Everybody needs good neighbours

The one thing about being a council FOI Officer that I really miss is dealing with unhinged elected members, seeing the results of my work being misreported in the local press, FOI requests about the fact that ticket machines in council car parks do not give change (seriously, Man Who Made These Requests, just carry some change, you loser) neighbour disputes. I loved them. Very possibly the thing that was furthest away from the minds of the doughty campaigners who championed the cause of transparency, the neighbour dispute request is almost a parody of what FOI is for.

I do not want to know how much money you have spent on X or Y. I do not want to understand why you are closing the school. I do not want to interrogate how you maintain our roads. I want to know who complained about my patio (everybody who saw it complained about your patio). I want to know what you’re going to do about the fact that my neighbour parks his car on the grass (it’s a private road, so we’re not going to do anything). I want to know who made the anonymous complaint (Your mum). There is nothing more fascinating that seeing how annoyed, how OUTRAGED people can get over the smallest thing.

It was therefore with some disappointment that I read James Henderson v IC EA/2013/0055, a Tribunal decision published at the start of September. The opening line is auspicious: “The Appellant, Mr Henderson, is the owner of a terraced house in Brentwood, Essex.” I mean, come on! There’s going to be a conservatory or a gravel drive, and definitely some fighting.  But as it happens, Mr Henderson turns out to have a perfectly reasonable grievance and FOI isn’t an unreasonable way of settling it.

Henderson’s neighbour was carrying out renovations on the other side of their shared wall, works which had resulted in cracks on his side of the wall, followed by a steel beam coming through the wall. Henderson asked Brentwood Council for details of the works, as a Building Control application had been made to them. Details of the application would allow Henderson the opportunity to assess whether what was going on next door went further than what was expected.

Brentwood made a basic mistake by relying on an established policy to refuse access to building control applications rather than deciding Henderson’s request on its merits. They also failed to identify the need for a proper internal review (forgivable because Henderson was complaining about the Council’s actions as well as challenging their FOI refusal).

However, in dealing with and rejecting Mr Henderson’s complaint, the Information Commissioner’s Office made a much more fundamental mistake, and one which once again raises the question of whether the ‘Silver Standard’ FOI service is any kind of service at all. Put on your anorak and take my hand, gentle reader, we’re going to visit the First Data Protection Principle.

FOI and EIR both defer entirely to Data Protection in the matter of third party personal data. Section 40 is an absolute exemption with no public interest test – it states that personal data about anyone but the applicant is exempt unless disclosure will not breach the Data Protection Principles. For neatness’ sake, the Information Commissioner sensibly focuses on the first principle, thus requiring every disclosure of third party data under FOI to clear three consecutive hurdles. Miss one, and the data is exempt.

1)   The disclosure must be lawful – it must not breach any relevant law, the two most obvious being Human Rights Privacy and the common law duty of confidentiality

2)   The disclosure must be fair – the subject must either know that their data is being disclosed, or they should have a reasonable expectation that this will happen

3)   The disclosure must meet one of a set of conditions. There are six conditions, but again, the ICO neatens things off by concentrating on two – either there must be consent, or a legitimate interest causing no warranted harm to the subject

The ICO and Tribunal agree that the works on the neighbour’s house are his personal data. I’d be willing to kick that idea around a bit, but given that nobody else disputed it, we’ll let it lie. The ICO accepted that the disclosure is lawful and fair, especially given the low level of harm to the neighbour if details of the works were disclosed.

And then it all goes wrong. The ICO focussed on the final condition, legitimate interests. This is what the condition says:

The processing is necessary for the purposes of legitimate interests pursued … by the third party … to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject

Section 40 is not applicant blind – one applicant (the third party mentioned above) may not have a legitimate interest, whereas another might. The legitimate interests of one applicant may not trump the prejudice to the subject’s rights and freedoms of another, while that of another may completely eclipse them.

The ICO’s mistake comes as soon as the Decision Notice looks at the condition. It says this: “Turning to the question of whether there is legitimate public interest in the disclosure of this information..”. Erm, sorry? Run that by me again? What the Graham Smith is a ‘legitimate public interest’? Given that Mr Henderson’s property shares a party wall with the one being renovated, the notice recognises that “the interest of the complainant in this information is legitimate”. So that’s that. The next question is whether disclosure of the personal data to meet Mr Henderson’s legitimate interest is unwarranted because of the prejudice to the neighbour’s rights and freedoms or legitimate interests. But that’s not what happens. Again, we hit the perceived problem of ‘legitimate public interest’:

In this case he [the Commissioner] does not believe that the legitimate private interest of the complainant in this information means that there is also a wider public interest in disclosure

This is nonsense. Section 40 is clear – there is no public interest test, no need to establish a wider public interest. The ICO has invented a spurious public interest test because it is dealing with an FOI request, even though FOI doesn’t ask for it. Mr Henderson’s FOI request really is just a neighbour dispute. It is vital to assess whether disclosing details of the works will cause unwarranted prejudice or harm to the neighbour’s interests, because otherwise, the condition isn’t met. Nevertheless, the request should be resolved on the competing merits of Mr Henderson’s need for the data versus the effect on the neighbour. That’s what Data Protection requires, and it is to Data Protection that FOI completely defers in these situations.

As I am increasingly happy to say, it doesn’t matter if you don’t agree with me, because enter the Tribunal: “there is nothing in paragraph 6 to suggest that the “legitimate interest” of the person to whom the data is to be disclosed has to be of a public nature”. The ICO’s decision is dismissed in sensible short order, and Brentwood are ordered

It’s weird, certainly, for FOI to be dragged away from the big questions of how we are governed, but it’s not complicated. Especially if your job is to regulate both Data Protection and FOI, this is pretty basic stuff. I don’t know which possibility is worse. Either those involved in this decision don’t know enough about DP and its relationship with FOI to know that the public interest is irrelevant to DP decisions, or they are deliberately rewriting the legislation so that their Section 40 decisions fit more comfortably with their other FOI work. Neither is acceptable. A person who doesn’t understand the legislation shouldn’t be trusted to make decisions about its applications. Whoever wrote the notice and the manager who signed it have a lot of explaining to do. It’s  revealing that the ICO didn’t even turn up at the Tribunal to defend their hopeless decision.

In any case, while the ICO relentlessly pursues Silver (i.e. coming in second), FOI applicants and public authorities cannot rely on them to even understand their own legislation, and the Tribunal becomes much more of an essential stage to get the right answer.

Comments

  1. Hi Tim,

    I disagree you with slightly on whether it was unreasonable of the ICO to introduce a quasi-public interest, on the basis that the FOI Act does not entirely defer to the DPA in Section 40.

    FOI relies on the principle of being purpose and applicant blind and that the response is made to the public at large – it is the public who have a right to know, not just the individual applicant, hence the concept of a public interest test in the qualified exemptions rather than an assessment of the requestors individual right to know.

    As you rightly say, Section 40(2) is not qualified, but in the wording of Section 40 the test is still that info is exempt if its ‘disclosure to a member of the public otherwise than under this Act’ would contravene any of the data protection principles. As such the proper test for Condition 6 of Schedule 1 of the DPA is not whether the legitimate interests of the specific requestor outweigh those of the data subject, but whether the legitimate interests of disclosure to ‘a (generic) member of the public’ whoever he may be and regardless of purpose or identity outweigh those of the data subject, because it is the public at large who are held to be making the request.

    This is how the ICO (and as far as I am aware every other differently constituted tribunal) have always interpreted Condition 6, and it has never been called into question in the past, so I don’t think its unreasonable for the ICO to have done so here. However, what is poor is that their silver standard wording did not make this clear but rather served to confuse the issue. One could also question whether the Council could not have found some other way to provide the requested info, in which the applicant had a legitimate interest, but outside of the FOI mechanism of disclosure to the public at large.

%d bloggers like this: