Information Tribunal Rules on Personal Data
The Financial Services Authority (FSA) has recently been ordered to disclose the names of three of its employees pursuant to a Freedom of Information Act (FOIA) request as the exemption for personal data did not apply. Piers Leigh-Pollitt explains why this is good news for employers dealing with subject access requests.
In Edem v Information Commissioner, E requested information under the FOIA from the FSA about himself and complaints he had made that the FSA had failed to regulate Egg plc properly. Amongst the information requested was the names of the employees at the FSA who dealt with his complaint. The FSA refused to disclose their names, arguing that this information was personal data and therefore exempt from disclosure under an exemption in the FOIA.
The Information Rights Tribunal disagreed. The information was not personal data. Although the names, taken with the information that they were employed by the FSA at a certain date and the positions they held, meant that the individuals could be identified, this alone did not mean it was personal data. In order to be personal data, the information had to be such as to affect their privacy in their personal or family life, business or professional capacity. The information simply disclosed that they had been employed by the FSA and had been engaged in the regulation of a certain financial institution. It did not adversely affect their privacy and so was not personal data. It therefore had to be disclosed.
Commenting on the decision Piers Leigh-Pollitt said:
“While this is no doubt an unwelcome decision for public bodies dealing with FOIA requests, the flip side is that it can be useful for private sector employers dealing with subject access requests from employees or ex-employees for their personal data. The same definition of personal data applies in this context.
Once again, personal data is being given a narrow interpretation by the courts, giving scope for employers to argue that documentation that simply refers to the data subject (and nothing more) does not contain their personal data and so does not have to be disclosed. Likewise, if the information does not adversely affect the individual’s privacy there is no obligation to disclose it. Whilst this case goes no further than the established position under previous case law, it is a helpful reminder of the law on personal data and the arguments that can be used when responding to subject access requests.”
The articles published on this website, current at the date of publication, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your own circumstances should always be sought separately before taking any action.