[Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback]
	First-tier Tribunal (General Regulatory Chamber)
You are here: BAILII >> Databases >> First-tier Tribunal (General Regulatory Chamber) >> Timms v Information Commissioner [2023] UKFTT 625 (GRC) (19 July 2023) URL: http://www.bailii.org/uk/cases/UKFTT/GRC/2023/625.html Cite as: [2023] UKFTT 625 (GRC)

[New search] [Printable PDF version] [Help]

First-tier Tribunal
General Regulatory Chamber
Information Rights

		Heard: On the papers Heard on: 13 July 2023
		Decision Given On: 19 July 2023

Decision: The appeal is dismissed.

REASONS

Introduction

1. The parties and the Tribunal agreed that this matter was suitable for determination on the papers in accordance with rule 32 of the Chamber's Procedure Rules.
2. This is an appeal against the Commissioner's decision notice IC-129568-H6F5 of 8 June 2022 which held that Nocton Parish Council ('the Council') was entitled to rely on section 40(2) of the Freedom of Information Act 2000 (FOIA) to withhold the requested information. The Commissioner did not require the Council to take any steps.
3. Mr Timms indicated in his grounds of appeal that he did not wish to lodge an appeal in relation to part 2 of the request. Although we note that Mr. Timms disagrees in principle with the Commissioner's decision on part 2, as he is not appealing this part of the decision notice, the tribunal has dealt with part 1 of the request in this decision.
4. There is a short closed annex. It is necessary to withhold the content of this annex from the appellant because it refers to the content of the withheld information and to do otherwise would defeat the purpose of the proceedings.

Factual background to the appeal

5. This matter arises out of action taken by the Council against an individual ('X') in relation to conduct allegations which Mr. Timms asserts were entirely unjustified. The part of the Council meeting in April 2021 in which that alleged conduct and the Council's actions were discussed was held in private, and the minutes have not been published.

Requests, decision notice and appeal

The request

6. This appeal concerns the following request made on 25 August 2021 by Mr Timms:

"Please may I have:

1. Full Minutes of the Extraordinary Meeting held on Mon 27 April 2021^[1]

There may have been a reason to withhold details at the time, but not, as I understand it, after a criminal charge has been made against an individual which was then rejected by the police. Parishioners have a right to know how such a charge could have been brought and what information was disclosed at the time to support the charge.

2. Sta? Salary and Terms & Conditions of Clerk's appointment

In the minutes of the PC Meeting held on 4 May it is stated: "Amount withheld due to con?dentiality".

There is absolutely no reason for the clerk's salary to be withheld. He is a public servant paid for by Nocton Council Tax payers, who have a right to know on what T&C he was appointed. It is clear that his travel expenses are going to be excessive and unprecedented and now that there are no Covid restrictions, he should not normally be allowed to attend Parish Council meetings by Zoom or other on-line method."

7. The tribunal refers to the two parts of the request as 'part 1' and 'part 2' in this decision. This appeal relates only to part 1 of the request.
8. As stated above, only part 1 of the request is in issue in this appeal.

The response

9. On 29 August 2021 the Council responded to the request and withheld the information. It relied on section 41 (confidential information) in relation to part 1 of the request. It relied on section 40(2) (personal data) in relation to part 2 of the request. The Council upheld its position on internal review.
10. Mr. Timms referred the matter to the Information Commissioner on 15 September 2021.

The Decision Notice

11. The Commissioner was satisfied that the requested information was personal data as the information related to X who had an allegation of a criminal offence made against them, and the Parish Clerk, and both those individuals were identifiable.
12. In relation to the information requested in part 1 of the request, the Commissioner concluded that the information was criminal offence data. The Commissioner considered that there was no lawful basis for disclosure because X who had an allegation of a criminal offence made against them had not consented to the disclosure.
13. In relation to part 2 of the request, the Commissioner concluded that Mr. Timms was pursuing a legitimate interest and that disclosure of the Parish Clerk's salary and terms and conditions of employment was, to some degree, necessary to meet that legitimate interest.
14. The Commissioner considered that the Parish Clerk had a strong and reasonable expectation that their salary and terms of employment would remain confidential to them and their employer. Furthermore, the Parish Clerk had expressed concern at the disclosure of the requested information stating that they had not given the Council permission to disclose their salary or terms of employment in response to the request.
15. The Commissioner determined that there was insufficient legitimate interest to outweigh the fundamental rights and freedoms of the Parish Clerk. Therefore, he considered that there is no legal basis for the Council to disclose this information and to do so would be in breach of principle (a):

"Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject."

16. The Commissioner concluded that the Council was entitled to rely on section 40(2) of the FOIA to refuse to provide the requested information.

Notice of Appeal

17. The grounds of appeal relate solely to part 1 of the request. Mr. Timms is no longer pursuing part 2 of the request.
18. In summary, the grounds of appeal are (numbering inserted by the tribunal):

Ground One

The Commissioner only considered the personal information of X. The clerks and councillors do not have a right to privacy.

Ground Two

The Commissioner erred in concluding that X had not consented to disclosure of their personal information. X has not been shown the minutes and has neither consented nor not consented.

19. Mr. Timms makes a number of criticisms of the procedure adopted by the Commissioner but these are outside our remit and, as this is a full merits appeal, any such errors will be corrected by our fresh reconsideration of the matter.

The Commissioner's response

20. The Commissioner begins by addressing part 2 of the request. In the light of Mr. Timms' indication in his grounds of appeal that he is not appealing this aspect, it is not necessary for the tribunal to set out this part of the response.
21. In relation to ground one, the Commissioner submits that the whole of the information requested relates to the personal data of X.
22. In relation to ground two, it is submitted that it is not necessary for the Commissioner to obtain 'proof' that X did not consent to the minutes being published. It is enough for him to rely on the word of the Council.
23. Further the Commissioner submits that even if the information is not special category personal data, it is still the personal data of X and the distress disclosure would cause and X's rights and freedoms far overrides any legitimate interest in disclosure.
24. The Commissioner submits that the remaining issues raised by Mr. Timms are outside the tribunal's jurisdiction.

Mr. Timms' reply

25. Mr. Timms begins by addressing the Commissioner's response in relation to part 2 of the request. As there is no appeal against this aspect of the decision notice, the tribunal does not need to set out this part of the reply.
26. In relation to part 1 of the request Mr. Timms makes a number of points, all of which the tribunal has taken into account. The main points are:

26.1. The Commissioner should have requested the withheld minutes from the Council;

26.2. It is not adequate to simply rely on 'the word' of the Council in relation to the consent or otherwise of X;

26.3. There is no evidence that disclosure would cause X any distress or infringe on X's rights and freedoms;

26.4. The Council has not approached X to ask for their consent;

26.5. It is clearly in the interests of the Nocton parishioners that the minutes are published.

27. The complaints made by Mr. Timms in section C are outside the tribunal's remit and therefore do not need to be set out here.

Evidence

28. We read an open and a closed bundle.
29. The closed bundle contained:

29.1. The withheld information

29.2. Correspondence between the Commissioner and the Council.

30. It is necessary to withhold the above closed information from Mr. Timms because it either consists of the withheld information or refers to the content of the withheld information, and to do otherwise would defeat the purpose of the proceedings.

Legal framework

Personal data

31. The relevant parts of section 40 of FOIA provide:

(1) Any information to which a request for information relates is exempt information if it constitutes personal data of which the applicant is the data subject.

(2) Any information to which a request for information relates is also exempt information if –

(a) It constitutes personal data which does not fall within subsection (1), and

(b) either the first, second or the third condition below is satisfied.

(3A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles...

…

32. Personal data is defined in section 3 of the Data Protection Act 2018 (DPA):

(2) 'Personal data' means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

(3) 'Identifiable living individual' means a living individual who can be identified, directly or indirectly, in particular by reference to—

(a)  an identifier such as a name, an identification number, location data or an online identifier, or

(b)  one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of X.

33. This is in line with the definitions in the UK General Data Protection Regulation (UK GDPR). The tribunal takes the view that the recitals to the GDPR 2016/679 are a useful guide to the interpretation of the UK GDPR. Recital 26 to the GDPR is relevant, because it refers to identifiability and to the means to be taken into account:

(26) The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a

manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.

34. The definition of "personal data" consists of two limbs:

i) Whether the data in question "relate to" a living individual and

ii) Whether the individual is identified or identifiable, directly or indirectly, from those data.

35. The tribunal is assisted in identifying 'personal data' by the cases of Ittadieh v Cheyne Gardens Ltd [2017] EWCA Civ 121; Durant v FSA [2003] EWCA Civ 1746 and Edem v Information Commissioner [2014] EWCA Civ 92. Although these relate to the previous iteration of the DPA, we conclude the following principles are still of assistance.
36. In Durant, Auld LJ, giving the leading judgment said at [28]:

"Mere mention of the data subject in a document held by a data controller does not necessarily amount to his personal data. Whether it does so in any particular instance depends on where it falls in a continuum of relevance or proximity to the data subject as distinct, say, from transactions or matters in which he may have been involved to a greater or lesser degree. It seems to me that there are two notions that may be of assistance. The first is whether the information is biographical in a significant sense, that is, going beyond the recording of the putative data subject's involvement in a matter or an event that has no personal connotations, a life event in respect of which his privacy could not be said to be compromised. The second is one of focus. The information should have the putative data subject as its focus rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or have had an interest, for example, as in this case, an investigation into some other person's or body's conduct that he may have instigated."

37. In Edem Moses LJ held that it was not necessary to apply the notions of biographical significance where the information was plainly concerned with or obviously about the individual, approving the following statement in the Information Commissioner's Guidance:

"It is important to remember that it is not always necessary to consider 'biographical significance' to determine whether data is personal data. In many cases data may be personal data simply because its content is such that it is 'obviously about' an individual. Alternatively, data may be personal data because it is clearly 'linked to' an individual because it is about his activities and is processed for the purpose of determining or influencing the way in which that person is treated. You need to consider 'biographical significance' only where information is not 'obviously about' an individual or clearly 'linked to' him."

38. The High Court in R (Kelway) v The Upper Tribunal (Administrative Appeals Chamber) & Northumbria Police [2013] EWHC 2575 held, whilst acknowledging the Durant test, that a Court should also consider:

"(2) Does the data "relate" to an individual in the sense that it is "about" that individual because of its:

(i) "Content" in referring to the identity, characteristics or behaviour of the individual?

(ii) "Purpose" in being used to determine or influence the way in which the individual is treated or evaluated?

(iii) "Result" in being likely to have an impact on the individual's rights and interests, taking into account all the circumstances surrounding the precise case (the WPO test)?

(3) Are any of the 8 questions provided by the TGN are applicable?

These questions are as follows:

(i) Can a living individual be identified from the data or from the data and other information in the possession of, or likely to come into the possession of, the data controller?

(ii) Does the data 'relate to' the identifiable living individual, whether in personal or family life, or business or profession?

(iii) Is the data 'obviously about' a particular individual?

(iv) Is the data 'linked to' an individual so that it provides particular information about that individual?

(v) Is the data used, or is it to be used, to inform or influence actions or decisions affecting an identifiable individual?

(vi) Does the data have any biographical significance in relation to the individual?

(vii) Does the data focus or concentrate on the individual as its central theme rather than on some other person, or some object, transaction or event?

(viii) Does the data impact or have potential impact on an individual, whether in a personal or family or business or professional capacity (the TGN test)?

(4) Does the data "relate" to the individual including whether it includes an expression of opinion about the individual and/or an indication of the intention of the data controller or any other person in respect of that individual. (the DPA section 1(1) test)?"

39. The data protection principles are set out Article 5(1) of the UK GDPR. Article 5(1)(a) UK GDPR provides: that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. Article 6(1) UK GDPR provides that processing shall be lawful only if and to the extent that at least one of the lawful bases for processing listed in the Article applies.
40. The only potentially relevant basis here is article 6(1)(f):

"Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which requires protection of personal data, in particular where the data subject is a child."

41. The case law on article 6(1)(f)'s predecessor established that it required three questions to be answered, which we consider are still appropriate if reworded as follows

1. Is the data controller or a third party pursuing a legitimate interest or interests?

2. Is the processing involved necessary for the purposes of those interests?

3. Are the above interests overridden by the interests or fundamental rights and freedoms of the data subject?

42. Lady Hale said the following in South Lanarkshire Council v Scottish Information Commissioner [2013] 1 WLR 2421 about article 6(f)'s slightly differently worded predecessor:

"27. ... It is well established in community law that, at least in the context of justification rather than derogation, 'necessary' means 'reasonably' rather than absolutely or strictly necessary .... The proposition advanced by Advocate General Poiares Maduro in Huber is uncontroversial: necessity is well established in community law as part of the proportionality test. A measure which interferes with a right protected by community law must be the least restrictive for the achievement of a legitimate aim. Indeed, in ordinary language we would understand that a measure would not be necessary if the legitimate aim could be achieved by something less. ... "

43. Article 10 UK GDPR provides:

"Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects."

44. Section 11(2) DPA provides:

"In Article 10 of the GDPR and section 10, references to personal data relating to criminal convictions and offences or related security measures include personal data relating to—

(a) the alleged commission of offences by the data subject, or

(b) proceedings for an offence committed or alleged to have been committed by the data subject or the disposal of such proceedings, including sentencing."

45. Section 10 DPA provides:

"10 Special categories of personal data and criminal convictions etc data

(1)  Subsections (2) and (3) make provision about the processing of personal data described in Article 9(1) of the UK GDPR (prohibition on processing of special categories of personal data) in reliance on an exception in one of the following points of Article 9(2)—

(a)  point (b) (employment, social security and social protection);

(b)  point (g) (substantial public interest);

(c)  point (h) (health and social care);

(d)  point (i) (public health);

(e)  point (j) (archiving, research and statistics).

(2)  The processing meets the requirement in point (b), (h), (i) or (j) of Article 9(2) of the UK GDPR for authorisation by, or a basis in, the law of the United Kingdom or a part of the United Kingdom only if it meets a condition in Part 1 of Schedule 1.

(3)  The processing meets the requirement in point (g) of Article 9(2) of the UK GDPR for a basis in the law of the United Kingdom or a part of the United Kingdom only if it meets a condition in Part 2 of Schedule 1.  

(4)  Subsection (5) makes provision about the processing of personal data relating to criminal convictions and offences or related security measures that is not carried out under the control of official authority.

(5)  The processing meets the requirement in Article 10 of the UK GDPR for authorisation by the law of the United Kingdom or a part of the United Kingdom only if it meets a condition in Part 1, 2 or 3 of Schedule 1."

46. Schedule 1, Part 3, Paragraph 29 DPA provides:

"Consent

This condition is met if the data subject has given consent to the processing."

47. Section 40(2) is an absolute exemption and therefore the separate public interest balancing test under FOIA does not apply.

The role of the tribunal

48. The tribunal's remit is governed by section 58 FOIA. This requires the tribunal to consider whether the decision made by the Commissioner is in accordance with the law or, where the Commissioner's decision involved exercising discretion, whether he should have exercised it differently. The tribunal may receive evidence that was not before the Commissioner and may make different findings of fact from the Commissioner.

Issues

49. The issues for the tribunal to determine are:
50. 1. Does the information relate to an identified or identifiable living individual?
51. 2. Is any or all of the requested information criminal offence data in that it relates to criminal offences or alleged criminal offences by the data subject(s)?
52. 3. In relation to any criminal offence data:

49.3.1. Has the data subject has given consent to the processing?

53. 4. In relation to personal data which is not criminal offence data:

49.4.1. Is the data controller or a third party pursuing a legitimate interest or interests?

49.4.2. Is the processing involved necessary for the purposes of those interests?

49.4.3. Are the above interests overridden by the interests or fundamental rights and freedoms of the data subject?

Discussion and conclusions

The tribunal's remit

54. As stated above, the complaints made by Mr. Timms in section C of his appeal are outside the tribunal's remit.

The withheld information

55. Mr. Timms complains that the Commissioner reached his decision in the absence of the withheld information. The tribunal had before it and took account of the content of the withheld portion of the minutes when reaching its decision. There is additional closed reasoning on this in the closed annex.

Personal data

56. The question for us to determine is whether the withheld information is the personal data of an identifiable living individual or individuals.
57. In our view, the entire confidential section of the minutes are the personal data of X who was the subject of the 'staffing matter' discussed in the confidential part of the meeting on 26 April 2021. The minuted discussions focussed entirely on the actions or alleged actions of that individual and the Council's past or future conduct in relation to those actions.
58. The minutes are biographical in a significant sense, in that they go beyond the recording of X's involvement in a matter that has no personal connotations for that individual. The matter in question had extremely significant personal connotations for that individual. Given the serious nature of the alleged misconduct, it is clearly a life event in respect of which X's privacy would be compromised by disclosure.
59. The focus of the minutes is the conduct of that individual or the Council's action in relation to that conduct either past or future. The minutes are obviously about that conduct or the Council's actions in relation to that conduct. Looked at as a whole the minutes are obviously about that individual and their activities, they are clearly linked to that individual. The minutes provide particular information about that individual and the way in which their conduct was handled by the Council. The central theme of the minutes is the conduct or the Council's action in relation to that conduct.
60. The individual is named in the minutes. Even if the name were redacted, given the number of staff employed by the Council and the information that is evidently in the public domain about this incident, we find, on the balance of probabilities, that a motivated individual would have been able to identify X from the minutes and other information likely to be known by at least a section of the public.

Legitimate interest

61. We accept that Mr Timms has a legitimate interest in the disclosure of the minutes. There is a legitimate interest in transparency and holding the Council to account in relation to decisions taken by the Council. This is particularly so where there is a suggestion where the Council may have acted inappropriately in the action it took in relation to this particular individual.

Reasonable necessity

62. We have considered whether the disclosure of the requested information is reasonably necessary for the purposes of the identified legitimate interests. Disclosure must be more than desirable, but less than indispensable or an absolute necessity. Disclosure must be the least intrusive means of achieving the legitimate aim in question, because it would not be reasonably necessary if it could be achieved by anything less. We must consider whether the legitimate aim could be achieved by means that interfere less with the privacy of the data subjects.
63. There is no public record of the motions passed in the confidential part of the meeting, nor is there any public record of the discussions that lead to those motions. For that reason we accept that disclosure is reasonably necessary for the purposes of the above legitimate interests.

Are the above interests overridden by the interests or fundamental rights and freedoms of the data subject?

64. In assessing the consequences of disclosure we have taken account of the particular nature of the personal information. The information is personal and sensitive. It contains details of alleged serious misconduct and details of the actions the Council proposed to take in relation that that particular individual. There is additional reasoning on this in the closed annex.
65. There is no evidence before us to suggest that X would consent or has consented to the publication of the minutes, or that X would expect the minutes to be published. We conclude that disclosure would not have been within the reasonable expectations of X, because they are contained in part of the minutes clearly marked confidential and relate to a matter which had, at the time of the request, been concluded.
66. We find that there is clear potential for harm and distress given the serious nature of the allegations against X and on the basis of some additional closed reasoning in the closed annex.
67. Taking all the above into account, we conclude that the legitimate interests were overridden by the interests or fundamental rights and freedoms of X.

Criminal offence data

68. In the light of our conclusions above it is not necessary for us to consider whether the information amounts to criminal offence data.

Summary of decision

69. For the above reasons we conclude that the Council was entitled to withhold the requested information under section 40(2) FOIA.

Signed Sophie Buckley

Date: 17 July 2023

Judge of the First-tier Tribunal

Promulgated Date: 19 July 2023

Note 1   This is an error. The date of the meeting is Monday 26 April 2021.    [Back]