ICO - FS50839431: Difference between revisions

From GDPRhub
 
No edit summary
 
(One intermediate revision by one other user not shown)
Line 1: Line 1:
[[Category:2019]]
{{DPAdecisionBOX
[[Category:Article 12(5) GDPR]]
 
{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"
|Jurisdiction=United Kingdom
! colspan="2" |ICO - FS50839431
|DPA-BG-Color=background-color:#023868;
|-
|DPAlogo=LogoUK.png
| colspan="2" style="padding: 20px; background-color:#023868;" |[[File:ICOLOGO.png|center]]
|DPA_Abbrevation=ICO (UK)
|-
|DPA_With_Country=ICO (UK)
|Authority:||[[ICO (UK)]]
 
[[Category:ICO (UK)]]
|Case_Number_Name=FS50839431
|-
|ECLI=
|Jurisdiction:||[[Data Protection in the United Kingdom|United Kingdom]]
 
[[Category: United Kingdom]]
|Original_Source_Name_1=ICO
|-
|Original_Source_Link_1=https://ico.org.uk/media/action-weve-taken/decision-notices/2019/2616248/fs50839431.pdf
|Relevant Law:||[[Article 4 GDPR#1|Article 4(1) GDPR]]
|Original_Source_Language_1=English
[[Category:Article 4(1) GDPR]]
|Original_Source_Language__Code_1=EN
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=
 
|Type=Complaint
|Outcome=Rejected
|Date_Started=
|Date_Decided=01.11.2019
|Date_Published=
|Year=2019
|Fine=None
|Currency=
 
|GDPR_Article_1=Article 4(1) GDPR
|GDPR_Article_Link_1=Article 4 GDPR#1
|GDPR_Article_2=Article 5(1)(a) GDPR
|GDPR_Article_Link_2=Article 5 GDPR#1a
|GDPR_Article_3=Article 6(1)(f) GDPR
|GDPR_Article_Link_3=Article 6 GDPR#1f
|GDPR_Article_4=
|GDPR_Article_Link_4=
|GDPR_Article_5=
|GDPR_Article_Link_5=
 
|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=
 
|National_Law_Name_1=Section 3(2) DPA
|National_Law_Link_1=http://www.legislation.gov.uk/ukpga/2018/12/section/3
|National_Law_Name_2=40(2) FOIA
|National_Law_Link_2=http://www.legislation.gov.uk/ukpga/2000/36/contents
|National_Law_Name_3=
|National_Law_Link_3=
|National_Law_Name_4=
|National_Law_Link_4=


[[Article 5 GDPR#1a|Article 5(1)(a) GDPR]]
|Party_Name_1=University of Leicester
[[Category:Article 5(1)(a) GDPR]]
|Party_Link_1=
|Party_Name_2=Anonymous
|Party_Link_2=
|Party_Name_3=
|Party_Link_3=


[[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]
|Appeal_To_Body=
[[Category:Article 6(1)(f) GDPR]]
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=
|Appeal_To_Link=


[http://www.legislation.gov.uk/ukpga/2018/12/section/3 Section 3(2) DPA]
|Initial_Contributor=
|
}}


[http://www.legislation.gov.uk/ukpga/2000/36/contents 40(2) FOIA]
[[Category:2019]]
|-
[[Category:Article 12(5) GDPR]]
|Type:||Complaint
|-
|Outcome:||Rejected
|-
|Decided:||1.11.2019
|-
|Published:||n/a
|-
|Fine:||None
|-
|Parties:||University of Leicester Vs. anonymous
|-
|National Case Number:||FS50839431
|-
|European Case Law Identifier:||n/a
|-
|Appeal:||n/a
|-
|Original Language:||[[Category:English]]
English
|-
|Original Source:||[https://ico.org.uk/media/action-weve-taken/decision-notices/2019/2616248/fs50839431.pdf ICO (EN)]
|}
The ICO issued a decisions regarding refusal to access to third party personal data.
The ICO issued a decisions regarding refusal to access to third party personal data.


Line 53: Line 77:


===Facts===
===Facts===
As reminded by yhe ICO itslef, "the complainant has requested information from University of Leicester about external examiners for the department of engineering between the years 2010 to 2018. The University withheld the information, citing section 40(2) (personal information) of the FOIA. "  
The complainant has requested information from University of Leicester about external examiners for the department of engineering between the years 2010 to 2018. The University withheld the information, citing section 40(2) (personal information) of the FOIA.   


The complainant challenged the decision before the ICO.   
The complainant challenged the decision before the ICO.   


===Dispute===
===Dispute===
Is the information personal data? Would a disclosure contravene GDPR principles? What are the legitimate interests at stake? 
The Commissioner considers the scope of her investigation to be to establish whether the Universityis entitled to withhold the requested information under section 40(2) of the FOIA. 
 
===Holding===
As per the applicability of Article Articles 40(2) FOIA, it must be determined whether the withheld information constitutes personal data and, in the affirmative, whether disclosure of that data would breach any of the data protection principles under the Data Protection Act. 
 
According to the ICO the information at stake is personal data. The fact that information constitutes the personal data of identifiable living individuals does not automatically exclude it from disclosure under the FOIA.
 
The second element of the test is to determine whether disclosure would contravene any of the data protection principles. In the present case, the most relevant principle is the one protected under Article 5(1)(a) GDPR: "Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject".
 
The Commissioner considers that the most likely applicable lawful bases is the legitimate interest of the controller under Article 6(1)(f) GDPR. In considering the application of Article 6(1)(f) GDPR in the context of a request for information under FOIA it is necessary to consider the three-part test: (i) legitimate interest, (ii) necessity and (iii) balancing of conflicting interests.


Is disclosure necessary?
The Commissioner accepts that the complainant has (i) a legitimate interest in seeing the requested information and that the disclosure is (ii) necessary for meeting a legitimate public interest. Such interest is to be (iii) balanced against the data subjects’ interests.


===Holding===
In carrying out the assessment under (iii) it is necessary to consider the impact of disclosure in terms of harm or distress, the reasonable expectations of the individual as well as whether the information is already in the public domain.
While balancing legitimate interest in disclosure against data subject’s interest and fundamental rights and freedoms, the Commissioner considered that the public authority would have infringed Articles 5(1)(a) and 6(1)(f) of the GDPR in disclosing this information. It found that the disclosure was not necessary to pursue a legitimate interest and it would have caused unjustified harm to the data subjects. Overall, the interests and rights of the data subjects were likely to override legitimate interest in disclosure. In conclusion, the ICO decision decided that the University was entitled to rely on the exemption at section 40(2) FOIA.
 
Within the University’s response to the Commissioner’s enquiries, it outlined that at the time of the request, the external examiners for that academic year had also been the external examiners for the previous two academic years. Therefore, the University argued, any student who had concerns about any conflicts of interest an external examiner might have had,would already have had two years in which to complain.
 
Based on the above factors, the Commissioner has determined that there is insufficient legitimate interest to outweigh the data subjects’ fundamental rights and freedoms. The Commissioner therefore considers that there is no Article 6 basis for processing and so the disclosure of the information would not be lawful.
 
In conclusion, the ICO decided that the University was entitled to rely on the exemption at section 40(2) FOIA.


==Comment==
==Comment==

Latest revision as of 16:23, 7 March 2022

ICO (UK) - FS50839431
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 4(1) GDPR
Article 5(1)(a) GDPR
Article 6(1)(f) GDPR
Section 3(2) DPA
40(2) FOIA
Type: Complaint
Outcome: Rejected
Started:
Decided: 01.11.2019
Published:
Fine: None
Parties: University of Leicester
Anonymous
National Case Number/Name: FS50839431
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: ICO (in EN)
Initial Contributor: n/a

The ICO issued a decisions regarding refusal to access to third party personal data.

English Summary

Facts

The complainant has requested information from University of Leicester about external examiners for the department of engineering between the years 2010 to 2018. The University withheld the information, citing section 40(2) (personal information) of the FOIA.

The complainant challenged the decision before the ICO.

Dispute

The Commissioner considers the scope of her investigation to be to establish whether the Universityis entitled to withhold the requested information under section 40(2) of the FOIA.

Holding

As per the applicability of Article Articles 40(2) FOIA, it must be determined whether the withheld information constitutes personal data and, in the affirmative, whether disclosure of that data would breach any of the data protection principles under the Data Protection Act.

According to the ICO the information at stake is personal data. The fact that information constitutes the personal data of identifiable living individuals does not automatically exclude it from disclosure under the FOIA.

The second element of the test is to determine whether disclosure would contravene any of the data protection principles. In the present case, the most relevant principle is the one protected under Article 5(1)(a) GDPR: "Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject".

The Commissioner considers that the most likely applicable lawful bases is the legitimate interest of the controller under Article 6(1)(f) GDPR. In considering the application of Article 6(1)(f) GDPR in the context of a request for information under FOIA it is necessary to consider the three-part test: (i) legitimate interest, (ii) necessity and (iii) balancing of conflicting interests.

The Commissioner accepts that the complainant has (i) a legitimate interest in seeing the requested information and that the disclosure is (ii) necessary for meeting a legitimate public interest. Such interest is to be (iii) balanced against the data subjects’ interests.

In carrying out the assessment under (iii) it is necessary to consider the impact of disclosure in terms of harm or distress, the reasonable expectations of the individual as well as whether the information is already in the public domain.

Within the University’s response to the Commissioner’s enquiries, it outlined that at the time of the request, the external examiners for that academic year had also been the external examiners for the previous two academic years. Therefore, the University argued, any student who had concerns about any conflicts of interest an external examiner might have had,would already have had two years in which to complain.

Based on the above factors, the Commissioner has determined that there is insufficient legitimate interest to outweigh the data subjects’ fundamental rights and freedoms. The Commissioner therefore considers that there is no Article 6 basis for processing and so the disclosure of the information would not be lawful.

In conclusion, the ICO decided that the University was entitled to rely on the exemption at section 40(2) FOIA.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English official version

 to be completed..