Tribunal Decision in Darbari Rachhpaul Singh Bedi Case Highlights Balancing Act Between Freedom of Information and Personal Data Protection

Citation: [2023] UKFTT 986 (GRC)
Judgment on

Introduction

In the recent First-tier Tribunal case of Darbari Rachhpaul Singh Bedi v The Information Commissioner ([2023] UKFTT 986 (GRC)), the tribunal examined the boundaries of personal data under the Data Protection Act (DPA) and the Freedom of Information Act (FOIA). The case provides insight into the interface between an individual’s right to access information and the protection of personal data, particularly when a request under the FOIA may indirectly lead to the identification of individuals.

Key Facts

Darbari Rachhpaul Singh Bedi, the appellant, requested specific information from the London Borough of Hounslow regarding properties that had become vacant, aiming to dispute the reasonableness and necessity of decanting him and his wife to a far location as part of a dispute with the Council. The Council provided some information but withheld full addresses of certain properties, invoking Section 40(2) of the FOIA on the grounds that disclosing such data would constitute personal data under the DPA.

After the Council’s internal review and subsequent involvement of the Information Commissioner’s Office (ICO), which sided with the Council’s decision, the matter progressed to the tribunal. The Appellant challenged the classification of the requested information as personal data, arguing it would not lead to identification of any individual and that his legitimate interest justified the disclosure.

The tribunal’s analysis centered around the definition of personal data under Section 3(2) of the DPA and the application of EU Regulation 2016/679 (General Data Protection Regulation or GDPR) criteria, which emphasize the “identifiability” of a natural person. The regulation’s criteria require consideration of all the means ‘reasonably likely to be used’ for identification, considering technology and costs.

The key legal principles applied revolve around:

  1. Identification: Whether the specific data requested could potentially identify individuals directly or indirectly.
  2. Legitimate Interest: Balancing the appellant’s legitimate interest in accessing the information against the data subjects’ privacy rights.
  3. Least Intrusive Means: Whether the already provided data is sufficient to satisfy the appellant’s legitimate interests without necessitating further disclosure.

Outcomes

The tribunal found that the requested information was indeed personal data as it could lead to the identification of individuals combined with publicly available data. Thus, satisfying one of the criteria for disclosure was essential.

Furthermore, the tribunal held that none of the lawful bases enumerated in Article 6 of GDPR (consent, contract, legal obligation, vital interest, performance of a task carried out in the public interest or official authority, and legitimate interest) justified the requested disclosure. The tribunal also noted that the partial addresses and the number of days the properties were vacant provided to the appellant sufficed for his purposes and that if more detailed information were needed for litigation, this could be achieved without public disclosure.

Conclusion

The tribunal’s decision in Darbari Rachhpaul Singh Bedi v The Information Commissioner underscores the delicate balance between freedom of information and protecting personal data. By reiterating the principles of data identification and the necessary lawful bases for processing personal data, the tribunal provides valuable guidance concerning information requests that could potentially impinge upon personal privacy. This case illustrates the need for requesters under FOIA to be aware of the limitations imposed by data protection laws and for public authorities to judiciously apply exemptions where personal data could inadvertently be disclosed.