
Once you’re satisfied that you can confirm holding the requested third-party personal data, you can move on to consider if you can disclose it in response to the request.

You can only disclose third-party personal data in response to an FOI or EIR request when you can demonstrate that the three conditions set out in the exemption and exception are not satisfied.

The first condition is set out at section 40(3A) of FOIA and regulation 13(2A) of the EIR.

The first condition is satisfied if disclosing third-party personal data to a member of the public ‘otherwise than’ under FOIA or the EIR would contravene any of the data protection principles set out in Article 5 of the UK GDPR.

In practice, this means you must assess under data protection legislation if a disclosure to a general member of the public would be legitimate when responding to an FOI or EIR request.

This also applies to requests capturing manual unstructured personal data you hold. Under section 24(1) of the DPA18, this type of personal data is exempt from most of the data protection principles. However, you can disregard this under section 40(3A)(b) of FOIA and regulation 13(2A)(b) of the EIR. This means that, if you receive a request for manual unstructured personal data, you should consider whether disclosing it would contravene the data protection principles.

If the first condition is satisfied, the exemption and exception are absolute. You don’t have to conduct a public interest test.

Under FOIA, section 2(3) says that section 40(2) is absolute in cases where the first condition is satisfied. Under the EIR, regulation 13(1)(a) is clear that you don’t have to apply the public interest test.

For the purpose of the first condition, principle (a) is most likely to be relevant when you are considering the disclosure of third-party personal data under FOIA or the EIR.

This is because it’s unlikely that responding to a FOIA or EIR request would contravene any of the other data protection principles, which are about the purpose of the processing or the quality and storage of the data.

In particular, principle (b) would not be contravened by a disclosure under FOIA or the EIR. This principle states that data should be processed for “specified, explicit and legitimate purposes” and should not be further processed in a manner that is incompatible with those purposes.

Responding to a request under FOIA or the EIR is compatible with a public authority’s business purposes. An FOI or EIR disclosure that complies with the UK GDPR and the DPA in other respects is therefore unlikely to contravene principle (b).

Would disclosure contravene principle (a)?

Principle (a) says:

Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

In the context of FOIA and the EIR, personal data is “processed” when it is disclosed in response to the request. This includes providing confirmation or denial that you hold the information.

To decide whether disclosure would contravene principle (a), you need to determine if disclosing third-party personal data to a member of the public would be lawful, fair and transparent. You must satisfy all three elements.

If you are dealing with a request for special category or criminal offence data, you will need to consider additional tests.

You should consider the following questions in turn:

Would disclosure be lawful?

For the purpose of principle (a), the first question you must consider is if the processing you are doing is lawful.

Processing is lawful when you can demonstrate that you have a legitimate ground for processing the personal information you hold. That is, you have a “lawful basis”.

For the purpose of responding to an FOI or EIR request, the relevant processing activity you are doing is the one set out in section 3(4)(d) of the DPA18. That is, “disclosure by transmission, dissemination or otherwise making available”.

Therefore, the relevant question to consider is – do you have a lawful basis under data protection legislation to disclose third-party personal data to a member of the public?

As explained before, the use of “otherwise than” in section 40(3A) and regulation 13(2A) makes clear that the relevant test is dictated by data protection. This means you cannot use FOIA or the EIR as a lawful basis for the disclosure.

Do you have an article 6 lawful basis for processing the personal data?

Your processing will be lawful when you can show that you have a lawful basis for processing the requested personal information.

Article 6 of the UK GDPR sets out the six lawful bases.

If you are dealing with an FOI or EIR request, the most relevant lawful bases you can rely on are:

  • Article 6(1)(a) – consent of the data subject; and
  • Article 6(1)(f) – legitimate interests.

As explained above, you cannot use FOIA or the EIR as a lawful basis for the disclosure. This is because the relevant test for the personal information exemption is whether disclosure “otherwise than under” these laws would contravene the data protection principles.

We don’t recommend relying on consent as your lawful basis because this can be impractical. However, you can do so if you wish.

In addition to having a lawful basis, your processing must also be lawful more generally. That is, it must not breach other statutes or common law obligations.

For more information on lawful bases under the UK GDPR, please read our data protection guidance on lawful basis for processing.

Does lawful basis (a) – consent – apply?

You can rely on lawful basis (a) if the individual concerned has given their consent to the processing of their personal data.

Article 4 of the UK GDPR defines consent as:

“any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

You can only rely on consent if the individual has given it freely for the specific disclosure. They need to understand that their personal data will be disclosed to the requester under FOIA or the EIR. You also need to explain to them that this means a disclosure to the world at large.

If a request under FOIA or the EIR captures the personal information of multiple data subjects, to rely on lawful basis (a) you need the consent of all the individuals whose personal data falls within the scope of the request.

In most circumstances, relying on consent is unlikely to be practical. This is because consent:

  • may be difficult to obtain in the first place; and
  • can be withdrawn at any time.

Therefore, we recommend you start by considering Article 6(1)(f) as the relevant lawful basis for processing.

Does lawful basis (f) – legitimate interests – apply?

Article 6(1)(f) provides a lawful basis if the processing is:

“… necessary for the purposes of legitimate interests pursued by the controller or by the third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child”.

There is a three-part test which helps you decide if you can rely on Article 6(1)(f) as your lawful basis. This is commonly described as the “legitimate interests assessment”.

In the Supreme Court’s judgement in South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55, Lady Hale explained that this involved considering three questions [para. 18].

These are:

1. Legitimate interest test: are you, or the third party seeking access to the information, pursuing a legitimate interest?

2. Necessity test: is disclosure necessary to meet those interests?

3. Balancing test: do the legitimate interests outweigh the interests and rights of the individual?

The Supreme Court judgement applied the Data Protection Act 1998. However, it is only the wording of the balancing assessment that has changed. The substance of the three-part test has remained the same.

It’s important to work through these questions in order. If you cannot meet the legitimate interest test or the necessity test, there is no need to go on to the balancing test.

1. Legitimate interest test: are you, or the third party seeking access to the information, pursuing a legitimate interest?

The first part of the test is to consider if there are any legitimate interests in disclosing the information.

These can be both your own legitimate interests as well as those of the third party to whom you would disclose the personal information.

FOIA and the EIR are generally motive- and purpose-blind.

However, as explained, the test under section 40 and regulation 13 is to consider disclosure “otherwise than under” FOIA and the EIR. Therefore, you must consider the legitimate interest in disclosing the requested information and what purpose this serves.

As the processing you would be doing is disclosure of personal information in response to an FOI or EIR request, public interest arguments could be relevant legitimate interests.

The UK GDPR requires a broad consideration of legitimate interests, which may be public or private. However, they must relate to disclosure of the requested information. Examples of legitimate interests include:

  • someone may request information to support a complaint they have made;
  • a residents’ association may request information to understand or challenge a decision or inform a response to a consultation exercise; or
  • a journalist may request the expenses claims of a senior public official to scrutinise the spending of public funds and increase accountability.

The requester may inform you of their personal or private interest in requesting the information. You do not have to ask them to give you details of their legitimate interest, and you cannot extend the time for compliance to consult with the requester for this reason.

However, if the requester tells you about their personal or private interest, you should take this into account when considering disclosure.

In some cases, there will be a direct link between a personal or private interest and a wider legitimate interest in disclosure. For example, someone’s request to a hospital about the care of a family member may inform public debate about hospital standards, as well as satisfying the requester’s personal interest.

If you are dealing with a request where the legitimate interest in disclosure is only based on the requester’s private concerns, you need to bear in mind that:

  • disclosure under FOIA or the EIR is a disclosure to the world at large; and
  • information released under FOIA or the EIR is free from any duty of confidence.

If the requester’s interest is clearly trivial, then it is less likely to be acceptable as a legitimate interest in disclosure.

Example: legitimate interest test not met

In MOJ & Williams v IC EA/2019/0132 and EA/2019/0144, the First-tier Tribunal concluded that the requester was not pursuing a legitimate interest.

The request was for the name of an individual who had authorised an inaccurate press release. The requester had said that their aim in making the request was:

“… to catch a senior civil servant, or better still a politician, in the request net.”

However, the Tribunal found that there was no serious underlying concern or objective in the request. The error in the press release which prompted the request was minor and was voluntarily corrected and explained.

Therefore, the Tribunal found that the requester was not pursuing a legitimate interest [para. 35].

The legitimate interest test is not met.

Example: legitimate interest test met

In Bevis Durham v IC EA/2019/0346, the First-tier Tribunal accepted as valid legitimate interests the requester’s personal interest in building control files about applications for barn conversions.

The requester was concerned about the structural safety of barn conversions. They wanted to check whether a local authority was properly enforcing the relevant building regulations.

The Tribunal found that this was a valid legitimate interest.

The legitimate interest test was met in this case.

If you cannot identify a legitimate interest in disclosure of the requested information, the first part of the legitimate interest assessment is not met. This means that disclosure would contravene principle (a) as the legitimate interest lawful basis for processing would not apply.

In turn, this means that the first condition is met and the exemption is engaged.

You must explain to the requester how you have considered the relevant legitimate interests. This is particularly important if you cannot identify a legitimate interest and reached the conclusion that the exemption is engaged.

If you offer an internal review, you could offer the requester the opportunity to give you further details of any wider legitimate interests they are pursuing or any further relevant information.

If you can identify a legitimate interest, you can move on to the second part of the legitimate interest assessment. This is the necessity test.

2. Necessity test: is disclosure necessary to meet those interests?

Once you are satisfied that there is a legitimate interest in the disclosure, you must consider whether disclosure of the requested information under FOIA or the EIR is necessary to achieve the legitimate interests you have identified.

Necessary means more than desirable but less than indispensable. It involves considering alternative measures which can meet the relevant legitimate interests and therefore make disclosure of the requested information unnecessary.

Example

In Goldsmith International Business School v Information Commissioner and the Home Office [2014] UKUT 563 (AAC), the Upper Tribunal said that the test is one of “reasonable” necessity.

The Upper Tribunal explained [para. 39]:

“The test of reasonable necessity itself involves the consideration of alternative measures, and so “a measure would not be necessary if the legitimate aim could be achieved by something less”; accordingly, the measure must be the “least restrictive” means of achieving the legitimate aim in question.”

When you are responding to an FOI or EIR request, the key question to ask under the necessity test is – is disclosing the information under FOIA or the EIR the least intrusive means of achieving the legitimate interests you have identified?

Example: the necessity test

In Kendall v Information Commissioner and General Medical Council (EA/2019/0203), the First-tier Tribunal (‘FtT’) decided that confirming or denying whether a complaint had been made against a doctor was not reasonably necessary for pursuing the legitimate interests identified.

The requester had asked if a named doctor had been investigated following complaints made against them.

The FtT accepted that there was a legitimate interest in the public knowing this.

However, the FtT also found that confirming that the named doctor had been investigated was not necessary to meet those legitimate interests because there were less intrusive means to do so.

At para. 26, the Tribunal said:

“The public interest is based on knowing whether a treating doctor is the subject of serious complaints and so fit to be treating them. We find that confirmation or denial by the GMC as to whether there were complaints under investigation against the named doctor under FOIA is not reasonably necessary for pursuing this interest.

The existence of a complaint which is under investigation by the GMC provides no information about the doctor’s actual fitness to practise. The GMC receives many complaints, and only a minority proceed to a finding that the doctor is not fit to practise. The GMC publishes decisions by the relevant Tribunals and Investigation Committees, and undertakings agreed with individual doctors. Tribunal hearings are also public.

These steps provide the public with information about enforcement actions and sanctions that have actually taken place. This furthers the public interest in knowing whether the GMC has found a problem with a doctor’s fitness to practise, or has sufficient concerns for the matter to progress to a public Tribunal hearing.

This is a more accurate way of providing such information to the public than disclosure of the existence of investigations into complaints which have not resulted in action by the GMC.”

The above example concerns the duty to neither confirm nor deny. However, the same approach applies when you are considering if disclosing the requested third-party personal data is necessary for meeting the identified legitimate interests.

If you cannot demonstrate that disclosure is necessary and you can show that there is a less intrusive way to achieve the legitimate interests, the second limb of the legitimate interest assessment is not met.

This would mean that you don’t have a legitimate interest lawful basis and disclosure would therefore contravene principle (a). You do not need to continue to the balancing test.

You must issue a refusal notice explaining to the requester why you have reached the conclusion that the personal information exemption applies to the requested information.

If you decide that disclosing the information is necessary to meet the identified legitimate interests, then you need to carry out the balancing test.

3. Balancing test: do the legitimate interests outweigh the interests and rights of the individual?

The balancing test involves considering whether the legitimate interests served by the disclosure outweigh “the interests or fundamental rights and freedoms of the data subject which require the protection of personal data”.

The balancing test helps you decide if the disclosure would have an excessive or disproportionate adverse effect on the legitimate interests and rights of the individual concerned.

Example

In Kol v Information Commissioner and Reigate and Banstead Borough Council [2022] UKUT 74 (AAC), the Upper Tribunal said that the need to do a balancing test arises only when:

“it is necessary to resolve a conflict between the interests of the person who requested the information and the person to whom it relates.” [para. 28]

When conducting the balancing test, you should consider:

  • the potential harm or distress that disclosure would cause;
  • the extent to which the information is already in the public domain;
  • the extent to which the information is already known to some people;
  • whether the individual has expressed concern or objected to the disclosure; and
  • the data subject’s reasonable expectations of privacy.

These factors are often interlinked. For example, what other information is available in the public domain may have a bearing on the consequences of disclosure or on the person’s reasonable expectations.

What potential harm or distress would disclosure cause?

Personal data must not be used in ways that have unjustified adverse effects on the data subject. You must consider the likely consequences of disclosure in each case.

In some cases, the consequences are clear. For example, disclosure of:

  • someone’s bank details may lead to them being the target of fraud or identity theft;
  • the identity of a person who made a complaint could lead to them experiencing threats and harassment.

In other cases, the extent of distress or damage a disclosure would cause may be less obvious. For example, disclosing:

  • the personal information of participants in a public consultation could be distressing for them and may discourage others from participating in future consultations;
  • a compromise agreement or job application may adversely affect an individual’s chances of promotion or employment.

You should evidence the connection between the disclosure of the requested information and the adverse consequences on the individual’s privacy rights. This is often called the “causal effect”.

You must consider the nature of the information and judge the level of distress or damage disclosing that information is likely to cause. The greater this is, the more likely that the interests of the person concerned will override any legitimate interests in disclosure. You must give extra weight to the person’s interests if they are a child or a vulnerable adult.

Is the information already in the public domain?

The consequences of disclosure could be less serious if the same or similar information is already in the public domain.

The following factors can help you decide:

  • Is the information realistically accessible to a member of the general public or only known to the requester?
  • How authoritative is the source of the information? Information confirmed in an official capacity is weightier than information made public in unreliable sources.
  • Is the information still public knowledge? Even though information was previously published, it does not mean it remains in the public domain indefinitely. For example, details of a local news story from several years ago may be forgotten over time, unless the information is permanently and easily accessible.

Example

In Kayode v Information Commissioner and the General Medical Council [2021] UKUT 86 (AAC), the Upper Tribunal said:

“as a result of that uncontested finding [ie information was not in the public domain at the time of the request] it was simply not relevant whether the requested information had been in the public domain at some point in the past” [para. 27].

The case concerned a request for a copy of a determination about a doctor’s fitness to practise. The public authority was the General Medical Council (GMC).

The authority refused the request as the determination contained personal information and disclosing it would breach the data protection principles.

The GMC also had a policy in place under which information about a doctor’s removal from the medical register was made available for 10 years. This period had already passed when the applicant submitted the request about the doctor.

For this reason, the authority was correct in deciding that the doctor would have a reasonable expectation of privacy at this time because the information was no longer in the public domain.

You should also consider if the data subject consented to or contributed through their actions to making the information public. This is particularly relevant if they published the information on social media on a public profile.

People are increasingly choosing to put their personal information into the public domain via social media. However, the fact that the information is available on a publicly accessible page on social media does not necessarily mean that the person concerned has put it there or has given informed consent about it being there.

Therefore, you should not presume that making a disclosure under FOIA or the EIR would not have harmful consequences, just because there is information on social media about the data subject.

In these situations, you should consider:

  • Is it available to anyone, or just to members of a closed group?
  • Did the individual intend to publish it, or was it done maliciously or without their knowledge?
  • Did the individual intend to make it generally available, rather than available only to a restricted group?

The UK GDPR explicitly states that children’s personal data requires specific protection. If the information is about a child, you must take extra care when considering the above points. In the UK, a child is anyone under the age of 18.

The fact that information is in the public domain is also relevant when you are considering the reasonable expectations of the data subject.

You don’t have to carry out an exhaustive search of all possible public domain sources to establish what information is already publicly available. You should take a proportionate approach in cases where a large number of names and personal data could be disclosed. In these cases, you should err on the side of privacy and assume that this personal information has not been widely publicised on the internet. This also helps you to avoid a disproportionate effort in investigating such cases.

However, in cases involving fewer people, you could carry out more detailed checks to establish what personal data is already in the public domain.

Is the information already known to some people?

There may be situations where a requester could identify someone from the requested information, even if an average member of the general public can’t. In these cases, you should consider whether the requested information is actually in the wider public domain, rather than only known to a few people.

Once you are satisfied that some people could identify the person in question, you should consider:

  • the extent to which this would be detrimental to them; and
  • if those people would learn anything new from the disclosure of the information in question and the impact of this on the person.

Has the individual expressed concern or objected to the disclosure?

You do not have to consult the relevant data subject(s) to decide if you can disclose their personal information in response to a request made under FOIA or the EIR. You could do so if you wish. However, you cannot delay your response to the request to do so. You must respond promptly and in any event no later than 20 working days. You cannot extend this time to consult the data subject(s).

However, if an individual has expressed concern about the disclosure of their personal information, you should consider their concerns objectively. You should decide whether they are reasonable in the circumstances. In particular, you should consider if they had a reasonable expectation their personal data would not be disclosed. Remember that a disclosure under FOIA or the EIR is a disclosure to the world at large. The requester’s identity is not relevant, nor is the fact that a requester has no intention to share the information further.

You can take into account the data subject’s reasonable concerns when conducting the balancing test.

Ultimately, you are responsible for deciding whether or not to disclose information in response to a request, not the data subject. If the outcome of your legitimate interests assessment justifies disclosing the personal information, then you can disclose. This applies even if the individual does not consent or has expressed concerns about the disclosure.

However, the UK GDPR gives people the right to object to the processing of their personal information, including disclosure. If the person has objected to the processing, this is relevant when assessing if the second condition is satisfied. For more information on this, please read Part 4 of this guidance: The second condition – the right to object.

What are the data subject’s reasonable expectations of privacy?

The individual’s reasonable expectations of privacy are an important consideration in the balancing test. You should take into account the person’s expectations at the time their information was collected, and their expectations at the time of the request. This is because people’s expectations can change over time.

There are a range of factors that help you determine a person’s privacy expectations, such as:

  • awareness of privacy rights;
  • private versus public life;
  • the nature or content of the information;
  • the circumstances in which you obtained the personal data;
  • any specific assurances given to the data subject;
  • privacy notices; and
  • your existing policy or standard practice as a public authority.

Awareness of privacy rights

People are increasingly aware of their privacy rights. However, freedom of information legislation has introduced greater expectations of transparency and accountability about public authorities and senior public figures.

Disclosing personal information always involves some intrusion into privacy. However, there are situations when the intrusion is warranted. For example, disclosure of personal information relating to senior public officials may be justified if it is about the performance of their public duties or the expenditure of public money. You must consider all the circumstances of each case.

Private versus public life

Someone’s expectations will be influenced by the distinction between their public and private life.

Example

In The Corporate Officer of the House of Commons v Information Commissioner and Norman Baker MP (EA/2006/0015 & 0016), the Information Tribunal (now the First-tier Tribunal) confirmed that:

“where data subjects carry out public functions, hold elective office or spend public funds they must have the expectation that their public actions will be subject to greater scrutiny than would be the case in respect of their private lives.” [para. 78]

When the information relates to an individual’s public life, it is less likely that their interests outweigh the legitimate interests in disclosure.

Example

In decision notice IC-96056-F5J7, the Information Commissioner did not accept the public authority’s argument that the information was about the data subject’s public life “on a superficial level”.

The requester had asked for a copy of an investigation report into allegations of bullying at Imperial College London against named individuals.

During the Commissioner’s investigation, the public authority said that the report was about the private social interactions within the workplace, rather than about the named individuals in their public duties.

The Information Commissioner rejected this argument. At para. 53, the Commissioner said that the information related to:

“their behaviour at work and their leadership of the College. Whilst these might not be “public-facing” duties, they are clearly duties that are associated with the individuals’ roles at the College. The Commissioner has seen minimal references, in the withheld information, to the private life of either of these individuals.”

However, even where an individual holds public office, they may have a reasonable expectation of privacy about information associated with their public life. Their reasonable expectation depends on multiple factors, including:

  • the seniority of their role;
  • whether their role is public facing, ie whether they have responsibility for explaining the policies or actions of their organisation to the outside world;
  • whether they have responsibility for making decisions on how public money is spent; and
  • the nature of the information.

Public figures must expect a degree of scrutiny about their functions in office. For example, elected public officials must expect to be held accountable to the electorate.

However, even officials in senior posts may have a reasonable expectation that certain information about purely personal matters is not disclosed.

If you need more information about how to assess the reasonable expectations of your employees, please read our guidance on requests for personal data about public authority employees.

The nature or content of the information

Often, people will have a strong expectation that information of a certain nature is not disclosed. For example, information about confidential, sensitive or private matters.

This includes expectations about:

In many cases, someone’s rights are likely to override the legitimate interests in disclosing these types of information.

Circumstances in which you obtained the personal information

Someone’s expectations will also be influenced by the circumstances in which you initially obtained the personal data. For example, take a scenario where you are a local authority, and someone makes a complaint about a shop selling alcohol to under 18s. In this scenario, the complainant would not normally expect you to reveal their identity to the world, including to the shopkeeper.

Likewise, job applicants can have a legitimate expectation that you would not make the information you collected during the interview process public, such as their score against the interview questions or notes about how well they performed.

You should take into account whether the person provided the information with an expectation of confidence, including by considering the nature of their relationship with your organisation.

People’s expectations can change over time because of a change in circumstance. There is now an established expectation of transparency in government policy and your actions as a public authority. This means that, in some circumstances, any initial assumptions of privacy held by public officials can be outweighed by legitimate interests in their openness and accountability.

Any specific assurances given to the individual

You should also consider whether you gave the individual specific assurances of confidentiality, taking into account the nature and reasonableness of any assurances.

For example, promises of confidentiality will carry less weight if:

  • the person is in a senior and public-facing role;
  • there are issues concerning the spending of public money; or
  • any new facts emerged after you gave the assurances which suggest those assurances are no longer reasonable.

Privacy notices

Privacy notices can help you manage people’s expectations of privacy. They allow you to explain how you use people’s personal information for your business purposes. When you are a public authority, this includes fulfilling your legal obligations under FOIA and the EIR.

You can reasonably assume that people, especially public officials, are aware of your FOIA and EIR obligations, even if your privacy notice is not explicit about them.

However, as a public authority, your privacy notice should explain that you may receive FOIA and EIR requests for third-party personal data. You should provide the lawful basis you rely on under UK GDPR for this type of processing. You should also make it clear in your notice that you have a legal obligation to process any personal data you hold for the purpose of responding to an FOI or EIR request.

An inadequate privacy notice will not prevent a disclosure that would otherwise be lawful.

Having a privacy notice will also help you to show that your processing is transparent for the purpose of principle (a) and fulfil the general transparency requirements of the UK GDPR. It also confirms the widely accepted purpose of FOIA and the EIR to promote transparency and accountability in the affairs of public authorities.

Your privacy notice should inform people when they have the right to object to the processing of their personal information. If someone has objected to the processing, this is relevant if you have to decide if the second condition is satisfied.

For more information on privacy notices, please read our data protection guidance on the right to be informed.

Your existing policy or standard practice as a public authority

Your existing policy or standard practice can also have an impact on people’s expectations about particular types of disclosure.

For example, your policies may make it clear that you would disclose the details of senior employees’ expenses in response to an FOI or EIR request. Similarly, public officials are expected to follow certain standards of behaviour. For example, any public office-holder must follow the seven principles of public life, which include openness and accountability.

You should always balance the expectations set out in existing policies and practices against a consideration of the specific rights and interests of the individuals concerned. For example, even though you expect senior employees to disclose their expenses, junior members of staff may have a reasonable expectation that their expense details are not made public.

How do you reach a conclusion on the balancing test?

The balancing test involves weighing the legitimate interests in disclosure against the privacy rights and interests of the data subject. You should consider each case on its own merits.

The balancing test is not the same as the public interest test you conduct when relying on qualified exemptions under FOIA and exceptions under the EIR. You conduct the balancing test to decide if the first condition is met.

Example

In Cox v Information Commissioner and Home Office [2018] UKUT 119 (AAC), the Upper Tribunal said:

“the balancing process (…) “is different from the balance that has to be applied under, for example, section 2(1)(b) of FOIA” (…) Furthermore FOIA stipulates that the section 40(2) exemption applies if disclosure would contravene the data protection principles enshrined in the DPA, so it is the DPA regime which must be applied.” [para. 42]

You should take a proportionate approach. There are circumstances where the legitimate interests may be met by disclosure of personal data. The necessity test can help you decide this.

If you decide that the legitimate interests served by the disclosure do not outweigh the individual’s interests and rights, you cannot use the legitimate interests lawful basis. Without a basis for processing, disclosure would be unlawful and would therefore contravene principle (a). This means that the first condition is met and section 40(2) is engaged. You must not disclose the information. You must issue a refusal notice to explain to the requester why you are refusing the request.

If you decide that the legitimate interest does outweigh the person’s rights and interests, you must consider if disclosure would be generally lawful.

Would disclosure be generally lawful?

As well as having a lawful basis under data protection, you must also show that your processing is lawful more generally.

General lawfulness means that the disclosure must not breach statute or common law, whether criminal or civil. This includes industry-specific legislation or regulations.

A disclosure can be unlawful if it would breach:

  • an implied or explicit duty of confidence;
  • an enforceable contractual agreement;
  • the Human Rights Act 1998 (HRA), and in particular Article 8 of the European Convention on Human Rights on the right to respect for private and family life.

The considerations involved in the data protection legitimate interests assessment are similar to those involved in assessing whether an interference with a right under the HRA is necessary. Therefore, if the legitimate interests assessment is met, disclosure is unlikely to contravene the HRA.

If you believe that disclosure would be unlawful, you could consider applying other exemptions or exceptions. For example, FOIA section 44 (statutory prohibitions), section 41 (breach of confidentiality) or EIR regulation 12(5)(e) (confidentiality of commercial or industrial information).

Your obligation to provide information under FOIA or the EIR does not in itself make a disclosure lawful. As mentioned, section 40(2)(3A) of FOIA and regulation 13(1)(2A) of the EIR require you to decide if you can disclose to a member of the public “otherwise than under” FOIA or the EIR. To be lawful under FOIA or the EIR, a disclosure must not contravene a data protection principle.

If disclosure would not be generally lawful, the first condition is met and section 40(2) or regulation 13(1)(2A) is engaged.

If you decide that a disclosure is lawful, you must go on to consider if it is also fair and transparent.

Would disclosure be fair and transparent?

If you decide disclosure would be lawful, you must go on to consider if it would comply with the remaining requirements of principle (a). That is, if disclosure would also be fair and transparent.

If the disclosure passes the legitimate interest assessment, it is likely that disclosure will also be generally fair for the same reasons.

One way to meet the transparency requirement is by explaining your FOIA and EIR obligations in your privacy notice.

If you have not done so, you can also explain this to the data subject when you receive the FOI or EIR request.

If you decide that disclosure would not be fair or transparent, it means the disclosure would contravene data protection principle (a). The first condition is satisfied and section 40(2) or regulation 13(1)(2A) is engaged. You must not disclose the information.

Conclusion: would disclosure contravene data protection principle (a)?

If the requested information is third-party personal data but its disclosure would be lawful, fair and transparent, then the first condition is not satisfied. This is because disclosure does not contravene principle (a) of the UK GDPR. This means that you can disclose the requested personal information under FOIA or the EIR.

If disclosing the personal information would contravene principle (a), then the first condition is satisfied. You must not disclose the information under FOIA or the EIR. You must issue a valid refusal notice and explain to the requester why you cannot release the information.

As explained before, processing personal information for the purpose of responding to an FOI or EIR request is unlikely to contravene the other data protection principles listed in article 5 of the UK GDPR.

Do you meet the additional conditions for processing special category data?

If you are responding to an FOI or EIR request asking for special category data, you must meet one of the conditions required for processing this type of data. This is in addition to having a lawful basis under article 6.

Don’t forget to first consider if you can confirm or deny holding this type of personal information before looking at whether you can disclose it.

Article 9 of the UK GDPR defines special category data:

‘Special category data’ is personal data about an individual’s race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life or sexual orientation.

Generally, the processing of special category data is prohibited unless you meet the conditions set out in Article 9(2) of the UK GDPR. Some of these conditions are supplemented by additional conditions set out in Schedule 1 of the DPA18.

Special category data is particularly sensitive, so the conditions for processing it are very restrictive and generally concern specific and stated purposes.

Only two conditions are likely to be relevant if you are dealing with a request under FOIA or the EIR asking for this type of data. These are:

  • Article 9(2)(a) – explicit consent of the data subject; or
  • Article 9(2)(e) – the processing relates to personal data which has clearly been made public by the individual concerned.

You can only rely on explicit consent if you can demonstrate that the data subject concerned has explicitly and specifically consented to their data being disclosed to the world in response to a FOIA or EIR request.

Likewise, to rely on article 9(2)(e) you must show that the data subject has voluntarily and clearly made their personal information public.

Example: special category data where the article 9(2)(e) condition is not met

A defendant in a criminal trial discloses medical information about themselves in open court, in order to plead mitigating circumstances. This information is likely to be special category data since it relates to their health.

In this case, the defendant has clearly made that personal information public. However, they have not deliberately made it so. Their intention is to use it as part of their defence, and they have no choice but to give it in open court.

Therefore, the condition for processing would not be met.

In the scenario outlined above, you would also need to consider if the information was still in the public domain at the relevant time. This is because information once disclosed in open court doesn’t remain in the public domain forever. At the same time, the person’s expectations of privacy become stronger as more time passes since the personal information was made public.

If you do not have a lawful basis for processing under article 6 and you do not meet an article 9 condition as supplemented by a DPA18 condition where relevant, disclosure would be unlawful and would contravene principle (a). The first condition is satisfied. Therefore, you must not disclose the information and must issue a refusal notice under FOIA or the EIR.

For more information, see our guidance on special category data.

Do you meet the additional conditions for processing criminal offence data?

If you are responding to an FOI or EIR request asking for criminal offence data, you must meet one of the conditions required for processing this type of data. This is in addition to having a lawful basis under article 6.

Don’t forget to first consider if you can confirm or deny holding this type of personal information before looking at whether you can disclose it.

Article 10 of the UK GDPR and section 11(2) of the DPA define criminal offence data. It includes the following:

  • criminal convictions and offences or related security measures;
  • the alleged commission of offences by the data subject; and
  • proceedings for an offence committed or alleged to have been committed by the data subject or the disposal of such proceedings, including sentencing.

Article 10 of the UK GDPR says that you can only process criminal offence data lawfully if the processing:

  • is carried out under the control of official authority; or
  • meets a specific condition in Schedule 1 of the DPA18.

Processing under the control of official authority will not apply in the context of FOIA or the EIR.

Likewise, if you are a “competent authority” under Part 3 of the DPA you may process personal data for law enforcement purposes. However, this will not be relevant in the context of responding to an FOI or EIR request. This is because, in this scenario, you are acting as a public authority carrying out the processing activity set out in section 3(4)(d) of the DPA18. That is, “disclosure by transmission, dissemination or otherwise making available”. You are not acting as a competent authority for law enforcement purposes.

Therefore, you must consider whether any of the conditions in Schedule 1 of the DPA18 apply.

As with special category data, criminal offence data is also sensitive. The conditions for processing it are very restrictive and generally concern specific and stated purposes.

Only two conditions are likely to be relevant if you are dealing with a request under FOIA or the EIR asking for this type of data. They are similar to those identified above for special category data:

  • Schedule 1, Part 3, paragraph 29 – consent from the data subject; or
  • Schedule 1, Part 3, paragraph 32 – the processing relates to personal data which has clearly been made public by the individual concerned.

Example

In Ian Driver vs Information Commissioner (EA/2022/0184, 22 February 2023), the First-tier Tribunal (‘FtT’) decided that it would be unlawful for the public authority to confirm or deny under FOIA holding criminal offence data.

The requester was a journalist. They had submitted a request for information under FOIA asking Thanet District Council to confirm or deny if a named councillor had behaved unlawfully. The unlawful act was fly-tipping.

If held, this information would constitute criminal offence data.

The council refused to confirm or deny holding the information on the basis that section 40(5B) applied. That is, confirming or denying would contravene the data protection principles.

On appeal, the applicant disputed this, arguing that section 40(5B) was not engaged. The applicant claimed the Council was able to rely on article 6(1)(f) as the relevant lawful basis for processing. They further argued that the relevant Schedule 1 conditions were also met, specifically those set out at paragraphs 10, 11, 12 and 13 of Part 2 of Schedule 1 to the DPA18.

The FtT rejected these arguments. It found that none of the relevant Schedule 1 conditions necessary for the processing of criminal offence data were met. Therefore, if the council were to confirm or deny to a member of the public holding this type of data, that would contravene the data protection principles. Confirmation or denial would be unlawful and section 40(5B) was engaged.

This example is about confirming or denying. However, a similar approach applies if you are considering if you can disclose the requested criminal offence data.

If you do not have a lawful basis for processing under article 6 and you do not meet a relevant condition in Schedule 1 of the DPA, disclosure would be unlawful and would contravene principle (a). Again, the first condition is satisfied. You must not disclose the information and must issue a refusal notice under FOIA or the EIR.

For more information, see our guidance on criminal offence data.