FOIA Appeal Case Balances Transparency and Data Protection

Citation: [2024] UKFTT 71 (GRC)
Judgment on

Introduction

The case of Christopher McKeon v The Information Commissioner & Anor [2024] UKFTT 71 (GRC) deals with an appeal against a decision made by the Information Commissioner regarding the Freedom of Information Act 2000 (FOIA) request. The appellant sought disclosure of information pertaining to the employment and turnover of staff by Members of Parliament (MPs) which was refused on data protection grounds. This case provides insight into the balance between public interest in transparency and the privacy rights of individuals, emphasizing the legal principles surrounding the FOIA and personal data protection under the GDPR.

Key Facts

Christopher McKeon (the Appellant) requested information from the Independent Parliamentary Standards Authority (IPSA) concerning staff employment and turnover rates for MPs, which was provided in an anonymized form. However, he sought unredacted information, which was denied by IPSA under Sections 40(2) and 40(3A)(a) of the FOIA due to concerns over personal data protection. The Appellant appealed IPSA’s decision to the Information Commissioner, and after its affirmation, appealed further to the First-Tier Tribunal (General Regulatory Chamber) Information Rights (the Tribunal).

The Tribunal’s analysis centered around the legal framework established by the FOIA and the UK GDPR. The key principles at play in this case included:

  1. Public Right of Access (Section 1(1) FOIA): Establishes that there is a general right to access information from public authorities, subject to certain exemptions.

  2. Exemption for Personal Data (Section 40 FOIA): Provides an absolute exemption if the disclosure of personal data would contravene any of the data protection principles.

  3. Data Protection Principles (Article 5(1)(a) GDPR): Dictates that the processing of personal data must be lawful, fair, and transparent, and that the rights of data subjects should be adequately protected.

  4. Identifiability (Article 4 GDPR): Deals with the concept of personal data and stresses the importance of considering all the means reasonably likely to be used to identify an individual directly or indirectly.

  5. Legitimate Interests Assessment: Involves a three-part test to evaluate the necessity of disclosure against the interests or fundamental rights and freedoms of data subjects.

  6. Engagement of the ‘Motivated Intruder’ Test: Explored in Information Commissioner v Magherafelt District Council [2012] UKUT 263 and Miller v Information Commissioner [2018] UKUT 229, which assesses the likelihood of identification of data subjects by third parties.

  7. Risk to Health or Safety (Section 38(1) FOIA): Considers whether the disclosure of information would or would be likely to endanger the physical or mental health or safety of any individual.

The Tribunal adopted the reasoning and the approach taken by the Information Commissioner. Particular emphasis was placed on the legitimacy of the interests for requesting the information, the necessity of the information with regard to those interests, and the potential consequences for the data subjects’ rights and freedoms.

Outcomes

The Tribunal concluded that releasing the information would likely lead to the identification of the individual staff members. Given their or other subjects’ legitimate expectation of privacy, and how their identification could allow for unwarranted and harmful inferential conclusions to be drawn, the Tribunal decided not to disclose the information. It was found that the Commissioner’s decision was correct in law and that the balance of interests weighed in favor of non-disclosure under the data protection principles. As a result, the Tribunal dismissed the appeal.

Conclusion

The Tribunal’s decision in Christopher McKeon v The Information Commissioner & Anor reaffirms the principle that the right to access information held by public authorities is not absolute and must be balanced against the data protection rights of third parties. It demonstrates a rigorous application of the legal framework governing access to information and personal data protection in the UK, taking into consideration the real-world implications of disclosing sensitive information to the public. For practitioners, this case underscores the criticality of context and the potential impact on data subjects when interpreting and applying exemptions to FOIA requests.