Response To Foia Request Results In Data Breach

The Financial Conduct Authority (‘FCA’) has recently revealed that it inadvertently published online the personal data of people who made complaints against it, in response to a request made under the Freedom of Information Act 2000 (‘FOIA’).

The information published in response to the request last November, was a spreadsheet which included the names of around 1,600 complainants, along with some addresses and telephone numbers. This incident has highlighted the difficulties which can arise in the interaction between the Freedom of Information and Data Protection regimes, and the pitfalls organisations face when seeking to comply with, on the one hand their transparency obligations under FOIA and on the other their obligations in relation to personal data under Data Protection law.

Freedom Of Information

FOIA applies only to public authorities as defined by the act and allows members of the public to request information from those public authorities. The main principle behind FOIA is that people have a right to know about the activities of public authorities, unless there is a good reason for them not to. Provision of information in response to a FOIA request is to be treated as a disclosure to the public at large and a response to a FOIA request cannot be made confidentially or subject to certain conditions.

This recent data breach by the FCA highlights the conflict which can exist between the two regimes, with FOIA on the one hand requiring disclosure of information and the General Data Protection Regulation (‘GDPR’) on the other hand regulating disclosure of personal data.

The Interaction Between FOI And Data Protection

It is important that public authorities take care to consider their obligations under both pieces of legislation when faced with an FOIA request. The Data Protection Act 2018 (‘DPA’) provides that personal data consisting of information that a data controller is obliged by an enactment to make available to the public can be disclosed.

There is also a presumption in favour of disclosing the information in response to a FOIA request, however the FOIA does include specific exemptions in relation to personal data.

Personal data will be exempt from disclosure in response to an FOI request if:

• the requested information relates to the requester’s own personal data (in which case it should be dealt with under the right of access in Article 15 of the GDPR); or
• where the requested information concerns the personal data of third parties and complying with the request would breach any of the data protection principles now contained in Article 5 of the GDPR.

Disclosing Personal Data In Response To An FOI Request

In relation to third party personal data therefore, the question is whether it is fair and lawful under Article (5)(1)(a) of the GDPR to release the personal data in response to the FOI request.

If the personal data of a third party is included in the information covered by a FOIA request, before it is disclosed, organisations need to be satisfied that there is a legal basis under the GDPR permitting the personal data to be disclosed lawfully.

Public authorities are likely to be relying on performance of a task in the public interest to release personal data under FOIA. It is still however a requirement that the disclosure of the personal data is necessary to perform that task.

An important factor to consider in making this determination will be to assess whether the disclosure would cause an unwarranted interference with the third party’s rights. The Information Commissioner has set out in guidance some relevant factors for public authorities to consider when making this determination:

• What potential harm or distress may disclosure cause?
• Is the information already in the public domain?
• Is the information already known to some individuals?
• Has the individual expressed concern or objected to the disclosure?
• What are the reasonable expectations of the individual?

If an assessment of these factors indicates that it would not be fair and lawful to disclose the third-party personal data then the exemption under the FOIA will apply and the information should be withheld citing that exemption.

The key message to take away from this case is that the usual presumption in favour of disclosure under FOIA will not necessarily apply where the information requested contains third party personal data. In such circumstances, consideration of the application of the exemption relating to personal data is required before the personal data can be lawfully disclosed under data protection law.

If you require further information contact our team below.