Category Archives: personal data

August 31, 2024 · 7:41 am

JR judgment, and the lack of third party rights under FOIA

[reposted from LinkedIn]

The Freedom of Information Act 2000 (FOIA) confers rights on those requesting information, and obligations on public authorities (it also confers duties and powers on the Information Commissioner). What it does not do is confer any rights on someone whose information is held by a public authority and requested to be disclosed: if someone asks for that third party’s information and the public authority discloses, or is minded to disclose, the third party can do little or nothing to stop it.

That appears to be illustrated by a case in the High Court of Northern Ireland. I say “appears” because there doesn’t seem to be a judgment yet, and so I’ve had to piece together what seems to have been at issue.

FOIA requests were made by three unionist MPs to the Legal Services Agency (LSA) for funding for legal cases brought by victims’ campaigner Raymond McCord. It appears that the LSA proposed to disclose the information, and Mr McCord (because he has no rights as a third party under the FOIA regime itself) brought judicial review proceedings to prevent disclosure.

According to the media reports, those proceedings have failed, with the judge saying

There is a legitimate public interest in the openness and accountability of the LSA as a public authority responsible for the expenditure of substantial public funds…[Mr McCord’s] contention that he is a private individual sits uneasily with his own description as a ‘peace campaigner’ and his various interviews with the media, including when he challenged the public claims made by Mr Allister about the appropriateness of him being granted legal aid…Self-evidently, the applicant has injected himself into the public discourse on a number of high-profile cases which are of obvious and manifest interest to the public. This is particularly so in relation to Brexit litigation.

It also appears that at some stage the ICO was involved, and indicated its view that disclosure would “likely be unfair and unlawful”. I imagine that this was because Mr McCord made a data protection complaint. In any event, the ICO said that its view was not legally binding (an interesting side note: could the ICO have issued an enforcement notice under section 149 of the Data Protection Act 2018 to prevent a public authority releasing personal data under FOIA?)

This issue of “third party rights” (or lack thereof) under FOIA is a very interesting one. The section 45 Code recommends that public authorities consult with third parties where necessary, and have regard to their representations, but this still doesn’t confer a direct right.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, FOIA, Freedom of Information, Information Commissioner, judgments, judicial review, personal data

Tagged as , ,

May 9, 2023 · 2:30 pm

ICO: powers to enforce over dead people’s information?

The Information Commissioner’s Office (ICO) has announced that it will not be taking action against Lancashire Police in relation to their disclosure of private information during their investigation into the tragic case of Nicola Bulley.

This is unsurprising, and, objectively, reassuring, because if the ICO had brought enforcement proceedings it would almost certainly have been unlawful to do so. In blunt terms, the ICO’s relevant powers are under laws which deal with “personal data” (data relating to a living individual) and when the police disclosed information about Nicola, she was not living.

There is no discretion in these matters, and no grey areas – a dead person (in the UK, at least) does not have data protection rights because information relating to a dead person is, simply, not personal data. Even if the police thought, at the time of the disclosure, that Nicola was alive, it appears that, as a matter of fact, she was not. (I note that the ICO says it will be able to provide further details about its decision following the inquest into Nicola’s death, so it is just possible that there is further information which might elucidate the position.)

Unless the ICO was going to try to take enforcement action in relation to a general policy, or the operation of a general policy, about disclosure of information about missing people (for instance under Article 24 of the UK GDPR), then there was simply no legal power to take action in respect of this specific incident.

That is not to say that the ICO was not entitled to comment on the general issues, or publish the guidance it has published, but it seems to be either an empty statement to say “we don’t consider this case requires enforcement action”, or a statement that reveals a failure to apply core legal principles to the situation.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, enforcement, Information Commissioner, personal data, police

Tagged as , ,