InfoLaw Update - September 2012
Celebrity chefs and Masterchef contestants often prepare several dishes to present a single ingredient in a number of different ways. It is a handy way to demonstrate their mastery of a range of culinary skills – and the versatility of the ingredient in question. For this month’s InfoLaw update, for your delectation, we are serving up data protection in three different decisions.
The store cupboard ingredients
What are we working with? A quick reminder of the basic ingredients which we will be using today…
Any person making a request for information under the Freedom of Information Act (FOIA) to a public authority is entitled to be informed in writing by the public authority whether it holds the information specified in the request and, if it does hold it, subject to the application of a number of exemptions, to have that information communicated to him/her.
Among other things, information is exempt from disclosure under FOIA if it constitutes personal data about a third party and its disclosure to a member of the public would contravene any of the data protection principles set out in the Data Protection Act 1998 (DPA). The first data protection principle is that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of a number of conditions (set out in Schedule 2 to the DPA) is met. One of these conditions, which will be in the mix of ingredients considered below, is that the processing is necessary for the purposes of legitimate interests pursued by the data controller or the third parties to whom the data are disclosed. If the processing would prejudice the rights and freedoms or legitimate interests of the data subject, however, it will be unwarranted. As a result, deciding whether any processing (such as disclosure) is necessary requires a balancing exercise to be carried out between the competing interests of the data subject and the party whose legitimate interest is being pursued.
Personal data is defined in the DPA as:
“data which relates to a living individual who can be identified
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller”.
The first dish – data in a disciplinary
In this recipe, personal data processed in the context of disciplinary proceedings are considered in the context of a request under FOIA from a journalist made to Magherafelt District Council concerning disciplinary action it had taken against its staff. The council had prepared, but decided not to release, a summarised Schedule containing details of the penalty issued and reason for the action taken against each of the 15 employees concerned; it did not contain the date of the action, gender, job title or department.
The Commissioner ruled that the information contained in the Schedule was “fully anonymous” and did not therefore amount to personal data. Consequently, he found that the Schedule was not exempt from disclosure pursuant to a request under the FOIA. Subsequently, however, the First-tier Tribunal (Information Rights) (FTTIR) held that the information in the Schedule did constitute personal data under the DPA. It ruled, however, that the Schedule was exempt from disclosure as its disclosure would breach the first data protection principle on the basis of its unfairness to the employees concerned. The Commissioner appealed to the Upper Tribunal.
The Upper Tribunal dismissed the Commissioner’s appeal. It said that the proper approach to the question of whether anonymised information was personal data for the purposes of the DPA, in the context of a disclosure request, was to consider whether an individual or individuals could be identified from it and other information which was in the possession of, or likely to come into the possession of, the recipient after it had been disclosed.
Readers will recall that the definition of personal data (set out in its entirety above) refers only to information in (or likely to come into) the possession of the data controller (emphasis added). The Upper Tribunal in this case concluded (by reference, amongst other things, to Recital 26 to the Data Protection Directive) that the definition could extend to persons other than the data controller, even though this has the effect of widening the ambit of the definition in the DPA. The Tribunal concluded that a motivated individual, such as a journalist, would have little difficulty in making enquiries which could lead to the identification of the individuals subject to disciplinary action. Key to this finding was the fact that the Council was a relatively small employer, based in a small community.
Consequently, the Upper Tribunal concluded that the data in the Schedule was “personal data” for the purposes of the DPA. It also held that its disclosure would breach the first data protection principle and therefore that the Schedule was exempt from disclosure.
This decision is interesting as the difficult issue of anonymised data and whether it falls within the definition of personal data has been the subject of divergent interpretations. The tribunal’s conclusion that the starting point is to consider whether individuals can be identified from the anonymised information together with other information in (or which is likely to come into) the possession of the recipient after it has been disclosed, is a sensible and practical one.
The second dish – data in a compromise agreement
In the second recipe, the issue is disclosure of the details of a senior employee’s compromise agreement. In order to determine whether disclosing the information would have breached the employee’s data protection rights, the FTTIR had to balance the employee’s expectation of privacy against what the requester claimed was its legitimate interest, namely the public interest in accountability of expenditure by public authorities.
Trago Mills (South Devon) Ltd (Trago) had a history of planning disputes with Teignbridge District Council relating to shopping centres and other commercial premises. After several of its planning applications had been refused over a period of several years, Trago’s Chairman made a complaint of prejudice and bias against the Council’s senior planning officer (X) who had been responsible for a number of the decisions. In December 2009, an independent external investigation into X’s conduct, which had been commissioned by the Council, found that there was insufficient evidence to substantiate Trago’s allegations. Shortly afterwards, the Council released a statement that X would be taking voluntary early retirement as part of the Council’s cost-saving programme. Trago believed that the real reason for X’s departure was his “misconduct” and that this had been covered up by the Council. Trago submitted a freedom of information request to the Council asking for details of X’s termination package, his contract of employment and the remuneration paid to him during his employment.
In response to the request, the Council provided a redacted copy of X’s contract of employment but refused to disclose other information about X, on the ground that it was exempt information under the FOIA. This view was upheld by the FTTIR because, in the absence of any suggestion of wrongdoing in public office, it was difficult to see why there would be any public interest in the terms of his compromise agreement or details of his remuneration while in employment. This was the case even though X was a senior officer in a public-facing role, responsible for decisions which had potentially serious consequences for planning permission applicants.
There is a balancing exercise to be carried out between, on the one hand, the need for transparency in respect of a public authority’s use of public funds and, on the other, an individual’s reasonable expectation of privacy. Even without an express confidentiality provision, an individual would have a reasonable expectation that the terms on which his employment came to an end would be treated as confidential. In this case, the balance was in favour of X’s expectation of privacy, which outweighed the Council’s duty to be transparent and accountable for the expenditure of public money. Even if Trago had been able to establish that X had been guilty of wrongdoing in public office, this would only support a legitimate public interest if the wrongdoing had been so serious that the Council could be criticised for not having taken it into account when considering X’s application for early retirement.
This case confirms that there is a strong expectation of privacy in the terms of a compromise agreement, whether or not there is an express provision to that effect, which will not easily be overturned. The Information Commissioner recognises that compromise agreements play an important role in employment relationships in allowing the parties to conclude the relationship in a dignified way, in private. Allowing the terms of compromise agreements to be revealed could significantly undermine their value.
In this case, the FTTIR found that in making the freedom of information request, Trago had been motivated by a personal grievance against X, rather than public interest considerations and, although the Chairman of Trago had made reference to the public interest in local authorities acting fairly and properly, this was not considered a sufficient reason for allowing confidential personal information to be disclosed.
In some instances there will be a more compelling public interest in the disclosure of personal information, including details of termination packages. Where there is a belief that the departing employee of a public authority is being rewarded for failure, there may well be public interest considerations, but there must be more than a speculative allegation of failure or wrongdoing. The seniority of the individual and the circumstances of departure will be relevant factors. In another, similar case, for example, the FTTIR did order a local authority to disclose the financial details of its former chief executive's compromise agreement, where she left in the midst of a financial crisis and had been ultimately responsible for an overspend of £800,000. In those circumstances, the FTTIR did not consider it reasonable for either party to expect that the information in the agreement relating to the use of public funds could be hidden from the public on the basis of a confidentiality clause agreed between them.
And to finish…. recycled data
The Information Commissioner has this month used his powers under the DPA to impose a monetary penalty of £250,000 on a local authority, Scottish Borders Council, after records relating to the pensions of its former employees (which contained both salary and bank account details) were found in a paper recycling bank in a supermarket car park. 848 individuals were affected although another 8,000 records had potentially been at risk.
The Council had, for a number of years, been digitising the pension records of its past employees and former members of the pension scheme. The work had been outsourced but no contract had been put in place with the organisation carrying out the work. For this and a number of other reasons, the Council had clearly failed to meet its obligations under the DPA to ensure the appropriate level of security in relation to the personal data of the individuals concerned.
Although the Council had terminated the arrangement with the sub-contractor as soon as the breach was discovered, the Information Commissioner took the view that there was a clear failure to take reasonable steps to prevent this breach. Despite the fact that no adverse effects have been reported to date, that the Council voluntarily reported the breach and has, throughout, been fully co-operative with the Information Commissioner’s office, the amount of the monetary penalty was set at this level to reflect the nature of the confidential personal data in question, that the number of affected (or potentially affected) individuals was so high, that the contravention had been going on since 2005 and that identity fraud and associated financial loss might have resulted.
Clearly, this decision emphasises, if further emphasis were needed, that organisations must realise the importance of properly managing third parties who process personal data on their behalf. This, and the £325,000 penalty levied on Brighton and Sussex University Hospitals Trust after more than 200 hard drives containing sensitive personal data were found to have been sold on an internet auction site, clearly demonstrate that it is as important to consider data protection implications arising out of the destruction of information as it is to consider an organisation’s obligations in the context of other processing. The importance of implementing, maintaining and developing internal processes, particularly in the context of outsourcing, cannot be overstated.
If you require a review (or a taste test) of any of your data protection dishes, please contact us on 01228 552222 or email email@example.com.
Published: Thursday 20th September 2012
Categorised: Information Law