The relationship between FOI and Data Protection is one that causes frequent tension. Obtaining personal data on third parties held by public authorities under FOI is, rightly, a difficult task. On Sunday it was reported that Cornwall Council refused to release, in response to a Freedom of Information request, the name of a Councillor who had been advised by the Council that they had “erroneously claimed entitlement to Housing Benefit and Council Tax Benefit / Support” while they were a member of the Council, and that the amount involved was less than £5,000. The Council refused to disclose the name of the Councillor on the basis that it was exempt under section 40(2) of the Freedom of Information Act (which exempts the release of personal data where its release would be in contravention of the Data Protection Act (DPA)). This resulted in an interesting discussion between a few individuals on twitter relative to whether the Council was correct to withhold the Councillor’s name.
Lynn Wyeth concluded that it came down to the standard Data Protection Officer’s answer of “it depends” – and it really does; there is a whole heap of information missing which would be relevant to whether releasing the Councillor’s name would breach the DPA.
The starting point in respect of this one is establishing whether it is personal data, clearly it is; not only is it personal data, but it falls within the definition of sensitive personal data in section 2 of the DPA. The information concerned here is personal data concerning the alleged commission of an offence by an individual (claiming benefits to which you’re not entitled being a criminal act). This is an important point because the restrictions placed upon the processing of sensitive personal data are a lot more stringent than personal data which is not considered sensitive under the DPA.
The first Data Protection Principal is clear, that personal data must be processed fairly and lawfully. It goes on to provide that personal data should not be processed unless at least one of the conditions in Schedule 2 is applicable; in the case of sensitive personal data it is also necessary to ensure that one of the conditions in Schedule 3 applies as well.
When it comes to releasing personal data under FOI, the condition in schedule 2 that is most often (if not always) applicable is Condition 6(1). This condition provides:
The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
In other words, a person seeking the release of personal data about a third party under FOI must be able to show that he has a legitimate interest and that it is necessary for the personal data to be disclosed in pursuance of that legitimate interest. I would say that it would generally be the case that uncovering wrong-doing by an elected official while holding public office is a legitimate interest. Unless the matter was reported in the newspapers or in other media at the time the accusation was being pursued by the body concerned, it would be necessary for the data controller to release the personal data in order to enable the third party to pursue their legitimate aim (uncovering misconduct by a public official and holding them to account).
However, this is personal data that falls within the scope of sensitive personal data and as such the very fact that condition 6(1) of Schedule 2 to the DPA is likely to be satisfied it is not the case that releasing the personal data would be fair and lawful. There needs to be a condition in schedule 3 that is applicable as well.
In the normal course of things there wouldn’t, in my view, be a condition in schedule 3 which would apply – unless the data subject consented to the disclosure. However, in certain circumstances it may be possible to use the paragraph 3(b) of Schedule 3 which applies where the processing is necessary:
in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld.
There are a number of key words here. The first is “necessary”; if there was another way in which the vital interests of another person could be met without the data controller releasing the information then it wouldn’t apply (for example, if there had been a news report revealing the name – but then the FOI request wouldn’t have been necessary in the first place). The next is “vital”; there is not, to my knowledge, any case law on what exactly “vital” means in the DPA – it appears in a number of places within Schedule 3. It could reasonably be argued that uncovering the misappropriation of public funds by an individual elected to public office and holding that individual to account is a “vital” interest of a person other than the data controller (essentially everyone who the data subject is elected to represent). Finally, the data subject’s consent must be unreasonably withheld.
This is where this case becomes particularly complicated. It would seem that no criminal proceedings were ever brought against the councillor in question, and certainly it appears that there has been no conviction. There is a presumption at the very heart of the criminal justice system in each of the legal jurisdictions in the UK: innocent until guilt is established. As there would appear to be no criminal conviction in this case, the Councillor is an innocent member of the public holding elected public office. The fact that there is no conviction, in my view, makes it harder to argue that there are vital interests to be protected.
This isn’t that straightforward though; some weight needs to be given to the fact that this individual was accused of making erroneous claims for benefits while an elected official. Furthermore, it is necessary to give some weight to the fact that some form of procedure was carried out to reclaim overpayments made to the councillor. However, that alone might not be enough to make release of their name under FOI fair and lawful. There are other factors to be considered. For example, if there was a settlement agreement in place which proceeded upon the basis of no admission of liability then that, I suggest, would tend to count against disclosure; especially if this was exactly how an individual who didn’t happen to be an elected member of the council would be dealt with. That leads onto the next issue; was there any preferential treatment given to the Councillor? It would appear not, the Council has said that it was handled in accordance with the normal procedures. Had it not been handled in accordance with normal procedures (e.g. he was given special treatment because he happened to be a councillor) then that might tip the balance in favour of disclosure because it would suggest some level of impropriety over and above the allegation that there was an ‘erroneous claim’.
In essence, these decisions are finely balanced. I’m not going to say whether the Council was right or not to refuse to disclose because I’m not in possession of all of the relevant facts. I don’t know what has gone on behind the scenes here, I don’t know whether the consent of the data subject has been sought let alone withheld unreasonably. The journalist who made the request can make use of their right to request an internal review of the handling of the request and then complain to the Information Commissioner. What I would say though is that simply because an elected official has been accused of something which may or may not amount to a criminal offence is not, in of itself, necessarily a justifiable reason to process personal data by releasing it under the Freedom of Information Act.