Information Rights
Appeal Reference: EA/2023/0406
Decided without a hearing
On 20 March 2024
Before
JUDGE ANTHONY SNELSON
TRIBUNAL MEMBER KERRY PEPPERELL
TRIBUNAL MEMBER DAVE SIVERS
Between
JOHNNA REEDER
Appellant
and
THE INFORMATION COMMISSIONER
Respondent
Decision
On considering the written representations of the parties and other documents tabled, the Tribunal unanimously dismisses the appeal.
Reasons
Introduction
Cardiff Bus is the principal operator of bus services in Cardiff and the surrounding area. The company is wholly owned by Cardiff Council.
On the evening of 24 June 2023 the Appellant was involved in an unpleasant episode on a Cardiff Bus vehicle. On her case, she was abused by a drunken man who called her a ‘fucking American’ and when she challenged him and an altercation ensued, the driver treated her as the culprit (or at least a culprit) and attempted to force her (as well as the drunken man) to leave the bus.
The Appellant then complained to Cardiff Bus but the complaint was rejected by a representative of the company on 4 July 2023. That individual exonerated the driver, stating in reliance upon CCTV footage, that he had tried to calm the situation down and, in the end, taken appropriate action to safeguard the passengers.
Later on 4 July 2023 the Appellant wrote to the Managing Director of Cardiff Bus, challenging the decision to reject her complaint and requesting a copy of the CCTV footage, pursuant to the Freedom of Information Act 2000 (‘FOIA’).
Cardiff Bus responded on at least two occasions, the second being on 4 August 2023, refusing to disclose the CCTV footage as requested, on the grounds that doing so would contravene FOIA and the UK General Data Protection Regulation (‘GDPR’), but offering to provide a redacted copy (which would protect the privacy of all those shown on the footage other than the Appellant).
The Appellant replied at least twice, unequivocally rejecting the offer of a redacted copy of the footage.
On 24 August 2023 the Appellant wrote to the Company Secretary of Cardiff Bus seeking an internal review of the decision not to supply her with a copy of the unedited CCTV footage. In the same communication, she stated that she would be happy to view the footage within the Cardiff Bus office.
On 4 September 2023 Cardiff Bus responded to the internal review application through Bus Users UK, an intermediary organisation, standing by its position that the request could not be granted as it sought disclosure of the personal data of third parties.
On 11 September 2023 Cardiff Bus gave a formal decision, rejecting the review application on the basis that the request been correctly refused on data protection grounds. The company did not address the possibility of the appellant viewing the footage at its office.
The Appellant then complained to the Information Commissioner (‘the Commissioner’). An investigation followed.
By a decision notice dated 14 September 2023 the Commissioner determined that Cardiff Bus had correctly applied FOIA, s40(2) (personal information) and dismissed the Appellant’s complaint. He did not consider the Appellant’s separate suggestion that she be shown the CCTV footage at the Cardiff Bus office.
By a notice of appeal dated 18 September 2023, the Appellant challenged the Commissioner’s adjudication on a variety of grounds. The nub of her complaint was that the Commissioner had misapplied the law and failed to give the concept of personal data a ‘common sense’ meaning. In box 6 of the appeal form, the Appellant said this:
I need to view the unedited CCTV footage … I am willing to watch it once during a meeting with the general manager of the bus company. I am making this reasonable request so that public safety can be improved. My concern is that the bus driver mishandled the situation. This can be proven with a viewing of the CCTV footage. It must be unedited to prove my concerns are valid.
The appeal was resisted in a response dated 11 December 2023 prepared on behalf of the Commissioner.
The matter came before us for consideration on paper, the parties being content for it to be determined without a hearing. We were satisfied that it was just and in keeping with the overriding objective (Footnote: 1) to proceed in that manner.
The applicable law
The freedom of information legislation
FOIA, s1 includes:
Any person making a request for information to a public authority is entitled–
to be informed in writing by the public authority whether it holds information of the description specified in the request, and
if that is the case, to have that information communicated to him.
‘Information’ means information recorded in any form (s84).
The general right under s1 is subject to a number of exemptions. By s40 it is provided, so far as material, as follows:
Any information to which a request for information relates is exempt information if it constitutes personal data of which the applicant is the data subject.
Any information to which a request for information relates is also exempt information if—
it constitutes personal data which doesnot fall within subsection (1), and
the first, second or third condition below is satisfied.
(3A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act—
would contravene any of the data protection principles …
The language and concepts of the data protection legislation are translated into the section (subsection (7)). The exemptions under s40 are unqualified under FOIA and the familiar public interest balancing test has no application. Rather, the reach of the exemptions is, in some circumstances, limited by the data protection regime.
The data protection legislation
The data protection regime under the Data Protection Act 2018 (‘DPA 2018’) and GDPR applies to this case.
DPA 2018, s3 includes:
“Personal data” means any information relating to an identified or identifiable living individual ...
“Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to —
an identifier such as a name, an identification number, location data or an online identifier …
“Processing”, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as —
…
disclosure by transmission, dissemination or otherwise making available …
“Data subject” means the identified or identifiable living individual to whom personal data relates.
GDPR, Article 5 sets out the data protection principles. It includes:
Personal data shall be:
processed lawfully, fairly and in a transparent manner in relation to the data subject …
Article 6, so far as material, provides:
Processing shall be lawful only if and to the extent that at least one of the following applies:
…
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
The Tribunal’s powers
The appeal is brought pursuant to the FOIA, s57. The Tribunal’s powers in determining the appeal are delineated in s58 as follows:
If on an appeal under section 57 the Tribunal consider –
that the notice against which the appeal is brought is not in accordance with the law; or
to the extent that the notice involved an exercise of discretion by the Commissioner, that he ought to have exercised his discretion differently,
the Tribunal shall allow the appeal or substitute such other notice as could have been served by the Commissioner, and in any other case the tribunal shall dismiss the appeal.
On such an appeal, the Tribunal may review any finding of fact on which the notice in question was based.
Case-law
Unlike the general run of information rights cases, the starting-point for the purposes of s40 is that, where they intersect, privacy rights hold pride of place over information rights. In Common Services Agency v Scottish Information Commissioner [2008] 1 WLR 1550 HL, Lord Hope reviewed the legislation, including the EU Directive on which the domestic data protection legislation is founded. At para 7 he commented:
In my opinion there is no presumption in favour of release of personal data under the general obligation that FOISA (Footnote: 2) lays out. The references which that Act makes to provisions of [the Data Protection Act] 1998 must be understood in the light of the legislative purpose of that Act, which was to implement Council Directive 95/46/EC. The guiding principle is the protection of the fundamental rights and freedoms of persons, and in particular their right to privacy with respect to the processing of personal data …
It is well-established that case-law under the pre-2018 data protection regime can safely be treated as a guide to interpreting the new law. Three principles are noteworthy in the present context. First, ‘necessary’ means reasonably necessary and not absolutely necessary: South Lanarkshire Council v Scottish IC [2013] UKSC 55. But in order for something to be ‘necessary’ there must be no other reasonable means of achieving it: IC v Halpin [2020] UKUT 29 (AAC). Second, ‘necessity’ is part of the proportionality test and requires the minimum interference with the privacy rights of the data subject that will achieve the legitimate aim in question: R (Ali & another) v Minister for the Cabinet Office & another [2012] EWHC 1943 (Admin), para 76. Third, in carrying out the balancing exercise, it is important to take account of the fact that disclosure under freedom of information legislation would be to the whole world and so, necessarily, free of any duty of confidence: Rodriguez-Noza v IC and Nursing & Midwifery Council [2015] UKUT 449 (AAC), para 23.
It is legitimate to consider at the outset the first part of (what is now) the Article 6 test (lawful processing), before addressing (if need be) the further elements of the test (see Farrand v Information Commissioner [2014] UKUT 310 (AAC), para 20).
The Commissioner’s Guidance
In current Guidance on Requests for Personal Data about Public Authority Employees (Footnote: 3), the Commissioner states (p13):
The data protection exercise of balancing the rights and freedoms of the employees against the legitimate interest in disclosure is different to the public interest test that is required for the qualified exemptions listed in section 2(3) of FOIA.
In the FOI public interest test, there is an assumption in favour of disclosure because you must disclose the information unless the public interest in maintaining the exemption outweighs the public interest in disclosure.
In the case of section 40(2), the interaction with the DPA means the assumption is reversed and a justification is needed for disclosure.
Analysis and conclusions
It is necessary to start by considering the scope of the appeal. Here we agree with the Commissioner (response, paras 20-25) that the Appellant’s suggestion in the internal review application (and reiterated in the notice of appeal) that her request could be resolved by permitting her to view the CCTV footage once at the Cardiff Bus office is, for our purposes, a red herring. It was no part of the Commissioner’s function to enquire into the way in which the public authority dealt with the internal review application. His role was limited to considering its response to the original request (see Montague v Information Commissioner and Department for International Trade [2022] UKUT 104 AAC). The original request was unambiguously for disclosure of a copy of the CCTV footage. Our role is to determine whether the Commissioner’s decision-making in relation to that request was correct.
The first question is whether the information sought amounts to personal data. The answer is yes. It relates to the Appellant, the other passengers on the bus and the driver, all identifiable, living individuals.
In so far as the information relates to the Appellant, it is absolutely exempt under FOIA, s40(1)(a), being personal data of which she is the data subject.
In so far as the information relates to the other passengers and the driver, it is the personal data of those individuals, and so exempt under FOIA, s40(2) if any of the three ‘conditions’ referred to in that subsection applies.
The only relevant condition is that disclosure would contravene any of the data protection principles (subsection (3A)(a)). The relevant data protection principles here are those provided for under GDPR, Article 5, para 1 and Article 6, para 1(f). The duty of ‘lawful’ processing imports the requirement of ‘necessity’. In our judgment, there is no question of the processing of the personal data of third parties being ‘necessary’ in this case. The Appellant has been able to engage with Cardiff Bus concerning her grievance and her complaint has been considered in an appropriate fashion. She remains aggrieved because she thinks that the company did not reach the right conclusion, but that is not an arguable basis for saying that it is ‘necessary’ to compromise the privacy of third parties in order to allow her an opportunity to pursue her complaint afresh. In the circumstances, there is much to be said of the view that her legitimate interests have already been fully met (notwithstanding, from her point of view, the disappointing outcome). At all events, we are satisfied that it cannot possibly be said that her legitimate interests can only be met by processing the personal data of third parties (see the Halpin case cited above). We do not begin to see why sight of the redacted CCTV footage would not amply meet any residual unsatisfied legitimate interest and we regret that the Appellant did not take up the public authority’s offer to share that material with her. In addition, the public authority may (or may not) be amenable to her proposal to view the CCTV footage once at its office. But whether or not that possibility remains does not affect our assessment. Either way, the Appellant falls a long way short of establishing the requisite ‘necessity’.
The statutory bias favouring privacy rights over information rights makes this a very clear case. The processing of personal data for which the Appellant contends would plainly be unlawful. Accordingly, the request is for information which is exempt and the Commissioner was right to dismiss the complaint.
Disposal
It follows that the appeal must be dismissed.
(Signed) Anthony Snelson
Judge of the First-tier Tribunal
Dated: 30 April 2024