Tribunal Upholds Decision to Withhold Report Under FOIA Section 40(2) Based on Data Protection Principles

Citation: [2023] UKFTT 1021 (GRC)
Judgment on

Introduction

The case of Sean Burns v The Information Commissioner ([2023] UKFTT 1021 (GRC)) addresses significant concepts within the domain of information rights, specifically under the Freedom of Information Act 2000 (FOIA) and the UK General Data Protection Regulation (UK GDPR). The primary question revolved around the exemption from disclosure of information under FOIA section 40(2) on the grounds of compliance with data protection principles and whether the Information Commissioner’s office correctly upheld Charities Commission for Northern Ireland’s (CCNI) decision to withhold a report containing personal data as defined by the Data Protection Act 2018.

Key Facts

Sean Burns requested a report from the CCNI examining the activities of a charity known as the Growth for Adolescents and Providing Support Northern Ireland (GAPS NI). After CCNI denied the request, citing the report as exempt information under Section 36(2)(c) FOIA initially, and later Section 40(2) FOIA, Mr. Burns appealed the decision, leading to an assessment by the Information Commissioner and, subsequently, to a tribunal examination.

The Mckee & Hughes v The Charity Commission for Northern Ireland ([2020] NICA 13) ruling was pertinent to the case, as it prompted the CCNI to reassess previous decisions, including those relating to GAPS NI.

Freedom of Information Act 2000 (FOIA)

The tribunal’s analysis primarily hinged upon FOIA’s stipulations, which permit public access to information unless a valid exemption applies. Two exemptions were under scrutiny:

  1. Section 36(2)(c) FOIA, which is a qualified exemption, depending on whether the public interest in withholding the information outweighs the public interest in disclosing it.

  2. Section 40(2) FOIA, an absolute exemption concerning personal data, where disclosure to the public would contravene data protection principles or if it involves data related to criminal convictions, offences, or allegations (as highlighted in Article 10 UK GDPR).

Furthermore, the legal principles include the data processing basis as per the Data Protection Act 2018 and the UK GDPR. For personal data to be lawfully processed (disclosed in this case), it must fulfill the criteria set forth in Schedule 1, Part 3 of the DPA, which includes the data subject’s consent, or the conditions where the data subject has made the data public.

UK General Data Protection Regulation (UK GDPR)

The application of Article 10 UK GDPR concerning personal data about criminal convictions, offences, or related security measures was central. The processing of such data is only authorized under the control of an official authority or specific UK law safeguarding the individual’s rights and freedoms.

Outcomes

The tribunal’s extensive deliberation led to the conclusion that the exemption under Section 40(2) of the FOIA applied to CCNI’s decision to withhold the report, thus upholding the Information Commissioner’s decision. They found that redacting personal data from the report to make it publishable while complying with Article 10 UK GDPR was not feasible. The prior public availability of the report did not override the lawful processing requirements of the current FOIA request.

Conclusion

The tribunal’s decision reinforces the balance between public access to information and data protection rights. It highlights the application of a narrow interpretation of FOIA requests where broadening the request’s scope is not aligned with the initial inquiry. It also clarifies the enduring protection of personal data related to criminal matters, as delineated by the UK GDPR. Legal professionals dealing with FOIA requests should glean from this case the judiciary’s firm stance on the protection of personal data and the conditions under which it may be exempt from public disclosure.