Liam Harron v The Information Commissioner & Anor

This is an appeal against the Information Commissioner’s (IC) decision notice (DN) IC-171466-X0Q8 dated 8 February 2023, which found that Rotherham Metropolitan Borough Council (RMBC) was entitled to rely on s.40(5B) (personal information) of the Freedom of Information Act 2000 (FOIA) to refuse to confirm or deny whether any information is held. The IC did not require RMBC to take any further steps.

The Respondents made an application to strike out the appeal on the basis it had no reasonable prospects of success. The application was refused by the First Tier Tribunal on 11 August 2023.

We gave permission for the Appellant to call T, a Child Sexual Exploitation victim, to give evidence. We ruled that T’s identity was to be anonymised and they would be identified as T in our decision and any transcript of the hearing. That part of the hearing in which T gave evidence was heard in private. A separate case management order has been made to this effect.

On 1 February 2022, the Appellant made the following request to RMBC for information:

On 11 February 2022, RMBC refused to confirm or deny holding the requested information relying on the exemption under s.40(5B) FOIA.

The Appellant requested an internal review and set out his understanding of the legislation, which was that i) the UK General Data Protection Regulation (GDPR) does not prohibit all disclosures relating to individuals, only that any disclosures must be fair and appropriate, and ii) senior public or senior civil servants are not exempt and this includes all persons who are considered to be in a “front-facing” position. He said he was not seeking any personal information.

The review dated 11 March 2023, upheld the original refusal and explained that stating whether RMBC does or does not hold anything in regard to a “bundle for the defence of” the named individual would be disclosing information about that person.

The Appellant complained to the IC, who found on 8 February 2023 that RBMC was entitled to rely on the exemption under s.40(5B) of FOIA. The reasons were that confirmation would reveal whether a defence bundle relating to the Data Subject exists; the Data Subject would have a reasonable expectation that such information would not be disclosed; and there was an insufficient legitimate interest to outweigh the Data Subject's rights and freedoms. Accordingly, it was not possible to satisfy the condition in Article 6(1)(f) of the GDPR.

The Appellant appealed to this Tribunal. The grounds of appeal, in summary, are:

The Tribunal’s remit is governed by s.58 FOIA. This requires the Tribunal to consider whether the decision made by the IC is in accordance with the law or, where the IC’s decision involved exercising discretion, whether he should have exercised it differently. The Tribunal may receive evidence that was not before the IC and may make different findings of fact from the IC.

FOIA provides a general duty to disclose information.

The relevant parts of section 1 FOIA provide:

The relevant parts of s.40 provide:

The relevant parts of Article 4 provide:

The relevant parts of Article 6 provide:

The relevant parts of Article 10 provide:

The relevant parts of the DPA provide:

The relevant parts of the schedule provide:

Whether RMBC, by confirming or denying whether the requested information is held, would contravene any of the data protection principles.

The Appellant provided a lot of background documents relating to various requests for information that he had made. However, they do not address the exemption relied upon and do not assist his case.

There were no submissions from RMBC before us.

Confirming or denying whether information is held would identify third party personal data, because doing so would reveal whether a defence bundle relating to a named individual exists.

On reviewing the DN it was noted that at the time of the request it had been publicly reported that the Data Subject had been convicted and sentenced for two separate criminal offences. The Appellant also attached a Local Ombudsman Report and email chain in which the Data Subject’s public convictions had been noted in media articles. Although not explicitly confirmed, it is likely that the defence bundle referred to is in respect of the convictions that have been made public.

In such circumstances, the IC considers that it may be possible to satisfy Article 6(1)(f) GDPR, albeit the terms of the request are not clear as to which defence bundle is being referenced.

However, the very existence of a defence bundle would reveal that an allegation of the commission of an offence has been made, and a prosecution has been brought. Such information amounts to criminal offence data.

Criminal offence data is given special protection under Article 10 GDPR. It can only be lawfully processed if it satisfies both a condition under Article 6 GDPR, and it is authorised by Member State law providing for appropriate safeguards for the rights and freedoms of the Data Subject.

The DPA (s10.5) provides that processing is lawful for the purposes of Article 10 GDPR if it is carried out under the control of official authority (which is not the position in this case), or it complies with a condition under DPA Schedule 1, Parts 1, 2, or 3.

The only two conditions which could apply to this appeal are in Schedule 3, namely:

There is no evidence that the Data Subject gave his consent to disclosure, nor that he, himself, made the existence of any prosecution clearly available to the public. The legislation makes clear that he must have made the personal data public himself.

Accordingly, regardless of the position concerning compliance with Article 6(1)(f) GDPR, it would not be possible to satisfy a condition for processing in respect of Article 10 GDPR, given that any confirmation or denial would reveal criminal offence data.

The reason given for neither confirming nor denying is a technical one. Whilst we note the Appellant’s submitted documents and arguments, which provide background to his requests for information from RMBC, they do not address the issue in this appeal of whether confirming or denying that the requested information is held would contravene any of the data protection principles.

We have considered the Appellant’s grounds of appeal. However, they do not assist him. There is no error on the part of the IC. Scrutinizing RMBC’s responses would make no difference to the outcome and, whilst the Appellant may not think he was seeking personal data, the mere confirmation or denial of correspondence on whether the report was in the defence bundle, is itself personal information.

The IC has set out clearly the legal reasons why RMBC cannot confirm or deny whether it holds the requested information. Our understanding of the law accords with that of the IC and we can do no better than to endorse the IC’s reasoning.

In summary, the legal position is:

The duty to confirm or deny does not arise if it would contravene any of the data protection principles (s40(5B) FOIA).

Processing shall only be lawful if it is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (Article 6(1)(f) GDPR).

Processing of personal data relating to criminal convictions or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by domestic law providing for appropriate safeguards for the rights and freedoms of data subjects (Article 10(1) GDPR).

The processing meets the requirements in Article 10 GDPR for authorisation by the law of the United Kingdom only if it meets a condition in Part 1, 2 or 3 of Schedule 1 DPA (s.10(5) DPA).

The only conditions which are relevant are condition 29 (consent) and condition 32 (where the personal data is manifestly made public by the data subject). There is no evidence that either condition has been met.

Therefore, if RMBC confirmed or denied the information requested, it would contravene the data protection principles of Article 10(1) GDPR.

Consequently, RMBC is entitled to rely on s.40(5B) FOIA, which exempts it from the duty to confirm or deny in these circumstances.

For the reasons set out above, we find that RMBC is entitled to rely on s.40(5B) of FOIA to refuse to confirm or deny whether it holds the requested information.