[reposted from my LinkedIn account]
When a public authority receives a Freedom of Information Act request and the requested information contains personal data (of someone other than the requester) it must first consider whether it can even confirm or deny that the information is held. For instance “Dear NHS Hospital Trust – please say whether you hold a list of embarrassing ailments suffered by Jon Baines, and if you do, disclose the list to me”. To confirm (or deny) even holding the information would tell the requester something private about me, and would contravene the data protection principles at Article 5(1) of the UK GDPR. Therefore, the exemption at s40 of FOIA kicks in – specifically, the exemption at s40(5A): the hospital can refuse to confirm or deny whether the information is held.
But suppose that, mistakenly, the hospital had perhaps confirmed it held the information, but refused to disclose it? The cork, surely, is for ever out of the bottle.
Upon appeal by the requester (this requester really has it in for me) to the ICO, I could understand the latter saying that the hospital should have applied s40(5A) and failure to do so was a failure to comply with FOIA. However, certainly of late, the ICO has engaged in what to me is a strange fiction: it says in these circumstances that it will “retrospectively apply s40(5A)” itself. It will pretend to put the cork back in the bottle, after the wine has been consumed.
And now, the Information Tribunal has upheld an ICO decision to do so, albeit with no argument or analysis as to whether it’s the correct approach. But even more bizarre it says
We are satisfied that the Commissioner was correct to apply section 40(5B) FOIA proactively, notwithstanding the information that has previously been provided by the Trust, to prevent the Trust from providing confirmation or denial that the information is held.
But the Trust had already done so! It can’t retrospectively be prevented from doing something it has already done. The cork is out, the wine all gone.
Am I missing something? Please excuse the sudden mix of metaphor, but can no one else see that the Emperor has no clothes?
The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.
informationrightsandwrongs 
While it’s obviously ineffective at one level, it does clearly lay down “here’s how this should have been handled”.
The same scenario can come up in lots of cases where information has been previously been wrongly disclosed whether through FOI or not. Are you arguing that a future FOI request for the same information should also lead to a confirmation that it’s held? Or that the PSNI should release the names of all their staff since they already did it once by mistake?
The whole “proactive application” thing is rather confusing in itself. While there is Tribunal caselaw supporting it, I have my doubts it was really intended by Parliament and it makes a real mess of the requirements around refusal etc. Also, no exemption *prevents* an authority from releasing something. Only other legislation (e.g. GDPR) can do that.
No, I specifically say in the post “I could understand [the ICO] saying that the hospital *should have* applied s40(5A)“, but what I should have said was that failure to do so was an infringement of the UK GDPR (instead of an infringement of FOIA).
So if the ICO thinks they should have applied it, and the ICO has a power to forcibly/proactively/retroactively apply it, what’s the argument against doing that?
And would the argument be different depending on whether the disclosure happened during the course of this specific request or in a previous request?
The argument is a) it’s ridiculous, for the reasons I’ve given, and b) on further reflection, I’m very far from sure they do have a power – if they do, it doesn’t lie in s50(1) or 50(4).
I don’t follow your final question.
If I now make a fresh request to the Trust for the same information, should they NCND or not?
Yes. And of course that’s absurd, but that would be the same absurdity that would have obtained even if the ICO had not “proactively” applied s40(5A), so I don’t see the relevance.
The power to proactively apply an exemption was stated in “DEFRA v IC and Birkett [2011] UKUT 39 (AAC)” para 47 btw.
https://www.bailii.org/uk/cases/UKUT/AAC/2011/39.html
As I said above I don’t think it was actually Parliament’s intention but it’s binding case law as things stand.
Yes, I now recall – thanks. Although on rereading it’s not entirely clear what the judge was saying – he was certainly saying though that it might be incumbent on the ICO to consider exemptions that the public authority might not. But I would be minded to read that as conferring/confirming a power for the Commissioner to identify a potential exemption and draw it to the public authority’s attention, and, perhaps, where necessary to specify steps that must be taken.
That para explicitly states the ICO’s powers go beyond just “She also recognised that in limited circumstances the Commissioner might identify a possible new exemption and invite the parties to consider whether it applied. That is too limited a role for the Commissioner under this section”
I guess you could argue that the only way to proactively apply an exemption is for the Commissioner to issued a DN saying “apply this exemption” and then for the authority to do it. But that’s certainly not the way it’s getting interpreted.
I think the correct legal approach would be as I describe in my previous message.
In any case, the post was about the absurdity in the case of an NCND matter.
Is the point here not that they released the name to the applicant as part of a combined information request/complaints scenario but that they didn’t release it to the wider world? The handling was messy as it often will be in an under-funded NHS, but the ICO’s job was to take the correct legal approach?
I’m sorry, I don’t follow. My point is that it is plain nonsense for the public authority to say “yes we hold the information” and for the ICO then to say “we are saying that the the public authority neither confirms nor denies holding the information”.
I get that. But the point is that they shouldn’t have and it’s arguable that they didn’t do so under FOIA.