Does data protection law prevent the disclosure under the FOI Act of the identities of prisoners who have absconded?
The Mail reported recently that the Ministry of Justice (MoJ) had refused to disclose, in response to a request made under the Freedom of Information Act 2000 (FOIA), a list of prisoners who have absconded from open prisons. The MoJ are reported to have claimed that
under Freedom of Information laws, there is a blanket ban on releasing the criminals’ identities because it is their own ‘personal data’
but the Justice Secretary Chris Grayling was reported to be
furious with the decision, which was taken without his knowledge. He is now intending to over-rule his own department and publish a list of all on-the-run criminals within days
and sure enough a few days later the Mail was able to report, in its usual style, the names of the majority of the prisoners after Grayling
intervened to end the ‘nonsense’ of their names being kept secret…[and stated] that data protection laws will not be used to protect them, arguing: “They are wanted men and should be treated as such. That’s why on my watch we will not hold back their names, unless the police ask us not to for operational reasons”
Regarding the initial article, and in fairness to the MoJ, the Mail does not publish either the FOI request, nor the response itself, so it is difficult to know whether the latter was more nuanced than the article suggests (I suspect it was), but is it correct that disclosure of this information was prevented by data protection law?
More information was given in a follow-up piece on the Press Gazette website which cited a spokeswoman from the MoJ’s National Offender Management Service’s Security Group:
She said the department was “not obliged” to provide information that would contravene the Data Protection Act, adding, “for example, if disclosure is unfair”, which also meant that it did not have to consider “whether or not it would be in the public interest” to release the information
This is technically correct: FOIA provides an exemption to disclosure if the information requested constitutes personal data and disclosure would be in contravention of the Data Protection Act 1998 (DPA), there is no “public interest test” under this exemption, and whether disclosure is unfair is a key question. The reference to “fairness” relates to the first data protection principle in Schedule One to the DPA. This provides that
Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless—
(a)at least one of the conditions in Schedule 2 is met, and
(b)in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met
As the Information Commissioner’s Office says (page 13 of this guidance) “fairness can be a difficult concept to define”, and assessing it in a FOIA context will involve whether the information is “sensitive personal data” (it is in this instance – section 2 of the DPA explains in terms that data about prison sentences is included in this category); what the possible consequences of disclosure are on the individual; what the individual’s reasonable expectations are; and the balance of the interests of the public against the rights of the individual (this last example shows that there is, in effect, if not in actuality, there is a kind of public interest test for the FOIA personal data exemption).
With this in mind, would it really have been “unfair” to disclose the identities of on-the-run prisoners? The consequences of disclosure might be recapture (although I concede there might also be exposure to risk of attack by members of the public), but does an absconder really have a reasonable expectation that their identity will not be disclosed? I would argue they have quite the opposite – a reasonable expectation (even if they don’t desire it) that their identity will be disclosed. And the balance of public interest against the absconders’ rights surely tips in favour of the former – society has a compelling interest in recapturing absconders.
But this doesn’t quite take us to the point of permitting disclosure of this information under FOIA. If we look back to the wording of the first data protection principle we note that a condition in both Schedule Two (and, this being sensitive personal data) Schedule Three must be met. And here we note that most of those conditions require that the processing (and FOIA disclosure would be a form of processing) must be “necessary”. The particular conditions which seem to me most to be engaged are the identically worded 5(a) in Schedule Two, and 7(1)(a) in Schedule Three:
The processing is necessary for the administration of justice
What “necessary” means, in the context of a balance between the FOIA access rights and the privacy rights of individual has been given much judicial analysis, notably in the MPs’ expenses case (Corporate Officer of the House of Commons v The Information Commissioner & Ors  EWHC 1084 (Admin)), where it was said that “necessary”
should reflect the meaning attributed to it by the European Court of Human Rights when justifying an interference with a recognised right, namely that there should be a pressing social need and that the interference was both proportionate as to means and fairly balanced as to ends
In this way “necessary” in the DPA, accords with the test in Article 8 of the European Convention on Human Rights, which provides that any interference with the right to respect for private and family life etc. must be
necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others [emphasis added]
Deciding whether there was a “pressing social need” to disclose, under FOIA, the absconders’ identities to the Mail was not straightforward, and no doubt the civil servants at MoJ erred on the side of caution. I can imagine them thinking that, if it was necessary in a democratic society to publish these names, they already would be published as routine, and the fact that they hadn’t meant that it would not be proportionate to disclose under FOIA (I happen to think that would be wrong, but that’s not strictly relevant). But this is an interesting case in which the subsequent intervention by the Justice Secretary created the justification which perhaps did not exist when the FOIA request was being handled: after all, if the Justice Secretary feels so strongly about publishing the names, then doing so must be necessary in the interests of public safety etc.
As it was, five of the names (out of eighteen) were not disclosed, no doubt for the police operational reasons that were alluded to by Grayling. And this, of course, points to the most likely, and the most strong, exemptions to disclosure of this sort of information – those relating to likely prejudice to law enforcement (section 31 FOIA).
p.s. I am given to understand that the Information Commissioner’s Office may be contacting the MoJ to discuss this issue.
2 responses to “Data Protection rights of on-the-run prisoners”
This is so helpful that I have made it required reading for my team – we knew this, but have not seen it set out so clearly before. Thanks Jon.
That’s very kind. My invoice is in the post 😉