internal criteria, and consultations);
– ‘Our policies and procedures’ (current ‘protocols’ for delivering the authority’s functions);
– ‘Lists and registers’ (information required by law to be displayed and other registers relating to the authority’s functions);
– ‘The services we offer’ (advice, media releases, description of services).

24.15 Information whose disclosure is prevented by law, exempt information under the Act, information which ‘is otherwise properly considered to be protected from disclosure’12, information in draft form, or information that is no longer readily available (eg archived information) is excluded. With the model scheme, the ICO has shifted the balance, from authorities having discretion as to what to put into their Publication Schemes, to seeking to oblige them to include all or most information which does not fall into those areas which are excluded; in order to encourage the maximum automatic availability of information.

24.16 Accompanying the model scheme are ‘Definition Documents’ which set out in greater detail what should be published, by type of authority. There is an extensive list of such authorities (eg government departments, the National Assembly for Wales, principal local authorities etc). For smaller public authorities, such as health practitioners, parish councils or primary or nursery schools, simpler ‘template guides to information’ substitute for definition documents.

24.17 Public authorities need to have a system for updating their Publication Scheme: adding new information; removing information that is out of date; and, reviewing its scope. This should be co-ordinated with the management of records.

12 ICO: Model Publication scheme.


DATASETS 24.18 A  ‘dataset’ is a collection of factual information which has not been altered or analysed since receipt by the public authority. It is likely to be ‘raw’ or source data. Datasets of information need to be made available in a re-usable form. If a dataset is covered by the Re-Use of Public Sector Information Regulations 201513, it should be licensed for re-use under those Regulations. If it is not covered (eg  because the public body is outside the regulations), it should be dealt with under the dataset provision in the FOI Act14. Guidance on handling datasets is set out in the revised Code of Practice on handling FOI15 (see following paragraph).

SECTION 45 CODE 24.19 Under the FOIA 2000, s 45(1) the Secretary of State is required to issue, and from time to time to revise, a code of practice to guide public authorities as to desirable practice in discharging their FOI duties. The Code is a useful starting point for newcomers to the field. A revised Code was issued in July 201816. The foreword makes clear that it constitutes guidance on best practice. 24.20 The Code should be examined directly, but covers: the FOI right of access; advice and assistance; consultation with third parties; time limits for responding to requests; internal reviews; the FOI cost limit; vexatious requests; publication schemes; transparency and confidentiality obligations in contracts; communicating with a requester; and, handling of datasets. 24.21 The Code makes clear that information given out as part of ‘routine business’ (eg standard responses to general enquiries) may be handled outside the FOIA. Requests for environmental information, or the requester’s own personal data, likewise fall outside the FOIA. A request for any other recorded information should be treated as an FOI request17. 24.22 A separate code issued under FOIA 2000, s 46, provides guidance as to records management. The importance of integrating records management with FOI cannot be over-stressed; particularly in providing a solid and defensible basis for searches in response to information requests. Much important work has been undertaken by public authorities in recent years to support and improve good records management practices.

13 SI 2015/1415. See Appendix 6.
14 FOIA 2000, s 11A.
15 Revised s 45 FOI Code, section 11 and Annex B.
16 ‘Freedom of Information Code of Practice’, Cabinet Office, revised July 2018.
17 Revised s 45 FOI Code, paragraph 1.4.

APPLICATION OF ACT: PUBLIC AUTHORITIES

24.23 The Act applies to ‘public authorities’, defined in FOIA 2000, s 3, as bodies, persons or office-holders falling within: (a) authorities, or types of authorities, listed in Sch 1, Pts 1–7; (b) bodies designated under s 5; or (c) a publicly owned company, as defined in s 6.

24.24 The Schedule applies to a very wide spectrum of central government, Parliament, local government, quangos, regulators, universities, the police and armed forces18, the NHS, or other public bodies. Certain bodies, such as the Bank of England, the BBC, or Channel 4, are listed only in respect of certain information they hold. The BBC, for example, is listed in respect of information held other than for the purposes of journalism, art or literature.

24.25 The Secretary of State may designate bodies appearing to him or her to be exercising functions of a public nature, or carrying out public functions under contract. Orders have been made to designate the Financial Ombudsman Service, the Association of Chief Police Officers (since replaced by the National Police Chiefs Council19), and the University and College Admissions Service (UCAS) in 201120; and Network Rail and two associated companies in 201521. The Commissioner laid proposals before Parliament in early 2019 to extend the scope of designation under FOIA, s 5, in respect of outsourced services. The proposals included: (a) designation by government of contractors regarding public functions they undertake, where this would be in the public interest, whether because of scale, duration or public importance; (b) designation of a greater number of other organisations exercising functions of a public nature, and for this to occur more frequently and efficiently; (c) amending FOIA, s 3, to clarify what information about public sector contracts is held ‘on behalf of’ an FOIA authority (see para 24.29); and (d) a comprehensive review of pro-active disclosure provisions affecting contracting and the public sector22.

24.26 Publicly owned companies are wholly owned by the Crown; or by a public authority listed in Sch 1, other than a government department or any public authority listed only in relation to particular information. Companies owned by more than one public authority have been brought into the scope of FOI where they are jointly owned by the Crown and another public authority, or by any two public authorities, and other conditions are met23. Examples of companies covered by the FOIA 2000 in this way include: UK Government Investments Ltd (UKGI – wholly-owned by the Treasury); subsidiary companies of Transport for London (including Crossrail Ltd); and, Arms Length Management Organisations (ALMOs) established by some local authorities to manage and improve their housing stock.

18 Other than the special forces, and units assisting the Government Communications Headquarters (GCHQ).
19 SI 2018/1212.
20 SI 2011/2598.
21 SI 2015/851.
22 ‘Outsourcing Oversight? The case for reforming access to information law’, ICO, January 2019; presented to Parliament under DPA 2018, s 139(3). See also paras 21.7 and 21.13–21.14.

Information Held

24.27 The right to information is broad, encompassing any ‘recorded information’24. The medium in which the information is held is unimportant. The request has to be for recorded information, not for explanations, comments or clarifications of policy. Requests of those kinds should be responded to outside the FOIA25.

24.28 Information is held by a public authority, if it is held by the authority other than on behalf of another person; or, if it is held by another person on behalf of the authority26. (NB See paras 21.11–21.14 as to the different rules applying under the EIR.)

Example: Holding information

Nonsuch Educational Trust, an FOI authority, works with local schools and parents’ groups to improve educational standards in Nonsuch Town. It offers space in its office to some of the parents’ groups, and they keep files and laptops there. The files of the parents’ groups are not held, for FOI purposes, by the Trust under FOIA 2000, s 3(2), because it holds them on behalf of those groups. On the other hand, when one of the Trust’s staff goes to work on secondment in a school, and the school gives her a room for her computer and files, those electronic and physical files remain held by the Trust, since they are being held during her secondment by another [legal] person on behalf of the Trust.

24.29 ‘Held’ is to be interpreted in its ordinary English sense, without reference to legal concepts such as ‘possession’ or ‘control’. This does not mean that it is a purely physical concept, as the above example shows. A public authority cannot arrange for its information to be held by persons outside the scope of the FOIA, and thus evade the obligations in the Act. Conversely, if it physically holds information, but for purposes other than its own (eg on behalf of another body), it will not ‘hold’ the information for FOI purposes. In relation to information held by a contractor to the authority, if the authority has rights to inspect the information, or to receive it back after the end of the contract, these will be indicators that the information is likely to be held on the authority’s behalf by the contractor, rather than by the contractor in its own right. The ICO advises, however, that determining in practice what information is held by an outsourced provider on a public authority’s behalf can be very difficult; and she proposed in early 2019 that this be reviewed by government (see also paras 21.7, 21.13–21.14 and 24.25). The revised s 45 Code advises that the authority and contractor agree at the outset what information is held on behalf of the authority (and also arrangements to gain access if a request is made)27.

24.30 The question of what is held arises in another way if some work on the information is needed to answer an FOI request. There is no FOI duty to create new information in response to a request; and if a degree of skill or judgment is required to manipulate the data in order to answer the question, the information may be considered not to be ‘held’ in that form (and therefore there would be no duty to put it into that form). The ICO’s guidance rests on whether a ‘sophisticated’, rather than a ‘reasonable’, level of judgment would be required to provide the information from the raw material (or ‘building blocks’) held. Thus, if the question could be answered by a simple examination of the material, or by only a simple or mechanical rearrangement of the existing data (eg by producing a total from a list of numbers or collection of documents), the public authority is likely to be considered to ‘hold’ the information in the form requested.

24.31 The question of what is ‘held’ arises also in relation to what has been deleted at the time when an FOI request is made for the information. If the information has been deleted in line with a policy to do so (typically, a retention schedule for records management purposes), the authority will be considered no longer to hold the information. This is the case even if it may be possible, at considerable cost, to recreate it; or to find it on a back-up file. On the other hand, if a back-up file has been used for a current purpose, such as in the place of an archived copy (‘archiving’ meaning that the information is kept available, for at least occasional use), it will be considered still to be held. The issue underlines the need for clarity in records management and retention scheduling; and the great assistance which clear policies of that kind can be in dealing with issues arising in relation to FOI searches (provided they are adhered to).

24.32 Where a public authority claims that it does not hold the information requested, it will need to be able to supply evidence; comprising a record of the conduct of the search, and the places searched. The standard to which it will need to convince the ICO, if there is an investigation, is the balance of probabilities. It will need to be able to show that it has conducted a proper search of the places where the information could be expected to be; and, also made suitable inquiries of its staff and systems. A log made of the search, demonstrating that this has been done, will assist the Commissioner to conclude on the balance of probabilities that the information is not held.

23 FOIA 2000, s 6, as amended by Protection of Freedoms Act 2012, s 103.
24 FOIA 2000, s 84.
25 Revised s 45 FOI Code, para 1.7.
26 FOIA 2000, s 3(2).
27 Revised s 45 FOI Code, para 9.4.

Valid request

24.33 A valid ‘request for information’ has to be made in writing, give a (real) name and an address for correspondence, and describe the information requested. The first requirement is met if: the text of the request is transmitted by electronic means (eg email); is received in legible form; and, is capable of being used for subsequent reference28. A tweeted request was held by the Tribunal not to be valid because the requester’s real name did not appear in the request. Furthermore, a Twitter user name was not an address for correspondence because (at the time) there was a limit of 140 characters on private tweets, which was unsuitable for correspondence between the authority and a requester. The Tribunal rejected the argument that the authority could have sent a link to a response uploaded to a website29. The FOI Code says that addresses for correspondence can be by email or ‘a unique name or identifier on a social media platform’, or postal address. The request must be addressed directly to the authority, and this requirement will be met only if the authority has a ‘formal, monitorable presence’ on the particular platform used by the applicant30.

24.34 FOI is in general ‘motive and requester blind’; in that a requester does not have to give a reason for a request, and none should be taken into account. In some circumstances, however, the identity of a requester may be important; or may be taken into consideration. If the request involves information which is (or is claimed to be) the personal data of the requester, it will be important (as with access requests in data protection) to resolve any doubt about the identity of the person whose personal data have been requested. If a request is considered ‘vexatious’, or ‘repeated’ (see paras 24.65–24.76, and 24.77–24.80 below respectively), it may be important to ensure that the true identity of the requester is known. The motive of the requester may also be relevant (see paras 24.69–24.70 below, and also paras 22.10–22.15 in relation to the EIR above). If a requester fails to give their real name, the request is technically invalid and the ICO would not be obliged to investigate a complaint from that requester.

24.35 On the other hand, the ICO has advised a pragmatic approach to the use of pseudonyms by requesters. The authority should consider whether the identity matters, in the context of the information requested. In the instance cited above, for example, it may be important. In other cases (and especially if the information will be disclosed without issue), it may be of no significance. The best course may be for the authority to make the requester aware that it does not consider that it has received his or her correct name, and that it will have to disclose any information informally, if none is forthcoming. The consequence would be that the requester would have no right to ask for a review, or to appeal31.

24.36 One point to note is that a request is not valid if it does not describe the information sought. On the other hand, it should not be assumed that this is the case merely because the request is phrased unconventionally, or even polemically. In Cabinet Office32, part of the request was as follows:

‘At the time of huge spending cuts – not least in the NHS – I wonder if you could explain why you have spent £5 million of taxpayer’s money on refurbishing 10 Downing Street and 70 Whitehall? 3. Could you further advise how this refurbishment is an example of: i) Your assertion that “we’re all in this together”? ii) A good use of taxpayer’s money?’

On the facts, the department did have information relevant to the first part of this extract, and supplied it to the requester. In relation to the second part, it held no information and was not obliged to answer a question which did not describe the information sought, and was seeking merely an opinion or explanation.

28 FOIA 2000, s 8(2).
29 Ghafoor v ICO EA/2015/0140.
30 Section 45 FOI Code, paragraph 1.16.
31 The EIR have no equivalent rules.

Time limit

24.37 The standard period for compliance with FOI responses is ‘promptly’; and in any event not longer than 20 working days following the date of receipt (ie four weeks, in a normal cycle)33. In limited circumstances, the public authority may extend the time; although the conditions are often misunderstood. Where the authority needs more time to assess the public interest balance concerning a potential (qualified) exemption, it may extend the time to enable it to do so; but must issue a refusal notice by the 20 working day deadline, and give an estimate of the time by which it expects to have reached its decision34. The Code suggests that reasons for an extension may include cases where the information is ‘especially complex or voluminous’, or where the authority needs to consult third parties35. Under s 10(3), compliance should follow in no longer than ‘is reasonable in the circumstances’. The Commissioner has long advised that this should be no longer than another 20 working days, but this is not in the Act; and the Code recognises that in some circumstances it may need to be longer36.

24.38 Certain public authorities have longer time limits, under Regulations made under FOIA 2000, s 10(4). These include maintained schools, academies, archives, frontline units of the armed forces, and information held outside the UK (eg in Embassies)37.

24.39 An important provision is that the authority does not incur a duty to respond to a request until it can understand how to do so. Where the authority reasonably requires further information to enable it to ‘identify and locate the information requested’, and has informed the requester of the fact, it is not obliged to comply with the request unless it is supplied with the further information38. The Code suggests waiting two months for a reply before closing the request39.

24.40 Where the authority has charged a fee, it has no duty to comply with the request until the fee is paid, within three months of its issue40. The period during which the fee is not paid does not count towards the 20 working days41.

32 FS 50437321, paras 18–23.
33 FOIA 2000, s 10(1).
34 FOIA 2000, s 17(2).
35 Revised s 45 FOI Code, para 4.5.
36 Revised s 45 FOI Code, para 4.6.
37 Revised s 45 FOI Code, para 4.3.

Exemption from duty to confirm or deny

24.41 There is generally, in principle, an exemption from the duty to confirm or deny where, on the facts, the same exemption would potentially apply to the confirmation or denial as to a disclosure; but it is important to examine the provision to see whether such an exemption is available. Where it is, the authority will need to consider in each case whether the exemption is engaged, and (if it is a qualified exemption) the effect on the public interest test. This type of exemption is less commonly engaged in practice than an exemption from disclosure.

Duty to advise and assist

24.42 A public authority has a duty to provide advice and assistance, so far as it would be reasonable to expect it to do so, to persons who propose to make, or have made, requests to it for information. It will be noted, therefore, that the duty applies as much to intending requesters as to those who have lodged requests. Under FOIA 2000, s 16(2), compliance with a code issued under s 45 of the Act satisfies this requirement.

24.43 One example of the application of the duty is to advise a requester whose request is likely to breach the cost limit (see paras 24.57–24.64 below), as to how they may reduce the request in order to escape the limit. Another is assisting a person who is unable to frame their request in writing, perhaps because of a disability. The s 45 Code says that the authority should ensure that the person receives assistance (eg by advising them as to who else may be able to assist, such as a Citizen’s Advice Bureau); or by making the application on their behalf. Exceptionally, the authority could offer to take a note of the request over the telephone and send it to them for confirmation42.

Conducting the search

24.44 Reference has been made above to the advisability of logging a search, and the standard to be met for claiming that information is not held (para 24.32). Where the information (or its full extent) is not readily identifiable, it is also advisable to establish a plan for a search, along the same lines as for an access request for an applicant’s personal data43. This should include all the places where the information could reasonably be expected to be held; but also searching of the titles (and preferably, thereafter, the content) of all relevant emails in the area(s) of the organisation likely to be involved, and of senior staff or others likely to have been engaged in discussion of the matter concerned. If staff (and particularly senior staff) are permitted to use private email accounts for business purposes, these should be searched too, in respect of those who may have been involved. In a case involving information held on the private email accounts of Rt Hon Michael Gove MP (when Secretary of State for Education) and others, it was established that an email held on a private email account will count as held by the authority, having considered its purpose, to the extent that the majority of the content of the email concerns the business of that authority44.

38 FOIA 2000, s 1(3).
39 Revised s 45 FOI Code, para 2.9.
40 FOIA 2000, s 9(2).
41 FOIA 2000, s 10(2).
42 Revised s 45 FOI Code, paragraph 2.5.

Format of response

24.45 Where the applicant expresses a preference as to the format of the response, whether for a copy in ‘permanent form’ (or another form acceptable to the applicant), inspection, or a digest or summary, the authority must give effect to that preference so far as reasonably practicable. In considering whether it is reasonably practicable to communicate the information by a particular means, the authority may have regard to all of the circumstances, including the cost. It shall notify the applicant if it considers that it is not reasonably practicable to comply with the preference. Subject to this requirement, the authority may comply by communicating the information by any means which are reasonable in the circumstances45.

24.46 Under amendments to FOIA 2000, s 11, made with effect from 2013, if a dataset is requested to be provided in an electronic format, the authority should provide it, so far as reasonably practicable, in a re-usable (ie machine-readable) electronic format. The authority should use the Open Government Licence to permit disclosure, if it holds the copyright to the information (see Appendix 6).

43 See paras 7.26–7.28.
44 Department for Education FS50422276, para 21.
45 FOIA 2000, s 11(1)–(4).

CHARGING FOR REQUESTS: (I) PUBLICATION SCHEME

24.47 There are two regimes for charging; one, which will be familiar to most practitioners, concerns charging for one-off FOI requests, which is determined by regulations described at paras 24.50–24.56 below. The other, less well-known, arises under FOIA 2000, s 19(2)(c), in relation to Publication Schemes; and relates, therefore, to information which is treated as within the public domain by the authority (and to which the exemption in s 21 applies, if it is requested under the FOIA 2000).

24.48 Few public authorities charge in either situation, citing the administrative cost of raising invoices. In the case of information requests, there would also no doubt be administrative inconvenience in separating information for which a charge was to be made, from documents likely to be considered freely available as a matter of course (eg agendas of public meetings). As public budgets become yet more constrained in the future, however, and as technological means to pay become more readily available, this position may change.

24.49 In relation to charging under a publication scheme, the model scheme requires only that the authority produce a schedule of the charges it will make for the information available; and, that the charges made under the scheme for ‘routinely published material’ should be ‘justified and transparent and kept to a minimum’. It then suggests that charges may be made for ‘actual disbursements incurred’, including photocopying, postage and packaging, and ‘the costs directly incurred as a result of viewing information’ (ie by the requester). The more detailed information about publication schemes explains that the ICO does not consider it reasonable to charge for information provided online; but also adds that information ‘produced commercially’ for sale, and which the authority would not otherwise have produced, may be charged for46. The model scheme acknowledges that charges may be legally authorised by other provisions; and also that other charges may be ‘justified’ in all the circumstances, including the general principles of the right of access, in accordance with a published schedule which is readily available to the public. If a charge is made, confirmation of the amount should be given before the information is provided; but the authority may also request the payment prior to providing the information.

CHARGING FOR REQUESTS: (II) INFORMATION REQUESTS

24.50 In relation to one-off fees relating to information requests under FOIA 2000, s 9, if the public authority is to charge such a fee, it must issue a fees notice within the 20-day period from the request. It is not obliged to comply with the request until the fee is paid, within a period of three months from the date on which the notice is given to the requester. Unless the fee for the information concerned is set by another statute47, the fee must be determined in accordance with regulations under the FOIA 2000.

24.51 The Freedom of Information and Data Protection (Appropriate Limits and Fees) Regulations 2004 (the ‘Fees Regulations’)48 govern both the fees which may be charged, and limits placed on the costs of FOI searches (see FOIA 2000, s 12 below at paras 24.57–24.64)49. Regulation 6 states the maximum which may be charged for any fee issued under FOIA 2000, s 9. This is the sum equivalent to the total costs which the authority reasonably expects to incur, in relation to the request, in:
(a) informing the person making the request whether it holds the information (ie confirmation or denial); and
(b) communicating the information to the person making the request50.

24.52 Costs which the authority may take into account in setting the fee include, but (it may be noted) are not limited to, the costs of:
(a) complying with any obligation under FOIA 2000, s 11(1) as to the means or form of communicating the information (ie any particular costs associated with complying with the requester’s preference; which might have included making the material available for inspection, or producing a summary, as well as the particular format requested for reproduction);
(b) reproducing any document containing the information; and
(c) postage and other forms of transmitting the information51.

24.53 The s 45 Code refers to ‘actual production costs’, including ‘redacting exempt information’ in preparing the information for disclosure. This does not include, however, the staff time in determining redactions, where the request is below the cost limit.

24.54 The time of staff spent in the activities in para 24.51(a) or (b) above (ie confirmation or denial, or communication) may not be included52. (It may be noted that other staff time involved in earlier stages of the request is not expressly excluded.)

24.55 Charges may also be made for a dataset of a ‘relevant copyright work’53, provided in a re-usable format under FOIA 2000, s 11A(2), as determined by the Freedom of Information (Release of Datasets for Re-Use) (Fees) Regulations 201354. In that case, the total fee shall not exceed the sum of:
(a) the cost of collection, production, reproduction and dissemination of the copyright work; and
(b) a reasonable return on investment55.

46 ICO: ‘What information do we need to publish?’
47 FOIA 2000, s 9(5). The FOIA 2000, unlike the EIR, generally fits around other legislative regimes.
48 SI 2004/3244.
49 The same limits are applied in relation to certain access requests for personal data – see paras 7.46–7.49.
50 Fees Regulations, reg 6(2).
51 Fees Regulations, reg 6(3).
52 Fees Regulations, reg 6(4).
53 Ie a copyright work, or database subject to copyright, other than one owned by the Crown or either House of Parliament.
54 SI 2013/1977.
55 SI 2013/1977, reg 2(2).

24.56 The fee for a dataset is to be determined, so far as reasonably practicable, in accordance with accounting principles applying to the authority at that time, and on the basis of a reasonable estimate of the demand for the copyright work over the appropriate accounting period. The fee is not to include the cost of collection etc ((a) in para 24.55 above) if that cost has previously been charged to the same requester for that work56. The authority is expected to establish standard fees of this type, so far as reasonably practicable, specifying in writing on request how it has done so. Where there is no standard fee, and if requested, the authority shall specify in writing the factors to be taken into account in determining the fee. These provisions do not apply if there is any other power to charge for making the work available for re-use.

NO DUTY TO COMPLY: (I) COST LIMIT FOR FOI REQUESTS

24.57 Under FOIA 2000, s 12(1), an authority is not obliged to comply with a request if it estimates that the cost of compliance would exceed the ‘appropriate limit’. (The exemption does not apply to the duty to confirm or deny unless the estimated cost of complying with that duty alone would exceed the limit57.) The limits are set out in the Fees Regulations referred to above. FOIA 2000, s 12(4) enables provision to be made as to circumstances where two or more requests are made to an authority by one person, or by different persons who appear to the authority to be ‘acting in concert or in pursuance of a campaign’; in which case, the estimated cost of complying with any of the requests is to be taken to be the total cost of complying with all of them.

24.58 Where it applies a cost limit, the authority does not have to search for information falling within the request up to the point where the cost limit is reached58. It should consider what advice and assistance to offer to help the applicant to reframe the request, with a view to bringing it below the cost limit59.

24.59 Regulation 3 of the Fees Regulations sets the limit at £600 for an authority listed in Pt 1 of Sch 1 to the Act (ie broadly: government departments; either House of Parliament; the devolved assemblies and governments in Wales and Northern Ireland; and, the armed forces)60. The limit for any other public authority is £450. The total is calculated at a notional £25 per hour in terms of staff time (including the time of any contractors)61. This means that the higher limit equates to 24 hours’ work for one person, and the lower to 18 hours. The equation of the two has become automatic, however; ignoring the fact that the limits are not restricted to the cost of such time. If other significant costs would be incurred, provided they fall within the activities listed below, it is open to the authority to take those into account. Where they are not staff costs, they may be calculated as actual costs.

24.60 As an example, if IT software had to be purchased to gain access to electronic files in order to establish whether it held them and (if so) to locate them, in the terms described in para 24.61 below (and assuming: (a) there was a reasonable basis for believing that some of the information requested was likely to be located there, and could not be reached otherwise; and, (b) the need for the software did not arise from some deficiency in the authority’s previous management of its electronic files), the authority would be able to take the purchase price of the software into account against the limit (which might well exceed it); in addition to any staff time that would be involved in using the software.

24.61 In making its estimate, an authority may take into account only the costs it reasonably expects to incur in relation to the request in62:
(a) determining whether it holds the information (ie establishing whether it does so, before locating it or its extent);
(b) locating the information, or a document which may contain it (ie finding it, to its full extent);
(c) retrieving the information, or a document which may contain it (ie placing it into a useable form in the hands of the person conducting the search; eg from an archived file); or
(d) extracting the information from a document containing it (ie separating the precise information requested from any other information).

24.62 As indicated above63, reg 5(1) of the Fees Regulations provides that where two or more requests are made to an authority, by one person or by different persons who appear to the authority to be acting in concert or in pursuance of a campaign, the estimated cost of complying with any of the requests is to be taken to be the total cost of complying with all of them which may be taken into account in reg 4 of those Regulations. This restriction applies, however, only in circumstances where: the two or more requests relate, to any extent, to the same or similar information; and, those requests are received by the authority within any period of sixty consecutive working days (ie typically, about three months)64. The fact that the requests can relate ‘to any extent’ means that slightly overlapping requests will fall within the restriction. Requests on wholly different subjects, even if clearly made to support a campaign, will fall outside the restriction (although an authority may wish to consider the ground of vexatiousness in FOIA 2000, s 14 – see paras 24.65–24.76 below).

56 SI 2013/1977, regs 2(3) and (4) respectively.
57 FOIA 2000, s 12(2).
58 Revised s 45 FOI Code, paragraph 6.6.
59 Revised s 45 FOI Code, paragraph 6.9.
60 The Schedule has been amended several times, to exclude information from the FOIA 2000, such as the home addresses of MPs for security reasons; or to qualify the scope of the Act in relation to the Competition and Markets Authority, or to the Office for Standards in Education, Children’s Services and Skills (Ofsted).
61 SI 2004/3244, reg 4(4).
62 SI 2004/3244, reg 4(1)–(3).
63 See para 24.57 above.
64 Working days are defined in SI 2004/3244, reg 5(3).
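The cost-limit rules in paras 24.57–24.62 are, in effect, an estimating procedure: count only the four reg 4 activities at the notional hourly rate, add any other actual costs within those activities, aggregate related requests under reg 5, and compare the result with the appropriate limit. The following is an added worked example in Python, written for this page; it is not the book's material and not an ICO or government tool. It assumes that a working day is Monday to Friday less any bank holidays the caller supplies (reg 5(3)'s own definition is not reproduced here), that the ‘sixty consecutive working days’ window is tested pairwise against the request under consideration, and that the request references, requester names, subjects, dates and hours are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Tuple

# Figures as summarised in paras 24.59-24.62 (Fees Regulations, SI 2004/3244).
HOURLY_RATE = 25.0            # reg 4(4): notional GBP 25 per hour of staff time
LIMIT_SCH1_PT1 = 600.0        # reg 3: bodies listed in Pt 1 of Sch 1 to the Act
LIMIT_OTHER = 450.0           # reg 3: any other public authority
AGGREGATION_WINDOW_DAYS = 60  # reg 5: "sixty consecutive working days"

# reg 4(3)(a)-(d): the only activities whose cost counts towards the estimate.
PERMITTED_ACTIVITIES = frozenset({"determine", "locate", "retrieve", "extract"})


@dataclass
class Request:
    ref: str
    received: date
    requester: str                       # person, or one label for persons acting in concert
    topics: FrozenSet[str]               # subjects the request relates to, to any extent
    staff_hours: Dict[str, float] = field(default_factory=dict)  # activity -> hours
    other_costs: float = 0.0             # non-staff actual costs within the permitted activities (para 24.60)


def working_days_span(a: date, b: date, holidays: FrozenSet[date] = frozenset()) -> int:
    """Working days from the earlier date to the later date, both inclusive.

    Assumption: a working day is Monday to Friday and not a holiday supplied by the caller.
    """
    start, end = min(a, b), max(a, b)
    count, d = 0, start
    while d <= end:
        if d.weekday() < 5 and d not in holidays:
            count += 1
        d += timedelta(days=1)
    return count


def estimated_cost(req: Request) -> float:
    """reg 4 estimate for one request: permitted staff time at the notional rate plus other actual costs.

    Time on activities outside reg 4(3) (eg redacting or considering exemptions) is ignored.
    """
    hours = sum(h for activity, h in req.staff_hours.items() if activity in PERMITTED_ACTIVITIES)
    return hours * HOURLY_RATE + req.other_costs


def aggregated_cost(target: Request, requests: List[Request],
                    holidays: FrozenSet[date] = frozenset()) -> Tuple[float, List[str]]:
    """reg 5 aggregation: total the estimates of related requests from the same requester.

    A request is related if it shares at least one topic with the target ("to any extent")
    and both fall within a period of 60 consecutive working days (tested pairwise, an assumption).
    """
    total, included = 0.0, []
    for r in requests:
        if r.requester != target.requester:
            continue
        if r is not target and not (r.topics & target.topics):
            continue
        if working_days_span(r.received, target.received, holidays) > AGGREGATION_WINDOW_DAYS:
            continue
        total += estimated_cost(r)
        included.append(r.ref)
    return total, included


def exceeds_appropriate_limit(target: Request, requests: List[Request], sch1_pt1: bool = False,
                              holidays: FrozenSet[date] = frozenset()) -> Tuple[bool, float, List[str]]:
    """s 12(1) test: does the (aggregated) estimate exceed the authority's appropriate limit?"""
    limit = LIMIT_SCH1_PT1 if sch1_pt1 else LIMIT_OTHER
    cost, refs = aggregated_cost(target, requests, holidays)
    return cost > limit, cost, refs


# Constructed sample requests (references, names, subjects, dates and hours are invented).
SAMPLE = [
    Request("FOI-A", date(2019, 3, 4), "J Smith", frozenset({"refurbishment"}),
            {"determine": 2, "locate": 6, "extract": 4, "redact": 5}),   # redaction time does not count
    Request("FOI-B", date(2019, 4, 1), "J Smith", frozenset({"refurbishment", "budget"}),
            {"locate": 8}),                                               # overlaps FOI-A, 21 working days later
    Request("FOI-C", date(2019, 4, 15), "J Smith", frozenset({"parking"}),
            {"locate": 4}),                                               # unrelated subject: not aggregated
    Request("FOI-D", date(2019, 9, 2), "J Smith", frozenset({"refurbishment"}),
            {"locate": 2}),                                               # same subject, but outside the window
]

if __name__ == "__main__":
    over, cost, refs = exceeds_appropriate_limit(SAMPLE[0], SAMPLE)
    print(f"FOI-A aggregated with {refs}: GBP {cost:.2f}; exceeds the GBP 450 limit: {over}")
```

Run against the constructed sample, FOI-A alone costs £300 (12 permitted hours; the five hours of redaction are excluded), but aggregated with the overlapping FOI-B it reaches £500, which is over the £450 limit for an ordinary authority and under the £600 limit for a Pt 1 of Sch 1 body. FOI-C is left out because its subject does not overlap, and FOI-D because it falls outside the sixty working day window.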

24.63 Where the cost limit would be reached (and assuming no other provision applies as to the fee), the authority may choose to refuse to supply the information. Alternatively (and probably less commonly), it may decide to exercise another option, apart from refusal; namely, to offer to supply the information, if the requester pays a fee set in regulations made under FOIA 2000, s 13. Regulation 7 of the Fees Regulations sets the maximum level of such a fee, as a sum equivalent to the total of:
(a) the costs which the authority may take into account:
(i) under Regulation 4 (ie in setting the cost limit; but discounting any aggregated costs included under a campaign in Regulation 5); and,
(ii) the costs it reasonably expects to incur in relation to the request in:
– informing the requester whether it holds the information; and
– communicating the information to the requester.

24.64 The costs which may be taken into account under (ii) above include, but are not limited to, the costs of:
(a) giving effect to any preference of the requester as to the means or form of communicating the information;
(b) reproducing any document containing the information; and
(c) postage and other forms of transmitting the information.

NO DUTY TO COMPLY: (II) VEXATIOUS OR REPEATED REQUESTS

24.65 The provisions in FOIA 2000, s 14, contain important safeguards, which most public authorities can expect to need to rely on at some point. Section 14(1) of the FOIA 2000 disapplies the duties to confirm or deny, and the duty to disclose the information, if the request is ‘vexatious’. The term itself is unfortunate, and is often misunderstood by requesters to be intended to be offensive. The EIR refer to requests which are ‘manifestly unreasonable’, which would be a better term under the FOIA; especially as the courts have now expressly equated the two (see para 22.10). Whatever its title, however, the right to disapply such requests is an important one for public authorities in their dealings with requesters who exceed reasonable limits in relation to their information requests. Since FOI is generally applicant-blind, the exception applies to the request, not the requester.

24.66 The Commissioner urges authorities not to treat FOIA 2000, s 14, as a last resort, or as only to be used in extreme circumstances. She would encourage authorities to use it in any case where the request is disproportionate or unjustified. The s 45 Code says the same, and stresses a number of the points below65.

65 Revised s 45 FOI Code, paragraph 7.3; and also section 7 of the Code generally.

24.67 In the important case of Dransfield, the Upper Tribunal described a vexatious request, in the context of the FOIA, as a ‘…manifestly unjustified, inappropriate or improper use of a formal procedure.’66 It also said that s 14 served the ‘legitimate public interest in public authorities not being exposed to irresponsible use of FOIA, especially by repeat requesters whose inquiries may represent an undue and disproportionate burden on scarce public resources’67. In the Court of Appeal in the same case, Arden LJ described a vexatious request as one which: ‘has no reasonable foundation, that is, no reasonable foundation for thinking that the information sought would be of value to the requester or to the public or any section of the public’68.

24.68 In Dransfield in the Upper Tribunal, Judge Wikeley referred to the earlier case of Wise, in which the ‘common theme’ in cases under FOIA 2000, s 14(1), had been identified – at least where there had been a previous course of dealings between the authority and the requester – as a ‘lack of proportionality’69.

24.69 This led the judge to say that the ‘misuse of the FOIA procedure’, represented by a vexatious request, could be evidenced by four ‘broad issues or themes’; although he stressed that these were not ‘all encompassing’ and other evidence would be possible. The four themes are:
(1) the burden on the public authority and its staff: the judge recognised that, because this was linked to previous dealings, the ‘context and history’ had to be considered, including the number, breadth, pattern, and duration of previous requests;
(2) the motive of the requester: this may well be relevant to whether the request is vexatious, in the context of the wider dealings between the requester and the authority (eg where a reasonable request leads to further requests at increasing distances from the original topic, or which become disproportionate). In important statements, the judge said that the ‘right to information under FOIA is a significant but not an overriding right in a modern democratic society’; although authorities should not use s 14 to forestall ‘genuine attempts to hold them to account’70;
(3) the value or serious purpose of the request: the value may be obvious; or, it may have diminished over time (eg if the issue has been ‘exhaustively considered’); or, there may appear objectively to be none (although this would be insufficient on its own to justify a finding of vexatiousness);
(4) any harassment to, or distress of, staff: although not a pre-requisite, obsessive or offensive behaviour, the use of ‘intemperate’ or racist language, or the making of wide-ranging and unsubstantiated criminal allegations, may be evidence of vexatious requests71.

24.70 The ICO’s guidance was re-cast in the light of Dransfield. The Commissioner lists a number of ‘indicators’ of potential vexatiousness:
— Abusive or aggressive language;
— Burden on the authority;
— Personal grudges;
— Unreasonable persistence;
— Unfounded accusations;
— Intransigence;
— Frequent or overlapping requests;
— Deliberate intention to cause annoyance;
— Scattergun approach;
— Disproportionate effort;
— No obvious intent to obtain information;
— Futile requests;
— Frivolous requests.

24.71 For the Commissioner, some requests are ‘so patently unreasonable or objectionable’ as to ‘obviously be vexatious’; including ones whose purpose is clearly to annoy or disrupt, or whose tone or content are so objectionable that it would be unreasonable to expect the authority to comply, however great the value of the request; or, which issue threats against employees, or use racist language.

24.72 Where this is not the case, the key question is whether the request is ‘likely to cause a disproportionate or unjustified level of disruption, irritation or distress.’72 It may be added that a vexatious request can also be too burdensome, or have no serious purpose.

66 ICO v Devon County Council and Dransfield [2012] UKUT 440 (AAC), para 27.
67 Dransfield (as footnote 66), para 35.
68 Dransfield v ICO and Devon CC [2015] EWCA Civ 454, para 68.
69 Wise v ICO GIA/1871/2011. The Judge in Dransfield referred also to Lee v ICO and King’s College, Cambridge EA/2012/0015, 0049 and 0085. See Dransfield in the Upper Tribunal (as footnote 66), para 27.
70 Dransfield, Upper Tribunal (as footnote 66), paras 35–36.
71 See paras 28–39 of the Dransfield judgment in the Upper Tribunal (as in footnote 66). Practitioners may wish to examine these passages, and also para 27 of the judgment.
72 ICO: ‘Dealing with vexatious requests (section 14)’, para 36.

24.73 It will usually be necessary to weigh the evidence about the impact against the purpose and value of the request. This is summarised in a table in the ICO’s guidance on s 14, balancing:



In favour of the request: serious purpose; the requester’s aims and legitimate motivation; wider public interest and objective value;
versus
Against the request: detrimental impact on the authority; evidence that the requester is abusing the right to information73.

24.74 The ICO recommends asking a colleague who has not been involved to consider the correspondence; and also considering a more conciliatory approach before making a final decision to refuse on this ground74. The guidance also deals with issues such as round robins, campaigns, and ‘fishing’ expeditions; and helpfully includes an annex of examples of types of situations from previous Tribunal decisions.

24.75 There are a significant number of decisions on vexatiousness. Examples (as well as Dransfield itself) which may assist practitioners in considering whether it applies in a given case may include: (in the Upper Tribunal) CP v ICO (on the amount of evidence needed as to a course of dealings; and also a very helpful summary of the Dransfield decisions, and their significance, at paras 22–30); Ashton (confirmation that vexatiousness may be invoked on the grounds of resources alone; and that this need not be trumped by a substantial public interest underlying the request); and (in the First-tier Tribunal) Jason Blake v ICO (which contains a clear discussion of the Dransfield themes)75.

24.76 If there is a refusal, a notice is required, unless one has already been issued to the same individual for a previous vexatious request, and it would be unreasonable to expect it to issue another.

Repeated requests

24.77 Under FOIA 2000, s 14(2), where a public authority has previously complied with a request which was made by any person, it is not obliged to comply with a subsequent identical or substantially similar request from that person, unless a reasonable interval has elapsed between the previous compliance and the making of the current request. There is no public interest test.

24.78 The authority may previously have provided the requester with the information, or confirmed that it is not held in response to the earlier FOI request.

73 ICO guidance on s 14 (as footnote 71 above), para 54. See also para 37.
74 ICO guidance on s 14, para 100.
75 CP v ICO [2016] UKUT 472 (AAC), paras 2 and 34–38; and paras 22–30 respectively; Cabinet Office v ICO and Ashton [2018] UKUT 208 (AAC), para 27; Jason Blake v ICO and Leicester City Council EA/2018/0179, paras 23–27.



A request will be ‘identical’ where both its scope and wording precisely match the wording of the previous request. It will be ‘substantially similar’ if:
– although the wording is different, the scope of the request is the same; or
– the scope is not significantly different from that of the previous request.

24.79 Whether there has been a reasonable interval will largely depend on how likely it is that the information concerned will be different to, or have changed from, the information previously provided. If it is likely to have changed, it should be supplied afresh. If it is unlikely to be different, the authority will need to consider the amount of time between requests and determine whether this is enough to make it reasonable for it to be required to provide the same information again. The Commissioner declines to advise on a period and calls for the rule to be applied sensibly76. Although not suggested in the guidance, a rough guide might be suggested of six months, if the information has not changed. On the other hand, in Lampert, the same request was repeated after about a year, and the Tribunal upheld the refusal77.

24.80 The authority has to issue a refusal notice unless it has already sent the requester a notice under FOIA 2000, s 14(2), in response to a previous request for the same information, and it would be unreasonable to expect it to issue another78.

HANDLING EXEMPTIONS AND THE PUBLIC INTEREST TEST

24.81 While public authorities should expect that the great majority of the information requested should be disclosed, in accordance with the purpose of the FOIA 2000 (and the environmental information regime), the Act does allow a number of exemptions as part of a careful balance between the broad purpose of increased disclosure and the need for restraint in specific circumstances. The Act includes 23 exemptions, of which 8 are ‘absolute’ (in whole or part); and the remainder apply, subject to a ‘public interest test’ (known as ‘qualified’ exemptions, although the term does not appear in the Act).

24.82 The absolute exemptions are listed in FOIA 2000, s 2(3). Where, or to the extent that, the facts or circumstances fit the terms of the exemption, the latter may be applied by the public authority without further consideration, and the information need not be disclosed.

24.83 With qualified exemptions, there is a two-stage test. Where, or to the extent that, the facts or circumstances fit the terms of a qualified exemption, the first stage has been met. The authority then needs to apply the public interest test79. This can apply either to the duty to confirm or deny, or (more commonly) to the duty to disclose; or both. The test is whether, in all the circumstances of the case, the public interest in maintaining the exemption (or in maintaining the exclusion of the duty to confirm or deny) outweighs the public interest in disclosing the information (or in disclosing whether the public authority holds the information). There is thus anticipated to be a public interest on both sides of the issue (and there will always be some general public interest in transparency); so that both aspects need to be examined. The test should be applied objectively. The test will only be met (ie the information may only be withheld, or the need to confirm or deny be avoided) if, or to the extent that, the public interest in non-disclosure is weightier than the public interest in disclosure. (This is the practical meaning of the implicit ‘presumption in favour of disclosure’ under the FOIA 2000.) If they are of even weight, the information should be disclosed.

24.84 The ICO has produced detailed guidance on the public interest test, and what follows is an outline of the issues80. The public interest can be expressed as ‘the public good’. It is not the same as what interests the public. Public interest ‘factors’ in favour of disclosure will often be general ones, of the type indicated below; although they can be relevant also to the specific circumstances of the request. Those favouring maintaining the exemption (ie not disclosing), in contrast, should be specific to the subject matter of the exemption, or to the circumstances in which it applies. There are no ‘blanket’ factors against disclosure, and if the authority takes the view that ‘we never disclose that kind of information because of X’, without considering each case on its merits, it is almost certainly breaching the Act.

24.85 The test should be applied as at the time of the request; or, if there is an internal review, at the time of the review81.

76 ICO: ‘Dealing with repeat requests (section 14(2))’, para 29.
77 Jeffrey Lampert v ICO and Financial Services Authority EA/2010/0203.
78 FOIA 2000, s 17(6).
79 FOIA 2000, s 2(1)(b) in relation to confirmation or denial; or, s 2(2)(b) in relation to disclosure.
If exceptionally the circumstances change after that time, such that the disclosure has become undesirable, the ICO has discretion as to what she may order the public authority to do82.

24.86 The general public interest factors in favour of disclosure include: transparency; accountability; the promotion of public understanding of policy-making; and, the safeguarding of democratic processes. Good public understanding of the issues involved can improve policy-making, and produce a more informed public response. Standards of integrity, making the best use of public resources, ensuring that public administration is just and that all enjoy fair treatment, can all be assisted by wider public knowledge and understanding of the often complex questions involved. Fair commercial competition (eg in relation to procurement processes) may similarly benefit from transparency. The public interest will often demand the revelation of wrong-doing (or a ‘plausible suspicion’ of it).

24.87 On the other hand, the above should not be assumed to determine the issue in all cases. Depending on the circumstances, countervailing factors may point in the opposite direction; albeit for the same broad purposes. Good decision-making may require time and space in which to consider options, or to reach balanced outcomes, away from public scrutiny and interference. While it may be necessary to reveal wrongdoing, in order to pursue justice, there may be a need to investigate an allegation first on a confidential basis, to establish whether there is evidence to support it. The efficient use of public resources may require confidentiality to be preserved, if the public body is not to be disadvantaged in the market; and suffer increased cost to the public purse. Fairness in a commercial context may require the protection of interests in which parties have invested resources, to prevent competitors from gaining an unfair advantage from their premature disclosure83.

80 See ICO: ‘The public interest test’ generally.
81 All-Party Parliamentary Group on Extraordinary Rendition (APPGER) v ICO and Foreign and Commonwealth Office [2015] UKUT 0377 (AAC).
82 ICO v Her Majesty’s Revenue and Customs (HMRC) and Gaskell [2011] UKUT 296 (AAC).

Factors against disclosure

24.88 The factors against disclosure will vary in each case, as relevant to the circumstances. Where the exemption requires likely harm (from disclosure) to be demonstrated before it applies (a ‘prejudice-based exemption’), the avoidance of that harm will usually also form an important part of the public interest against disclosure. Where the exemption is ‘class-based’ (ie it applies where the facts fit a given ‘class’ or type of information, such as that it is held for the purposes of an investigation) the exemption provides protection without needing to show harm. The public interest in non-disclosure, in such a case, is more likely to arise from the benefit of ensuring the effective carrying out of the investigation.

Factors in favour of disclosure

24.89 Common factors in favour of disclosure may be summarised as follows84:
(1) general public interest in promoting transparency, accountability, public understanding, and public involvement in the democratic and decision-making processes;
(2) public interest in the issue: if there is a legitimate public interest in the subject, and in furthering debate on it (eg because of its public importance);
(3) public interest in the specific information: perhaps because of its wide potential impact on individuals;
(4) suspicion of wrongdoing by the public authority: although this should relate to the public interest (rather than to the private interests of the requester). It should also have a plausible basis (such as that the authority’s actions are unclear) and amount to more than an allegation;
(5) presenting what the ICO calls a ‘full picture’: ie in enabling the public to understand the full reasons for decisions.

83 See ICO guidance, as footnote 80, paras 9–10.
84 See ICO guidance, as footnote 80, paras 28–38.



Irrelevant factors

24.90 The identity of the requester will generally be irrelevant, since the FOIA 2000 is ‘applicant and motive blind’85. As indicated in the preceding paragraph, the private interests of a requester (even if amounting to a grievance) will not be relevant, unless there is a wider issue raised that may relate to the public interest. Information that may be misunderstood, or which appears too complex to be disclosed, can be accompanied by explanatory material86.

24.91 The ICO considers that the existence of other means of scrutiny is not in itself relevant; unless they have been used, or are being pursued, at the time of the request. In that case, they may satisfy the public interest in disclosure to some degree. It may be that the greater public interest would be in allowing the other means of investigation to take its course without the disruption of a disclosure under the FOIA 200087.

The public interest balance

24.92 Establishing the balance is not an easy or precise process, but the public authority should seek to assess it as objectively as possible. Its reasoning should be recorded. Authorities may wish to examine the Commissioner’s helpful guidance on the public interest test (especially paras 53–69), and the examples given. Individual factors may apply in a given case, but certain frequent factors may add weight on either side of the balance, as follows:
(a) likelihood of prejudice: if the authority decides that the prejudice ‘would’ happen (ie it is more than 50% likely to occur), the public interest argument against disclosure will be weightier, in order to avoid the harm. Weightier arguments still, in favour of disclosure (or confirmation or denial), would be needed for the disclosure/confirmation to take place. On the other hand, in many cases the authority will only be able to satisfy itself that the harm is ‘likely’ to occur (under a 50% likelihood). In that case, the public interest weight against disclosure may rely on its severity (see below). (See also the discussion of the meaning of ‘likely’ at paras 9.9, 23.3–23.4 and 25.45.)
(b) severity: a greater degree of severity (eg a risk of physical or mental harm) will carry greater weight in relation to the public interest. The ICO includes a diagram in her guidance showing weightings from 1–4, depending on the combination of the likelihood and severity of harm. A ‘severe’ harm that would be (only) ‘likely’ to happen will carry greater weight than a harm that ‘would’ occur (ie which is over 50% likely) but which would not be severe88.
(c) age of the information: the public interest in maintaining the exemption will generally diminish over time, although in certain cases (eg if an investigation were re-opened) it might be argued that it would be restored. Conversely, the public interest in not disclosing ‘live’ information may be significant, depending on the circumstances and the purpose of the exemption.
(d) relevance of the specific information to the public interest in disclosure: if there is a particular public interest in disclosure of information about a specific issue, it may be relevant to consider the extent to which the information in issue would (or would not) add to public understanding, or help to inform the debate.
(e) information already in the public domain: if similar information is already public, disclosure of the information in issue may not add greatly to the public debate; and thus carry little weight. On the other hand, if the material would add new information to the debate, then this will contribute additional weight to the general arguments for transparency and completing the picture.

85 But see paras 24.65–24.76 above in relation to vexatious requests.
86 See ICO guidance, as footnote 80, paras 40–46.
87 See ICO guidance, as footnote 80, paras 47–50.
88 See ICO guidance, as footnote 80, para 60.

Refusal Notices

24.93 Section 17(1) of the FOIA 2000 requires an authority which is to any extent making a refusal based on an exemption to give the applicant, within the time limit, a notice: stating the fact; specifying the exemption in question; and, stating (unless apparent) why the exemption applies. Section 17(3) requires reasons to be given why, for a qualified exemption, the exemption from the duty to confirm or deny, or from disclosure, applies. An extension of time, to consider the public interest further in relation to a qualified exemption, has to be claimed by a refusal notice conforming to s 17(2).

24.94 The revised s 45 Code says that details setting out why the refusal has been made should be given, including the sections (and sub-sections) on which the authority relies, if relevant. It does not use the term ‘reasons’. It also does not specify that the public interest factors (for a qualified exemption) have to be stated on both sides. This should nonetheless be seen as good practice, wherever possible. The authority is not expected, however, to provide in its explanation any information which is in itself exempt89.

24.95 A refusal notice is also required for a refusal on grounds of cost, or under s 14; save where none is required under s 14 for the reasons above (paras 24.76 or 24.80).

24.96 Refusal notices have to set out the authority’s procedure (if any) for dealing with complaints about the handling of requests; or state that none is provided. They must also set out the process for complaining to the Commissioner.

INTERNAL REVIEW AND APPEALS

24.97 As indicated above, there is no obligation on an authority to provide an internal review process, although the Commissioner recommends that they should do so. An internal review gives an authority more time to review the case and its stance to date. It may also rely on further exemptions at that stage, if any more are relevant.

24.98 The revised s 45 Code advises that the usual practice is to accept a request for an internal review made within 40 working days from the date of the refusal (the ‘initial response’); and that this should be made clear in that response. It states that public authorities are not obliged to accept a request after this date (although it should be noted that this does not arise from the Act; in contrast to the position under the EIR)90. A review should be carried out, ‘wherever possible’, by someone other than the person who took the decision. There is some flexibility to go beyond the target response date of 20 working days, if the review is complex, concerns a high volume of information, or requires consultation with third parties. Best practice would limit the extension to a further 20 working days, although it is accepted that ‘there will sometimes be legitimate reasons why a longer extension is needed’91.

89 See revised s 45 FOI Code, paragraph 10.2; and FOIA 2000, s 17(3).

Appeals

24.99 Requesters may apply to the ICO for a decision under FOIA 2000, s 50, as to whether a request for information has been dealt with in accordance with the requirements of Pt 1 of the FOIA 2000. The Commissioner may require the applicant to exhaust the authority’s review procedure, if he or she has not done so. The application may be rejected on other grounds, such as that it is frivolous or unduly delayed.

24.100 Otherwise the Commissioner will start an investigation, usually by notifying the authority and requester; and then at a later date asking the authority to supply all the information relevant to the matter, and to provide its case as to why the refusal should be upheld. This is a crucial juncture for the authority, since under the procedure now being followed it can expect to have one chance only to make its case. The ICO’s former practice of reverting to the parties, often several times, to clarify issues, or on occasion to seek to broker common ground, has been dropped. While the investigating officer may come back once or twice by email to request further information or to ask pertinent questions, the parties should not otherwise expect to hear further about the matter until a decision notice is sent to them; and published shortly afterwards. It is, therefore, very important for the authority and the complainant to be ready to respond to a fairly short deadline to submit their case; and, from the point of view of the authority, to start to prepare to explain its position even earlier; as soon as it is informed that an investigation has been started.

24.101 In the event that one or other party is not satisfied with the decision notice, that party may appeal to the First-tier Tribunal (‘FTT’) under FOIA 2000, s 57(1). A Tribunal appeal will consider the full matter on its merits, as to both facts and law; although the decision notice forms the starting point for its consideration. If the requester appeals, the authority may be joined as a second respondent; and vice versa. Appeals may be conducted on the papers and by written submissions, or at an oral hearing. The Tribunal may uphold the decision; or determine that it is not in accordance with the law; or decide that the ICO should have exercised her discretion differently. It may allow the appeal, or substitute another decision notice. In any other case, it shall dismiss the appeal92.

24.102 From the decision of the FTT, either party may seek permission to appeal to the Upper Tribunal on a point of law only.

90 Revised s 45 FOI Code, para 5.3.
91 Revised s 45 FOI Code, paras 5.5 and 5.9.

ICO’s sanctions under FOIA

24.103 The ICO has a range of enforcement powers, applicable to the FOIA (and also to the EIR). These are:
(a) Information Notices (s 51): where the ICO reasonably requires information for the purpose of determining a complaint against an authority; or to decide whether it is in conformity with the s 45 or s 46 Codes. The notice may require it to furnish the ICO with specified information (subject to exclusions for legal advice). The notice may be appealed to the FTT;
(b) Enforcement notices (s 52): if the ICO is satisfied that an authority has failed to comply with Part 1 of the Act (ie rights of access to information), it may serve a notice requiring the authority to take steps within a specified time. The notice must state the requirements with which the authority is considered not to have complied. The notice may be appealed;
(c) Failure to comply with notice (s 54): if a public authority has failed to comply with a decision notice, or one of the notices above, including knowingly or recklessly making a false statement in a material respect, the ICO may file a certificate with the court. The High Court may investigate and may decide that the authority has committed a contempt of court;
(d) Powers of entry: the ICO has powers of entry under Schedule 3 of the FOIA.

24.104 In relation to a decision notice or enforcement notice, concerning a failure to comply with the disclosure duties, there is a procedure open to government departments, the National Assembly for Wales, or any public authority designated for those purposes in an order, to issue a certificate whereby the notice will cease to have effect. A Cabinet Minister, the Attorney General (or the Advocate General for Scotland or for Northern Ireland), the First Minister and deputy First Minister of Northern Ireland acting jointly, or the First Minister for Wales (in each case, as an ‘accountable person’) may within 20 working days issue a certificate, stating that he or she has on reasonable grounds formed the opinion that there was no failure under s 1(1)(b) of the FOIA 2000 (ie the obligation to disclose the information); and thus override the notice. The complainant is to be informed of the reasons, unless this would disclose exempt information93.

92 FOIA 2000, s 58.
93 FOIA 2000, s 53.



Offence

24.105 It is an offence under the FOIA 2000 s 77 to alter, deface, destroy, or conceal any record held by a public authority, with the intention of preventing its disclosure where a requester is entitled to it. The offence may be committed by the authority, or an officer of it. A person is liable on summary conviction to a fine not exceeding level 5 on the standard scale94. Prosecutions may be brought only by the ICO, by or with the consent of the Director of Public Prosecutions (or the Director of Public Prosecutions for Northern Ireland).

Ministerial override in the FOIA

24.106 The Attorney General or another UK Cabinet Minister, or the Advocate General for Scotland, or the Attorney General for Northern Ireland, may override a decision notice or enforcement notice served on a government department, the Welsh government or a public authority designated by Order. This may be done by their issuing a certificate under FOIA, s 53(2), stating that, in respect of the request or requests concerned, there was no failure to comply with the duty to confirm or deny, or (as the case may be) the duty to disclose in respect of exempt information. The power to override may be applied to a decision notice of the Commissioner or Tribunal. The certificate must be given to the Commissioner within twenty working days following the date on which the notice was given to the authority, or the appeal was determined.

24.107 In R (on the application of Evans) and another (Respondents) v Attorney General (Appellant)95, however, a case concerning a request for correspondence involving the heir to the throne, the Supreme Court ruled a certificate issued by the Attorney General to be invalid. It held that the Attorney General was not entitled to issue a certificate under FOIA, s 53, overriding a decision of the Upper Tribunal, merely because he, a member of the executive, considering the same facts and arguments, had taken a different view from that taken by the tribunal or court. Three of the judges said that s 53 did not permit the Attorney General to override a decision of a judicial tribunal or court by issuing a certificate. Two judges said that it would be open to the Attorney General to issue such a certificate, if the Minister disagreed with the decision of the Upper Tribunal; but that findings of fact or rulings of law in a fully reasoned decision would require the clearest possible justification (and might only be possible in certain circumstances). If the Minister disagreed as to the weight to be attached to competing public interests, the basis for his or her decision would require properly explained and solid reasons. The court ruled the equivalent provision in the EIR to be incompatible with the originating Directive, and it has since been dropped from the regulations – see para 21.49.

94 £5000; Criminal Justice Act 1982, s 37(2). Note that in England and Wales the upper limit on level 5 fines was removed by the Legal Aid, Sentencing and Punishment of Offenders Act 2012, s 85, with effect from 12 March 2015, so that the fine is in practice unlimited there.
95 [2015] UKSC 21.


CHAPTER 25

Freedom of Information Exemptions 1

GROUPING OF FOI EXEMPTIONS

25.1 Any of the FOI exemptions may be available in relation to a given request1, but it may be helpful to think of them as grouped as follows. They are not arranged in this way in the Freedom of Information Act 2000 (‘FOIA 2000’), and are to be found in their usual numerical order in the text below, for ease of reference. It may, nonetheless, assist to consider them as covering the following types of policy and information.2 All sections refer to the FOIA 2000, unless otherwise specified:
I Information available elsewhere, or in the future; research (ss 21–22A);
II Security and defence (ss 23–26);
III International and devolved government relations (ss 27–28);
IV Economic and commercial interests (ss 29, 43);
V Criminal or other investigations, law enforcement, health and safety (ss 30–31, 38);
VI Court and audit information (ss 32, 33);
VII Parliamentary proceedings, public policy (ss 34–36);
VIII Confidential information (ss 37, 41, 42, 44);
IX Information about individuals (s 40) (see Chapter 27).

25.2 One general point is worth making at the outset of this section; and it applies equally to the Environmental Information Regulations 2004 (‘EIR’). If more than one exemption credibly applies, from the point of view of the public authority, each should be claimed. While an organisation should not claim

1 The ICO helpfully reissued her FOI (and EIR) guidance in April 2019, to insert an overall summary covering all FOI exemptions; to which the more detailed notes of guidance for each exemption are then linked. This summary guidance is listed on the ICO’s website as ‘Refusing a request’, in the main section on ‘Freedom of Information’, and has the title: ‘When can we refuse a request for information?’. The rearrangement of the website coincided with the issuing of new guidance on dealing with information requests concerning personal data, to which Chapter 27 refers.
2 The exemption in FOIA 2000, s 39, for Environmental information, has been omitted from this list since it applies to the boundary between the regimes, and leads to the application of the EIR, rather than to an exemption from disclosure.



exemptions with only a slight connection to the subject matter, because they make the organisation look secretive unnecessarily, and weaken the overall case, it is generally a mistake to conclude that claiming one exemption is enough, if more than one credibly applies. Some of the most successful cases, including ones which have changed the law (like the Ofcom decision leading to the aggregation of EIR public interest factors), have turned on unexpected exemptions or exceptions which did not appear at the outset to be the most relevant ones. Equally, cases have almost certainly been lost on appeal to the Commissioner because the authority has not claimed an additional exemption which could have produced a different result. While some exemptions tend more naturally to stand alone (eg where the authority claims that the information is reasonably accessible elsewhere3), many others can overlap. For this reason, other exemptions which may be relevant are indicated at the end of most of the descriptions below.

FOI EXEMPTIONS (SECTIONS 21–29)

Section 21: Information reasonably accessible to the requester by other means

25.3 This is a popular exemption, since it allows the public authority to avoid having to disclose the information in response to the request, for the straightforward reason that it is already available elsewhere. In that sense, the frequency of use of the exemption is an indication of the extent to which the core purpose of FOI – that most public information should routinely be made available – is being achieved.

25.4 Most frequently, the information will be available from the public authority itself, but this is not a requirement. The information can be available from any other person, provided that: (a) it is genuinely reasonably available to that requester; and (b) the public authority can show that this is the case, and point the requester in the right direction.

25.5 The usual mechanism through which the information may be considered already to be available from the authority itself will be its Publication Scheme. Where the information is available under its scheme, the public authority will have taken a conscious decision to put the information in question (or information of that type) into the public domain, freely available or on request, as a matter of course. Other information covered by the exemption will be information which the authority is obliged by statute to make available. The third type of information to which this exemption will apply will be held by a person other than the public authority, from whom or which it is available to the public; where the authority is aware of its status, and from whom it can be obtained.

3 FOIA 2000, s 21.



25.6 Section 21(1) provides that information which is ‘reasonably accessible’ to the applicant, otherwise than under FOIA 2000, s 1 (ie otherwise than under the requester’s right to the information under FOI), is exempt information (ie does not need to be disclosed in response to the request). The authority is, of course, still at liberty to disclose the information if it wishes.

25.7 Section 21(2) sets out the terms of the exemption:

(a) information can be ‘reasonably accessible’ even though it has to be paid for;
(b) it is reasonably accessible if it is information which the public authority (or anyone else) is obliged by statute to give (‘communicate’) to members of the public on request, either free or for a charge; but not if it has merely to be made available for inspection by the public.

25.8 Where the information is available from a public authority (ie the one dealing with the FOI request, or another), and it does not fall within subsection (2)(b) (ie its availability is not obligatory under statute), the information is not reasonably accessible if it is merely available from the authority on request, unless the availability arises from the authority’s publication scheme. Any charge for it must, moreover, already be specified in (or be determinable under) that scheme (s 21(3)). This constraint does not apply, of course, if the information is available from a person other than a public authority. Public authorities claiming the exemption, however, need to be careful to establish that ‘one-off’ information, which they claim is in the public domain from another public authority, is in fact covered by the relevant Publication Scheme of the authority from which it is said to be available.

25.9 In summary, therefore:

(a) information available under a Publication Scheme falls within the exemption (irrespective of any charge, provided that it is set – or is calculable – under the scheme);
(b) information that, by statute, has to be made available, falls within the exemption (irrespective of any charge); but this does not include information which the authority concerned is merely required to make available for inspection; and
(c) information which a public authority regards as in the public domain on request, but which it has not been required to place there by statute, and which is not in its Publication Scheme (together with any charge), is excluded from the exemption.

25.10 Section 21 is an absolute exemption, and class-based. On the other hand, there is no exclusion from the duty to confirm or deny (and so there is no provision as to that duty in s 21; the duty to confirm or deny in FOIA 2000, s 1(1)(a), applies in all such cases).

25.11 The exemption does not apply if another FOI exemption applies to the information. This is because, in those circumstances, the information cannot be regarded as reasonably accessible to the public, by virtue of the operation of that other exemption.

25.12 The test of whether the information is reasonably accessible to the applicant is specific to that person. The authority claiming the exemption should direct the applicant to the other regime, and make sure that they are familiar with it, before relying on the exemption.

Reasonable accessibility to the specific requester

25.13 The authority should take the individual circumstances of the requester into account; a relative rarity under FOI[4]. One requester might have access under another statutory regime (for example, because of their status as a user of that public service) where another individual will not have access. The test is whether the information is reasonably accessible (or otherwise) to the specific individual who has made the request. This does not mean, however, that the individual’s circumstances should always take precedence over what would otherwise be regarded as reasonable accessibility. The term ‘reasonable’ is an objective one. In an example given by the Commissioner, if the information is only available by inspection, perhaps because it is reasonable that it is only available at a specific location, arrangements for such inspection may count as reasonable accessibility. What is ‘reasonable’ may thus qualify the degree of accessibility to a particular individual.

25.14 Relevant points on accessibility are:

— if only part of the information is in the public domain, the exemption can only apply to that part of the information (but see para 25.15);
— the authority may assume that accessibility is reasonable in a given case until it becomes aware of any particular circumstances suggesting this is not the case;
— even if the information is wholly in the public domain, it may still be inaccessible to a particular applicant. The authority should consider these circumstances (on becoming aware of them). This might be the case where the applicant did not have the access to the information which was available to other individuals (eg through a lack of access to the internet); or where a large amount of searching would be required (eg of a large website). In those circumstances, the authority should provide a specific link or reference.

The Commissioner suggests that the information will only be reasonably accessible if either:

• the authority knows that the applicant has found the information; or
• it can give the applicant precise directions to the information, which can be reached without difficulty.

[4] The public authority may (and should) similarly take into account the impact on an individual, other than the requester, of the publication of their personal data under FOIA 2000, s 40.



Information accessible in part

25.15 The guidance is confusing as to the position if only part of the information is accessible: over whether the exemption applies to that part, or is unavailable. As noted above, it states shortly that the exemption can only apply to the part that is available elsewhere. This must be correct; but, depending on the facts, it may be difficult to apply meaningfully. The confusion arises where the Commissioner cites a discussion in LB Bexley and Colin P. England v ICO[5], where some 70% of the information was in the public domain (although the case did not turn on s 21). The guidance appears to suggest that the relevant part of the judgment means that it is necessary to consider whether ‘the entirety of the information is reasonably accessible’; while also going on to say again that the exemption ‘will only apply to the extent that any of the requested information is in fact reasonably accessible to the applicant’[6]. It is suggested that the point may be that the authority claiming the exemption should look at whether the information as a whole is available, and the practical consequences (for seeking to withhold part of it under s 21) of the availability of any other part of it.

Information available to a category

25.16 Where information is available under other legislation only to a particular category of people (eg those who are entitled, and have applied for it), whether s 21 applies will depend on whether the FOI requester is a member of that category, and/or on the timing of the request. Thus, for example, the Access to Health Records Act 1990, s 3(1)(f), gives the personal representatives of a deceased person, or those who might have a claim arising from the deceased person’s death, a right of access to their health records. If the requester is one of the personal representatives, and he or she seeks the same information via the FOIA 2000, the information will be exempt under s 21 because it is reasonably accessible to them under the 1990 Act. The onus is on the public authority, however, to demonstrate that this is the case. Likewise, a ‘person interested’ in the finances of a local authority, including a local elector or council tax payer, may inspect the accounts at the time when they are audited. A request for the same information under the FOIA would be exempt under s 21 only where its timing coincided with the period for inspection of the accounts, and provided the FOI requester was a ‘person interested’, so that they had the same right of access[7].

Restrictions

25.17 If restrictions are (or would be) placed on the use of the information available under the alternative regime, the exemption in s 21 does not apply[8].

[5] EA/2006/0060 and 0066.
[6] ICO: ‘Information reasonably accessible to the applicant by other means (section 21)’, para 23.
[7] The relevant legislation at the time when the ICO’s guidance was written was the Audit Commission Act 1998, s 15. This has since been replaced by the Local Audit and Accountability Act 2014, s 26. (See ICO guidance on FOIA 2000, s 21, para 26.)
[8] See Newcastle upon Tyne NHS Foundation Trust v ICO EA/2011/0236, para 10.



Charges

25.18 As noted above, FOIA 2000, s 21(2)(a), permits the exemption to apply even though the information is available only if a charge is paid. Many public authorities charge for information, under a variety of powers or on a commercial basis. The Commissioner’s view is that information will be ‘generally reasonably accessible’, even where (as will often be the case) the charge exceeds what would be payable under the FOIA. Where, for example, a large document would have to be bought in order to obtain the small piece of information which the requester was seeking under FOI, the Commissioner’s view is that the information would be unlikely to be viewed as reasonably accessible; which, it is respectfully suggested, appears likely to be correct. The example underlines that the authority answering the FOI request should consider the circumstances in which the information may be accessible elsewhere, including as to the purchase cost, before it claims the exemption.

Disclosure required by law

25.19 As noted above, information which has to be made available (as opposed to made available for inspection) under a separate legal duty can be reasonably accessible to the applicant, for the purposes of the FOIA 2000; and thus exempt under s 21. The legal duty can apply to the public authority answering the FOI request, another public authority, or another person.

25.20 Where the legal obligation is merely to make the information available for inspection, the exemption does not apply[9]. The Commissioner points out, however, that there may be instances where information is only reasonably accessible by inspection. Where this is the case, and such inspection is provided under the publication scheme, it appears from the guidance that the exemption may apply[10].

Section 22: Information intended for future publication

25.21 Section 22 is one of the more straightforward exemptions, and is popular amongst practitioners. It exempts information which the public authority, or any other person, intends to publish in the future.

25.22 The exemption applies if, by the time when the public authority receives the request, it holds the requested information with a view to its publication at ‘some future date’ (whether or not the date is determined). The publication may be by it or by another person (which could mean an individual, or a legal person). It is also a condition of the exemption’s application that, in all the circumstances, it is reasonable to withhold the information from disclosure until the future date.

[9] FOIA 2000, s 21(2)(b), as noted above.
[10] ICO guidance on s 21 (see footnote 6), para 43.



25.23 If the information in issue has been shared between a number of persons (perhaps in the form of drafts), and one of the parties intends or expects to publish the information, any public authority which holds the information jointly in this way may claim the exemption[11].

25.24 Section 22 is a qualified exemption, and so the exemption from disclosure applies only where (or to the extent that), in all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosure.

25.25 If compliance with the duty to confirm or deny would involve the disclosure of any of the information that is exempt from disclosure (whether or not it has already been recorded), the duty will also not arise; this decision being subject, like the exemption from disclosure, to the public interest test. (See para 25.35.)

‘Settled expectation’ of publication

25.26 The authority has to have a ‘settled expectation’ that it (or another person) will publish the information at some future date; and this intention must be in place by the time of the request. A general intention to publish some information from amongst the information requested, or on the subject of the information requested, is not sufficient. The information to be published must be the specific information that is requested (or some of it, in which case the exemption can only apply to that part). It is necessary that the public authority can identify the precise information which it is intended should be published. Any information within the request which, by the time the request is made, has been rejected for publication is not (or is no longer) held with a view to its publication; and so falls outside the scope of the exemption.

25.27 It is not necessary for the publication date to have been set. The Commissioner advises that a deadline for publication will qualify; as will an expectation that publication will follow certain other steps, or will occur once other events have taken place. A draft publication schedule, which has not been finalised, will be sufficient. The key is a decision, or settled expectation, by the time of the request, that a person will publish the information at some future point.

25.28 ‘Publication’ means making the information available to the general public. Disclosure to a more limited group is not publication. It may take a number of forms, including print, online or electronically, by inspection (provided the facilities are advertised, available and easily accessible), through public display (eg of an image), or via a broadcast speech or presentation. The Commissioner accepts a transfer of records to The National Archives (‘TNA’) as ‘open’ records as publication, because of their inspection facilities (and a plan to transfer the information to TNA as a sufficient intention of publication).

[11] ICO: ‘Information intended for future publication and research information (sections 22 and 22A)’, para 7.



Reasonable to withhold

25.29 The requirement, in s 22(1)(c), that it must be reasonable in all the circumstances to withhold the information until the date of publication, is often overlooked. This test must be considered before the public interest test is applied; notwithstanding that some of the factors may be relevant to both. The guidance suggests a number of factors to consider, and others may be suggested:

— Whether it is sensible, in line with accepted practice, and fair to all those concerned to withhold publication.
— Whether access to the information should be managed by controlling its publication (and, if so, the reasons why this is the case).
— Whether disclosure now to the requester would enable that person to gain an advantage before the intended publication (and, if so, whether this would be fair, or desirable). The answers to the latter two questions may diverge, and which of them should be given greater weight may depend very much on the factual circumstances at the time of the request.

Example: whether reasonable to withhold

The Future Car Authority is preparing to publish the results of experiments on driverless cars in four weeks’ time. The most recent experiments showed a safety flaw, which has led to some limited press speculation. A motoring journalist has now asked an FOI question. Publication at the expected time would protect the manufacturers, and allow more time to solve the problem. Publication now under the FOIA 2000 would benefit the journalist concerned; perhaps unfairly, when other specialist journalists also knew about the experiments and were awaiting publication. On the other hand, publication now would also address public concerns following the press speculation; and, in all the circumstances, it may not be reasonable to withhold the information for four weeks.

— Whether the organisation still needs to consider or check the information internally before its release.
— Whether extracting the information before its planned release would involve real difficulties.

Example: difficulty of extraction

An FOI request is made in relation to one aspect only of a large-scale research exercise which is nearly complete. It concerns one substance in a group whose interaction was analysed under controlled conditions. Extracting the information about substance A, in its interaction with substances B–E, would be difficult, and raise issues about its completeness without the context provided by the remaining information.


— Whether the information should be made available instead through the Publication Scheme. In a case, for example, of scientific experiments which have a commercial value, but which should be made generally available to the peers of the researchers, placing them in the publication scheme may avoid unfairly benefitting the requester over other rivals. This could be the case whether the authority considers that it should publish by this means ahead of the intended time of publication, or at that time.

25.30 Withholding the information until the expected time of publication is likely to be more reasonable if the date is nearer in the future than if it is more distant. The reasons for the withholding will need to be correspondingly weightier where there is a longer period before publication. This will also be relevant to the public interest factors for or against maintaining the exemption.

25.31 An example may be found in an ICO Decision Notice[12]. A request to a university for a PhD thesis was refused. The thesis was embargoed from publication under a publishing contract. The university would make the thesis available in its library once the book based on it was published (or if it was not published). The Commissioner upheld the refusal as reasonable since the university had agreed to the embargo. Disclosure, which would be likely to breach the author’s contract with the publisher, would be unfair; and would be likely to undermine the commercial performance of the book. A delay, up to the time of the publication of the book (but not longer), was reasonable.

Public interest test

25.32 The public interest factors relevant to maintaining the exemption will be about protecting particular interests under it, and so should relate to why this is important or necessary. The public interest arguments in favour of disclosure will be about why the information should be released earlier than intended, and must relate to why that is desirable. The core arguments, on either side, are likely to be about timing. Issues of the kind outlined above at para 25.29, as to whether delay would be reasonable, will usually be relevant to the public interest test as well.

25.33 Arguments that the information is too technical to be easily understood, if published, or that it would be misleading if disclosed, will carry little weight, since the authority usually has the option to accompany the disclosure with an explanation. If such an explanation is not possible, however, perhaps because of what else it would disclose; or, if the anticipated damage from disclosure would still occur, it may be relevant. This argument may have greater weight if the proposed form of publication itself would include a similar explanation.

[12] University of Liverpool FS 50349323.



Example: planned mitigating measures

A Government department proposes to publish an economic assessment of the impact of Brexit. The information consists of complicated economic and mathematical projections, and the department intends to accompany the study with an explanation for non-specialist readers. The department is sensitive to the way the report is likely to be received in those industrial sectors highlighted as likely to suffer adverse consequences. It has developed a plan for consultations at Ministerial level with representatives of those sectors, at the time of publication, to address the concerns and discuss confidence-building measures designed to alleviate the anticipated effects. In response to an FOI question, the department claims FOIA 2000, s 22. It weighs as a factor against disclosure that, while it could publish the explanatory materials alongside an earlier disclosure, this would not soften the anticipated impact; and there would not be enough time to bring forward the planned discussions that are designed to do so. In the circumstances, it may successfully be able to claim exemption under s 22.

25.34 Other public interest factors that may be relevant include:

— Allowing time for peer review of research papers (or whether early publication would harm a later publication planned in a journal that is peer-reviewed).
— If delay would allow a more complete publication of material that is still being assembled (or perhaps checked).
— If earlier publication would mean that public resources already committed to the intended publication would be wasted, or less effectively used.
— If earlier publication would harm trust between the public authority and other persons (eg partner authorities or companies with which it was working in connection with the intended publication).
— Whether early publication is justified, or important in the public interest, because of some intervening event which has changed the context in which the publication would take place (eg the matter has unexpectedly come to public attention, or has become the subject of public concern).

Duty to confirm or deny

25.35 As noted above at para 25.25, where compliance with the duty to confirm or deny would involve the disclosure of any of the information that is exempt from disclosure, the duty will not arise, subject to the public interest test.

25.36 This will be the case even where the information requested has not in fact been recorded by the date of the request (s 22(2)). This is a puzzling provision, on which the guidance is silent. How can the information requested be not recorded, and yet also be ‘held’ by the public authority under s 22(1) with a view to its publication? The nearest explanation (although not one that fully fits the wording) may be that, while most of the information requested has been recorded, another element is known but not yet recorded; but confirming or denying that the main information is held will amount to disclosure of the damaging additional element.

Example: confirmation or denial of information intended for future publication

A public authority plans to publish its proposed annual budget next month, including cuts in spending on certain services. A trade union, representing the specialist staff whose jobs are under threat, has sought an urgent stay of execution of the plans and talks with the authority, which it claims is required under statute (although the authority disputes this). The union is threatening to seek an injunction to prevent the plans from being published without further consultation. It is also threatening strike action; although only verbally and in private at this stage. An FOI requester asks for any information held about spending cuts in the forthcoming budget. While it will be obvious to an informed observer that the annual budget will be in preparation, confirming or denying to an FOI requester that specific information about the proposed cuts is held could harm the authority’s position in its dispute with the union, and the potential litigation. The authority may conclude:

(a) that the relevant part of the draft budget is exempt under s 22, and that it is reasonable to withhold it until any proposal for cuts is formally made at the time of publication; and
(b) that confirming or denying that the specific information about those cuts is held will, in the context of the risk of litigation and industrial action, harm the authority in its discussions with the union.

25.37 The exemption from the duty to confirm or deny is subject, like the exemption from disclosure, to the public interest test. The same public interest factors are likely to apply to the potential exclusion of the duty, although separate ones may also be relevant. Where they are the same factors, however, they may not apply in the same way, or with the same degree of weight.

Other relevant exemptions

25.38 The exemption in FOIA 2000, s 22A, for research information may also be relevant in some cases; as may the exemptions for information concerning: investigations and proceedings (s 30); law enforcement (s 31); government policy formulation (s 35); the effective conduct of public affairs (s 36); or commercial interests (s 43).


Section 22A: research information

25.39 This exemption applies to information obtained in the course of (or derived from) a programme of research, if the programme is continuing at the time of the request, with a view to the publication of a report of it by a public authority or any other person. The exemption may apply whether or not the publication will include a statement of the specific information requested. The exemption will only apply, however, if disclosure of the information requested before the date of publication would, or would be likely to, harm (‘prejudice’):

(i) the programme (NB as a whole, not confined to the specific research containing the information);
(ii) the interests of any individual participating in the programme;
(iii) the interests of the authority which holds the information; or
(iv) the interests of the authority which intends to publish the information (if it is different from the authority which holds the information)[13].

25.40 The duty to confirm or deny does not arise (ie there can be an exemption from it) in relation to information which is (or, if it were held by the public authority, would be) exempt under subsection (1) if, or to the extent that, confirming or denying that the information was held would, or would be likely to, harm any of the matters mentioned in sub-paragraphs (i) to (iv) of the preceding paragraph.

25.41 Both exemptions (from disclosure, and from the duty to confirm or deny) are subject to the public interest test.

25.42 The exemption was added by the Intellectual Property Act 2014, s 20. Section 22A is wider in scope than FOIA 2000, s 22, although there is a degree of overlap between them. In particular:

— It is not necessary that the specific information requested is intended to be published; merely that it is intended that a report of the outcome of the research, with which the information is connected, should in due course be published.
— Any information ‘obtained in the course of, or derived from’ the programme of research is potentially covered by the exemption. The information requested could be about one part of a research project, whereas the information to be published could be about another part of the project. In contrast, under FOIA 2000, s 22, the specific information requested has to be intended for publication, and if any of the information originally intended for publication is discarded, that information falls outside that exemption.
— Provided the research is continuing at the time of the request, with a view to publication (ie one or more reports remain to be published under the programme), there is a looser requirement as to the timing of publication. The exemption is no longer available once the research programme has concluded, and the planned reports have been published.

[13] FOIA 2000, s 22A(1).



25.43 ‘Research’ is not defined in the Act. The Commissioner says in her guidance that she will use the definition: ‘a systematic investigation intended to establish facts, acquire new knowledge and reach new conclusions’[14].

25.44 The conditions, for the exemption to apply in a given case, are that it is at least likely that disclosure of the information requested, earlier than the intended publication time, would harm any of the interests listed in para 25.39 (i)–(iv) above. This embraces a breadth of persons who can be adversely affected. The ‘interests’ in question are not defined, moreover; except that they are held by the persons or bodies listed, and could be very wide in scope, going beyond the research programme. The harm claimed may also be relatively unspecific, provided it is linked to one of the persons listed.

25.45 Under the standard interpretations of the degree and likelihood of prejudice, the harm does need, however, to be ‘real, actual and of substance’; and there needs to be a causal link between the disclosure under the FOIA 2000 and the harm said to flow from it[15]. The likelihood of harm under this exemption can be that it ‘would’ be caused (ie a likelihood of 51%); or that it would be ‘likely’ to be caused. In R (on the application of Alan Lord) v Secretary of State for the Home Department[16], Munby J held that the meaning of ‘likely’ was that it represented a ‘very significant and weighty chance’ of harm. The level of risk was that there ‘may very well’ be harm, although falling under 50%.

Example: harm to research interests

A research programme on training standards in the engineering industry has been running for five years, and four reports have been published. There has been criticism of the length of the programme, and of delays to its reports. One report, intended to review the findings, remains to be published. Fred is a senior researcher on the project. He has just spotted a statistical error in the data relied on in one of the earlier published reports, which will mean that its conclusions will have to be revised, also affecting the eventual report. An FOI request received yesterday seeks information about any delays to the timing of the forthcoming final report. Giving this information in full would require a disclosure that both reports will have to be revised. Section 22A is engaged in relation to:

(a) any harm to the programme from the disclosure that the final report will be delayed;
(b) any harm to Fred’s career if it becomes known that work on the report was incorrect (albeit the error was in the figures supplied by the industry involved, and Fred was not at fault); and
(c) any harm to the research body involved.

Whether the information revealing the error can be withheld will depend on the balance of the public interest factors involved, such as the importance of the issue, and the significance of both the correction and its timing.

[14] ICO guidance on ss 22 and 22A (as footnote 11), para 45.
[15] Christopher Martin Hogan and Oxford City Council v ICO EA/2005/0026 and 0030.
[16] [2003] EWHC 2073, para 100. See also John Connor Press Associates Ltd v ICO EA/2005/0005, para 15, in the context of the FOIA; and see paras 9.9, 23.3–23.4 and 24.92(a).



Public interest test

25.46 In assessing the public interest, the public authority needs to consider the extent, frequency and severity of the harm claimed (noting again that the interests harmed can be very broad).

25.47 The Commissioner has made clear in her guidance that, apart from those issues, a significant public interest factor is that the researcher should be permitted to complete a programme of research, and their findings, without external scrutiny; so that they have the time and space to examine their findings thoroughly, and for them to be properly reviewed by their peers[17]. This is a wide and significant view of the most important public interest factor involved; especially when the Commissioner adds that an incomplete picture, or publication without the relevant context, would also not be in the public interest. In practice, while the exemption remains a qualified one, it is closer to an absolute exemption than many other qualified exemptions.

Duty to confirm or deny

25.48 Subject to the public interest test, there is no duty to confirm or deny where the information is (or would be, if it were held) exempt from disclosure under s 22A(1) (ie where there will be a report of continuing research, whether or not including the information requested; and disclosure would be likely to harm the programme or any of the other interests listed in para 25.39 above).

25.49 The public interest balance to identify will be whether, notwithstanding the risk of harm, the public interest in disclosure favours the authority stating whether it holds the information. Thus the judgment will probably depend on there being either some harm from disclosing this fact which is more than slight, balanced (if it is weightier than that) against some special reason for disclosure, going beyond the usual public interest in openness.

Good practice

25.50 As with FOIA 2000, s 22, the Commissioner advises that authorities should consult third parties about a request; in this case, where they are the intended publisher. The third party may have useful views on the level of harm, or its likelihood; or on other issues which may affect the public interest test.

25.51 The Commissioner also advises that the authority should, in a case involving FOIA 2000, s 22A, inform the requester, as a matter of good practice, of a date when publication is anticipated. If the information is not subsequently published, the authority should inform the requester and invite them to resubmit the request[18]. As with much of the good practice advice, whether this is appropriate is a matter on which the authority will wish to take a view, since it is discretionary; and may depend on practicality, as well as on the factors which led to the refusal in the first instance.

Other relevant exemptions

25.52 Other relevant exemptions may include: information intended for future publication (FOIA 2000, s 22); or most of the other exemptions, in particular cases, if the subject matter of the research concerns those areas (eg security or defence, international relations, the economy, government policy formulation, commercial interests etc).

[17] ICO guidance on ss 22 and 22A (as footnote 11), para 60.
[18] ICO guidance on ss 22 and 22A (as footnote 11), para 67.

Section 23: information supplied by, or relating to, security bodies

25.53 This exemption applies where information was supplied by, or relates to, a security body. The latter term, ‘relates to’, is to be applied broadly, to include any information concerning or linked to the activities of a security body. The security bodies are those listed in s 23(3) (see para 25.57 below).

25.54 Section 23 is an absolute exemption; save in relation to historical records in public record offices, where s 23(1) becomes a qualified exemption.19

25.55 Section 23(1) provides that information held by a public authority is exempt if it was supplied, directly or indirectly, to the authority by any of the bodies listed in s 23(3); or if it relates to any of those bodies. Information supplied indirectly means that the information originated from a security body, but was passed to the public authority which now holds it by a third party (for example, information on a potential terrorism matter which was supplied originally by GCHQ to the police, but then passed on to a local authority for a particular purpose; where the local authority receives an FOI request in relation to it).

25.56 Subject to an appeal, a certificate signed by a ‘Minister of the Crown’20 is ‘conclusive’ evidence that the information has been supplied by, or relates to, one of the bodies listed.21 This may relate either to the specific information requested, or to any information which would be disclosed by confirming or denying that the information requested was held. (The certificate may thus be relevant either to s 23(1), the core exemption; or to s 23(5), the exemption from confirmation or denial. The latter, in the context of security policy or anti-terrorist measures, may on occasion be at least equally important: see paras 25.58–25.67 below.) An appeal, on the part of either the Commissioner or the requester, is to the First-tier Tribunal (‘FTT’).22

19 See paras 25.72–25.73 below, and FOIA 2000, s 64(2).
20 Defined (in this context) as a Cabinet Minister, the Attorney General, the Advocate General for Scotland or the Attorney General for Northern Ireland (FOIA 2000, s 25(3)).
21 FOIA 2000, s 23(2). As to ‘Minister of the Crown’, see preceding footnote.
22 Under FOIA 2000, s 60(2).


25.57 Section 23(3) lists the security bodies, which include: the Security Service; the Secret Intelligence Service; the Government Communications Headquarters (GCHQ); the special forces; the National Criminal Intelligence Service (NCIS); and the National Crime Agency (NCA). The Intelligence and Security Committee of Parliament is also included.

Neither confirming nor denying (‘NCND’)

25.58 Section 23(5) provides an exemption from the duty to confirm or deny where such confirmation or denial would in itself disclose information relating to a security body (ie information which likewise has been supplied directly or indirectly to the public authority by, or which relates to, any of the bodies listed).

25.59 The exemption from the duty to confirm or deny extends to information which is not already recorded. It is suggested that this raises awkward issues (as has been seen already under s 22: see the discussion at para 25.36 above). It is not clear why such information is not simply regarded as falling outside the request, since it is not recorded. It may be simplest in this case to regard information which is ‘not already recorded’ as referring to information which has been received orally, or in some other transient form (and which perhaps needs to be verified), and which has not yet been recorded in the final form intended.

25.60 More generally, the Commissioner takes the view that the combination of a broad interpretation of the term ‘relates to’, and the fact that information not already recorded may be included in the exemption, means that there is potential to apply NCND to a wide variety of situations.23

25.61 The Commissioner stresses that the public authority, when considering whether to confirm or deny that the information is held, may consider the consequences not only of its actual response, but of the responses it would give in other situations (including hypothetical ones):

Example: Security bodies

A public authority is asked for disclosure of a particular piece of information which originated with a security body. It does hold the information; but does not consider on this occasion that disclosing this fact would in itself be damaging (although it intends to refuse disclosure of the information itself). It may take into account, however, what would be revealed, in the hypothetical situation that it did not hold the information, if it confirmed that position. (One consequence, in that hypothetical situation, might be that the requester or others would learn that the security body concerned did not appear to be sharing information of that type with the authority to which the FOI request was directed.) If the hypothetical denial would engage the NCND exemption, the exemption may be applied to confirmation or denial of the actual position.

23 ICO: ‘Security bodies (section 23)’, para 15.


25.62 As another example, the guidance refers to information which could have come from a number of sources, only some of which are security bodies. Confirming that the requested information is held would not necessarily reveal anything about the source, in terms of whether or not the information had come from a security body. On the other hand, a denial that the information was held would reveal that no security body had supplied it to the public authority concerned (which might, in turn, enable inferences to be drawn about the information held by the security bodies themselves).

25.63 Against this background, the Commissioner has developed the approach that NCND may be used, in the context of s 23, to avoid the risk of giving inconsistent or revealing responses over time to similar requests (eg where what is held may change over time). If the public authority confirms or denies up to the point where the situation changes and it can no longer do so, and only then resorts to the NCND exemption, the change in its response could itself reveal a change in the pattern of monitoring by the security bodies. The Commissioner suggests instead that consistent use of NCND, in relation to information that could originate from or relate to security bodies, would avoid these risks.

25.64 In effect, the Commissioner suggests the regular use of the NCND exemption where there is a pattern of activity (or non-activity) by the security bodies which could change, and where an indication of this, by a future change in the authority’s response in confirming or denying, would be harmful to security policy. She is careful to state that this approach would not be appropriate for ‘any request that touches on issues of national security or the work of the security bodies’; and that the public authority would need to be able to explain its grounds of refusal in a refusal notice.24 The justification which the authority would need to give to the Commissioner should be based on the series of requests which it expects to receive, and why a consistent response to those requests is needed.

25.65 It should also be noted that the test of the exemption is whether confirming or denying ‘would’ disclose information relating to a security body (not ‘would, or would be likely to’), so that the threshold is ‘more likely than not’ (50% plus 1).25 In the context of establishing whether information of the types discussed at para 25.55 above would be revealed, however, this threshold may not be unduly difficult to meet.

25.66 The Commissioner makes clear that, while NCND can be applied in this context to a wide range of requests, it is not unlimited. The request (NB not the information) has to be in what she calls the ‘territory of national security’; meaning that there has to be a ‘realistic possibility that a security body could be involved in the issue that the request relates to’. There similarly has to be a realistic possibility that, if a security body were involved, the public authority in receipt of the request would hold the information. Thus, for example, a public authority concerned with school examinations or product safety would be unlikely to hold information from, or relating to, a security body; and so would not be expected to use the NCND exemption to respond to a request for information of that type.26

25.67 In overall terms, and noting the qualifications above, it is clear that the correct response to the question whether to confirm or deny, in relation to information falling within s 23, will often reflect the approach usually taken by government in relation to commenting on security matters.

24 See ICO guidance on s 23 (as footnote 23), para 18.
25 See Commissioner of Police of the Metropolis v ICO EA/2010/0008.

Relationship to section 24 (National security)

25.68 As explained below at paras 25.94–25.97, FOIA 2000, s 24(1) (concerning the safeguarding of national security) cannot be relied upon at the same time as s 23 in relation to information which falls within s 23(1). Section 24 can, however, be cited as an alternative to s 23(1) (see below at para 25.96).

25.69 This is not the case in relation to neither confirming nor denying. The exemption in s 23(5) and its equivalent in s 24(2) can be applied to the same request, and should not be cited in the alternative (see below at para 25.95).

Approach to complaints

25.70 The Commissioner sets out in the guidance her approach to complaints made to her in relation to s 23. In relation to complaints about s 23(1), she will need to be satisfied that the information was supplied by a security body, or relates to one. She will accept a written assurance from the public authority where it appears initially plausible that the information falls within the exemption; provided the assurance is from a sufficiently senior person, who has regular access to information relating to security bodies, and who has seen the information in question. Where it is less clear that the information comes from, or relates to, a security body, the ICO will wish to discuss the matter with the public authority rather than rely on written assurances; and may need to see the information itself (a right which she reserves in all cases).

25.71 In relation to complaints about s 23(5) (the exemption from confirmation or denial), the Commissioner states that she will generally be able to reach a determination without asking whether the information is actually held; although exceptionally this, or even access to the information, may be necessary.

Historical security records

25.72 As noted above (see para 25.54), the exemption in s 23(1) becomes subject to the public interest test where the information requested is in a historical record held by the National Archives, or the Public Record Office of Northern Ireland. Under the Constitutional Reform and Governance Act 2010, s 46(2) and (3), a reduction from 30 to 20 years in the period after which a record becomes ‘historical’ is being phased in.27 By the end of 2018, the period was 24 years; and it will have reached 20 years after the end of 2022.

25.73 The factual basis on which the exemption is engaged remains the same, but a public interest test has to be applied to the question of disclosure. The Commissioner’s guidance notes that the public interest will favour disclosure where doing so ‘would not cause any harm’ [emphasis added]. This suggests that the threshold for disclosure is still likely to be high, and that if there would be some degree of harm, the public interest test for disclosure would not be likely to be met.

Other relevant exemptions

25.74 In the nature of the subject matter, the exemptions for national security (s 24), defence (s 26), international relations (s 27), formulation of government policy (s 35), prejudice to the conduct of public affairs (s 36), health and safety (s 38) or personal data (s 40) may also be relevant in particular cases.

26 See ICO guidance on s 23 (as footnote 23), paras 19–21.

Section 24: National Security

25.75 Information which falls outside the scope of s 23(1) (in other words, which does not originate from, or relate to, a security body) is exempt from disclosure if the exemption is ‘required for the purpose of safeguarding national security’. The exemption is subject to the public interest test.

25.76 The exemption states:
(1) Information not falling within s 23(1) is exempt information if the exemption is required for the purpose of safeguarding national security; and
(2) The duty to confirm or deny does not arise if, or to the extent that, exemption from it is required for the purpose of safeguarding national security.

25.77 The test of whether the exemption is ‘required for the purpose of’ safeguarding national security should be interpreted as whether it is ‘reasonably necessary’ for that purpose, rather than unavoidable or absolutely necessary. As in other areas, the approach taken by the European Court of Human Rights is adopted, derived from interpreting what degree of interference with human rights can be justified as ‘necessary’ in a democratic society; in this case, to safeguard national security. In this context, ‘necessary’ means less than essential, but more than merely useful or desirable. The test goes beyond merely relating to national security, however; there has to be a clear argument that disclosure would have an adverse effect on national security for the exemption to be engaged.28 It is not necessary to show that disclosure would cause a ‘direct or immediate threat to the UK’.29

25.78 ‘National security’ is not defined, but it goes beyond the security of the UK, its defence, or the defence of its system of government, to include co-operation with other states in combating international terrorism. It also extends to guarding against actions directed against other states with which the UK co-operates for those purposes, which may in due course have an adverse impact on the UK or its population. The House of Lords (in its former judicial capacity), as its decision was interpreted by the Information Tribunal, described ‘national security’ as follows:
— It means the security of the UK and its people.
— It is not limited to actions targeted by an individual against the UK, its system of government or its people. Protecting democracy, and the legal and constitutional system of the state, also fall within national security.
— Action against a foreign state may affect the UK’s security indirectly.
— Co-operation between the UK and other states against international terrorism is capable of promoting the national security of the UK.30

25.79 Thus action that is reasonably necessary in order to safeguard any of these objectives or systems would potentially fall within the scope of the exemption.

25.80 Although there has to be a real possibility that the UK’s national security would be undermined by the disclosure, the impact on national security does not have to be caused directly or immediately.31 It could involve harm caused to an ally which, in the long term, could be expected also to weaken the security of the UK; and thus to harm it indirectly, and in other than immediate terms.

25.81 Safeguarding also includes providing protection for potential targets, without any evidence of an immediate threat of attack. Thus in the case of a request for details of the fleet of vehicles held by the West Yorkshire Fire and Rescue Service, the service argued successfully that, because it operated a national control centre for fire vehicles, dealing with national incidents, disclosure could provide sufficient information to enable the cloning of its vehicles (and thereby for access to the centre to be gained, and its security compromised). There was no evidence of any plan for an attack; but the control centre was a realistic target, and the concern was plausible. This was sufficient to engage the exemption.32

25.82 The Commissioner summarises the exemption in s 24(1) as allowing a public authority not to disclose information whose release it considers ‘would make the UK or its citizens more vulnerable to a national security threat’.33

Mosaic argument

25.83 Even information whose disclosure would not appear to be harmful may, when combined by a motivated requester with other information which they hold (or could obtain), become harmful; this is known as the ‘mosaic’ effect. While there is uncertainty over what other information may be held by such a requester, the ICO will consider each case on its merits, while expecting the public authority to be able to justify its decision not to disclose the information.

Duty to confirm or deny

25.84 There is an exemption in s 24(2) from the duty to confirm or deny, where exemption from that duty is required for the purpose of safeguarding national security. The NCND exemption is likewise subject to the public interest test.

25.85 As with FOIA 2000, s 23, the ICO’s guidance stresses that a public authority is not limited to considering the consequences of the actual response it would make (eg to confirm that it held the information); it may also take into account what would be revealed by a hypothetical response (eg to deny that the information was held); and either may engage the exemption.

25.86 The same meanings of ‘national security’ and ‘required for the purpose of’ apply (see paras 25.77 and 25.78). The authority has to demonstrate a causal link between the confirmation or denial and the harm to national security; but, as with s 24(1) (see para 25.80), the link need not be direct or immediate. The ICO gives the example of tension between two states with which the UK is co-operating in fighting terrorism, caused by a political group which targets its activities at one of the states. A request for details of contacts between the UK and the group would be likely to harm this country’s relations with one of the two allies involved, indirectly harming joint activities with that country to fight terrorism. Section 24(2) would enable the Foreign Office to consider responding by neither confirming nor denying that the information was held.34

25.87 As noted above at para 25.69, the exemption in s 24(2), permitting the authority a NCND response in relation to national security, is not treated as mutually exclusive with the NCND exemption in FOIA 2000, s 23(5).

27 See FOIA 2000, s 62(2A); as applied subject to the Freedom of Information (Definition of Historical Records) (Transitional and Saving Provisions) Order 2012, SI 2012/3029, Sch 7, para 4.
28 Commissioner of the Metropolitan Police Service FS50178276, para 24; endorsed by the First-tier Tribunal in Philip Kalman v ICO and Department for Transport EA/2009/0111, para 33.
29 ICO: ‘Safeguarding national security (section 24)’, para 10.
30 Secretary of State for the Home Department v Rehman [2001] UKHL 47; interpreted in Norman Baker MP v ICO and the Cabinet Office, and National Council of Civil Liberties EA/2006/0045.
31 Taken from the approach in Rehman (see preceding footnote), a deportation case, per Lord Slynn.
32 West Yorkshire Fire and Rescue Service FS50308040, para 19. See also para 23.29.
33 ICO guidance on s 24 (as footnote 29), para 7.
34 See ICO guidance on s 24 (as footnote 29), example following para 23.


Ministerial certificate

25.88 A certificate issued by a ‘Minister of the Crown’ (ie a Cabinet Minister, the Attorney General, the Advocate General for Scotland or the Attorney General for Northern Ireland: FOIA 2000, s 25(3)) may apply to information not yet held (or even requested) which the authority envisages that it may hold in the future. While this provides conclusive proof that the exemption is engaged (subject to an appeal to the First-tier Tribunal),35 the public interest test still has to be applied. The Commissioner has indicated that she will consider the public interest balance afresh if there is a complaint to her.

Public interest test

25.89 Both exemptions in s 24 are subject to the public interest test; each arises only when its application is reasonably necessary to prevent greater vulnerability of the UK to a threat to national security. There is a very weighty public interest in avoiding harm to national security. The exemptions remain qualified, however, so that the public interests on both sides have to be weighed. The need to reassure the public about the limits of the restrictions on their rights arising from a tight approach to security, for example, or as to the value of those restrictions in the face of the everyday inconvenience they cause, may provide strong public interest arguments for disclosure in a particular context.

25.90 The public interest factor in favour of maintaining the exemption will be the degree to which disclosure (or confirmation or denial) would harm national security. If the consequences of an attack would be severe, even a very low risk that disclosure would assist it would provide a very strong public interest in withholding the information.36 A wholly unrealistic threat will not give rise to the need for the exemption; it will not be engaged at all if its protection is not reasonably necessary to safeguard national security. Once it has been demonstrated that the exemption is reasonably necessary, however, the potential impact of disclosure will be the key public interest factor in favour of maintaining the exemption.

25.91 A further facet of the test of whether disclosure would harm national security is the degree, if any, to which disclosure may discourage co-operation with other countries, to the detriment of the security of the UK. It is important to appreciate, however, that the relevant public interest factors concern the security of this country only. Harm to the security of other countries, by the disclosure of information which may relate to their security arrangements, is not a factor that can be taken into account directly under the FOIA. On the other hand, if a harmful impact on another country would in turn weaken security co-operation between that country and the UK, and thus indirectly weaken the UK’s security, the desirability of avoiding the latter impact may be taken into account.37

35 See FOIA 2000, s 60(3).
36 See Philip Kalman v ICO and Department for Transport (as footnote 28).
37 See Peter Burt v ICO and Ministry of Defence EA/2011/0004, para 40.


25.92 In favour of disclosure, public interest factors will include:
— meeting concerns over the proportionality of restricting civil liberties in relation to the security risks, as mentioned above at para 25.89;
— explaining the need for security measures and restrictions, in order to maintain public co-operation with, and support for, them;
— reassuring the public that the measures taken are securing their objectives;
— informing the public of the restrictions they are under;
— casting light on the activities of the security organisations involved, in order to enable the public to assess their effectiveness.

Commissioner’s approach to investigations

25.93 The Commissioner has indicated that, because she will need to be satisfied that the exemption applies, and then to consider the public interest, she will normally need to see the information in s 24(1) cases. In some instances, however, submissions from (or discussions with) experienced staff may be sufficient in relation to both questions. She will only exceptionally need access to the information in s 24(2) cases.

Sections 24(1) and 23(1) as alternatives

25.94 There is considerable overlap in the subject matter of FOIA 2000, ss 23 and 24. Section 24(1) only covers information, however, which does not fall within s 23(1). This means that the two exemptions cannot be claimed at the same time in relation to the same information: they are mutually exclusive. In consequence, there has been concern that citing one or other of the exemptions may disclose more than was intended about the information being sought. Claiming the exemption in s 24(1), for example, would at least imply strongly that the information did not originate from, or relate to, a security body. Claiming the exemption in s 23(1) would confirm that the information either came from a security body, or was related to one in some way.

25.95 In consequence, some public authorities were omitting to cite the exemptions in s 23(1) or s 24(1), and seeking instead to rely on the two exemptions from the duty to confirm or deny (in ss 23(5) and 24(2)), even where it was clear that the information was held (those exemptions not being mutually exclusive).38 Claiming the NCND exemptions in order to avoid citing the exemption from disclosure of the content, rather than to avoid revealing something by the confirmation or denial itself, is not a correct use of those exemptions.

38 See All Party Parliamentary Group on Extraordinary Rendition (APPGER) v ICO and Foreign and Commonwealth Office EA/2011/0049–0051, para 109.


25.96 The Commissioner instead proposed a ‘pragmatic solution’ to the problem that citing one or other of the exemptions identifies the type of information. While it is accepted that only one of them can actually apply, a public authority may claim both ‘in the alternative’, without stating which actually applies, so that the refusal notice does not reveal the true position. The notice should refer to both, state that they are being cited in the alternative, and explain the reasons that could apply to support refusal in the case of each exemption. In the case of s 24(1), the public interest test should also be undertaken and the reasoning explained, as to the factors on each side that would apply if this were the applicable exemption; likewise without specifying whether this is actually the case.

25.97 In the event of a complaint to the ICO, the public authority would need to notify the Commissioner as to which exemption applied in its view. The decision notice from the Commissioner would not make clear which exemption was upheld or rejected.39

Other relevant exemptions

25.98 Other exemptions that might be relevant in a given case would include s 23 (noting the advice in para 25.96 above as to claiming the two exemptions in the alternative, but also the position on NCND in para 25.87); s 26 (defence); s 27 (international relations); s 38 (health and safety); s 35 (government policy); possibly s 36 (prejudice to the conduct of public affairs); and s 40 (third party personal data, which may need to be protected from disclosure in this context).

Section 26: Defence

25.99 The penultimate exemption in this security/defence group applies to information whose disclosure would, or would be likely to, prejudice defence matters.

25.100 Section 26 provides that information is exempt if its disclosure would, or would be likely to, prejudice: (a) the defence of the British Islands or of any colony; or (b) the capability, effectiveness or security of any relevant forces. The ‘British Islands’ means the UK, the Channel Islands and the Isle of Man.40 A colony means any part of Her Majesty’s dominions outside the British Islands, except for a country having fully responsible status within the Commonwealth, a territory for whose external relations a country other than the UK is responsible, or an associated state. The 14 colonies (the British Overseas Territories) include Gibraltar, the Falkland Islands, the British Antarctic Territory and Bermuda.

39 This process is explained in greater detail in the ICO’s guidance: ‘How sections 23 and 24 interact’.
40 Interpretation Act 1978, Sch 1.


25.101 ‘Relevant forces’ are defined as the armed forces of the Crown and any forces co-operating with those forces, or any part of either. There is no statutory definition of ‘armed forces of the Crown’, although guidance by the Ministry of Justice has described them as any part of the regular or reserve naval, land or air forces of the UK. (This excludes the special forces, which are not a public authority for FOIA purposes, and which fall within the exemption in FOIA 2000, s 23.) Forces co-operating with the armed forces would include the armed forces of other countries which are in formal collective defence arrangements with the UK (eg through the North Atlantic Treaty Organisation (‘NATO’) or the United Nations), or in more informal alliances for particular operational purposes. The ‘capability, effectiveness or security’ of relevant forces is not defined, but the Commissioner advises that this covers information whose disclosure could put the physical safety of the armed forces at risk, or otherwise impair their ability to carry out their duties.41

25.102 Section 26 is a qualified exemption. It covers all recorded information, including historical information.

Scope of s 26

25.103 The potential scope of the exemption, in terms of the information about military activities and measures which it may cover, is very wide. The Commissioner gives a non-exhaustive list which includes: policy and strategy; military intelligence; operational orders and tactics; troops’ performance; plans and measures covering the maintenance of supplies, military capability (including access to weaponry), or the defence of other countries; and the location of telecommunications equipment. To this might be added: information about operational deployments; IT capability; higher skills training; and communications arrangements with co-operating forces. Each instance has to be assessed on a case by case basis, against the test of whether disclosure would, or would be likely to, prejudice defence or the effectiveness of relevant forces.

25.104 The ICO takes the view that the exemption will be largely concerned with information held by the Ministry of Defence, with only a small number of other public authorities regularly holding information falling within it. These will include fire and rescue authorities and other bodies responsible for emergency planning.42 It should be pointed out, however, that emergency planning, which is largely civil in nature (eg coping with the consequences of natural disasters, extreme weather or industrial accidents), may in major incidents involve the use of the armed forces in rescue or reconstruction roles. Local authorities or other public agencies with access to information on local armed forces’ capabilities or equipment should not assume that s 26 is unavailable to them in a specific case.

41 All in ICO: ‘Defence (section 26)’, para 6.
42 ICO guidance on s 26 (as footnote 41), para 6.


Duty to confirm or deny 25.105 The duty to confirm or deny does not arise, if, or to the extent that, doing so would, or would be likely to, prejudice any of the matters to which the exemption from disclosure applies43. An authority claiming the NCND exemption has to show how confirmation or denial that the information is held will cause a risk to defence, or to the effectiveness of the forces involved. This may not be a high threshold. Information as to whether a type of weapon was held, for example, ‘would be of considerable interest to any hostile power’, according to the First-Tier Tribunal in Donnie Mackenzie v ICO44. Prejudice to defence or to military effectiveness 25.106 Having established that the exemption fits the facts of the request (or of the confirmation or denial), it is then necessary to examine whether the prejudice (harm) test is met. Would disclosure harm, or be likely to harm, the defence of the country (or its colonies), or the capability, effectiveness or security of any relevant forces? The first level of test (‘would’) requires it to be more likely than not that the harm would occur; the second level (‘would be likely’) requiring a real and significant likelihood of harm (but less than 50%). 25.107 In considering the harm test, it is relevant to take into account any information already in the public domain which, while it may be harmless in itself, when combined with the requested information could make its disclosure harmful. 25.108 In terms of harm to the defence of the country, the timing and circumstances of the request may be important. What is required to defend the country, or the likelihood that harm would follow from a disclosure, may be significantly greater during a time of hostilities, or of preparation for them, than during peacetime. It may be necessary to consider what is actually required for the defence of the country; not every disclosure about a military matter will affect adversely a significant aspect of its defence. 
Internal security threats should be considered as well as external military ones; there is a degree of crossover with the exemption in s 24.

25.109 In relation to the second limb of potential harm, to the capability, effectiveness or security of relevant forces, the Commissioner gives examples in her guidance of certain types of information which may cause such prejudice. The list includes:
— the composition of a military force, or the location of units, ships or aircraft (or their names or numbers);
— details of military movements;
— details of casualties;
— military tactics or positions;
— names of individual service personnel or prisoners of war.
NB. Both the third and fifth of these categories may well also involve the personal data of the individuals concerned, requiring attention in handling to the data protection implications and, in the context of an FOI request, consideration of possible exemptions under s 40 of the Act45.

25.110 The above list is substantial, but it is important that it is treated only as a starting point. For the exemption to apply, it is necessary to identify a particular type of harm or damage that may result, and its degree of likelihood. If there would be no, or only a negligible, risk that an enemy could gain advantage from the disclosure, the exemption will not apply.

25.111 As with the harm test in general, the public authority should consider the severity of the harm that could result, and balance this against its degree of likelihood. A severe level of harm, even if unlikely to occur (provided that the risk is not negligible), may well create a sufficiently serious level of risk to meet the harm test. A degree of harm which is less serious, but which is reasonably likely to follow disclosure (albeit at under a 50% chance), will likewise probably be sufficient to meet the test46.

25.112 The Commissioner points out that the government security markings on official documents are of limited assistance in examining the harm test, and should certainly not be taken as an automatic indicator of exemption, since they take into account a number of issues beyond the consequences of disclosure for defence47.

Public interest test

25.113 The exemptions (from disclosure and from the duty to confirm or deny) are qualified rather than absolute, notwithstanding the strong public interest in maintaining the defence of the country and its (or associated) armed forces.

43 FOIA 2000, s 26(3).
44 EA/2013/0251, para 10.
The public authority has thus to examine and explain (briefly, unless the matter goes to the Commissioner) the degree of seriousness of the harm that it has identified, balancing severity and likelihood as indicated above at para 25.111.

25.114 In favour of disclosure, factors will include the standard ones of furthering public understanding of public issues, promoting accountability, or allowing individuals to understand public decisions. There may also be arguments that greater openness would increase public understanding of the rationale for military action, or support improvements in provision.

25.115 In relation to particular military episodes (including unsuccessful ones), or issues such as the levels or suitability of equipment, controversial matters are likely to arise from time to time on which there may be a considerable public demand for openness or explanation. While public interest, in the sense of curiosity, is not a factor in favour of disclosure, a genuine concern to establish as much as can safely be divulged of the facts surrounding a difficult or disputed military issue (particularly if the information already available leaves legitimate questions unanswered) will carry significant weight in public interest terms.

25.116 Arguments for maintaining the exemption will generally be variations on the need to avoid the risk of harm identified; and the greater the risk (in terms of severity and/or likelihood), the stronger the public interest arguments against disclosure. The Commissioner mentions avoiding compromising a military operation, or harm to the security of troops or civilians (eg by revealing a weapons route). The disclosure of information received from an ally could harm future co-operation with that country, particularly if it objects to the disclosure.

25.117 As with the potential degree of harm, the timing of the request will also be important to the public interest test. The public interest in disclosing information about a forthcoming military operation will be much lower than in relation to one which has occurred. The public interest in disclosing historical information, or in adding to the information publicly available about a more recent operation (but one which has concluded), will have some weight. Care should still be taken, however, to consider any benefit which may accrue to an enemy in the future (eg over equipment continuing in use, or over tactical issues which could be expected to recur), even from information about past events.

45 See Chapter 27 on FOIA 2000, s 40 below.
46 See also para 24.92(b).
47 ICO guidance on s 26 (as footnote 41), para 22.
25.118 In Chris Cole v ICO and Ministry of Defence48, concerning drone operations in Afghanistan, the First-Tier Tribunal said that a ‘very substantial public interest’ in disclosure would be needed to outweigh the public interest in maintaining the exemption, in a case where the ‘capability, effectiveness or security of the forces was likely to be a matter of life and death’.

Other relevant exemptions

25.119 As with the other exemptions in this suggested group, the exemptions in ss 23 (information from security bodies), 24 (national security) or 27 (international relations) may also be relevant to information to which the defence exemption may apply. In relation to defence contracts, s 43 (commercial interests) may be relevant; and, in particular cases, the personal data exemption (s 40) may also need to be considered.

Section 27: International relations

25.120 This group is concerned with international relations, and with relations between the UK government and the devolved administrations; and the exemption in FOIA 2000, s 27, may overlap to a degree with the previous group concerned with security, defence and foreign affairs. It stands apart from them, however, in cases involving international relations which do not concern security or military matters.

25.121 FOIA 2000, s 27(1) provides that information is exempt if its disclosure would, or would be likely to, prejudice (ie harm):
(a) relations between the UK and any other state;
(b) relations between the UK and any international organisation or international court;
(c) the interests of the UK abroad; or
(d) the promotion or protection by the UK of its interests abroad.

25.122 Information is also exempt under FOIA 2000, s 27(2), if it is confidential information which has been obtained from another state, or from an international organisation or international court. An ‘international court’ is one which is not an international organisation, and is established by a resolution of an international organisation of which the UK is a member, or by an international agreement to which the UK is a party (eg the European Court of Human Rights). An ‘international organisation’ is any such organisation which includes two or more states, or any organ of such an organisation (eg the United Nations). A ‘state’ includes the government of any state, and any organ of its government (eg its legislature).

25.123 Information obtained from a state, organisation or court is treated as confidential under the section while:
(a) the terms on which it was obtained require it to be held in confidence; or
(b) the circumstances in which it was obtained make it reasonable for the state, organisation or court to expect that it will be held on those terms.

25.124 While the exemption under s 27(1) is based on a test of harm before the exemption applies, there is no express requirement for harm to be demonstrated where confidential information would be divulged under s 27(2). It is assumed that a breach of confidentiality, in the context of international relations, is sufficient to cause harm without a requirement for its demonstration.

48 EA/2013/0042 and 0043, para 68.
There is also no requirement for the breach to be actionable, unlike the condition for FOIA 2000, s 41, to apply (doubtless reflecting the more limited scope for such proceedings to be brought).

25.125 There is an exemption from the duty to confirm or deny if, or to the extent that, confirming or denying would, or would be likely to, harm any of the matters mentioned above in para 25.121, or would involve the disclosure of any confidential information obtained from another state, international organisation or international court. This includes (as in the instances above in paras 25.36 and 25.59) information which has not yet been recorded. It will be noted that the exemption applies only to information ‘obtained from’ the other state (ie on the same pattern as confidential information in FOIA 2000, s 41). A note from the Prime Minister to the US President could not, therefore, fall within this limb of the exemption49.

49 Stephen Plowden v ICO and FCO, EA/2011/0225 and 0228 (21 May 2012), para 36.
25.126 The likelihood of harm is either that it ‘would’ occur as a result of disclosure (ie more probable than not), or that it ‘would be likely’ to occur, meaning that there is a real or significant chance (but below 50%).

25.127 In Campaign Against the Arms Trade v ICO and Ministry of Defence50 the Tribunal applied, in the context of s 27(1), the approach to the prejudice test that had been developed in Hogan51. The test of likelihood should rest on what was probable, as opposed to possible or speculative. Prejudice required some degree of detriment, and should be ‘real, actual or of substance’ (as described in Hogan, para 30). In the context of s 27(1), prejudice can be real and of substance if it ‘makes relations more difficult or calls for particular diplomatic response to contain or limit damage which would not otherwise have been necessary’. In other words, it is sufficient to meet the test of harm in s 27(1) if some action by diplomats to repair relations would be required. It was not necessary to show that ‘actual harm to the relevant interests in terms of quantifiable loss or damage’ would be likely: exposure to the risk of an adverse reaction could be sufficient. This approach has since been endorsed by the Tribunal52.

25.128 The Upper Tribunal has said (in what is a binding judgment) that appropriate weight should be given to evidence from the executive branch of government about the prejudice likely to be caused, since it has unrestricted access to advice and is better informed than a judge about the likely attitude of foreign and intelligence services, or the consequences of disclosure in relation to the prevention of terrorism53.

25.129 The Commissioner’s current guidance on this exemption originated in 2004, before the full implementation of the FOIA 2000 (although it was updated in January 2006), and is in urgent need of revision. As well as the government departments most obviously dealing with international relations, it points to the police, the NHS, prison services and local authorities as potentially receiving requests for information which might be exempt under FOIA 2000, s 27, because disclosure would harm the UK’s international relations. The range of such information could include UK policy in relation to other states, international trade partnerships, arrangements for state visits, or international relations undertaken by universities. The focus of the exemption is on the harm to the UK’s relations, rather than on harm to the interests of any other public body involved, or on any other harm (eg to an area or sector of the UK).

50 EA/2007/0040. See paras 80–81. Heard also with Nicholas James Gilby v ICO and Foreign and Commonwealth Office EA/2007/0071 and 0078–79.
51 EA/2005/0026/30. See footnote 15.
52 See most recently All Party Parliamentary Group on Drones v ICO EA/2016/0176, paras 58–59.
53 All Party Parliamentary Group on Extraordinary Rendition (APPGER) v ICO and MOD [2011] UKUT 153 (AAC) at para 56; referring to R (on the application of Mohamed) v Secretary of State for Foreign and Commonwealth Affairs [2010] EWCA Civ 65, per Lord Neuberger MR at para 131.
Public interest test

25.130 The main public interest factor in favour of maintaining the exemption identified in the Commissioner’s guidance is the avoidance of the harm that would be likely to be caused to international relations, as described above (para 25.127).

25.131 In relation to arguments in favour of disclosure, the familiar general arguments apply: furthering understanding of the public debate, promoting accountability in decision-making and in the spending of public money, and allowing individuals and other bodies to understand decisions which affect their lives. In individual cases, such as those concerning decisions to go to war, these may carry greater weight54.

Other relevant exemptions

25.132 Other relevant exemptions are likely to include: s 23 (information supplied by security bodies), s 24 (national security), s 26 (defence), s 35 (government policy formulation), or s 43 (commercial interests).

Section 28: relations within the UK

25.133 This exemption applies to information whose disclosure may harm relations between the UK government and the devolved administrations in Scotland, Northern Ireland or Wales. Information is exempt if its disclosure would, or would be likely to, prejudice relations between any of the UK government, the Scottish Administration, the Executive Committee of the Northern Ireland Assembly and the Welsh Government. It is not restricted, however, to information held by those bodies. If information is held by another public body (eg a local authority in one of the nations of the UK) whose disclosure would, or would be likely to, have the prejudicial effect just described, as between two or more of the administrations, the exemption may apply.

25.134 There is also an exemption from the duty to confirm or deny where, or to the extent that, confirmation or denial would, or would be likely to, harm relations between any of the administrations.

25.135 The exemption does not appear to give rise to many decisions, and may not be widely used. The Commissioner’s guidance on this exemption is general, and dates back to 2008. There has been one decision (involving two hearings) of the First-tier Tribunal involving this exemption. This drew on the approach taken to the test of prejudice under s 27 (international relations) in the case of Campaign Against the Arms Trade, discussed above at para 25.127. The tribunal decided, in the context of s 28, that a likelihood of actual harm from disclosure did not have to be shown for the exemption to be engaged. Exposure to the risk of harm to relations was sufficient. The harm was substantial ‘if it makes relations more difficult or calls for particular diplomatic response to contain or limit damage which would not otherwise have been necessary’55.

Other relevant exemptions

25.136 Other relevant exemptions may be those covering: information accessible by other means (s 21); international relations (s 27); government policy formulation etc (s 35); or the effective conduct of public affairs (s 36).

54 As recognised in Stephen Plowden/Foreign and Commonwealth Office v ICO EA/2011/0225 and 0228 (21 May 2012), para 81 (although lessened on the facts at paras 91–92). On appeal, the Upper Tribunal ([2013] UKUT 0275 (AAC), para 16) considered that the FTT had erred in law both in its approach to the public interest, and by taking a sentence-by-sentence approach to the disputed information (the transcript of a telephone conversation between the UK Prime Minister and the US President), to the exclusion of the package as a whole. The FTT, when the case was remitted to it, took a different view as to the balance of the public interest, upholding the appeal by the Foreign Office against disclosure (28 January 2014).

Section 29: the economy

25.137 The exemption in s 29(1) applies to information whose disclosure would, or would be likely to, harm the economic interests of the UK or any part of it, or the financial interests of the UK government or any of the devolved administrations (as defined in s 28(2)). The exemption may apply in respect of anticipated harm to the national economy, or to a regional or local economy. The financial interests of the UK government, or of the devolved administrations, would include their ability to raise revenue through taxation, or to borrow on the capital markets. It might be argued also to cover information whose disclosure might adversely affect the levels of short-term or long-term interest rates in the UK, nationally or regionally, if there were a significant consequent impact on government borrowing costs.

25.138 There is also an exemption from the duty to confirm or deny in s 29(2) where, or to the extent that, confirming or denying would, or would be likely to, harm the economic or financial interests covered by the exemption in s 29(1).

25.139 Both exemptions are qualified, and thus reliant on the public interest test in any given instance.

Economic interests – s 29(1)(a)

25.140 As the ICO’s guidance makes clear, the interests protected are those of the relevant economy as a whole, rather than individual interests56. If, for example, a particular disclosure would be likely to harm the trading position of a local employer, it would be difficult to establish that this exemption applied unless a significant impact on the local economy could be demonstrated. This was the case, however, in Derry City Council v ICO57, a well-known and formative FOI decision over an agreement concerning levels of landing charges between Ryanair and Derry City Airport, which was operated by the local council. The Tribunal recognised that any prejudice to the commercial interests of the council in relation to the airport would also prejudice the economic interests of the region, such as to engage the exemption in s 29(1) as well as that in FOIA 2000, s 4358. Disclosure would affect the council’s negotiating position with other airports, such that the council would have suffered harm if the disclosure had been made either in 1999, when the agreement was concluded, or in 2005 (when the information was requested)59. By the time of the request in 2005, however, the risk of prejudice was too low to outweigh the public interest in the information being disclosed60.

25.141 The Commissioner draws attention in her guidance to a range of types of information held by public authorities which may affect the economy, and which is not limited to information concerned narrowly with economic management or development. These include61:
— information held by the public authority in its role as a major customer, employer or investor (nationally, regionally or locally);
— information concerning health or environmental policy (eg on types of transport use; another example might be levels of industrial illness amongst older workers in an area, which may affect its skills base) which may have an adverse impact on a local economy if disclosed;
— information relevant to the impact of regional or trade policy on promotion of the local economy.

Financial interests – s 29(1)(b)

25.142 The Commissioner recognises a significant public interest in favour of the disclosure of enough information to enable the public to understand and assess the financial integrity and cost-effectiveness of the UK government and devolved administrations.

55 The Scotland Office (Stage 2) v ICO EA/2007/0070, paras 51–53.
56 ICO: ‘The economy (section 29)’, para 6.
This may be balanced by a public interest in avoiding damage from releasing too much information, or from disclosing information after too short a period62.

25.143 Information affecting the financial interests of the UK or a national government might, in the view of the Commissioner, cover (in addition to specific information on public spending and borrowing levels, or forthcoming Budget proposals)63:
— market trends in the nation/region, affecting interest rates and government borrowing;
— information about financial regulation held by regulatory bodies;
— information about levels of currency reserves;
— the finances of public corporations (for which the government or devolved administration may ultimately be responsible).

25.144 The Commissioner has accepted that a request for the source code of computer applications used by the Land Registry engaged the exemption in s 29(1)(b). The Registry, as a trading fund, relied on the system for the registration of titles to generate revenue, as well as to provide reliable property information on which large transactions in the economy could proceed. Disclosure of the source code could compromise this system if its security were breached. The financial burden of its loss would fall on the government, and the likely harm to levels of economic activity was sufficient to engage the exemption. The public interest favoured maintaining the exemption64.

Duty to confirm or deny

25.145 There may be an exemption from the duty to confirm or deny where, for example, confirming that information was held about potential changes to the tax system could cause individuals to alter their financial arrangements to pre-empt the changes, thus harming the government’s finances65. Another example could be if a denial that information was held about a particular tax haven were to encourage greater exploitation of its advantages than previously, leading similarly to a loss of tax income to the UK government.

Test of prejudice

25.146 The test of harm is the familiar one: disclosure ‘would’ adversely affect the protected interests (ie more probable than not), or ‘would be likely to’ cause such harm (the ‘significant and weighty chance’ or ‘may very well be’ test in Lord, at paras 9.9, 24.92(a)–(b) and 25.45 above), falling short of 50%66. The stronger the likelihood of harm (or the greater the severity of the consequences, even at a low level of risk), the greater will be the weight of the public interest against disclosure.

25.147 Distortion of the financial markets by the release of information about the economy is recognised as being generally damaging to the economy. The timing of announcements or disclosures can also significantly affect their financial consequences. The Commissioner has accepted that the disclosure of estimates

57 Derry City Council v ICO EA/2006/0014.
58 As footnote 56, para 29.
59 As footnote 56, para 25.
60 As footnote 56, para 28(b).
61 As footnote 56, para 20.
62 As footnote 56, para 12.
63 As footnote 56, para 21.
64 HM Land Registry, Decision Notice FS50208350. The Registry had agreed to disclose the information by the time of the decision.
65 ICO, guidance on s 29 (as footnote 56), para 15.
66 [2003] EWHC 2073.
made by HMRC case officers of its potential liability to costs in taxation cases (if they were lost) would have had a distorting effect on financial markets, and on the confidence of investors. The greater public interest did not lie in disclosing information which would have a detrimental effect on the economy67.

25.148 The Commissioner warns, however, that public authorities should also recognise that withholding information which might be thought likely to damage business confidence in a particular area may have the opposite effect to that intended. Instead, enabling businesses to make informed decisions about the area’s prospects may better assist its economic interests, so that the public interest arguments may apply in either direction.

25.149 The ICO warns also against confusing the interests of a company, with which a public authority may have developed a close working relationship in the course of a regeneration programme, with harm to the financial interests of the area’s government (or to the economy of the area). A claim that disclosure would dissuade a contractor from entering an agreement, for example, would need a sound basis; and, even if it were made out, the public interest test might still favour disclosure. The ICO suggests also that the exemptions in s 43 (commercial prejudice) or s 41 (confidential information) may more appropriately reflect the concerns of a private sector partner68.

Public interest test

25.150 The Commissioner distinguishes a public interest in transparency about the UK government or other public authorities in this country from any interests which citizens of other countries may have in knowing about the actions of governments or companies based in the UK (although foreign citizens may make FOI requests).

25.151 The arguments in favour of disclosure will be variants of the familiar ones concerning: public understanding of and participation in debate; accountability and transparency (particularly in relation to the spending of public money); or enabling individuals and legal persons to understand decisions made which affect them.

25.152 Those suggested by the Commissioner as potentially against disclosure include69:
— disclosure causing financial instability to an institution or country, in the UK or abroad, which affects the economic interests of the UK, or the financial interests of one of its governments;
— avoiding harm from a disclosure which would pre-empt taxation or benefits announcements etc;
— avoiding harm from a selective disclosure which could adversely affect financial markets, where financial regulation relies on the disclosure of market-sensitive information to the market as a whole;
— disclosure of information received from confidential sources (including foreign regulators), which would be likely to reduce the inward flow of such information;
— avoiding the harm from disclosure of an assessment of the viability of an institution or economy.

25.153 To these might be added:
— avoiding harm from the premature disclosure of an assessment of the trading or financial difficulties affecting a major employer, and of the knock-on economic consequences for a regional UK economy;
— avoiding harm from disclosure of Treasury forecasts of future adverse currency movements against the pound;
— avoiding the harm from disclosure of an analysis of the exploitation of tax loopholes, or of the UK’s strengths and weaknesses in combating tax evasion.

25.154 Factors likely to be relevant to the resolution of the public interest balance may include: the severity of the harm, balanced against its level of likelihood (as indicated above at para 25.14670); the numbers of people affected; the scale of financial resources affected; the impact on public or business confidence; the desirability of enabling businesses and individuals to understand major economic issues facing the country; the importance of transparency in relation to local economic developments affecting individuals; and the extent to which the issues, and the potential harm from disclosure, are ‘live’.

25.155 Several decisions demonstrate the importance that timing can have in determining the balance of the public interest, as follows.

67 Her Majesty’s Revenue and Customs (HMRC): FS50095271, paras 78–84 and 91.
68 See ICO guidance, as footnote 56, paras 33–37.
69 ICO guidance, as footnote 56, para 43.
Summaries are set out in the ICO’s guidance on s 29:
— Information on recent contacts between the Cabinet Secretary and companies and lobbying groups was withheld under s 29(1)(a), on the basis that a limited public interest in disclosure was outweighed by the recent nature of the information, and by significant prejudice from the disclosure of information which was important to the government in developing policy71.
— Information held by the Treasury on inflation forecasts was withheld, (unusually) because disclosure could cause misunderstanding and destabilise the financial markets72.
— Information fed by the Treasury into its macro-economic model, used to forecast the UK’s economic performance, was correctly refused, because of the risk that disclosure could influence economic behaviour and thereby harm the economic interests of the UK. The timing of the request in relation to the information was an important factor73.

25.156 Apart from the Derry case (cited above at para 25.140) and its confidential Schedule, there had at the time of writing been only one other decision of the First-tier Tribunal involving s 29. The case of Department of Work and Pensions v ICO74 concerned three requests made to the DWP for disclosure of the names of organisations participating in government schemes to help unemployed people back into work, characterised as ‘workfare’. In refusing to confirm or deny whether the information was held, the DWP argued that the targeting of hosts for the schemes by campaign groups would lead to their withdrawal, increasing the cost of the scheme and harming the national economy by undermining the operation of the schemes as a whole, with a knock-on effect on the economy. The ICO countered that there was insufficient evidence that disclosure would lead to such campaigns, and so the prejudice test was not met. The Tribunal agreed. It said that the DWP’s case relied on the argument that the withdrawals would be so extensive as to undermine the working of the schemes as a whole, with a consequent impact on the national economy. It was not convinced on the evidence that this would take place, nor that there was a causal link between disclosure and any withdrawals which might occur. As a result, s 29 was not engaged on the facts.

25.157 A decision of the Upper Tribunal, dealing with similar facts and heard beforehand, had not involved a claim that s 29 applied75.

Other relevant exemptions

25.158 The exemptions in s 22 (information intended for future publication); in some instances, s 33 (information for audit functions); s 35 (formulation of government policy); or s 43 (commercial prejudice) may also be relevant.

70 See also paras 9.9 and 24.92(a)–(b).
71 Cabinet Office: FS50502589.
72 HM Treasury: FS50474293.

Commercial prejudice (section 43)

25.159 Preserving the order in the FOIA 2000, this exemption is dealt with at paras 26.212ff below.

73 HM Treasury: FS50105898. 74 EA/2014/0074, 0109 and 0130. 75 Department of Work and Pensions v ICO and Zola [2014] UKUT 0334 (AAC).


CHAPTER 26

Freedom of Information Exemptions 2

FOI EXEMPTIONS (SECTIONS 30–44)

Section 30: Investigations and proceedings

26.1 Section 30 covers information which:
— is (or has been) held for criminal investigations, or for further investigations undertaken for prosecutions; or
— was obtained from confidential sources, for use in investigations or in criminal or civil proceedings. (This includes information from such sources used by regulators for the purposes of their statutory functions, as listed in s 31(2).)

Section 30(1)(a)–(c): criminal investigations and proceedings

26.2 The terms of s 30 are complicated, and it is best to examine them by individual subsection. Under s 30(1), information is exempt if it has at any time been held by the authority for the purpose of:
(a) any criminal investigation which the authority has a duty to conduct, with a view to ascertaining whether someone should be charged with an offence, or whether someone who has been charged with an offence is guilty of it (ie the former covers an initial investigation before charge, and the latter a further investigation after charge to support a prosecution) (s 30(1)(a));
(b) any investigation by the authority which may lead it to decide to institute criminal proceedings, which it has a power to do (s 30(1)(b)); or
(c) any criminal proceedings, where the authority has a power to conduct such proceedings (s 30(1)(c)).

26.3 The exemption in s 30(1) is thus class-based. It may be claimed only by a public authority which has one of the following functions, and has held the information for the purpose of that function:
(a) a duty to investigate a criminal matter, with a view to charging a person or investigating further for a prosecution;
(b) a power to conduct a criminal investigation, where it may decide to prosecute in the given case; or
(c) a power to conduct criminal proceedings, where it has held the information for that purpose.


26.4 If a public authority claims that it has a duty to investigate under s 30(1)(a), it will be expected to demonstrate the duty (which will generally be in statute), and also to identify which offences are relevant. Any investigation under s 30(1)(a) has to be (or to have been) conducted with a view to ascertaining whether someone should be charged; or, if they have already been charged, whether they are guilty (ie undertaken for the purposes of the prosecution proceedings). If the investigation fails to lead to a charge or a successful prosecution (as the case may be), however, the exemption will still apply.

26.5 The variants in s 30(1)(a) to (c) recognise that public authorities have differing powers. They are intended to cover information used in the whole criminal justice process of investigation and prosecution. Investigations by the police will fall under s 30(1)(a); their role being initial investigation, charging, and further investigation after a person has been charged, in preparation for trial. Other public authorities such as regulators have both investigatory and prosecuting powers; but may also have vetting procedures as to whether a particular potential offence should be pursued before they investigate beyond the initial stage. These (including vetting or pre-investigative stages1) will be covered by s 30(1)(b). The Crown Prosecution Service has no investigatory powers, but conducts prosecutions on the basis of evidence collected by the police or other agencies, and will be covered by s 30(1)(c). This part of s 30 will also protect information generated between the end of an investigation and the start of (or during) criminal proceedings.

26.6 The reference in s 30(1)(b) to a power to institute ‘criminal proceedings’ includes military offences, and thus a court martial2.

26.7 A power to undertake proceedings will usually be conferred on the authority itself; but may have been conferred on an official or employee of the authority, or on a Minister of a government department. In such cases, the authority is deemed to hold the power3.

26.8 If the authority was acting in accordance with one of these types of function, any information which it held at any time for the purpose of one of those functions will fall within the exemption (subject to the public interest test). The information need not originally have been obtained or held for one of those purposes; nor need it still be held for that purpose (as opposed to another purpose); provided that at any time it has been held for the investigation/prosecution purpose. One caveat is that, after a decision not to prosecute, information generated after that decision will fall outside the exemption. If the matter began as a criminal investigation (eg by a regulator), but changed its nature to result in a civil sanction being imposed, the information remains covered by the exemption. Likewise, if criminal proceedings were not initially envisaged, but may by the time of the request be instituted by the authority, the exemption will apply.

1 See ICO: ‘Investigations and proceedings (section 30)’, para 21; and Stephen Wynn v ICO and The Serious Fraud Office EA/2011/0084, para 26.
2 FOIA 2000, s 30(5).
3 FOIA 2000, s 30(4).


26.9 There is no need to demonstrate prejudice in order for the exemption to be engaged. On the other hand, if there would be unlikely to be any (or other than negligible) harm from the disclosure, the public interest test is unlikely to favour maintaining the exemption.

Section 30(2): confidential sources

26.10 Section 30(2)(b) contains a separate exemption, covering information, obtained or recorded for a number of purposes, which ‘relates to the obtaining of information from’ confidential sources. A ‘confidential source’ is a person who provides information but does not wish to be identified as its source. They include:

— informants, often from within the criminal community;
— witnesses, who give evidence on the condition that their identity will not be revealed;
— anonymous informants to regulators;
— undercover police officers;
— covert human intelligence sources (‘CHIS’).

26.11 The information is exempt if:

(a) the information was obtained or recorded by the authority for the purpose of any of the following of its functions relating to—

(i) investigations falling within section 30(1)(a) or (b) [ie as in para 26.3 above]: either an investigation with a view to ascertaining whether someone should be charged with an offence; or an investigation, by an authority with a power to prosecute, with a view to doing so;

(ii) criminal proceedings which the authority has a power to conduct [ie the same function as in s 30(1)(c)];

(iii) investigations (other than those covered in (i) above) which are conducted by the authority for any of the purposes listed in s 31(2) (eg investigating improper conduct, or regulatory action4) under either prerogative [ie Crown] or statutory powers; or

(iv) civil proceedings brought by or on behalf of the authority, which arise out of investigations under (i) or (iii) above;

AND (in each case)

(b) the information relates to the obtaining of information from confidential sources.

4 See explanation of s 31(2) below at paras 26.30 and 26.47.


26.12 The purpose of the exemption in s 30(2) is, therefore, to protect confidential sources of intelligence about criminal and other unlawful behaviour, and to seek to ensure that those sources remain available to those fighting crime or other wrong-doing. The importance of safeguarding their role is in itself an important public interest factor in favour of maintaining the exemption.

26.13 For the exemption to apply, the information has to relate both to the investigations/proceedings (in para 26.11) being undertaken by the public authority, and to the obtaining of the information from a confidential source. The latter is not limited to the confidential information itself, but includes anything which ‘relates to the obtaining of [the] information’. This could include the practical arrangements for obtaining the information, any technology involved (eg listening equipment), methods of observation, training, any payments to sources etc. The confidentiality in issue is not that of the information obtained, but of the relationship between the source and the public authority.

26.14 The information does not have to be obtained or recorded in connection with any particular investigation, provided that the obtaining or recording is for the purposes of the authority’s functions relating to such investigations or proceedings5.

Example: s 30(2) and confidential sources

A local authority has been experiencing problems with enforcing school attendance in one part of its area. It has powers to prosecute parents of non-attenders, where those parents have failed to pay fines. It deploys an investigator to seek the cause of the problems. She poses as a new resident of the area, and makes inquiries. The authority then receives an FOI request for any information held concerning the use by it of covert sources to assist prosecutions.

The information gathered by the investigation falls within s 30(1)(b) (an investigation of the kind referred to in s 30(2)(a)(i)), as information held for an investigation by the authority of possible offences, which may lead it to decide to institute criminal proceedings which it has a power to conduct. The information will be exempt on this basis, subject to the public interest test. Information held about the use of the confidential source, her identity and methods, and the arrangements made for her apparent arrival in the area, relates to the obtaining of information from confidential sources, and falls within the exemption in s 30(2), subject to the public interest test.

26.15 As with s 30(1), the exemption in s 30(2) is class-based (ie information relating to the use of confidential sources) and so no test of prejudice (ie harm) has to be met before it can apply.

5 FOIA 2000, s 30(2)(a).


26.16 Information identifying a confidential source will also be that person’s personal data; so that the exemption for the personal data of third parties, where disclosure would be unfair or contravene the data protection principles (FOIA 2000, s 40(2) and (3A)), may also apply.

Historical records

26.17 A historical record cannot be exempt under s 30(1), but may be exempt under s 30(2)6. Historical records may also be exempt under s 31.

Duty to confirm or deny

26.18 There may be an exemption in a given case from the duty to confirm or deny in relation to information which is (or which, if held, would be) exempt under s 30(1) or 30(2). Either exemption is subject to the public interest test.

Public interest test

26.19 The s 30 exemptions are designed to ensure that offences are effectively investigated and prosecuted, and confidential sources protected, by withholding from disclosure information whose release would be likely to harm either a particular investigation, or the process in general of investigation and prosecution. The preservation of confidential sources from being identified, or discouraged from participating, forms an important part of this protection. While investigations are in process, public authorities need a ‘safe space’ in which to consider the issues without pressure from the media or public scrutiny.

26.20 Factors relevant to the balance of the public interest are likely to include:

(a) the stage which a particular investigation has reached. There is generally a weighty public interest in maintaining the exemptions while an investigation is continuing, for reasons such as:

— avoiding alerting a suspect to the use of covert intelligence early in the investigation;
— preserving a thinking space for the investigators at an early stage.

Once the investigation has concluded, the public interest wanes, although it may remain important to preserve the identity of confidential sources, to avoid fear of their being identified. An unsolved case could, moreover, be reopened; which would give rise to a further public interest in avoiding prejudice to any future investigation.

6 By virtue of an exclusion in FOIA 2000, s 63(1). See para 25.72 above in relation to the evolving period applied to historical records.


(b) whether the information is in the public domain (or to what extent): if information is in the public domain, it can add weight to both sides of the balance. On the one hand, it can reduce the importance of securing its disclosure in response to an FOI request. On the other, the argument that harm would be likely to result from disclosure becomes more difficult when the information is already known. The identity of the source, or confirmation of the method used to obtain the information, may be of great importance in establishing the quality of the information to which it relates. Information revealed in open court during a trial may have been relatively widely heard or reported at the time (although it will have been noted, or its significance understood, by a much smaller number). The expectation is that such information recedes from public view after a relatively short time. On that basis, the information may no longer be in the public domain in other than a formal sense, or to a limited degree only. The timing of a request involving information, all or part of which has been disclosed in open court, will be important in relation to the weight of the public interest in either disclosing or in maintaining the exemption.

(c) the value of the information sought, or whether it is significant or sensitive: this may relate either to the effectiveness of the criminal justice system, or to the subject of the investigation or proceedings. The Commissioner points to the request sent by the Guardian newspaper to the police force which investigated the case involving the former Liberal Leader, Jeremy Thorpe, for alleged incitement to murder. In weighing the public interest in maintaining the exemption in s 30(1), the Tribunal took into account whether the information assisted in understanding if the investigation was properly conducted. If there had been evidence of faults in the investigation, this would have increased the weight favouring disclosure7.

(d) whether there is any evidence that an investigation has not been properly conducted, which the information in issue may disclose.

26.21 Distress from disclosing information relating to investigations or prosecutions, including to victims or family members, is not a factor that is relevant to the effectiveness of an investigation or prosecution, or to the protection of confidential sources. The Commissioner suggests that it may be relevant to consider FOIA 2000, s 38 (health and safety) in such cases.

Relationship of ss 30 and 31

26.22 As seen above, the purpose of the s 30 exemptions is to protect investigations of potential crimes, or which may lead to a decision to start a prosecution; and to protect confidential sources. Section 31 protects investigations which do not fall within s 30, and the two are mutually exclusive. They can, however, be used in parallel. If a crime is committed against a public authority and referred to the police, the latter can protect their investigation from disclosure under s 30(1). The public authority, faced with an FOI request about it, could use s 31 to protect the information it has passed to the police, if disclosure would harm the police investigation (eg by enabling suspects to be more fully aware of the investigation). (See below at paras 26.33–26.34 re FOIA 2000, s 31.)

26.23 The two duties to confirm or deny in ss 30 and 31 are not mutually exclusive.

Other relevant exemptions

26.24 Apart from s 31, other relevant exemptions may be: s 40 (in relation to information about individuals); s 41 (confidential information); s 23 (security bodies); or s 24 (national security).

7 Guardian Newspapers Ltd v ICO and Chief Constable of Avon and Somerset Police EA/2006/0017.

Section 31: Law enforcement

26.25 Unlike s 30, the exemption in s 31 requires harm to be demonstrated. The two sections are closely linked: the exemption from disclosure in s 31 only applies where the equivalent exemption in s 30(1) does not, making it important to be clear which of them applies in a given case. (The equivalent exemptions from the duty to confirm or deny are not mutually exclusive.) On the other hand, s 31 provides a range of exemptions designed to protect law enforcement which, because they apply to a wider range of bodies than s 30, and in situations where the latter does not, supplement and reinforce those in s 30.

26.26 Section 31 may be claimed by any public authority; unlike s 30, which applies only to those with law enforcement functions of investigation or prosecution. A public authority may have no law enforcement function, but if it holds information whose disclosure would be likely to harm the prevention or detection of crime, the exemption in s 31 will in principle be engaged.

26.27 The authority may take into account, moreover, ‘mosaic’ or ‘precedent’ effects (ie, respectively, whether disclosure would be likely to be harmful if the information were combined with other information; or whether disclosing part of the information held on a subject would lead to a demand for disclosure of other parts, where disclosure of the whole would be harmful).

26.28 The Commissioner advises that there is a very strong public interest in protecting the law enforcement capabilities of public authorities. It is important, however, to identify the likelihood of harm from disclosure, and the consequences, and not to treat the exemption as absolute8.

26.29 While, as with the exemption in s 30, it would be easier to approach the many terms of s 31 by subsection, it is necessary first to look at the section as a whole, in order to examine the connections between s 31(1) and s 31(2). Section 31(1) states that information – where it does not fall within the exemption in s 30 – will be exempt if its disclosure would, or would be likely to, harm one or more of the following:

(a) the prevention or detection of crime;

(b) the apprehension or prosecution of offenders;

(c) the administration of justice;

(d) the assessment or collection of a tax or duty (ie a tax on goods or services), or any similar [financial] imposition;

(e) the operation of immigration controls;

(f) the maintenance of security or good order in prisons, or other institutions where individuals are lawfully detained;

(g) the exercise by any public authority of its functions for any of the purposes specified in s 31(2) (relating to investigations or enforcement). This is the commonest ground of exemption of this type, and may relate to harm to the exercise for the ‘purposes’ in s 31(2) of the functions of a public authority other than the one answering the FOI question (see para 26.30 below);

(h) any civil proceedings brought by or on behalf of a public authority (NB again, any public authority), which arise from an investigation conducted for any of the purposes in s 31(2) (see likewise para 26.30 below); the investigation having been conducted, by or on behalf of the authority, under prerogative or statutory powers; or

(i) any inquiry held under the Fatal Accidents and Sudden Deaths Inquiry (Scotland) Act 1976 (on a similar basis to (h) above9).

26.30 Section 31(2) sets out the ten ‘purposes’ for which the functions referred to in sub-ss (1)(g)–(i) have to be exercised, and which would be likely to be harmed by disclosure, in order for the exemption to apply. The purposes are:

(a) ascertaining whether any person has broken the law;

(b) ascertaining whether any person is responsible for improper conduct;

(c) ascertaining whether regulatory action would (or may in future) be justified;

(d) ascertaining whether a person is fit or competent to manage a company or other corporate body, or to practise a profession or other activity which he or she is (or seeks to become) authorised to carry on;

(e) ascertaining the cause of an accident;

(f) protecting charities against misconduct or mismanagement in their administration;

(g) protecting the property of charities from loss or misapplication [misuse];

(h) recovering the property of charities;

(i) securing the health, safety and welfare of persons at work; or

(j) protecting other persons (than persons at work) against risk to their health and safety from (or in connection with) the actions of those at work.

8 ICO guidance: ‘Law enforcement (section 31)’, para 88.
9 This work does not deal in detail with specifically Scottish provisions.

26.31 As with other prejudice-based exemptions, it is necessary both to show the anticipated harm (to the required level of likelihood), and that the public interest in maintaining the exemption outweighs the public interest in disclosure, before the exemption will apply in a given case.

26.32 It can be seen from the above that the first part of the section (s 31(1)(a)–(f)) is concerned with the protection of information whose disclosure would be likely to harm what the Commissioner calls ‘general law enforcement activities’ (eg crime prevention and detection, administration of justice, immigration controls etc). The second part (s 31(1)(g)–(i)) is engaged when functions which public authorities carry out for the purposes listed in s 31(2) (eg enforcing against improper conduct, or professional unfitness, or health and safety risks) would be likely to be harmed by disclosure. (The third part, concerning the exemption in s 31(3) from the duty to confirm or deny, is dealt with below at para 26.48.) The term ‘law enforcement’ should be interpreted broadly. As can be seen from the combined scope of the two subsections, it ranges beyond enforcement of the criminal law to include: regulatory action; professional competence and probity; the fitness of directors or managers of companies; charity administration; or health and safety risks to workers, or to the public10.

The components of s 31(1)

Crime prevention and detection – s 31(1)(a)

26.33 This covers any aspect of the prevention or detection of crime, so that it could include information on policies or methods.
Examples would include information about a new policy on detecting money laundering, operational plans for policing major events, or a revised deployment of undercover police resources in relation to organised crime. Information about specific investigations, on the other hand, would fall within s 30(1).

26.34 The exemption also applies to information held by any public authority, including one without any role in investigations or prosecutions. It could include information which the latter authority has passed to a public body with crime-fighting functions. It could also apply to information held by the public authority which, if disclosed, would make it more vulnerable to crime (eg its security arrangements with its bank, or the security procedures at its premises). The information does not have to be held for a crime-prevention purpose to be exempt. It may be information held for the normal purposes of the authority’s functions which, if disclosed, would be likely to harm crime prevention or detection. In Voyias v ICO and London Borough of Camden11, information about empty properties in the borough, which was collected for council tax purposes and to assist the council’s policies to reduce the number of empty homes, was held to have been correctly judged as likely to be used by squatters if it was disclosed12. In the same way, information about the addresses of elderly or vulnerable people in an area, held to assist in the provision of social care in individuals’ homes, may be likely, even if anonymised, to harm crime prevention.

26.35 In terms of the ‘mosaic effect’, information may appear innocuous in itself, but be capable of being combined with other information available in the public domain to provide a bigger picture which could harm crime prevention. In the above example, information about the addresses of vulnerable people (with names removed) could be compared with addresses from the published version of the electoral register to identify households containing a vulnerable person. As well as the risk of burglary identified above, the household could also be targeted with other illegal ‘scams’, such as individuals posing as financial advisers calling door to door to offer loans, seeking bank details or access to individuals’ finances.

Example: Crime prevention

Westborough District Council has supplied some information to HMRC about payments to one of its contractors, a sole trader whom the tax inspectors suspect of evading his VAT liability. An FOI question, made on behalf of a group campaigning for lower public spending, asks for a list of contract payments made in the last year, and to whom they have been paid.

The council contacts HMRC, which tells it that it is still investigating the contractor’s VAT returns, and that disclosure would harm its investigation. The council may apply the exemption in s 31(1)(a) to avoid disclosing that piece of information; subject to the public interest test.

10 See William Thomas Stevenson v ICO and North Lancashire Teaching Primary Care Trust [2013] UKUT 181 (AAC), para 75.

Apprehension or prosecution of offenders – s 31(1)(b)

26.36 This exemption shares ground with the previous one on the prevention and detection of crime. The Commissioner suggests that it might apply more to information about procedures in relation to the apprehending or prosecuting of offenders, where disclosure would be harmful (eg if disclosing a police force’s plan to target particular criminal groups for three months would hamper efforts to secure arrests). It may also apply to an authority which does not have crime-fighting functions, but has assisted another authority which does have such functions, with information; as in the example in the preceding paragraph.

Administration of justice – s 31(1)(c)

26.37 The exemption covers likely harm to the administration of justice. As the Commissioner points out, this is a broad term which applies to the justice system as a whole. It may be used by a public authority in relation to proceedings that have been brought by another body, to avoid undermining them by making a disclosure. While this may overlap with the previous exemption (harm to the prosecution of offenders), it may also apply more generally to cover information whose disclosure could harm the right to a fair trial.

26.38 The guidance includes the example of a forensic evidence service provided by the government to the police in Northern Ireland, where evidence had been provided for a murder trial. The Commissioner upheld the claim of the authority that disclosure would be likely to harm the right to a fair trial (s 31(1)(c)); while recognising that the previous exemption in s 31(1)(b) could also have applied (by assisting those facing prosecution to cover their tracks, or to adopt techniques to avoid detection in future)13.

26.39 Another example might be if a public authority has developed pioneering software to use in detecting money laundering. It has been used to assist in apprehending a syndicate of suspected offenders now awaiting trial. Disclosure of a report on its capabilities, and potential applications, before the trial process has begun would clearly be likely to harm both the trial itself and the apprehension of other offenders in the future, engaging the exemptions in s 31(1)(a) or (b). If disclosure would also harm the administration of justice, perhaps by revealing the need for courts to update their IT in some cases to be able to handle the software during trials (and thus that there may be constraints as to the location and timing of future proceedings, which would affect the speed of prosecutions), the exemption in s 31(1)(c) may also be applicable.

26.40 The exemption is available to the courts, tribunals or other judicial bodies to enable them to avoid disclosure which would affect adversely their operation or administrative arrangements. It would also cover harm to the process of judicial appointments, arrangements affecting witnesses or jurors, liaison between the criminal courts and prisons or other parts of the wider justice system, or in the civil courts with the carrying out of the processes for hearings or court orders.

Assessment or collection of tax or duty – s 31(1)(d)

26.41 The scope of this exemption is also broad, and is likely to cover all forms of national and local taxation, as well as excise duties (taxes on traded goods or services). Harm to the assessment or collection of any such tax, duty or [financial] imposition may arise either from the effect in a particular enforcement case, or in relation to those seeking to evade a form of taxation. If disclosure would enable tax to be more easily avoided (ie for a tax loophole to be lawfully exploited to a greater extent), it may fall within the exemption, since there would be likely to be harm to the amounts collected in tax by the state14. Harm to specific operations by HMRC to seek to prevent tax evasion (eg smuggling) would also give rise to the exemption.

Operation of immigration controls – s 31(1)(e)

26.42 The exemption here will apply if disclosure would, or would be likely to, harm the operation of immigration controls. This includes both the physical points of entry into the country, and systems such as the processing of immigration or asylum applications, or the issuing of work permits. It is necessary to show that harm is likely from disclosure; not merely that the information relates to the system. The guidance includes an example where the Home Office was asked for information about arrangements for a flight that had been chartered for the deportation of failed asylum seekers. It was unable to withhold information about the ratio of guards to asylum seekers, since this altered with each flight; and details of the arrangements for one particular past flight would not assist anyone wishing to obstruct a future deportation.

Maintenance of security in prisons – s 31(1)(f)

26.43 This exemption will cover security arrangements within and outside prisons, and any information likely to harm the orderly running of prisons. The Commissioner suggests that it might extend to information whose disclosure could worsen a volatile atmosphere within a prison. It is suggested that this is correct, provided the test of likely harm would be met. The ‘other institutions’ referred to in the drafting will include any institution where people are ‘lawfully detained’. These currently include Young Offender Institutions, Secure Hospitals, Secure Training Centres, Local Authority Secure Units, and Immigration Detention and Removal Units (potentially overlapping with the previous exemption).

26.44 The guidance includes the example of a request for a floorplan of HMP Belmarsh, which was correctly refused on the ground that it could potentially be of assistance to a person planning an escape15. Another example might be information about regular vehicle movements in and out of a prison.

11 EA/2011/0007 (First-tier Tribunal decision dated 22 January 2013), paras 26–31. See also para 26.50.
12 Squatting has since become a criminal offence. At the time it was not, but was associated with criminal damage.
13 Northern Ireland Office: FS50209828, para 30.
14 See Paul Doherty v ICO and Her Majesty’s Revenue and Customs (HMRC) EA/2011/0202, paras 5–9.
15 FS50383346.

Exemptions linked to functions in s 31(2): ss 31(1)(g)–(i)

26.45 The three remaining exemptions in s 31(1)(g)–(i) are linked to a list of ten ‘purposes’ in s 31(2). The purposes to which they apply were summarised at para 26.30, and are set out more fully at para 26.47 below. The three exemptions are as follows:

• where disclosure would, or would be likely to, harm the exercise by a public authority of any of its functions for the purposes listed – s 31(1)(g);

• where there would, or would be likely to be, harm to civil proceedings brought by (or for) a public authority, arising from an investigation conducted for any of the purposes listed under prerogative (ie Crown) or statutory powers – s 31(1)(h);

• where (in Scotland) there would, or would be likely to be, harm to an inquiry under the Fatal Accidents and Sudden Deaths Inquiry (Scotland) Act 1976 arising from an investigation conducted, for any of the purposes listed in s 31(2), under prerogative or statutory powers – s 31(1)(i).

26.46 The first is the most common. Before the exemption is engaged, the public authority claiming it has to:

— show which public authority has been entrusted with the function to fulfil one of the purposes in s 31(2) (which could be a different authority to itself);
— show how the function would fulfil the purpose;
— show how disclosure would harm the exercise of the function for that purpose.

Example: harm to exercise of another public authority’s function

The police have investigated the circumstances of a road accident in which a public employee was injured near to his place of work. The Crown Prosecution Service (‘CPS’) is considering whether charges should be brought against the driver involved (ie for the purpose of ‘ascertaining’ whether the law has been broken, under s 31(2)(a)). The injured man’s employer, a quango, holds a copy of the police investigation report. It could claim the exemption in s 31(1)(g), if the report were requested from it under the FOIA 2000, on the basis that there would be likely to be harm to the CPS’s consideration (or to any continuing police investigation) if the details were disclosed at this stage (eg from premature publicity). It would need some evidence from the CPS or the police that this was likely. Any likely harm to the employer from disclosure would not be relevant, since it does not have the investigatory or prosecution functions involved.

Section 31(2) purposes

26.47 The ‘purposes’ listed in s 31(2), for which the functions in s 31(1)(g)–(i) have to be exercised, are:

486

FOI Exemptions (sections 30–44) 26.47

(a) ascertaining whether any person has broken the law: the ascertaining may be undertaken by another public authority than the one answering the FOI question. ‘Ascertaining’ connotes, however, ‘some element of determination’ of (in this context) non-compliance with the law16.

Example: s 31(2)(a) (FCO case)

A request to the Foreign Office for information about a leak investigation did not fall within the exemption in s 31(1)(g), read with s 31(2)(a), because while the FCO would identify a suspect, another body had the function of ‘ascertaining’ or determining whether they had failed to comply with the law17. The rationale for the Tribunal’s decision is somewhat difficult to reconcile with the wording of s 31(1)(g), which makes clear that the exercise of the function which would be likely to be harmed by disclosure can be by ‘any’ public authority. It may be that the outcome of the case would have been different if the FCO had reached the point in its investigation of handing the matter to the CPS, or another body with prosecution powers, by the time of the request; so that the prejudice to the ‘ascertaining’ by that body of whether there had been a breach of the law could be demonstrated. This point as to timing may be the real significance of the decision (and the distinction with the example at para 26.46 above).

(b) ascertaining whether any person is responsible for improper [ie unethical] conduct; the ICO advises that she would generally expect there to be a formal code of conduct in each case, and a definition of improper conduct in the relevant field. This exemption may overlap with that in s 31(2)(d) (see below in this paragraph);

(c) ascertaining whether circumstances exist which justify regulatory action under an enactment. This may cover enforcement notices, fines or other sanctions, revocation of licences, or public censure. The harm from disclosure is not to the particular regulatory action itself, but to the ability of the regulator to determine whether any such measures should be taken in the circumstances.

Example: s 31(2)(c)

The Food Standards Agency (‘FSA’) argued that disclosing information about whether meat from cloned livestock had entered the human food chain (and specifically, that it had received no applications to authorise the sale of such meat) would be likely to harm current investigations by local authorities of possible action against meat producers18.

16 Foreign and Commonwealth Office v ICO EA/2011/0011, para 33. This does not, in the view of the author, exclude the ‘ascertaining’ by the police of whether evidence exists, in a criminal case, to support a potential prosecution by the CPS.

17 As footnote 16.

18 FS 50379523.



(d) ascertaining a person’s fitness or competence to manage a corporate body, or in carrying on a profession or other authorised activity. A person’s suitability for a role relates to their fitness for it, while their competence refers to their skills. The ICO advises that the function of determining these is ‘most likely’ to have derived from statute. This will no doubt generally be the case, but the Act does not require it, and s 31(2) refers to ‘purposes’ rather than ‘functions’. It seems that the findings of a self-regulating professional body could also be relied upon by a public authority in this context, provided the authority also itself had express or implied statutory functions to enforce those findings (eg as matters of staff discipline, in relation to a staff member to whom the body’s conclusions related);

(e) ascertaining the cause of an accident: a number of public authorities have responsibilities to conduct such investigations. The guidance refers to an example where information on an ‘incident’ (ie an occurrence dealt with before an accident) was withheld. The exemption could extend to such information, provided it could be demonstrated that disclosure would be likely to undermine ongoing or future investigations into accidents;

(f) protecting charities against misconduct or mismanagement;

(g) protecting the property of charities from loss or misapplication; or

(h) recovering the property of charities.

These three exemptions (f)–(h) raise issues normally dealt with by the Charity Commission, rather than the Information Commissioner.

(i) securing the health, safety and welfare of persons at work;

(j) protecting persons other than those at work against risk to their health and safety arising from or connected with, actions of persons at work.

These two exemptions (i)–(j) most naturally relate to functions of the Health and Safety Executive.
While all employers have health and safety obligations in relation to their employees, and to the public, the exercise of these does not give rise to the exemption, since they are not specific roles given to them as part of their functions. Thus the activities of an NHS primary care trust which had a function of monitoring and improving healthcare were capable of falling within the exemption in s 31(2)(j)19; whereas the normal health and safety functions of an employer would not.

26.48 The duty in s 31(3) to confirm or deny applies, unless disclosing this information would, or would be likely to, itself harm any of the activities listed in s 31(1), summarised at para 26.29 above. The NCND exemption, as opposed to the rest of s 31, is not mutually exclusive with the same exemption under s 30. If requests concern a particular individual or body, and are likely to be repeated, and confirming that certain information was held in a particular case would be harmful if a different answer were to be given on another occasion (eg whether a particular person was under investigation), it may be better to adopt a consistent approach to cases of that kind by neither confirming nor denying as a general approach20. (The harm, on which the exemption would rely, would be that likely to arise if an actual investigation were to be confirmed).

19 See William Thomas Stevenson v ICO (as footnote 11 above) para 82; and discussion at paras 69–84 of the judgment.

Public Interest test

26.49 The exemptions in s 31 are not absolute, and cover a variety of activities. There is a very strong public interest in preventing harm to law-enforcement activities21, and the avoidance of such harm is likely to form the core of the public interest arguments against disclosure; but both the likely harm, and the public interest in avoiding it, have to be demonstrable in relation to the specific information in each case. Some of the public interest arguments will overlap with those relating to s 30. There is a general public interest in disclosure, in holding law enforcement bodies to account and maintaining public confidence through increasing the transparency with which they carry out their functions, and these will need to be weighed against each other.

26.50 There is a strong public interest in protecting individuals from the impact of crime, which includes its psychological effects. An increased fear of crime can be taken into account, even if the likelihood is judged to be less serious than may be perceived. In the Voyias case (see also para 26.34 above) the Upper Tribunal stressed: the breadth of criminal activity which could result from squatting in empty houses, including reducing the quality of life for neighbours; the risk of encouraging wider crime; and, the likelihood that criminals would change their behaviour if a list of empty properties were available. Equally, only realistic possibilities of likely criminal activity, and their consequences, should be taken into account22.
26.51 In relation to non-criminal matters, the relevant public interest factors will be those concerned with protecting the interest concerned (eg in preserving the effectiveness of investigations of professional competence). The timing of a disclosure, perhaps before lines of inquiry have been fully pursued, when investigators may need ‘thinking space’ away from public scrutiny, may be important as to the likely level of harm.

26.52 Information provided confidentially to an investigation may be protected under s 31(2), without needing to show harm to the specific investigation. The public interest may be in avoiding harm to a confidential source; or, if the source is not confidential, in avoiding harm from discouraging individuals from voluntarily passing information to investigations.

26.53 As well as promoting accountability, the circumstances of the case may point to there being significant weight in favour of disclosing particular information; including where there has been controversy over the type of action undertaken, or how it has been carried out. This may be sufficient to outweigh what may also be good arguments not to disclose methods or operational approaches. Similarly, if there is some evidence of a lack of thoroughness in an investigation, undertaken in response to concerns about the activities performed, care should be taken to give proper weight to the public interest arguments for disclosure. A mere allegation that information affecting probity is being withheld is not sufficient, without more; some plausible basis is needed. If the information being sought would reveal some wrongdoing, however, this would be a strong public interest factor in favour of disclosure.

20 See ICO guidance on s 31 (as footnote 8 above), paras 79–87.

21 See footnote 8 above.

22 London Borough of Camden v ICO and YV [2012] UKUT 190 (AAC), paras 10–14. See also para 26.34.

Historical records

26.54 Unlike s 30, the exemption in s 31 applies to historical records, if there would be continuing harm from their disclosure. (See para 25.72 as to the changing periods for maintaining such historical records). After 100 years from the year following the creation of the information, the exemption in s 31 ceases to apply; including in relation to confirming or denying the existence of the record23.

Other relevant exemptions

26.55 Section 40 (including confirming or denying the existence of a record about a third party individual) may be relevant in cases involving s 31. Other possibilities, apart from s 30, may be s 38 (health and safety), s 35 (policy formulation), or s 36 (prejudice to conduct of public affairs).

Section 38: Health and Safety

26.56 Preserving the order in the FOIA 2000, this exemption is dealt with at paras 26.177ff below.

Section 32: Court, inquiry or arbitration records

26.57 Section 32 provides an absolute exemption for information ‘held only by virtue’ of being contained in documents created or held for the purposes of proceedings of a court, inquiry or arbitration. (A ‘court’ includes a tribunal in this context). The purpose is to protect the judicial system’s processes of ‘discovery’ (where each side in litigation lists the relevant documents it holds, and exchanges that list for the lists of the other party or parties), and of exchange of documents, from being circumvented by FOI.

23 FOIA 2000, s 63(4) and (5).



26.58 The courts and similar bodies are not subject to the Act, so the main authorities likely to rely on this exemption will be those public authorities which have been party to court or similar proceedings about the matters underlying the request; or, which have a regular relationship with the courts because of their functions.

26.59 The exemption applies to information of the types specified in s 32; and, which is held by the public authority only by virtue of being contained in such a document. This will exclude from the exemption documents or their content which, while they may have been used (or will be) in court proceedings, were not drawn up for that purpose; unless they are no longer being held also for the original purpose, and are now held solely for the purposes of the proceedings.

26.60 The issue is largely dependent on the route by which the information was acquired, or for which it was created. If the document was originally created for proceedings, but information is subsequently extracted from it for another use, that information will still be covered by the exemption24. If it is not clear whether it was created for the purpose of proceedings, a ‘dominant purpose’ test may be used to establish the main purpose. If the authority is satisfied that the main purpose for its creation was for use in particular proceedings etc, it may apply the exemption. If it finds that it was primarily created for another purpose, it cannot claim the exemptions in s 32(1)(c) or 32(2)(b)25.

26.61 The types of documents specified are those:

— filed with (or otherwise placed in the custody of) the court, or an inquiry, for the purposes of proceedings (eg claim forms, witness statements);

— served upon a public authority (ie by another party in proceedings) for the purposes of the proceedings (eg disclosure lists, skeleton arguments);

— created by the court, or a person conducting an inquiry (eg the judge’s notes); or, by a member of court staff, for the purposes of the proceedings (eg a record in a case management system).

26.62 The exemption applies to the duty to confirm or deny to the same extent as to disclosure.

26.63 The proceedings will need to be in process, to the extent that documents are being created, filed or exchanged. Subject to the point in the following paragraph about historical records, there is no time limit for the exemption’s continued application, once any proceedings have been concluded. As noted above at para 26.57, however, the exemption applies only so long as the information continues to be held ‘only by virtue’ of being contained in documents created or held for the proceedings.

24 ICO guidance: ‘Court, inquiry or arbitration records (section 32)’, paras 40–42.

25 Ie the exemptions for documents created by the court or its staff, or by a person conducting an inquiry or arbitration (see ICO guidance, as footnote 24, paragraphs 50–56).



Historical records

26.64 The exemption does not apply to an historical record26. As indicated above, the period is reducing towards 20 years by the end of 2022 (see para 25.72).

Other relevant exemptions

26.65 Other relevant exemptions would include s 40(2) and (3A), in relation to personal data; and, s 21, in relation to information which is ‘reasonably accessible’ elsewhere. Under the Civil Procedure Rules (‘CPR’), there is a right of access at the discretion of the court in civil cases (and this is an area in which the courts’ view is changing towards greater access). The information might also have been published elsewhere (eg in the press). There is no equivalent regime in criminal cases.

Section 33: Public Audit functions

26.66 Section 33 provides an exemption for information about public audit functions. It applies to public authorities that have functions to carry out audits, or similar inspections, of other public authorities, where disclosure would or would be likely to harm those functions; subject to the public interest test.

26.67 There is also an exemption from the duty to confirm or deny where disclosure of whether the information was held would, or would be likely to, harm the audit functions.

26.68 The section says that the exemption applies to any authority which has functions in relation to audits of the accounts of other authorities; or, to the examination of the ‘economy, efficiency or effectiveness’ of their use of resources. Information held by such an authority, whose disclosure would, or would be likely, to harm the exercise of any of its functions as to those matters will be exempt (and the duty to confirm or deny will likewise not arise); subject, in either case, to the public interest test.

26.69 The exemption applies only to authorities which have those functions, arising from statute or informally. This will include bodies such as the National Audit Office, or the Northern Ireland Audit Office. (The Audit Commission for Local Authorities and the National Health Service in England was abolished in 2015). Other bodies examining efficiency or effectiveness (and which can therefore claim the exemption) include the Office for Standards in Education, Children’s Services and Skills (‘Ofsted’), HM Inspectorate of Prisons, or the Care Quality Commission. In the case of Ofsted, for example, the ICO accepted that this arose through examination in the school inspection process of the use of financial resources27.

26 FOIA 2000, s 63(1).

27 FS50123184, para 32.



26.70 It cannot apply, however, to internal audit by public authorities of their own activities. It also does not apply to the body being audited. It appears to be uncertain, however, whether (for example) if a local authority were to audit another public body under an exercise of its general powers – perhaps in connection with a wider exercise of public scrutiny – it would be eligible to claim the exemption in those circumstances.

26.71 The sorts of information which might be capable of being withheld include draft audit reports, correspondence by the auditors with the audited body, or information provided to the auditors by whistle-blowers. Harm to the flow of information to auditors, or efficiency scrutineers as a result of disclosure, would be significant in public interest terms. The exemption would not apply to methodologies already in the public domain, or a report whose findings had already been published; conversely, a methodology which had not been published, and whose future effectiveness would be likely to suffer from disclosure, would be included. The proposed timing of disclosure would be important. The harm could be to a particular scrutiny exercise, or to general audit procedures.

Public interest test

26.72 Arguments in favour of maintaining the exemption would include ensuring that the function could be carried out effectively, and protecting the integrity of the process. The preservation of the free flow of information from informed persons to auditors would be likely to carry weight; both in general, and in specific instances where it might previously have proved to be relevant. On the other hand, publicity in some specific cases could be expected to encourage greater disclosure of information about them; and this might need to be balanced with the public interest in not discouraging other flows in the future.

26.73 In favour of disclosure, arguments such as improving the accountability of public bodies, as well as developing public knowledge of and participation in debate, and enhancing the accountability of decision-making, will all be relevant.

26.74 The timing could be an argument for disclosure, if the main report or decisions had been made; or against, if the process was still ‘live’.

Historical records

26.75 The same rules will apply to public records as above for court records (see para 25.72); the exemption in s 33 is removed where the information is in an historical record28. The instances where there would be harm to the audit functions after a period of that length may arise only rarely.

28 FOIA 2000, s 63(1).



Other relevant exemptions

26.76 Other exemptions may apply only occasionally, given the specific scope of s 33, but potentially-related matters might arise under: s 30 (investigations by public authorities), or s 31 (law enforcement); s 35 (policy formulation) or s 36 (prejudice to conduct of public affairs); or, s 41 (information provided in confidence) or s 42 (legal professional privilege).

Section 34: Parliamentary Privilege

26.77 Parliamentary privilege is not defined in the Act. It is a set of constitutional principles which protect the ‘proceedings’ of Parliament from being questioned in any court; and also the right of either House to manage its own affairs and to exercise sole jurisdiction over its own proceedings. There is no precise definition of ‘proceedings’, but they include formal actions of either House, their business, or decisions. Debates, questions, select committee proceedings, and the work of officials arising from such proceedings, or on behalf of either House, are included. This means that (for example), unpublished reports, memoranda accepted by committees, correspondence involving members or officials relating to proceedings, bills and amendments introduced into either House, or papers from external advisers to either House, or papers produced by the Library of either House relating in either case to proceedings, may give rise to the exemption.

26.78 The exemption applies where disclosure of the requested information would infringe the privileges of either House; and thus the exemption is required to avoid this consequence. The exemption is absolute. The duty to confirm or deny does not apply if, or to the extent that, exemption from that duty too is similarly required to avoid an infringement. The ICO advises that authorities outside Parliament which may be in doubt, as to whether confirmation or denial that they hold information would infringe Parliamentary privilege, should contact the relevant House for advice.

Example: Parliamentary privilege

The Chair of your organisation has been asked to give evidence to a House of Lords select committee in six weeks’ time on a controversial policy issue. The timetable has not yet been published by the committee. Your colleagues are in discussion with the select committee staff over which areas the Chair should cover, in a memorandum to accompany her evidence. Campaigners on the issue hear something about it and ask under the FOIA 2000 for the date of her appearance, and any supporting documentation. You would be right to seek the advice of the select committee staff over whether you should confirm or deny that the correspondence is held.

26.79 A certificate signed by the Speaker of the House of Commons, or by the Clerk of the Parliaments (the senior official in the House of Lords), is conclusive evidence that exemption from either or both of the disclosure duties is required. Such a certificate may be issued at any stage; eg while the public authority (whether the relevant House, or another authority) is dealing with the request; or later (eg when the ICO is considering a complaint).

26.80 While the exemption applies mainly to information requested from the two Houses of Parliament, it also applies to public bodies holding information which is relevant to Parliamentary proceedings. This is particularly the case with government departments, which will hold a considerable amount of such information, because of their regular liaison with select committees which either shadow their work, or hold inquiries of relevance to them; as well as in relation to primary and secondary legislation sponsored by the department, and Parliamentary Questions for which it drafts answers for delivery in either House. The exemption may also apply to any other public authority which has become involved in working with Parliament.

26.81 It is important to apply the exemption correctly; there is less discretion to disclose information which could be exempt than elsewhere under the FOIA. This is because, while disclosing too little will breach the FOIA as much as under any other exemption, disclosing too much would be a breach of Parliamentary privilege. Care is needed, therefore, by public authorities which do hold such information. If your authority does not deal with these issues regularly, and receives an FOI request involving such information, but the scope of what may be privileged information is not clear, it would be sensible (and the ICO advises) that you seek advice on that point from the relevant House.

26.82 Correspondence with a public authority from an MP or peer, or a Minister, is not privileged, unless it relates also to current or potential proceedings in either House, since privilege issues may arise inadvertently. Care is needed, therefore, if the Parliamentarian concerned is involved in current or forthcoming proceedings on the matter (eg as a member of a Commons standing committee on a bill; or of a select committee undertaking scrutiny in the relevant area of policy).

26.83 Both Houses now routinely publish large amounts of information. While much of it will not be privileged, once published, some may be. The Commissioner suggests that one response to an FOI question, concerning information published by either House of Parliament, could be to exempt the information under s 21, on the basis that it is reasonably accessible elsewhere. If this is not the case (perhaps because, although formally published, the information does not appear to be reasonably accessible), advice may still be necessary from the relevant House, as to whether disclosure by your authority would infringe Parliamentary privilege29.

29 ICO: ‘Parliamentary privilege (section 34)’, paras 27–28.

Section 35: Government policy

26.84 The exemption in s 35 is available to the government only. It contains four types of exemption. The Commissioner now recognises these are ‘designed to protect good government and provide a safe space for policymaking’30. The ICO was not always so understanding of the need for such protection; initially taking a rather restrictive view of s 35.

26.85 The exemption is class-based, and the classes are broad; there is no need to show harm for it to be engaged. On the other hand, the exemption is subject to the public interest test; and there is no automatic public interest in (or extra weight attaching to the public interest arguments for) withholding disclosure. In practice, the harm from disclosure will need to be identified as part of the public interest test.

26.86 The exemption provides in s 35(1) that information held by a government department, or the Welsh Government, is exempt if it relates to:

(a) the formulation or development of government policy;

(b) Ministerial communications;

(c) the provision of advice by any of the Law Officers, or any request for such advice;

(d) the operation of a Ministerial private office.

26.87 Once a decision as to government policy has been taken, any statistical information used to provide an ‘informed background’ is not to be regarded as falling within s 35(1)(a) or s 35(1)(b) above.

26.88 The duty to confirm or deny does not arise in relation to information which is exempt under subsection (1) (or which would be if it were held by the public authority).

26.89 In assessing the public interest in relation to s 35(1)(a) above (formulation of government policy), regard must be had to the particular public interest in disclosing factual information used (or intended to be used) to provide an informed background to the decision. In other words, the authority has to give special weight to the public interest in disclosing background information, even on decisions yet to be taken.

26.90 In terms of overall scope, government policy includes the policy of the Executive Committee of the Northern Ireland Assembly, and of the Welsh Government. The law officers in Scotland, Wales and Northern Ireland are included (see s 35(5)). ‘Ministerial communications’ are defined in s 35(6) as any communications between Ministers within the administrations in the UK, Northern Ireland and Wales (although not between ministers in different administrations31). They also include the proceedings of the UK or Welsh Cabinets (or a committee of them); or of the Executive Committee of the Northern Ireland Assembly. A ‘Ministerial private office’ includes any part of a government department which provides ‘personal administrative support’ to a Minister of those three governments (including a junior Minister in Northern Ireland).

30 ICO: ‘Government policy (section 35)’, page 3, Overview; and see also para 6.

31 See ICO guidance on s 35, as footnote 30, para 101, which suggests the exemption in s 28 (prejudice to relations within the UK) in such cases.

The different elements of the exemption

26.91 The Commissioner advises treating the four elements of the exemption as separate exemptions: policy formulation; Ministerial communications; advice from the Law Officers; and, the operation of Ministerial private offices. The relevant public interest arguments will vary between them, and the ICO advises the following:

(a) policy formulation: public interest arguments will be strongest when the policy process is ‘live’;

(b) Ministerial communications: there will be a significant public interest in protecting ‘collective responsibility’, particularly if views on the issue being discussed differ within government;

(c) Law Officers’ advice: the public interest question will be whether disclosure would undermine the convention that such advice is given confidentially;

(d) Ministerial private offices: public interest arguments should concentrate on any potential damage to the effective administration of private offices, arising from the content of the information in question; rather than as a generic argument about information of that kind.

26.92 The information covered must ‘relate to’ one of the four types of activity; the term should be applied broadly. The information may have been created in relation to the activity; but need not have been. It may have preceded the activity and been used later as part of it; or may even have been created after the activity, if it refers back to it32. If the majority of a given piece of information relates to the activity, any associated information will also do so.
If a document cannot be divided, it may be considered as a whole; and even a minority of a document may draw it within the scope of the exemption: in a case about information on a crisis in school funding, one bullet point of a note on the factual background referred to a potential policy approach; and this was sufficient for the whole document to be covered by the exemption33.

32 See Dermod O’Brien v ICO and Department for Business, Enterprise and Regulatory Reform (DBERR) EA/2008/0011, (decision 7 October 2008), para 20(2).

33 Department for Education and Skills (DFES) v ICO and Evening Standard EA/2006/0006.

(a) Policy formulation or development

26.93 The purpose of the element in s 35(1)(a) is to ‘protect the integrity of the policy-making process’ by preventing disclosures which would undermine it and result in ‘less robust, well-considered or effective policies. In particular, it ensures a safe space to consider policy options in private’34.

26.94 Beyond stating that it includes the policy of the Northern Ireland Executive and the Welsh Government, the Act does not define ‘government policy’. The guidance refers to the process by which government translates its vision into programmes of action, at either high or detailed levels35. At Cabinet level, a policy will be decided by that body or a Cabinet sub-committee. Within a department, policy will be approved by a minister. It should not be assumed, however, that all matters approved by Ministers are policy, as they may also become involved in operational issues which have political importance. Policy ‘formulation or development’ does not include its application or implementation.

Policy formulation

26.95 ‘Formulation’ includes the analysis of options, the identification of risks, consulting on and recommending proposals, and promoting legislation (if it is required). It lasts up to the point of decision; or, in some cases, up to the announcement of the policy. The Commissioner accepts that the formulation and implementation of a policy may overlap in some cases. If difficulties are envisaged with the implementation, this may affect the approach to its formulation; and this may continue even after an initial decision on it has been taken.

26.96 The ICO does not accept, however, that policy is a continuous process36. In her view, it is more likely that periods of policy-making will be followed by periods of implementation; which may in certain cases be followed by further policy-making. The Tribunal agrees with this approach37.

26.97 The ICO suggests three characteristics of policy-making38:

— the final decision will be made by a Minister or the Cabinet;

— the government intends to achieve a real-world outcome or change;

— the consequences will be wide-ranging.
26.98 It is respectfully contested that the second and third of these suggested characteristics are too narrow. Policy-making within government is from time to time undertaken with the aim of avoiding unpalatable options, by producing alternatives; or in order to delay a decision until a more propitious time. It may arise from political priorities which, while important and legitimate, may not have ‘real-world’, or wide-ranging, consequences. While such decisions (or episodes in the formulation of a policy) may, at least in some cases, carry a lesser weight of public interest in their non-disclosure, it is respectfully suggested that they should not be seen as outside policy-making simply because they do not fall into the three criteria suggested above.

[34] ICO guidance on s 35, as footnote 30, para 23.
[35] ICO guidance on s 35, as footnote 30, para 26.
[36] ICO guidance on s 35, as footnote 30, para 37.
[37] See DFES v ICO and Evening Standard, as footnote 33, para 75(v).
[38] ICO guidance on s 35, as footnote 30, para 42.

26.99 The Commissioner rightly, however, notes that the sensitivity or otherwise of information considered for disclosure may vary over time (both up and down); and thus that the timing of a request may be very important in assessing the public interest.

Policy development

26.100 The Commissioner sees the ‘development’ of policy as including the review, improvement or adjustment of existing policy, when this is done at a significant level. It is suggested that the extension of a policy to a new area or group (or its withdrawal from an existing field of application) may also constitute ‘development’. The Commissioner suggests that if the original policy is seen as a framework of ‘rules’, adjustments within those rules should be seen as implementation, rather than policy development[39]. While this will often be the case, it is also suggested that authorities should be entitled to treat new aspects of a policy as falling within ‘development’, where it can be shown that the issues have moved outside the confines of the previous rules. The ICO advises that a decision in a specific case is unlikely to be a policy development; unless it leads of itself to a review or extension of the policy; and that a government response to a question will likewise not be a policy development where it merely explains or justifies the position; unless it too involves a review.

26.101 Since the information has to be held by a government department to fall within the exemption, non-departmental public bodies – which are not government departments – may not claim it (and should consider FOIA 2000, s 36 instead). Executive agencies and non-ministerial departments are government departments, however, and may rely on s 35.
Such departments will hold some information about the formulation or development of policy, although as operational bodies they are likely to have less involvement with Ministers, and may often only assist with policy-making rather than being directly involved with it.

[39] ICO guidance on s 35, as footnote 30, para 56.

26.102 If information ‘relates to’ both policy formulation/development, and to implementation, the former need not predominate in order for the information potentially to fall within the exemption: a significant element of policy will be sufficient.

Policy formulation and development – public interest test

26.103 If the focus of this element of the exemption is on protection of the integrity of policy-making, the public interest factors should similarly be concerned with this aspect. The main elements of the public interest in favour of maintaining the exemption will be: (i) the ‘safe space’; (ii) the ‘chilling effect’; (iii) collective responsibility; and (iv) (borrowing from decisions under the EIR) the avoidance of a distraction from the public debate.

26.104 It is important to note that there is no inherent public interest in withholding information relating to policy which falls within the exemption[40]. The same balance applies as in other exemptions, and each case has to be considered on its merits. There is no constitutional or overriding public interest argument (other than in the weight given to ‘collective responsibility’) to withhold information on policy formulation or development; and it is not correct to withhold any type of such information as a matter of course. Given the breadth of the information potentially falling within the exemption, therefore, the public interest arguments both limit its effective scope, and can make the outcome finely-balanced.

[40] See Office of Government Commerce v ICO and Attorney General [2008] EWHC 737 (Admin), paras 76–79. See also DFES v ICO and Evening Standard, as footnote 33, paras 27–36 and 69ff.

(i) Safe space

26.105 The main ground will generally be a need to maintain a ‘safe space’ in which to consider policy without: the distraction of premature disclosure or scrutiny; the need to devote resources to explanation of options before they have been fully considered; or even the risk of attempted lobbying which may distort priorities. The relevant timing is the date of the request. The discussions may be those of officials, or of politicians or other decision-makers. As indicated at para 22.40 in relation to the same issues under the EIR, the need for a safe space may take a number of forms. Examples might include where:

— the full and frank discussion of the options may be inhibited by concern over its reception on publication;
— the disclosure of options, before they have been fully assessed, may lead to some being given inadequate consideration, or being prematurely discarded;
— external factors (such as the public response to publication at that time) may exercise a disproportionate influence over decision-making, or inhibit discussion;
— options may be described differently, with greater account taken of presentational issues than of critical analysis, if they are likely to be scrutinised in public (especially at, or shortly after, the time of the decision);
— opening the debate to public scrutiny, before all the information necessary to describe and explain the options has been assembled, may distort the decision-making process;
— a likelihood of disclosure may cause internal discussion or communication to be conducted with a greater eye to presentational or procedural issues, if this would make decision-making less innovative or efficient; or inhibit the frank testing of options;
— opening those taking the decision to external interference or distraction may inhibit the range of options or compromises under discussion, or otherwise harm the decision-making process;
— resources may be diverted from the policy-making process to explaining the options considered or rejected, or to handling the public response;
— long-term issues may be less thoroughly considered, if the perceived impact of disclosure would narrow options for the future;
— an expectation of an adverse impact from disclosure on financial or other markets may lead to the exclusion of relevant information, or policy alternatives, from the matters under consideration; or constrain the thoroughness of scrutiny;
— a perceived risk of adverse repercussions on diplomatic relations, following publication, may cause relevant information or considerations to be omitted from the decision-making process, or to be examined less closely.

The avoidance of any of these adverse consequences, if they were likely to occur in any given case, would also be relevant to the public interest test.

26.106 The issues are substantially the same in relation to the EIR (reg 12(4)(d) and (e)), and FOIA 2000, s 36. Attention is drawn in particular to the limited public interest which may attach to the publication of draft versions of documents, where the final versions have been published[41]. See also the discussion of the safe space in the context of the EIR, reg 12(4)(d) and (e) in Chapter 22 at paras 22.40–22.47 and 22.70–22.72; and in relation to FOIA 2000, s 36, in this chapter at para 26.161(iii).

26.107 The timing of the request is often very important, in terms of the prejudice said to be caused to the process. If the matter is ‘live’, there is likely to be a strong public interest in not disclosing information about it, other than exceptionally[42]. When a policy has been finalised, the Commissioner advises that the public interest arguments for protecting the process will become weaker; while accepting that a government may need a safe space for a further short period, even after the policy process is complete, in order to explain its policy and ‘frame the debate’; although this would need to be justified in each case[43].

[41] See paras 22.38 and 22.42–22.43.
[42] See ICO guidance on s 35, as footnote 30, para 81.
[43] ICO guidance on s 35, as footnote 30, paras 87–88.


26.108 If the decision has been taken, and there is no apparent need for it to be developed or reviewed in the manner described above, there may be no continuing need for a safe space; or it may be relevant to consider whether the exemption for policy formulation and development under s 35(1)(a) continues to apply (see Amin case, at para 22.70). On the other hand, if the matter properly still forms part of development, and there would still be likely to be an adverse effect if published (eg as to financial or diplomatic consequences), this may provide evidence of a continuing value in a safe space for a period afterwards; or, show that exemptions such as those in FOIA 2000, s 29 (the economy) or s 27 (international relations) would be relevant; additionally, or instead of s 35. It may also be the case that the need for a safe space may recede after an initial announcement; but then recur when a further stage of policy development is required (eg to deal with unforeseen difficulties requiring a review of the policy). Or, as acknowledged in Webber (para 24), relying on Amin (para 110), harm caused to a need to revisit the issue in the future by a disclosure now in response to the request can also be taken into account[44].

26.109 Once a policy has been announced, the public interest arguments for disclosure of the considerations which went into its development, and possibly of the process involved (especially if in some way unusual) are likely to become weightier. If there is also a continuing value in a safe space, therefore, it may have to be balanced against this likely increase in weight in favour of disclosure.

26.110 This increased weight will add to the generally strong public interest in favour of disclosure, because of the nature and importance of governmental policy-making, and the need to promote accountability, increase public understanding of decision-making, and assist public debate about, and scrutiny of, public policy decisions[45]. Departments should also always be alert to factual background information ‘which has been used, or is intended to be used, to provide an informed background to decision-taking’ (s 35(4)); and to the particular public interest in its disclosure.

26.111 One feature of the policy process which is not greatly considered, however, is that the announcement of a major government policy (eg as a result of a White Paper and successful consultation on it) often requires legislation before it can be implemented. The process of Parliamentary consideration of a major measure involves considerable departmental resources, often undertaken over one or two years, in drafting (or commissioning the drafting) of the proposed legislation, discussing the proposals in detail with interested organisations, briefing Ministers on it, explaining its effects as it is debated in both Houses, and considering (or giving reasons to resist) amendments put forward to it in debates. Many changes are also usually made at a detailed level to bills as they progress through Parliament; and from time to time major changes are also introduced or accepted. The process involves policy formulation and development, and illustrates how the process of determining a policy is often much wider than a single point of decision.

[44] Cabinet Office v ICO and Webber [2018] UKUT 410 (AAC); Amin v ICO and Department for Energy and Climate Change [2015] UKUT 527 (AAC). See also para 22.70.
[45] ICO guidance on s 35, as footnote 30, para 90.


26.112 It may also be borne in mind that the implementation of a policy, after its formal approval, may take months or years; and may itself include a number of policy questions as to how it is to be applied. Much of the practical impact of legislation, for example, comes from its implementation in statutory instruments, or statutory or voluntary codes; the terms of which are only broadly prescribed in the primary statute, and which are often extensively discussed (after enactment of legislation) with interest groups before they are introduced (or, in the case of codes, on occasion produced by the industry or professional organisation concerned). While it is acknowledged that the ICO accepts that periods of policymaking may follow implementation, as well as precede it (see para 26.96 above), it is respectfully suggested that this routine process of how new policies are introduced after their approval is insufficiently considered in the ICO’s guidance. While there is a distinction between practical questions which properly fall within the implementation, rather than the ‘formulation’ or ‘development’, of policy at those later stages, there will also be occasions when how the new policy is to be applied itself gives rise to questions of policy. Examples might be: whether to exempt certain persons or categories from the new rules, for a ‘policy’ reason; the tightness or otherwise of any regulatory regime applying to those rules; the content of codes of guidance (particularly in an innovative area), which can affect the breadth or depth of the policy’s impact; or, whether the implementation of the legislation is delayed for a significant period, for ‘policy’ reasons, or even (on occasion) proceeds at all.

(ii) Chilling effect

26.113 The second ground is that there would be likely to be a ‘chilling effect’ from disclosure on the openness or candour of future internal debate. This occurs less frequently than the safe space. It is generally taken to apply only to officials, although there is no reason why the openness of debate amongst politicians or other ultimate decision-makers may not also be inhibited in this way. The problem with the chilling effect is that it is speculative: the effect, if there is one in a given case, is usually posited to be likely to occur to a future debate, rather than to the present one (although if there is likely to be an effect on the present issue, that can be a powerful argument). The inhibition in most cases has, therefore, to be envisaged in future similar circumstances, as arising from a disclosure of the information held about the present matter, and as applied to the present. While this may be difficult, it is not impossible to demonstrate. It also reflects a genuine issue; albeit one which the ICO and Tribunal have sometimes been reluctant to recognise.

26.114 Officials, and decision-makers, may be placed in a difficult personal position by disclosure of their advice, or of the views they expressed in reaching a decision. The formation and taking of policy decisions are often extremely difficult, involving important choices in constrained circumstances. It is inherent that they may be publicly controversial, once announced. Those making, rather than framing, the decision may often face the greatest difficulties, as they will be required to defend the policy publicly; even where they may personally have preferred a different option, or where they may have disappointed their supporters by agreeing to a compromise proposal. The inhibiting effect created by exposing their private deliberations, while making the decision, may readily be apparent in a given case. It may also be possible to demonstrate how such an inhibiting effect would harm the quality of the present decision-making process (eg by meaning that the options were not so thoroughly tested by the individuals concerned). The issue may be whether that inhibiting effect, if it would operate in relation to the decision in hand, could be expected to apply also to a similar decision in the future.

26.115 The issue in relation to officials has arguably become somewhat sidetracked by discussion of whether impartiality and fearless advice can be expected of civil servants in giving unwelcome advice to politicians[46]. It is suggested that insufficient weight has been given to awkward situations which can arise in a stressful working environment; or to situations where discretion may be needed in order to make advice more effective. The fundamental issue, however, is not whether officials should be expected to be personally robust in their dealings with Ministers (even in the much more challenging environment created by social media and mass communications); but whether disclosing the terms in which frank advice has been given could be expected, if published, to make such candour less likely to be used in future. This may be relevant if, for example, the published terms of the advice proved to be embarrassing for the Ministers or officials involved.

26.116 The Commissioner’s view, as expressed in her guidance, is that ‘chilling effect arguments cannot be dismissed out of hand and are likely to carry some weight in most section 35 cases’ (see also para 22.74)[47]. Such arguments are more often successfully relied upon, however, than this quotation might imply. The ICO goes on to say that they do not ‘automatically carry significant weight’, and that arguments for a chilling effect must rely on timing, whether the policy is ‘live’, and the content and sensitivity of the information in question. They can operate in different ways:

— if the policy is live, a chilling effect argument about those continuing discussions can have ‘significant weight’;
— if the policies, that are said potentially to face a chilling effect, are ‘closely related live policies’ (eg in a similar area, or on an allied topic) they may ‘also carry weight’;
— once the policy has been finalised, however, the arguments become more ‘speculative’.

[46] See DFES v ICO and Evening Standard EA/2002/0006, paras 72 and 75(vii), (DFES case); & Scotland Office v ICO 2007/0128, paras 70–71.
[47] ICO guidance on s 35, as footnote 30, para 204; based on Friends of the Earth v ICO and Export Credits Guarantee Department [2008] EWHC 638 at para 38; in which Mitting J referred to the DFES case (in footnotes 33 and 46), paras 27–36, and 53, 63 and 70.

26.117 The considerations may best be summarised as:

— Generic arguments about future debates as a whole being compromised will not be successful: it is necessary to show why the specific disclosure is likely to have an inhibiting effect on the candour of future advice of a particular type.
— If the issue remains current, and there would be likely to be a chilling effect on later stages of that issue, if it can be demonstrated; there may be a strong argument against disclosure. A chilling effect on a similar future issue (or a recurrence of the present one, if it is reviewed from time to time) is also likely to have some degree of weight.
— A genuine concern over the likely consequence of disclosure for the candour (including the means of expression) of future advice, especially unwelcome advice, which can be explained straightforwardly, should be pursued rather than discounted (particularly if the main reason not to do so would be because of concerns that officials would be perceived as insufficiently robust).

(iii) Collective responsibility

26.118 The convention of Cabinet ‘collective responsibility’ holds that government Ministers may express views freely and disagree privately before a Cabinet decision is taken, but are deemed all to be in agreement once the decision is made. Ministers are similarly jointly responsible for the government’s policies and decisions, and expected to defend them. In return, the privacy of opinions expressed in Cabinet and ministerial committees should be respected. The convention is regarded as central to the operation of government in the UK’s unwritten constitution, and the Commissioner’s view is that it will always carry significant weight where it applies[48]. It will arise where a disclosure would demonstrate divergent views, where they were expressed, as this would undermine the unity and smooth running of government.

26.119 The weight may be reduced to a degree if the politicians concerned are no longer politically active, or if other materials on the matter such as memoirs have been published, or if a significant length of time has passed since the issue concerned. Whether the confidentiality which is protected by the convention would be undermined in a particular case, however, will depend upon the circumstances. Whether the issue is still ‘live’ will be less important, since the need to defend it, and the confidentiality surrounding decisions about it, will continue for a period after the issue itself has been resolved; and the constitutional principle will remain in place.

[48] ICO guidance on s 35, as footnote 30, para 213.

(iv) Distraction from debate

26.120 The Commissioner does not refer to this factor in her guidance on s 35, but it arises in the context of EIR, reg 12(4)(d), and is dealt with at paras 22.49–22.50. There seems to be no reason why it could not apply in the context of this exemption, in appropriate cases. It applies to information requested which is a draft, where the final version of the information concerned (eg a report) has been published. The argument is that publication of the draft would be likely to distract from public debate on the substance of the issue concerned, by diverting it into a different discussion about whether the draft had been altered before publication; and, if so, by whom, whether this was justified, and for what reasons. Obviously this argument would apply only in certain factual circumstances. The ICO has sought to limit it to cases where any distraction could not be limited by publishing an accompanying explanation, but this seems unlikely to arise on the facts; and is unsupported by authority.

Other factors

26.121 The ICO refers to another issue, in her guidance on unfinished documents under the EIR (reg 12(4)(d)), namely whether publication of the draft material would be likely to assist understanding or shed light on the issue concerned. This would appear also to have potential application in the context of FOIA 2000, s 35[49].

26.122 A further issue in relation to the EIR, which also may be relevant to s 35, arises where publication could be misleading. The ICO makes clear in her guidance on reg 12(4)(d) that, while this situation generally has no weight in public interest terms, because it could be met by the production of explanatory material alongside the published information, there may be occasions when it is difficult to avoid a misleading impression; or where the effort would be disproportionate. Such situations may give rise to a public interest in favour of maintaining the exemption. (See para 22.52).

[49] See para 22.51.

(b) Ministerial communications

26.123 Any information relating to Ministerial communications is potentially within the scope of this element of the exemption. The category is obviously very substantial, and so its scope is limited in practice by the public interest test.

26.124 The exemption is intended to protect the Ministerial process of government, by preventing disclosure which would hamper ministerial debate within government, or significantly expose disagreement between ministers to those outside it. It does not apply, however, to protect ministers from embarrassment. Some information will fall under the policy formulation limb as well – in which case both may be claimed – although the public interest should be assessed separately for each category of information, as different arguments may apply.


26.125 The communications around which the exemption applies are those between ministers, or sent on their behalf. Others may be copied in, provided the communication is from a Minister or on their behalf, and has been sent to another Minister. (It appears that communications directed to an official, who would receive it on behalf of a Minister, are not covered). A communication from a Minister’s private secretary, who writes to another Minister, is included. ‘Communications’ may include written communications, meetings, telephone conversations (of which notes are taken by officials), and notes of meetings of Cabinet and other ministerial committees. Since information has only to ‘relate to’ such communications, the information in issue can either be such a communication itself, or refer to one. This means that subsequent correspondence discussing a previous ministerial communication will also be covered; as will emails or minutes referring to meetings about such a communication, or a handwritten note about the communication. Attachments to a Ministerial communication will also be included, including ones which pre-dated the communication (although the ICO warns that the public interest arguments for withholding such an attachment may be weaker). Drafts of a communication ‘relate to’ it; even if the communication was not sent. Notes of conversations are likewise included; even if hand-written or personal. Cabinet minutes are clearly covered; and are rarely disclosed[50].

26.126 On the other hand, a memo by a civil servant referring to a minister’s view, but not sent on behalf of the Minister, or not referring to a specific Ministerial communication, will fall outside the exemption. Much of the email traffic between, for example, special advisers to different Ministers is likely to fall outside this element of the exemption, unless it refers to such a communication.

[50] An exception was a request for the minutes of the Cabinet meeting at which Michael Heseltine resigned over the Westland affair in 1986 (Cabinet Office v ICO EA/2010/0031). A period of 19 years had passed, most of the Ministers involved no longer had active careers, and other accounts had since been published.

Ministerial communications – public interest test

26.127 The public interest factor most relevant to information relating to Ministerial communications concerns the need to protect collective responsibility (see para 26.118 above). Before making the argument, however, the authority will need to establish that collective responsibility is relevant to the information in question; for which the test is whether it reveals the view of that Minister.

26.128 The arguments for maintaining collective responsibility, which could be undermined by a disclosure showing clear disagreements, and contradictions with what ministers who were privately opposed to a decision have said in its support since, may be supplemented by arguments for a ‘safe space’ (in which to be able to debate issues in private) or a ‘chilling effect’. In the latter case, the argument might be that frank internal debate would be inhibited in future – following a disclosure in this case – by concern that views expressed privately would later be subject to a similar such disclosure.


(c) Law Officers’ advice

26.129 The third limb of the exemption covers information which relates to the advice of the Law Officers, or any requests for such advice to be provided. The Law Officers (who include the Attorney General and the Solicitor General, who are Parliamentarians) are the government’s principal legal advisers; but they are members of the government, rather than civil servants. They have to be consulted on key legal questions facing the government. Government receives much other legal advice from its professional lawyers, both in separate legal departments and internally within its policy or service departments. Such advice is likely to be covered by the exemption in s 42 for legal professional privilege, rather than by this exemption.

26.130 By longstanding convention, the government does not reveal whether or not the Law Officers have given advice on an issue (nor its content, or the questions leading to it), in order to protect the decision-making process where it has been informed by legal advice. The exemption from the duty to confirm or deny may, therefore, be the first recourse of a government department facing a request for the advice of the Law Officers, or whether it has been sought or received. In some cases, the government may wish to disguise the fact that its legal advice was not received from the Law Officers (which might tend to suggest that the legal issue was not considered to be of the greatest importance, or that it did not raise mixed political and legal issues requiring their involvement).

26.131 The Law Officers’ advice itself will usually, in FOI terms, be covered also by the exemption for information which is protected by legal professional privilege (FOIA 2000, s 42). Both exemptions can apply to the same piece of advice.

26.132 As with ministerial communications, a wide range of information can ‘relate to’ the provision of the advice, or any request for it. It may refer to the advice, or give an account of it. The requests leading to the advice are specifically included; but this may include not only any formal questions put to the Law Officers, but also consideration of whether to seek such advice (even if, in the view of the ICO, it was not in the event sought; since this would reveal that their advice had not been given[51]). In the same way, information about other advice, which discloses (even by implication) that the Law Officers were not consulted, would relate to the provision of their advice; and thus be exempt.

Public interest factors – Law Officers

26.133 The key public interest factor will be the importance of maintaining the convention of confidentiality as to the Law Officers’ advice. This has been given ‘real weight’ by the High Court, ‘even in the absence of evidence of particular damage’[52]. Thus it will be important to establish whether the exemption applies on the facts; since if it does, there is a significant public interest against disclosure without demonstrating more. The exemption is not absolute, however, and strong public interest factors in favour of disclosure in a particular case could still have greater weight. In this context, it may be noted that the ICO ordered disclosure in 2006 of those parts of information requested in connection with the Attorney General’s legal advice before the Iraq War in 2003, which led to, or supported, the concluded views of the Attorney General made public on 17 March 2003. This should be regarded, as the ICO recorded in the Enforcement Notice, as being a ‘highly exceptional’ case; and the ICO did not believe that ‘wider precedent implications’ should be deduced from it (Enforcement Notice, 22 May 2006). See also para 26.205 on this point.

[51] ICO guidance on s 35, as footnote 30, para 129.
[52] Her Majesty’s Treasury v ICO and Evan Owen [2009] EWHC 1811 (Admin), paras 54(i)–(ii).

26.134 Additional weight may be added in favour of withholding the information if the issue remains ‘live’, since it can be argued as well that the government needs to preserve a safe space in which to complete its consideration.

(d) Operation of any ministerial private office

26.135 Information held by a government department or by the Welsh government is exempt if it relates to the operation of any ministerial private office[53]. The latter is defined to mean any part of a government department which provides ‘personal administrative support’ to a Minister of the Crown, a Northern Ireland Minister or junior minister. It also includes any part of the administration of the Welsh government which provides such support to members of that government.

26.136 It appears, therefore, that the scope is not limited to the activities of officials who staff a Minister’s ‘private office’, but includes also other support to the minister in carrying out his or her official activities.
This might include at different times the assistance of a press officer, departmental Parliamentary staff, security staff, a driver (if not attached directly to the private office), IT staff etc. 26.137 The Commissioner takes the view, however, that the scope is limited to information relating to the ‘operation’ of a private office (in a narrow sense of how it is organised); and that a private office is defined as providing ‘administrative support’54. The ICO interprets this to mean support of a relatively routine kind such as: procedures for handling Ministerial papers; the Minister’s diary; circulation lists for documents etc. This underestimates the scope of information which ‘relates to’ the operation of a private office. There is no evident basis for the ICO’s limited approach, other than the use of the word ‘administrative’ in s 35(5). It may be noted that the word has a higher connotation in civil service terms than in general usage, relating to the activities of more senior (rather than junior or middle-ranking) civil servants. The understandable concern on the part of the Commissioner may be to avoid the creation of an exemption which, if it were taken to apply to all the information which flows through a private office 53 FOIA 2000, s 35(1)(d). 54 ICO guidance on s 35 (as footnote 30), para 147.

509

26.138  Freedom of Information Exemptions 2

(ie all the information seen by a minister in his or her official role), would cover a very broad range indeed. While acknowledging this as a legitimate concern, it remains the case that the ‘operation’ of a private office should be seen as extending into more significant matters than has been the case under the guidance; while still remaining within the scope of ‘administrative’ matters, in the normal sense of the word. These would include: the staffing of the private office; practical arrangements concerning the interface between the private and official activities of the minister (since a private office is in touch with its minister up to – and often beyond – that boundary); the handling of Parliamentary questions and other Parliamentary business; procedures for liaison within the department with senior civil servants; internal protocols for ministerial consultation; the timing and management of ministerial responses; liaison and working arrangements with legislative Bill teams; liaison with outside organisations, journalists, experts, or senior figures in the commercial or policy worlds relevant to the department; or, the roles and at least some of the activities of the Minister’s special advisers (other activities of whom may be covered by the policy formulation element of the exemption). 26.138 The ICO says that the exemption is rarely used, and that its principles are not well-established. This may be because of the limited scope accorded to it by the Commissioner. Public interest test – private office 26.139 The key public interest factor is whether disclosure would be likely to harm the effective operation of the private office concerned. The ICO advises that there is no inherent weight in withholding information covered by this limb of the exemption; it will depend in each case on the content of the information and its degree of sensitivity; and the consequent effect of its disclosure. 
The ICO characterises this as a ‘safe space’ factor, enabling the private office to focus efficiently on supporting the Minister without interference or distraction from outside. 26.140 While the emphasis on a safe space as the key public interest factor is unobjectionable, the potential difficulty with this approach may be that, if the ICO is unduly focused on more routine aspects of the work of a private office, the content in question may not be of great sensitivity; and thus the consequences of disclosure may be of lesser significance in many instances than would otherwise be the case. While the ICO does give examples in her guidance of requests properly refused (on grounds, for example, of avoiding distraction to the work of a private office by publishing emails about the procedure for answering Parliamentary questions), there remains uncertainty as to whether admitting a higher level of information to the scope of the exemption would enable also a greater weight of public interest factors against disclosure to be recognised. 26.141 The ICO mentions the protection of officials from criticisms of decisions for which Ministers are accountable; and security concerns about travel and other arrangements involving Minsters. Both are significant factors which may, in particular situations, merit substantial weight. 510

26.142 Much of the information requested to which this exemption may apply (especially if given a more serious level of application) is likely to be ‘live’ at the time of the request; enhancing in general the weight of any public interest factors attaching to it which are in favour of maintaining the exemption.

Statistical information

26.143 Once a decision as to government policy has been taken, any statistical information which was used to provide an informed background to the decision is excluded from the exemptions in s 35(1)(a) (policy formulation) or (b) (Ministerial communications). This includes statistics (facts presented in numerical form) and analysis of them. These have to be based on mathematical analysis, rather than opinion, to be excluded from the exemption55. The ICO suggests that a public announcement (of a policy or decision) may be taken as the point of decision for this purpose56.

Neither confirm nor deny – s 35

26.144 There is an exemption from confirming or denying, in s 35(3), on the basis of the same four exemptions. The public interest test against disclosure focuses on what hypothetical confirmation or denial would reveal, and why this would harm ‘good government’; which then has to be balanced with the public interest in knowing whether the information is held. In general, confirming that information is held may not damage the safe space. In relation to Law Officers’ advice, however, there is a strong public interest in avoiding undermining the convention that government does not reveal whether the Officers have advised (unless this is already known, or the issue is obviously of sufficient importance).

Section 35 – overall public interest and remaining points

26.145 The ICO offers a summary of the public interest factors relevant to s 3557. These are reflected in the discussion above in relation to the separate elements of the exemption, and also in respect of the EIR exceptions for unfinished documents (reg 12(4)(d)) and internal communications (reg 12(4)(e)), which raise similar issues58. If more than one element of the s 35 exemption applies, the public interest should be assessed separately.

55 Department of Work and Pensions v ICO EA/2006/0040.
56 ICO guidance on s 35 (as footnote 30), para 168.
57 See ICO s 35 guidance (as footnote 30), paragraphs 197ff.
58 See respectively: paras 26.103–26.122 (policy formulation); 26.127–26.128 (ministerial communications); 26.133–26.134 (Law Officers); 26.139–26.142 (private offices); 22.39–22.55 (unfinished documents) and 22.68–22.87 (internal communications).

26.146 The reduction in the period after which a document becomes an historical record may be relevant in this context in particular cases59.

Alternative to s 35

26.147 Sections 35 and 36 (prejudice to conduct of public affairs) are mutually exclusive. If there is doubt as to whether s 35 applies, however, s 36 may be claimed in the alternative to s 35. The public interest arguments are similar (although an opinion of the ‘qualified person’ is necessary under s 36).

Other relevant exemptions

26.148 Other relevant exemptions may include: s 22 (information intended for future publication); s 27 (international relations); s 28 (relations within UK); s 29 (the economy); s 36 (conduct of public affairs; including in the alternative as in the preceding paragraph); s 40 (personal information); s 41 (information provided in confidence); or, s 42 (legal professional privilege).

Section 36: Prejudice to the effective conduct of public affairs

26.149 Section 36 exempts information whose disclosure would, or would be likely to: (a) harm collective responsibility (including of the Welsh government) or the work of the Executive Committee of the Northern Ireland Assembly; (b) inhibit the free and frank provision of advice or exchange of views; or (c) otherwise prejudice the effective conduct of public affairs.

26.150 Other than in relation to statistical information, the authority’s ‘qualified person’ has to give a ‘reasonable opinion’ that disclosure would, or would be likely to, cause the effects above, before the exemption will be engaged. The ICO strongly advises authorities to keep records of the process by which the reasonable opinion was reached.

26.151 Other than for the two Houses of Parliament, the exemption is qualified.

26.152 Where information which is held by a government department or the government is not exempt information under s 35, s 36 may apply to that information. Thus if the information would engage s 35, it is excluded from s 36; even if the balance of the public interest test under s 35 would be in favour of its disclosure. It is important, therefore, that those bodies check first whether s 35 applies to some or all of the information. If there is doubt over whether s 35 may be engaged, however, attention is drawn to the potential to claim the two exemptions in the alternative to each other, as outlined at para 26.147 above.

59 See para 25.72.

Qualified person

26.153 The qualified person is identified either in relation to the type of organisation in s 36(5)(a)–(n), in a minority of cases; or under s 36(5)(o), which defines the person as a Minister of the Crown, the authority itself (ie its highest-ranking officer), or any officer or employee who is authorised by a Minister. There is no longer an active list of such officers. If none has been identified, or is unknown, an authority should request an authorisation via the Ministry of Justice. An authority cannot choose its own qualified person. Another official may be the qualified person on an acting basis; but not on a temporary basis in the absence of the qualified person. Another official (eg the FOI officer) may prepare the matter for the qualified person’s consideration.

26.154 The issue for the qualified person to determine is how likely it is that the prejudice or inhibition will occur. The exemption is not engaged without the opinion. The opinion should be in place before the exemption is formally claimed (eg after 20 working days), or before the deadline is extended (if necessary). It is notable that the exemption can still be engaged, however, if the opinion is available by the completion of any internal review60.

26.155 The reasonableness required is not that the opinion is correct in the view of the ICO; nor even that it is the most reasonable opinion, or the only reasonable conclusion that could be reached. The test is that it should not be irrational or absurd, and thus not be unreasonable. It will be the latter if no reasonable person, in the position of the qualified person, could have reached that conclusion.

26.156 If the exemption is challenged, the ICO will consider whether the opinion was reasonable, in the light of all relevant factors. These may include whether the prejudice relates to the specific subsection of the exemption claimed; the nature and timing of the request; or, the degree of the qualified person’s involvement with, or knowledge of, the issue. The ICO stresses that it is in the interests of the authority to make available all the evidence and argument which led to the opinion; the more easily to enable the ICO to find in favour of the opinion, as one of the range of reasonable conclusions which could be reached. In ICO v Malnick, the Upper Tribunal said that Parliament has chosen to confer responsibility on the Qualified Person for making the ‘primary (albeit initial) judgment as to prejudice’, and that those persons hold senior roles in their organisations. It follows that, although their opinion is not conclusive (save in relation to the Houses of Parliament, under s 36(7)), it ‘is to be afforded a measure of respect’61.

26.157 The choice of ‘would’ or ‘would be likely’, in relation to the likelihood of harm, is relevant to the degree of weight to be given in the public interest test to the prejudice or inhibition claimed to be at risk. There is no bar in the statute, however, on choosing them in the alternative. The authority would then need to assess the public interest separately in those alternative scenarios.

60 ICO: ‘Prejudice to the effective conduct of public affairs (section 36)’, paras 16 and 75 (although there will have been a procedural breach in those circumstances of FOIA 2000, s 17(1)).
61 ICO guidance on s 36, as in footnote 60 above, para 24. ICO v Malnick and ACOBA [2018] UKUT 72 (AAC), para 29.

26.158 The qualified person should be careful to avoid applying a ‘blanket approach’ to s 36 issues, since the opinion may not be reasonable in consequence.

26.159 In relation to information held by either House of Parliament, a certificate signed by the Commons Speaker, or Clerk of Parliaments in the Lords, as to his or her reasonable opinion, is conclusive; and will lead to an absolute exemption for that information.

26.160 No reasonable opinion is required for statistical information. The authority may disclose it; or apply the same qualified exemption to it without a reasonable opinion. ‘Statistical information’ includes the raw data, the methodology, and the outcome; as well as the statistics produced62.

Nature of the harm – s 36

26.161 The nature of the prejudice under s 36 is similar to the elements of harm under FOIA 2000, s 35; or EIR, reg 12(4)(d) or (e)63.

(i) Collective responsibility: where disclosure would, or would be likely to, harm collective responsibility. This element of the exemption applies where s 35 does not, to protect the same constitutional convention. Attention is drawn, as above, to the possibility of claiming the two exemptions in the alternative; which would protect the position of the public authority in the event of a challenge in which the ICO took a different view from the authority as to how the two exemptions might apply to the information held. Information held by public authorities which are not government departments may, if disclosed, engage the exemption (s 36(2)(a)(i)).

(ii) Northern Ireland and Wales Executives: where disclosure would, or would be likely to, harm the work of the Northern Ireland Executive or the Welsh Cabinet. (The latter operates collective responsibility) (s 36(2)(a)(ii) and (iii)).

(iii) Free and frank provision of advice or exchange of views: where disclosure would, or would be likely to, inhibit the ability of officials or others to give free and frank advice; or inhibit decision-makers or officials from freely and frankly exchanging views for the purpose of deliberation (ie evaluating the arguments). Either or both may be claimed, but the opinion must be specific as to which is/are claimed. The inhibition is to the process, although this may be affected by the content of the information (and the ICO is unlikely to back keeping confidential a discussion or documents which appear to contain nothing significant or controversial) (s 36(2)(b)). The ICO links this provision to ‘chilling effect’ arguments, treating it in effect as concerning future advice64. While it clearly applies to that situation, the wording could also encompass inhibition to the discussion of a current issue, if the information requested was ‘live’; and for which the ‘safe space’ should also be considered relevant. Indeed, the protection of a forum in which free and frank advice can be given, or views can freely be exchanged, might be thought precisely to describe a ‘safe space’, when referring to a current issue. It is suggested, therefore, that authorities should not feel inhibited from applying safe space arguments, as well as those concerned with a chilling effect, to s 36(2)(b) where the request concerns an issue currently under discussion. In relation to both the chilling effect and the safe space, the discussions in relation to EIR, reg 12(4)(d) and 12(4)(e) and FOIA 2000, s 3565, are relevant here.

(iv) Other prejudice to the effective conduct of public affairs: the terms are not defined in the Act, but the ICO suggests that the harm could be to the authority’s ability to offer an effective public service, or to meet its objectives. The effect need not be on the authority involved, but could be on other parts of the public sector. This could include the diversion of resources which other bodies might have to make to deal with the effects of the disclosure (s 36(2)(c))66. This element is seen by the ICO as applying to cases not covered by another exemption. The difficulty with the ICO’s approach is that, if the view is also taken that the safe space is not relevant to element (iii) above, and that this element (iv) is only residual, public authorities outside central government or the devolved administrations would not have an adequate exemption on which to rely for policy or decisions needing a safe space under the FOIA. This would seem invidious, and contrary to good government outside those departments. For this reason, it is suggested that public authorities outside government should feel able to use either s 36(2)(b) or s 36(2)(c) where safe space arguments are relevant. (The ICO points out that the wording of ‘otherwise’ suggests that the harms to be avoided should be different as between the two elements). Examples of other situations in which s 36(2)(c) might be relevant could include where disclosure would be likely to:

— jeopardise negotiations with a third party (over a non-financial matter);
— pre-empt a forthcoming announcement, to the detriment of its purpose;
— undermine trust with a third party with which the authority is working on a policy issue.

26.162 The nature of the safe space, and its duration, are discussed above in the context of FOIA 2000, s 3567; and under EIR, reg 12(4)(d) and reg 12(4)(e)68.

62 Described in ICO guidance on s 35, as footnote 30, paras 161–64.
63 See, for example, paras 26.105–26.117, 22.40–22.51, and 22.70–22.80 respectively.
64 See ICO’s s 36 guidance, as footnote 60, paras 47–51.
65 See paras 22.40–22.48; 22.70–22.76 and 26.105–26.117.
66 See ICO guidance on s 36, as footnote 60, para 53.
67 See paras 26.105–26.112.
68 See paras 22.40–22.47 and 22.70–22.72.


26.163 Another type of harm which may be claimed relates to a reduction in record-keeping, as a result of disclosure. This is discussed at paras 22.77–22.78. Interestingly, the ICO accepts in her guidance on s 36 that there ‘may have been a tendency in recent years towards keeping less detailed minutes’, but maintains that there is no clear evidence linking this to FOI69.

Neither confirming nor denying 26.164 There is an exemption from the duty to confirm or deny, on the same grounds, requiring the qualified person to give their reasonable opinion.

Public interest test 26.165 The qualified person’s opinion does not relate to the public interest test, which should be conducted separately. The opinion is important to the public interest test, however, since if it found that the prejudice ‘would’ occur, the anticipated harm may be given greater weight under the public interest test than if it is only ‘likely’. 26.166 The main public interest consideration in favour of maintaining the exemption will be avoiding the types of harm identified, either to the authority’s deliberations over the issue concerned, or to its (or others’) carrying out of public affairs.

Internal review 26.167 The ICO expects the qualified person to review their opinion, if there is a request for an internal review.

ICO investigation 26.168 If there is a complaint, the ICO will also expect the authority to provide all the material used in the opinion and its consideration of the request. It is considered very important in s  36 to document how the opinion was reached, since the authority is seen as creating the exemption ‘by its own action’70. Failing full documentation, the ICO has developed a standard form with the guidance, which may be used as the basis of a record.

69 ICO’s s 36 guidance, as footnote 60, para 64.
70 University of Central Lancashire v ICO and Colquhoun EA/2009/003, paragraph 58. See ICO’s s 36 guidance, as footnote 60, paras 77–82, which includes a link to a form: ‘Record of the Qualified Person’s Opinion’.


Other relevant exemptions 26.169 Other relevant exemptions may include: s 35 (government policy formulation etc), depending on who holds the information; s 22 (information intended for future publication); s 41 (information provided in confidence); s 42 (legal professional privilege); or, s 43 (commercial interests).

Section 37: Communications with the Royal family, and honours

26.170 This exemption is treated in outline only. It encompasses communications with the Queen, other members of the Royal Family or the Royal Household; and the awarding of honours and dignities by the Crown.

26.171 There is an absolute exemption for information relating to communications with the Sovereign, or with the heir to the throne. Communications with an individual who subsequently becomes the heir to the throne also enjoy an absolute exemption71.

26.172 There are qualified exemptions for information relating to communications with other members of the Royal Family, and with the Royal Household72.

26.173 There is a qualified exemption relating to the awarding of honours and dignities by the Crown. This covers awards such as peerages, knighthoods, medals or Privy Council appointments.

26.174 Under FOIA 2000, s 63(2E), time limits are applied to the exemptions. The exemptions cease to apply on whichever date is the later of five years after the death of the Royal Family member to whom the communication relates (for ss 37(1)(a)–(ac)); or, 20 years after the record was created. In the case of communications with the Royal Household, the time limits are whichever is the later of the death of the monarch reigning when the record was created, or 20 years after the creation of the information. The exemption for honours lapses after 60 years73.

26.175 There is an exemption to enable the authority to neither confirm nor deny that information is held, on the same basis as the relevant exemption from disclosure.

26.176 Other exemptions may be less relevant to information to which s 37 applies, unless the information concerned also overlaps with s 22 (information intended for future publication); s 35 (government policy formulation etc); s 36 (effective conduct of public affairs); or s 41 (information provided in confidence).

71 FOIA 2000, s 37(1)(a), (aa), and (ab).
72 FOIA 2000, s 37(1)(ac) and (ad).
73 FOIA 2000, s 63(3).


Section 38: Health and Safety

26.177 Information is exempt if its disclosure would, or would be likely to:

— endanger the physical or mental health of any individual; or
— endanger the safety of any individual.

26.178 There is an exemption from the duty to confirm or deny on the same basis. The exemption is qualified.

26.179 The s 38 exemption is concerned with information whose disclosure might pose a risk to people. It is wider than ‘health and safety’ in the normal sense of obligations on employers or others to ensure safe working conditions, or to minimise dangers to the public. Examples of the information to which the exemption may apply might be:

— information about someone who has recently died, where disclosure might harm the mental health of their surviving relatives;
— information whose disclosure could adversely affect public health (eg where research is still being undertaken, and disclosure could unnecessarily undermine public confidence);
— the identity of covert surveillance officers.

26.180 The term ‘endanger’ should be equated with ‘prejudice’ or harm; so that the exemption arises where disclosure would, or would be likely to, harm the physical or mental health of any individual, or the safety of any individual. ‘Any individual’ may mean one or more specific individuals, members of the public in general, or particular groups. The risk of harm may thus relate to any of these persons.

26.181 There has to be a causal link between the disclosure and the endangerment/harm anticipated. The choice between the two levels of likelihood of harm would affect the weight of the public interest against disclosure.

26.182 Endangering ‘physical health’ usually means a likelihood of an adverse physical impact, and may relate to a medical matter. Endangering mental health may relate to causing a psychological disorder, or worsening a mental illness, by disclosure. Mere stress or worry caused by a disclosure will be insufficient, however, to engage the exemption. Expert advice may be needed to identify a mental health endangerment.

26.183 Endangering the safety of any individual relates in most cases to information about protecting individuals from a risk of an accident. Thus information about risks posed by a new chemical process with the capacity to poison the air in the vicinity, and how best to limit the risks involved, could fall within the exemption (although in that case, there could also be strong public interest arguments for disclosure). Vulnerable groups, who might need the protection of the exemption, might include:

— scientists involved in animal experimentation;
— a spokesperson on a controversial issue, whose statements have attracted worrying personal criticism on social media; or
— volunteers working with those living on the streets at night, in an area with high levels of anti-social behaviour.

Public interest test

26.184 Factors supporting a public interest in disclosure would include furthering public understanding of decisions; promoting accountability and transparency; and enhancing accountability for public spending. Factors favouring withholding the information might include: avoiding the disclosure of speculative information which might mislead the public and influence them to act against their own best interests; or, disclosing information which might undermine a system to protect public safety (eg about the frequency of use, or location, of speeding detection measures on roads; or, information about anti-terrorism measures in a particular location).

26.185 Once the exemption is engaged, and if there may be a danger to the health or safety of one or more individuals from disclosure, the Commissioner recognises that it will be difficult to identify factors in favour of disclosure which are sufficiently strong to overcome them74.

Other relevant exemptions

26.186 There are no obviously closely-allied exemptions, but other exemptions which might have some relevance in particular factual circumstances might be: s 40 (personal information); s 41 (information provided in confidence); or s 43 (commercial prejudice).

Section 39: Environmental information

26.187 This exemption will be described briefly, since it serves a particular statutory purpose. Section 39 was itself amended by the EIR 2004, reg 20(1), to reflect the route [ie the European Communities Act 1972, s 2] through which the EIR were made. Under s 39, any information is exempt (from FOIA) if the public authority:

— is obliged by the EIR (or similar regulations) to make the information available to the public, or
— would be so obliged but for the application of an exemption.

74 ICO: ‘Health and Safety (section 38)’ para 34.


26.188 The purpose is to allow the request to be dealt with under the EIR, without having also to consider disclosure under the FOIA 2000. An authority will have to be subject to the EIR, in order to be able to claim the exemption. A public interest test formally applies, but there is unlikely to be a public interest in obliging an authority to consider the information under the FOIA 2000, as well as under the EIR.

Section 40: Personal data in FOI requests 26.189 This exemption is dealt with separately and in detail, because of its importance and frequency, in Chapter 27.

Section 41: Information provided in confidence

26.190 Section 41 provides an absolute exemption where the information was obtained by the authority from any other person (which can include another public authority, another corporate body, or an individual); and its disclosure to the public by the authority would constitute a breach of confidence actionable by the person who gave it to the authority, or any other person. Information obtained from another can include information which was imparted to the authority other than in writing (eg orally), and then recorded in a document produced by the authority. Information in contracts will generally not be included, since it will usually have been generated between the parties; other than, potentially, technical information provided by the tenderer or contractor which otherwise meets the description of confidential information. In Driver v ICO, the names of five exporters who had sought compensation from a local authority leading to settlement agreements, following action by it held to be unlawful, were not confidential information within the terms of s 41(1). The names were not information obtained by the public authority from those persons; notwithstanding that those parties had initially approached the authority75. (This position contrasts with that under EIR, reg 12(5)(e), in relation to confidential commercial information; see para 23.104). Information in medical records is treated, for the purposes of the exemption, as imparted by the patient when it comprises a diagnosis or information about the health or care of the person concerned, which has been provided by the medical or social carers involved.

26.191 The term ‘actionable’ means that the other person could sue the authority over it (for breach of confidence) and would be likely to win.
26.192 When determining whether there would be a breach of confidence, the authority will generally need to consider the following:

— whether there is a ‘quality of confidence’ about the information (ie it is more than trivial, and not accessible by another means. The test of non-triviality (if not obvious) can, if the information is personal in type, be whether the confider attaches some importance to it, even if it is relatively insignificant to others. Accessibility means that the information is realistically accessible to the public at the time of the request. Information can be inaccessible to the public as a whole, even if it is known to the requester. It can retain the quality of confidence if it has been released to a limited number of people, who have not passed it on; or even if it is already in the public domain to some degree, if disclosure would reveal something new about the subject matter or the context);

— whether the information was imparted to the authority in circumstances creating an ‘obligation of confidence’, ie either through explicit conditions (eg set out in a letter or confidentiality clause); or, where the restrictions are implicit from the circumstances (eg as between a client and a professional advising them, or in a business context between a customer and a financial adviser or bank); and would be recognised as such by a reasonable person, or might arise from normal practice;

— whether disclosure under the FOIA 2000 would be an unauthorised use of the information, which would cause detriment to the person who provided it (unless it concerned the provider’s private life, where it is assumed). This does not require a tangible detriment to be shown (eg financial loss), because the law has moved to seeing a loss of personal privacy as a detriment in itself; reflecting the right to respect for family and private life in Article 8 of the European Convention on Human Rights (‘ECHR’). The authority will be obliged to show that disclosure would be an unauthorised use of the confidential information. A detrimental impact does have to be shown, however, if the information is commercial in nature;

— in deciding whether an action for confidence would be likely to succeed, the authority should consider whether there would be a ‘public interest defence’ to the disclosure (meaning that legal action, if taken, would not be likely to succeed because the public interest in maintaining confidentiality would be overridden on other grounds). Originally, those grounds would have been exceptional only, but the test has now become one of proportionality; ie whether there is a public interest in disclosure which overrides the public interest in maintaining the duty of confidence. Such defences might include: information revealing evidence of misconduct or illegality, or exposing maladministration or negligence; or (possibly, but less likely) factors in support of disclosure such as facilitating accountability, or enabling individuals to understand public decisions.

The considerations above are derived from the well-known judgment in CoCo v AN Clark (Engineers) Ltd76. There is an exemption from the duty to confirm or deny, on the same basis as above, if confirming or denying would in itself give actionable grounds against the authority. It may also be noted that the duty of confidence may apply after death, since it is treated as continuing to apply to medical or other health records, or banking information, after the person

75 Ian Driver v ICO and Thanet District Council EA/2017/0218, paras 31–40.

76 [1968] FSR 415.

521

26.193  Freedom of Information Exemptions 2

concerned has died; and, on occasion, the confidentiality may be applied against surviving relatives or friends as requesters. 26.193 The main public interest arguments for the test of proportionality are set out below. The balance of the test is reversed (from the usual public interest test under the FOIA) in that the public interest in maintaining the confidence is assumed to apply unless it is outweighed by the public interest in disclosure. The default position, therefore, in the event that the latter does not outweigh the former, is that the information is withheld. There is a general weight of public interest in favour of disclosure, for reasons of openness to security and transparency. This is unlikely to be sufficient in itself to support disclosure without an additional factor. Significant weight in favour of disclosure would be added by factors such as misconduct or illegality; for which an allegation, rather than proof, may be sufficient; if it is credible and from an apparently reliable source. Arguments for maintaining confidentiality, on the other hand, which may carry particular weight in specific circumstances, could include: — the wider public interest in upholding the principle of confidentiality, since any disclosure harms that principle to some degree; although the weight to be attached to it will vary with the context. Factors such as maintaining a flow of information to a public authority, received in confidence, may carry weight. — the public interest in avoiding the impact of disclosure on the individual or legal person involved. Examples would include: the avoidance of damage to a commercial position, or the undermining of future negotiations; or, the preservation of privacy where an individual was acting in a personal capacity. 
Protective markings on documents, however, are likely only to form an initial indication that information may be considered to be confidential by its creators; and, in practice, such documentation may not meet the s  41 conditions. Information passed between government departments is precluded from falling within the exemption by virtue of FOIA, s 81(2). Other relevant exemptions 26.194 Other exemptions which may also be relevant would include: s  23 (information supplied by security bodies); s  24 (information required for safeguarding national security); s  26 (Defence); s  27 (international relations); s 28 (relations within the UK); s 30 (investigations and proceedings; including information from confidential sources); s 31 (law enforcement); s 35 (formulation of government policy etc); s  36 (conduct of public affairs); s  40 (personal information); s 42 (legal professional privilege); or, s 43 (commercial prejudice).

Section 42: Legal professional privilege

26.195 Legal professional privilege (‘LPP’) protects the ability of a client to speak freely to his or her legal adviser, without fear of disclosure, in order to enable them to receive appropriate legal advice. The protection also covers the confidentiality of communications (documents conveying information [77]) between the lawyer and client, including the questions put by the latter to the former. The principle is intended to ensure fairness between opponents in legal proceedings, and full access by individuals to legal advice without the potential restriction of concern over disclosure of the questions asked, the information imparted to the lawyer, or the advice given. (See the EIR section on the course of justice, at paras 23.42–23.46.)

26.196 ‘Litigation privilege’ protects communications made (at least as the dominant purpose) to provide or obtain legal advice about litigation which is proposed or contemplated, or for use in the litigation [78]. It might, therefore, cover pre-litigation advice about the prospects of success, or documents drawn up for use in the proceedings. It can also cover communications between lawyers and third parties, if made for the purpose of the litigation. For the exemption to apply, there has to be a real prospect or likelihood of litigation, not merely a possibility of it.

26.197 ‘Advice privilege’ covers confidential communications between lawyer and client, where no proceedings are in process or contemplated. The exemption applies where the communications are confidential between the client and the lawyer, and their ‘dominant’ (main) purpose is to seek or give legal advice. The advice has to be given in a ‘legal context’; ie to concern legal rights, liabilities, obligations or remedies. It is unlikely to be privileged (protected) if, albeit given by a lawyer, it concerns financial or strategic issues, unless it also covers legal matters. Advice to a legal person as to whether it has properly discharged its legal functions under the law, or what remedies may be available to (or against) it, however, will have a legal function [79].

26.198 In either case, it will be very important for the public authority claiming the s 42 exemption to identify the client; since advice privilege does not cover communications with third parties at all, and litigation privilege does so only as outlined above (para 26.196). It will also be important to identify the legal adviser. A lawyer is a legal adviser acting in a professional capacity. A legal executive is included [80]. Legal advice and communications between in-house lawyers and external barristers and solicitors are also included (allowing public authorities to seek specialist advice or advocacy without losing the protection) [81].

26.199 Draft documents, or documents which were not sent, are included within ‘communications’, and thus within advice or litigation privilege. Enclosures or attachments will usually not be covered by the privilege, unless they were created with the intention of seeking advice or for use in litigation [82]. Pre-existing documents will not be included, unless they were selected by a lawyer, using skill and judgement (and were not already held by the client), for the purpose of advising them or preparing for litigation [83].

Waiver or loss of privilege

26.200 The ICO’s guidance approaches LPP largely from the viewpoint of contending parties in litigation; which may be less, rather than more, frequently the circumstances in which s 42 is likely to be relied upon in response to information requests.

26.201 The protection of either element of the exemption can be lost or waived. ‘Waiver’ describes a disclosure to a legal opponent during court proceedings. If the privilege (ie protection) has been waived in a specific case, it may still continue elsewhere or in other proceedings. In the context of the FOIA, the ICO advises considering whether the privilege has been ‘lost’ (rather than ‘waived’). In this context, a ‘restricted disclosure’ (such as might be made only to an opponent in proceedings and to the court, but not in open court) would not lose the privilege. The same might apply to a confidential disclosure (or a disclosure to a limited number of people within the public authority with a need to be aware of the advice). A disclosure to a business partner might also be restricted [84].

26.202 An ‘unrestricted disclosure’, where the disclosure is capable of entering the public domain because no restrictions have been placed upon its use in future (such as a disclosure in open court), would not retain the protection. Disclosing the information in public (as occurred in Kirkcaldie, an EIR case, when, as the Tribunal later found, the substance of legal advice had been disclosed at a public council meeting) will mean that the protection is lost [85]. If a partial disclosure does not reveal the substance of the advice, however, the privilege may be able to be continued.

Authorities will need to consider how widely advice has been disclosed, and to what extent, in judging whether the protection has been lost; and should, it is suggested, still exercise care over sharing legal advice beyond those immediately involved, even internally.

26.203 There is no need to show harm from disclosure as part of engaging the exemption, since s 42 is class-based; but harm will be relevant to the public interest test, in the way described below.

Duty to confirm or deny

26.204 There is a duty to confirm or deny whether or not the information is held, unless to do so would disclose any legally privileged information (eg as to the nature of the advice, or that the authority had some advice on a related matter) [86]. The ICO suggests that, if the authority has not sought advice on the matter referred to in the request, it cannot refuse to confirm or deny this, since no legally privileged information would thereby be revealed [87].

Public interest test

26.205 The key public interest factor is that there is an inherent public interest in non-disclosure, given the importance of protecting the principle underpinning LPP: that clients should be able to have the fullest access to legal advice. (Reference has been made at para 26.133 to the exceptional case relating to legal advice preceding the Iraq War.)

26.206 The ICO’s guidance refers to a number of Tribunal decisions on the importance of LPP, but does not, in relation to ‘advice privilege’, refer to authority from the Upper Tribunal in Department for Communities and Local Government (DCLG) v ICO and WR, decided unanimously by three judges, led by Carnwath LJ, the then Senior President. The case concerned a request for legal advice given by an in-house legal adviser to the Planning Inspectorate (‘PINS’). The decision referred to the speech of the then Lord Chief Justice, Lord Taylor of Gosforth, in Regina v Derby Magistrates Court, Ex p B [88], at 507D:

‘The principle which runs through all these cases, and the many other cases which were cited, is that a man must be able to consult his lawyer in confidence, since otherwise he might hold back half the truth. The client must be sure that what he tells his lawyer in confidence will never be revealed without his consent. Legal professional privilege is thus much more than an ordinary rule of evidence, limited in its application to the facts of a particular case. It is a fundamental condition on which the administration of justice as a whole rests.’ [89]

26.207 In addition, the DCLG decision referred to the judgment, in an FOI appeal to the High Court (where such appeals were then heard), in DBERR v ICO and O’Brien [90]. In a passage approved by the judge in DBERR (para 38), the (then) Information Tribunal had said in Martin Rosenbaum v ICO (para 36) that it was:

‘satisfied that LPP has an in-built weight derived from its historic importance, it is a greater weight than inherent in the other exemption to which the balancing test applies, but it can be countered by equally weighty arguments in favour of disclosure.’

26.208 The judge in DBERR, Wyn Williams J, had then gone on to say that: ‘the proper approach for the Tribunal was to acknowledge and give effect to the significant weight to be afforded to the exemption in any event; ascertain whether there were particular or further factors in the instant case which pointed to non-disclosure and then consider whether the features supporting disclosure (including the underlying public interests which favoured disclosure) were of equal weight at the very least’ [91].

26.209 The judges in the Upper Tribunal in DCLG referred to the weight properly to be given to the exemption in any event, for the reason that ‘disclosure would weaken the confidence of public bodies and their advisers in the efficacy of LPP’. The weight to be given to this inherent factor in favour of maintaining the exemption would vary from case to case. The exemption was not absolute. If the advice was very old, or the matter was no longer current, disclosure might damage confidence less than if the information was recent, or related to current matters [92]. On the other hand, other factors against disclosure might also be added to the principal one; such as (as in that case) the unfairness of giving a requester access to the public authority’s legal advice, without granting the same to the authority [93].

26.210 In other words, the Upper Tribunal was saying that there was a very weighty public interest in maintaining the confidentiality of legal advice protected by LPP. This should be applied generally in such cases, so that the information to which LPP applied should normally not be disclosed, unless there was also some special factor in the particular case which outweighed the inherent public interest in confidentiality to a sufficient extent to justify disclosure. It is respectfully suggested that this is a helpful and straightforward formula for public authorities to apply.

Other relevant exemptions

26.211 By its nature, the exemption for information covered by LPP is different to other FOI exemptions. The information in issue, however, may give rise to other exemptions such as: s 30 (investigations and proceedings); s 31 (law enforcement); s 35 (formulation of government policy etc); s 36 (conduct of public affairs); s 41 (information provided in confidence); or s 43 (commercial prejudice).

77 ICO: ‘Legal professional privilege (section 42)’, para 18.
78 ICO guidance on s 42, as footnote 77, para 8.
79 Three Rivers District Council and ors v Governor and Company of the Bank of England [2004] UKHL 48.
80 ICO guidance on s 42, as footnote 77, para 16.
81 Calland v ICO and Financial Services Authority EA/2007/0136.
82 ICO guidance on s 42, as footnote 77, para 18.
83 ICO guidance on s 42, as footnote 77, para 20.
84 ICO guidance on s 42, as footnote 77, para 36.
85 Malcolm Kirkcaldie v ICO and Thanet District Council EA/2006/0001, paras 40–41. See also para 23.43.
86 FOIA 2000, s 42(2).
87 ICO guidance on s 42, as footnote 77, para 46.
88 [1996] AC 487.
89 Department for Communities and Local Government (DCLG) v ICO and WR [2012] UKUT 103 (AAC) (‘DCLG case’), at para 37, and generally paras 37–46 and 50. See also paras 23.44–23.45 in relation to EIR, reg 12(5)(b).
90 Department for Business, Enterprise and Regulatory Reform (DBERR) v Dermod O’Brien and ICO [2009] EWHC 164 (QB), para 38; referring to Martin George Rosenbaum v ICO and House of Lords Appointments Commission EA/2008/0035, para 36.
91 DBERR case, as footnote 90, para 53; referred to in DCLG, as footnote 89, at para 43.
92 DCLG, as footnote 89, para 45.
93 DCLG, as footnote 89, para 46; referring on that point also to Stephen West v ICO, EA/2010/0120.

Section 43: Commercial interests

Trade secrets – s 43(1)

26.212 Information is exempt if it constitutes a trade secret; ie information which gives a competitive advantage to its ‘owner’, which has not been widely disseminated or is not generally known (and is in some sense unique), and whose disclosure would be liable to cause real or significant harm to that person [94]. It may be thought of as (in a general sense) the property of the legal person whose activities it describes. One distinction, reflected in the ICO’s guidance, is between ‘technical secrets’ and ‘business secrets’; the former referring to inventions, new processes, designs or formulae, and the latter describing market-related information or intelligence, such as information about costs, pricing or marketing plans. The latter are less likely to be trade secrets than the former.

26.213 The exemption for trade secrets is class-based, and so requires no consideration of harm caused by disclosure in order to be engaged. The exemption is subject to the public interest test, however, and the harm from disclosure will be relevant to that test.

26.214 Curiously, there is no exemption from the duty to confirm or deny on the grounds that the information is a trade secret; which seems likely to be counter-productive in some cases. The ICO points out, however, that disclosure of the existence or otherwise of the information may also harm the commercial interests of the public authority (or another person) under s 43(2); thus engaging the exemption from the duty to confirm or deny on that ground, rather than because of its status as a trade secret, under s 43(3).

Harm to commercial interests

26.215 Information is also exempt if its disclosure would, or would be likely to, prejudice (harm) the commercial interests of any person (including those of the authority holding the information). The circumstances in which such information may be held would include:

• Procurement and tendering processes (eg information about successful and unsuccessful tenderers; the contract; information about the contractor’s performance; plans for the future shape of the service which has been contracted out; plans for its future procurement).

• Regulatory activity (if the public authority is a regulator, including: commercially sensitive information; correspondence between the regulator and a company which may, if disclosed, harm the interests of that company; or information about licences or permissions issued to that or other companies by the regulator).

• The authority’s own commercial interests (where an authority, or a company which is ‘publicly-owned’ [95], may engage in commercial activities on its own account. Public authorities with wide general powers, such as local authorities, may also run certain activities on a commercial basis from which they will derive commercial interests).

• Developing or implementing policy (eg a public authority may have acquired or requested information from the relevant commercial sector, as part of developing or implementing a policy to promote the interests of that sector).

• Partnerships with the private sector (public authorities working in partnership with private sector bodies, on regeneration projects or on the delivery of services or facilities on the basis of partnership, are likely to hold an appreciable amount of information about their partner, or the structure of the funding involved, whose disclosure may be harmful to the partner or the authority, or both).

26.216 The key issue, if the exemption in s 43(2) is to be engaged, is for the public authority to be able to show how and why there would be (or would be likely to be) harm to its interests, or those of another person, from the disclosure; and the level of likelihood (above or below 50%) that would be anticipated. Without such harm, and its being at least likely to occur, the exemption will not be engaged (and so the public interest test will not arise). The test of likelihood below 50%, set out in R (on the application of Lord) v Secretary of State for the Home Department, was applied to the FOIA, in the context of s 43, in John Connor Press Associates Ltd v ICO (see para 26.212 and footnote 94 above; and also paras 9.9, 24.92(a) and 25.45).

26.217 It is further important to appreciate that it is unlikely that a whole contract will be exempted. It may be that only a few clauses, or sections, contain information whose disclosure would genuinely be harmful; and it will be for the public authority to satisfy itself as to which those clauses or sections are in any given case.

26.218 Disclosure of procurement information may only be harmful if any future contracts (or parts of them) are likely to be similar to the contract (or parts of it) which has been let. If the argument is that there will be harm on retendering the contract, it will be important to be able to show that the contract is in fact likely to be retendered [96].

26.219 In assessing any harm, and its likelihood, public authorities subject to disclosure obligations as a matter of course (such as local authorities in relation to expenditure exceeding £500) should consider the impact, on any harm claimed, of their obligation to disclose in any event (although the timing of disclosures may also be relevant in such cases). Recommendations in relation to disclosure under publication schemes will also be relevant in this context [97].

Commercial interests

26.220 A commercial interest concerns the ability of a person to participate competitively in a commercial activity. Commercial activities relate to the purchase or sale of goods or services. In University of Central Lancashire v ICO and Colquhoun [98], the Tribunal accepted that the university’s teaching materials were assets which it had a commercial interest in maintaining, and thus in not disclosing. The selling of its courses was a commercial activity [99].

Third party interests

26.221 If a public authority wishes to withhold information on the basis of harm (see para 23.113) to its own interests, it needs to provide evidence to support its claim. In the same way, it needs to have received evidence from the third party to support a claim on behalf of that person; or, at least, to be able to show that the concerns cited are those of the third party. In the Derry City Council case, the Tribunal refused to consider harm said to be likely to occur to the airline, Ryanair, from the disclosure of information about landing charges, because the information before it came only from the authority, rather than from the third party; and the Tribunal refused to ‘speculate’ on such harm. This approach has been widely followed since, and should be regarded as effectively a rule.

26.222 It is likely that the only circumstances in which the authority may be able to present concerns on behalf of a third party are where a special factor, such as a genuine time constraint, prevents the third party from doing so itself; and where the authority can rely on its prior knowledge of those concerns. The authority would need to provide evidence that the arguments taken into account by it on this basis did reflect the views of the third party. Such an approach should be exceptional, with the authority taking care not to allow such a situation to develop merely through not having consulted the third party early enough in the process [100]. As a matter of practice, it may be best wherever possible to follow up a statement made on behalf of a third party with a further submission from the third party itself in support (even if the latter has to come after the deadline for a response to the ICO) [101].

26.223 If the third party is not concerned about its own interests, however, the public authority should not claim the exemption on that basis [102].

26.224 The ICO stresses the need to consult a third party early (since no extra time is allowed beyond the 20 working day deadline in order to do so); and advises, as a matter of good practice, that authorities should discuss contracts or agreements with third parties in advance, in relation to their FOIA obligations, in order to manage the private sector body’s expectations [103]. The ICO also draws attention to the need for care over accepting confidentiality clauses in agreements. While they can usefully flag up the terms whose disclosure the third party may consider particularly prejudicial, the authority should not allow the impression to be given that it will be bound by them in relation to the FOIA 2000, since it cannot contract out of its statutory obligations. Consultation with the third party, in the event of an FOI request, should also still take place [104].

26.225 On the levels of likelihood under the exemption in s 43(2), the tests are the familiar ones that harm ‘would’ occur, or ‘would be likely to’ occur; on which see paras 9.9, 23.2–23.4, 24.92(a) and 25.45. The more likely the harm (or rather, the greater the public interest in its avoidance), the greater the weight that it will carry in terms of the public interest test. The public authority has to decide the level of likelihood which it anticipates.

Public interest test

26.226 There is a strong case for openness and transparency in this area, particularly in connection with spending public money. In Hugh Mills v ICO, for example, the requester sought documents on the setting of a maximum hourly price in domiciliary care contracts. Although disclosure would be likely to harm the commercial interests of the health and social care trust involved, the factors in favour of disclosure outweighed those considerations. They included enabling the public to be better informed of activities carried out on their behalf, and to scrutinise public spending more effectively; and ensuring openness about the issues of fairness, value for money and the quality of care to be provided [105]. Promoting accountability for the spending of public money, to improve public understanding of it, will be of significance in the public interest balance; whether in enabling the public to feel greater confidence in the integrity of the decisions made by the public authority, or in enabling individuals more effectively to challenge those decisions.

26.227 Other arguments for transparency will include promoting competition in procurement processes by improving their transparency; and improving the protection of the public (eg if a regulator holds information about potential harm to the public from a product) [106].

26.228 Arguments in favour of maintaining the exemption may include where disclosure would (or would be likely to) [107]:

— reduce the authority’s ability to negotiate or compete commercially;

— lead to damage to the reputation of the authority or a third party, causing harm to its ability to trade as effectively;

— reduce the ability of the authority to generate income itself, by trading [108] (eg if disclosure could inform potential competitors of any competitive advantage enjoyed by the authority, and thus weaken it);

— disclose information which would be detrimental to the authority in future negotiations on contracts or procurement (eg by revealing the pricing mechanism, which another organisation could use for gain);

— lead to a loss of trust between the authority and a commercial partner (eg adversely affecting a joint project).

26.229 Timing will often be of considerable significance in assessing the public interest under this exemption. Information supplied to an authority by a private sector body may have carried commercial sensitivity at the time of the transmission, but it would be necessary to demonstrate that the commercial harm would still be suffered by a disclosure at the time of the request. If the authority can show that the disclosure would still be harmful, because of the inherent nature of the information, the exemption may remain available [109].

26.230 Similar considerations in relation to the EIR, reg 12(5)(e) (commercial confidentiality) are set out at paras 23.108 and 23.123–23.128.

Other relevant exemptions

26.231 Other relevant exemptions may include s 29 (the economy); and s 41 (information provided in confidence). In cases involving, for example, public/private partnerships, s 35 (government policy) or s 36 (conduct of public affairs) may also have some relevance.

94 FOIA 2000, s 43(1): see ICO, ‘Commercial interests (section 43)’, paras 7 and 10; and also Department for Work and Pensions v ICO EA/2010/0073. See also John Connor Press Associates Ltd v ICO EA/2005/0005, para 15, applying the harm test in Lord in the context of the FOIA. (See also paras 9.9, 23.3–23.4, 24.92(a), 25.45 and 26.216.)
95 Under FOIA 2000, s 6: see para 24.26.
96 See ICO guidance on s 43, as footnote 94, para 33; and Cranfield University v ICO EA/2011/0146.
97 See ICO guidance on s 43, as footnote 94, paras 38–41.
98 EA/2009/0034. See also para 26.168 and footnote 70.
99 See also para 23.100 on commercial information.
100 See ICO guidance on s 43, as footnote 94, para 28.
101 See Derry City Council v ICO EA/2006/0014, para 24; and also paras 23.113–23.122, on consulting third parties in the context of EIR, reg 12(5)(e).
102 See ICO guidance on s 43, as footnote 94, para 29.
103 ICO guidance on s 43, as footnote 94, para 58.
104 ICO guidance on s 43, as footnote 94, paras 59–61.
105 EA/2013/0263. See ICO guidance on s 43, as footnote 94, para 45.
106 See ICO guidance on s 43, as footnote 94, paras 46–48.
107 See ICO guidance on s 43, as footnote 94, paras 49–52.
108 See, for example, Council of the Borough and County of the Town of Poole v ICO EA/2016/0074; and ICO guidance on s 43, as footnote 94, para 51.
109 See, for example, Willem Visser v ICO and London Borough of Southwark EA/2011/0188.

Section 44: Prohibitions on disclosure

26.232 There is an exemption for information whose disclosure is prohibited by other legislation or legal requirements. The exemption is absolute. (It will be noted that the EIR contain no such provision, providing instead, under reg 5(6), that measures which are incompatible with disclosure under the EIR do not apply.) [110]

26.233 The FOI regime operates, therefore, subject to other domestic legislation. Information whose disclosure is prohibited by domestic legislation is exempt from disclosure under the FOIA (FOIA 2000, s 44(1)(a)). The prohibition may take the form of an express prohibition in the relevant statute. (See, for example, the prohibition relating to the Local Government and Social Care Ombudsman at para 23.85; upheld by the First-tier Tribunal in Commission for Local Administration, and in Purser.) [111] Another form would be where a public authority with a range of statutory powers and duties (collectively, its ‘functions’) is prohibited from disclosing information held in connection with some or all of those functions. In that situation, it is necessary to determine the extent of the prohibition by reference to the boundaries of the relevant functions (ie the powers and duties concerned).

26.234 Exceptions to statutory prohibitions may not be relevant to disclosure under FOI, in many cases, because they will apply only in certain circumstances, or allow disclosures to a limited number of people; whereas FOI is concerned with publication to the world.

26.235 Information is also exempt if its disclosure would be incompatible with an EU obligation (s 44(1)(b)). Such obligations may arise (at the time of writing) from European legislation or treaties. If the obligation has been transposed into UK law, however, the relevant exemption is that in s 44(1)(a) (prohibition under any enactment), rather than s 44(1)(b) (since the transposed legislation is a domestic measure). After Brexit, the exemption in s 44(1)(b) is to refer to ‘retained EU legislation’, with the exemption applying only to that extent.

26.236 There is a further exemption where disclosure would be punishable as a contempt of court (ie under the powers to protect the integrity of the courts’ proceedings) (s 44(1)(c)). The courts’ powers arise partly from case law and partly from statute. Where disclosure would be contrary to the Contempt of Court Act 1981, the relevant FOI exemption would be s 44(1)(a), at para 26.233 above.

26.237 There is an exemption from the duty to confirm or deny on the same bases as above.

110 See EIR section at paras 21.24–21.25; although see also a potential EIR exception (EIR reg 12(5)(d)) which may be relevant in certain cases, as at paras 23.85 and 23.91.
111 Commission for Local Administration in England v ICO EA/2007/0087; Purser v ICO and LGO EA/2010/0188.

CHAPTER 27

Personal Data in Information Requests

INTRODUCTION

27.1 The exemption in the Freedom of Information Act 2000 (‘FOIA 2000’), s 40, forms a very common ground of complaint to the ICO. It is also generally considered to be the most complicated FOI exemption (or Environmental Information Regulations 2004 (‘EIR’) exception). A substantial case law on it has been built up in the First-tier and Upper Tribunals and the higher courts. It straddles the FOIA/EIR on the one hand, and the General Data Protection Regulation (‘GDPR’) and the Data Protection Act 2018 (‘DPA 2018’) (and formerly the Data Protection Act 1998, or ‘DPA 1998’) on the other.

27.2 The purpose of the exemptions in FOIA 2000, s 40 (and EIR, regs 12(3) and 13) is to enable a balance to be struck, where the information sought in an information request (or information falling within the potential response, even if not directly requested) comprises or includes personal data; either of the requester, or particularly of someone else. Since the issues concern the FOIA 2000/EIR, they arise only for controllers in the public sector.

27.3 It will be seen immediately that there is a tension between the FOI and data protection regimes. Under the FOIA 2000, it is a breach of the Act for a public authority to withhold information from disclosure unless it is exempt (or unless there is another ground whereby the duty to disclose does not arise; eg that the request is vexatious or the cost of the search is too high). Exemptions, even where they apply, are to be construed narrowly. The purpose is disclosure; and such disclosure is to the public. Under the GDPR, by contrast, the purpose is to process personal data correctly; and in accordance with the rights of the data subject. A controller breaches the data protection principles if it wrongly discloses the personal data of an individual to others. Openness and privacy stand in potential contradiction, therefore, in relation to personal data; and public authorities have to balance these conflicting demands.

27.4 It is, however, not the case – as is often assumed – that personal data should not be disclosed in response to an FOI request. If the disclosure falls within the rules enabling it, as set out in the GDPR/DPA 2018, then it can and should be made.

27.5 The process of dealing with FOI/EIR requests of this kind is summarised in the following text box.

27.6 References to the FOIA 2000 in this context should be taken, unless otherwise indicated, to refer also to the equivalent exception under the EIR (regs 12(3) and 13), which have the same effect, other than in certain detailed respects.

Personal data in FOI/EIR requests: summary of approach

This summary relates to general data processing falling under the GDPR. Slightly different rules apply to law enforcement processing (or to personal data held by the intelligence services, which are not covered in this Chapter).

27.7 In dealing with FOI/EIR requests involving personal data, the controller/public authority needs to do the following:
(a) Identify any personal data in the request (of the requester, or others), noting that the definition is broad;
(b) Separate the personal data into the following categories:
(i) personal data of the requester;
(ii) personal data of the requester and another person, where the data relate to both of them, and cannot be divided between them;
(iii) personal data of another person.
(c) Treat (b)(i) and (ii) as exempt from FOI/EIR, but deal with them as an access request. Disclosure will thus be to the requester only (not to the world):
— In relation to (i), the requester is entitled to all of his or her personal data (and the other information to which an access requester is entitled) unless an exemption applies under DPA 2018, s 26 or Schs 2–4;
— In relation to (ii), apply DPA 2018, Sch 2, para 16 (ie that the ‘joint’ data are to be disclosed to the requester where, either: (a) the third party consents; or (b) it is reasonable to disclose the data to the requester without the third party’s consent, having regard to all the relevant circumstances, including the factors in Sch 2, para 16(3)).
(d) In relation to (iii), any disclosure would be to the world. The requester is in principle entitled to the personal data of third parties, but the authority should not disclose such data if (or to the extent that) any of three conditions is met:
— Condition 1: disclosure would breach the first data protection principle, also known as ‘principle (a)’ (or, in theory, any other such principle). Absolute exemption (so no Public Interest Test or ‘PIT’);
— Condition 2: disclosure would contravene GDPR, Article 21 (the right to object); but this exemption applies subject to the FOI/EIR public interest test. (Relevant only if the other person/third party has previously objected to the data being processed by the authority); or
— Condition 3: the personal data would be exempt from an access request made by the third party, if (hypothetically) he or she were now to make one to the authority (ie an exemption under DPA 2018, s 26 or Schs 2–4, would apply). This exemption is also subject to the FOI/EIR public interest test.
(e) Duty to confirm or deny: applies to any of the personal data above unless one of the above exemptions applies to the data as well, on the same basis (see paras 27.12 and 27.82 below).
(f) Slightly different rules apply to FOI/EIR requests to Part 3 authorities (‘competent authorities’) concerning criminal or criminal justice information (see paras 27.84–27.85 below).

Meaning and scope of personal data

27.8 The meaning and wide scope of personal data are set out in Chapter 3 at paras 3.1–3.9 (and paras 3.10–3.13 for special category personal data).

27.9 It is important to have in mind the breadth of personal data, especially under the changed definition in the GDPR/DPA 2018, when responding to FOI/EIR requests. Much of the information which may come to light in answering an information request may be personal data – and thus potentially will need to be addressed under this exemption – without this being immediately apparent.

OUTLINE OF FOIA 2000, S 40

27.10 Section 40(1) provides that information constituting the personal data of the person making the FOI request is subject to an absolute exemption under the FOIA 2000 (but see para 27.13 below as to its interpretation). This may include the personal data of another person (a ‘third party’) which are also the personal data of the requester (see also para 27.17 below). The duty to confirm or deny does not arise1.

27.11 FOIA 2000, s 40(2) provides that information falling within an FOI request, which constitutes the personal data of a third party alone (ie which is not also the personal data of the requester) will be exempt if one of three ‘conditions’ is satisfied. These are a mixture of absolute and qualified exemptions, as follows. They apply where:
(i) First condition: a disclosure to a member of the public, otherwise than under the Act, of the personal data of the third party would contravene any of the data protection principles, under FOIA 2000, s 40(3A) (absolute exemption). The condition applies where there would be a contravention if the exemptions applying to manual unstructured data did not apply (ie manual data are covered, both by requests, and potentially by this exemption);
(ii) Second condition: a disclosure to a member of the public, otherwise than under the Act, would contravene GDPR, Article 21 (right to object) under FOIA 2000, s 40(3B) (qualified exemption, so subject to the public interest test); or
(iii) Third condition: if (hypothetically) there were a request under GDPR, Article 15(1) (right of access) by the third party for their personal data; (or an access request by the same person for their law enforcement personal data under DPA 2018, s 45(1)(b)) the information would be withheld from that person under an exemption from the right of access (FOIA 2000, s 40(4A)(a) and (b)) (qualified exemption)2. This condition has also been expanded to apply where an exemption for reasons of national security or defence under DPA 2018, s 26, would apply.

27.12 The duty to confirm or deny does not arise under (i)–(iii) above if confirming or denying would contravene any of the same grounds (and subject to the public interest test in two cases)3. (See paras 27.78 and 27.82).

1 FOIA 2000, s 40(5A).

REQUESTER’S OWN DATA, AND JOINT ‘THIRD PARTY’ DATA

27.13 Although the FOIA 2000 does not say so expressly, a controller/public authority should treat a request involving the requester’s own personal data, which therefore falls within the exemption in s 40(1), as an access request under GDPR, Article 15(1). (The position in this respect is unchanged from the Data Protection Act 1998 (‘DPA 1998’)). Access requests are dealt with in Chapter 7.

27.14 In particular, it should be noted that:
— Strictly speaking, an FOI refusal notice should be issued since an exemption has been applied. This should make clear how the matter is now being handled, and the deadline for response.
— The time limit for responses to access requests under the GDPR has been shortened to ‘one month’, which is close to, or the same as, the 20 working day deadline under the FOIA 2000; although this may be extended to three months ‘where necessary, taking into account the complexity and number of the requests’ (GDPR, Article 12(3)). The ICO used to offer a choice in effect between the FOI and data protection deadlines for a response, while preferring the (shorter) FOI one; but this no longer seems to be relevant.
— There is no longer a fee for access requests (unless they are manifestly unfounded or excessive: GDPR, Article 12(5)(a)).
— Identity checks can be undertaken (only) where the controller/public authority has ‘reasonable doubts’ concerning the identity of the requester (GDPR, Article 12(6)).

2 See FOIA 2000, s 2(3)(fa) as to the first condition being an absolute exemption (and, therefore, the second and third conditions, which are not mentioned in s 2, being qualified exemptions). The DPPEC regulations make minor consequential amendments after Brexit to the provisions of the FOIA 2000, s 40. See also paras 27.34 and 27.83.
3 FOIA 2000, s 40(5B), and EIR, regs 13(5A) and (5B).

27.15 On the other hand, the latter point emphasises that the authority should consider whether it is satisfied that the identity of the requester is accurate; because, whereas under the FOIA, the process is generally ‘applicant blind’, a controller under the GDPR/DPA 2018 has a higher obligation to avoid the disclosure of a data subject’s personal data to the wrong person.

27.16 For the avoidance of doubt, a disclosure of the requester’s data should be to that person alone (as with any access request under the GDPR); not to the world (as with FOI).

27.17 It is quite likely that the personal data of a third party (ie someone other than the requester) will also be the personal data of the requester. This situation, examples, and how to approach it, are examined at paras 7.52–7.59 under ‘Access Requests’ (see also paras 9.60–9.63). The same provisions (in GDPR, Article 15(4) and DPA 2018, Sch 2, para 16) apply to both situations: where this issue arises under an access request under the GDPR; and, where an access request has been converted from an FOI request (or part of an FOI request).

27.18 Wherever possible, the information about a third party should be redacted (edited out); but this will apply only where the data relates to the third party, not to the requester as well. Information about the third party revealing the source of something recorded about the requester will be the data of both parties; as will individual sentences of text, recorded remarks etc of one about the other, or which form part of exchanges or differences of view between them. The information need not name or expressly identify the third party, while still falling into this category, if the identity is apparent from the context.

27.19 Where the information cannot realistically be separated (or it makes no sense to do so, because the identity of the third party would still be apparent) the controller/public authority is obliged to disclose the data concerned to the requester where either the third party gives consent; or, it is reasonable to comply without the consent of the third party, having regard to the factors set out in DPA 2018, Sch 2, Pt 3, para 16. See the section on Access Requests referred to above, and especially paras 7.54–7.58 (and examples) as to how to proceed.

HANDLING THIRD PARTY DATA WHICH ARE NOT THE DATA OF THE REQUESTER

27.20 This is the core of the exemptions in s 40. The rules in the remainder of s 40 concern three types of exemption (the three ‘conditions’) for personal data which are not the data of the requester; or not jointly the data of the requester and another person. The data in issue are thus about someone else – known as a ‘third party’. Sometimes this is the information which the requester is most obviously seeking. In other cases, it may be part only of what is sought; or arise incidentally or accidentally within the information as a whole, while falling within the scope of the request.

27.21 The three conditions should be considered (however briefly) in relation to each item of the personal data falling into this category; and they should be applied wherever possible. This is because the public authority should not see itself as having a discretion in such cases as to whether to apply any of the s 40 exemptions available (unlike the position elsewhere under FOI). Since the information concerned is personal data, the authority has to apply to itself the more demanding duties of a data controller; albeit in the context of an FOI request. In other words, it should apply the s 40 exemptions (and especially the first one) whenever it can, in order to maintain compliance with the data protection rules. The exemptions can also be easy to miss; unless the text in issue is studied closely, and the exemptions are considered methodically against it.

Note on s 40 guidance from the ICO

27.22 At the original time of writing, the Commissioner’s previous (and substantial) guidance on this exemption was ‘Personal Information, section 40 and Regulation 13’ (version 1.6, 25 May 2018). Notwithstanding its date, the guidance had been only partially updated (in relation to its opening summary) and included most of the text from the previous guidance, which referred to the DPA 1998. More recent, and simpler, guidance on s 40 appeared in April 2019 (version 2.1, 1 April 2019). This Chapter takes account of that more recent guidance. While the latter should obviously be consulted, it is less detailed than its predecessor, notably as to decided cases, and it is worth noting that, apart from the degree of prominence given in the older guidance to ‘fairness’ (which has lesser salience under the GDPR) rather than to lawful bases (or ‘data processing conditions’, as they were termed under the DPA 1998), the older guidance remains of some value in relation to this exemption. The 2019 guidance includes a useful flowchart for dealing with a request. The suggested order of steps in the flowchart differs in some details from the order outlined in this chapter. It should also be noted that it states that refusal notices should explain which exemption is engaged (including a reference to the relevant subsection), and the reason. There is a helpful Annex (Annex 1) which summarises the key questions to take into account.

First condition

27.23 The first, and overwhelmingly most common, ground of exemption is that disclosure to a member of the public would breach the data protection principles (FOIA 2000, s 40(3A), and EIR, reg 12(2A)). While in principle this applies to any of the six principles, in practice it relates to the first (‘principle (a)’): that the data should be processed lawfully, fairly and in a transparent manner in relation to the data subject4.

27.24 It is critical to grasp that a disclosure of personal data under FOI/EIR constitutes ‘processing’ of those data as much as any other activity which can be carried out on those data. As a result, and notwithstanding that the regime under which the authority is operating is FOI/EIR, the public authority has to comply with the GDPR/DPA 2018 in how it makes any disclosure. The FOI/EIR defer to the GDPR/DPA 2018. As a result, the data protection principles have to be applied. It follows that, unless the first principle is met, the disclosure of the personal data sought cannot take place; notwithstanding that it arises from an FOI request.

27.25 The requirement for ‘lawfulness’ has become more important under the GDPR. Under the DPA 1998, it was interpreted to mean mainly that the disclosure should not be unlawful (eg not prohibited under statute, or regulations specific to an industry or sector, or by a court order or common law); and also that the disclosure should not be a breach of a duty of confidentiality, or of an enforceable contractual term. A disclosure which breached respect for private and family life under Article 8 of the European Convention on Human Rights (Human Rights Act 1998, Sch 1, Part 1) would similarly be unlawful (although the test will be likely to be the same as for the ‘legitimate interests’ basis under this first condition – see paras 27.35ff). In one sense, this remains the case; although confidentiality, for example, can be overridden by a legitimate public interest in the disclosure taking place (eg in a case of wrong-doing). If there is a domestic provision prohibiting a disclosure of third party data, the authority might wish to consider applying the exemptions in FOIA 2000, s 41 (confidential information) (see paras 26.190–26.194) or s 44 (statutory prohibition) (see paras 26.232–26.237)5; or, under the EIR, in reg 12(5)(e) (commercial confidentiality) (see paras 23.98–23.129). It should be noted, however, that the duty to provide information under the FOIA/EIR will not itself render a disclosure lawful, since the wording of the test is whether a disclosure ‘otherwise than under’ those provisions would contravene a data protection principle (FOIA, s 40(3A); EIR, reg 13(2A)) (see para 27.30). The new guidance refers to ‘lawfulness’ in this sense as ‘general lawfulness’.

27.26 Now, in a broader and more important sense, lawfulness also refers to the requirement for a lawful basis to be in place under GDPR, Article 6 (and, for special category data, GDPR, Article 9, or DPA 2018, Sch 1 – see paras 27.29–27.30, 27.31–27.63 and 27.64–27.67) without which the disclosure cannot take place.

4 The other principles (eg that the data disclosed are accurate (as held), or that the disclosure is done with appropriate security), also apply as separate requirements.

Place of ‘fairness’

27.27 ‘Lawfully’ has taken the place of ‘fairly’ as the first consideration referred to in the principle. The emphasis given to it, and the need under the GDPR ‘Accountability’ principle to be able to demonstrate compliance with the data protection principles at all times, means that the recent approach by the Commissioner to s 40 cases in the UK has now been altered. In recent years, the Commissioner (although to a lesser extent the Tribunal and the courts) relied on ‘fairness’ as the primary criterion for assessing whether or not third party data should be disclosed. In the revised 2019 guidance, what had previously been a substantial section (16 pages), and the core test under s 40/reg 13, has been reduced to less than half a page; and ‘fairness’ is equated with whether the disclosure passes the ‘legitimate interests’ test below (paras 27.35ff); where previously the position was the other way around. The value of the former approach was that it enabled an overall view to be taken of the meaning of ‘fairness’, which encompassed the needs of transparency in a particular situation, as well as the privacy or any harm to the individual. In her previous guidance the ICO summarised fairness in this context as follows: that, after considering any sensitive/special category data (whose disclosure is likely to be unfair, since it comprised individuals’ ‘most private’ information), the key considerations in assessing fairness were:
(i) The possible consequences of disclosure for the individual; such as fraud or identity theft; threats or harassment; unwarranted communications; harm to emotional wellbeing; harm to career or reputation (demonstrating in each case a causal link between the disclosure and the anticipated impact);
(ii) The reasonable expectations of the individual (at the time of the collection of the data, and of the request); the nature of the information (eg as to whether there would be a strong expectation of non-disclosure); the circumstances in which the data were obtained (eg whether expectations were shaped by a Privacy Notice); whether the information had been, or remained, in the public domain; whether the information concerned the individual’s public or private life; and, the impact on reasonable expectations of the FOI principles of transparency and accountability; and
(iii) Whether there was a legitimate interest in the public, or the requester, having access to the data; and the balance between any such interest and the rights and freedoms of the individuals whose data were involved.

27.28 Fairness remains a requirement, but practitioners need to be aware of the new emphasis on the importance of the lawful bases; which, in practice, means the ‘legitimate interests’ basis in most FOI/EIR personal data cases. What follows takes account of both the former and present ICO guidance, but concentrates on identifying and weighing the lawful basis (likewise usually of legitimate interests).

5 The position would be less clear in relation to data of the requester (or joint data with a third party) (ie an access request) to which a domestic statutory prohibition applied; unless it fell within one of the limited list of exemptions in DPA 2018, Sch 4.

Lawful bases in GDPR, Article 6

27.29 The lawful bases of processing, in GDPR, Article 6, are explained in Chapter 5 at paras 5.3–5.81. At least one lawful basis must apply in any instance of processing of personal data; and thus must be in place in every case of disclosure of personal data under the FOIA 2000.

27.30 In almost all the cases determined thus far under FOIA 2000, s 40/EIR, reg 13, only two of the lawful bases have been relevant; consent (GDPR, Article 6(1)(a)) and the ‘legitimate interests’ basis (GDPR, Article 6(1)(f)). The ICO’s view is that the remaining lawful bases are unlikely to be relevant to an information request because they are concerned with the purpose for which processing is undertaken, or with the quality of storage of the data. Basis (c), of legal obligation, does not refer to the duty to answer FOI/EIR requests, because the test for the main s 40/reg 13 exemption is whether disclosure ‘otherwise than under’ these provisions contravenes the data protection principles (see para 27.25).

Consent as lawful basis

27.31 The consent basis requires that the data subject (ie the third party) has given his or her consent to the specific processing. If it is relied upon in the particular case, the consent must be freely given, and relate to the FOI disclosure. It must be demonstrable by the authority/controller6. If written (as would be highly advisable), the request has to have been clearly distinguishable from other matters; and in an intelligible and easily accessible form, using clear and plain language7. The third party has the right to withdraw his or her consent at any time; and has to be told this is the case, and the withdrawal made as easy as giving consent initially. If a withdrawal occurs, it will not invalidate any FOI disclosure by then made; but introduces a difficult issue over any subsequent disclosures sought in relation to the same information8. If the consent necessarily involves more than one person, it must be given by all of those whose personal data are involved. For these practical reasons, as well as the probable reluctance of a third party to give consent in most cases (even if they can be traced), consent is an unattractive basis for an FOI disclosure; other perhaps than in particular circumstances.

27.32 Those circumstances might be where: it is clear that the disclosure is a ‘one-off’, which is likely to be of interest over a short period or unlikely to be repeated (or where the consent will reliably not be withdrawn); the third party is in close touch with the authority or the issue behind the request (eg as a senior member of its staff); time is short, and the authority has the ability to secure consent without delay; or, the circumstances give the third party little interest in withholding consent, or an incentive to disclose (eg in relation to a controversial matter in which that person is involved, where disclosure may appear to them to be the best course; or the only practical one available). Even in those types of circumstances, however, it should be borne in mind that the facts may well be such that the disclosure would meet the legitimate interests basis as well.

Legitimate interests as lawful basis

27.33 The ‘legitimate interests’ lawful basis is that the processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (GDPR, Article 6(1)(f)).

27.34 GDPR, Article 6(1) also states that ‘point (f)’ does not apply to public authorities ‘in the performance of their tasks’. DPA 2018, Sch 19, para 58(8), provides, however, for an exemption from this disapplication to be inserted as a new FOIA 2000, s 40(8) – ie that the lawfulness condition in GDPR, Article 6(1)(f) remains available for the purposes of answering FOI requests9.

6 See GDPR, Article 7(1).
7 See GDPR, Article 7(2).
8 See GDPR, Article 7(3).

Three steps to establish whether the ‘legitimate interests’ basis is met

27.35 Three steps should be taken to establish whether the condition is present, so that third party data can be disclosed. These steps should be applied in every case where reliance on this condition is being considered10:
1. there must be a legitimate interest in disclosure;
2. the disclosure must be necessary to meet the legitimate interest; and
3. the interests and fundamental rights (in data protection terms) of the data subject should not override the legitimate interest in disclosure.
(The DPA 1998, using language reflected in many of the cases on FOIA 2000, s 40, said that the disclosure should not be ‘unwarranted’, ie unjustified, by reason of harm to the rights and freedoms or legitimate interests of the data subject)11. The similarity with the test in her previous guidance, developed by the ICO for overall fairness can be seen (see para 27.27 above). Eight ‘propositions’ were also described by the Upper Tribunal in the Goldsmith case, and referred to by the Court of Appeal in Cooper, which set out a detailed approach to answering the three questions above12.

27.36 Step 1: the test of legitimate interest on the part of the public or requester (see below) should not be difficult to meet in most cases. There is a general public interest in transparency under the FOIA 2000. In addition, there are likely to be specific reasons why an interest is legitimate in any given case. It is necessary, therefore, to go beyond the standard FOI transparency factors to consider the level of legitimate interest in the particular circumstances. The factors of transparency, accountability, the number of people affected, and any relevant responsibility of the third party for the spending of public money, may be relevant to that question.

27.37 In the case involving MPs’ second home expenses, the High Court said of the legitimate interest in disclosure that the expenditure of public money through the payment of salaries and allowances to MPs was a matter of ‘direct and reasonable interest to taxpayers’. Although the House of Commons made the rules, questions of whether payments were within the rules, or even whether those rules were appropriate, had a ‘wide resonance throughout the body politic’, bearing on public confidence in the democratic system (see footnote 16 below). This illustrates the nature of a very substantial (public) legitimate interest in disclosure; although it is not suggested that the interest required to be identified would need always (or even rarely) to be at this level.

27.38 Decisions in the Upper Tribunal, which pre-dated the GDPR, cast some doubt, however, on whose ‘legitimate interest’ should be in issue; whether it is that of the public or of the requester. In Haslam, the issue could be answered in both ways, because the requester was a local journalist pursuing a story with a public interest (ie which elected councillors of the relevant local authority were in arrears over their council tax); so that he was presumed to represent both13. In Nursing and Midwifery Council, which Haslam followed, the Upper Tribunal considered the legitimate interests in the context of the concerns of the two separate requesters14. The Commissioner’s guidance, however, (with which the author respectfully agrees) is that both types should be considered; at least where the requester notifies their private interest to the authority, so that it is aware of it.

9 The equivalent provision for the EIR is DPA 2018, Sch 19, para 307(7), inserting EIR, reg 13(6). See para 27.83.
10 South Lanarkshire Council v Scottish ICO [2013] UKSC 55, at para 18, per Lady Hale. In considering the ICO’s previous guidance, or the previous case law, it should be borne in mind that the wording in the GDPR, Article 6(1)(f) is slightly different from that in the former DPA 1998, Sch 2, para 6; although to the same effect.
11 It did not specify whether the requisite likelihood of harm was that it was ‘likely’, or that it ‘would’ be caused (ie more probable than not).
12 Goldsmith International Business School v ICO and Home Office [2014] UKUT 563 (AAC), paras 34–42; Cooper v National Crime Agency [2019] EWCA Civ 16, para 90.
The rationale for this approach is that FOI/EIR are concerned with the interests of the general public in transparency; not with what may in some cases be an intense private concern of an individual requester which bears little relation to (or, at least, may greatly exceed) a legitimate interest of the public. While FOI/EIR requests are usually ‘applicant blind’, the issue here is in general to balance the privacy interests of the data subject with those of the general public in publication; not (as a general rule) to balance the private interests of the two individuals concerned (the requester and the third party data subject). Balancing the privacy interests of the data subject with the interests (however legitimate) of another private individual could produce a very different result; and lead to more disclosure of individuals’ personal data (to the world) than may be considered justified or fair. Each case has to considered, however, on its merits. The ICO’s advice is that there may be a direct link between a private interest and a wider legitimate interest in disclosure. The controller/authority will often not be aware of the requester’s interest in the disclosure; but if the requester informs the controller/public authority of his or her interest, the controller should take this into account when considering disclosure (and also consider whether this identifies a wider legitimate interest of the public). It should also be borne in mind that, while the private interests of the requester may be sufficient to found 13 [2016] UKUT 139 (AAC), paras 60–61. For the Commissioner’s guidance, see ICO: ‘Personal information (section 40 and regulation 13)’, paras 82–84. 14 ICO v 1) CF and 2) Nursing and Midwifery Council [2015] UKUT 449 (AAC), paras 20–24.

543

27.39  Personal Data in Information Requests

a legitimate interest, they may not be weighty enough on their own to justify disclosure to the world, under the third step, where the information is free of any duty of confidence and its use cannot be controlled15.

27.39 Second step: if the first test is met (as will usually be the case), the second is that disclosure has to be ‘necessary’ to meet that interest. The two are thus linked: does this disclosure need to be made to meet this interest? The test was originally interpreted to mean that there was no alternative to disclosing those precise personal data, and could not be met by disclosing less. A more flexible approach was taken in the MPs’ expenses allowances case. The Information Tribunal said that the necessity test was whether the legitimate aim could be achieved by means that ‘interfere less with the privacy of the MPs’. The Divisional Court in that case developed the approach of the Tribunal, based on the interpretation of the European Court of Human Rights when justifying an interference with recognised rights. The Divisional Court said that the meaning of ‘necessary’ was whether there is a ‘pressing social need’, and whether the interference (ie with the data subject’s rights) was both ‘proportionate as to means, and fairly balanced as to ends’16. In Halpin (see footnote 15), para 31, the Upper Tribunal said that it should be established both that there is a pressing social need, and that there are no other means of meeting it. In Goldsmith, the Upper Tribunal said that a disclosure that was ‘necessary’ was more than desirable, but less than indispensable or absolutely necessary. See also Hussain in the High Court17.
In South Lanarkshire Council v Scottish ICO, Lady Hale said that it was well-established in community law that, ‘at least in the context of justification rather than derogation, “necessary” means “reasonably” rather than absolutely or strictly necessary’ (followed in Goldsmith and Hussain, and confirmed by the Court of Appeal in Cooper)18.

27.40 In Gibson v ICO and Craven DC19, the council’s Chief Executive had departed, under a compromise agreement containing a confidentiality clause, after questions had arisen about the financial management of the local authority. There was a legitimate public interest in knowing the terms of the compromise agreement, and its cost. Only the total public cost was ordered to be disclosed, however, rather than the detailed terms of the agreement. The Tribunal found that the legitimate interest in disclosure outweighed the privacy interests of the chief executive only to that extent. Disclosure of most of the terms would not enlighten the public as to whether the settlement was justified; and an assurance in a report by the district auditor, that there were no matters on which the auditor needed to take action, might be of more assistance. In that sense (although not expressed in those terms) the decision may be seen as relying in part on there being an alternative route to meet the legitimate need for public reassurance; and thus that the ‘necessity’ for public disclosure was not met.

15 See, for example, ICO v Halpin [2019] UKUT 29 (AAC), paras 19–20.
16 See Corporate Officer of the House of Commons v ICO and (1) Ben Leapman, (2) Heather Brooke, (3) Michael Thomas EA/2007/0060, 0061, 0062, 0063, 0122, 0123, 0131, para 60A. See also para 59. Corporate Officer of the House of Commons v ICO and Heather Brooke, Ben Leapman, and Jonathan Michael Ungoed-Thomas [2008] EWHC 1084 (Admin), para 43. See also Stone v South East Coast Strategic Health Authority and ors [2006] EWHC 1668 (Admin), para 60.
17 Goldsmith, as footnote 12, para 37 (based on earlier authorities); Hussain v Sandwell Metropolitan Borough Council [2017] EWHC 1641 (Admin), para 230. See also Haslam v ICO (as footnote 13), para 62.
18 South Lanarkshire Council v ICO [2013] UKSC 55, at para 27; Cooper, as footnote 12, paras 89–91; Hussain (as footnote 17), para 230.
19 EA/2010/0095.

27.41 The Commissioner gave examples in her previous guidance of ICO decisions relying on necessity. In one case, there was a legitimate public interest in parents, rather than only involved professionals, having access to the names of persons in charge of child day care centres when researching the available provision. The names were provided to government, the police and social care services, but parents could not check that the person in charge was registered before using a centre, and so a disclosure to the public was necessary to meet that legitimate objective20. In another case, however, the test was not met. The request was for statements provided by certain nurses in the course of investigations of complaints about fitness to practise. There was found to be a legitimate interest in knowing about whether individuals were fit to practise. The legitimate interest was met, however, by the Nursing and Midwifery Council maintaining those standards and investigating complaints. Disclosure to the public of individuals’ complaints histories was not necessary, since there was an alternative arrangement which enabled the legitimate interest to be satisfied21.

27.42 Third step: the third step is to balance the legitimate interest in disclosure with the privacy or other interests of the third party: does the former outweigh the latter, or should the privacy interests be regarded as of greater weight than the legitimate interest, so that they override it?
27.43 Earlier versions of the Commissioner’s guidance identified four factors that should be considered when weighing this balance:
(i) whether the information in issue related to the third party’s public or private life. To this may be added whether they are in a public-facing role (even if not senior), or whether they have responsibility for public money; either of which would be likely to reduce the weight to be given to their privacy;
(ii) the potential harm or distress to the individual;
(iii) whether the individual had objected;
(iv) the reasonable expectations of the individual.
To these may be added (as reflected in the most recent guidance):
(v) whether the information is already in the public domain; and
(vi) whether the information is already known to some individuals.
These factors often overlap. They are examined in turn below, including examples from decided cases.

20 Ofsted (Office for Standards in Education) FS50090869, para 63.
21 Nursing and Midwifery Council FS50169734, para 27.


(i) Public or private life

27.44 A request for details of the travel allowance claims made by MPs (preceding the second homes’ case) established for the first time that the privacy interests of public officials are not paramount, in contrast to the view taken (at least at the time) of the privacy interests of other individuals. This will, therefore, reduce the weight of those interests in the legitimate interests/privacy balance. Regard should be had, in terms of fairness also, to whether the data relate to the individual’s public or private life22. The nature of the information in issue will, therefore, be significant in assessing this factor.

27.45 The main expenses allowances case, involving MPs’ second homes, established firmly that public officials such as MPs should expect public scrutiny in relation to activities or expenditure linked to their official role23. There is a ‘sliding scale’ in the protection of privacy, depending on where an official stands with regard to public-facing or internal functions24. A headteacher is probably close to the opposite end of the scale from elected officials such as MPs25. It should be expected, however, that the sliding scale will not apply to the same extent (ie to protect an official who is towards the private end of it) where the information sought relates to concerns about the use of public funds; a factor referred to in that case.

27.46 Senior staff should now expect a greater degree of scrutiny than junior staff; affecting in turn their reasonable expectations of privacy. Thus the total pay of senior officers is disclosable26; and publication of the precise salary of a CEO in the public sector would now be expected27 (if not already publicised via the Publication scheme).

27.47 Another factor may be whether, while not senior, an individual is in a public-facing role, which would diminish their expectation of privacy, by comparison with others who are at a similar level of seniority but lack the public element to their work.

27.48 An example of the different considerations applying to public officials was shown in a case involving the refusal under s 40 of a request from a local journalist for the names of local councillors who had received reminders for non-payment of their council tax. This was upheld by the ICO and First-Tier Tribunal. The Upper Tribunal found, however, that while the non-payment of council tax by a councillor had a private element in the same way as for other private individuals, it had a public dimension because councillors were barred by statute from voting on the council’s budget if they were more than two months in arrears. The default thus ‘strikes at the heart’ of a councillor’s functions. The legitimate public interest in knowing the name of a defaulting councillor was ‘compelling’, at least where the councillor was in default for over two months. Thus while an individual who was in arrears could expect his or her privacy to be protected, such interests were outweighed in the case of a public official who was being prevented, by reason of the arrears, from performing one of his or her core roles as a councillor28.

22 Corporate Officer of the House of Commons v ICO and Norman Baker MP EA/2006/0015 and 0016, paras 77–79. See also paras 27.27–27.28.
23 As footnote 16.
24 Roger Salmon v ICO EA/2007/0135, para 44.
25 Kenneth Blake v ICO EA/2009/0026, paras 32–33.
26 Corby Borough Council FS 50062124, page 3.
27 Michael Dicker v ICO EA/2012/0250, para 14.

27.49 On the other hand, information relating to some personal matters of even a senior official will properly remain private. Thus whether senior officials lived within the boundaries of the local authority for which they worked was not disclosable, because it concerned their private rather than their professional lives29.

(ii) Potential harm or distress

27.50 The level of harm or distress expected to be suffered by the third party, its degree of likelihood, and whether it can be justified, are significant factors which should be considered in all cases. Disclosures which may expose an individual to fraud, identity theft or harassment are unlikely to be justifiable. Other more indirect consequences, such as harming a person’s future job prospects by disclosing a previous application form, may be difficult to justify. Where the legitimate interest is present, but not of unusual weight, the potential for harm or distress may be sufficient to avoid disclosure; at least of the more damaging information. On the other hand, the likely harm or distress may not be determinative where the legitimate interest arises for a weightier or unusual reason; or, where disclosure would serve an important purpose. The nature of the information, and the level of harm or distress its disclosure would be likely to cause, should be examined in each case. A likely causal connection between the disclosure and the harm needs to be established, in order for the harm to be taken into account. Extra weight should be given to the interests of a child or vulnerable adult.
(iii) Whether the individual had objected or expressed concern

27.51 The ICO’s 2019 guidance is that, if the third party has expressed concern about the disclosure, the controller/public authority should carefully consider their reasons, weighed against the legitimate interest in disclosure, and whether they are reasonable in the circumstances. The controller/public authority may consult the individual, but there is no obligation to do so. It is suggested, however, that this is often a less significant factor, operating more as an indicator of the individual’s view of the disclosure; save insofar as it may illustrate the consequences of disclosure, in terms of harm or distress. In many cases, the individual will be unaware of the FOI question, and the authority will not consult them about it; and so this factor will not arise. (See also paras 27.68–27.74 below on objections relevant to the second condition).

28 Dale Haslam v ICO and Bolton Council EA/2014/0029; [2016] UKUT 0139 (AAC); EA/2014/0029, paras 40 and 54.
29 Wrexham County Borough Council FS 50114028, paras 24 and 29–30. See also para 27.62.

(iv) Reasonable expectations

27.52 This is an important factor, which frequently forms the core of the reason for refusal. Reasonableness should be assessed objectively (ie what the reasonable person would consider to be reasonable); and the third party should be deemed to be a ‘reasonably balanced and resilient individual’30. The authority may, however, make its own reasonable judgments as to what such expectations would be; it has no obligation to seek the views of the data subject (and it follows that the expectations do not need to be the precise ones which the third party holds). The expectations concerned should be considered as they would have been both at the date when the personal data were collected, and at the date of the request. Thus assurances may have been given to the individual at the time of collection, which remain valid. On the other hand, the circumstances may have changed; societal attitudes may have altered; or, the public authority may have revised its approach by the time of the request. A number of factors may be relevant to what the third party may reasonably expect. These include, in addition to whether the information concerns public or private life (see paras 27.44–27.49):
(a) the increased awareness in society of the importance of both privacy, and privacy rights under the Human Rights Act 1998; and of transparency in the public sector. Thus the context may be important, with greater transparency expected; for example, in relation to the performance of public duties or the spending of public money;
(b) the nature or content of the information; or the consequences of its release.
There is, for example, a high expectation of privacy in relation to an individual’s personal data concerning internal disciplinary matters, even where the individual employee concerned is senior (but see para 27.59 below)31. A staff member of an organisation has a reasonable expectation that an absence record relating to himself or herself will be used for the purposes of staff administration only, and will not be published32. This could be expected to apply to other personnel records held for these purposes, as a general rule, or unless disclosure were justified exceptionally. Other areas where there is a recognised expectation of privacy are in relation to: special category data; criminal offence data; information concerning family life; or, information concerning children;
(c) the circumstances in which the personal data were originally obtained, which may affect the reasonable expectations of the data subject about the uses to which their personal data will be put. Thus, a complainant to a public authority about the conduct of another person has a reasonable expectation of privacy in relation to their complaint (at least, unless it was made clear beforehand that this would not be the case). Both successful and unsuccessful applicants for a post, even at a senior level, have a reasonable expectation that the personal data in their applications will not be published33. It will be relevant to consider whether the individual provided the information with an expectation that it would be kept confidential (and whether this expectation was reasonable). It will also be necessary to consider whether the circumstances (eg as to expectations of transparency in the public sector) have changed since the information was collected;
(d) any relevant parts of the authority’s Privacy Notices, either at the time when the data were collected, or subsequently if relevant, may have influenced a third party’s reasonable expectations. Privacy Notices should reflect that FOI/EIR requests may be made for the personal data of third parties; that the test of disclosure would be whether it would contravene principle (a) of the GDPR; and, that the authority has a legal obligation to process personal data in order to consider how to respond to such requests. Such statements in Privacy Notices would reflect both the requirements of the GDPR as to transparency, and the aims of the FOIA/EIR as to transparency and accountability. The ICO’s view, however, is that even without such a clear reference in a Privacy Notice, individuals should reasonably be assumed to be aware of these obligations. Individuals should also be informed of their right to object (in GDPR, Article 21) to the processing of their data. This applies where the processing is undertaken, as will generally be the case in the public sector, on the ‘public task’ lawful basis in GDPR, Article 6(1)(e); or, also on the ‘legitimate interests’ basis in Article 6(1)(f), if that applies in a given case;
(e) other factors, such as any specific assurances of confidentiality given to the third party; or, any expectations which reasonably arise from policy or practice in the area concerned, may be relevant. It is relevant to consider, however, whether any specific assurance of confidentiality was reasonable; perhaps, in the case of a staff member, in the light of their role or seniority. In relation to existing policy or practice, the ICO advises that these should be balanced against a consideration of the rights and interests of the individuals concerned, taking other factors relevant to this exemption into account. Thus a policy, for example, in relation to disclosure of the expenses of senior staff might not accord with the reasonable expectations of junior staff.

30 Trago Mills (South Devon) Ltd v ICO and Teignbridge District Council EA/2012/0028, para 65.
31 Rob Waugh v ICO and Doncaster College EA/2008/0038, para 40; Kenneth Blake, as footnote 25, para 34.
32 Cambridgeshire County Council FS50107704, para 25.
33 Peter Bolton v ICO and East Riding Council EA/2011/0216, paras 19 and 40.

33 Peter Bolton v ICO and East Riding Council EA/2011/0216, paras 19 and 40.


(v) Whether the information is already in the public domain

27.53 The consequences of disclosure may be less harmful for the third party if the information is already in the public domain. The ICO’s updated guidance (April 2019) points to a number of factors which may affect the weight of this consideration:
— whether the information is known only to the requester, or realistically is accessible to the public as a whole.
— whether it has only appeared as speculation (eg on social media, or in a newspaper article), or is available from an authoritative or official source. The weight of this factor against disclosure would be greater if the former were the case.
— whether, if the information was previously published, it is still public knowledge. Thus, for example, a newspaper article published some years ago may have been forgotten, unless it has been made permanently or easily accessible.
The issue of whether the information was published with the consent of the third party is also relevant; especially with information volunteered (or appearing to be volunteered) onto social media. The ICO advises that it should not be assumed that information on a publicly accessible page on social media has been put there by the individual, or with their consent34. Relevant questions are:
— Whether the information is available to all, or a closed group; or what the individual intended in that regard (so far as it can be ascertained).
— Whether the individual intended their personal data to be published; or if it was done without their consent.
— Whether the information is about a minor (where particular care is required).
The ICO does advise, however, that while no search of a possible public domain need be carried out where there is a large number of names, it may be reasonable to expect the controller to carry out more detailed checks for a smaller number of people. (It is suggested that this may be interpreted as an expectation which should be taken to arise where there is some reason to expect that the information may have been published in this way).

34 See also Surrey Heath Borough Council v ICO and John Morley [2014] UKUT 0339 (AAC).

(vi) Whether the information is already known to some individuals

27.54 Where certain people could, from personal knowledge, identify a person from the information in issue, whereas an ordinary member of the public would not, the controller/authority should consider whether the information is actually in the wider public domain. The important issue will be whether those people, who would be able to identify the individual, would learn anything new about him or her if the information were disclosed; and, if so, what impact this would be likely to have on the individual35.

Reaching the balance

27.55 The balance will come down to the relative importance or weight of the legitimate public interest in disclosure as against the weight of the third party’s privacy or other interests. The decision is similar to, but not identical with, the public interest test generally under the FOI/EIR. The precise difference is that there is no presumption of disclosure. The weight of the privacy interests does not need to outweigh that of the legitimate interest; the opposite is the case (ie the authority should not disclose unless the legitimate interest is weightier). More broadly, rather than a public interest in non-disclosure, there is a right to data privacy, and the protection of other rights arising from data processing, arising from the statutory provisions in that area. In a broader sense still, however, there is a basic similarity of objectives: to assess whether disclosure or non-disclosure is the better outcome in terms of balancing FOI transparency with (in this case) data privacy, or the harm to individuals that may arise in the context of this form of data processing. Every case is different.

Examples of weightier legitimate interest

27.56 There is a strong legitimate public interest where the accountability of public spending is in issue, as in the MPs’ expenses case. The evidence in that case raised concerns about the levels of effective control and accountability; leading to questions as to whether public confidence in the public body was lacking. These were sufficiently significant to override the concerns of MPs as to their personal privacy, and their expectations based on what were construed as assurances that information, beyond the totals claimed, need not be disclosed. Although the Tribunal (upheld by the Divisional Court) did not order full disclosure, it exempted only certain information, such as some categories of sensitive personal data, third party data, or information relating to security measures at MPs’ homes36.

27.57 In Gibson above at para 27.40, the legitimate public interest in knowing the total cost of a compromise agreement with the former chief executive was sufficient in the circumstances to outweigh a confidentiality clause which would otherwise have prevented its disclosure.

27.58 If the information in issue relates to the central role or functions of a public official, and the ability of that person to perform the role effectively, the legitimate interest may be strong enough to require disclosure even of private financial matters between the individual and the authority, and falling outside the expenditure of public money; as in Haslam above at para 27.48.

35 See Peter Dun v ICO and National Audit Office EA/2010/0060.
36 See footnote 16; and also para 27.63, and footnote 42 below re publication.

27.59 If there is some special factor or set of circumstances, it may be that even well-founded expectations of confidentiality should be given lesser weight than a legitimate interest which is of especial weight on the facts. If there is a local or national controversy about an issue, or about local mismanagement, or if there are suspicions that the full factual background is being withheld to avoid embarrassment or more serious consequences, the legitimate interest raised by the FOI question may be too weighty to be answered in terms of normal expectations of ‘data privacy’ because those expectations do not address the seriousness of the issue raised. If there is ‘evidence of wrong-doing’, the reasonable assumption of privacy in relation to disciplinary hearings, for example, is likely to be removed (Waugh, para 4037); leaving unclear what would constitute sufficiently weighty ‘evidence’ in such cases. In a case involving the amount paid under a compromise agreement to a group of six former employees of a local authority who had been whistleblowers, in settlement of employment tribunal proceedings over their sacking for highlighting alleged management lapses at children’s homes, the legitimate public interest in disclosure of the total paid to them (rather than how the sum was divided between them) outweighed the prejudice to the individuals concerned38. The sum appeared to be substantial, and the Commissioner considered that the council had ‘failed to meaningfully account’ for the spending in its annual accounts, by including it within an overall spending figure for children’s and education services.
While disclosure of the total payment was not within the reasonable expectations of the individuals, and they were not ‘public facing or particularly senior’, the public’s legitimate interest in understanding the financial impact on the council was not adequately satisfied by the annual accounts. Disclosure of the total would not sufficiently prejudice the individuals to outweigh the legitimate interest of the public in knowing the financial cost.

27.60 In relation to the duty to confirm or deny, the Tribunal has rejected the argument that it is always an unfair interference with privacy to confirm or deny the existence of a complaint of professional misconduct against an individual (where there had been no finding of wrongdoing or malpractice)39. This might arise, for example, where there appeared to be some ground for concern over the conduct of the investigation of the complaint.

Examples of weightier interests of the individual

27.61 In Rob Waugh (at para 27.52(b) above), the reasonable expectations of the departed head of a further education college, who left under the terms of a compromise agreement, that any details of allegations against him should not be disclosed, outweighed the legitimate interest in disclosure of the issues involved. This was particularly the case, given the ‘substantial detriment’ and ‘significant invasion of his privacy’ which the Tribunal considered would result from disclosure40. Similarly, in Kenneth Blake (at para 27.45 above), the privacy interests of a headteacher, in the investigatory report relating to a disciplinary hearing about her not being disclosed, were sufficient to outweigh the legitimate interest in disclosure. On the facts, the Tribunal was not persuaded that there was any wider public interest in the report, or that the issues were relevant beyond the school. Disclosure would have a prejudicial effect on the headteacher, her career, and her ability to carry out her functions in the school; as well as causing her distress.

37 See footnote 31.
38 Wakefield Metropolitan District Council FS 50178553, paras 46, 48, and 52–53.
39 Mrs Colleen Foster v ICO EA/2013/0176, para 18.

27.62 As already indicated (para 27.49), whether the locations of the homes of senior officials were within the boundary of the public authority for which they worked, was too great an intrusion on their privacy since it would not ‘materially affect or influence the officer in his/her capacity as a public servant.’41.

27.63 In the MPs’ expenses case, as also already indicated above (para 27.56), some personal data, including of third parties, banking or credit card information, or security arrangements (including any home addresses where there was a special reason for confidentiality, such as stalking or a terrorist or criminal threat), were not ordered to be disclosed, as those types of personal data went beyond what was required by the legitimate interest in disclosure42.

Special category and criminal offence data

27.64 It is significant that there is in GDPR, Article 9(2) (setting out the exceptions or conditions under which special category data may be processed), or DPA 2018, Sch 1 (which expands it) no equivalent to the GDPR, Article 6(1)(f) condition. There is thus no ‘general’ lawful basis which may be available to support disclosure of special category/sensitive personal data. Only two lawful bases for special category data appear to be available in specific cases to support disclosure of such data in FOI requests:
(a) where the data subject has given his explicit consent to the disclosure (GDPR, Article 9(2)(a)); requiring, in the ICO’s view, a record applying to each individual concerned, which shows specific consent to the FOI/EIR disclosure; or
(b) the data subject has himself or herself ‘manifestly’ (ie clearly) made the data public (GDPR, Article 9(2)(e))43.
As an example, the ICO points to an MP having put his or her political affiliations into the public domain. She rejects, however, a defendant in a criminal trial, who discloses special category information about themselves in a plea of mitigation, from acting deliberately in this context; since they have no option but to make the disclosure in open court, if they are to make such a plea.

40 Rob Waugh, as footnote 31, para 44.
41 Wrexham CBC, as footnote 29 above, para 29.
42 In the event, an unredacted copy of the information in issue was leaked to a newspaper and published before the redacted version had been prepared for release.
43 As was judged to have occurred in part in The Commissioner of the Metropolitan Police Service FS 50088977; one factor contributing to the ICO’s finding that disclosure was not unfair. See paras 23, 52 and 70 of the Decision Notice.

27.65 If neither of these lawful bases applies (and no other can be found to apply), there will be no basis for disclosure of special category personal data falling within the FOI/EIR request concerned. In other words, those special category data should not be disclosed. This is a straightforward outcome; and relatively easy to establish. It reflects a clear presumption in relation to special category data; that it has to be treated with care and, as a result, that it is generally unlikely that such data about third parties falling within FOI requests will be disclosed to the public domain. On the other hand, there may be questions as to whether it adequately describes the situations in which disclosure may be appropriate.

27.66 The ICO’s previous guidance included the following passage, in the context of whether it would be ‘fair’ to publish special category (formerly sensitive) PD: ‘the disclosure of such information is likely to be unfair as it comprises information that individuals will regard as the most private…. in the majority of cases it will be in the reasonable expectation of the individual that such information will not be disclosed.’44 This passage is omitted, however, from the most recent guidance. While this may reflect no more than the downgrading of ‘fairness’, in favour of a ‘lawful basis’ for disclosure, it is worth considering whether, in fact, more special category data may be likely to be disclosed in the future; perhaps as a result of greater public concern over terrorism or crime; or, in the context of arguably increasing public discussion of matters of ethnicity, political, religious or philosophical beliefs, health, or sexuality, in relation to individuals in those contexts.
Public authorities may generate more special category data, which could in time be the subject of FOI/EIR requests (eg on the basis of the long list of Substantial Public Interest Conditions in DPA 2018, Sch 1; such as monitoring racial or ethnic diversity in relation to senior appointments (Sch 1, Pt 2, para 9); or, in providing support for people with particular disabilities or a medical condition (Sch 1, Pt 2, para 16)). If so, it may be the case that guidance on the potential availability of other lawful bases for the publication of such information in FOI answers may be required in future.

[44] Version 1.6, para 47.

Handling third party data which are not the data of the requester 27.69

27.67 ‘Criminal offence’ data are defined in GDPR, Article 10 (as supplemented by DPA 2018, s 11(2)), to mean personal data relating to: criminal convictions and offences, or related security measures; the alleged commission of offences by the data subject; proceedings for an offence committed, or alleged to have been committed, by the data subject; or, the disposal of such proceedings (ie the outcome), including sentencing. Such data are to be processed in the UK, under Article 10, either under ‘the control of official authority’, or under almost the same lawful bases as apply to special category data (DPA 2018, s 10(5))[45]. The ICO points out that there is no definition in UK law of ‘official authority’ in this context, and so the lawful bases listed in Schedule 1, Pts 1–3, necessarily form the basis of processing. The result is that the lawful bases considered by the ICO to be available for FOI/EIR disclosures of ‘criminal offence’ data are:

— the consent of the data subject [NB not “explicit” consent, a slight difference from special category data] (Sch 1, Pt 3, para 29);

— personal data which have “manifestly” been made public by the data subject [the same as for special category data].

The same comments, as to whether the scope may need to be expanded in the future, apply as in para 27.66 above.

Second condition GDPR, Article 21 (right to object)

27.68 The second condition of exemption in FOIA 2000, s 40(3B) (and EIR, reg 13(2B)) is that disclosure would contravene GDPR, Article 21: the right to object to processing. Under Article 21, an individual may object to processing, and oblige the controller to cease the processing unless it can justify it. The right applies only where the processing is carried out under the lawful bases of the ‘public task’; or ‘legitimate interests’[46]. The ICO describes the exemption as applying where disclosure would contravene an objection made under Article 21. While this makes clearer sense in terms of language, it may be too broad; enabling an exemption to be considered whenever a person has previously objected, and so potentially blocking too wide a category of information from disclosure. The sense of the language of ‘contravene Article 21’ is that disclosure would in some way infringe, or perhaps undermine, the Article; which implies a narrower set of circumstances in which it would apply (see paras 27.71–27.72 below).

27.69 Where an Article 21 request has been made, the controller should end the processing, unless:

(a) the controller can show ‘compelling legitimate grounds’ to continue the processing which: (i) override the interests of the data subject, or (ii) relate to the establishment, exercise or defence of legal claims (GDPR, Article 21(1)); or

(b) a further exemption applies for scientific, historical or statistical research for processing carried out for reasons of public interest (GDPR, Article 21(6)).

[45] Namely those in DPA 2018, Sch 1, Pts 1–3: see DPA 2018, ss 10(5) and 11(2), and Sch 1, Parts 1–3; and see paras 17.26–17.28 above.

[46] Ie under GDPR, Article 6(1)(e) (or DPA 2018, s 8), or GDPR, Article 6(1)(f).

27.70  Personal Data in Information Requests

27.70 The exemption will arise, therefore, where the third party (whose personal data are now in issue in the FOI request) has previously tried to exercise his or her right under GDPR, Article 21. (This should not be confused with an attempt by the third party now, while the FOI request is being assessed, to try to use GDPR, Article 21 to exclude his or her data from the reply. On that point, the ICO advises that the processing to respond to the Article 21 request itself would be on the basis of a legal obligation (ie on a lawful basis in relation to which the right to object does not apply). The ICO says that there is no obligation on a controller/authority to contact individuals to give them an opportunity to object, when an FOI/EIR request involving their personal data has been made. The ICO further advises, however, that when an Article 21 request is made as a result of an FOI/EIR request, the public authority may take into account the reasons given by the individual for the objection, in considering whether the main s 40/reg 13 exemption (ie the first condition) applies in that case. (See para 27.51).

27.71 Where the controller/authority had refused the GDPR, Article 21 request when it was made, because it could show compelling legitimate grounds to continue the processing, it may be that the exemption would have little relevance to the situation. The record will probably reveal that the GDPR, Article 21 request was made and refused. If that part of the correspondence falls within the terms of the request, disclosure now of the fact that the request was made previously, and refused, may not contravene the right unless the record of the refusal, or the reasons for it, disclosed a significance in relation to the data which was not otherwise apparent, or was harmful in some way to the data subject. There might also be some sense in which the wider use of the right by others might be discouraged, arising from publishing the correspondence or the nature of the compelling ground for continuing the processing; but this would appear less, rather than more likely. It may also be the case, where publication of the compelling ground would be damaging to the data subject, that such information might fall within another part of the FOIA 2000, s 40 exemption (eg on the ‘legitimate interests’ balance, or in relation to general fairness) such that the exemption relating to GDPR, Article 21 would not arise for that reason.

27.72 In contrast, if the authority/controller had not resisted the request, and had ceased processing (as may be more likely), the issue now would be whether disclosing this fact would contravene its previous acceptance. Much is likely to depend on the facts as to the nature of the information excised, and why there was not a compelling reason to process it. In order to continue to give effect to the cessation, it is likely that the authority will have retained some personal data about the third party (eg contact details, and a note that their data – in general, or of a given type – are not to be processed). The authority may also have other data about the third party, if the Article 21 request related to (or was accepted in relation to) only part of the data held about that person. If the effect of disclosing any of this information would be to reveal that an Article 21 objection had been made, the nature of the information deleted, or the reason for its previous processing, the exemption may apply to that information; on the basis that disclosing it would expand or revive processing which was supposed to have ceased.

27.73 If the exemption applies, the authority has to consider the public interest test; although situations in which there would be a greater weight for than against disclosure may be exceptional.

27.74 One further factual situation, where the exemption could arise, may be where the authority believes that it has ceased processing (other than any minimal information needed to prevent an inadvertent resumption); but discovers, when the FOI request is made, that it has mistakenly failed to delete all the personal data which should have been removed. In that circumstance, it is easy to see that disclosing now to the public information which the authority had told the third party had been removed from his or her record would ‘contravene’ the right to object; by showing it to have been ineffective; and, moreover, by publishing what was supposed no longer to be held. The discouragement to others from trusting that an Article 21 request, once accepted, had been properly implemented would also be relevant to the public interest test. In those circumstances, the test should be no more than a formality. In other situations, the ICO suggests that a relevant public interest factor may be whether circumstances and expectations have changed since the Article 21 objection was accepted; and that the controller/authority may wish to consult the objector on that point; although there is no obligation on it to do so. The ICO is also concerned to point out that, if the public interest test under this limb of the exemption favours disclosure, the authority should still satisfy itself that disclosure would not contravene the data protection principles (ie the first condition) before making the disclosure.

Third condition

27.75 The third condition arises where, if the third party were hypothetically to have made an access request, an exemption from the right of access would apply, so that the individual concerned would be unable to gain access to his or her personal data (FOIA, s 40(4A)(a); EIR, reg 13(3A)(a)). The rationale is that, if the individual would not be permitted to see the data, there should at least potentially be an exemption preventing the requester (or the world at large) from doing so. There is a separate exemption for processing for law enforcement purposes in s 40(4A)(b) and reg 13(3A)(b).

27.76 One example of a good reason for the exemption would be if it would prevent a vulnerable data subject from coming to know information about themselves indirectly (because disclosure had been made to the public) to which they would be denied access if they had sought it under an access request; where knowledge of the information would be harmful to them. There are a significant number of exemptions to the right of access in the GDPR, which in the UK are set out in DPA 2018, Schs 2–4, or s 26 (national security and defence). (See Table after para 7.76 in chapter on Access Requests. Those for law enforcement processing are set out in DPA 2018, s 45(4)). Some of those for general processing which may potentially be relevant to FOIA 2000, s 40 are listed here:

• where disclosure would be likely to prejudice the prevention or detection of crime, or the apprehension or prosecution of offenders (DPA 2018, Sch 2, para 2);

• where, in relation to health, education or social work, disclosure would be likely to cause ‘serious harm’ to the physical or mental health of, or (by reason of harm to their health) the social work provided to, the third party or another individual (DPA 2018, Sch 3, Pt 2, para 5; and Pt 3, para 11);

• where, in respect of a minor or a person without the capacity to manage their affairs, disclosure to the requester (a person with parental responsibility, or appointed by a court to manage their affairs) would not be in the best interests of the individual (‘child abuse’ data) (DPA 2018, Sch 3, Pt 5, para 21);

• where disclosure of records of the data controller’s intentions in relation to negotiations with the data subject would be likely to prejudice the negotiations (DPA 2018, Sch 2, Pt 4, para 23);

• where the data consist of information in respect of which a claim of legal professional privilege could be maintained in legal proceedings (DPA 2018, Sch 2, Pt 4, para 19);

• where the personal data consist of confidential references given (or to be given) in confidence for the purposes of education, volunteer placements, appointment to office, or the provision by the individual of a service (DPA 2018, Sch 2, Pt 4, para 24).

27.77 There may be a minority of instances where the public interest test would favour disclosure in such cases; but, in most situations, it would be likely that the public interest would favour withholding the information (even without the need to protect the third party) where its public disclosure would compromise the purpose of the DPA exemption. This is likely also to be the case in relation to personal data falling within the national security or defence exemption. The ICO stresses that, if the public interest favours disclosure under this limb of the exemption, the authority should also consider whether the first condition applies instead, before disclosing. She also points out that other FOI/EIR exemptions, such as legal professional privilege or national security, may be relevant to the same information.

Confirmation or denial (FOI)

27.78 In respect of the FOI duty to confirm or deny, there is no duty to do so in respect of the personal data of the requester (FOIA, s 40(5A)). There are three types of exemption from the duty (s 40(5B)), which apply on the same basis as the exemptions from the duty to disclose the information, ie:

— where confirming or denying would contravene the data protection principles (absolute exemption);

— where confirmation or denial would contravene the right to object (qualified exemption); or

— where the information would be exempt from the access right (qualified exemption).

EIR AND PERSONAL DATA

27.79 The EIR have no equivalent provision to FOIA 2000, s 40(1) (ie excepting the personal data of the requester from the FOIA). Regulation 13, concerning personal data under the EIR, applies only to such data ‘of which the applicant is not the data subject’[47]. It follows that a request for one’s own data cannot be made under the EIR, and is automatically made as an access request under the GDPR/DPA 2018 from the outset. The rules for third party data (where they are also the data of the requester) in DPA 2018, Sch 2, para 16, would likewise apply in the context of the EIR, by the same route.

27.80 In respect of ‘stand-alone’ third party data, EIR, regs 13(2A)–(3A) make the same exemptions as in FOIA 2000, s 40(2)–(4A) as amended. There are, therefore, the same three conditions under which exemptions can apply, on the same basis as in FOIA 2000, s 40; the first (breach of the data protection principles) being absolute. The absolute exemption (or ‘exception’, in the language of the Regulations) in reg 13 is the only such exemption in the EIR; those in the remainder of the Regulations being subject to the public interest test.

27.81 The Commissioner’s guidance on personal data arising in information requests applies equally as between the two regimes (as do the foregoing sections of this Chapter).

Confirmation or denial (EIR)

27.82 There is no duty to disclose the personal data of the requester (EIR, reg 5(3)). There are exemptions from the implicit duty to confirm or deny on the same bases as those applying to the duty to disclose the information (subject to a public interest test in relation to exemptions equating to the second or third conditions)[48].

27.83 As in relation to FOIA 2000, s 40 (see paras 5.83 and 27.34), the DPA 2018 amends the GDPR to enable the legitimate interests condition (GDPR, Article 6(1)(f)) to continue to be available to public authorities answering EIR requests (EIR, reg 13(6), inserted by DPA 2018, Sch 19, para 307(7)).

[47] EIR, reg 13(1).

[48] EIR, reg 13(5A) and (5B)(a)–(c). Regulation 13(5B)(d) refers to exceptions from confirmation or denial in relation to law enforcement processing.



FOI/EIR REQUESTS TO ‘COMPETENT AUTHORITIES’

27.84 For ‘competent authorities’ processing data for law enforcement purposes under DPA 2018, Pt 3 and Sch 7 (eg most government departments, and bodies with crime-fighting or criminal justice responsibilities) the same rules will apply, in relation to FOI and EIR requests involving personal data (to the extent that either regime applies to those bodies; as will generally be the case) as apply under conditions 1 and 3 above; but read against the data protection principles applying under DPA 2018, Pt 3 (s 34(1)), or the exemptions from the right of access under that Part (DPA 2018, s 45(4)). There is no right to object under Pt 3; and thus the second condition will not apply.

27.85 In relation to personal data that are the ‘joint’ data of the requester and another person, DPA 2018, Pt 3 simply gives the controller a right to exempt information in order to ‘protect the rights and freedoms of others’ in DPA 2018, s 45(4)(e), having regard to their fundamental rights and freedoms; without specifying the elaborate balance set out in Sch 2, para 16 of the same Act for personal data under the GDPR.


Appendices

APPENDIX 1

GDPR – (informal) list of provisions

Chapter headings are shown in capitals, and the titles of sections in bold. The titles of some Articles have been simplified, or explanatory wording has been added after the title in italics (in brackets). Amendments to the UK version after Brexit (as a result of the DPPEC Regulations 2019) are shown as follows:

* | The content of the Article is amended in the UK version after Brexit
Bold italic | Article added to the UK version (applies to Article 86A only)
[Square brackets] | Change of title in UK version
Round brackets (italic text) | Note explaining what is changed in the UK version after Brexit

Article number | Subject

CHAPTER I – GENERAL PROVISIONS
1 | Subject matter and objectives*
2 | Scope of GDPR*
3 | Territorial scope*
4(1)–(26) | Definitions*

CHAPTER II – PRINCIPLES
5 | Data protection principles
6 | Lawful processing*
7 | Consent – conditions
8 | Child’s consent to online services*
9 | Special category personal data*
10 | Criminal convictions and offences personal data (‘Article 10 data’)*
11 | Processing not requiring identification

CHAPTER III – RIGHTS OF THE DATA SUBJECT
Section 1 – Transparency and modalities
12 | Transparency, and modalities to exercise data subject rights*
Section 2 – Information and access to personal data
13 | Information in Privacy Notices (where collected from data subject)*
14 | Information in Privacy Notices (where not obtained from data subject)*
15 | Right of access*
Section 3 – Rectification and erasure
16 | Right to rectification
17 | Right to erasure (‘right to be forgotten’)*
18 | Right to restriction of processing*
19 | Obligation to notify other controllers regarding rectification, erasure or restriction
Section 4 – Right to object and automated individual decision-making
20 | Right to data portability
21 | Right to object*
22 | Automated decision-making, including profiling*
Section 5 – Restrictions
23 | Restrictions (ie exemptions which can be made in domestic law)*

CHAPTER IV – CONTROLLER AND PROCESSOR
Section 1 – General obligations
24 | Responsibilities of controller
25 | Data Protection by design and by default
26 | Joint controllers*
27 | Representatives of controllers or processors not established in European Union (or, in UK, after Brexit)*
28 | Guarantees by processors to controllers (in contracts or agreements)*
29 | Processing under authority of controller or processor*
30 | Records to be kept*
31 | Duty to co-operate with supervisory authority (expressed as the ICO, after Brexit)*

Section 2 – Security of personal data
32 | Security obligations*
33 | Notification of personal data breach to supervisory authority (expressed as the ICO, after Brexit)*
34 | Communication of personal data breach to data subject*
Section 3 – Data Protection Impact Assessment and prior consultation (with ICO)
35 | Data Protection Impact Assessment*
36 | Prior consultation (with supervisory authority) (expressed as the ICO, after Brexit)*
Section 4 – Data Protection Officer
37 | Designation of Data Protection Officer*
38 | Position of Data Protection Officer*
39 | Tasks of Data Protection Officer*
Section 5 – Codes of conduct and certification
40 | Codes of conduct*
41 | Monitoring of approved codes of conduct*
42 | Certification*
43 | Certification bodies*

CHAPTER V – TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS
44 | General principle of transfers
45 | Transfers on the basis of an adequacy decision*
46 | Transfers subject to appropriate safeguards (ie options for transfers on other bases than adequacy)*
47 | Binding corporate rules*
48 | Transfers or disclosures not authorised by EU law (ie court judgments or administrative decisions of third countries, requiring transfers, to be enforceable on basis of international agreements) (Removed after Brexit)
49 | Derogations for specific situations (ie one-off exemptions)*
50 | International co-operation for the protection of personal data*

CHAPTER VI – INDEPENDENT SUPERVISORY AUTHORITIES
Section 1 – Independent status
51 | Supervisory authority [after Brexit: Monitoring the application of this Regulation]*

52 | Independence (of supervisory authority) (or the ICO expressly, after Brexit)*
53 | General conditions for members of supervisory authority (Removed after Brexit)
54 | Rules on establishment of supervisory authority (Removed after Brexit)
Section 2 – Competence, tasks and powers [after Brexit: Tasks and Powers]
55 | Competence (Removed after Brexit)
56 | Competence of lead supervisory authority (Removed after Brexit)
57 | Tasks (of supervisory authority) (or the ICO expressly, after Brexit)
58 | Powers (of supervisory authority) (or the ICO expressly, after Brexit)
59 | Activity reports (by supervisory authorities) (or the ICO expressly, after Brexit)

CHAPTER VII – COOPERATION AND CONSISTENCY (CHAPTER VII IS REMOVED AFTER BREXIT)
Section 1 – Cooperation
60 | Cooperation between lead and other supervisory authorities (Removed after Brexit)
61 | Mutual assistance (between supervisory authorities) (Removed after Brexit)
62 | Joint operations between supervisory authorities (Removed after Brexit)
Section 2 – Consistency
63 | Consistency mechanism (Removed after Brexit)
64 | Opinion of Board (in certain circumstances) (Removed after Brexit)
65 | Dispute resolution by Board (Removed after Brexit)
66 | Urgency procedure (Removed after Brexit)
67 | Exchange of information (Removed after Brexit)
Section 3 – European Data Protection Board
68 | European Data Protection Board (Removed after Brexit)
69 | Independence (of Board) (Removed after Brexit)
70 | Tasks of the Board (Removed after Brexit)
71 | Reports (by Board) (Removed after Brexit)

72 | Procedure (of Board) (Removed after Brexit)
73 | Chair (of Board) (Removed after Brexit)
74 | Tasks of the Chair (Removed after Brexit)
75 | Secretariat (Removed after Brexit)
76 | Confidentiality (of Board discussions) (Removed after Brexit)

CHAPTER VIII – REMEDIES, LIABILITIES AND PENALTIES
77 | Right to lodge a complaint with supervisory authority [after Brexit: with the Commissioner]*
78 | Right to effective judicial remedy against supervisory authority [after Brexit: against the Commissioner]*
79 | Right to effective judicial remedy against a controller or processor*
80 | Representation of data subjects (ie to mandate non-profit body as the representative of the data subject to lodge complaint etc)*
81 | Suspension of proceedings (re similar court proceedings) (Removed after Brexit)
82 | Right to compensation and liability*
83 | General conditions for imposing administrative fines*
84 | Penalties*

CHAPTER IX – PROVISIONS RELATING TO SPECIFIC PROCESSING SITUATIONS
85 | Processing and freedom of expression and information (ie member states to reconcile data protection and freedom of expression in domestic law)*
86 | Processing and public access to official documents (ie member states may reconcile data protection with public access to official documents, eg by FOI/EIR)*
86A | Processing and national security and defence (inserted after Brexit)
87 | Processing of national identification number (ie to be determined by member states) (Removed after Brexit)
88 | Processing in the context of employment (ie member states may make specific rules for processing of employment data, by law or collective agreement) (Removed after Brexit)
89 | Safeguards and derogations for archiving in the public interest, scientific or historical research purposes, or statistical purposes (ie member states may make exemptions in these areas, subject to safeguards)*

90 | Obligations of secrecy (ie member states may make rules to reconcile professional or equivalent obligations of secrecy with data protection, in certain circumstances) (Removed after Brexit)
91 | Existing data protection rules of churches and religious organisations (Removed after Brexit)

CHAPTER X – DELEGATED ACTS AND IMPLEMENTING ACTS (CHAPTER X IS REMOVED AFTER BREXIT)
92 | Exercise of the delegation (ie conditions for exercise of delegated powers by EU Commission) (Removed after Brexit)
93 | Committee procedure (ie assisting EU Commission) (Removed after Brexit)

CHAPTER XI – FINAL PROVISIONS
94 | Repeal of Data Protection Directive (95/46/EC)*
95 | Relationship with Directive 2002/58/EC (ie Directive on privacy and electronic communications)*
96 | Relationship with previously concluded agreements (ie on cross-border transfers of personal data)*
97 | EU Commission reports (Removed after Brexit)
98 | Review of other EU legal acts on data protection (Removed after Brexit)
99 | Entry into force and application (Removed after Brexit)


APPENDIX 2

Correlation Table between GDPR Recitals and Articles

This Appendix sets out the Recitals and their summary topics, and relates them to the relevant Articles of the GDPR. Notes in the right-hand column show the broad subject matter of the Recital or Article, as shown. While after Brexit, the Recitals do not appear to form part of the ‘UK GDPR’, they are likely to continue to be seen as having persuasive value, and as a useful source of information about the purpose of the legislation.

The table below is set out in relation to the order of the Recitals, rather than of the Articles, and shows which Articles relate to which Recitals. The order of the headings, however (ie Chapters and sections), is set out according to the order as in the main part of the GDPR. Chapter headings (ie main groups of GDPR Articles) are shown in capitals. Titles of sections (smaller groups of Articles, although they are not present throughout the GDPR) are shown in bold. The numbers of the Recitals are shown in the left-hand column, and those of the Articles to which they relate in italics in the central column. The notes in the right-hand column indicate the subject of any Recital(s) shown in the left-hand column, unless a specific Recital number (‘R’) or Article number (‘Art’) is indicated. Articles, sections and Chapters which are removed after Brexit (and one which is added) are shown in square brackets. For Articles which are amended after Brexit by the DPPEC regulations, but not removed, see Appendix 1.

Recital(s) | Article(s) | Notes on the relevant Recital (‘R’) or Article (‘Art’)

CHAPTER I – GENERAL PROVISIONS
1–13 | 1 | Introductory: fundamental rights and freedoms (R4); role of technology (R6); reasons to replace 1995 Directive and harmonise laws (Rs 9–13); legal obligation and public task bases, and special category data, in domestic law (R10); record-keeping derogation where fewer than 250 employees (R13)
14–18 | 2, 4(6) | Scope of GDPR: scope of files (R15); non-application to activities outside EU law [national security, common foreign and security policy] (R16); exclusion of purely personal or household activity (R18)

19–21 | 2(d), 10 | Criminal offence and criminal penalties data: non law-enforcement processing by competent authorities under GDPR, and domestic law; restrictions for law enforcement or security reasons on rights and obligations under processing under GDPR by private bodies (R19); processing by courts in judicial capacity to be outside ICO supervision (R20)
22–25 (also 36) | 3 | Territorial jurisdiction (Rs 22–25)
26–27, 30 (also 57) | 4(1) | Definition of personal data; identifiability; anonymous information (R26); deceased persons (R27)
28–29 | 4(5) | Pseudonymisation (see also R26 above)
31 | 4(9) | Limits on public authorities as ‘recipients’
32–33 | 4(1), 7 | Consent: scientific research (R33)
34 | 4(13) | Genetic data
35 | 4(15) | Personal data concerning health
36 (also 22–25) | 4(16) | Main establishment
37 | 4(19) | Group of undertakings
38 | Relevant to 4(25), 6(1)(f), 8 | Children

CHAPTER II – PRINCIPLES
39 (also 50, 58) | 5(1)(a)–(f) (see also 11) | Data Protection Principles
40–41 | 6 | Lawfulness of processing; lawful bases
42–43 | 7 | Consent, including imbalance, or where not necessary to performance of contract
44 | 6(1)(b) | Contractual lawful basis
45 | 6(1)(c) and (e) | Legal obligation and “public task” lawful bases. (See also DPA 2018, s 8)
46 | 6(1)(d) | Vital interests basis
47–49 | 6(1)(f) | Legitimate interests basis: groups of undertakings (R48); network and information security (R49)
50 | 5(1)(b), 6 | Compatibility of processing, and lawful bases. Derogation (second sub-paragraph) where consent, or for important objectives of general public interest. Legitimate interest in relation to processing re criminal acts or public security.

51–56 | 9 | Special categories of personal data: general prohibition on processing, and adaptations by domestic law (Rs 51–52) [see DPA 2018, s 10 and Sch 1]; health and healthcare (Rs 52–53); genetic and biometric data (R53); public health (R54); religious organisations (R55); political opinions (R56).
57 (also 26–27, 30) | 4(1) | Additional information identifying data subject

CHAPTER III – RIGHTS OF THE DATA SUBJECT
Section 1 – Transparency and modalities
58 (also 39) | 5(1)(a), 12(1) | Transparency
59 | 12 | Mechanisms to exercise rights
Section 2 – Information and access to personal data
60–62 | 13–14 | Rights to information in Privacy Notices (Rs 60–61); derogations (R62)
63 | 15 | Right of access
64 | 12(6), 15 | Identity checks
Section 3 – Rectification and erasure
65 | 16–17 | Right to rectification and right to erasure (‘to be forgotten’)
66 | 17, 19 | Notification to controllers of exercise of right to erasure (and also of rectification or restriction – Article 19)
67 | 18, 4(3) | Right to restriction of processing
68 | 20 | Right to data portability
Section 4 – Right to object, and automated individual decision-making
69 | 21 | Right to object
70 | 21(2)–21(4) | Right to object to direct marketing
71 | 22 | Automated decision-making; (second sub-para of Recital) safeguards for data subjects
72 | 22 (also 4(4), 13(2)(f), 14(2)(g), 15(1)(h), 21(1)) | Inclusion of profiling in GDPR rules


Section 5 – Restrictions
73 | 23 | Exemptions (“restrictions”) in domestic law, applying to Arts 5, 22, 34 where corresponding to rights in Arts 12–22. (See DPA 2018, s 15 and Schs 2–4).

CHAPTER IV – CONTROLLER AND PROCESSOR
Section 1 – General obligations
74–76 (also 78) | 24 | Responsibilities of controller; risks to rights and freedoms of data subjects (R75); evaluation of risk (R76)
77 (see also 98–100) | 24(3), 28(5) | Codes of conduct, certification, guidelines; for controllers and processors
78 | 25 | Data protection by design and default
79 | 26 (also 24, 28) | Joint controllers; allocation of responsibilities of controllers and processors
80 | 27 | Representatives of controllers or processors not established in the EU
81 | 28–29 | Guarantees of compliance by processors; contracts or agreements
82 | 30 | Records by controllers and processors
Section 2 – Security of personal data
83 | 32 | Security (84 – see below)
85, 87–89 | 33 | Notification to ICO of data breach
86 (also 87) | 34 | Communication of data breach to data subject
Section 3 – Data Protection Impact Assessment (DPIA) and prior consultation with the ICO
84, 90–93 | 35 | Data protection impact assessments; criteria for DPIA (R91); joint DPIAs (R92); prior assessment by domestic government (R93)
94–96 | 36 | Consultation with ICO on DPIA (including prohibition of processing); role of processor (R95); domestic government to consult ICO in preparing legislation (R96)
Section 4 – Data Protection Officer
97 | 37–39 | Data Protection Officers



Section 5 – Codes of conduct and certification
R98–100 (and see also R77 and R166) | Arts 40, 43 | Codes of conduct and certification mechanisms
CHAPTER V – TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS
R101 | Art 44 | Conditions for transfer to third countries, including onward transfers
R102 | (Art 45) | GDPR is without prejudice to international agreements between EU and third countries about transfers; so far as they do not affect GDPR
R103–105 | Art 45 | Adequacy decision by EU Commission; human rights and other conditions of adequacy decisions (Rs 104–105)
R106 | Art 45(3) | Monitoring and review by EU Commission of adequacy decisions
R107 | Art 45(5)–(6) | Revocation of adequacy decision (see also Recital 169 below)
R108 | Arts 46–47, 49(1)(d), 49(4), 49(5) | Transfers subject to appropriate safeguards (binding corporate rules, standard clauses, authorised contractual clauses); transfers by public authorities
R109 | Art 46(1)(c) and (d) | Safeguards additional to standard data protection clauses by controllers or processors
R110 | Art 47(2)(f) and (m) | Binding corporate rules within international groups of undertakings
R111–113 | Art 49 | Derogations for specific situations
R114–115 | Art 46 | Appropriate safeguards by controller or processor in absence of adequacy decision; limitation of purported regulation in third countries (R115)
R116 | Art 50 | International co-operation for the protection of personal data
CHAPTER VI – INDEPENDENT SUPERVISORY AUTHORITIES (AMENDED AFTER BREXIT TO THE COMMISSIONER)
Section 1 – Independent status (amended after Brexit to Monitoring the Application of this Regulation)
R117–120 | Arts 51–52 | Establishment of supervisory authorities
R121 | Arts [53–54] | General conditions for members of supervisory authority; rules for establishment and members



Section 2 – Competence, tasks and powers (amended after Brexit to: Tasks and Powers)
R122 | Art [55] | Competence of supervisory authorities
R123 | Arts 57, 60–62 | Supervisory authorities to co-operate (see also R125 below)
R124 | Art [56] | Lead supervisory authorities
R125–126 (see also R133) | Arts [56(1)], [60–62] (see also R123 above) | Competence of lead authority to make binding decisions; co-ordination with other supervisory authorities involved
R127 (see also 130) | Art [56(2)–56(6)] | Handling of local case by non-lead supervisory authority, or lead authority
R128 | Art [55(2)] | Exception for processing by public authority or private body in public interest: only local supervisory authority is competent
R129 | Arts 57–58 | Tasks and powers of supervisory authorities
R130 | Art [56(4)] (see also Art 56(2)) | Lead supervisory authority to co-operate with supervisory authority with which the complaint was lodged (if different), and their powers and obligations (Article 56(2)–(4))
R131 | Art [56(2)] | Subject matter of complaint in one member state, outside main establishment, not likely substantially to affect data subjects elsewhere; settlement or enforcement by local supervisory authority
R132 | Art 57(1)(d) | Awareness-raising by supervisory authorities to micro, small and medium-sized enterprises
[CHAPTER VII – COOPERATION AND CONSISTENCY]
[Section 1 – Cooperation]
R133 (also 124–126) | Arts [60–61] | Mutual assistance between supervisory authorities
R134 | Art [62] | Joint operations by supervisory authorities
[Section 2 – Consistency]
R135 | Art [63] | Consistency mechanism
R136 | Arts [64–65] | Opinion of European Data Protection Board (simple majority) (Article 64); binding dispute resolution by Board (two-thirds majority) (Article 65)
R137–138 | Art [66] | Urgency procedure (including urgent opinion or urgent binding decision by simple majority – see Article 66(4))


[Section 3 – European Data Protection Board]
R139–140 | Arts [68–76] | European Data Protection Board; secretariat (R140)
CHAPTER VIII – REMEDIES, LIABILITIES AND PENALTIES
R141, 143, 145 | Arts 77–78 | Right to lodge complaint with supervisory authority; and to judicial remedy against decision, or failure to act, of supervisory authority; right to seek annulment of Board decision by European Court of Justice; right to remedy by national court against decision of supervisory authority (R143)
R142 | Art 80 | Right for individual to mandate not-for-profit body etc as representative to lodge complaint or seek remedies
R143 | – | (as 141 above)
R144 | Art [81] | Suspension of proceedings on same subject matter as other proceedings
R145 | – | (as 141 above)
R146–147 | Art 82 | Right to compensation and liability
R148, 150 | Art 83 | Penalties, including administrative fines
R149, 152 | Art 84 | Criminal penalties (R149); penalties set by domestic law (R152)
R150 | – | (as 148 above)
R151 | – | Equivalents to administrative penalties in Denmark and Estonia
R152 | – | (as 149 above)
CHAPTER IX – PROVISIONS RELATING TO SPECIFIC PROCESSING SITUATIONS
R153 | Art 85 | Derogations by member states reconciling protection of personal data with right to freedom of expression and information; including journalistic, academic, artistic and literary purposes
R154 | Art 86 | Processing and public access to official documents
– | Art [86A] | (Art 86A added after Brexit to UK GDPR; re national security and defence)
R155 | Art [88] | Domestic law (or collective agreements) on processing in employment context



R156–163 | Art 89 | Safeguards by member states for processing for purposes of archiving in the public interest, or scientific or historical research; or, for statistical purposes
R164 | Art [90] | Domestic law on professional secrecy
R165 | Art [91] | Existing data protection rules of churches and religious associations

[CHAPTER X – DELEGATED ACTS AND IMPLEMENTING ACTS]
R166–168 | Art [92] (also 12(8) and 43(8)) | Delegations to EU Commission, and procedures
R169 | Art 45(5) | Urgent action by EU Commission where adequate level of protection not provided by third country or international organisation (see also R107 above)
R170 | (Arts 1, 2) | Subsidiarity and proportionality
CHAPTER XI – FINAL PROVISIONS
R171 | Art 94 | Repeal of Directive 95/46/EC; transitional arrangements
R172 | – | European Data Protection Supervisor: consulted on GDPR
R173 | Art 95 | Separation of GDPR and Directive 2002/58/EC on publicly available electronic services


APPENDIX 3

Data Protection Resources

The following are suggested as key resources in relation to data protection. The Information Commissioner’s (‘ICO’s’) website (at https://ico.org.uk) should always be the first recourse. Only certain pieces of the ICO’s guidance are referred to directly below.

Guidelines issued by the European Data Protection Board (‘EDPB’; formerly the Article 29 Working Party) are available at: https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_en

GENERAL
General Data Protection Regulation: Regulation (EU) 2016/679 (‘GDPR’) (including Recitals).
Data Protection Act 2018 (‘DPA 2018’), Parts 1–2 and 5–7; and ‘Data Protection Act 2018: Explanatory Notes’ (c.12-EN). [See also below re ‘DPPEC’ Regulations].
ICO guidance on GDPR (summary guidance: ‘General Data Protection Regulation’; and more detailed guidance available through links in many of the sections) on ICO website.
‘An Introduction to the Data Protection Bill’ (ICO) [until replaced by guidance on the DPA 2018], on ICO website at: https://ico.org.uk/media/for-organisations/documents/2258303/ico-introduction-to-the-data-protection-bill.pdf
Former Data Protection Act 1998 (‘DPA 1998’) and former EU Data Protection Directive (Directive 95/46/EC) (for comparison).

PERSONAL DATA
‘What is Personal Data?’, ICO website. (For comparison under former DPA 1998, see ICO: ‘Determining what is personal data’; also Common Services Agency v Scottish Information Commissioner [2008] UKHL 47, paras 25–27; and, Department of Health v ICO [2011] EWHC 1430 (Admin), paras 46–56).

TRANSPARENCY AND PRIVACY NOTICES
‘Guidelines on Transparency under Regulation 2016/679’, Article 29 Working Party, WP 260 rev.01.


‘When should we provide privacy information to individuals?’ – detailed guidance on ICO’s website on the Right to be Informed (Privacy Notices).

LAWFUL BASES OF PROCESSING
ICO guidance on ‘Lawful Basis for Processing’ (under ‘Guide to the General Data Protection Regulation’).
‘Guidelines on Consent under Regulation 2016/679’, former Article 29 Working Party, WP 259 rev.01.
ICO website: ‘Legitimate Interests’ (detailed guidance), including: ‘When can we rely on legitimate interests?’ and, ‘How do we apply legitimate interests in practice?’.
DPA 2018, section 10 and Schedule 1, Parts 1, 2 and 4: processing of special category personal data.

RIGHT OF ACCESS
‘Subject Access Code of Practice’, ICO, version 1.2 (2017) [until replaced].

OTHER INDIVIDUAL RIGHTS
ICO guidance on ‘Individual Rights’ (under ‘Guide to the General Data Protection Regulation’).
(As background on ‘right to be forgotten’: Google Spain SL and Google Inc. v Agencia Espanola de Proteccion de Datos (AEPD) and Mario Costeja Gonzalez, Case C-131/12).

EXEMPTIONS
DPA 2018, s 15 and Schs 2–4.
ICO guidance on ‘Exemptions’ (under ‘Guide to the General Data Protection Regulation’).
R (on the application of Alan Lord) v Secretary of State for the Home Department [2003] EWHC 2073 (Admin), para 100.

DATA SHARING
ICO: ‘Data Sharing Code of Practice’ [until replaced].
Digital Economy Act 2017, s 35; and Digital Government (Disclosure of Information) Regulations 2018, SI 2018/912. Also separate regulations for Scotland (SI 2018/243) and Wales (SI 2018/551).


Legal guidance by Ministry of Justice, ‘Public Sector Data Sharing: Guidance on the Law’. Available on: https://webarchive.nationalarchives.gov.uk/20150603223548/https://www.justice.gov.uk/downloads/information-access-rights/data-sharing/annex-h-data-sharing.pdf

INTERNATIONAL TRANSFERS
Article 29 Working Party/EDPB: WP 256 rev.01 and WP 257 rev.01 (on Binding Corporate Rules).
EDPB: ‘Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679’.

ELECTRONIC COMMUNICATIONS AND MARKETING
Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426.
ICO’s set of guidance: ‘The Guide to Privacy and electronic communications’.

DATA PROTECTION IMPACT ASSESSMENTS (DPIAS)
ICO: ‘Data Protection impact assessments’ (DPIA summary guidance).
ICO’s detailed guidance on DPIAs, including: ‘What is a DPIA?’; ‘How do we carry out a DPIA?’; ‘When do we need to do a DPIA?’; and, ‘Examples of processing ‘likely to result in high risk’’.
Guidelines on ‘Data Protection Impact Assessment’, Article 29 Working Party/EDPB, WP 248 rev.01.

DATA PROTECTION OFFICERS
ICO: ‘Data protection officers’ (part of ‘Guide to the General Data Protection Regulation’).
Article 29 Working Party/EDPB, ‘Guidelines on Data Protection Officers (‘DPO’)’, WP 243 rev.01.

DATA BREACHES
ICO: ‘Personal data breaches’ (part of ‘Guide to the General Data Protection Regulation’).
Article 29 Working Party/EDPB: ‘Guidelines on Personal data breach notification under Regulation 2016/679’, WP 250 rev.01.


ENFORCEMENT
ICO: ‘Regulatory Action Policy’ (updated 2018).

LAW ENFORCEMENT DIRECTIVE, AND ARTICLE 10 PROCESSING
DPA 2018, Part 3.
Processing of Article 10 personal data: DPA 2018, s 10(5), and Sch 1, Pts 1–3.
EU Directive 2016/680, on protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.

AMENDMENTS TO DATA PROTECTION ACT 2018 AND THE GDPR
Department for Digital, Culture, Media and Sport: ‘Amendments to UK data protection law in the event the UK leaves the EU without a deal on 29 March 2019’, 13 December 2018. (Updating technical note entitled ‘Data protection if there’s no Brexit deal’, 13 September 2018).
The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, SI 2019/419 (the ‘DPPEC’ Regulations), and accompanying Explanatory Memorandum.
The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) (No 2) Regulations 2019 (concerning the EU/US Privacy Shield).
Data Protection Act 2018, ‘Keeling Schedule’ (showing changes made by the ‘DPPEC Regulations’) – available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/779334/Keeling_Schedule_for_Data_Protection_Act_2018.pdf
General Data Protection Regulation, ‘Keeling Schedule’ (showing changes made by the ‘DPPEC Regulations’, January 2019) – available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/779335/Keeling_Schedule_for_GDPR.pdf (NB Care may be needed, however, as the same link has also led to an earlier Keeling Schedule (dated January 2018) showing changes made (before Brexit) by the DPA 2018, Sch 6, in relation to the ‘applied GDPR’).


APPENDIX 4

Environmental Information Regulations (‘EIR’) Resources

The ICO’s website (at https://ico.org.uk) should always be consulted first on these issues, since it is now as comprehensive on the EIR as on the FOIA; including detailed guidance on each exemption (‘exception’). Only certain pieces of the ICO’s guidance are referred to directly below.

DEFRA, which was the lead department for the introduction of the EIRs, produced detailed and summary guidance at that time, after a consultation exercise, which has been archived at: https://webarchive.nationalarchives.gov.uk/20121204132220/http://archive.defra.gov.uk/corporate/policy/opengov/eir/guidance/whatis.htm

DEFRA also produced the Code of Practice on discharging EIR obligations, which remains current, and to which the ICO has added a commentary (see below).

GENERAL
Council Directive 2003/4/EC on public access to environmental information.
Environmental Information Regulations 2004, SI 2004/3391.
Convention on Access to Information, Public Participation in Decision-making and Access to Justice in Environmental Matters (‘Aarhus Convention’), 25 June 1998 (available at: https://www.unece.org/fileadmin/DAM/env/pp/documents/cep43e.pdf).
United Nations Economic Commission for Europe (UNECE): ‘The Aarhus Convention: an Implementation Guide’ (second edition, June 2014) (available at: https://www.unece.org/env/pp/implementation_guide.html).
DEFRA: ‘Code of Practice on the discharge of the obligations of public authorities under the Environmental Information Regulations 2004 (SI 2004 No. 3391)’, February 2005 (available at: https://ico.org.uk/media/for-organisations/documents/1644/environmental_information_regulations_code_of_practice.pdf) – accompanied by an ICO commentary (‘Regulation 16 Code of Practice – Discharge of obligations of public authorities under the EIR’, version 1.0; available at https://ico.org.uk/media/for-organisations/documents/2013835/eir-regulation-16-code-of-practice.pdf).
ICO: ‘What is Environmental Information? (regulation 2(1), EIR)’.


DEFINITION OF ENVIRONMENTAL INFORMATION/BOUNDARY WITH FOIA
Department for Energy and Climate Change v Information Commissioner and Henney [2015] UKUT 0671 (AAC); Department for Business, Energy and Industrial Strategy v Information Commissioner and Alex Henney [2017] EWCA Civ 844, paras 37–44 and 53–54 (scope of EIR definition; and information ‘on’ a measure).
Glawischnig v Bundesministerium fur Sicherheit und Generationen, Case C-316/01 (2003) (for comparison, on ‘remoteness’).
Department for Business, Enterprise and Regulatory Reform (DBERR) v ICO EA/2007/0072, paragraph 29 (re dominant purpose).

WHO IS COVERED BY EIR
Fish Legal [2012] UKUT 177 (AAC); Case C-279/12.

CHARGING FOR ENVIRONMENTAL INFORMATION
ICO: ‘Charging for environmental information (regulation 8)’ (due to be revised in later 2019).
East Sussex County Council v ICO Case C-71/14, 6 October 2015.
Markinson v ICO EA/2005/0014.

EIR ‘EXCEPTIONS’: GENERAL
R (Lord) v Secretary of State for the Home Department [2003] EWHC 2073 (Admin), para 100 (on meaning of ‘likely’ prejudice/harm).
Christopher Martin Hogan and Oxford City Council v ICO EA/2005/0026 and 0030 (on causality of harm).
Office of Communications (Ofcom) v Information Commissioner, [2011] EU ECJ, Case C-71/10 (on aggregating public interest factors in favour of maintaining an exception).

INDIVIDUAL EIR EXCEPTIONS
ICO: ‘Manifestly unreasonable requests – Regulation 12(4)(b)’, version 1.
Craven v Information Commissioner and the Department of Energy and Climate Change [2012] UKUT 442 (AAC), para 22 (on application of reg 12(4)(b) to vexatious requests); upheld in the Court of Appeal, in (1) Dransfield v ICO and Devon County Council (2) Craven v ICO [2015] EWCA Civ 454, paras 78–79.


— on vexatious requests generally, see also: Information Commissioner v Devon County Council and Dransfield [2012] UKUT 440 (AAC), paras 24–39; and Dransfield/Craven in the Court of Appeal (as above), at paras 61–73.
ICO: ‘Material in the course of completion, unfinished documents and incomplete data (regulation 12(4)(d))’.
Secretary of State for Transport v ICO EA/2008/0052 (on distraction from public debate).
Mersey Tunnel Users Association v ICO EA/2009/0001, para 27 (on public interest in disclosing drafts of documents); and, Wirral Metropolitan Borough Council v ICO EA/2012/0117, paras 22–27 (on safe space and chilling effect in local government, and draft versions of published documents).
Basildon District Council, FER0321779 (on reliance on draft information).
ICO: ‘Internal Communications (regulation 12(4)(e))’.
ICO: ‘International Relations, defence, national security or public safety (regulation 12(5)(a))’.
Campaign Against the Arms Trade (CAAT) v ICO EA/2007/0040. Also Matthew Sinclair v ICO and Department of Energy and Climate Change EA/2011/0052; and Export Credit Guarantee Department v ICO and Mr N Hildyard EA/2008/0071 (on harm to international relations).
Department for Communities and Local Government (DCLG) v ICO and WR [2012] UKUT 103 (AAC), paras 42–43 and 67 (on public interest and legal professional privilege).
Kirkcaldie v ICO and Thanet District Council EA/2006/001, paras 13–15 (on legal professional privilege under reg 12(5)(b)).
ICO: ‘Intellectual Property Rights (regulation 12(5)(c))’.
ICO: ‘Confidentiality of proceedings (regulation 12(5)(d))’.
Benjamin Archer v ICO and Salisbury District Council EA/2006/0037, paras 67–70 (on scope of exception in reg 12(5)(d)).
Chichester District Council v ICO and Friel EA/2011/0180, [2012] UKUT 491 (AAC), para 18 (on application of reg 12(5)(d) to ‘exempt information’ regime in local authorities).
ICO: ‘Confidentiality of commercial or industrial information (regulation 12(5)(e))’, version 1.2.
Bristol CC v ICO and Portland and Brunswick Squares Association EA/2010/0012 (on test for application of reg 12(5)(e)).
South Gloucestershire Council v ICO EA/2009/0032 (on scope of confidentiality between parties).
Brighton and Hove City Council FER0073984 (example of application of reg 12(5)(e) to waste contract).


London Borough of Southwark v ICO and Glasspool EA/2013/0162 (application of reg 12(5)(e) to housing viability assessment).
ICO: ‘Interests of the person who provided the information to the public authority (regulation 12(5)(f))’.
Redcar and Cleveland Borough Council FER0066999 (example of application of reg 12(5)(f) to pre-application planning information).


APPENDIX 5

Freedom of Information Act (‘FOIA’) Resources

The ICO’s website (at https://ico.org.uk) is the primary source, including a wide range of guidance on the FOIA process and detailed guidance on each exemption. Only certain pieces of the ICO’s guidance are referred to directly below.

GENERAL
Cabinet Office: ‘Freedom of Information: Code of Practice’ (revised s 45 Code; issued July 2018). Available at https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/744071/CoP_FOI_Code_of_Practice_-_Minor_Amendments_20180926_.pdf — accompanied by ICO: ‘Section 45 Code of Practice – request handling’ (August 2018).
Lord Chancellor’s ‘Code of Practice on the management of records issued under section 46 of the Freedom of Information Act 2000’; available at: https://ico.org.uk/media/for-organisations/research-and-reports/1432475/foi-section-46-code-of-practice-1.pdf — accompanied by ICO: ‘Section 46 Code of Practice – records management’, version 1.1.
ICO: ‘Determining whether information is held’, version 3.0 (relevant also to EIR).
Guidance on ICO’s website on Publication Schemes (including charging).
ICO: ‘Time Limits for compliance under the Freedom of Information Act (section 10)’.
ICO: ‘When to refuse to confirm or deny information is held’.
Freedom of Information and Data Protection (Appropriate Limits and Fees) Regulations 2004, SI 2004/3244.
ICO: ‘Requests where the cost of compliance exceeds the appropriate limit’ (and other guidance on charging of fees where the cost is above or below the limit).
Freedom of Information (Release of Datasets for Re-Use) (Fees) Regulations 2013, SI 2013/1977.
ICO: ‘The public interest test’.
ICO: ‘Refusing a request: writing a refusal notice’.


VEXATIOUS AND REPEAT REQUESTS
Information Commissioner v Devon County Council and Dransfield [2012] UKUT 440 (AAC), paras 24–39; upheld in the Court of Appeal, in (1) Dransfield v ICO and Devon County Council (2) Craven v ICO [2015] EWCA Civ 454, paras 78–79.
ICO: ‘Dealing with Vexatious requests’.
ICO: ‘Dealing with repeat requests’.

FOI EXEMPTIONS
Christopher Martin Hogan and Oxford City Council v ICO EA/2005/0026 and 0030 (on causality of harm).
R (on the application of Alan Lord) v Secretary of State for the Home Department [2003] EWHC 2073, paras 99–100 (on ‘likely’ harm).
Derry City Council v ICO EA/2006/0014 (prejudice to economic interests under s 29(1)(a); harm to commercial interests under s 43, including need for evidence from third party affected).
ICO: ‘Law Enforcement (section 31)’.
ICO: ‘Government policy (section 35)’.
Department for Education and Skills (DFES) v ICO and Evening Standard EA/2006/0006, para 75 (principles for application of s 35(1)(a); see also paras 27–36). Also paras 72 and 75(vii) on chilling effect.
Scotland Office v ICO EA/2007/0128, paras 70–71 (on chilling effect).
ICO: ‘Prejudice to the effective conduct of public affairs (section 36)’.
ICO: ‘Legal Professional Privilege (section 42)’. (See also DCLG case cited in Appendix 4 on the general public interest in maintaining the confidentiality of legal advice; also Department for Business, Enterprise and Regulatory Reform v Dermod O’Brien and ICO [2009] EWHC 164 (QB)).
University of Central Lancashire v ICO and Colquhoun EA/2009/0034 (on scope of commercial assets).
ICO: ‘Commercial interests (section 43)’.
ICO: ‘Prohibitions on disclosure (section 44)’.


APPENDIX 6

Re-use of Public Sector Information

Public sector bodies covered by the Re-use of Public Sector Information Regulations 2015, SI 2015/1415, reg 3, are obliged to make much of the information they produce available for re-use (reg 4(1)). The category of public sector bodies is narrower than all FOIA authorities.

‘Re-use’ means the use of public sector information (or a ‘document’, in the language of the regulations) for a purpose other than the initial public task for which it was produced; perhaps by republishing it with other information, or by using it as part of producing a new product. This includes, but is not confined to, commercial uses. It does not include transfers within a public sector body, or between such bodies.

Public sector information (or documents) is information (or any part of a document) produced by a public body as part of its ‘public task’. The ICO interprets this to mean its core role and functions, as they are defined in legislation, or by custom and practice. The Regulations do not apply to information not falling within the core role and functions of a public body. There is also no obligation where the information concerned would be exempt from disclosure under other information access legislation (eg the FOIA or EIR, or from a data protection access request [although at the date of writing the regulations had not been updated to refer to the GDPR or DPA 2018]). The ICO advises that this is the case save in respect of information which would be exempt under FOIA, s 21; since if it is already accessible to the requester it is likely also to be available for re-use. Where a person other than the authority holds the intellectual property rights to the information, the Regulations similarly do not apply to that information (reg 5(1)(b)).

SCOPE OF THE REGULATIONS
Bodies subject to the regulations are listed in reg 3, including central and local government and other specified public bodies. The regulations apply to libraries, museums and archives. (The latter form a separate group which have discretion over releasing information for re-use; see below). The regulations do not apply, however, to educational or research establishments, public service broadcasters, or cultural or performing arts bodies.

ASSET REGISTERS
A body subject to the regulations has to identify the information available for re-use (reg 5(2)(a)); and, on the ICO’s interpretation, publish a list of the main information it holds relating to its public task, whether or not the information concerned is already published. Much of the information is likely to overlap with the authority’s publication scheme, and the ICO advises that it may be possible to combine them.

FORMALITIES FOR REQUESTS
Requests for re-use should be made in writing, including a name and address for correspondence, and specifying the information sought for re-use, and the intended new purpose (reg 6). No application has to be made if the information is made available under the Open Government Licence (‘OGL’), which sets terms with which the user must abide. An individual application has to be responded to within 20 working days (reg 8). The deadline may be extended if the information is extensive, or if the request raises complex issues; in which case, the requester has to be informed within the 20 working day period, and given an estimate of the date of availability.

DUTY TO PERMIT RE-USE
Re-use must be permitted (assuming the information would not be exempt from disclosure under another access regime), unless the body is a library, museum or archive; in which case it may decide whether to allow re-use (reg 7(1) and (2)). Where the information has not previously been disclosed, however, the ICO advises that the request should be treated as an information/access request made under the relevant legislation. This is in order that the potential for exemption is tested. Once that has been considered, the request for re-use should be processed.

FORMAT FOR RESPONSE
The information should be made available in the format and language in which it is held (reg 11(1)(a)). If it is not already held in an ‘open format and machine readable format’, with metadata, but it is ‘possible and appropriate’ to do so, the authority should supply it in that way (reg 11(1)(b)). (‘Machine readable’ means, the ICO advises, that the information is structured so that software can extract specific parts of the data. Definitions of the meanings of requirements in reg 11(1) and (2) as to ‘open format’, and ‘formal open standards’ are in reg 2).

CHARGES
Charges may be made for re-use, with exemptions. Where a charge may be made, it can in most cases cover only the marginal [ie extra] cost of the reproduction, provision and dissemination of the information (which is unlikely to be the full disbursement cost). The marginal cost will often be too low to reclaim. Information made available via a website is likely to be free in most cases. Information made available under the Open Government Licence may not be charged for. Certain public sector bodies may charge more than the marginal cost, where (reg 5(2)):
— A substantial part of the cost relates to the performance of their public task;
— The public body is required to raise revenue from the document to cover a substantial part of its costs, relating to collection, production, reproduction or dissemination; or
— The body is a library (including a university library), museum or archive.
Limits on total charges are defined in reg 15(5)–(9). Regulation 16 obliges public bodies to determine, so far as possible, standard charges, conditions, and bases of calculations; and to make these publicly available. Otherwise it must indicate its criteria or give other charging information to an applicant on request.

CONDITIONS AND LICENCES
Conditions may be placed on release, through licences, but these should be as limited as possible; and not unnecessarily restrict the way the data can be re-used, or competition (reg 12). There must be no discrimination between applicants for comparable purposes, in relation to conditions imposed (reg 13). The Open Government Licence allows the re-use of information without payment, for any purposes, and with very limited conditions. Other forms of licence are available on the UK Government Licensing Framework (to be found at: http://www.nationalarchives.gov.uk/information-management/re-using-public-sector-information/uk-government-licensing-framework/). Exclusive licensing arrangements are generally not permitted (reg 14). Exceptions include, for example, where it is necessary for the provision of a service in the public interest (reg 14(2)). The validity of exclusive arrangements should be reviewed at least every three years (reg 14(3)), and such arrangements must be published (reg 14(4)). Such an arrangement should not normally exceed 10 years, after which (if it does) it is to be reviewed in the 11th year; and a review repeated, if still applicable, every seven years thereafter. Separate rules apply to ‘digitised cultural resources’.

COMPLAINTS AND ENFORCEMENT
A public body must establish a procedure to enable complaints to be made. Any complaints must be made in writing, and the authority must respond within a reasonable time, with reasons (reg 17). Under regs 17–18, a dissatisfied applicant may then complain to the ICO. The ICO may issue a binding decision notice, as under the FOIA, on matters not including a complaint that a charge exceeds the marginal cost. In the latter case, the ICO may only issue a non-binding recommendation. A decision notice may be appealed to the First-tier Tribunal (‘FTT’). An information notice or an enforcement notice, as under the FOIA, may also be appealed where a decision notice can be issued.


Where the ICO may only issue a non-binding recommendation about a charge (reg 19(4)), the public body must, however, respond within 20 working days to inform the ICO what action (if any) it intends to take; and on what timescale. If the complainant is dissatisfied, he or she may appeal to the FTT; in which case the respondent would be the public body, rather than the ICO. The public body may also appeal a non-binding recommendation. No recommendation need be issued by the ICO in response to a complaint, if the complainant has not exhausted the authority’s complaints procedure, or has caused an undue delay before lodging the complaint.

DATASETS
The provisions in the FOIA as to datasets, introduced by the Protection of Freedoms Act 2012 (see para 24.18), concern making datasets available for re-use where they have been requested under the FOIA; covering format, charges and licences for their re-use. The obligation of an FOI authority is to make a dataset, disclosed under that Act, available in a re-usable electronic form. Unless satisfied that it is not appropriate to do so, the authority must also make the information available in its publication scheme. If the dataset fell under the Re-use Regulations, however (for example because it was produced as part of the public task of the authority, as may often be the case), any charges for re-use are calculable, and any licence arrangements should be made, under the Re-use Regulations rather than the FOIA. The ICO summarises the effect for an FOI authority as being that the FOIA applies to the format in which the dataset has to be made available, but the Re-use Regulations apply to the charges and licences. On the other hand, if the dataset does not fall under the Re-use Regulations, the provisions in the FOIA (instead of those in the Re-use Regulations) as to licences and charges will apply to it. Outline and detailed guidance on the Re-use Regulations is available on the ICO’s website.

588

Index

A

Aarhus Convention see also UNECE Convention
  Implementation Guide 19.19
academic purpose
  data processing for 9.4, 9.93–9.100
access
  freedom of information right of 24.20, 24.49, 24.103
access, individual right of
  acknowledgment of request 7.26
  additional copies, fees for 7.64
  additional information about processing 7.5, 7.12
  automated decision-making, subject to be informed of rights 7.63
  categories of data, subject to be informed 7.63
  child, access request on behalf of 7.29–7.32, 7.38
  Cloud computing services 1.5
  complaints, subject to be informed 7.63
  controller’s duty and responsibility 7.6, 7.50, 7.51
  controller’s right to refuse 7.4
  cost limit exception 7.46–7.49
  credit reference agencies 7.15
  data portability 7.70
  Data Protection Act provisions 7.2, 7.7
  Data Protection Officer’s role 14.23
  dialogue with requester 7.16–7.20
  erasure, subject to be informed of right 7.63
  excessive requests 7.33–7.37, 17.13
  exemptions from 7.4, 7.45, 7.71–7.76, 9.1, 9.11ff, 10.47, 10.48
  extended deadline 7.42–7.45
  failure to give proper effect to 7.76
  fees 7.33, 7.37, 7.64
  format of request 7.14
  further information required to clarify request 7.16–7.20, 7.22
  GDPR provisions 7.2, 7.4–7.6, 7.11, 7.39
  generally 7.1, 7.5–7.11
  ICO Code of Practice 7.16
  identity checks 7.21–7.25, 7.38, 7.45
  intention to prevent 16.57
  joint controllers 7.51
  law enforcement processing 17.10, 17.11, 17.13

access, individual right of – contd
  location of information 7.26–7.28
  manual unstructured data 7.46–7.49
  mixed personal data 7.9, 7.10
  multiple access 1.5
  national security, protection of 17.11
  object, subject to be informed of right 7.63
  oral requests 7.13
  penalty regime 7.76
  plan for search 7.26–7.28
  processor’s responsibility 7.50
  prohibited or restricted by enactment 9.150–9.159
  public security, protection of 17.11
  purposes of the processing, information to be given 7.63
  recipients, information to be given 3.38, 7.63
  record-keeping 7.28
  rectification, subject to be informed of right 7.63, 8.1, 8.2
  redacted documents 7.69
  refusal of request 7.33–7.37, 7.73–7.75
  request form 7.38
  response, format 7.65–7.68
  response, information accompanying 7.63
  rights and freedoms of others 7.9, 7.53
  search terms used 7.28
  sharing personal data and 10.47, 10.48
  source of data, information as to 7.63
  storage period, subject to be informed 7.63
  third-country transfers, declaration of 7.63
  third party, access request by 27.75–27.77
  third party, response sent directly to 7.70
  third party data 7.9, 7.10, 7.52–7.59, 7.76, 27.17
  third party requesting, on data subject’s behalf 7.29–7.32, 7.38
  timescale for response 7.39–7.45
  transparency and language considerations 7.60–7.62
  unfounded requests 7.33–7.37, 7.45, 17.13
accountability
  confidential proceedings 23.92
  data breaches 15.7
  Data Protection Impact Assessments 13.1
  lawful bases of processing 5.40

accountability – contd
  principle of 1.6, 4.1, 4.2, 4.16–4.22
  record-keeping 5.40
accuracy
  data subject contesting 8.27, 8.31
  definition of inaccuracy 4.13
  failure to comply with principle 16.19
  law enforcement processing data 17.5
  manual unstructured data 3.37
  principle of 4.2, 4.13
  systems for testing 4.13
adequacy
  of data collection 4.2
  of data protection, international data transfers 11.4, 11.6–11.9
  GDPR regulations 2.33
  of law enforcement processing data 17.5
administration of justice
  data processing necessary for 5.27, 5.121, 8.54
  freedom of information exemption 26.29, 26.32, 26.37–26.40
adoptions records and reports
  disclosure restrictions 7.76, 9.6, 9.150, 9.151, 9.154, 9.155
advertising, online
  Data Protection Impact Assessments 13.12
agriculture
  environmental information 19.54
Andorra
  international transfers 11.7
appeals
  assessment notice, against 16.10, 16.11, 16.47, 16.48
  DPIA decisions 13.48
  enforcement notice, against 16.18, 16.47, 16.48
  environmental information regulations 20.1, 21.44–21.47
  freedom of information requests 24.99–24.102
  generally 13.48, 16.47, 16.48
  information notice, against 16.3, 16.47, 16.48
  penalty notice, against 16.32, 16.34, 16.47, 16.48
  penalty variation notice, against 16.47, 16.48
  urgency procedure, against 16.51
appropriate policy document
  additional safeguards 5.90
  contents 5.90
  definition 5.89
  special category data 5.89–5.91
  substantial public interest processing 5.105, 5.106, 5.116

archiving
  data processing safeguards 2.21
archiving in public interest
  exemptions from rights 9.4, 9.101, 9.107, 9.108, 9.109–9.113
  post-Brexit 5.114, 9.111
  Privacy Notice 9.113
  processing necessary for 5.113, 5.114, 10.27
  public task basis 5.41
Argentina
  international transfers 11.7
armed forces see also defence; national security
  freedom of information 24.24
  military offences, investigations and proceedings 26.6
  prejudice to military effectiveness 25.106–25.112
Article 29 Working Party 13.26, 14.5, 14.23
artistic purpose
  data processing for 9.4, 9.93–9.100
assessment notice
  actions which may be required 16.10
  appeals 16.10, 16.11, 16.47, 16.48
  failure to comply with 16.25, 16.40
  offences in relation to 16.14, 16.15
  Parliamentary privilege and 16.13
  purpose 16.10
  restrictions on use 16.13
  urgency procedure 16.11, 16.51
audit functions
  exemptions from rights 9.4, 9.35–9.37
  freedom of information exemption 20.4, 25.1, 26.66–26.76
  historical records 26.76
automated calls
  direct marketing by 12.4, 12.16
automated decision-making
  children and 8.77
  Data Protection Impact Assessments 8.81, 13.12
  decisions authorised by law 8.74, 8.76
  exemptions from rights 8.84, 9.28, 9.93, 9.115
  explicit consent of data subject 8.74, 8.75, 8.79
  information to be given 7.63
  law enforcement processing 17.12
  meaning 7.63, 8.73
  necessary decisions 8.74, 8.75
  Privacy Notices 8.82
  profiling 8.72, 8.73, 10.39
  refusal of requests to 8.76
  review by human decision-maker 2.2
  right not to be subject to 8.72–8.84, 17.12
  safeguarding interests of data subject 8.75

automated decision-making – contd
  sharing personal data 10.39
  significant effects 8.73
  special category data 8.79
  transparency obligations 8.76, 8.82
  unreasonable requests 8.76
automated or structured processing
  data portability, right of 8.40
  Data Protection Impact Assessment (DPIA) 13.11
  GDPR 3.15, 3.35–3.37
  generally 3.35–3.37, 7.63
  intelligence services 2.15
  Privacy Notices 6.7
  restriction 8.26
  systemic 13.11

B

balancing test
  legitimate interest basis 5.47, 5.49, 5.51–5.59, 5.68–5.73, 27.42, 27.43
Bank of England
  data protection exemptions 9.4, 9.38, 9.39
  freedom of information 24.24
behaviour tracking 3.32, 3.33, 13.11
biometric data
  Brexit 2.33
  Data Protection Impact Assessments 13.14
  definition 3.54
  law enforcement processing 17.6
  sharing 2.33, 10.39
  special category data 3.11, 3.12
Board of the Pension Protection Fund functions
  exemptions from rights 9.43–9.48
Board of the Pension Protection Fund Ombudsman functions
  exemptions from rights 9.43–9.48
Brexit
  archiving in public interest 5.114, 9.111
  cross-border data flows 2.21, 3.56, 3.69, 4.1, 11.9, 11.15, 11.36, 11.37
  data breaches 15.12, 15.14, 17.19
  Data Protection Act 2018 2.5–2.7, 2.20, 2.33, 9.3–9.8, 9.97, 9.99, 9.103
  Data Protection Officers 14.11, 14.24
  data protection principles 4.7
  DPPEC 1.6, 2.3–2.7, 2.33, 23.153
  enforcement after 16.1, 16.49
  environmental information 18.3, 18.9, 18.14, 21.24, 23.95, 23.153
  exemptions under DPA 2018 9.3–9.8, 9.97, 9.99, 9.103
  FOIA 27.14

Brexit – contd
  GDPR and 2.3–2.7, 2.10, 2.19, 2.26, 2.31, 2.33, 3.15, 3.67–3.69
  genetic, biometric or health data 2.33
  international data transfers 2.33, 3.56, 3.69, 4.1, 11.9, 11.15, 11.36, 11.37, 17.21–17.25
  lead supervisory authority 3.56
  manual unstructured data 2.26, 2.33, 3.37, 9.3
  national security and defence 4.7, 4.9, 9.162
  ‘one-stop-shop’ 3.56
  penalty regime 16.25, 16.40–16.42
  Privacy Notices 6.6
  processors 3.29
  public interest, reference to 5.46
  recipients 3.38
broadcasters
  freedom of information 24.24
browsing activity
  profiling 3.32, 3.33
built environment
  environmental information 19.1, 19.4, 19.5, 19.33–19.35, 19.46, 19.47

C

Caldicott principles 3.49
Canada
  international transfers 11.7
charity
  fund-raising, direct marketing 12.1
  investigations 23.48
  protection against misconduct 9.32, 26.30, 26.47, 26.48
  protection of property of 9.32, 26.30, 26.47, 26.48
  recovery of property of 26.30, 26.47, 26.48
Charity Commission functions
  exemptions from rights 9.43–9.48
child
  access request on behalf of 7.29–7.32, 7.60
  automated decision-making 8.77, 10.39
  connected toys 13.14
  consent by 3.50–3.52
  data collected from 8.18, 8.21
  Data Protection Impact Assessments 13.7, 13.14
  legitimate interest basis 5.45, 5.70, 5.79
  online services offered directly to 10.39, 13.14
  Principal Reporter, children’s hearing in Scotland 9.160, 9.161
  processing necessary to safeguard 5.144–5.146, 10.27

child – contd
  processing personal data of 13.7
  sharing personal data of 10.39
child abuse data
  right of access exemption 9.145–9.149, 27.77
children’s hearings
  right of access exemption 7.76, 9.60, 9.61
children’s services
  regulatory functions relating to 9.4, 9.40–9.42
chilling effect
  exception, environmental information 22.48, 22.73–22.76
  freedom of information and 26.103, 26.113–26.117, 26.128, 26.161
client data
  legitimate interest basis 5.48, 5.62
Cloud computing services
  access to 1.5
  data storage 1.5
  service provider 3.19
collective responsibility
  environmental information 22.79, 22.80
commercial information
  commercial interest, meaning 26.220
  commercial prejudice 25.1, 25.159, 26.212ff
  confidentiality 23.98–23.128
  lawful basis for processing 5.10
  meaning 23.100
  provided in confidence 26.190
  third party interests 26.221–26.225
  trade secrets 26.212–26.214
commercial relations
  automated decision-making 8.72
compensation
  data protection contraventions 16.50
  financial loss, for 16.50
  non-material damage, for 16.50
competent authorities
  FOI information requests to 27.84–27.85
  law enforcement processing 2.13, 2.19, 2.22, 17.3, 17.18
competition
  fair competition provisions 9.32
complaint
  Data Protection Officer, to 14.23
  freedom of information requests 25.70, 25.71, 25.98
  other EU state, made in 7.63
  right to lodge 7.63
compliance
  court order requiring 16.49
  court remedies 16.49–16.58
confidence, breach of 16.50

confidential information
  actionable 26.190, 26.191
  commercial 23.98–23.128, 26.190
  commercial interests, harm to 26.215–26.219
  confidential references 9.4, 9.84–9.86, 27.77
  criminal investigations 26.10–26.16, 26.194
  Crown honours, dignities or appointments 26.173–26.176
  data breaches 15.3
  environmental information 23.98–23.128, 26.187, 26.188
  freedom of information exemption 25.1, 26.10–26.16, 26.170–26.237
  health and safety issues 26.177–26.186
  industrial 23.98–23.128
  information provided in confidence 26.190–26.194
  law enforcement 26.194
  legal professional privilege 26.194, 26.195–26.211
  national security 26.194
  personal data in information requests 27.1–27.85
  protective markings on documents 26.193
  restricted or prohibited by enactment 26.232–26.237
  Royal family, communications with 26.170–26.176
  Royal Household, communications with 26.170–26.176
  sharing 10.20, 10.21
  trade secrets 26.212–26.214
confidential proceedings
  accountability principle 23.92
  common law confidentiality 23.83, 23.86
  disclosure would adversely affect 23.78–23.96
  environmental information 21.25, 22.88, 23.78–23.99
  legal 23.79
  meaning of proceedings 23.79–23.82
  public interest test 23.90–23.96
  ‘quality of confidence’ 23.86
  statutory right to confidentiality 23.83–23.85
  transparency principle 23.92
consent as lawful basis
  automated decision-making 8.74, 8.75, 8.79
  box-ticking 3.40
  Caldicott principles 3.49
  child, of 3.50–3.52
  clear imbalance between controller and data subject 3.43

consent as lawful basis – contd
  commercial contexts 5.10
  data portability and 5.8, 8.39
  EDPB guidelines 3.47
  electronic means, sought by 3.41
  explicit 5.8, 5.93, 8.18, 8.74, 11.26
  extent 5.5
  formulation of declaration 5.5
  freely given 3.39, 3.42–3.44
  generally 5.3–5.8, 5.93, 17.28, 27.31, 27.32
  health service 3.49
  ICO guidance on 5.5
  incapacity of data subject 5.96, 5.97
  informed 5.5
  international data transfers 11.26
  meaning 3.39, 3.40, 5.5
  oral 3.40, 3.42
  record-keeping 3.42
  right to object and 5.8
  right to withdraw 3.42
  special category data 5.8, 5.93, 27.64
  third party 7.55
  valid 5.5
  what constitutes consent 3.40–3.48
  withdrawal 3.42, 5.5, 8.18
  written 3.40, 3.42, 5.5
consumer protection enforcer functions
  exemptions from rights 9.43–9.48
contract
  confidentiality obligations 24.20
  data portability 5.12
  information provided in confidence 26.190
  as lawful basis of processing 5.9–5.12
  standard contractual clauses 2.33, 3.27, 11.15
controller
  access requests, duty as to 7.4, 7.6, 7.50, 7.51
  accountability principle and 4.19–4.22, 5.40
  assessment notices 16.1, 16.10–16.15, 16.25
  based outside EU 3.57, 3.62
  data breaches, reporting 15.1
  Data Protection Officer, designation 14.1
  data sharing 3.16
  default, data protection by 3.60, 3.61
  definition 3.16–3.18
  design, data protection by 3.58, 3.59
  documented instructions from 3.26
  established in EU 3.63–3.66
  exercise of official authority vested in 5.27, 5.30
  joint controllers 3.16, 13.43, 16.50
  law enforcement processing, obligations 17.14–17.20

controller – contd
  legal obligation of, as lawful basis of processing 5.13–5.23, 5.40
  legitimate interest of 5.45, 5.47
  monitoring compliance 14.24
  passing data to processor 10.4, 10.5
  processor, contracting with 3.20–3.29
  relevant and appropriate relationship with data subject 5.49
  sharing personal data 10.1
  standard contract clauses 3.27
  statutory 3.17
control test
  environmental information 21.5, 21.6
Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
  intelligence services 2.15
copyright
  in databases 23.64–23.77
  employees and 23.66
  environmental information exemption 23.63–23.77
corporate body
  dishonesty or malpractice in 9.32
corporate finance
  exemptions from rights 9.4, 9.74–9.76
cost-benefit analyses
  environmental information 19.1, 19.31, 19.32
cost limit/cost ground
  environmental information 20.2, 20.4, 21.27, 22.16
  freedom of information 20.4, 24.20, 24.57–24.64
  individual right of access 7.46–7.49
counselling
  lawful basis for processing 5.141–5.143
court or tribunal records
  environmental information exemption 23.40, 23.52–23.54, 23.60–23.62
  freedom of information exemption 25.1, 26.57–26.65
covert human intelligence sources (CHIS)
  freedom of information 26.10, 26.14
credit reference agency
  access request to 7.15
credit-worthiness
  profiling 3.32, 3.33
crime prevention or detection data see also criminal data; law enforcement processing
  apprehension or prosecution of offenders 26.29, 26.36
  confidential sources 26.10–26.16
  exemptions from rights 9.4, 9.11–9.19, 27.77

crime prevention or detection data – contd
  freedom of information exemption 25.1, 26.1–26.56
  GDPR provisions 2.14
  generally 2.7, 2.17
  historical records 26.17, 26.55, 26.64
  military offences 26.6
  mosaic effect 26.27, 26.35
  Privacy Notice exemption 6.19
  risk assessment systems 9.4, 9.11, 9.20–9.22
  sharing personal data and 10.14, 10.27
  special category data 5.130–5.135, 10.27
criminal act
  legitimate interest basis 5.61
criminal data see also crime prevention or detection data; law enforcement processing
  Article 10 processing 2.14, 2.33, 17.26–17.28
  Data Protection Impact Assessments 13.15
  generally 2.5, 2.14
  third parties 27.64–27.67
cross-border processing see also international data transfers
  Brexit 2.21, 3.56, 3.69, 4.1, 11.9, 11.15, 11.36, 11.37
  Law Enforcement Directive 2.13, 17.1
Crown
  exercise of function of 5.27, 5.117–5.120, 8.54, 10.27
Crown honours, dignities or appointments
  exemptions from rights 9.4, 9.57–9.59
  freedom of information 26.173–26.176
  Privacy Notice exemption 6.19
cultural sites
  environmental information 19.1, 19.4, 19.34, 19.35, 19.45

D

dactyloscopic data 3.54
database
  copyright 23.64–23.77
data breach
  accidental 3.53, 15.2
  accountability principle and 4.16–4.22, 15.7
  alteration of data, unlawful 15.2
  Brexit 15.12, 15.14, 17.19
  data subjects in more than one EU state 15.12
  definition 3.53, 15.2
  deliberate 15.2
  destruction of data, unlawful 15.2
  high risk to data subjects, where 15.8–15.12

data breach – contd
  ICO powers 15.11
  law enforcement processing 17.19, 17.20
  loss of devices containing data 15.3
  negligent 15.2
  notifying data subjects 15.8–15.10
  notifying ICO 15.1, 15.5–15.7
  penalty regime 15.14
  preparations for 15.1, 15.5, 15.8, 15.15
  processors and 15.13, 15.15
  proportionality principle 15.10
  recording 15.1
  risk assessment 15.4
  unauthorised access 15.2, 15.3
  unauthorised disclosure 15.2
  unlawful 3.53, 15.1–15.3
  vicarious liability 4.18
data controller see controller
data minimisation
  Data Protection Impact Assessments 13.27
  principle of 3.58, 4.2, 4.12
  tests to be applied 4.12
data portability, individual right of
  access requests 7.70
  consent basis, data provided on 5.8, 8.39
  contract basis 5.12
  excessive requests 8.44
  exemptions from rights 8.48, 9.11ff, 10.47
  format of information 8.34–8.36, 8.45–8.47
  format for requests 8.44
  General Data Protection Regulation 2.2
  generally 8.34–8.43
  identity checks 8.44
  intention to prevent 16.57
  legal obligation basis 5.22
  limitations 8.39–8.43
  public task basis 5.44
  purpose of right 8.38
  refusal 8.44
  right of erasure and 8.42
  rights and freedoms of others 8.43
  sharing personal data and 10.47
  special category data 8.39
  timing of response 8.44
  transmission to another controller 8.37
  unfounded requests 8.44
  vital interest basis 5.26
data processing
  automated see automated or structured processing
  conditions see lawful bases of processing
  definition 3.14, 3.15
  exemptions from requirements 2.4, 2.21
  lawful bases of see lawful bases of processing

data processing – contd
  purpose see purpose of data processing
  system, certification 2.33
data processor see processor
data protection
  access, right of 7.2, 7.7
  activity outside scope of GDPR 2.4, 2.19, 2.20, 2.22–2.27
  activity within scope of GDPR 2.4, 2.17, 2.19, 2.20
  adding to or amending exemptions 9.8
  automated decision-making see automated decision-making
  breaches see data breach
  Brexit 1.6, 2.3–2.7
  default, by 3.60, 3.61
  deletion or return of data 3.26
  design, by 1.6, 3.58, 3.59
  enforcement regime 2.29
  exemptions generally 1.6, 9.1ff
  extra-territorial 2.33
  GDPR see General Data Protection Regulation
  identifiable individuals see identifiable individual
  impact assessments see Data Protection Impact Assessment
  Information Commissioner 2.16, 2.25, 2.28, 2.33, 18.1
  intelligence services 2.7, 2.8, 2.15, 2.19, 2.22
  law enforcement processing see law enforcement processing
  lawful bases of processing see lawful bases of processing
  legitimate interest see legitimate interest
  need for, generally 1.1–1.3
  principles see data protection principles
  privacy and 1.1–1.6
  processing, definition 3.15
  regulatory system 1.3
  rights see individual rights
  security services 2.7, 2.15, 2.19
  special category data 1.6, 2.4, 3.13
  standard contractual clauses 2.33, 3.27, 11.15
  territorial scope 2.6, 3.62–3.69
Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations
  application 2.3
  Brexit 1.6, 2.3, 2.7, 2.33, 23.153
  UK GDPR 2.3, 2.7, 2.10, 2.33
Data Protection Act 1998
  exemptions under 1.6
  generally 2.2
  indirect identification 3.4
  transposition of GDPR into UK law 2.18

Data Protection Act 2018
  background to 2.10–2.12
  Brexit and 2.5–2.7, 2.20, 2.33, 9.3–9.8, 9.97, 9.99, 9.103
  exemptions under 1.6, 9.1ff
  Explanatory Notes in Bill 2.6
  GDPR and 2.4, 2.5, 2.10–2.12, 2.17–2.19
  generally 2.1, 2.3, 2.4–2.9
  international transfers of personal data 2.21
  Keeling Schedules 2.33
  main provisions 2.20–2.32
  manual unstructured data 3.37
  personal data in information requests 27.1
  structure 2.20–2.32
Data Protection Convention 2.33
Data Protection Directive 2.2
Data Protection Impact Assessment (DPIA)
  accountability principle 13.1
  appealing ICO decisions 13.48
  automated decision-making 8.81, 13.12
  automated evaluation, where 13.11
  children 13.7, 13.14
  circumstances requiring 13.4–13.17
  consultation with ICO 13.19, 13.39, 13.42–13.48, 14.27
  consultation with individuals 13.18, 13.22
  criminal data 13.15
  data minimisation 13.27
  Data Protection Officer’s role 13.4, 13.40, 13.53–13.55
  describing the processing 13.9, 13.21
  exemptions 13.59
  format 13.2
  generally 1.6
  high risk to data subjects, where 13.4–13.7, 13.14, 13.39, 13.42
  ICO’s capacity to screen 13.56
  identifying need for 13.9, 13.20
  individual rights and freedoms and 13.4
  insurance underwriting 13.15
  integrating outcome into project plan 13.49, 13.50
  internal stakeholders 13.24
  international transfers 13.27
  invisible processing, where 13.12
  joint controllers 13.43
  keeping under review 13.51
  large scale data processing 13.7, 13.11, 13.12, 13.15
  law enforcement processing 17.17
  loan applications 13.15
  mandatory 13.4, 13.5, 13.11, 13.14, 13.15
  necessity of the proposed processing 13.26, 13.27
  outsourcing 13.52
  previous DPIA, where 13.57, 13.58

Data Protection Impact Assessment (DPIA) – contd
  Privacy Impact Assessment compared 13.4
  profiling, where 8.81, 10.39, 13.7, 13.11, 13.15
  proportionality considerations 13.26, 13.27
  purpose 13.1
  recording outcome of 13.38–13.41
  reducing information flow complexity 13.36
  risk identification and assessment 13.9, 13.10, 13.28–13.33
  risk mitigation measures 13.34–13.37, 13.39
  scope 13.21
  sensitive data 13.12
  sharing personal data 10.10, 10.38–10.42
  signing off 13.38–13.41
  special category data 13.15
  stages of 13.18–13.51
  subjects prevented from exercising rights, where 13.12
  systematic monitoring, where 13.12
  vulnerable subjects 13.7, 13.12, 13.14
data protection legislation
  use of term 2.10
Data Protection Officer (DPO)
  access to personal data 14.18
  access to processing operations 14.18
  advisory role 14.24, 14.25
  Brexit 14.11, 14.24
  confidentiality, bound by 14.22
  contact details, publication 14.16
  as contact point with ICO 14.24, 14.27
  co-operation with supervisory authority 14.24
  data subjects’ right to contact 14.23
  decision not to appoint 14.13
  designation 14.1–14.14
  group of undertakings 14.12
  independence 14.17–14.23
  large scale data processing 14.8, 14.9
  management responsibility 14.17
  monitoring controller or processor 14.24
  position, generally 14.17–14.23
  public authorities 14.12
  regular and systematic monitoring by 14.5–14.9
  reporting to managers 14.21
  resources available to 14.18
  risk assessment 14.26–14.28
  role 13.4, 13.5, 13.40, 13.53–13.55, 14.17–14.28
  skills and experience required 14.15
  when required 14.1–14.14

data protection principles
  accountability 1.6, 4.1, 4.2, 4.16–4.22, 5.40
  accuracy 4.2, 4.13
  breach 16.40
  Brexit and 4.7
  data minimisation 4.2, 4.12
  generally 4.1, 17.5
  human rights 27.25, 27.52
  information already known to some individuals 27.43, 27.54
  information already in public domain 27.43, 27.53
  integrity and accountability 4.2, 4.16–4.18
  law enforcement processing 17.5
  lawfulness, fairness and transparency 4.2, 4.3–4.5, 4.21, 5.1, 27.22–27.28
  legitimate interest see legitimate interest
  purpose limitation 4.2, 4.6–4.11, 4.21
  respect for private and family life 27.25
  storage limitation 4.2, 4.14, 4.15
  transparency 1.6
data protection proceedings
  communications connected to 16.7
dataset
  FOIA Code of Practice 24.20
  freedom of information 24.18, 24.20
  meaning 24.18
data sharing see sharing personal data
data subject
  consent see consent
  data manifestly made public by 5.101, 5.102, 17.8
  enabling monitoring by 3.58
  negotiations with, exemptions from rights 9.4, 9.80–9.83, 27.77
  reasonable expectations 4.7–4.9, 5.52, 27.43, 27.52, 27.61
  relationship with controller 5.49
  representation of 16.59
  rights see individual rights
  vital interests of, protection 5.24–5.26
data use
  legal 1.3
  misuse 1.3
  regulation 1.3
decisive influence 21.4, 21.5
default, data protection by
  GDPR requirement 3.60, 3.61
  meaning 3.60
defence see also national security
  Brexit and 4.7, 4.9, 9.162
  confidential information 26.194
  data protection 7.76, 9.6, 9.162, 9.163

defence – contd
  environmental information exemption 20.4, 23.5–23.9, 23.19–23.24, 23.38
  freedom of information exemption 20.4, 25.1, 25.53–25.74, 25.99–25.119
  GDPR exclusion 2.17, 2.27
DEFRA Code
  environmental information 21.18–21.21
democratic engagement
  data processing necessary for 5.27, 5.29, 5.43, 8.54
  political opinions, special category data 3.11, 5.29, 5.43
Denham, Elizabeth, Information Commissioner 2.1
design, data protection by
  data minimisation principles 3.58
  enabling monitoring by data subjects 3.58
  GDPR requirement 3.58, 3.59
  meaning 1.6, 3.58
  pseudonymisation 3.58, 3.59
  security features, generally 3.58, 3.59
  transparency 3.58
destruction schedule
  environmental information 22.4
devolved governments
  economic interests 25.137
  policy, freedom of information 26.90
  relations between 25.1, 25.120, 25.133–25.135, 26.194
direct marketing see marketing, direct
disabled individual
  processing which supports 5.140
  special category data 5.32
disciplinary investigation data
  disclosure would harm 23.48
disclosure see also sharing personal data
  legal persons, between 10.5
  required by law 6.19
discrimination, risk of
  DPIA assessment 13.7
dishonesty
  protection of public against 5.133–5.135, 9.32, 10.27
DNA
  identifiable individuals 3.6

E

economic analyses
  environmental information 19.1, 19.31, 19.32
economic factors
  identifiable individuals 3.5
economic well-being of individual
  processing necessary for 5.147–5.149

education data
  court, processed by 9.5, 9.140, 9.141
  educational record, definition 9.139
  exemptions from rights 9.5, 9.139–9.144, 27.77
  GDPR exclusion 2.17
  serious harm test 9.5, 9.142–9.144
  special educational needs statements 7.76, 9.6, 9.150, 9.151, 9.156, 9.157
education worker
  third party data of 9.4, 9.64–9.66
elected representative see also Parliamentary privilege
  disclosure to 5.165–5.168, 10.27
  informing about prisoners 5.169, 5.170
  responding to requests 5.161–5.164
electronic communications see also marketing, direct
  meaning 12.4
electronic mail
  direct marketing by 12.5–12.11
emissions
  environmental information 19.8, 19.9–19.14
employee
  contract basis 5.11
  copyright and 23.66
  employee data 5.48, 5.62
  health and safety 9.32, 26.30, 26.47, 26.48
  medical assessment 5.107
  occupational pension, processing necessary for 5.154–5.156
  profiling work performance 3.32, 3.33
employment law obligations
  as lawful basis 5.94, 5.95, 10.27
encrypted data
  data breaches and 15.4
  generally 10.43
energy policy and consumption
  environmental information 19.54
enforcement notice see also enforcement regime
  appeals 16.18, 16.47, 16.48
  cancellation 16.48
  contents 16.18
  failure to comply with 16.25, 16.40
  freedom of information requests 24.103, 24.104
  generally 16.1
  Parliamentary privilege and 16.20
  purpose 16.16, 16.19
  restrictions on use 16.20
  right of erasure, enforcement 16.19
  right of rectification, enforcement 16.19
  special purposes processing 16.20
  types of failure giving rise to 16.16

enforcement notice – contd
  urgency procedure 16.17, 16.18, 16.51
  variation 16.48
enforcement regime
  appeals see appeals
  appeals period 16.34
  assessment notices see assessment notice
  Brexit 16.1, 16.49
  complaints to ICO 16.46
  court order requiring compliance 16.49
  court remedies 16.49–16.58
  enforcement notices see enforcement notice
  environmental information 20.1
  freedom of information 24.103, 24.104
  generally 2.29, 16.1
  ICO’s prosecution powers 16.1, 24.105
  information notices see information notice
  penalty notices see penalty notice
  powers of entry see entry, powers of
  powers of inspection 2.29, 16.10, 16.22–16.24
  types of failure 16.16
entry, powers of
  assessment notices 16.10
  freedom of information 24.103
  generally 2.29, 16.22
  notice demanding access 16.23
  reasonable force, use of 16.24
  unreasonable refusal of access 16.23
environment, functions relating to
  organisations with 21.1
environmental enforcement data
  disclosure would harm 23.48
environmental harm
  exceptions where disclosure would cause 23.1–23.154
environmental information
  accurate and comparable, data must be 22.56, 22.57
  activities affecting elements 19.15–19.29
  administrative measures 19.17
  advice and assistance 22.1, 22.15, 22.22, 22.28–22.30, 22.34, 22.73
  agriculture 19.54
  appeals 20.1, 21.44–21.47
  areas covered 19.54
  background papers, request for 22.38
  biological diversity and its components 19.4, 19.6
  Brexit and 18.3, 18.9, 18.14, 21.24, 23.95, 23.153
  built environment 19.1, 19.4, 19.5, 19.33–19.35, 19.46, 19.47
  chilling effect exception 22.48, 22.73–22.76
  collective responsibility and 22.79, 22.80

environmental information – contd
  commercial interests exception 22.85, 22.86, 23.77
  conditions of human life 19.35, 19.42–19.44
  confidential information 23.98–23.128, 26.187, 26.188
  confidential proceedings 21.25, 22.88, 23.78–23.99
  confirming/denying information held 21.17, 27.82, 27.83
  conservation matters 19.54
  contamination of the food chain 19.1, 19.35, 19.38–19.41
  control test 21.5, 21.6
  copyright exemption 23.63–23.77
  cost-benefit analyses 19.1, 19.31, 19.32
  cost grounds for refusal 22.7, 22.16–22.25
  cost limit 21.27, 22.16
  cost limit exemption 20.2, 20.4
  costs and charges 21.27–21.42
  course of justice, disclosure would harm 23.39–23.62
  court or tribunal records exemption 23.40, 23.52–23.54, 23.60–23.62
  cultural sites 19.1, 19.4, 19.34, 19.35, 19.45
  database copyright 23.63–23.77
  defence, disclosure would harm 20.4, 23.5–23.9, 23.19–23.24, 23.38
  definition 19.1–19.3
  DEFRA Code 21.18–21.21
  destruction schedules 22.4
  disbursement costs 21.35
  discharges 19.8
  disclosure, presumption in favour of 21.26
  draft documents 22.37
  duty to disclose 20.2
  East Sussex case 21.29–21.31
  economic analyses 19.1, 19.31, 19.32
  electronic information held in deleted form 22.5
  elements of the environment 19.4–19.6
  emissions 19.8, 19.9–19.14
  enactments preventing disclosure 21.24, 21.25
  energy policy and consumption 19.54
  enforcement regime 20.1
  environmental agreements 19.17
  Environmental Information Regulations 18.1–18.15, 19.1, 19.54
  environmental plans 19.17
  environmental programmes 19.17
  EU Directive 18.7
  exceptions 20.2, 20.4, 22.1–22.88, 23.1–23.154

environmental information – contd
  express presumption in favour of disclosure 20.2
  factors affecting elements 19.1, 19.7–19.14, 19.18
  fair trial, data disclosure would prejudice 23.50, 23.51
  FOIA and 18.1, 18.4–18.6, 18.10–18.15, 20.1–20.4, 21.1–21.10, 24.4–24.7
  fire prevention and fire-fighting 19.54
  fishing 19.54
  flooding 19.54
  food safety 19.54
  former Ministerial override 21.48, 21.49
  forms 19.1
  generally 18.1–18.5, 18.10
  global warming 19.54
  harm, exceptions where disclosure would cause 23.1–23.154
  Henney case 19.23–19.27
  holding environmental information, meaning 21.11–21.14
  housing development 19.48–19.53, 19.54
  human health and safety 19.1, 19.33–19.54
  incidental impact, measures producing 9.20–9.29
  incomplete data, requests for 22.1, 22.35–22.55
  Information Commissioner 20.1
  information not held 22.1–22.6
  information requests 18.1, 18.2
  intellectual property rights exemption 23.63–23.77
  interaction between elements 19.4
  internal communications, requests involving 22.1, 22.58, 22.59–22.88, 23.77
  international relations exemption 23.5–23.9, 23.10–23.18, 23.38
  landscape 19.4, 19.5
  land use planning and development 19.48–19.53
  law enforcement, disclosure would harm 23.40, 23.47–23.51, 23.58, 23.59
  legal advice exemption 22.83, 22.84
  legal professional privilege 22.88, 23.40, 23.42–23.46, 23.56, 23.57
  legitimate interest basis 5.83–5.85
  material requested is in course of completion 22.1, 22.35–22.55
  misleading material 22.52
  mixed EIR/FOI requests 21.9, 21.10
  national security, disclosure would harm 20.4, 21.48, 21.49, 23.5–23.9, 23.25–23.34, 23.38

environmental information – contd
  natural sites 19.4
  neither confirm nor deny (NCND) 23.7–23.9
  noise 19.8, 19.54
  oral requests 20.2
  organisations subject to 21.1–21.8
  Parliamentary privilege 20.4
  payment in advance 21.41, 21.42
  personal data exception 22.81, 22.82
  personal data in information requests 27.1–27.9, 27.79–27.85
  private sector 21.5–21.8
  property searches 19.54
  public access, generally 18.8
  public health 19.54
  public interest see public interest
  public safety, disclosure would harm 23.5–23.9, 23.35–23.37
  radioactive waste 19.8, 19.54
  records management procedures 20.1
  redactions, cost of 21.32, 21.33
  refusal of request 21.44–21.47
  Regulation 4 duty 21.15, 21.16
  regulations 18.6–18.9
  remoteness principle 19.20–19.22
  reports on implementation of legislation 19.1, 19.30
  request too general 22.1, 22.26–22.34
  retention schedules 22.4
  safe space, need for 22.40–22.47, 22.70–22.72
  schedule of costs, publication 21.40
  single species, on 19.6
  special powers test 21.5, 21.6
  third party data in information requests 27.1–27.9, 27.79–27.85
  time limit extensions 21.43
  time limits, generally 20.1, 20.2, 21.43
  transport, roads and traffic 19.54
  unclear requests 22.27
  understanding, whether disclosure would assist 22.51
  UNECE Convention 18.7, 18.9
  unfinished documents, requests for 22.1, 22.35–22.55
  unreasonable requests 20.4, 22.1, 22.5, 22.7–22.22
  up to date, data must be 22.56, 22.57
  vexatious requests 22.7, 22.8, 22.10–22.15, 22.21
  viability assessments 19.32
  waste collection and management 19.8, 19.54
  water supply 19.54
e-Privacy Directive
  direct marketing 5.63, 12.3
  objection by automated means 8.69

e-privacy regulation
  generally 12.3
equality of opportunity or treatment
  special category data 5.122–5.126, 10.27
erasure, individual right of
  child, data collected from 8.18, 8.21
  data portability and 8.42
  direct marketing, objection to 8.18
  enforcement notices 16.19
  exemptions from rights 8.19, 8.25, 9.11ff
  generally 8.17–8.25, 17.7
  grounds for 8.18
  identity checks 8.20
  information to be given 7.63
  law enforcement processing 17.10, 17.13
  legal obligation basis 5.22
  notification to other controllers 8.22–8.24
  oral requests 8.20
  public task basis 5.44
  refusal 8.20
  timing of response 8.18, 8.20
  unlawfully processed data 8.18
  unreasonable requests 8.20, 21.27
erasure policy
  appropriate policy documents 5.89
European Charter of Fundamental Rights 18.9
European Data Protection Board (EDPB) 12.3, 14.5
  guidelines on consent 3.47
  international data transfers 11.18, 11.31
European Economic Area (EEA)
  transfers outside 11.2
  transfers within 11.1
European Union (EU) see also international data transfers
  areas outside competence of 2.17
  common foreign and security policy 2.22
  controller based outside 3.57, 3.62
  controller established in 3.63–3.66
  processor based outside 3.57, 3.62
  processor established in 3.63–3.66
  threat to security of member state 17.21
  transfers of personal data outside 4.1
European Union (Withdrawal) Act
  generally 2.3, 2.7
examination scripts and marks
  exemptions from rights 9.4, 9.87–9.91
explicit consent
  automated decision-making 8.74, 8.75, 8.79
  as lawful basis 5.8, 5.93, 8.18, 8.74, 11.26
  special category data 5.8, 5.93, 27.64

F

facial recognition technology 3.54
  Data Protection Impact Assessments 13.14

fairness
  exemptions from requirement 9.1
  fair competition provisions 9.32
  law enforcement processing 17.5
  principle of 4.2, 4.3–4.5, 4.20, 27.27, 27.28
Fair Processing Notice see Privacy Notice
Faroe Islands
  international transfers 11.7
filing systems
  automated 3.35–3.37
  manual 3.35–3.37, 4.14
  storage limitation 4.14, 4.15
Financial Conduct Authority functions
  exemptions from rights 9.43–9.48
financial information
  credit reference agencies 7.15
  profiling 3.32, 3.33
financial loss
  compensation for 16.50
  data breach resulting in 15.3
  risk of, DPIA assessment where 13.7
financial markets
  freedom of information exemption 25.1, 25.137–25.159
Financial Ombudsman
  freedom of information 24.24
  functions, exemptions from rights 9.43–9.48
financial regulators
  investigation of complaints against 9.43–9.48
financial services
  dishonesty or malpractice in 9.32
fingerprint data 3.54
fire prevention and fire-fighting
  environmental information 19.54
fishing
  environmental information 19.54
flooding
  environmental information 19.54
food chain contamination 19.1, 19.35, 19.38–19.41
food safety
  environmental information 19.54
fraud
  prevention, lawful bases for processing 5.48, 5.61, 5.70, 5.138
  risk, DPIA assessment 13.7, 13.28
freedom of expression
  generally 8.19
freedom of information
  access, right of 24.20, 24.49
  administration of justice 26.29, 26.32, 26.37–26.40
  advice and assistance 24.20, 24.42, 24.43
  alteration of records 24.105

freedom of information – contd
  appeals 24.99–24.102
  apprehension or prosecution of offenders 26.29, 26.36
  archived information 24.15
  armed forces 24.24
  audit functions 20.4, 25.1, 26.66–26.76
  Bank of England 24.24
  broadcasters 24.24
  central government 24.24
  charging for requests 24.47–24.56
  Code of Practice (also Section 45 Code of Practice, or revised s 45 Code) 24.19–24.22, 24.29, 24.33, 24.37, 24.39, 24.42, 24.43, 24.53, 24.94, 24.98
  Code of Practice on records management 24.22
  commercial prejudice 25.1, 25.159, 26.212ff
  communicating with requester 24.20
  complaints 25.70, 25.71, 25.98
  concealment of records 24.105
  conducting the search 24.44
  confidential information see confidential information
  confirm or deny, duty to 24.1, 24.41, 25.35–25.37, 25.48, 25.49, 25.84–25.87, 25.105, 25.145, 26.18
  confirming/denying information held 27.78
  cost limit exemption 20.4, 24.20, 24.57–24.64
  court and tribunal records 25.1, 26.57–26.65
  covert human intelligence sources (CHIS) 26.10, 26.14
  crime prevention 26.33
  criminal investigations and proceedings 25.1, 26.1–26.56
  data made public by data subject 5.101, 5.102, 17.8
  datasets 24.18, 24.20
  defacement of records 24.105
  defence exemption 20.4, 25.1, 25.53–25.74, 26.194
  Definition Documents 24.16
  destruction of records 24.105
  devolved government relations exemption 25.1, 25.120, 25.133–25.135
  devolved governments, generally 26.90
  disclosure prevented by law 24.15
  disclosure required by law 25.19, 25.20
  distress of staff, requester causing 24.69
  duty to disclose 24.1
  economic interests exemption 25.1, 25.137–25.159

freedom of information – contd
  economy 25.137
  effect of disclosure 24.1, 24.2
  EIR and 18.1–18.15, 20.1–20.4, 21.1–21.10, 24.4–24.7
  enforcement notices 24.103, 24.104
  environmental information 26.187, 26.188
  exemptions 20.4, 24.3, 24.15, 24.57–24.92, 25.1–25.159, 26.1–26.237
  factors against disclosure 24.84, 24.88
  factors in favour of disclosure 24.84, 24.86, 24.89
  fees 24.8, 24.40, 24.47–24.64, 25.18
  fines 24.105
  format of response 24.45, 24.46
  Freedom of Information Act 18.1, 18.4–18.6, 18.10–18.15, 20.1–20.4, 24.1
  future publication, information intended for 25.1, 25.21–25.34
  generally 8.19
  government policy see government policy
  handling datasets 24.20
  harassment of staff 24.69
  health practitioners 24.16
  health and safety exemptions 26.30, 26.47, 26.48, 26.177–26.186
  historical records 26.10–26.16, 26.55, 26.64
  ICO powers of entry 24.103
  ICO sanctions 24.103, 24.104
  identity of requester 24.90
  immigration controls 26.29, 26.32, 26.42
  information, definition 24.4
  information accessible in part 25.15
  information available elsewhere 25.1, 25.3–25.20, 26.20
  information available to a category 25.16
  information no longer readily available 24.15
  information notices 24.103, 24.104
  information protected from disclosure 24.15
  information requests, form and content 24.33–24.36
  information requests, generally 24.27–24.36, 24.50–24.56
  internal reviews 24.20, 24.97, 24.98
  international relations exemption 20.4, 25.1, 25.120–25.132, 26.194
  law enforcement exemption 25.1
  law enforcement investigations or proceedings 25.1, 26.1–26.56
  Law Officers’ advice to government 26.86, 26.91, 26.129–26.134

freedom of information – contd
  legal professional privilege 26.194, 26.195–26.211
  legitimate interest basis 5.83–5.85
  local government 24.24
  medium in which information held 24.27
  military offences, investigations and proceedings 26.6
  Ministerial communications 26.86, 26.91, 26.123–26.128
  Ministerial override 24.106, 24.107
  Ministerial private office, operation 26.86, 26.91, 26.135–26.142
  mixed EIR/FOI requests 21.9, 21.10
  mosaic effect 26.27, 26.35
  motive of requester 24.69–24.76, 24.90
  National Health Service 24.24
  national security exemption 20.4, 25.1, 25.53–25.119, 26.194
  neither confirm nor deny (NCND) 25.58–25.67, 25.84, 25.87, 25.95, 25.98, 25.105, 26.144
  offences 24.105
  parish councils 24.16
  Parliamentary privilege 20.4, 24.24, 25.1, 26.77–26.83
  penalty regime 24.105
  personal data, generally 24.4–24.7
  personal data in information requests 27.1–27.77
  police 24.24, 24.25, 26.10
  precedent effect 26.27
  prisons etc, exemption 26.29, 26.43, 26.44
  pseudonym, requester using 24.34, 24.35
  Publication Schemes see Publication Scheme under FOIA
  public authority, definition 24.23–24.26, 24.28
  public authority, information held by 24.4, 24.28–24.32
  public authority duties 24.1–24.4, 24.23–24.26
  public authority exercise of functions and 26.45, 26.46
  public interest test 20.1, 26.145
  publicly owned companies 24.23, 24.26
  public policy exemption 25.1
  qualified exemptions 24.37, 24.41, 24.81, 24.83, 24.93, 24.94
  quangos 24.24
  reasonably accessible information available elsewhere 25.1, 25.3–25.20
  recorded information 24.27
  records management 24.22
  refusal notices 24.93–24.96
  regulators 24.24

freedom of information – contd
  relations within UK 25.133
  repeated requests 24.34, 24.77–24.80
  research information exemption 25.1, 25.38, 25.39–25.52
  response to information requests to 24.1, 24.27–24.32, 24.37–24.40, 24.45, 24.46
  right to information, generally 24.27
  routine business, information given as 24.21
  Royal family, communications with 26.170–26.176
  Royal Household, communications with 26.170–26.176
  schools 24.16
  Section 45 Code 24.19–24.22
  security and defence exemption 20.4, 25.1, 25.53–25.119
  taxation enforcement exemption 26.29, 26.34, 26.35, 26.41
  template guides to information 24.16
  third party consultation 24.20, 25.50, 25.51
  third party data in information requests 27.1–27.77
  time limits for response 24.20, 24.37–24.40
  trade secrets 26.212–26.214
  transparency obligation 24.20
  types of information, separating 24.4–24.7
  universities 24.24
  valid requests 24.33–24.36
  vexatious requests 20.4, 24.20, 24.34, 24.65–24.76
Freedom of Information Act
  information not held 22.2

G

General Data Protection Regulation (GDPR)
  access, right of 7.2, 7.4–7.6, 7.11, 7.39
  activity outside scope of 2.19, 2.20, 2.22–2.27
  activity within scope of 2.4, 2.17, 2.19, 2.20
  adequacy decisions 2.33
  adequacy regulations 2.33
  application in UK 2.2, 2.3, 2.5, 2.17
  applied GDPR 2.10, 2.23–2.26, 2.33, 3.15
  Articles 2.31
  automated decision-making 2.2
  automated or structured processing 3.15, 3.35–3.37
  biometric data 3.54
  Brexit 2.3–2.7, 2.10, 2.19, 2.26, 2.31, 2.33, 3.15, 3.67–3.69
  consent 3.39–3.52, 5.5

General Data Protection Regulation (GDPR) – contd
  controller, definition 3.16–3.18
  criminal personal data 2.14
  data portability 2.2
  data processing, definition 3.14, 3.15
  Data Protection Act 2018 and 2.4, 2.5, 2.10–2.12, 2.17–2.19
  default, data protection by 3.60, 3.61
  design, data protection by 3.58, 3.59
  domestic legislation required by 2.4, 2.10
  exemptions on powers or duties in 9.1ff
  extra-territorial application 2.33
  filing system 3.35–3.37
  generally 2.1
  health, data concerning 3.55
  identifiable living individuals 3.1–3.3
  identification, definition 3.3–3.6
  international data transfers 2.33, 11.1, 11.2
  Keeling Schedules 2.33
  lawful bases of processing 5.1, 5.2, 5.92–5.114
  main establishment 3.56, 3.57
  manual processing 3.35–3.37, 4.14
  manual unstructured data 3.37, 3.67
  penalty regime 2.29
  personal data, generally 3.1, 3.2
  personal data breach, definition 3.53, 15.2
  personal data in information requests 27.1, 27.11, 27.13–27.17
  pre-Brexit 2.19, 2.22–2.25
  principles see data protection principles
  processing, definition 3.14, 3.15
  processing, restriction of see restriction of processing
  processor, definition 3.18, 3.19
  processor, obligations 3.20–3.29
  profiling, definition 3.32, 3.33
  pseudonymisation 3.5, 3.34, 3.58
  recipient, definition 3.38
  Recitals to 2.31–2.32
  relating to, definition 3.7–3.9
  restriction of processing see restriction of processing
  right to be forgotten 8.17
  security requirements 3.26, 4.16, 4.17
  special category personal data 3.10–3.13, 27.64
  territorial scope 3.62–3.69
  transparency principle 4.3–4.5
  UK GDPR 2.3, 2.7, 2.10, 2.33, 3.15, 3.37
genetic data
  Brexit 2.33
  identifiable individuals 3.6
  law enforcement processing 17.6
  sharing 2.33, 10.39
  special category data 3.11, 3.12

global warming
  environmental information 19.54
government department
  environmental information 21.1
  exercise of function of 5.27, 5.117–5.120, 8.54, 10.27
government policy, freedom of information and
  chilling effect 26.103, 26.113–26.117, 26.128, 26.161
  collective responsibility 26.103, 26.118, 26.119
  distraction from debate 26.120
  draft material, publication 26.121, 26.122
  formulation or development 26.85, 26.91, 26.93–26.122
  freedom of information 26.84–26.169
  Law Officers’ advice to government 26.86, 26.91, 26.129–26.134
  Ministerial communications 26.86, 26.91, 26.123–26.128
  Ministerial private office, operation 26.86, 26.91, 26.135–26.142
  overall public interest 26.145
  prejudice to effective conduct of public affairs 26.149–26.169
  role of qualified person 26.147, 26.150, 26.153–26.160, 26.164, 26.165
  safe space, need 26.103, 26.105–26.112
  statistical information used 26.87, 26.143, 26.160
group of undertakings
  Data Protection Officer 14.12
  prior consultation with ICO 14.27
  transfer of data within 5.48, 5.62
Guernsey
  international transfers 11.7

H

health, public see public health
health care services see also National Health Service
  data on provision 3.55
  processing necessary for 5.107–5.110, 10.27
  regulatory functions relating to 9.4, 9.40–9.42
health data
  Brexit 2.33
  court, processed by 9.5, 9.116, 9.117
  data subject’s wishes and expectations 9.5, 9.118–9.120
  definition 3.55
  environmental information 19.1
  exemptions from rights 9.5, 9.116–9.126, 27.77

health data – contd
  GDPR exclusion 2.17
  law enforcement processing 17.6
  medical records 26.190
  serious harm test 9.5, 9.121–9.126
  sharing 2.33
  special category data 3.11, 5.107–5.112, 10.27
  supports individuals with a particular disability or medical condition 5.140
health practitioner
  freedom of information 24.16
health and safety
  confidential information 26.177–26.186
  freedom of information exemptions 26.30, 26.47, 26.48
  investigation, data disclosure would harm 23.48
  public, data disclosure would harm 23.5, 23.35–23.37
  public protection functions 9.32
Health Service see National Health Service
health worker
  third party data of 9.4, 9.64–9.66
historical records, freedom of information
  court and tribunal records 26.64
  law enforcement investigations or proceedings 26.17, 26.55
  Privacy Notice 9.107, 9.108
  public audit function 26.76
  security records 25.54, 25.72, 25.73
historical research
  exemptions from rights 9.4, 9.102–9.108
  Privacy Notice 9.107, 9.108
  processing necessary for 5.113, 5.114, 10.27
  right to object 8.52
housing development
  environmental information 19.48–19.53, 19.54
human fertilisation and embryology
  data disclosure restrictions 7.76, 9.6, 9.150–9.153
human rights
  data protection principles 27.25, 27.52

I

Iceland
  international transfers 11.1
identifiable individual
  data protection, generally 2.5
  directly identifiable 3.3
  factors 3.5, 3.6
  genetic factors 3.6
  identifiable living individual, definition 3.1–3.3
  identifiers 3.5

identifiable individual – contd
  indirectly identifiable 3.3, 3.4
  IP address 3.5
  ISP address 3.3
  recorded information 3.3
identification
  definition 3.3–3.6
identity theft
  data breaches 15.3
  generally 1.2, 5.70
  risk of, DPIA assessment where 13.7, 13.28
immigration data
  exemptions from rights 9.4, 9.23–9.27
  GDPR exclusion 2.17
immigration enforcement
  data disclosure would harm 23.48, 26.29, 26.32, 26.42
impact assessment see Data Protection Impact Assessment
inaccuracy
  definition 4.13
individual rights
  access see access, individual right of
  automated decision-making, right not to be subject to 8.72–8.84, 17.12
  breaches 16.40
  confirmation/denying data being processed 7.5
  data portability see data portability, individual right of
  data protection, generally 1.3
  Data Protection Officer’s role 14.23
  erasure see erasure, individual right of
  General Data Protection Regulation 2.2
  rectification see rectification, individual right of
  restriction of processing 7.63, 8.26–8.33
  right to be forgotten 8.17
  right to object see object, individual right to
  subjects prevented from exercising 13.12
industrial information
  confidentiality 23.98–23.128
  meaning 23.100
Information Commissioner
  role and functions 2.16, 2.25, 2.28, 2.33, 18.1
Information Commissioner’s Office (ICO)
  appeals see appeals
  assessment notices 16.1, 16.10–16.15, 16.25
  certification by 3.61
  Code of Practice on Subject Access 7.16
  complaints to 16.46
  Data Sharing Code 10.3, 10.8ff
  DPIA consultations 13.19, 13.39, 13.42–13.48, 14.27

Information Commissioner’s Office (ICO) – contd
  DPO as contact point with 14.24, 14.27
  enforcement by 16.1, 24.103, 24.104
  enforcement notices 16.1, 16.16–16.21
  environmental information 20.1
  freedom of information, sanctions under 24.103, 24.104
  information notices 16.1, 16.2–16.9, 16.25
  journalism, review processing in context of 2.29
  model Publication Scheme 24.14–24.17
  non-payment of charges to 16.43–16.45
  operation and functions 2.28
  other supervisory authorities and 2.28
  penalty notices 16.25–16.45
  penalty regime see penalty regime
  powers of entry and inspection 2.29, 16.10, 16.22–16.24, 24.103
  prosecution powers 16.1, 24.105
  Publication Scheme, approval 24.8, 24.11
  Regulatory Action Policy 16.4, 16.43, 16.45
  reporting data breaches to 15.1, 15.5–15.7
information flow
  Data Protection Impact Assessments 13.36
information notice
  accompanying information 16.3
  appeal against 16.3, 16.47, 16.48
  content 16.3
  data protection proceedings and 16.7
  failure to comply with 16.9, 16.25, 16.40
  freedom of information requests 24.103, 24.104
  generally 16.1, 16.2–16.9
  legal professional privilege 16.7
  offences in relation to 16.15
  Parliamentary privilege 16.7
  purpose 16.2
  response to, court order requiring 16.5
  restrictions on use 16.6, 16.7
  special purposes processing 16.6
  urgency procedure 16.3, 16.51
  when appropriate 16.16, 16.21
information request
  environmental information 18.1–18.15
  freedom of information 18.1, 18.4, 18.5, 18.10
information technology (IT)
  IT security, legitimate interest basis 5.48, 5.61
  service provider 3.19
innovative use of technology
  Data Protection Impact Assessments 13.12, 13.14

insurance purpose
  processing necessary for 5.150–5.153, 10.27
insurance underwriting
  Data Protection Impact Assessments 13.15
integrity
  principle of 4.2, 4.16–4.18
intellectual property right
  environmental information exemption 23.63–23.77
  intangible asset, as 23.63
  meaning 23.63
  public interest test 23.74–23.76
intelligence services
  data protection 2.7, 2.8, 2.15, 2.19, 2.22
  GDPR exclusion 2.22, 2.27
internal communications
  environmental information requests 22.1, 22.58, 22.59–22.88, 23.77
internal stakeholder
  Data Protection Impact Assessments 13.24
international data transfers see also cross-border processing
  adequacy decisions 2.33
  adequacy regulations 2.33
  adequate level of data protection 11.4, 11.6–11.9
  appropriate safeguards 11.4, 11.15–11.25
  available pathways 11.2–11.4
  binding corporate rules 2.33, 11.15, 11.18–11.21
  Brexit 2.33, 3.56, 3.69, 4.1, 11.9, 11.15, 11.36, 11.37, 17.21–17.25
  certification schemes 11.15
  codes of conduct 11.15, 11.16
  contract clauses 11.15, 11.17, 11.22–11.25
  Data Protection Act 2018 2.21
  Data Protection Impact Assessments 13.27
  derogations 11.4, 11.26–11.31
  European Data Protection Board 11.18, 11.31
  European Economic Area 11.1, 11.2
  GDPR generally 2.33, 11.1, 11.2
  identifying 11.3
  involuntary 11.3, 11.5
  Law Enforcement Directive 2.13, 17.1
  law enforcement processing 2.13, 17.1, 17.21–17.25
  meaning 11.5
  non-repetitive 11.4, 11.32–11.35
  penalty regime 16.40
  public authorities 11.27
  public interest 11.26, 11.28, 11.29

international data transfers – contd
  safe countries 11.7
  transit through non-EEA countries 11.5
  UK GDPR 2.33
  US Privacy Shield arrangement 11.4, 11.10–11.14
international relations exemption
  confidential information 26.194
  environmental information 23.5–23.9, 23.10–23.18, 23.38
  freedom of information 20.4, 25.1, 25.120–25.132, 26.194
  public interest 23.38
Internet Protocol (IP) address
  identifiers 3.5
internet service provider (ISP)
  address 3.3
invisible processing
  Data Protection Impact Assessments 13.12
Isle of Man
  international transfers 11.7
Israel
  international transfers 11.7

J

Japan
  international transfers 11.7
Jersey
  international transfers 11.7
journalistic purpose, data processing for
  exemptions from rights 9.4, 9.93–9.100
  review by ICO 2.29
  unlawful acts 5.136, 5.137
judicial appointments
  exemptions from rights 9.4, 9.52–9.56
judicial independence or proceedings
  exemptions from rights 9.4, 9.52–9.56

K

Keeling Schedules 2.33

L

land use planning and development
  environmental information 19.48–19.53
Law Enforcement Directive (LED)
  cross-border processing 2.13, 17.1
  transposition into UK law 2.5, 2.13, 17.1
law enforcement investigations or proceedings
  confidentiality, generally 23.79
  confidential sources 26.10–26.16
  court or tribunal records 23.40, 23.52–23.54, 23.60–23.62
  data disclosure would harm 23.40, 23.47–23.51, 23.58, 23.59
  fair trial, disclosure prejudicing 23.50, 23.51

law enforcement investigations or proceedings – contd
  freedom of information exemption 25.1, 26.1–26.56
  historical records 26.17
  legal professional privilege 22.88, 23.40, 23.42–23.46, 23.56, 23.57
  mosaic effects 26.27, 26.35
  public interest test 23.55–23.62
  ‘without prejudice’ correspondence 23.46, 23.55
law enforcement processing
  Article 10 processing 2.14, 2.33, 17.26–17.28
  competent authorities 2.13, 2.19, 2.22, 2.27, 17.3, 17.18
  competent authorities, persons other than 17.26–17.28
  conditions 17.8
  controller’s obligations 17.14–17.20
  criminal data 2.5, 2.14, 13.15
  data breach notifications 17.19, 17.20
  Data Protection Impact Assessments 17.17
  data protection principles 17.5
  generally 2.13, 2.19, 2.22, 2.27
  information for data subjects 17.9
  international transfers 2.13, 17.1, 17.21–17.25
  lawful bases for 17.28
  national security certificates 17.25
  periodic reviews 17.5
  processor’s obligations 17.14–17.19
  purposes for which the data may be processed 17.4
  restrictions 17.25
  rights of data subjects 17.10–17.13
  risk to rights and freedoms of individuals 17.17, 17.20
  sensitive processing 2.13, 17.6, 17.7, 17.27
  time limits for data retention 17.5
  up to date, data must be kept 17.5
lawful bases of processing
  accountability principle 5.40
  administration of justice 5.27, 5.121
  appropriate policy documents 5.90
  archiving 5.113, 5.114
  consent 5.3–5.8, 5.93, 8.18, 8.74, 11.26, 17.28, 27.31, 27.32
  contract 5.9–5.12
  counselling 5.141–5.143
  employment law obligations 5.94, 5.95
  exemptions 5.92–5.177, 9.1
  GDPR Article 9 bases 5.92–5.114
  GDPR generally 5.1, 5.2
  generally 1.6, 17.8, 27.29, 27.30

lawful bases of processing – contd
  health and social care 5.107–5.110
  historical research 5.113, 5.114
  law enforcement processing 17.28
  legal obligation 5.13–5.23, 10.25
  legal proceedings or claims 5.103, 5.104
  legitimate interests 5.45–5.85, 27.33–27.67
  not for profit organisation, processing by 5.98–5.100
  parliamentary purposes 5.27, 5.29, 5.121, 8.54
  personal data made public by data subject 5.101, 5.102
  public health 5.111, 5.112
  public interest 2.21, 5.105, 5.106, 5.115, 5.116
  public sector 2.21
  public task 5.27–5.44
  scientific research 5.41, 5.113, 5.114
  sharing personal data 10.10, 10.22–10.28
  social protection obligations 5.94, 5.95
  social security obligations 5.94, 5.95
  special category data 1.6, 2.4, 2.21, 5.2, 5.86–5.91, 10.27, 10.28, 27.64–27.67
  statistical purposes 5.113, 5.114
  statutory and government purposes 5.117–5.119
  substantial public interest 5.105, 5.106, 5.115–5.177, 10.27
  vital interests 5.24–5.26, 5.96, 5.97, 17.28
lawfulness see also lawful bases of processing
  exemptions/lawful bases 5.92–5.177
  law enforcement processing 17.5
  principle of 4.2, 4.3–4.5, 4.20, 5.1, 27.23–27.26
lead supervisory authority
  Brexit 3.56
legal effects
  automated decision-making 8.72–8.84
legal judgment
  publication 5.171, 5.172
legal obligation
  as lawful basis of processing 5.13–5.23, 10.25
legal proceeding
  disclosure required by 5.103, 5.104, 6.19, 7.76, 8.16, 9.4, 9.28–9.30
legal professional privilege
  environmental information 22.88, 23.40, 23.42–23.46, 23.56, 23.57
  exemptions from rights 9.4, 9.68–9.70, 27.77
  freedom of information 26.194, 26.195–26.211
  information notices and 16.7
  waiver or loss 26.200–26.203

legal services
  regulatory functions relating to 9.4, 9.40–9.42
legitimate interest
  assessment (LIA) test 5.59–5.73, 5.76
  balancing test 5.47, 5.49, 5.51–5.59, 5.68–5.73, 27.42, 27.43
  child as data subject 5.45, 5.70, 5.79
  client data 5.48, 5.62
  Data Protection Impact Assessment 5.71, 5.76
  data subjects to be informed of use 5.76
  employee data 5.48, 5.62
  Environmental Information regulations 5.83–5.85
  erasure, right of 8.18
  Freedom of Information regulations 5.83–5.85
  Impact Assessment 5.76
  information already known to some individuals 27.43, 27.54
  information already in public domain 27.43, 27.53
  as lawful basis of processing 5.45–5.85, 27.33–27.67
  marketing purposes, data processing for 5.48, 5.62, 5.63, 5.78
  necessity test 5.47, 5.50, 5.66–5.68, 27.35, 27.39–27.41
  object, right to see object, individual right to
  potential harm or distress 27.43, 27.50
  privacy and 5.50, 5.51, 5.53, 5.54, 5.57, 5.68, 5.72, 5.80, 5.81
  Privacy Notice 5.76
  proportionality 5.51
  public authorities 5.80, 5.81
  public or private life 27.43, 27.44–27.49, 27.61–27.63
  public spending accountability 27.56–27.60
  public task basis and 5.81
  purpose test 5.47, 5.50, 5.64, 5.65, 27.35–27.38
  reasonable expectations of data subject 4.7–4.9, 5.52, 27.43, 27.52, 27.61
  reasonable expectations of third party 4.7–4.9, 5.52, 27.43, 27.52, 27.61
  record-keeping 5.77
  relevant and appropriate relationship 5.49
  sensitive data 5.70, 5.73
  sharing personal data 10.25
  special category data 5.70, 5.82
  test to be met, generally 5.47, 27.27, 27.28, 27.35–27.43
  third party, disclosure to 5.52

legitimate interest – contd
  third party, of 5.45, 5.47, 27.33–27.67
  third party, potential harm or distress to 27.43, 27.50
  vulnerable individuals 5.70
  warning factors checklist 5.74, 5.75
legitimate purpose
  data collection must be for 4.2, 4.6
Liechtenstein
  international transfers 11.1
list brokering
  Data Protection Impact Assessments 13.12
literary purpose
  data processing for 9.4, 9.93–9.100
literary work
  intellectual rights 23.65
loan application
  Data Protection Impact Assessments 13.15
local authority
  confidential proceedings 23.81
  licensing prosecutions 23.48
  monitoring officer functions 9.43–9.48
  sharing personal data 10.18
local government
  freedom of information 24.24
location or movements
  identifiers 3.5
  tracking 3.32, 3.33, 13.11
loss of data see data breach
loyalty scheme
  Data Protection Impact Assessments 13.14

M

main establishment
  lead supervisory authority 15.12
  meaning 3.56, 3.57
  post-Brexit 3.56, 3.57
  representatives 3.57
management forecast
  exemptions from rights 9.4, 9.77–9.79
manifestly made public by data subject 5.101, 5.102, 17.8
manifestly unfounded or excessive
  access requests 7.33–7.37, 17.13
manual unstructured data 16.55
  accuracy 3.37
  Data Protection Act 2018 3.37
  excluded rights of access 7.47
  individual right of access 7.46–7.49
  post-Brexit position 2.26, 2.33, 3.37, 9.3
  pre-Brexit position 2.22, 2.26, 2.33, 3.37, 9.3
  UK GDPR 3.37, 3.67

marketing, direct
  automated calls 12.4, 12.16
  campaigning materials 12.1
  charity fund-raising 12.1
  claims management services 12.17
  consent to 12.5–12.11, 12.15
  data retention 12.11
  definition 12.1
  electronic communications and 12.1–12.20
  electronic mail, by 12.5–12.11
  enforcement 12.19, 12.20
  e-Privacy Directive 5.63, 8.69, 12.3
  exemptions 12.19
  fax, by 12.4
  lawful bases for the processing 12.2
  national security 12.19
  objection to 8.18, 8.49, 8.50, 8.59–8.61, 12.2
  Privacy and Electronic Regulations 12.3–12.4
  promotional materials 12.1
  public electronic communications service, by 12.14
  soft opt-in 12.5, 12.7–12.11
  telephone, by 12.12–12.16
  Telephone Preference Service 12.12, 12.13
  unsolicited marketing 12.5
  use of information for more than one purpose 12.18
marketing purposes
  legitimate interest basis 5.48, 5.62, 5.63, 5.78
  sharing child’s personal data for 10.39
membership organisation
  processing carried out by 5.98–5.100
Minister of the Crown
  exercise of function of 5.27, 5.117–5.120, 8.54, 10.27
Ministerial certificate
  confirming national security exemption 17.25, 23.34, 25.56, 25.88
Ministerial communications
  freedom of information 26.86, 26.91, 26.123–26.128
Ministerial override
  former, EIR 21.48, 21.49
  freedom of information 24.106, 24.107
Ministerial private office, operation
  freedom of information 26.86, 26.91, 26.135–26.142
minor see also child
  access request on behalf of 7.29–7.32
misuse of private information 16.50
money laundering
  special category data 5.139, 10.27

monitoring by data subjects
  enabling 3.58
monitoring of data subjects
  generally 13.11, 13.14, 14.5

N

national economic interests
  freedom of information exemption 25.1, 25.137–25.159
  state security, relating to 2.17
National Health Service
  Caldicott principles 3.49
  consent 3.29
  freedom of information 24.24
national security see also defence; terrorism
  Brexit 4.7, 4.9, 9.162
  confidential information 26.194
  data protection exemptions 7.76, 9.7, 9.162, 9.163
  direct marketing exemption 12.19
  environmental information exemption 20.4, 21.48, 23.5–23.9, 23.25–23.34, 23.38
  freedom of information exemption 20.4, 25.1, 25.53–25.119
  GDPR exclusion 2.17, 2.27
  historical records 25.54, 25.72, 25.73
  meaning 25.78
  Ministerial certificate confirming 17.25, 23.34, 25.56, 25.88
  mosaic argument 23.30, 23.31, 25.83
  national economic interests 2.17, 25.1, 25.137–25.159
  rights of data subjects and 17.11
  security bodies 23.32, 23.33
necessity test
  data collection, generally 4.2
  legitimate interest basis 5.47, 5.50, 5.66–5.68, 27.35, 27.39–27.41
negotiations with data subject 9.4, 9.80–9.83, 27.77
neither confirm nor deny (NCND)
  environmental information 23.7–23.9
  freedom of information 25.58–25.67, 25.84, 25.87, 25.95, 25.98, 25.105, 26.144
Network Rail
  freedom of information 24.24
new technology
  Data Protection Impact Assessments 13.12, 13.14
New Zealand
  international transfers 11.7
noise
  environmental information 19.8, 19.54

Norway
  international transfers 11.1
not for profit organisation
  processing carried out by 5.98–5.100
nuclear processing and waste
  environmental information 19.54

O

object, individual right to
  automated means, objection by 8.69
  balancing interests 8.58
  consent and 5.8
  direct marketing, data processing for 8.18, 8.49, 8.50, 8.59–8.61, 12.2
  exceptions and exemptions 8.69–8.71, 9.11ff, 10.47, 10.48
  excessive requests 8.69
  historical research, data processing for 8.49, 8.52, 8.64–8.68
  identity checks 8.69
  information to be given 7.63
  legal obligation basis 5.22
  legitimate interests, data processing for 8.18, 8.49, 8.51, 8.62, 8.63
  new data 8.56
  profiling 8.56
  public task, data processing for 8.49, 8.51, 8.53–8.58
  refusal 8.69
  response to 8.70
  right to erasure 8.18
  scientific research, data processing for 8.49, 8.52, 8.64–8.68
  sharing personal data and 10.47, 10.48
  statistical purposes, data processing for 8.49, 8.52, 8.64–8.68
  third parties 27.68–27.74
  timing of response 8.69
  unfounded requests 8.69
  vital interest basis 5.26
offences
  defences to 16.53, 16.54, 16.56
  generally 16.52–16.58
  obtaining or disclosing personal data 16.52
  procuring disclosure of personal data 16.52
  retaining personal data without consent 16.52
‘one-stop-shop’
  Brexit 3.56
outsourcing
  oversight 21.7

P

parental orders and reports
  restrictions on access 7.76, 9.6, 9.50, 9.51, 9.58, 9.59

parish council
  freedom of information 24.16
parking enforcement
  data disclosure would harm 23.48
Parliament
  exercise of function of 5.27, 5.29, 5.121, 8.54
Parliamentary privilege
  assessment notices 16.13
  enforcement notices 16.20
  environmental information and 20.4
  exemptions from rights 6.19, 9.6, 9.49–9.51
  freedom of information 20.4, 24.24, 25.1, 26.77–26.83
  information notices 16.7
  penalty notices and 16.37
penalty notice
  appeals 16.32, 16.34, 16.47, 16.48
  Brexit 16.25
  cancellation 16.33
  content 16.30
  issue 16.25–16.29
  Parliamentary privilege and 16.37
  process for 16.30–16.34
  regulations 16.35
  special purposes processing 16.36
  types of failure 16.16, 16.25
  variation 16.33
  when appropriate 16.25, 16.26, 16.38, 16.39
penalty regime
  Brexit 16.40–16.42
  cooperation with ICO 16.28
  data protection principles, breach 16.40
  effective, proportionate, and dissuasive penalties 16.27
  fines 16.25
  GDPR obligations, breach 16.40
  generally 2.29, 16.25
  individual rights, breach 16.40
  international data transfers 16.40
  matters to be taken into account 16.28, 16.29
  maximum amount of penalty 16.40–16.42
  monetary 7.76, 16.42
  non-payment of charges to ICO 16.43–16.45
  penalty variation notice, appeals 16.47, 16.48
  previous infringements 16.28
pension, occupational
  processing necessary for 5.154–5.156
Pensions Ombudsman functions
  exemptions from rights 9.43–9.48
Pensions Regulator functions
  exemptions from rights 9.43–9.48

personal data breach see data breach commercial value 1.1, 1.4 definition 1.3, 3.1, 3.2 EIR information requests, in 23.153, 27.1–27.9, 27.79–27.85 FOI information requests, in 27.1–27.77 freedom of information and 24.4–24.7 GDPR see General Data Protection Regulation generally 1.1, 18.10 identifiable individuals see identifiable individual impact assessments see Data Protection Impact Assessment lawful bases of processing see lawful bases of processing privacy and 1.1–1.6 protection see data protection re-identification 16.55 relating to, definition 3.7–3.9 relating to more than one individual 1.6 rights see individual rights sale 16.55 scope 27.8, 27.9 sharing see sharing personal data special category see special category data test to establish status as 3.1–3.10 third party see third party data planning and development enforcement, data disclosure would harm 23.48 environmental information 19.48–19.53 police freedom of information 24.24, 24.25 undercover officers 26.10 political opinion data law enforcement processing 17.6 lawful processing 5.99, 5.157–5.160 special category data 3.11, 5.29, 5.43 political organisation processing carried out by 5.98–5.100, 5.157–5.160 precedent effect freedom of information considerations 26.27 Principal Reporter Scotland, children’s hearings 9.160, 9.161 prisoner informing elected representative about 5.169, 5.170 prison or other place of detention freedom of information exemption 26.29, 26.43, 26.44 privacy data protection, generally 1.1–1.6 e-Privacy Directive 12.3

privacy – contd legitimate interest basis 5.50, 5.51, 5.53, 5.54, 5.57, 5.68, 5.72, 5.80, 5.81 public officials 27.44–27.49 third parties 27.7, 27.11, 27.13–27.85 Privacy and Electronic Communications Regulations (PECR) 2.33, 12.2–12.4 Privacy Impact Assessment (PIA) Data Protection Impact Assessment compared 13.4 Privacy Notice archiving 9.113 automated decision-making 8.82 Brexit 6.6 content 6.8–6.17 data not obtained from data subject 6.13–6.17, 6.18 data obtained from data subject 6.9–6.12, 6.18 exemptions from requirement for 6.18–6.19, 10.32, 10.33, 10.47 generally 6.4–6.7 historical research 9.107–9.109 legal obligation basis 5.21 legitimate interest basis 5.76 meaning 6.5 notice to be proactively drawn to 6.7, 10.31 public task basis 5.40 recipient 3.38 scientific research 9.107–9.109 sharing personal data 10.10, 10.29–10.37, 10.47, 10.48 transparency 1.6, 4.3, 6.1–6.7 Privacy Shield arrangement United States 11.4, 11.10–11.14 private information misuse 16.50 private sector environmental information regulations 21.5–21.8 performance of public task 5.32, 5.36 personal data, generally 24.4 sharing personal data 10.6, 10.24 processing automated 3.35–3.37 definition 3.14, 3.15 law enforcement see law enforcement processing lawful bases see lawful bases of processing manual 3.35–3.37, 4.14 purpose see purpose of data processing restriction of see restriction of processing processor access requests, duty as to 7.50 accountability principle 4.19–4.22

processor – contd assessment notices 16.1, 16.10–16.15, 16.25 based outside EU 3.57, 3.62 controller, contracting with 3.20–3.29 controller passing data to 10.4, 10.5 Data Protection Officer, designation 14.1 definition 3.18, 3.19 deletion or return of data by 3.26 engaging another processor 3.25 established in EU 3.63–3.66 law enforcement processing, obligations 17.14–17.19 monitoring compliance 14.24 obligations under GDPR 3.20, 3.25–3.29 post-Brexit 3.29 standard contract clauses 3.27 profiling automated decision-making 8.72–8.84, 10.39 Data Protection Impact Assessments 8.81, 10.39, 13.7, 13.11, 13.15 definition 3.32, 3.33, 7.63 extensive 13.11 meaning 8.73 monitoring 14.5 right to object 8.56 sharing personal data 10.39 systemic 13.11 property search environmental information 19.54 proportionality principle data breaches 15.10 Data Protection Impact Assessments 13.26, 13.27 legitimate interest 5.51 penalty regime 16.27 protective markings on document confidential information 26.193 pseudonymisation data breaches and 15.4 data sharing 10.13 definition 3.34 generally 3.5, 3.34, 3.58 requester using pseudonym 24.34, 24.35 risk created by, DPIA where 13.7 unauthorised reversal 15.3 public administrative body environmental information 21.1–21.8 Publication Scheme under FOIA adoption and maintenance 24.1, 24.8–24.17 approval by Commissioner 24.1, 24.8, 24.11 Code of Practice 24.20 contents 24.8, 24.12, 24.14 Definition Documents 24.16

Publication Scheme under FOIA – contd fees 24.47–24.49 information available elsewhere 25.5, 25.9 manner of publication 24.10 model scheme 24.13, 24.14–24.17 review 24.8, 24.9, 24.17 revocation of approval 24.11 template guides to information 24.16 public authority data disclosure would harm exercise of functions 26.45, 26.46 Data Protection Officer 14.1–14.3, 14.12 definition in FOIA 24.23–24.26, 24.28 environmental information, holding 21.11–21.14 freedom of information duties 23.23–23.26, 24.1–24.4 international data transfers 11.27 legitimate interest basis 5.80, 5.81 publicly owned companies 24.23, 24.26 public domain information already in 27.43, 27.53 public health environmental information 19.54 processing necessary for 5.111, 5.112, 10.27 public interest administration of justice 5.27, 5.121, 8.54 aggregation of factors 21.22, 21.23 appropriate policy document 5.105, 5.106, 5.116 archiving in see archiving in public interest Brexit and 5.46 defence of, generally 16.54, 23.38 documenting processing and reasons 5.40 EIR, confidential proceedings 23.90–23.96 freedom of information 20.1, 26.145 intellectual property rights 23.74–23.76 international data transfers 11.26, 11.28, 11.29 international relations 23.38 law enforcement 23.55–23.62 lawful basis for processing 2.21, 5.105, 5.106, 5.115, 5.116 national security 23.38 restriction, data subject to 5.44 statutory and government purposes 5.117–5.120 substantial 5.105, 5.106, 5.115–5.177, 10.27 task carried out in 5.27–5.44 test 20.1, 22.6, 22.8, 22.10, 22.13, 22.14, 22.23–22.25, 22.33, 22.39, 22.67, 22.68, 22.69, 22.87, 23.2, 23.7, 23.9, 23.33, 23.74–23.76, 23.90–23.96 use of data in 1.3 vital interest and 5.25

publicly owned company freedom of information 24.23, 24.26 public official privacy 27.44–27.49, 27.61–27.63 public protection functions charities, protection against misconduct 9.32 community interest companies, protection against misconduct 9.32 corporate bodies, dishonesty or malpractice in 9.32 dishonesty, protection against 5.133–5.135, 9.32, 10.27 exceptions 9.4, 9.32–9.34 fair competition 9.32 financial services, dishonesty or malpractice in 9.32 health and safety 9.32 incompetence, protection against 9.32 maladministration, protection against 9.32 public safety data disclosure would harm 23.5–23.9, 23.35–23.37 public sector lawful basis for processing by 2.21, 5.27–5.44 public security law enforcement processing 17.4 legitimate interest basis 5.61 rights of data subjects and 17.11 public services automated decision-making 8.72 improved targeting 1.4 Public Services Ombudsman for Wales functions exemptions from rights 9.43–9.48 public spending accountability 27.56–27.60 public task lawful basis archiving 5.41 exercise of authority vested in controller 5.27, 5.30 generally 2.21, 5.27–5.44 legitimate interest basis 5.81 private sector 5.32, 5.36 public interest restriction, data subject to 5.39 right to object to 8.49, 8.51, 8.53–8.58 scientific research 5.41 sharing personal data 10.25 special category data 5.30, 5.32, 5.42 statistical purposes 5.41 purpose of data processing academic 5.136, 9.4, 9.93–9.100 artistic 5.136, 9.4, 9.93–9.100 generally 1.6 information to be given 7.63

purpose of data processing – contd insurance purpose 5.150–5.153, 10.27 journalistic purpose 2.29, 5.136, 5.137, 9.4, 9.93–9.100 law enforcement 17.4 literary 5.136, 9.4, 9.93–9.100 marketing 5.48, 5.62, 5.63, 5.78 parliamentary 5.27, 5.29, 5.121, 8.54 record-keeping 4.6–4.11, 4.18 research 5.113 special purposes processing 5.136 specified purpose 2.21, 4.2, 4.6, 5.41, 5.113, 5.114, 8.52, 9.4, 9.102–9.108, 10.27 statistical 5.113, 5.114 statutory and government purposes 5.117–5.119 purpose limitation compatible or incompatible purposes 4.6–4.11 principle of 4.2, 4.6–4.11 reasonable expectations of data subject 4.7–4.9, 5.52, 27.43, 27.52, 27.61 record-keeping 4.6–4.11, 4.18 purpose test legitimate interest basis 5.47, 5.50, 5.64, 5.65, 27.35–27.38 Q quangos freedom of information 24.24 R racial or ethnic origin data diversity within organisations 5.127–5.129 law enforcement processing 17.6 special category data 3.11, 5.122–5.126, 5.140 radioactive waste environmental information 19.8, 19.54 reasonably accessible information generally 25.1, 25.3–25.20 recipient definition 3.38 post-Brexit 3.38 record-keeping access request details 7.28 accountability principle and 4.18–4.21, 5.40 legitimate interest basis 5.77 purpose of data processing 4.6–4.11, 4.18 rectification, individual right of completion of incomplete records 8.7 enforcement notices 16.19 excessive requests 8.14, 17.13

rectification, individual right of – contd exemptions from 8.16, 9.11ff, 10.47, 10.48 generally 8.1–8.15 identity checks 8.4 information to be given 7.63 informing recipients of rectification 8.11–8.13 law enforcement processing 17.10, 17.13 oral requests 8.3 recording requests for 8.3 refusal 8.14 right of access and 7.63, 8.1, 8.2 sharing personal data and 10.47, 10.48 third parties 8.11 timing of response 8.1, 8.10 unfounded requests 8.14, 17.13 redacted documents access requests 7.69 reference confidential, exemptions from rights 9.4, 9.84–9.86, 27.77 regulators freedom of information 24.24 regulatory functions data protection exemption 9.40, 9.43 relating to definition 3.7–3.9 relevant data collection must be 4.2 law enforcement data processing must be 17.5 relevant record allowing access to 16.55 definition 16.55 requiring access to 16.55 religious organisation processing carried out by 5.98–5.100 religious or philosophical beliefs data law enforcement processing 17.6 special category data 3.11, 5.122–5.126 repeated request freedom of information 24.34, 24.77–24.80 manifestly unfounded or excessive access requests 7.33–7.37 representation of data subject generally 16.59 representative main establishment and 3.57 reputational damage data breach resulting in 15.3 risk of, DPIA assessment where 13.7 research data processing safeguards 2.21 freedom of information exemption 25.1, 25.38, 25.39–25.52 as purpose of data processing 5.113

restriction of processing automated data 8.26 data accuracy, subject contesting 8.27, 8.31 definition 3.30, 3.31 ending 8.31 exemptions from rights 8.33, 10.47, 10.48 format for requests 8.32 identity checks 8.32 law enforcement processing 17.10, 17.13 methods 8.29 notification to be given 8.30, 8.31 response to request for 8.32 right to request 7.63, 8.26–8.33 sharing personal data and 10.47, 10.48 situations where right arises 8.27 storage of data following 8.28 temporary 8.26 unlawful processing 8.27 retail transaction automated decision-making 8.72 retention schedule environmental information 22.4 rights, personal data see individual rights rights and freedoms of others access requests 7.9, 7.53 data breaches 15.2 data portability 8.43 generally 7.9, 17.11 protection of, exemptions 9.4, 9.60–9.66 risk assessment and mitigation see also Data Protection Impact Assessment data breaches 15.4 Data Protection Officer’s role 14.26–14.28 Royal family communications with, confidentiality 26.170–26.176 Royal Household communications with, confidentiality 26.170–26.176 S safeguarding interests of data subject child or vulnerable individual 5.144–5.146, 10.27 Safe Harbor scheme United States 11.10–11.14 schools freedom of information 24.16 Schrems, Maximilian 11.11 scientific research exemptions from rights 9.4, 9.102–9.108 Privacy Notice 9.107, 9.108 processing necessary for 5.113, 5.114, 10.27

scientific research – contd public task basis 5.41 right to object 8.52 Section 45 FOIA Code of Practice (or revised s 45 Code) see freedom of information, Code of Practice Section 46 FOIA Code of Practice see Code of Practice on records management security arrangements, record-keeping 4.18 data protection by design 3.58 GDPR requirements 4.16, 4.17 law enforcement processing breaches 17.19, 17.20 national see national security processing in manner that ensures 4.2 responsibility for 3.26 security body information supplied to 25.53 security services data protection regime 2.7, 2.15, 2.19 self-incrimination exemptions from rights 9.4, 9.71–9.73 sensitive data see also special category data Data Protection Impact Assessments 13.12 sharing 10.40 sensitive processing law enforcement processing 2.13, 17.6, 17.7, 17.27 meaning 17.6 retention and erasure of data 17.7 sentencing data generally 2.5 sex life or sexual orientation data law enforcement processing 17.6 special category data 3.11, 5.122–5.126, 5.140 sharing personal data automated decision-making and 10.39 between controllers 10.1, 10.4, 10.5 biometric or genetic data 2.33, 10.39 checklist 10.49 child’s personal data 10.39 Code of Practice 10.3, 10.8ff confidential information 10.20, 10.21 crime prevention, necessary for 10.14, 10.27 Data Protection Impact Assessment 10.10, 10.38–10.42 data sharing agreements 10.4, 10.10, 10.45, 10.47 disclosure required by law 6.19

sharing personal data – contd duty to share 10.14 end of arrangement, provisions as to 10.10, 10.46 evaluation or scoring 10.40 exemptions and 10.47, 10.48 generally 10.1–10.7 implied powers 10.16, 10.19 information to be given to data subjects 10.10, 10.13 lawful bases for 10.10, 10.22–10.28 legal obligation basis 10.25 legal persons, disclosure between 10.5 legal power to share 10.10, 10.14–10.21 legitimate interest basis 10.25 limits on 10.19–10.21 local authority powers 10.18 meaning 10.1, 10.4 means, clarity as to 10.10, 10.12–10.14 minimising 10.13 multiple sources, combining, comparing or matching from 10.39 non-sensitive data 10.22–10.26 objectives, clarity as to 10.10, 10.12–10.14 one-off 10.49 pooling between controllers 10.1 prerogative powers 10.17 Privacy Notices 10.10, 10.29–10.37, 10.47, 10.48 private sector 10.6, 10.24 profiling and 10.39 public sector 10.6, 10.10–10.16, 10.24 public task basis 10.25 relevant authorities 10.14 risk, clarity as to 10.13 scope, clarity as to 10.10, 10.12–10.14 security measures 10.10, 10.43, 10.44 sensitive data 10.40 special category data 10.22, 10.27, 10.28 specified persons 10.15 statutory powers 10.14 systemic 10.49 timing 10.13 vulnerable individuals 10.40 within organisations 10.3, 10.7 significant effect automated decision-making 8.73 Data Protection Impact Assessments 13.11 social care processing necessary for 5.107–5.110, 10.27 records 13.14 social factors identifiable individuals 3.5

social media collecting personal data from 13.14 use, generally 1.4, 1.6 social protection obligation as lawful basis 5.94, 5.95, 10.27 social security GDPR exclusion 2.17 processing necessary for 5.94, 5.95, 10.27 social work data court, processed by 9.5, 9.130, 9.131 data subject’s wishes and expectations 9.5, 9.132–9.138 exemptions from rights 9.5, 9.127–9.129, 27.77 serious harm test 9.5, 9.135–9.138 social worker third party data of 9.4, 9.64–9.66 special category data anti-doping in sport 5.173, 5.174 appropriate policy documents 5.89–5.91 automated decision-making 8.79 biometric 3.11, 3.12 data portability 8.39 Data Protection Impact Assessments 13.15 definition 3.10–3.13 democratic engagement, processing necessary for 5.27, 5.29, 5.43 disabled individuals 5.32 elected representative, disclosure to 5.165–5.168, 10.27 elected representative responding to request 5.161–5.164 equality of opportunity or treatment 5.122–5.126, 10.27 explicit consent 5.8, 5.93, 27.64 genetic 3.11, 3.12 health care, processing necessary for 3.11, 5.107–5.112, 5.122–5.126, 10.27 insurance purpose, processing necessary for 5.150–5.153, 10.27 journalism 5.136, 5.137 lawful bases for processing 1.6, 2.4, 2.21, 5.2, 5.86–5.91, 10.27, 10.28, 27.64–27.67 legal judgments, publication 5.171, 5.172 legitimate interest basis 5.70, 5.82 money laundering 5.139, 10.27 occupational pensions 5.154–5.156 political opinions 3.11, 5.29, 5.43, 5.157–5.160 preventing or detecting unlawful acts 5.130–5.135, 10.27 processing 3.13 protecting public against dishonesty 5.133–5.135, 10.27 public task basis 5.30, 5.32, 5.42

special category data – contd racial or ethnic origin 3.11, 5.122–5.126, 5.127–5.129, 5.140 religious or philosophical beliefs 3.11, 5.122–5.126 sex life or sexual orientation 3.11, 5.122–5.126, 5.140 sharing 10.22, 10.27, 10.28 social care, processing necessary for 5.107–5.110, 10.27 standards of behaviour in sport 5.175–5.177 substantial public interest 5.105, 5.106, 5.115–5.177, 10.27 terrorist financing 5.139, 10.27 third parties 27.64–27.67 trade union membership 3.11 special educational needs statements 7.76, 9.6, 9.150, 9.151, 9.156, 9.157 special powers test environmental information 21.5, 21.6 special purposes processing defence of 16.54 enforcement notices 16.20 generally 5.136 information notices 16.6 penalty notices 16.36 specified person meaning 10.15 sharing personal data 10.15 specified purpose data collection must be for 4.2, 4.6 sport anti-doping in 5.173, 5.174 standards of behaviour in 5.175–5.177 standard contractual clause 2.33, 3.27, 11.15 statistical purpose, data processing for exemptions 9.4, 9.102–9.108 processing necessary for 5.113, 5.114, 8.52, 10.27 public task basis 5.41 right to object 8.52 safeguards 2.21 storage of data Cloud computing services 1.5, 3.19 storage limitation management systems 4.14 principle of 4.2, 4.14, 4.15 subject access right see access, right of supervisory authority generally 3.56, 3.57 lead 15.12 lodging complaint with 7.63 Switzerland international transfers 11.7

systematic monitoring Data Protection Impact Assessments 13.12 T taxation data exemptions from rights 9.4, 9.11–9.19 Privacy Notice exemption 6.19 risk assessment systems 9.4, 9.11, 9.20–9.22 taxation enforcement data disclosure would harm 23.48 freedom of information exception 26.29, 26.34, 26.35, 26.41 technical information confidential 26.190 telephone automated calls 12.4, 12.16 direct marketing by 12.12–12.16 Telephone Preference Service (TPS) 12.12, 12.13 terrorism financing, special category data 5.139, 10.27 freedom of information and 25.53–25.56, 25.78, 25.86, 25.128 mosaic argument 23.30, 23.31, 25.83 sensitive processing 17.6 theft data see data breach identity see identity theft third party data access request by 27.75–27.77 criminal data 27.64–27.67 FOI/EIR information requests, in 27.7, 27.11, 27.13–27.85 individual right of access 7.9, 7.10, 7.52–7.59, 7.76, 27.17 information already known to some individuals 27.43, 27.54 information already in public domain 27.43, 27.53 judicial capacity, individual acting in 9.56 judicial proceedings 9.56 object, individual right to 27.43, 27.51, 27.68–27.74 potential harm or distress 27.43, 27.50 private data of public officials 27.43, 27.44–27.49, 27.61–27.63 protection 9.4, 9.60–9.66, 27.17 reasonable expectations 4.7–4.9, 5.52, 27.43, 27.52, 27.61 sharing see sharing personal data special category data 27.64–27.67 toys connected 13.14

tracking location or movements 3.32, 3.33, 13.11 trade secrets freedom of information exemption 26.212–26.214 trade union membership data 3.11, 17.6 processing carried out by 5.98–5.100 transparency access requests, responses to 7.60–7.62 automated decision-making 8.76, 8.82 confidentiality obligations in contract 24.20 confidential proceedings 23.92 data protection and 1.6 design, data protection by 3.58 exemptions from requirement 9.1 principle of 4.2, 4.3–4.5, 4.20, 6.2, 27.23, 27.27, 27.37, 27.38, 27.54 Privacy Notices 1.6, 4.3, 6.1–6.7 requirements, generally 6.1–6.3 transport, roads and traffic environmental information 19.54 U UNECE Convention 18.7, 18.9 United Kingdom Accreditation Service (UKAS) certification by 3.61 United States, transfers of data Privacy Shield arrangement 11.4, 11.10–11.14 Safe Harbor scheme 11.10–11.14 university freedom of information 24.24 University and College Admissions Service freedom of information 24.24 unlawful act journalism in connection with 5.136, 5.137 preventing or detecting see crime prevention or detection data unlawfully processed data restriction of processing 8.27 right of erasure 8.18 Uruguay international transfers 11.7

V vexatious request environmental information 22.7, 22.8, 22.10–22.15, 22.21 freedom of information 20.4, 24.20, 24.34, 24.65–24.76 viability assessment environmental information 19.32 vital interest of another natural person 5.24 of data subject 5.24, 5.96, 5.97 international data transfers 11.26 as lawful basis of processing 5.24–5.26 public interest and 5.25 volunteer/voluntary provider of information 23.130 vulnerable individual Data Protection Impact Assessments 13.7, 13.12, 13.14 legitimate interest basis 5.70 processing necessary to safeguard 5.144–5.146, 10.27 processing personal data of 13.7 sharing personal data of 10.40 W waste collection and management environmental information 19.8, 19.54 water supply environmental information 19.54 web tracking 3.33, 13.14 whistleblowing scheme Data Protection Impact Assessments 13.14 wildlife conservation environmental information 19.54 work performance profiling 3.32, 3.33 wrong recipient data sent to 15.3