If you have decided that the first condition is not satisfied, you must go on to consider the second condition.
The second condition is set out at section 40(3B) of FOIA and regulation 13(2B)(a) of the EIR.
This condition is met if disclosing third-party personal data “otherwise than” under FOIA or the EIR would contravene an objection to processing made under Article 21 of the UK GDPR.
Under the EIR, the Intelligence Services must also consider an objection to processing made under section 99 of Part 4 of the DPA18.
The exemption and exception setting out the second condition are not absolute. This means that, even though you show that the second condition is met, you must do a public interest test to decide if you can maintain the exemption or exception.
As explained before, you must first consider if confirming or denying would contravene the right to object before looking at whether a disclosure would do so.
What is the right to object under Article 21 of the UK GDPR?
Article 21(1) of the UK GDPR says that if the individual has exercised their right to object, the controller shall no longer process the personal data unless:
- it can demonstrate compelling legitimate grounds for the processing; and
- these override the interests, rights and freedoms of the individual.
An individual can exercise their right to object at any time.
However, you can only accept an objection if the lawful basis for processing is either:
- lawful basis (e) public task – performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- lawful basis (f) legitimate interest.
As explained in Part 3, if you are responding to an FOI or EIR request, you are most likely to be relying on lawful basis (f) to process an individual’s personal data.
You should inform them of their right to object at the time you collect their data. You should also ensure you explain in your privacy notice that you are subject to FOIA and the EIR.
You must inform people about their right to object in your privacy notice. This should also explain that you are subject to FOIA and the EIR.
We have explained about privacy notices in this section of the guidance.
Once you have received an FOI or EIR request, you do not have to contact individuals proactively to give them the opportunity to object. You could contact the data subject to seek their views. However, this must not delay your response to the request.
Did the data subject object before you received the request?
If you have accepted an objection as valid under the UK GDPR before you receive a FOIA or EIR request, the second condition will be met. This is because disclosure otherwise than under FOIA or the EIR would contravene the Article 21 right to object.
The second condition is subject to the public interest test.
Therefore, you must consider if the public interest in disclosure outweighs the public interest in maintaining the exemption. The factors you considered when doing the legitimate interest assessment for the purpose of the first condition may be relevant.
As part of the public interest test, you could take into account if circumstances and the data subject’s expectations have changed since you originally accepted the Article 21 objection.
If you decide that the public interest test favours disclosure, then the second condition is not satisfied. If disclosure does not contravene the data protection principles and the third condition is not satisfied, you can release the information under FOIA or the EIR.
If you decide that the public interest test favours maintaining the exemption, you must issue a valid refusal notice to inform the requester about the outcome of their request.
For further information on the public interest test see our guidance on The public interest test.
Did the data subject object when you received the request?
If an individual objects to the processing of their personal data when you have already received a FOIA or EIR request, the objection will not apply under Article 21. This is because you are under a legal obligation to respond. The right to object does not apply when the data controller can rely on legal obligation as its lawful basis for processing.
As explained before, you can consider the person’s reasons for objecting as part of the legitimate interests test under the first condition.
For more information about this, please read the section on the balancing test.
What is the right to object under section 99 of Part 4 of the DPA18?
Section 99 of Part 4 of the DPA18 says that people can object to the processing of their personal data by the Intelligence Services when this processing is an unwarranted interference with their interests or rights.
The Intelligence Services are subject to the EIR.
Therefore, when receiving a request for environmental information, the Intelligence Services must also consider the right to object under section 99 of Part 4 of the DPA for the purpose of the second condition.
The right to object under section 99 of the DPA18 is broader than the Article 21 right under UK GDPR.
If you are an Intelligence Service agency and have received such an objection, you must consider if the processing is an unwarranted interference with the individual’s interests or rights. People can exercise this right at any time, including at the time of the EIR request.
If you accept the objection as valid, the exception under regulation 13(2B)(b) applies. The exception is qualified. You must conduct a public interest test to decide if you can still disclose the information.
The Intelligence Services are not subject to FOIA. This is why there is no equivalent to 13(2B)(b) under the Act.
Further reading
Data protection resources: