BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?
No donation is too small. If every visitor before 31 December gives just £1, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!
[Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback] | ||
First-tier Tribunal (General Regulatory Chamber) |
||
You are here: BAILII >> Databases >> First-tier Tribunal (General Regulatory Chamber) >> Harron v The Information Commissioner & Anor [2024] UKFTT 525 (GRC) (24 June 2024) URL: http://www.bailii.org/uk/cases/UKFTT/GRC/2024/525.html Cite as: [2024] UKFTT 525 (GRC) |
[New search] [Printable PDF version] [Help]
NCN: [2024] UKFTT 525 (GRC)
Case Reference: EA/2023/0128
First-tier Tribunal
General Regulatory Chamber
Information Rights
Heard: at York House, Leeds
Heard on: date 28 February 2024
Decision given on: 24 June 2024
Before
TRIBUNAL JUDGE LIZ ORD
TRIBUNAL MEMBER PAUL TAYLOR
TRIBUNAL MEMBER MIRIAM SCOTT
Between
LIAM HARRON
Appellant
and
(1) THE INFORMATION COMMISSIONER
(2) ROTHERHAM METROPOLITAN BOROUGH COUNCIL
Respondents
Representation:
For the Appellant: In person
For the Respondent: Not attending
For the Second Respondent: Not attending
Decision: The appeal is Dismissed.
REASONS
Introduction
1. This is an appeal against the Information Commissioner's (IC) decision notice (DN) IC-171466-X0Q8 dated 8 February 2023, which found that Rotherham Metropolitan Borough Council (RMBC) was entitled to rely on s.40(5B) (personal information) of the Freedom of Information Act 2000 (FOIA) to refuse to confirm or deny whether any information is held. The IC did not require RMBC to take any further steps.
Preliminary matters
2. The Respondents made an application to strike out the appeal on the basis it had no reasonable prospects of success. The application was refused by the First Tier Tribunal on 11 August 2023.
3. We gave permission for the Appellant to call T, a Child Sexual Exploitation victim, to give evidence. We ruled that T's identity was to be anonymised and they would be identified as T in our decision and any transcript of the hearing. That part of the hearing in which T gave evidence was heard in private. A separate case management order has been made to this effect.
Background
4. On 1 February 2022, the Appellant made the following request to RMBC for information:
"This Freedom of Information Act Request (FOIAR) is for a copy of any communications that exist involving the Leader of RMBC, the Chief Executive of RMBC, other officers and external parties about the allegation that a version of the leaked Investigation Report discussed with Leader Chris Read on 10.7.20 was in a bundle for the defence of Waseem Khaliq."
5. On 11 February 2022, RMBC refused to confirm or deny holding the requested information relying on the exemption under s.40(5B) FOIA.
6. The Appellant requested an internal review and set out his understanding of the legislation, which was that i) the UK General Data Protection Regulation (GDPR) does not prohibit all disclosures relating to individuals, only that any disclosures must be fair and appropriate, and ii) senior public or senior civil servants are not exempt and this includes all persons who are considered to be in a "front-facing" position. He said he was not seeking any personal information.
7. The review dated 11 March 2023, upheld the original refusal and explained that stating whether RMBC does or does not hold anything in regard to a "bundle for the defence of" the named individual would be disclosing information about that person.
8. The Appellant complained to the IC, who found on 8 February 2023 that RBMC was entitled to rely on the exemption under s.40(5B) of FOIA. The reasons were that confirmation would reveal whether a defence bundle relating to the Data Subject exists; the Data Subject would have a reasonable expectation that such information would not be disclosed; and there was an insufficient legitimate interest to outweigh the Data Subject's rights and freedoms. Accordingly, it was not possible to satisfy the condition in Article 6(1)(f) of the GDPR.
9. The Appellant appealed to this Tribunal. The grounds of appeal, in summary, are:
1. The IC has erred in law by failing to undertake a scrutiny of RMBC's responses in this case. The IC's consideration of this case can probably best be described as woeful.
2. In particular, the IC has erred in law by failing to understand that [the Appellant] was explicitly clear that [he] was not seeking any third-party personal data. In this context the IC has also failed to address the issue that on at least two previous occasions RMBC did not appear to hesitate to provide third party personal data, such as in the FOIAR responses labelled FOI-802-2021 and FOI-895-2021.
Law
FOIA
10. The Tribunal's remit is governed by s.58 FOIA. This requires the Tribunal to consider whether the decision made by the IC is in accordance with the law or, where the IC's decision involved exercising discretion, whether he should have exercised it differently. The Tribunal may receive evidence that was not before the IC and may make different findings of fact from the IC.
General right of access to information
11. FOIA provides a general duty to disclose information.
12. The relevant parts of section 1 FOIA provide:
(1) Any person making a request for information to a public authority is entitled –
(a) To be informed in writing by the public authority whether it holds information of the description specified in the request, and
(b) If that is the case, to have that information communicated to him.
(2) Subsection (1) has effect subject to the following provisions of this section and to the provisions of sections 2, 9, 12 and 14.
(3) [...]
(4) The information –
(a) In respect of which the applicant is to be informed under subsection (1)(a), or
(b) Which is to be communicated under subsection (1)(b),
is the information in question held at the time when the request is received, [...]
(5) [...]
(6) In this Act, the duty of a public authority to comply with subsection (1)(a) is referred to as "the duty to confirm or deny".
S.40 Personal Information
13. The relevant parts of s.40 provide:
(1) Any information to which a request for information relates is exempt information if it constitutes personal data of which the applicant is the data subject.
[...]
(5A) The duty to confirm or deny does not arise in relation to information which is (or if it were held by the public authority would be) exempt information by virtue of subsection (1).
(5B) The duty to confirm or deny does not arise in relation to other information if or to the extent that any of the following applies-
(a) Giving a member of the public the confirmation or denial that would have to be given to comply with section 1(1)(a)-
(i) Would (apart from this Act) contravene any of the data protection principles, ...
UK GDPR
Article 4 - Definitions
14. The relevant parts of Article 4 provide:
11 "consent" of the data subject means a freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Article 6 - Lawfulness of processing
15. The relevant parts of Article 6 provide:
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Article 10 - processing of personal data relating to criminal convictions and offences
16. The relevant parts of Article 10 provide:
1. Processing of personal data relating to criminal convictions or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by domestic law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.
2. In the 2018 Act-
(a) Section 10 makes provision about when the requirement in paragraph 1 of this Article for authorisation by domestic law is met;
(b) Section 11(2) makes provision about the meaning of "personal data relating to criminal convictions and offences or related security measures".
The Data Protection Act 2018 (DPA)
17. The relevant parts of the DPA provide:
s.10. Special categories of personal data and criminal convictions etc data
(4) Subsection (5) makes provision about the processing of personal data relating to criminal convictions and offences or related security measures that is not carried out under the control of official authority.
(5) The processing meets the requirements in [Article 10 of the UK GDPR] for authorisation by the law of the United Kingdom or a part of the United Kingdom only if it meets a condition in Part 1, 2 or 3 of Schedule 1.
s.11. Special categories of personal data etc: supplementary
(2) In Article 10 of the [UK GDPR] and section 10, references to personal data relating to criminal convictions and offences or related security measures include personal data relating to-
(a) the alleged commission of offences by the data subject, or
(b) proceedings for an offence committed or alleged to have been committed by the data subject or the disposal of such proceedings, including sentencing.
Schedule 1 of the DPA - Special categories of personal data and criminal convictions etc data (section 10)
18. The relevant parts of the schedule provide:
Part 3 - Additional conditions relating to criminal convictions etc
29 Consent
This condition is met if the data subject has given consent to the processing.
32 Personal data in the public domain
This condition is met if the processing relates to personal data which is manifestly made public by the data subject.
Issue
19. Whether RMBC, by confirming or denying whether the requested information is held, would contravene any of the data protection principles.
Submissions
Appellant's submissions
20. The Appellant provided a lot of background documents relating to various requests for information that he had made. However, they do not address the exemption relied upon and do not assist his case.
RMBC submissions
21. There were no submissions from RMBC before us.
IC's submissions
22. Confirming or denying whether information is held would identify third party personal data, because doing so would reveal whether a defence bundle relating to a named individual exists.
23. On reviewing the DN it was noted that at the time of the request it had been publicly reported that the Data Subject had been convicted and sentenced for two separate criminal offences. The Appellant also attached a Local Ombudsman Report and email chain in which the Data Subject's public convictions had been noted in media articles. Although not explicitly confirmed, it is likely that the defence bundle referred to is in respect of the convictions that have been made public.
24. In such circumstances, the IC considers that it may be possible to satisfy Article 6(1)(f) GDPR, albeit the terms of the request are not clear as to which defence bundle is being referenced.
25. However, the very existence of a defence bundle would reveal that an allegation of the commission of an offence has been made, and a prosecution has been brought. Such information amounts to criminal offence data.
26. Criminal offence data is given special protection under Article 10 GDPR. It can only be lawfully processed if it satisfies both a condition under Article 6 GDPR, and it is authorised by Member State law providing for appropriate safeguards for the rights and freedoms of the Data Subject.
27. The DPA (s10.5) provides that processing is lawful for the purposes of Article 10 GDPR if it is carried out under the control of official authority (which is not the position in this case), or it complies with a condition under DPA Schedule 1, Parts 1, 2, or 3.
28. The only two conditions which could apply to this appeal are in Schedule 3, namely:
29 This condition is met if the data subject has given consent to the processing.
32 This condition is met if the processing relates to personal data which is manifestly made public by the data subject.
29. There is no evidence that the Data Subject gave his consent to disclosure, nor that he, himself, made the existence of any prosecution clearly available to the public. The legislation makes clear that he must have made the personal data public himself.
30. Accordingly, regardless of the position concerning compliance with Article 6(1)(f) GDPR, it would not be possible to satisfy a condition for processing in respect of Article 10 GDPR, given that any confirmation or denial would reveal criminal offence data.
Discussion and conclusion
31. The reason given for neither confirming nor denying is a technical one. Whilst we note the Appellant's submitted documents and arguments, which provide background to his requests for information from RMBC, they do not address the issue in this appeal of whether confirming or denying that the requested information is held would contravene any of the data protection principles.
32. We have considered the Appellant's grounds of appeal. However, they do not assist him. There is no error on the part of the IC. Scrutinizing RMBC's responses would make no difference to the outcome and, whilst the Appellant may not think he was seeking personal data, the mere confirmation or denial of correspondence on whether the report was in the defence bundle, is itself personal information.
33. The IC has set out clearly the legal reasons why RMBC cannot confirm or deny whether it holds the requested information. Our understanding of the law accords with that of the IC and we can do no better than to endorse the IC's reasoning.
34. In summary, the legal position is:
35. The duty to confirm or deny does not arise if it would contravene any of the data protection principles (s40(5B) FOIA).
36. Processing shall only be lawful if it is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (Article 6(1)(f) GDPR).
37. Processing of personal data relating to criminal convictions or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by domestic law providing for appropriate safeguards for the rights and freedoms of data subjects (Article 10(1) GDPR).
38. The processing meets the requirements in Article 10 GDPR for authorisation by the law of the United Kingdom only if it meets a condition in Part 1, 2 or 3 of Schedule 1 DPA (s.10(5) DPA).
39. The only conditions which are relevant are condition 29 (consent) and condition 32 (where the personal data is manifestly made public by the data subject). There is no evidence that either condition has been met.
40. Therefore, if RMBC confirmed or denied the information requested, it would contravene the data protection principles of Article 10(1) GDPR.
41. Consequently, RMBC is entitled to rely on s.40(5B) FOIA, which exempts it from the duty to confirm or deny in these circumstances.
Conclusion
42. For the reasons set out above, we find that RMBC is entitled to rely on s.40(5B) of FOIA to refuse to confirm or deny whether it holds the requested information.
Signed Judge Liz Ord Date: 10 June 2024
Promulgated on: 24 June 2024