Guide to DPA and FOIA information requests

12 May 2010

Ruth Boardman, Laura Acreman

For many organisations, a key problem with data protection and freedom of information legislation is handling requests for access to information.

Under the Data Protection Act 1998 (DPA) individuals are entitled to access the information which an organisation holds about them. This is an important right in data protection legislation, but it can have a significant impact on businesses. Businesses must carry out detailed searches quickly, within a deadline of 40 days from receipt of the request. The searching can expand to cover emails, databases, paper records and CCTV records. In addition, businesses must provide the information for a very low charge when compared to the cost of searching. In general the maximum charge paid by the individual is £10, with the cost of searching vastly exceeding this. In some cases, we have seen the cost of searches running to tens of thousands of pounds. Although there are some exceptions to the right of access, businesses are often concerned because embarrassing information must be disclosed, against the wishes of the business.

The Freedom of Information Act 2000 (FOIA) gives anyone the right to make a request for information held by a public authority, regardless of the subject matter of the request (i.e. unlike under the DPA, the applicant does not have to be the subject of the information requested). There are numerous examples of information disclosed under FOIA being published in the media. While only public authorities may receive requests for information under FOIA, other entities that work or have dealings with public authorities can be indirectly affected if they have shared information with that public authority. Private organisations may not wish their business information to be made publicly available, but they do not have standing to prevent disclosure under FOIA. All organisations should be aware of how FOIA works and how the response to a request for information can be managed.

The first part of this guide outlines the key actions which an organisation should take when receiving a request for access to personal information, in order to comply with the DPA and minimise impact on the business. The second part summarises the steps to be taken to deal with requests for access to information under FOIA.

DPA subject access requests

Does the information held fall under the DPA?
Is it in a relevant filing system?
The DPA only applies to personal data contained in electronic form or held in a “relevant filing system”. The Information Commissioner's guidance suggests that in most cases, information held on a manual file would not amount to a relevant filing system for the purposes of the DPA. If an organisation does not have an organised system for holding paper records of personal data it should consider whether the information falls under the DPA.

Does the organisation process personal data?
The fact that an individual is named in a document does not mean that that document contains personal data. The leading case relating to access requests and personal data is Durant. [1] Durant suggested that, for information to be personal data it had to be “biographical in a significant sense” and the individual making the request had to be the focus of the information. In Durant, information about the FSA’s enquiry into Mr Durant's complaint against Barclays bank was not personal data to Mr Durant. This case has been followed by a number of cases in the Information Tribunal (now the First Tier Tribunal (Information Rights)).

A note on automated decision-taking
If an organisation is engaged in automated decision-taking, it has additional obligations under the DPA. If an organisation makes decisions electronically without human intervention (e.g. automatic scoring after biometric testing in graduate recruitment), an individual has a right to ask for information about any automated processing that has taken place (trade-secret information is, however, exempt). Additionally they can ask that the decision is retaken without the use of electronic means.

If an individual does not ask for information about automated processing, the organisation is not obliged to provide it.

What to do when a request is received
1. Ensure the request is logged and complied with promptly
Individuals do not have to say that they are making a subject access request or make reference to the DPA for it to be a valid request. Consequently, personnel who might receive such requests should be trained in data protection compliance so they can recognise a request for what it is and ensure it is dealt with promptly, within the 40-day deadline required by the DPA. If an organisation does not comply with a request either promptly or fully, the individual can complain to the Information Commissioner, who can take enforcement action.

2. Check that there is sufficient information to respond to the request
The organisation does not have to respond to a request until it has all of the information which it reasonably requires and has requested to be able to locate the information sought. The 40-day time limit for responding to the request will not start until this information, if requested, has been obtained. If the access request is not clear, the organisation is entitled to go back to the individual for more information.

3. Ensure that the individual making the request is entitled to the requested information
If the organisation is not sure about the identity of the requestor, it can ask them to provide evidence of their identity. If an individual is writing on behalf of a spouse, or a legal representative on behalf of their client, an organisation should not assume that they have authority to act on behalf of the client/individual. The organisation should ask for written evidence of authority.

4. Carry out a search for the information requested
Once satisfied that it has enough information to carry out the search, the organisation should search for any relevant information which it may hold. A helpful court decision (Ezsias v Welsh Ministers [2]) has suggested that any searches made in response to access requests must be reasonable and proportionate. To work out what is reasonable and proportionate, the court in Ezsias considered that the following factors could be relevant:

  • the cost of providing the information;

  • the length of time it may take to provide the information;

  • how difficult it would be to provide the information; and

  • the size of the organisation.

All of these factors should be balanced against the effect of not disclosing the information on the individual making the request.

The Ezsias guidance is helpful if it is difficult and costly for an organisation to retrieve archived information or if the information is held on many sites. It should be noted that the Ezsias case has been criticised for applying guidance and legislation out of context. However, the Ezsias case is the leading case in this area so despite the criticism it remains a good test to follow in the UK.

What exemptions may be relevant?
If the organisation is processing personal data, not all information must be disclosed under the DPA. The DPA lists a number of exemptions; a summary of the most relevant of which is set out below:

Exemption / Explanation
Legal Privilege

Documents that are subject to legal professional privilege do not have to be disclosed.

Third Party Information

If the information refers to other individuals the information does not always have to be disclosed. The organisation can disclose the information if it has the other individual's consent to disclose the information, or if it is reasonable in the circumstances to disclose without consent.

Prevention or detection of crime

The organisation does not have to release the information if doing so would prejudice:

1. the prevention or detection of crime;

2. the apprehension or prosecution of offenders; or

3. the assessment or collection of any tax or duty, or of any imposition of a similar nature.

Negotiations with the individual

Information which relates to ongoing negotiations between the organisation and the individual requesting the information does not need to be disclosed, where this would prejudice those negotiations.

The response letter
There is no set wording for the response letter. However, it is important to ensure that the letter sets out all of the information that must be provided. In particular, the response should state:

  • What personal data is processed;

  • The sources of that personal data;

  • The purposes for which the personal data is processed; and

  • The recipients of that personal data.

Freedom of information requests

Does the information fall under FOIA?
FOIA applies to information “held” by a public authority, which includes any information passed on to the public authority by private organisations and information held by a private organisation on behalf of the public authority. FOIA therefore applies to contract documents, meeting minutes, emails and other correspondence shared with a public authority. The remainder of this note focuses on how a public authority should deal with FOIA requests but private organisations should also be aware of the requirements under FOIA and the exemptions that apply because of the indirect effect FOIA may have on them.

What to do when a request is received
Only public authorities or other publicly-owned organisations (e.g. Royal Mail) need to comply with information requests under FOIA. If a request is received by a private organisation that is not caught by FOIA, it does not have to respond to the request. The entities that are considered public authorities are listed in Schedule 1 of FOIA.

1. Ensure a request is logged and complied with promptly
Anyone can make a request for information under FOIA, and the request does not have to say that it is a request under FOIA for it to be valid. Consequently, personnel who might receive such requests should be trained in FOIA compliance so they can recognise a request for what it is and ensure it is dealt with promptly, within the 20-day deadline required by FOIA (extended to 40 days where the public interest test applies). If the public authority does not comply with a request either promptly or fully, the requestor can complain to the Information Commissioner, who can take enforcement action.

The public authority should consider whether it is required to comply with the request. It does not need to do so where:
• the cost of complying would exceed the limit set out in the applicable regulations, currently £450 (£600 for central government or Parliament); or
• the request is vexatious, e.g. the same or similar requests have been received on a number of previous occasions by the same person.

2. Consultation
Where a FOIA request is received, the public authority should ordinarily consult with any other parties that have shared requested information with them, in order for the other parties to object or consent to the release of their information and to put forward arguments as to why certain exemptions should apply (where relevant). However, there is no obligation on the public authority to do so.

What exemptions may be relied upon?
Even where the public authority holds information, not all information must be disclosed under FOIA. FOIA lists a number of exemptions. We have set out a summary of the most relevant exemptions below:

Exemption / Explanation
Personal Data

Absolute exemption
If the information relates to the requestor, it is a subject access request and should be dealt with under the DPA (see guidance on DPA subject access requests).
If the information refers to other individuals, the information does not have to be disclosed if it would breach the data protection principles to do so. In effect, the public authority can disclose the information if it has the other individual's consent to disclose the information or if it is reasonable in the circumstances to disclose without consent.

Confidential Information

Absolute exemption
Disclosure would be an actionable breach of confidence.

Trade Secret or commercially sensitive information

Qualified exemption
Disclosure would or would be likely to prejudice the commercial interests of the public authority or any other person.

‘Absolute’ exemptions apply if the exemption test is satisfied. There is no need to separately apply the public interest test.
‘Qualified’ exemptions apply if the exemption test and the public interest test are satisfied in favour of the organisation.

Public Interest (applies to all qualified exemptions)

Given all of the circumstances, does the public interest in disclosing this information outweigh the public interest in maintaining the exemption?

The response letter
As FOIA applies to “information” not “documents”, any information provided to the requestor does not need to be in its original form. Any irrelevant or exempt information may be redacted or the relevant and non-exempt information extracted and set out in an alternative format (e.g. a table) before it is presented to the requestor.

There is no set wording for a response letter. However, it is important to ensure that the letter sets out all of the information that must be provided. In particular, the response should state:

  • Whether the information requested is held by the public authority (unless to do so would be in breach of an exemption);

  • Whether any information is being withheld; and

  • (If information is withheld) what exemptions apply and why.

Summary

To minimise the impact on the business and to ensure the relevant steps are taken, organisations should:
1. Implement staff training – Organisations should have in place a process for handling both subject access and freedom of information requests. When a request is received, it should automatically be passed on to an appropriate person within the organisation and reviewed carefully.

2. Put in place systems to collate information – Organisations should know or be able to readily find out what information is stored and where.

3. Consult – Consultations internal to the organisation and external (if the request is based on FOIA) should be carried out before responding to the request.

4. Document all decision making – It is important that each step taken to reach a disclosure decision is properly documented in case the organisation is later required to evidence the measures taken to comply with its obligations.

Without planning, we have seen considerable expenditure on compliance in both of these areas and, in some cases, disclosure of too much information or information to the wrong recipient. With some foresight, it is possible to ensure that the organisation complies with both the DPA and FOIA, where relevant taking advantage of any exemptions and limits on searching or disclosure of data and reducing the effort required to comply.

_______________________________

[1] Michael John Durant v Financial Services Authority [2003] EWCA Civ 1746

[2] Ezsias v Welsh Ministers [2007] All ER (D) 65
