Tuesday, December 24, 2013

How to tell if the FOI response you have received is bullshit. Part 3: personal data, section 40

I am going to concentrate on information about employees of public authorities. When it comes to information about members of the public, you have, quite rightly, pretty much no chance of getting it. After all, what information that you gave your local authority, NHS, police, social care provider, etc, would you be happy with being released into the public domain? None, right? Damn right.

The safeguards on personal data are in the Data Protection Act (DPA), not the FOI Act. S40 of the FOIA is best thought of as pretty much saying 'refer to the DPA'.

The DPA is complicated. People will talk about sections, schedules and principles. For the requestor (at this point, all practitioners look away), it is best to think of them as the same sort of thing - they are just bits of, in this case, the DPA.

The DPA says that there are two kinds of information relating to people: personal data and sensitive personal data.

Sensitive personal data is listed in the DPA as race/ethnicity; political opinions; religious belief; membership of a trade union; physical or mental health; sexual life; offences; proceedings relating to an offence.

Personal data is any information that relates to an identifiable individual. This is sometimes harder to spot as it is not so neatly categorised. Almost anything can be personal data (it's not just names). Saying 'a London-based tweeter and blogger on FOI who works in London, who attended a conference on FOI and scientific archives in Rio in 2013' ends up being personal data. This is because although it does not name me, it does give enough unique information about me to identify me. Every element in it can be recombined with information in the public domain (Twitter, my blog) so that a super sleuth, or just you, my dear attentive reader, can work out that this can only refer to me. This is why more than just a name is often redacted.

Two sections are used: s40(2) and, far more rarely, s40(5).

Let's concentrate on s40(2) by looking at examples:

Question: can I please have a list of all staff job titles?

Ok, often an organisation has only 1 strategic head of intelligence training. But the key here is to realise that people can be replaced. A job title does not specifically and indefinitely refer to one person. So, the BBC reply at https://www.whatdotheyknow.com/request/health_staff#incoming-378738 is patently absurd. Job titles, no matter what, cannot be withheld. Unless they relate to a security organisation, where it will simply not be released, you should get this information. Most attempts to withhold this are pretty much nonsense.

Question: can I please have the names of all staff working at your organisation?

Ok, even this can be complicated. The DPA does not list names or the fact that a person works at a particular place as being sensitive personal data. By and large, names are not personal data (although the true story is fiendishly complicated).

So, now you look to two things:

Whether release is 'fair' and whether a schedule 2 condition of the DPA has been satisfied. So, look for a fairness argument and a schedule 2 argument.

Fairness has something to do with the expectations of the employees. Seniority might have something to do with this. So might whether staff are already public facing (it would be silly to argue that it would be unfair to release the name of the FOI officer when his/her name is likely already splashed all over Whatdotheyknow.com).

Then there needs to be an examination of schedule 2 conditions. Most of the time, this means consent (which public authorities do not have to ask for, so there is almost never consent).

So, mostly, you cannot have the names of everyone.

The key is that staff who are senior or important will have their names released. If you are asking about senior staff (and the definitions vary - generally, it is people earning about £40k and over), they can have few expectations of privacy when it comes to simply being named.

So, if ALL of the information is being withheld, it is likely to be bullshit.

Question: can I have the salaries of all staff at your organisation?

The ICO guidance is that you get these in bands of £5k. That is enough to ensure transparency. After all, if someone is on £70,000-£74,999, that is enough to know whether they are paid an appropriate amount. Personally, I cannot see why people might want more.

There was a lovely decision notice against NHS Surrey in Dicker vs ICO, where there was a question about an NHS senior exec that might have been paid more than the national guidelines, and where the Tribunal set out that such senior staff can have pretty much no expectations of privacy. But this is rare (and I still don't agree with it). On the whole, you should get the information.

Question: can I have the numbers of Buddhists at your organisation?

This is sensitive personal data. But only if you can identify the individuals from the answer. Imagine the answer is 20. If you knew, for example, that FOIston Council, which has 20,000 employees, has 20 people who have self-identified as Buddhists, this is only personal data if knowing the fact that it employs 20 Buddhists can be recombined with other data that is either in the public domain or might end up in the public domain to work out exactly who they are. Often, the organisation will be risk averse and not release. But if the answer does not provide you with a decent argument about how the data is personal data, how it can be used to work out who the individuals are, then the answer is likely not to be strong enough (a.k.a., it is bullshit). But, imagine that FOIston Council only has one member of staff who is a Buddhist. Now what? Well, this is more dangerous, but similarly, the council must provide you with a decent argument explaining how it is personal data and how such information could be used to identify an individual.

Question: can I have the names of staff against whom there has been more than one complaint?

I guess that the purpose of this question is to see if FOIston Council is carrying any dead weight: whether it takes people screwing up seriously and gets rid of them.

Going back to our definitions, sensitive personal data, which is more difficult to release, refers to 'offences'. You would, presumably, have to be thought of as committing an alleged offence to get complained about. But we have to bear in mind that complaints are often not proportionate to a person's competence - often, they are about how difficult the cases are that they are handling, etc. Would every internal review request be a complaint against an FOI officer's decision?

This information should not be released. It simply does not tell you anything about a person's competence. It would be better to ask for the procedure for dealing with staff against whom there have been lots of complaints to see how such people were dealt with.

If the request had been for numbers of people against whom there had been more than one complaint, then again, we come back to whether the figures can be deanonymised.


I have only looked at one aspect of personal data, but I think that this is the most common. If the request is about data belonging to non-council employees, then similar tests must be applied.

S40 replies often look very convoluted. But make sure they tell a coherent story. If not, everyone asking for internal reviews will eventually force organisations to use plain English.

The forthcoming PDP FOI Journal will contain an article from me about the horrors of trying to work out what is personal data in things such as reports and emails.
