ICO - FS50834927: Difference between revisions
No edit summary |
No edit summary |
||
(3 intermediate revisions by one other user not shown) | |||
Line 1: | Line 1: | ||
{ | {{DPAdecisionBOX | ||
|Jurisdiction=United Kingdom | |||
|DPA-BG-Color=background-color:#023868; | |||
|DPAlogo=LogoUK.png | |||
|DPA_Abbrevation=ICO (UK) | |||
|DPA_With_Country=ICO (UK) | |||
|Case_Number_Name=FS50834927 | |||
|ECLI= | |||
|Original_Source_Name_1=ICO | |||
|Original_Source_Link_1=https://ico.org.uk/media/action-weve-taken/decision-notices/2019/2616251/fs50834927.pdf | |||
|Original_Source_Language_1=English | |||
|Original_Source_Language__Code_1=EN | |||
|Original_Source_Name_2= | |||
|Original_Source_Link_2= | |||
|Original_Source_Language_2= | |||
|Original_Source_Language__Code_2= | |||
|Type=Complaint | |||
|Outcome=Rejected | |||
|Date_Started= | |||
|Date_Decided=01.11.2019 | |||
|Date_Published= | |||
|Year=2019 | |||
|Fine=None | |||
|Currency= | |||
|GDPR_Article_1=Article 4(1) GDPR | |||
|GDPR_Article_Link_1=Article 4 GDPR#1 | |||
|GDPR_Article_2=Article 5(1)(a) GDPR | |||
|GDPR_Article_Link_2=Article 5 GDPR#1a | |||
|GDPR_Article_3=Article 6(1)(f) GDPR | |||
|GDPR_Article_Link_3=Article 6 GDPR#1f | |||
|GDPR_Article_4= | |||
|GDPR_Article_Link_4= | |||
|GDPR_Article_5= | |||
|GDPR_Article_Link_5= | |||
|EU_Law_Name_1= | |||
|EU_Law_Link_1= | |||
|EU_Law_Name_2= | |||
|EU_Law_Link_2= | |||
|National_Law_Name_1=Section 3(2) DPA | |||
|National_Law_Link_1=http://www.legislation.gov.uk/ukpga/2018/12/section/3 | |||
|National_Law_Name_2=Section 40(2) FOIA | |||
|National_Law_Link_2=http://www.legislation.gov.uk/ukpga/2000/36/contents | |||
|National_Law_Name_3= | |||
|National_Law_Link_3= | |||
|National_Law_Name_4= | |||
|National_Law_Link_4= | |||
|Party_Name_1=Ministry of Defence | |||
|Party_Link_1= | |||
|Party_Name_2= | |||
|Party_Link_2= | |||
|Party_Name_3= | |||
|Party_Link_3= | |||
|Appeal_To_Body= | |||
|Appeal_To_Case_Number_Name= | |||
|Appeal_To_Status= | |||
|Appeal_To_Link= | |||
|Initial_Contributor= | |||
| | |||
}} | |||
The ICO issued a decision regarding the refusal to access to third party personal data. | The ICO issued a decision regarding the refusal to access to third party personal data. | ||
Line 63: | Line 89: | ||
On the "legitimate interest" the ICO applied a ''three-part test'': | On the "legitimate interest" the ICO applied a ''three-part test'': | ||
* Legitimate interest test: Whether a legitimate interest is being pursued in the request for information; | |||
* Necessity test: Whether disclosure of the information is necessary to meet the legitimate interest in question; | *Legitimate interest test: Whether a legitimate interest is being pursued in the request for information; | ||
* Balancing test: Whether the above interests override the legitimate interest(s) or fundamental rights and freedoms of the data subject. | *Necessity test: Whether disclosure of the information is necessary to meet the legitimate interest in question; | ||
*Balancing test: Whether the above interests override the legitimate interest(s) or fundamental rights and freedoms of the data subject. | |||
While balancing legitimate interest in disclosure against data subject’s interest and fundamental rights and freedoms, the Commissioner considered that the public authority would have infringed Articles 5(1)(a) and 6(1)(f) of the GDPR in disclosing this information. It found that the disclosure was not necessary to pursue a legitimate interest and it would have caused unjustified harm to the data subjects. Overall, the interests and rights of the data subjects were likely to override legitimate interest in disclosure. Therefore, the ICO decided that the redacted information is exempt from disclosure on the basis of section 40(2) of FOIA. | While balancing legitimate interest in disclosure against data subject’s interest and fundamental rights and freedoms, the Commissioner considered that the public authority would have infringed Articles 5(1)(a) and 6(1)(f) of the GDPR in disclosing this information. It found that the disclosure was not necessary to pursue a legitimate interest and it would have caused unjustified harm to the data subjects. Overall, the interests and rights of the data subjects were likely to override legitimate interest in disclosure. Therefore, the ICO decided that the redacted information is exempt from disclosure on the basis of section 40(2) of FOIA. |
Latest revision as of 16:22, 7 March 2022
ICO (UK) - FS50834927 | |
---|---|
Authority: | ICO (UK) |
Jurisdiction: | United Kingdom |
Relevant Law: | Article 4(1) GDPR Article 5(1)(a) GDPR Article 6(1)(f) GDPR Section 3(2) DPA Section 40(2) FOIA |
Type: | Complaint |
Outcome: | Rejected |
Started: | |
Decided: | 01.11.2019 |
Published: | |
Fine: | None |
Parties: | Ministry of Defence |
National Case Number/Name: | FS50834927 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | ICO (in EN) |
Initial Contributor: | n/a |
The ICO issued a decision regarding the refusal to access to third party personal data.
English Summary
Facts
The complainant submitted a request to the Ministry of Defence (MOD) under the UK Freedom of Information Act (FOIA) seeking access to a fax cover sheet sent to the Veterans Welfare Service regarding a claim for payment following the death in service of the complainant’s son.
The MOD provided the complainant with a redacted version of the document in question, but sought to withhold the redacted information on the basis of section 40(2) of FOIA, which
The complainant challenged the decision before the ICO, in the ICO's capacity under the Freedom of Information Act.
Dispute
Is the information personal data within the meaning of Article 4(1) GDPR?
Does a disclosure of personal data under the FOIA fall under Article 6(1)(f) GDPR?
Holding
The ICO first held, that "the two main elements of personal data are that the information must relate to a living person and that the person must be identifiable."
On the "legitimate interest" the ICO applied a three-part test:
- Legitimate interest test: Whether a legitimate interest is being pursued in the request for information;
- Necessity test: Whether disclosure of the information is necessary to meet the legitimate interest in question;
- Balancing test: Whether the above interests override the legitimate interest(s) or fundamental rights and freedoms of the data subject.
While balancing legitimate interest in disclosure against data subject’s interest and fundamental rights and freedoms, the Commissioner considered that the public authority would have infringed Articles 5(1)(a) and 6(1)(f) of the GDPR in disclosing this information. It found that the disclosure was not necessary to pursue a legitimate interest and it would have caused unjustified harm to the data subjects. Overall, the interests and rights of the data subjects were likely to override legitimate interest in disclosure. Therefore, the ICO decided that the redacted information is exempt from disclosure on the basis of section 40(2) of FOIA.
Comment
The test applied by the ICO under Article 6(1)(f) seems to be in essence equivalent to the CJEU's proportionality test under Article 52(1) CFR.
Further Resources
Share blogs or news articles here!
English official version
Reference: FS50834927 Freedom of Information Act 2000 (FOIA) Decision notice Date: 1 November 2019 Public Authority: Ministry of Defence Address: Main Building Whitehall London SW1A 2HB Decision (including any steps ordered) 1. The complainant submitted a request to the Ministry of Defence seeking access to a fax cover sheet sent to the Veterans Welfare Service regarding a claim for payment following the death in service of the complainant’s son. The MOD provided the complainant with a redacted version of the document in question but sought to withhold the redacted information on the basis of section 40(2) of FOIA. 2. The Commissioner’s decision is that the redacted information is exempt from disclosure on the basis of section 40(2) of FOIA. 3. The Commissioner does not require any steps to be taken. Background 4. The complainant’s son died whilst on active service with the British Army. The girlfriend of the complainant’s son was awarded a death benefit and pension but the complainant has sought to dispute this decision. The Pensions Ombudsman has reviewed the case and concluded that the payments were appropriately awarded. The complainant was a party to the Pensions Ombudsman appeal and the MOD understands that he had access to all of the papers presented to the Ombudsman. Devon and Cornwall Police have also investigated a claim of fraud in relation to the application made for death benefit payments and found no evidence to support such allegations. Reference: FS50834927 5. The information in the scope of the request is the first page of a three page fax from the Visiting Officer (VO) assigned to the girlfriend of the deceased to a named official at the Veterans Welfare Service. The second and third page of the fax were contained in the papers submitted to the Pensions Ombudsman by the former Service Personnel and Veterans Agency on behalf of the MOD, the first page - consisting simply of a fax cover sheet – was omitted. Request and response 6. The complainant submitted the following request to the MOD on 16 January 2019: ‘I wish to reapply for this Major X's [name supplied] letter. If you turn me down, I can then appeal within the time limit that I was unable to meet last time I put in the request. You have said the letter exists. Your reasons for denying my FOl request are invalid but I realise you would wish me to reapply as part of your time-wasting regime.' 7. This request followed the MOD’s refusal of the following request, its reference FOI2018/05457, which the complainant had submitted on 19 April 2018: ‘The covering letter, included in the evidence file, written by a Major X [Name redacted] (Visiting Officer). This letter should be found as Page 1 of evidence "E5". E5 relates to the Barclays "Joint Account" and has 17.10.2005 written in the left hand column. Pages 2 and 3 of E5 are included in the evidence submitted to the Pensions Ombudsman but page 1 is missing. From the "Evidence considered by SPVA (Norcross) and SPVA (Glasgow) " ANNEX A, submitted to the Pension Ombudsman, supporting the girlfriend's claim for Death Benefit and a pension.’1 8. The MOD responded to the request of 16 January 2019 on 12 February 2019 and confirmed that it held information falling within the scope of the request, albeit at the same time the response also asked the complainant to clarify what information he was seeking. The MOD’s response also referred to its refusal notice of 25 June 2018 in relation to 1 The MOD had responded to this request by confirming that it held information falling within the scope of the request but it considered this to be exempt from disclosure on the basis of sections 30(2) (investigation) and 40(2) (personal data) of FOIA. Reference: FS50834927 request FOI2018/05457, and noted that sections 30(2) and 40(2) of FOIA had been applied to that request. 9. The complainant contacted the MOD on 12 February 2019 and asked it to conduct an internal review of its handling of the request he had submitted to it on 16 January 2019. 10. The MOD informed him of the outcome of the internal review on 22 March 2019. The internal review acknowledged that the initial response to the request had been contradictory given that it both confirmed that the requested information was held whilst it also sought clarification as to the information which was being requested. The internal review concluded that it was clear which document was being sought, namely the covering ‘letter’ of ‘Page 1’ of a fax sent by the Visiting Officer (VO). The review also concluded that this document was not exempt from disclosure under section 30(2) of FOIA, however it was exempt from disclosure on the basis of section 40(2) of FOIA. The MOD also explained to the complainant that for the avoidance of any doubt, the requested document in question was a fax cover sheet completed by the VO during his normal duties and was entirely administrative in nature which likely explained why it was not included in the Pension Ombudsman’s bundle. Scope of the case 11. The complainant contacted the Commissioner on 4 April 2019 in order to complain about the MOD’s failure to provide him with the information that he had requested. 12. During the course of the Commissioner’s investigation of this complaint the MOD provided the complainant with a redacted version of the document falling within the scope of his request on 19 September 2019. The MOD noted that the bulk of the unredacted information relates to recipient and sender details, some of which were printed on all three pages of the fax, and the back account details, which are readily available to him by other means. The MOD confirmed that it remained of the view that the redacted material was exempt from disclosure on the basis of section 40(2) of FOIA. 13. In response the complainant explained to the MOD that in terms of his FOI request what was important to him was not the actual names which had been redacted from the document in the scope of the request but the number of names registered on the bank account in question. Reference: FS50834927 Reasons for decision Section 40 – personal data 14. Section 40(2) of FOIA provides that information is exempt from disclosure if it is the personal data of an individual other than the requester and where one of the conditions listed in section 40(3A)(3B) or 40(4A) is satisfied. 15. In this case the relevant condition is contained in section 40(3A)(a)2. This applies where the disclosure of the information to any member of the public would contravene any of the principles relating to the processing of personal data (‘the DP principles’), as set out in Article 5 of the General Data Protection Regulation (‘GDPR’). 16. The first step for the Commissioner is to determine whether the withheld information constitutes personal data as defined by the Data Protection Act 2018 (‘DPA’). If it is not personal data then section 40 of the FOIA cannot apply. 17. Secondly, and only if the Commissioner is satisfied that the requested information is personal data, she must establish whether disclosure of that data would breach any of the DP principles. Is the information personal data? 18. Section 3(2) of the DPA defines personal data as: “any information relating to an identified or identifiable living individual”. 19. The two main elements of personal data are that the information must relate to a living person and that the person must be identifiable. 20. An identifiable living individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual. 21. Information will relate to a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them or has them as its main focus. 2 As amended by Schedule 19 Paragraph 58(3) DPA. Reference: FS50834927 22. In the circumstances of this case, having considered the withheld information, the Commissioner is satisfied that the redacted information relates to the personal data of a number of individuals namely the sender of the fax, the recipient of the fax, and other individuals who the MOD confirmed it knew were living. The Commissioner is satisfied that the information both relates to and identifies these data subjects. This information therefore falls within the definition of ‘personal data’ in section 3(2) of the DPA. 23. The fact that information constitutes the personal data of an identifiable living individual does not automatically exclude it from disclosure under FOIA. The second element of the test is to determine whether disclosure would contravene any of the DP principles. 24. The most relevant DP principle in this case is principle (a). Would disclosure contravene principle (a)? 25. Article 5(1)(a) of the GDPR states that: “Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject”. 26. In the case of an FOIA request, the personal data is processed when it is disclosed in response to the request. This means that the information can only be disclosed if to do so would be lawful, fair and transparent. 27. In order to be lawful, one of the lawful bases listed in Article 6(1) of the GDPR must apply to the processing. It must also be generally lawful. Lawful processing: Article 6(1)(f) of the GDPR 28. The Commissioner considers that the lawful basis most applicable is basis 6(1)(f) which states: “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”3. 3 Article 6(1) goes on to state that:- “Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks”. Reference: FS50834927 29. In considering the application of Article 6(1)(f) of the GDPR in the context of a request for information under FOIA, it is necessary to consider the following three-part test:- i) Legitimate interest test: Whether a legitimate interest is being pursued in the request for information; ii) Necessity test: Whether disclosure of the information is necessary to meet the legitimate interest in question; iii) Balancing test: Whether the above interests override the legitimate interest(s) or fundamental rights and freedoms of the data subject. 30. The Commissioner considers that the test of ‘necessity’ under stage (ii) must be met before the balancing test under stage (iii) is applied. Legitimate interests 31. In considering any legitimate interest(s) in the disclosure of the requested information under FOIA, the Commissioner recognises that such interest(s) can include broad general principles of accountability and transparency for their own sakes, as well as case-specific interests. 32. Further, a wide range of interests may be legitimate interests. They can be the requester’s own interests or the interests of third parties, and commercial interests as well as wider societal benefits. They may be compelling or trivial, but trivial interests may be more easily overridden in the balancing test. 33. The Commissioner understands that the complainant wishes to be provided with the withheld information given his dissatisfaction with the MOD’s continued payment of death benefits in relation to his son’s death. More specifically, the complainant has argued that he needs to However, section 40(8) FOIA (as amended by Schedule 19 Paragraph 58(8) DPA) provides that:- “In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (dis-applying the legitimate interests gateway in relation to public authorities) were omitted”. Reference: FS50834927 see the withheld information in order to understand the evidence submitted to the Pensions Ombudsman. He explained to the Commissioner that he had received, from the Pensions Ombudsman, the 72 page file submitted to it but he did not receive a copy of the fax cover sheet which is the focus of his request. He noted that having had sight of the file he was already aware of evidence submitted to the Pensions Ombudsman and in light of this the MOD could have no legitimate interest in seeking to withhold the requested information, ie because he knew the names and details of the individuals in question. He therefore argued that he needed to see the withheld information in order to understand why it was not included in the file to the Pension Ombudsman. The Commissioner struggles to see any wider legitimate interest in the disclosure of the withheld information, but she accepts that the complainant has legitimate interests in accessing the information and this test is therefore met. Is disclosure necessary? 34. ‘Necessary’ means more than desirable but less than indispensable or absolute necessity. Accordingly, the test is one of reasonable necessity and involves consideration of alternative measures which may make disclosure of the requested information unnecessary. Disclosure under FOIA must therefore be the least intrusive means of achieving the legitimate aim in question. 35. The Commissioner is prepared to accept that disclosure of the withheld information is necessary to meet the interests identified above. 36. With regard to any possible alternative measures, as noted above, rather than disclosure of the redacted information, the complainant explained that what was of concern to him was not the actual names contained on the account, but how many people were registered on the account, and thus how many names linked to the account were included on the fax cover sheet. 37. With regard to the complainant’s suggestion, the Commissioner considers that given the complainant’s knowledge of this subject matter, if the MOD revealed how many names had been redacted from the relevant part of the fax cover sheet, then in effect this would be likely to have the same outcome of revealing to the complainant the identities of those individuals. In light of this, the Commissioner does not consider the complainant’s suggestion that the MOD confirm to him how many names linked to the bank account had been redacted from the fax cover sheet provides a possible alternative means of fulfilling this request. Reference: FS50834927 Balance between legitimate interests and the data subject’s interests fundamental rights and freedoms 38. It is necessary to balance the legitimate interests in disclosure against the data subject’s interests or fundamental rights and freedoms. In doing so, it is necessary to consider the impact of disclosure. For example, if the data subject would not reasonably expect that the information would be disclosed to the public under the FOIA in response to the request, or if such disclosure would cause unjustified harm, their interests or rights are likely to override legitimate interests in disclosure. 39. In considering this balancing test, the Commissioner has taken into account the following factors: • the potential harm or distress that disclosure may cause; • whether the information is already in the public domain; • whether the information is already known to some individuals; • whether the individual expressed concern to the disclosure; and • the reasonable expectations of the individual. 40. In the Commissioner’s view, a key issue is whether the individuals concerned have a reasonable expectation that their information will not be disclosed. These expectations can be shaped by factors such as an individual’s general expectation of privacy, whether the information relates to an employee in their professional role or to them as individuals, and the purpose for which they provided their personal data. 41. It is also important to consider whether disclosure would be likely to result in unwarranted damage or distress to that individual. 42. For the reasons set out above, the complainant argued that he considered there to be a legitimate interest in the disclosure of the withheld information, and moreover that given the detailed information provided to him by the Pensions Ombudsman, it was difficult to understand why this information was not being disclosed. 43. The MOD argued that the individuals named in the document would have no expectation that their names would be disclosed in response to a FOI request and that to provide third party access to this personal data would breach the trust and confidence in the VO role. The MOD explained that it had also taken into account the consequences of disclosure on the individuals if the information was released and it was concerned that disclosure would infringe upon the privacy of those named given the history of this matter and the complainant’s continued dissatisfaction with the decision regarding the death benefit and pension payments. The MOD also argued that as the fax cover sheet had been the subject of police scrutiny as part of an investigation into allegations of fraud in relation to the application made for these payments, and the Reference: FS50834927 police had concluded that there was no evidence to support such a claim, it did not consider there to be any wider legitimate interest in the disclosure of the withheld information. 44. The Commissioner appreciates that the complainant has a legitimate interest in wishing to access the withheld information in order to further understand the decision regarding the death in service payment awarded to his son’s girlfriend. However, the Commissioner agrees with the MOD that it is difficult to see any broader or wider legitimate interests in the disclosure of the information, particularly as the document in question has been the subject of police scrutiny in respect of the allegations of fraud. This is not to say that simply because of the lack of any wider interest in this subject the legitimate interests favour withholding the information. But, the Commissioner appreciates that the individuals involved would have no expectation that their names and personal data would be disclosed under FOIA. On this point, the Commissioner appreciates that the complainant has had access to the file submitted to the Pensions Ombudsman. However, it is her understanding that such access was provided because the complainant was a party to the appeal to the Pensions Ombudsman; it is her understanding that such papers were not provided to the complainant under FOIA. (If information is disclosed by a public authority under FOIA is it considered to be a disclosure that is made to the world at large. In contrast the file provided to the complainant was only disclosed to him as an interested party; it was not disclosed to the world at large.) Furthermore, the Commissioner accepts that disclosure of the withheld information risks invading the privacy of the individuals concerned. 45. She has therefore concluded that there is insufficient legitimate interest to outweigh the data subjects’ fundamental rights and freedoms. The Commissioner therefore considers that there is no Article 6 basis for processing and so the disclosure of the information would not be lawful. 46. Given the above conclusion that disclosure would be unlawful, the Commissioner considers that she does not need to go on to separately consider whether disclosure would be fair or transparent. 47. The Commissioner has therefore decided that the MOD was entitled to withhold the information under section 40(2) of FOIA, by way of section 40(3A)(a). Reference: FS50834927 Right of appeal 48. Either party has the right to appeal against this decision notice to the First-tier Tribunal (Information Rights). Information about the appeals process may be obtained from: First-tier Tribunal (Information Rights) GRC & GRP Tribunals, PO Box 9300, LEICESTER, LE1 8DJ Tel: 0300 1234504 Fax: 0870 739 5836 Email: grc@justice.gov.uk Website: www.justice.gov.uk/tribunals/general-regulatory- chamber 49. If you wish to appeal against a decision notice, you can obtain information on how to appeal along with the relevant forms from the Information Tribunal website. 50. Any Notice of Appeal should be served on the Tribunal within 28 (calendar) days of the date on which this decision notice is sent. Signed ……………………………………………… Jonathan Slee Senior Case Officer Information Commissioner’s Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF