FOI cases involving NCND for personal data are qualified, not absolute exemptions

A blog article by Jon Baines considers a recent ruling by the First-tier Tribunal (FTT) in a Freedom of Information Act (FOIA) case, in which the FTT dismantled the argument used by the Information Commissioner's Office (ICO) concerning the application of the "neither confirm nor deny" (NCND) provision. The case involved a FOIA request from journalist Lawrence Dunhill to Bolton NHS Foundation Trust for reviews of its governance and management, including a PWC review. 

The FTT identified two fundamental errors in the ICO's handling of the case.

In the first instance, the Tribunal noted an elementary error of fact in the ICO's decision notice. The ICO treated the Trust as having applied an NCND response to the entirety of the FOIA request, when in fact the Trust had only applied NCND to the request for the PWC report while confirming that it held other reviews. The FTT also noted that the Trust's submissions in the appeal failed to address this factual error. 

Secondly, and more significantly, the FTT found a fundamental error of law in the ICO's approach to the NCND provision in the context of personal data, specifically under FOIA, section 40(5B). The ICO has long operated under the premise that this section provides an absolute exemption from confirming or denying whether information is held if that information is personal data. The FTT held that the ICO's long-standing approach is "simply wrong." The Tribunal confirmed that the exemption under FOIA, section 40(5B)(a)(i) is qualified and therefore requires a public interest balancing test. The FTT stated that had the ICO not made this error of law, it might have reached a different conclusion in the case.

Ultimately, the FTT applied the legitimate interests balancing test under Article 6(1)(f) of the UK General Data Protection Regulation (GDPR) and found that merely confirming or denying whether the PWC review was held would not cause unwarranted prejudice to a named individual when weighed against the requester's legitimate interests.

Baines concludes that this ruling puts the ICO in a difficult position. Given the level of criticism, an appeal might be seen as somewhat bold. However, the alternative is that the ICO will need to rewrite its guidance on FOIA, section 40(5), and fundamentally rethink its established interpretation of that part of the law.

Training Announcement: The BCS Practitioner Certificate in Freedom of Information offers an in-depth examination of the legislation, codes of practice, frameworks, standards, and ethics concerning the right to request recorded information held by public authorities in England, Wales and Northern Ireland. Find out more.