Case Law Article: Sheldon v ICO - Balancing Transparency and Data Protection Under FOIA & UK GDPR

Introduction

The case of Andrew Sheldon v The Information Commissioner & Anor addresses a dispute related to the Freedom of Information Act 2000 (FOIA) and the UK General Data Protection Regulation (UK GDPR) concerning a request for information made by Andrew Sheldon to Castle Point Borough Council. The key legal contention revolves around the Council’s refusal to confirm or deny whether the requested information was held, invoking Section 40(5B)(a)(i) of FOIA on the grounds of compliance with data protection principles.

Key Facts

Sheldon, the appellant and former leader of the Council, requested specific meeting agendas, minutes, and report titles within a defined timeframe, presumably to assess the Council’s compliance with statutory obligations. The Council refused to confirm or deny possessing the information, citing the potential disclosure of personal data of third parties. Sheldon appealed the Information Commissioner’s Decision Notice supporting the Council, arguing that much of the information could be disclosed without breaching data protection laws.

Legal Principles

Several legal principles and tests were applied to ascertain whether the Council’s response under the FOIA was lawfully justified:

1. Legitimate Interests Basis (Article 6(1)(f) UK GDPR): This basis for lawful processing of personal data requires a balance between the controller’s or a third party’s legitimate interests and the interests or fundamental rights and freedoms of the data subject.

2. The Legitimate Interests Test: As articulated in the South Lanarkshire Council v Scottish Information Commissioner case, it examines if (i) a legitimate interest is being pursued, (ii) processing is necessary for the purposes of those interests, and (iii) processing is not unwarranted by prejudice to the rights and freedoms of the data subject.

3. Necessity and Reasonable Expectation of Privacy: The Tribunal considered whether confirming or denying the possession of requested information was necessary to fulfil Sheldon’s legitimate interest and if an expectation of privacy by the involved individuals was reasonable.

4. Public Interest Test (Section 2(1) FOIA): This test assesses whether the exclusion of the Duty to Inform (in this case, confirming or denying if the information is held) outweighs the public interest in knowing if the information is held by the authority.

5. ‘Motivated Intruder’ Test: This concerns the indirect identification of individuals, recognising the potential for a determined person to use all reasonable means to identify individuals from anonymised or pseudonymised data.

Outcomes

The Tribunal dismissed Sheldon’s appeal on several grounds:

• Confirmed personal data was involved as theoretically Sheldon could identify involved individuals using his background knowledge.
• Determined that the Council’s response under FOIA was subject to a public interest test, instead of being an absolute exemption, which the Information Commissioner had failed to apply in the Decision Notice.
• Concluded that confirming or denying whether information was held would contravene the first data protection principle, as there were other means, less intrusive to privacy rights, to satisfy Sheldon’s legitimate interest.
• Despite the procedural error in not applying the Public Interest Test, the Tribunal ultimately agreed with the outcome of the Commissioner’s decision.

Conclusion

The Tribunal’s careful application of the relevant legal principles to the facts of the case has reinforced the protection of personal data under FOIA and the UK GDPR. It demonstrates a robust approach to balancing the public interest in transparency against the privacy rights of individuals, with clear deference to less intrusive means to achieve a legitimate interest. The Tribunal’s decision serves as a guidepost for public authorities managing FOIA requests implicating personal data and affirms the nuanced legal framework governing information rights.