Category Archives: Freedom of Information

NCND for personal data – a qualified exemption?

[reposted from my LinkedIn Account]

I’ve been known to criticise First-tier Tribunal (FTT) judgments in the freedom of information jurisdiction. By contrast, this one is superb.

In it, the FTT dismantle the argument (and the decision notice) of the Information Commissioner’s Office that Bolton NHS Foundation Trust were entitled to “neither confirm nor deny” (NCND) holding reviews, including a review by PWC, into the Trust’s governance and management. The PWC review was the subject of an article in the Health Service Journal, and the requester was the journalist, Lawrence Dunhill.

Firstly, the FTT noted that the ICO “case begins with an elementary error of fact. It treats the Trust as having given an NCND response to the entirety of the Request when it did no such thing” (the Trust had only applied NCND in respect of the request for a PWC report, but had confirmed it held other reviews). Oddly, the Trust, in its submissions for the appeal, simply ignored this error (the FTT chose not to speculate on “whether that omission was accidental or tactical”).

Secondly, and notably, the FTT found a fundamental error of law in the ICO’s approach (and, by implication, in its guidance) to NCND in the context of personal data. Section 2(3)(fa) of FOIA provides that section 40(2) is an absolute exemption (therefore not subject to a public interest test). But section 2(3) does not include section 40(5B) (the personal data NCND provision) in the list of absolute exemptions. As far as I know, the ICO has always taken the view, however, that it is an absolute exemption (certainly its current guidance says this).

That approach, held the FTT, is “simply wrong…the exemption under FOIA, s40(5B)(a)(i) is qualified and the public interest balancing test applies”. And but for that error, they said, the ICO might have reached a different conclusion.

As it was, the FTT held that the legitimate interests balancing test under Article 6(1)(f) of the UK GDPR was sufficient to determine the issue: merely confirming or denying whether the PWC review was held would not cause unwarranted prejudice to a named individual when balanced against the requester’s legitimate interests.

It will be interesting to see if the ICO appeal this. Given the strength of the criticism it would perhaps be bold to do so, but it might be that the only alternative will be to have to rewrite their guidance on s40(5), and rethink their long-held view on it.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


MoD: “too costly” to find out if there have been further spreadsheet data breaches

Response to FOI request says it would take 237 hours to find out. How can ICO have confidence lessons have been learnt?

Anyone who’s ever been responsible for compiling or overseeing a data breach log will know that one of the commonest incidents is the inadvertent disclosure of personal data. And since the time spreadsheets could first be sent via, or uploaded to, the internet, people have mistakenly left personal data in them which should have been removed or otherwise masked. It’s not a new phenomenon: as long ago as 2013 I wrote for the Guardian about the risks, and what I perceived then as a lack of urgency by the Information Commissioner’s Office in addressing, and educating about, those risks.

So it might be found surprising that, two years after the most catastrophic data breach in UK history, in which the information of thousands of Afghan citizens was mistakenly disclosed, putting many lives directly at risk, the Ministry of Defence appears to have no process for identifying when or whether there have been recurrences of the issue.

Section 12 of the Freedom of Information Act 2000 permits a government department not to comply with a request where locating and retrieving any information held would take more than 24 hours. It’s not uncommon for it to be invoked where requests are formulated in too general a manner.

But when I made a request to the MoD for

the number of personal data breaches recorded between April 2023 to date which involved: a) disclosure of personal data to the wrong recipient; b) inadvertent disclosure of personal data contained in a spreadsheet

I imagined that this would be relatively easily located and extracted. Most data breach logs I’ve seen would be categorised in such a way as to enable this. However, the MoD instead informed me that it would take over 237 hours to do so.

Helpfully, the MoD said that if I restricted my request just to the first part (“disclosure of personal data to the wrong recipient”) they might be able to comply. But what this appears to indicate is that no, or no clear, record is being taken of whether there have been repeats of the spreadsheet error involving Afghan citizens.

The Information Commissioner’s Office (ICO) has come under some criticism – including from leading academics, the Science, Innovation and Technology Committee, and me – for failing even to conduct a formal investigation into the Afghan spreadsheet data breach. Justifying that decision, the Commissioner himself said that

MoD has briefed us on the measures it has adopted since the breach, which seek to mitigate risk of such an incident occurring in future

But if the MoD cannot say (without it taking more than 237 hours) whether there have been further such incidents, how can they reassure themselves that the risk has been mitigated?

And perhaps more pertinently, how can the ICO be satisfied of this?


Tribunal: unincorporated associations are not companies for the purposes of FOIA

The question of whether a body is a public authority for the purposes of the Freedom of Information Act 2000 (FOIA) is determined by asking (up to) three questions:

1: is it listed in Schedule 1 to FOIA?
2: has it been designated as a public authority by order by the Secretary of State or Minister for the Cabinet Office?
3: is it a company wholly owned by the wider public sector, or by the Crown (or by both of those)?

If the answer to all of those is “no”, then the body is not a public authority, and it is not obliged to comply with FOIA, no matter how much it might seem or look like a public authority.

These issues arose in a recent case in the First-tier Tribunal, following a decision by the Information Commissioner’s Office that the Conference of Colleges of the University of Oxford (the “Conference”) – an unincorporated association – was not a FOIA public authority.

It is accepted that the University of Oxford is a public authority, as is each of the colleges of the University (see paragraph 53 of Schedule 1 FOIA). The appeal to the Tribunal was based on argument by the appellant (“The Association Of Precarious Postdoctoral Researchers Ltd”) that the Conference, being a body created by the constituent colleges, met the definition of a “company” wholly owned by those colleges. Although FOIA does not define “company”, certain other legislative provisions do, including section 1121 of the Corporation Tax Act 2010, pursuant to which it is defined as meaning “any body corporate or unincorporated association…”.

That argument, however – held the Tribunal – actually counted against the appellant, because in the absence of clear legislative intent to broaden the term for the purposes of FOIA, it should take its ordinary English use: “unincorporated associations are not considered to be caught by the normal definition of a ‘company’ and…Parliament will make express provision to include them where it intends to do”.


Liz Truss leadership election not amenable to JR

Was the leadership election in which Liz Truss was elected as leader of the Conservative Party (and as a result of which she was recommended to the Queen by the outgoing Boris Johnson, and appointed by the Queen as her Prime Minister) a decision amenable to judicial review?

Whether a person is a public authority for the purposes of the Freedom of Information Act 2000 is, in principle, a relatively straightforward issue: is it listed in Schedule 1 to FOIA?; or has it been designated as such by order under section 5?; or is it wholly owned by the public sector?

Whether a person is a public authority under section 6 of the Human Rights Act 1998, or whether a person is a public authority amenable to judicial review, are more complex questions.

It was the last of these that the Court of Appeal had primarily to consider in Tortoise Media Ltd, R (On the Application Of) v Conservative and Unionist Party [2025] EWCA Civ 673. Tortoise Media had written to the Party seeking certain information in relation to the leadership election process, and argued that the public effects of the leadership election meant that, in those circumstances, the Party was exercising a public function for the purposes of CPR 54.1(2). The follow-on argument was that the judgment of the ECtHR in Magyar Helsinki Bizottság v Hungary meant that the domestic courts should read down Article 10 of the ECHR (as incorporated in domestic law in the HRA) as imposing, in some cases, a positive obligation on a body to provide information to the media, who act as “watchdogs” in the public interest.

Perhaps unsurprisingly, though, the Court of Appeal did not accept that the effects and circumstances of the Party leadership election made the decision of the Party amenable to JR:

the nature of the act of electing a party leader…is at all times a private act. The fact that it has important, indirect consequences for the public does not transform a private act into a public one.

For that reason, the Court did not need to consider the Article 10/Magyar arguments (but on which, one feels – having regard to the submissions on behalf of the Duchy of Lancaster, as intervener, which argued that the Supreme Court’s decisions in Sugar and in Kennedy (which did not follow the reasoning in Magyar) bound all inferior courts – the claimants would have in any case lost).

It’s an interesting read, even if it was – to put it mildly – an ambitious case to bring.


FOIA contempt proceedings against University of Exeter

Non-compliance by a public authority with the provisions of the Freedom of Information Act 2000 is rarely a particularly serious matter for the public authority: a delay in responding, or a failure to disclose what should be disclosed, or wrong reliance on exemptions will at most normally only result in a public decision notice by the Information Commissioner’s Office (ICO), and there are hundreds of those issued each year, which pass with barely any attention.

Where it can get serious is where the public authority fails to comply with an order by the ICO, or where, upon a case having been appealed to the First-tier Tribunal (FTT), the FTT has made an order for disclosure. Sections 54 and 61, respectively, of FOIA, empower the ICO and the FTT to treat the failure to comply as an offence of contempt of court, and certify the offence to the Upper Tribunal, which has the power to commit for contempt. In principle, as I understand it, the Upper Tribunal could, if it agreed there was a contempt, impose a period of imprisonment or a fine (the powers here are not contained in the Upper Tribunal Rules, but in YSA (Committal for contempt by media) [2023] UKUT 00075 (IAC), the Upper Tribunal (in a non-FOIA case) said that as the Upper Tribunal Rules do not expressly deal with contempt certifications, then the Upper Tribunal should, so far as it can, adopt the contempt provisions of part 81 of the Civil Procedure Rules).

I’m not aware of any FOIA case where the Upper Tribunal (or the High Court, which had the jurisdiction until the Data Protection Act 2018 amended FOIA and conferred jurisdiction on the Upper Tribunal) has actually made a contempt committal. But the latest case to make its way to the Upper Tribunal, to consider whether to do so, involves the University of Exeter. The University was asked under FOIA for the names of attendees, and the organisations they represented, at two University groups – the Exeter Community Panel and the Resident Liaison Group. The University refused, citing data protection concerns (and relying on the exemption at section 40(2) FOIA), and the ICO agreed. However, the FTT disagreed (these were public facing groups and attendees would have had no reasonable expectation that their names would be kept private) and ordered disclosure. This, however, the University did not do, and upon being chased by the applicant, indicated that at least some of the information no longer existed, because of (undocumented) oral right to be forgotten requests made by attendees after the FTT had ordered disclosure (which raised s77 FOIA questions). As the FTT pointed out, the University had supplied the withheld information to the ICO and to the FTT itself for the purposes of the original proceedings, and it was “less than credible that the Respondent cannot recover that information and provide it to the Applicant”.

The FTT was satisfied therefore, that this was a “wilful”, “flagrant” and continuing failure to comply with its order – “a contrived and persistent failure that is still ongoing”.

The FTT nonetheless still urged the University to fully comply with the order, as doing so “may mitigate any action taken by the Upper Tribunal”.

Compliance with FOIA is not voluntary for a public authority. Still less so is compliance with orders of a court.


FOIA s11 – All or nothing or a sliding scale?

When a public authority receives a request for information it must, under the Freedom of Information Act 2000, determine and communicate whether the information is held (subject to any exemption which removes the obligation to confirm or deny whether it is held), and then determine whether any exemptions to disclosure apply. These latter exemptions include the procedural ones at ss12 and 14 of FOIA (costs grounds and vexatiousness or repeatedness) and the substantive ones at Part II (ss21 to 44). It is only then that, if the requester has requested the information in a specific format (such as a specific software format) the public authority must, under s11, consider whether it must “so far as reasonably practicable” give effect to that preference.

That this is the correct order of things is confirmed by an important (albeit quite niche) judgment of the Upper Tribunal, in Walawalker v The Information Commissioner & Anor [2023] UKFTT 1084 (GRC). Both the ICO, and the First Tier Tribunal, had elided/confused the staged process above, with the result that the appeal before the Upper Tribunal was on the meaning of s11, despite prior findings not having been fully made on the application of exemptions.

Nonetheless, what the Upper Tribunal had to decide was, where (for instance as was the case here) a request was for transcripts of 50-odd audio recordings of distress calls at sea, and the act of transcribing them would be very resource-heavy, did the obligation to give effect to the preference for transcripts “so far as reasonably practicable” impose an “all or nothing” or a “sliding scale” duty? In this example, did the Maritime and Coast Agency have to transcribe as many of the calls as it could before it became no longer reasonably practicable, or did the exercise as a whole constitute something that was not reasonably practicable?

It was the latter, said the judge: s11 applies to “the information” requested (what the ICO, in its submissions, described as being a “unitary concept” – and the judge said this was a “helpful perspective”), not a subset or extract of the information. What Mr Walawalker had requested was “all calls”, and it was that “unitary concept” which was at issue in the s11 analysis. It was not reasonably practicable to transcribe all calls, and so the s11 duty did not apply.


The Emperor has no clothes!

[reposted from my LinkedIn account]

When a public authority receives a Freedom of Information Act request and the requested information contains personal data (of someone other than the requester) it must first consider whether it can even confirm or deny that the information is held. For instance “Dear NHS Hospital Trust – please say whether you hold a list of embarrassing ailments suffered by Jon Baines, and if you do, disclose the list to me”. To confirm (or deny) even holding the information would tell the requester something private about me, and would contravene the data protection principles at Article 5(1) of the UK GDPR. Therefore, the exemption at s40 of FOIA kicks in – specifically, the exemption at s40(5A): the hospital can refuse to confirm or deny whether the information is held.

But suppose that, mistakenly, the hospital had perhaps confirmed it held the information, but refused to disclose it? The cork, surely, is for ever out of the bottle.

Upon appeal by the requester (this requester really has it in for me) to the ICO, I could understand the latter saying that the hospital should have applied s40(5A) and failure to do so was a failure to comply with FOIA. However, certainly of late, the ICO has engaged in what to me is a strange fiction: it says in these circumstances that it will “retrospectively apply s40(5A)” itself. It will pretend to put the cork back in the bottle, after the wine has been consumed.

And now, the Information Tribunal has upheld an ICO decision to do so, albeit with no argument or analysis as to whether it’s the correct approach. But even more bizarre it says

We are satisfied that the Commissioner was correct to apply section 40(5B) FOIA proactively, notwithstanding the information that has previously been provided by the Trust, to prevent the Trust from providing confirmation or denial that the information is held.

But the Trust had already done so! It can’t retrospectively be prevented from doing something it has already done. The cork is out, the wine all gone.

Am I missing something? Please excuse the sudden mix of metaphor, but can no one else see that the Emperor has no clothes?


Cabinet Office unsuccessfully appeals FOIA information notices

When a public authority relies on an exemption to refuse to disclose information in response to a Freedom of Information Act request, the requester can ask the Information Commissioner’s Office for a decision as to whether the refusal was in accordance with the law. In order to make such a decision, the ICO may often need to see the information withheld by the public authority. Where the public authority is unwilling to provide this, or perhaps drags its heels over it, the ICO may serve, under section 51 of FOIA, an “information notice”, requiring the information to be provided. Failure to comply with an Information Notice can be certified as contempt of court, but there is a right of appeal to the First-tier Tribunal.

And so it was that the Tribunal recently found itself hearing appeals by the Cabinet Office in relation to two Information Notices served on it by the ICO, who is investigating whether FOIA requests for information relating to Rishi Sunak’s declarations of interest when he was Prime Minister.

The Cabinet Office sought to argue, among other things, that access by the ICO was not necessary, was unfair and damaging to the process of handling ministerial declarations of interest, and would constitute unlawful processing of personal data. All of these arguments got short shrift from the Tribunal – ultimately, it held that it would not be possible to determine whether any of the exemptions prayed in aid by the Cabinet Office were made out without an examination of the material, and the appeals were dismissed.


Cabinet Office wins Covid face masks FOIA appeal

The Information Tribunal has overturned a decision of the Information Commissioner’s Office and ruled that the Cabinet Office is not required to disclose minutes of meetings in June and July 2020 at which policy decisions were taken to make mandatory the wearing of face masks in shops and on public transport.

It is a shame that, for a decision of some import, the judgment reads like a stream-of-consciousness draft, and that it is infused with unnecessary sarcasm at various points.

The ICO had determined that the exemption at s35 FOIA (for information relating to the formulation of government policy) was engaged. He acknowledged the importance of a protected space for government decision-making, and of the principle of collective responsibility, but decided that the “exceptionally weighty” public interest favoured disclosure.

The Tribunal, however, via reasoning which is – frankly – very difficult to follow, appears to have focused on the issue of “accountability”, something that the requester had mentioned rather in passing in support of his request, but which was not a matter expressly mentioned in the ICO’s decision. Having fixed on this concept, the Tribunal appears to have decided that as those in government at the time have since been held accountable in various ways, there was diminished public interest in achieving accountability by way of disclosure of the requested information. The key passage is probably this (at 57):

In considering the context of this request there is a stark contrast between the salience and effectiveness of other multiple forms of accountability…and the value of the information sought – in contrast with the risk of harm to the functioning of government caused by its release disproportionate to any benefit.

I do not say the Tribunal has necessarily got this wrong, but I do say that this is a FOIA case of some significance, and that it warranted a clearer judgment.

Whether the judgment is amenable to an appeal is not entirely clear, but it’s worth pointing out that the original requester was not a party to, and was not joined to, these proceedings, and so I do not believe he himself has a right of appeal to the Upper Tribunal, and one wonders whether the ICO will have the enthusiasm to do so, given the costs involved.


FOI doesn’t need a “purpose”

[reposted from my LinkedIn account]

At the close of an otherwise unobjectionable and unsurprising refusal of a Freedom of Information Act 2000 appeal (on the issue of a vexatious request), the Information Tribunal judge says this:

“FOIA exists to safeguard freedom of information. It was not enacted to serve as a tool for furthering personal campaigns and causes, however heartfelt they may be.”

When Parliament enacted FOIA it expressly declined to insert a “purpose clause”. As its explanatory notes say “A request for information can be made by any individual or body, regardless of the purpose of the application.” So if someone wants to use FOIA as a tool for furthering personal campaigns and causes, then (as long as their requests are not, as they were here, vexatious) they jolly well can. And judges should respect this.
