Guide to Information Management

Published on January 2017


A Guide to Information Management
An introduction to the Freedom of Information
Act 2000 and the Data Protection Act 1998.


This paper seeks to set out an introduction to the obligations on public bodies that
handle data which relate to their own organisations or to someone else – often called
Information Governance. This is an area where common law principles, obligations
under contracts and imposed professional obligations apply as well as statutory
schemes under the Acts, and so it is important to understand the framework of laws
which relate to information governance. This should not be taken as a definitive
guide to the law on Information Governance but is designed so that lawyers will have
an idea where to look next.

Professional Obligations under the GMC Code of Conduct
The obligations of professionals to respect the confidentiality of material they hold are
set out in professional rules. For example, the duties on doctors regarding
confidentiality start with paragraph 37 of Good Medical Practice 2006, which provides:

“Patients have a right to expect that information about them will be held in
confidence by their doctors. You must treat information about patients as
confidential, including after a patient has died. If you are considering
disclosing confidential information without a patient's consent, you must follow
the guidance in Confidentiality: Protecting and providing information”

The separate GMC Guide, Confidentiality: Protecting and providing information [1], was
published in 2004 to clarify the framework in which doctors must work. The
principles are explained as follows:

[1] http://www.gmc-uk.org/guidance/current/library/confidentiality.asp#1

“1. Patients have a right to expect that information about them will be held in
confidence by their doctors. Confidentiality is central to trust between doctors
and patients. Without assurances about confidentiality, patients may be
reluctant to give doctors the information they need in order to provide good
care. If you are asked to provide information about patients you must:
• inform patients about the disclosure, or check that they have already
received information about it;
• anonymise data where unidentifiable data will serve the purpose;
• be satisfied that patients know about disclosures necessary to provide
their care, or for local clinical audit of that care, that they can object to
these disclosures but have not done so;
• seek patients’ express consent to disclosure of information, where
identifiable data is needed for any purpose other than the provision of
care or for clinical audit – save in the exceptional circumstances
described in this booklet;
• keep disclosures to the minimum necessary; and
• keep up to date with and observe the requirements of statute and
common law, including data protection legislation.
2. You must always be prepared to justify your decisions in accordance with
this guidance”
Perhaps the most difficult area is where a doctor feels that disclosure must be made
in the public interest, even against the wishes of the patient. The Guidance, which
very largely follows the common law, provides as follows:

“Disclosures in the public interest
22. Personal information may be disclosed in the public interest, without the
patient’s consent, and in exceptional cases where patients have withheld
consent, where the benefits to an individual or to society of the disclosure
outweigh the public and the patient’s interest in keeping the information
confidential. In all cases where you consider disclosing information without
consent from the patient, you must weigh the possible harm (both to the
patient, and the overall trust between doctors and patients) against the
benefits which are likely to arise from the release of information.
23. Before considering whether a disclosure of personal information ‘in the
public interest’ would be justified, you must be satisfied that identifiable data
are necessary for the purpose, or that it is not practicable to anonymise the
data. In such cases you should still try to seek patients’ consent, unless it is
not practicable to do so, for example because:
• the patients are not competent to give consent (see paragraphs 28 and
29); or
• the records are of such age and/or number that reasonable efforts to
trace patients are unlikely to be successful; or
• the patient has been, or may be violent; or obtaining consent would
undermine the purpose of the disclosure (eg disclosures in relation to
crime); or
• action must be taken quickly (for example in the detection or control of
outbreaks of some communicable diseases) and there is insufficient
time to contact patients.
24. In cases where there is a serious risk to the patient or others, disclosures
may be justified even where patients have been asked to agree to a
disclosure, but have withheld consent (for further advice see paragraph 27).
25. You should inform patients that a disclosure will be made, wherever it is
practicable to do so. You must document in the patient’s record any steps you
have taken to seek or obtain consent and your reasons for disclosing
information without consent.
26. Ultimately, the ‘public interest’ can be determined only by the courts; but
the GMC may also require you to justify your actions if a complaint is made
about the disclosure of identifiable information without a patient’s consent. The
potential benefits and harms of disclosures made without consent are also
considered by the Patient Information Advisory Group in considering
applications for Regulations under the Health and Social Care Act 2001.
Disclosures of data covered by a Regulation are not in breach of the common
law duty of confidentiality.
Disclosures to protect the patient or others
27. Disclosure of personal information without consent may be justified in the
public interest where failure to do so may expose the patient or others to risk
of death or serious harm. Where the patient or others are exposed to a risk so
serious that it outweighs the patient’s privacy interest, you should seek
consent to disclosure where practicable. If it is not practicable to seek consent,
you should disclose information promptly to an appropriate person or
authority. You should generally inform the patient before disclosing the
information. If you seek consent and the patient withholds it you should
consider the reasons for this, if any are provided by the patient. If you remain
of the view that disclosure is necessary to protect a third party from death or
serious harm, you should disclose information promptly to an appropriate
person or authority. Such situations arise, for example, where a disclosure
may assist in the prevention, detection or prosecution of a serious crime,
especially crimes against the person, such as abuse of children”
There are a few areas where the above public interest disclosures are limited, in
particular concerning notifiable diseases under the Public Health (Control of Diseases)
Act 1984 and the Public Health (Infectious Diseases) Regulations 1988, and some very
specific rules for hospital doctors (but interestingly not GPs) under the NHS Trusts
and Primary Care Trusts (Sexually Transmitted Diseases) Directions 2000. Under the
latter Directions, NHS bodies and PCTs are under the following obligation:
“Every NHS trust and Primary Care Trust shall take all necessary steps to
secure that any information capable of identifying an individual obtained by
any of their members or employees with respect to persons examined or
treated for any sexually transmitted disease shall not be disclosed except-
(a) for the purpose of communicating that information to a medical practitioner,
or to a person employed under the direction of a medical practitioner in
connection with the treatment of persons suffering from such disease or the
prevention of the spread thereof, and
(b) for the purpose of such treatment or prevention”
Although breach of GMC principles will largely result in a doctor coming before the
Fitness to Practise panel, the common law is influenced by professional obligations
and vice versa. Thus, in W v. Egdell [1990] 2 WLR 471 the Court of Appeal
considered a case where a consultant psychiatrist had disclosed a medical report to
the Home Office about an offender’s dangerousness without the patient’s permission
even though he had been retained as an expert for the patient and the patient’s
solicitors had decided not to use the report (which was hardly surprising in the
circumstances). The Court of Appeal upheld the right of the doctor to disclose as it
held that:

“the maintenance of the duty of confidence by a doctor to his patient was not
a matter of private but of public interest; that the public interest in maintaining
that confidence had to be balanced against the public interest in protecting
others against possible violence”

The common law duty of confidence
The classic definition of where the common law imposes a duty of confidentiality on a
person now derives from the speech of Lord Goff in AG v. Guardian Newspapers
[1990] 1 AC 109 [the Spycatcher case], where Lord Goff said as follows at 281:

“.. a duty of confidence arises when confidential information comes to the
knowledge of a person (the confidant) in circumstances where he has notice,
or is held to have agreed, that the information is confidential, with the effect
that it would be just in all the circumstances that he should be precluded from
disclosing the information to others. I have used the word "notice" advisedly, in
order to avoid the (here unnecessary) question of the extent to which actual
knowledge is necessary; though I of course understand knowledge to include
circumstances where the confidant has deliberately closed his eyes to the
obvious. The existence of this broad general principle reflects the fact that
there is such a public interest in the maintenance of confidences, that the law
will provide remedies for their protection”

However, it is also important now to reflect on the balance between the article 8 right
to privacy and the article 10 right to freedom of expression, since these are often in
direct contradiction. This contradiction was worked out by the House of Lords in
Campbell v. MGN [2004] 2 AC 457, a case involving Naomi Campbell, who sued for
damages after the Daily Mirror printed pictures of her leaving a meeting of Narcotics
Anonymous. It was also worked out more recently in Mosley v News Group
Newspapers Ltd. [2008] EWHC 1777, a judgment of Mr Justice Eady which is as
interesting for its legal analysis as for its subject matter – well, almost.

The Data Protection Act 1998
The Data Protection Act (“DPA”) requires all organisations which handle personal
information to comply with a number of important principles regarding privacy and
disclosure. Thus the Act applies to both public and private bodies and indeed
anyone who holds information in a systematic way which relates to other people.
What is data under the DPA?
Section 1 defines “data” as follows:
“data” means information which—
(a) is being processed by means of equipment operating automatically in
response to instructions given for that purpose,
(b) is recorded with the intention that it should be processed by means of
such equipment,
(c) is recorded as part of a relevant filing system or with the intention that it
should form part of a relevant filing system, . . .
(d) does not fall within paragraph (a), (b) or (c) but forms part of an
accessible record as defined by section 68; or
(e) is recorded information held by a public authority and does not fall within
any of paragraphs (a) to (d);
Hence the definition of “data” is wider for a public authority than for private
individuals.
What is processing of data?
Section 1 also defines “processing” data as follows:
“processing”, in relation to information or data, means obtaining, recording or
holding the information or data or carrying out any operation or set of
operations on the information or data, including—
(a) organisation, adaptation or alteration of the information or data,
(b) retrieval, consultation or use of the information or data,
(c) disclosure of the information or data by transmission, dissemination or
otherwise making available, or
(d) alignment, combination, blocking, erasure or destruction of the
information or data;
Thus merely holding data, even without carrying out further operations on the data, is
processing for the purposes of the Act. The Act states that anyone who processes
personal information must comply with the eight principles in Schedule 1 of the Act.
The Act also allows people to find out what personal information is held about them
by making a subject access request. This covers information held electronically and
in some paper records, and includes credit reference details.
If members of the public think they're being prevented from seeing information they're
entitled to, they can ask the Information Commissioner for assistance. The
Information Commissioner's Office is responsible for looking after their rights and
making sure personal information isn't misused. Complaints are usually dealt with
informally, but if this isn't possible, enforcement action can be taken by the
Information Commissioner.
All organisations which hold data as data controllers (and they should be registered
with the Information Commissioner's office) must make sure that they comply with the
Data Protection Act. The Information Commissioner provides the following kinds
of guidance to find out how to comply:
• Good practice notes
• Codes of practice
• Technical guidance notes
The eight principles of data protection are set out in Schedule 1 of the DPA and are
as follows:

“1. Personal data shall be processed fairly and lawfully and, in particular,
shall not be processed unless—
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the
conditions in Schedule 3 is also met.
2. Personal data shall be obtained only for one or more specified and
lawful purposes, and shall not be further processed in any manner
incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation
to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept
for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data
subjects under this Act.
7. Appropriate technical and organisational measures shall be taken
against unauthorised or unlawful processing of personal data and
against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside
the European Economic Area unless that country or territory ensures
an adequate level of protection for the rights and freedoms of data
subjects in relation to the processing of personal data”
Part II of Schedule 1 provides interpretive provisions to assist with the meaning of
each of the principles. Hence for example the guidance on the sixth principle states:

“A person is to be regarded as contravening the sixth principle if, but only if—
(a) he contravenes section 7 by failing to supply information in accordance
with that section,
(b) he contravenes section 10 by failing to comply with a notice given under
subsection (1) of that section to the extent that the notice is justified or by
failing to give a notice under subsection (3) of that section,
(c) he contravenes section 11 by failing to comply with a notice given under
subsection (1) of that section, or
(d) he contravenes section 12 by failing to comply with a notice given under
subsection (1) or (2)(b) of that section or by failing to give a notification under
subsection (2)(a) of that section or a notice under subsection (3) of that
section”

What is Personal Data?
There is a considerable debate about what is and what is not personal data. Section
1 defines personal data as follows:

“personal data” means data which relate to a living individual who can be
identified—
(a) from those data, or
(b) from those data and other information which is in the possession
of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication
of the intentions of the data controller or any other person in respect of the
individual;
It is important to note that the above definition contains an “or” and so can be
satisfied by either limb. The Court of Appeal expressed a limited view of the meaning
of personal data in Durant v Financial Services Authority [2003] EWCA Civ 1746. In
that case the Court said as follows:

“.. not all information retrieved from a computer search against an individual's
name or unique identifier is personal data within the Act. Mere mention of the
data subject in a document held by a data controller does not necessarily
amount to his personal data. Whether it does so in any particular instance
depends on where it falls in a continuum of relevance or proximity to the data
subject as distinct, say, from transactions or matters in which he may have
been involved to a greater or lesser degree. It seems to me that there are two
notions that may be of assistance. The first is whether the information is
biographical in a significant sense, that is, going beyond the recording of the
putative data subject's involvement in a matter or an event that has no
personal connotations, a life event in respect of which his privacy could not be
said to be compromised. The second is one of focus. The information should
have the putative data subject as its focus rather than some other person with
whom he may have been involved or some transaction or event in which he
may have figured or have had an interest, for example, as in this case, an
investigation into some other person's or body's conduct that he may have
instigated. In short, it is information that affects his privacy, whether in his
personal or family life, business or professional capacity”


The ICO has offered some practical advice as follows:

“A name is the most common means of identifying someone. However,
whether any potential identifier actually identifies an individual depends on the
context. By itself the name John Smith may not always be personal data
because there are many individuals with that name. However, where the name
is combined with other information (such as an address, a place of work, or a
telephone number) this will usually be sufficient to clearly identify one
individual. (Obviously, if two John Smiths, father and son, work at the same
place then the name, John Smith, and company name alone will not uniquely
identify one individual, more information will be required)”

A person has a right to access personal data about themselves but not personal data
about others. This is a right to data – to information – not to documents. Hence
there may well be occasions where the right to access data is fulfilled even though
the documents that are provided are redacted to protect the personal data of others.

In order to process personal data lawfully, a data controller must comply with all of
the provisions of Schedule 1 and satisfy at least one of the conditions in Schedule 2.
The Schedule 2 conditions are:

“1. The data subject has given his consent to the processing.
2 The processing is necessary—
(a) for the performance of a contract to which the data subject is a
party, or
(b) for the taking of steps at the request of the data subject with a
view to entering into a contract.
3 The processing is necessary for compliance with any legal obligation to
which the data controller is subject, other than an obligation imposed by
contract.
4 The processing is necessary in order to protect the vital interests of the
data subject.
5 The processing is necessary—
(a) for the administration of justice,
(aa) for the exercise of any functions of either House of Parliament,
(b) for the exercise of any functions conferred on any person by or
under any enactment,
(c) for the exercise of any functions of the Crown, a Minister of the
Crown or a government department, or
(d) for the exercise of any other functions of a public nature
exercised in the public interest by any person.
6 (1) The processing is necessary for the purposes of legitimate
interests pursued by the data controller or by the third party or parties to
whom the data are disclosed, except where the processing is
unwarranted in any particular case by reason of prejudice to the rights
and freedoms or legitimate interests of the data subject.
(2) The [Secretary of State] may by order specify particular
circumstances in which this condition is, or is not, to be taken to be
satisfied”

Sensitive Personal Data
Extra protections exist under the DPA for “sensitive personal data”. This is
defined in section 2 of the Act as follows:

“In this Act “sensitive personal data” means personal data consisting of
information as to—
(a) the racial or ethnic origin of the data subject,
(b) his political opinions,
(c) his religious beliefs or other beliefs of a similar nature,
(d) whether he is a member of a trade union (within the meaning of the
Trade Union and Labour Relations (Consolidation) Act 1992),
(e) his physical or mental health or condition,
(f) his sexual life,
(g) the commission or alleged commission by him of any offence, or
(h) any proceedings for any offence committed or alleged to have been
committed by him, the disposal of such proceedings or the sentence of any
court in such proceedings”
In order to process sensitive personal data lawfully, the data controller must comply
with Schedule 1, one of the conditions in Schedule 2 and at least one of the
conditions in Schedule 3. The Schedule 3 conditions are much tighter and are as
follows:

“1. The data subject has given his explicit consent to the processing of the
personal data.
2 (1) The processing is necessary for the purposes of exercising or
performing any right or obligation which is conferred or imposed by law
on the data controller in connection with employment.
(2) The [Secretary of State] may by order—
(a) exclude the application of sub-paragraph (1) in such cases
as may be specified, or
(b) provide that, in such cases as may be specified, the
condition in subparagraph (1) is not to be regarded as satisfied
unless such further conditions as may be specified in the order
are also satisfied.
3 The processing is necessary—
(a) in order to protect the vital interests of the data subject or another
person, in a case where—
(i) consent cannot be given by or on behalf of the data subject,
or
(ii) the data controller cannot reasonably be expected to
obtain the consent of the data subject, or
(b) in order to protect the vital interests of another person, in a case
where consent by or on behalf of the data subject has been
unreasonably withheld.
4 The processing—
(a) is carried out in the course of its legitimate activities by any body
or association which—
(i) is not established or conducted for profit, and
(ii) exists for political, philosophical, religious or trade-union
purposes,
(b) is carried out with appropriate safeguards for the rights and
freedoms of data subjects,
(c) relates only to individuals who either are members of the body or
association or have regular contact with it in connection with its
purposes, and
(d) does not involve disclosure of the personal data to a third party
without the consent of the data subject.
5 The information contained in the personal data has been made public
as a result of steps deliberately taken by the data subject.
6 The processing—
(a) is necessary for the purpose of, or in connection with, any legal
proceedings (including prospective legal proceedings),
(b) is necessary for the purpose of obtaining legal advice, or
(c) is otherwise necessary for the purposes of establishing,
exercising or defending legal rights.
7 (1) The processing is necessary—
(a) for the administration of justice,
(aa) for the exercise of any functions of either House of Parliament,
(b) for the exercise of any functions conferred on any person by or
under an enactment, or
(c) for the exercise of any functions of the Crown, a Minister of the
Crown or a government department.
(2) The [Secretary of State] may by order—
(a) exclude the application of sub-paragraph (1) in such cases as
may be specified, or
(b) provide that, in such cases as may be specified, the condition in
subparagraph (1) is not to be regarded as satisfied unless such further
conditions as may be specified in the order are also satisfied.
7A (1) The processing—
(a) is either—
(i) the disclosure of sensitive personal data by a person as a
member of an anti-fraud organisation or otherwise in accordance
with any arrangements made by such an organisation; or
(ii) any other processing by that person or another person of
sensitive personal data so disclosed; and
(b) is necessary for the purposes of preventing fraud or a particular
kind of fraud.
(2) In this paragraph “an anti-fraud organisation” means any
unincorporated association, body corporate or other person which
enables or facilitates any sharing of information to prevent fraud or a
particular kind of fraud or which has any of these functions as its
purpose or one of its purposes.
8 (1) The processing is necessary for medical purposes and is
undertaken by—
(a) a health professional, or
(b) a person who in the circumstances owes a duty of confidentiality
which is equivalent to that which would arise if that person were a
health professional.
(2) In this paragraph “medical purposes” includes the purposes of
preventative medicine, medical diagnosis, medical research, the
provision of care and treatment and the management of healthcare
services.
9 (1) The processing—
(a) is of sensitive personal data consisting of information as to racial
or ethnic origin,
(b) is necessary for the purpose of identifying or keeping under
review the existence or absence of equality of opportunity or treatment
between persons of different racial or ethnic origins, with a view to
enabling such equality to be promoted or maintained, and
(c) is carried out with appropriate safeguards for the rights and
freedoms of data subjects.
(2) The [Secretary of State] may by order specify circumstances in
which processing falling within sub-paragraph (1)(a) and (b) is, or is not,
to be taken for the purposes of sub-paragraph (1)(c) to be carried out
with appropriate safeguards for the rights and freedoms of data
subjects.
10 The personal data are processed in circumstances specified in an order
made by the [Secretary of State] for the purposes of this paragraph”
Exemptions under the DPA
There is a long list of exemptions under the DPA, as every government department lined
up during the drafting of the Bill to argue that its functions should be exempt from
the provisions of the Bill. Some areas are obvious, such as those for national security,
criminal investigations and taxation. The exemption in respect of healthcare is in
section 30(1) and reads as follows:
“The Secretary of State may by order exempt from the subject information
provisions, or modify those provisions in relation to, personal data consisting
of information as to the physical or mental health or condition of the data
subject”
The Secretary of State has issued the Data Protection (Subject Access Modification)
(Health) Order 2000 which applies to personal data consisting of information as to
the physical or mental health or condition of the data subject. It provides under
paragraph 5(1) as follows:
“Personal data to which this Order applies are exempt from section 7 in any
case to the extent to which the application of that section would be likely to
cause serious harm to the physical or mental health or condition of the data
subject or any other person”
If the data controller is not a health professional there is a requirement to consult a
health professional before the exemption is claimed under paragraph 5(2).
There are also provisions which expressly prevent information relating to a child from
being disclosed to a parent, in response to a request by the parent, if the information
has been:
“(a) provided by the data subject (the child) in the expectation that it would
not be disclosed to the person making the request;
(b) obtained as a result of any examination or investigation to which the
data subject (the child) consented in the expectation that the information
would not be so disclosed; or
(c) which the data subject (the child) has expressly indicated should not be
so disclosed”
The right to maintain the confidentiality of medical treatment provided to a child was
recently upheld in Axon, R (on the application of) v Secretary of State for Health &
Anor [2006] EWHC 37 (Admin), although interestingly there was no reference to the
above Order in the judgment. This case in turn followed the well-known case of
Gillick v West Norfolk and Wisbech Health Authority [1986] 1 AC 112.
The Order gives the same protection as a child to a data subject who is incapable of
managing his own affairs, where a person has been appointed by a court to manage
those affairs.
Section 31 is an exemption for those engaged in regulatory activities. It states:

“(1) Personal data processed for the purposes of discharging functions to
which this subsection applies are exempt from the subject information
provisions in any case to the extent to which the application of those
provisions to the data would be likely to prejudice the proper discharge of
those functions”
The regulatory activities include “any relevant function which is designed for
protecting members of the public against:
“(i) financial loss due to dishonesty, malpractice or other seriously improper
conduct by, or the unfitness or incompetence of, persons concerned in the
provision of banking, insurance, investment or other financial services or in the
management of bodies corporate,
(ii) financial loss due to the conduct of discharged or undischarged
bankrupts, or
(iii) dishonesty, malpractice or other seriously improper conduct by, or the
unfitness or incompetence of, persons authorised to carry on any profession
or other activity”
Hence the GMC, GDC and other health regulators would potentially be within the
scope of the section.
There are other exemptions in schedule 7 which include confidential references. The
paragraph states:
“Personal data are exempt from section 7 if they consist of a reference given
or to be given in confidence by the data controller for the purposes of—
(a) the education, training or employment, or prospective education, training
or employment, of the data subject,
(b) the appointment, or prospective appointment, of the data subject to any
office, or
(c) the provision, or prospective provision, by the data subject of any
service”
The Data Protection Act sets up a system whereby the Information Commissioner
regulates the release of data by data controllers. Any member of the public can
apply to the Information Commissioner about a failure to process information
lawfully under section 42, which states:
“A request may be made to the Commissioner by or on behalf of any person
who is, or believes himself to be, directly affected by any processing of
personal data for an assessment as to whether it is likely or unlikely that the
processing has been or is being carried out in compliance with the provisions
of this Act”
The Information Commissioner can then seek information from the data controller
and make a determination under section 45. It is a criminal offence to fail to comply
with a ruling from the Information Commissioner under section 47.
However, the data controller has a right of appeal under section 48 to the Information
Tribunal, whose powers are set out in Schedule 6 and which operates under the
Information Tribunal (Enforcement Appeals) Rules 2005.
The Information Tribunal, formerly known as the Data Protection Tribunal, hears
appeals from notices issued by the Information Commissioner under:
• Freedom of Information Act 2000 (FOIA)
• Data Protection Act 1998 (DPA)
• The Privacy and Electronic Communications Regulation 2003 (PECR)
• The Environmental Information Regulations 2004 (EIR)
When a Minister of the Crown issues a certificate on grounds of national security, a
special panel of the Information Tribunal called the National Security Appeals Panel
(NSAP), manages and hears any appeals. Except for NSAP cases, a panel
composed of the Chairman or a Deputy Chairman along with two Non Legal
Members, all appointed by the Lord Chancellor, hears appeals at venues across the
United Kingdom. The oral hearings are open to the public. Details can be found at
http://www.informationtribunal.gov.uk.
The Act contains many “grey” areas where the judgment of the data controller is
called upon before a decision can be made about whether to process information in
a particular way under the Act. There is a limited amount of guidance from the
Information Commissioner’s office, which can be useful (although the Information
Commissioner tends to err on the side of retention of personal information, as well
as on the side of disclosure of public information), and there are some decisions of
the Information Tribunal. However in the end it is often a case of “taking a view” on
an unreported area. In taking such a view the structure of the Act, the principles
under the Directive which underlies it and previous decisions in other areas are all
relevant.
The Freedom of Information Act 2000.
The other major piece of legislation which governs information management is the
Freedom of Information Act 2000 (FOIA). This Act was brought in to put the
disclosure of official information by public bodies on a statutory footing. It has proved
to be very helpful to journalists in extracting official information that public bodies
would prefer to keep secret and has been a busy-bodies’ charter. However the
extent to which it has changed the behaviour of government bodies and made them
more open in their dealings with the public is probably unproven at this stage.
A White Paper was published by the new Labour government in 1998 called “Your
Right to Know: The Government's proposals for a Freedom of Information Act”. The
opening to that White Paper explained the reasoning as follows:
“Unnecessary secrecy in government leads to arrogance in governance and
defective decision-making. The perception of excessive secrecy has become
a corrosive influence in the decline of public confidence in government.
Moreover, the climate of public opinion has changed: people expect much
greater openness and accountability from government than they used to”
At the heart of the Act was a commitment that any member of the public was, subject
to the exemptions under the Act, entitled to see any government document. This
was explained as follows:
“2.6 This is at the heart of the Act. The Government sees it as taking the
general form of a right, exercisable by any individual, company or other body
to records or information of any date held by the public authority concerned in
connection with its public functions.
"... by any individual, company or other body"

2.7 Anybody can apply for information. Applicants will not need to
demonstrate or state their purpose in applying for information. All requests will
be considered equally on their contents, not on the stated or presumed
intentions of the applicant.
"... to records or information ..."
However when the draft Freedom of Information Bill was eventually published many
of the commitments made in the Bill had been substantially watered down by the
Whitehall machine (and as the new government realised that making information
open to the public could become a political liability for the incumbent government).
The passage of the Bill was stormy and amendment after amendment was conceded
to bring the Bill back to nearly the set of commitments in the White Paper. However
the result was a Bill that is not easy to use because it has a complex architecture.
The primary right is in section 1(1) which provides:
“(1) Any person making a request for information to a public authority is
entitled—
(a) to be informed in writing by the public authority whether it holds information
of the description specified in the request, and
(b) if that is the case, to have that information communicated to him”
Hence there are 2 separate rights here – the right to be told whether a government
body has information and then to obtain copies of the information.
Section 1(4) defines the extent of the duty as follows:
“The information—
(a) in respect of which the applicant is to be informed under subsection
(1)(a), or
(b) which is to be communicated under subsection (1)(b),
is the information in question held at the time when the request is received,
except that account may be taken of any amendment or deletion made
between that time and the time when the information is to be communicated
under subsection (1)(b), being an amendment or deletion that would have
been made regardless of the receipt of the request”
Thus there is no duty to obtain information from other bodies or create information for
the purpose of the Act.
Types of exemption under FOIA
There are two types of exemption under the Act – absolute exemptions and qualified
exemptions. This comes from section 2(1) which provides:
“Where any provision of Part II states that the duty to confirm or deny does not
arise in relation to any information, the effect of the provision is that where
either—
(a) the provision confers absolute exemption, or
(b) in all the circumstances of the case, the public interest in
maintaining the exclusion of the duty to confirm or deny outweighs the
public interest in disclosing whether the public authority holds the
information,
section 1(1)(a) does not apply”
Section 2(1)(b) contains the “public interest test”. It is clear that there is a
presumption in the test in favour of disclosure because the duty to make the case for
withholding the information in the public interest lies on the public body which is
seeking to withhold the information.
Section 2(3) then lists the absolute exemptions; by implication all others are
qualified exemptions. The absolute exemptions are:
• section 21: Information accessible to applicant by other means
• section 23: Information supplied by, or relating to, bodies dealing with
security matters
• section 32: Court records, etc
• section 34: Parliamentary privilege
• section 36, so far as relating to information held by the House of
Commons or the House of Lords: Information where the release would
be prejudicial to effective conduct of public affairs
• section 40: Personal information (but see below)
• section 41: Information provided in confidence, and
• section 44: Other prohibitions on disclosure
Thus all other information held by public bodies is subject to a public interest test.
This includes information which is subject to legal professional privilege.
Section 16 places a duty on public bodies to help those who are trying to extract
information from the public body in the following form:
“(1) It shall be the duty of a public authority to provide advice and assistance,
so far as it would be reasonable to expect the authority to do so, to persons
who propose to make, or have made, requests for information to it.
(2) Any public authority which, in relation to the provision of advice or
assistance in any case, conforms with the code of practice under section 45 is
to be taken to comply with the duty imposed by subsection (1) in relation to
that case”
The appropriate limit and how to apply it.
There is a limit on what public authorities are required to do under FOIA. If the
request is for a large amount of information, public bodies should consider if
complying with the request would exceed the 'appropriate limit' of £600 for central
government, Parliament and the armed forces or £450 for other public authorities
under the fees regulations. If complying with a request would exceed the appropriate
limit, public bodies can refuse the request. However, they should help the requester
to try to narrow or refine the request.
As an alternative public bodies can also consider charging. If complying with the
request would exceed the appropriate limit (so public bodies do not have a duty to
provide the information) they can still charge for, for example, the costs of
photocopying, printing and posting [2].
The only activities that count when assessing whether the appropriate limit will be
exceeded are those costs that an authority can reasonably expect to incur in:
• determining whether it holds the information requested
• locating the information or documents containing the information
• retrieving such information or documents
• extracting the information from the document containing it (including editing or
redacting information)
£25 is the standard hourly rate that all authorities must use to calculate the staff costs
of answering requests.
Vexatious and Repeated Requests
Section 14 provides for vexatious requests. It states:
“(1) Section 1(1) does not oblige a public authority to comply with a request for
information if the request is vexatious.
(2) Where a public authority has previously complied with a request for
information which was made by any person, it is not obliged to comply with a
subsequent identical or substantially similar request from that person unless a
reasonable interval has elapsed between compliance with the previous
request and the making of the current request”
[2] Taken from the government guide at http://www.justice.gov.uk/guidance/foi-step-by-step.htm
The Ministry of Justice Guide states that a request may be vexatious if it seeks
information of a frivolous nature, if it is likely to cause distress or irritation without
justification or if it is aimed at disrupting the work of an authority or harassing
individuals in it.
A repeated request is one which is identical or substantially similar to a previous
request from the same person (with which the public authority has complied); it may
be refused under section 14, unless a reasonable interval has elapsed between it and
the previous response.
Whether a request is vexatious is determined by the information requested, not the
person making the request. An individual can make as many requests for information
as he or she wishes. Each of their requests must be considered on a case-by-case
basis (although it may be appropriate to reject substantially similar requests under
section 14(2)).
Vexatiousness needs to be assessed with reference to all the circumstances of an
individual case. However, if a request is not a genuine endeavour to access
information for its own sake, but is aimed at disrupting the work of an authority, or
harassing individuals in it, then it may well be vexatious.
The Information Tribunal has found that the history and context of a request are
important in assessing if it is vexatious, taking account of such matters as:
• the requester already being in possession of the information requested
• the use of tendentious language, suggesting that the requester's true purpose
is to argue rather than to seek information
• the requester seeking to reopen issues already visited
• the lack of justification for a request likely to cause distress or irritation. (A
distinction was drawn between unjustified distress or irritation caused by a
vexatious freedom of information request and the justified distress or irritation
which might be caused by the issue of a parking ticket.)
The Tribunal found that a request that on its face is reasonable but forms part of a
wider trend of vexatious behaviour can be vexatious.
The Information Commissioner's Office has also issued guidance on vexatious
requests. It agrees that history and context are important and it has published a set
of criteria that form a suggested general approach. This is contained in the ICO
freedom of information 'Awareness Guidance 22: Vexatious and repeated requests'.
Making a decision on whether to release the information.
Information is required to be released within 20 working days of the request unless
an exemption in the Freedom of Information Act applies, for example if:
• any of the information is personal information
• the information is now, or will soon be publicly available
• any of the other exemptions in the Act apply - for example, for reasons
relating to defence, the economy or the effective conduct of public affairs
Some of these exemptions are absolute exemptions. This means that if information
is covered by the exemption in question you are not required to release it (and, in
some cases, are not permitted to release it).
Other exemptions are subject to the public interest test. If the information in
question falls under such an exemption, you must consider whether the public
interest factors in favour of withholding the information outweigh those in favour of
release. If they do not, you must release the information; if they do, you may
withhold it.
The Ministry Guide sets out some working assumptions [3] but this is Guidance and
must be treated with some care.
[3] http://www.justice.gov.uk/guidance/foi-assumptions.htm
Personal Data under the DPA
The section on Personal Data requires a little analysis. It starts with section 40(1)
which provides:
“Any information to which a request for information relates is exempt
information if it constitutes personal data of which the applicant is the data
subject”
Hence the applicant must apply under the DPA (where there is a fee) and not the
FOIA (where data is free) for information about themselves.
The interaction between the 2 Acts is shown in sections 40(2) and (3) of FOIA which
provide:
(2) Any information to which a request for information relates is also exempt
information if—
(a) it constitutes personal data which do not fall within subsection (1),
and
(b) either the first or the second condition below is satisfied.
(3) The first condition is—
(a) in a case where the information falls within any of paragraphs (a) to
(d) of the definition of “data” in section 1(1) of the Data Protection Act
1998, that the disclosure of the information to a member of the public
otherwise than under this Act would contravene—
(i) any of the data protection principles, or
(ii) section 10 of that Act (right to prevent processing likely to
cause damage or distress), and
(b) in any other case, that the disclosure of the information to a member
of the public otherwise than under this Act would contravene any of the
data protection principles if the exemptions in section 33A(1) of the
Data Protection Act 1998 (which relate to manual data held by public
authorities) were disregarded.
(4) The second condition is that by virtue of any provision of Part IV of the
Data Protection Act 1998 the information is exempt from section 7(1)(c) of that
Act (data subject’s right of access to personal data).
The definition of data is at page 6 above. The key issue here is that if a public body
holds personal data about an individual where the concept of personal data is
defined by the DPA, there is an exemption from disclosure under FOIA.
However it is only an absolute exemption under FOIA in respect of personal
information of which the individual is the data subject or
“under subsection (2) so far as relating to cases where the first condition
referred to in that subsection is satisfied by virtue of subsection (3)(a)(i) or (b)
of that section”
The ICO has published Guidance about these confusing sections [4] which looks at
what is considered “fair” for the processing of personal data held by public bodies. It
states:
“The concept of “fairness” is harder to define, although in practice it ought not
to be difficult to judge whether it would be unfair to someone to pass on their
information without consent. The sorts of questions which should be asked
include:

• Would the disclosure cause unnecessary or unjustified distress or damage to
the person who the information is about?
• Would the third party expect that his or her information might be disclosed to
others? Is disclosure incompatible with the purposes for which it was
obtained?
• Had the person been led to believe that his or her information would be kept
secret?
• Has the third party expressly refused consent to disclosure of the
information?

• Does the legitimate interest of a member of the public seeking information
about a public authority, including personal information, outweigh the rights,
freedoms and legitimate interests of the data subject?”
[4] http://www.ico.gov.uk/upload/documents/library/freedom_of_information/detailed_specialist_guides/awareness_guidance%20_1_%20personal_information_v2.pdf
This Guidance looks at the hard issues of what can be disclosed about public officials
and advises:
“An issue which will often arise is whether the Data Protection Act prevents
the disclosure of information about members of staff. Applying the criteria
suggested above, if the information requested consists of job functions,
grades or decisions which they have made in their official capacities, then
disclosure would normally be made. On the other hand, information such as
home addresses or internal disciplinary matters would not normally be
disclosed. While it would be wrong to disclose bank account details of staff, it
would be unlikely to be unfair to publish details of expenses incurred in the
course of official business, information about pay bands, or, in the case of
senior staff, details of salaries and other benefits. While this information clearly
does relate to staff personally, there is a strong public interest in provision of
information about how a public authority has spent public money”
There are a host of other specific exemptions which we can of course discuss in
detail at a later stage but I hope that this provides an overview of information
governance.



David Lock – 21 August 2008
No5 Chambers
0870 203 5555
[email protected]
www.no5.com