Download original attachment
(PDF file)
This is an HTML version of an attachment to the Freedom of Information request 'Reimbursements at Oriel Maths and Computing College'.
 
 
 
 
 
 
IN THE FIRST-TIER TRIBUNAL   
 
       Case No.  EA/2009/0047 
GENERAL REGULATORY CHAMBER 
[INFORMATION RIGHTS] 
                                                                    
ON APPEAL  FROM: 
 
Information Commissioner’s 
 
Decision Notice No:  FS50203810 
Dated: 19 May 2009    
 
 
 
Appellant: 
 Magherafelt District Council                  
 
Respondent: 
 Information Commissioner 
  
 
Heard at: The Court House, Belfast and on the papers 
 
Date of hearing:  
16th November 2009 and 11th January 2010 
 
Date of decision: 
 3 February 2010 
 
 
 
 
Before 
 
Melanie Carter (Judge) 
Tony Stoller 
and 
Pieter de Waal 
 
 
 
 
 
Attendances:  
For the Appellant: Jason Coppel 
For the Respondent: Joanne Clement 
 
Appeal No. EA/2009/0047 
 
 
 
Subject matter:  
FOIA s. 17 Refusal of request  
s. 40 Personal data  
DPA   s.1(1) Personal data  
 
 
 
Cases:                      
 
 
Common Services Agency v Scottish IC [2008] UKHL 47; [2008] 1 WLR 1550 
Campbell v MGN [2002] EWCA Civ 1373, [2003] QB 633. [2003] 1 All ER 224 
Department of Health v IC EA/2008/0074 
Corporate Officer of the House of Commons v IC EA/2006/15 & 16 
Bowbrick v IC EA/2005/0006 
Appeal No. EA/2009/0047 
 
 
DECISION OF THE FIRST-TIER TRIBUNAL 
 
The Tribunal allows the appeal and substitutes the following decision notice in 
place of the decision notice dated 19 May 2009.  
 
 
 
SUBSTITUTED DECISION NOTICE 
 
 
Dated  3 February 2010 
 
Public authority: Magherafelt District Council 
 
Address of Public authority: 50 Ballyronan Road, Magherafelt, County 
Londonderry, Northern Ireland 
 
Name of Complainant: Mr Connla Young  
 
The Substituted Decision 
For the reasons set out in the Tribunal’s determination, the substituted 
decision is as follows. 
a) The disputed information consisting of the summarised schedule 
constitutes personal data pursuant to section 1(1)(b) of the Data 
Protection Act 1998.  
b) The summarised schedule is exempt from disclosure under section 
40(2) of the Freedom of Information Act 2000 (FOIA) on the grounds 
that disclosure would breach the First Data Protection Principle of the 
Data Protection Act 1998. 
c) The Magherafelt District Council was not in breach of section 17 
FOIA in failing to cite section 38 FOIA as an applicable exemption in 
the letter of refusal. 
d) The Council was however in breach of section 17 FOIA in failing to 
explain why the section 40(2) FOIA exemption applied to the 
summarised schedule. 
 
 
Appeal No. EA/2009/0047 
Action Required 
No steps are required to be taken. 
Dated this 3rd day of February 2010 
Signed 
 
Melanie Carter 
Judge 
 
Appeal No. EA/2009/0047 
 
 
REASONS FOR DECISION 
 
 
Introduction 
1. 
This appeal concerns a request under the Freedom of Information Act 
2000 (FOIA) to the Appellant, Magherafelt District Council (the Council) 
for information on the disciplinary records of Council employees.  The 
Council has appealed the Information Commissioner’s (IC) decision 
requiring it to disclose certain information.  
The request for information 
2. 
By email dated 22 February 2008 the complainant, a local journalist, 
made a request for information to the Council in the following terms –  
“How many members of council staff have been disciplined in 
the last three years? 
Give details of the discipline. 
How many members of council staff have been suspended from 
their posts in the last three years? 
List the reasons why the person was suspended. 
How many members of staff have been dismissed from their 
posts in the last three years? 
Give reasons why the person was dismissed.  
Personal information about any individual is not required. ”  
3. 
The Council replied to the requester by email dated 19 March 2008 as 
follows –  
“1. 15 members of staff, currently employed, were disciplined 
during the period 1 April 2003 – 31 March 2007. 
3. No members of staff were suspended during the above 
period. 
5. 3 members were dismissed.” 
4. 
The Council further advised the requester that it would not disclose 
details of the disciplinary action taken against the 15 members of staff 
or the reasons for the 3 dismissals in accordance with section 40 FOIA 
(absolute exemption with regard to personal data). 
5. 
The requester asked for an internal review of the Council’s decision by 
email dated 19 March 2008.  The Council responded on 16 April 2008 
Appeal No. EA/2009/0047 
upholding its decision to withhold the disputed information under 
section 40(2) FOIA.  In addition, the Council asserted that the disputed 
information was also exempt under section 38 FOIA (qualified 
exemption in relation to health & safety).  
The complaint to the IC 
6. 
The requester complained to the Respondent, the IC, by email dated 5 
June 2008.  
7. 
By letter dated 13 November 2008 the Council provided the IC with a 
document consisting of details of the disciplinary action taken against 
the 15 employees.  This is referred to in the Decision Notice and 
throughout this Tribunal’s decision as “the original schedule”.  The 
original schedule contained the following information: the date of the 
disciplinary action; the gender, job title and department of the 
employee concerned; the penalty issued and the reason for the action 
taken. 
8. 
Shortly afterwards, the Council provided the IC with a revised schedule 
containing details of the disciplinary action taken against the 15 
employees which, at that time, it said it was prepared to release to the 
requester.  This schedule is referred to in the Decision Notice and 
throughout this Tribunal’s decision as “the summarised schedule”.  The 
summarised schedule contained only the penalty issued and reason for 
the action taken.  It did not include the date of the disciplinary action or 
the gender, job title and department of the employee concerned.  
9. 
Shortly thereafter the Council became aware of a House of Lords 
authority,  Common Services Agency v Scottish Information IC [2008] 
UKHL 47; [2008] 1 WLR 1550 (“the CSA case”) and, after taking legal 
advice and in light of this case, it decided that it was no longer 
prepared to release the summarised schedule.  
10. 
The IC served a Decision Notice dated 19 May 2009 in accordance 
with section 50 FOIA.  The IC decided that the information contained in 
the original schedule was personal data.  Further, the IC considered 
that disclosure of the original schedule would contravene the First Data 
Protection principle and that it was therefore exempt under section 
40(2) FOIA.  
11.  However, the IC decided that the information contained in the 
summarised schedule was “fully anonymous” and did not therefore 
amount to personal data.  He therefore found that the summarised 
schedule was not exempt under section 40(2) FOIA.  
12. 
The IC went on to consider whether the summarised schedule was 
exempt under section 38(1) FOIA; he concluded that it was not.  
13. 
In addition the IC found that in failing to cite the specific subsection of 
section 40 FOIA relied upon or to explain why the exemption applied 
Appeal No. EA/2009/0047 
the Council had contravened sections 17(1)(b) and 17(1)(c) FOIA 
respectively.  Further, in failing to cite section 38 FOIA in its refusal 
notice, the Council had contravened section 10(1) FOIA.  
14. 
In light of the above, the IC ordered the Council to disclose a copy of 
the summarised schedule to the requester.  
The appeal to the Tribunal 
15. 
The Council’s grounds of appeal are appended to a Notice of Appeal 
dated 16 June 2009.  Those grounds may be summarised as follows –  
1. 
The IC erred in deciding that the summarised schedule did not 
contain personal data.  
2. 
The summarised schedule did not fall within the scope of the 
request.  
3. 
The IC erred in criticising the Council for failing to disclose the 
summarised schedule by way of informal resolution.  
4. 
The IC erred in deciding that the Council had contravened 
section 17 FOIA by failing to specify which subsection of 
section 40 FOIA it relied upon.  
5. 
The IC erred in deciding that the Council had contravened 
section 17(1) FOIA by failing to cite section 38 FOIA in its 
refusal notice.  
6. 
The IC erred in concluding that the Council had contravened 
section 10(1) FOIA. 
16. 
The Tribunal adopted the above as the questions for it to address, 
adding only that, if it decided under ground 1 that the summarised 
schedule did contain personal data, it would need to proceed to 
consider whether disclosure would breach the Data Protection 
Principles and thereby fall within the absolute exemption in section 
40(2) of FOIA.  
The Tribunal’s powers and relevant law 
17. 
The Tribunal’s jurisdiction on appeal is governed by section 58 of 
FOIA.  As it applies to this matter it entitles the Tribunal to allow the 
Appeal if it considers that the Decision Notice is not in accordance with 
the law or, to the extent that it involved an exercise of discretion, the IC 
ought to have exercised his discretion differently.  
18. 
The starting point for the Tribunal is the Decision Notice of the IC but 
the Tribunal also receives evidence, which is not limited to the material 
that was before the IC.  The Tribunal, having considered the evidence 
(and it is not bound by strict rules of evidence), may make different 
findings of fact from the IC and come to the conclusion that the 
Appeal No. EA/2009/0047 
Decision Notice is not in accordance with the law because of those 
different facts.  
19. 
Under section 1 of FOIA, any person who has made a request for 
information to a public authority is entitled to be informed if the public 
authority holds that information, and if it does, to be provided with that 
information.  Under section 2, the duty on the public authority to 
provide the information requested does not arise if the information is 
exempt under Part II of FOIA.  
20. 
The exemptions under Part II are either qualified exemptions or 
absolute exemptions.  Information that is subject to a qualified 
exemption is only exempt from disclosure if, in all the circumstances of 
the case, the public interest in maintaining the exemption outweighs 
the public interest in disclosing the information.  Where, however, the 
information requested is subject to an absolute exemption, then, as the 
term suggests, it is exempt from disclosure. 
21. 
Section 40 FOIA, an absolute exemption, provides in the relevant 
parts:  
“(1) Any information to which a request for information relates is 
exempt information if it constitutes personal data of which the 
applicant is the data subject.  
(2) Any information to which a request for information relates is 
also exempt information if -  
(a) it constitutes personal data which do not all within 
subsection (1), and 
(b) either the first or the second condition below is 
satisfied.  
(3) The first condition is –  
(a) in a case where the information falls within any of the 
paragraphs (a) to (d) of the definition of ‘data’ in section 
1(1) of the Data Protection Act 1998, that the disclosure 
of the information to a member of the public otherwise 
than under this Act would contravene –  
(i) any of the data protection principles 
 …  
(7) In this section— 
... 
‘data subject’ has the same meaning as in section 1(1) of 
[the Data Protection Act 1998]; 
Appeal No. EA/2009/0047 
‘personal data’ has the same meaning as in section 1(1) 
of that Act.” 
 
Evidence 
22. 
The documentary evidence before the Tribunal consisted of the original 
and the summarised schedules, the correspondence between the 
parties and a witness statement from Mr Tohill, the Director of Finance 
and Administration of the Council.  The summarised schedule, being 
the disputed information, was not part of the open bundle or considered 
in the public part of the hearing.  Mr Tohill gave his evidence in public, 
save for the parts in which he was questioned on the contents of the 
disputed information.  
23. 
Mr Tohill told the Tribunal that the Council was a small authority with 
only 150 employees.  All staff were known to each other and, he said, 
to a significant proportion of the local population.  Magherafelt District 
Council has a population of 39,500. 
24. 
Mr Tohill told the Tribunal that staff were generally aware of what 
disciplinary action was being taken and against whom, such that it 
would be easy for a journalist armed with the summarised schedule to 
approach employees and former employees, to ask questions with a 
view to identifying the people who committed the disciplinary offences 
on the list in the summarised schedule.  The nature of some of the 
offences on the list would be such as to lead to an easy identification 
given the restricted number of persons carrying out each role in the 
authority. 
25. 
Whilst the individuals themselves would be unlikely to divulge the 
information that they had been disciplined, it was likely that close 
working colleagues would be aware of a sanction where this involved a 
removal or temporary suspension from duties.  In some circumstances, 
the person being disciplined would have asked a work colleague to 
support them through the process. 
26. 
He claimed that as a result of the small size of the Council, there was a 
high level of knowledge amongst staff as to each others’ affairs.  He 
likened it to a ‘family’.  In such a small working environment, Mr Tohill 
claimed, it would be easy for a journalist, such as the requester, to 
make enquiries based on the summarised schedule and to find out the 
identities of the individuals involved.  
Legal submissions and analysis 
 
Did the summarised schedule consist of “personal data”? 
Appeal No. EA/2009/0047 
27. 
The Council had refused to disclose the summarised schedule on the 
basis that it was personal data and that disclosure would breach the 
First Data Protection Principle.  Thus, it was relying upon the absolute 
exemption in section 40(2) of FOIA.  Under section 40(2), personal 
data of third parties is exempt if disclosure would breach any of the 
Data Protection Principles set out in Part I of Schedule 1 of the DPA 
(as interpreted in accordance with Part II of Schedule 1).  
28. 
Clearly, if the summarised schedule did not consist of personal data 
then this exemption could not apply and as found by the IC in the 
Decision Notice, it would (subject to being within the scope of the 
request) need to be disclosed to the requester.  
29. 
The Council’s primary submission was that the IC had erred in finding 
that the summarised schedule was not personal data, arguing that the 
information in that document fell within limb (b) of the definition of 
“personal data” in the DPA.  Section 1(1) of the Data Protection Act 
1998 (“DPA”) states –  
“’Personal data’ means data which relate to a living individual 
who can be identified –  
(a) from those data, or 
(b) from those data and other information which is in the 
possession of, or is likely to come into the possession of, 
the data controller .”   
Thus the Council argued that, as the data controller, it had in its 
possession “other information” (the original schedule) which, read with 
“those data” (the summarised schedule), would enable the 
identification of the individuals who had committed the offences on the 
list in the summarised schedule. 
30. 
The IC submitted in contrast that it was only where “those data” (the 
summarised schedule) played an operative role in the identification of 
the individuals that it would amount to “personal data” under limb (b) of 
the definition.  In other words, if the summarised schedule was “fully 
anonymised” when read on its own and therefore added nothing to the 
process of identification when taken with the original schedule, then it 
was not “personal data”.  The Tribunal understood this submission, in 
effect, to be that the summarised schedule would only be “personal 
data” within limb (b) of the definition if it was like a piece of the jigsaw 
without which identification from either set of information could not be 
made.  Also, where “those data” was in effect a subset of “the other 
information” the former would never be “personal data” within the 
meaning of the DPA.  The Tribunal noted that this was a particularly 
narrow interpretation of the scope of “personal data” and thereby the 
application of the DPA as a whole.   
 
Appeal No. EA/2009/0047 
31. 
Both parties drew support from the CSA case claiming that their 
interpretation was the true effect of this House of Lords authority.  The 
differing interpretations of the CSA case and indeed the same point of 
law had arisen in a recent Tribunal case, the Department of Health v 
Information IC [EA/2008/0074], which is on appeal to the High Court.  
That case concerned statistics held by the Department of Health about 
abortions.  The statistics were derived from information contained upon 
so-called forms HSA4 containing detailed information about the doctors 
and patients involved.  The Department published annual abortion 
statistics and in the year in question certain statistics had been 
suppressed.  The appeal in that case concerned the suppressed 
statistics which the IC had ordered to be disclosed on the basis that it 
was not “personal data” even when read with the forms HSA4.  The 
Tribunal in that case found that limb (b) operated in such a way as to 
render the suppressed statistics “personal data” within the meaning of 
the DPA.  It considered in detail the effect of the CSA case. 
The Tribunal in this appeal listened carefully to the submissions of both 
parties and found itself in agreement with the differently constituted 
Tribunal in the Department of Health case.  This Tribunal adopts the 
reasoning put forward in the Department of Health case (substituting in 
the extract below the summarised schedule and original schedule for 
the statistics and the forms HSA4 respectively). 
“33. Both parties rely upon the Common Services Agency v 
Scottish Information Commissioner [2008] UKHL 47 (CSA case) 
in support of their arguments. This was a case where a request 
was made for the incidences of childhood leukemia by year for 
the Dumfries and Galloway postal area by census ward. The 
Scottish Information Commissioner had ordered the disclosure 
of the data in “Barnardised” form to prevent identification. This 
involved adjusting low cell count figures that were not 0 by + / – 
1 or 2.  
34. In the leading judgment Lord Hope of Craighead noted that 
the Scottish Commissioner “did not ask himself whether the 
Barnardised data would be personal data within the meaning of 
section 1(1) of the 1998 Act and if so, whether its disclosure ... 
would satisfy the disclosure principles”. For this reason the case 
was remitted back to the Scottish Commissioner to enable him 
to undertake that exercise.  
35. Lord Hope found that the Scottish Commissioner had made 
an error in law in ordering the disclosure in Barnardised form:  
“18. ...Its release would only have been appropriate if he 
was satisfied that it was not personal data in the hands of 
the agency to which the [section 40(2) equivalent] applied 
or, if it was that disclosure of the information in this form 
would not contravene any of the data protection 
principles”  
Appeal No. EA/2009/0047 
36. When considering the duty of the data controller Lord Hope 
said at paragraph 22:  
“He cannot exclude personal data from the duty to 
comply with the data protection principles simply by 
editing the data so that, if the edited part were to be 
disclosed to a third party, the third party would not find it 
possible from that part alone without the assistance of 
other information to identify a living individual. Paragraph 
(b) of the definition of “personal data” prevents this. It 
requires account to be taken of other information which is 
in, or is likely to come into, the possession of the data 
controller.”  
37. The Information Commissioner argues that rendering the 
disputed information anonymous to a third party would enable 
the information to be released without having to apply the data 
protection principles. He relies upon paragraphs 24 and 25 of 
Lord Hope’s judgment. Paragraph 24 considers the definition of 
1(1)(b) DPA and concludes that “The formula which this part of 
the definition uses indicates that each of these two components 
must have a contribution to make to the result.” He then outlines 
2 scenarios:  
1. “... Clearly, if the “other information” is incapable of 
adding anything and “those data” by themselves cannot 
lead to identification, the definition will not be satisfied. 
The “other information” will have no part to play in the 
identification.”  
The Tribunal is satisfied that this scenario does not apply here 
since the “other information” (the HSA4 forms) would add 
something to the data (the statistics), at the least, the identity of 
the data subjects.   
2. “ The same result would seem to follow if “those data” 
have been put into a form from which the individual or 
individuals to whom they relate cannot be identified at all, 
even with the assistance of the other information from 
which they were derived.”   
The Tribunal is satisfied that this scenario does not apply here, 
since, with the assistance of the HSA4 forms, the data subjects 
can be identified.  
38. Lord Hope goes on to add that in relation to the second 
scenario:  
“In that situation a person who has access to both sets of 
information will find nothing in “those data” that will 
enable him to make the identification. It will be the other 
Appeal No. EA/2009/0047 
information only, and not anything in “those data", that will 
lead him to this result.”  
The Commissioner argues that if the statistics are 
anonymous to a third party, there is nothing in “those 
data” to lead to identification and it is the other 
information only which would lead to identification. The 
Tribunal is satisfied that what is being referred to here is 
a situation where the statistical information can no longer 
be cross referenced to the other information by the data 
controller, and not a situation where the data is 
anonymous to a third party but can still be cross 
referenced using the forms retained by the DOH.  
39. Lord Hope relied upon the wording of recital 26 of the 
preamble to the Directive [95/46/EC] in support of his approach. 
Recital 26 provides:  
“Whereas the principles of protection must apply to any 
information concerning an identified or identifiable 
person; whereas, to determine whether a person is 
identifiable, account should be taken of all the means 
likely reasonably to be used either by the controller or by 
any other person to identify the said person; whereas the 
principles of protection shall not apply to data rendered 
anonymous in such a way that the data subject is no 
longer identifiable.”   
40. In paragraph 25 of his judgment he notes that section 1(1)(a) 
and (b) DPA gives effect to the first 2 phrases of recital 26.  
“The third phrase casts further light on what Member 
States were expected to achieve when implementing the 
Directive. Rendering data anonymous in such a way that 
the individual to whom the information from which they 
are derived refers is no longer identifiable would enable 
the information to be released without having to apply the 
principles of protection. Read in the light of the Directive, 
therefore, the definition in section 1(1) DPA 1998 must be 
taken to permit the release of information which meets 
this test without having to subject the process to the 
rigour of the data protection principles”.  
41. The Commissioner argues that this is authority for the 
release of information which is anonymised in the hands of a 
third party without recourse to the DPA. However, this could only 
apply in the context which recital 26 permits: where there are no 
means by which the data controller or another person may 
identify the data subject.  
Appeal No. EA/2009/0047 
42. Lord Hope did not decide whether Barnardisation would 
make the information anonymous in the hands of the data 
controller. He stated:  
“23. ... Barnardisation is a method of rendering the 
information so far as it is possible to do so, anonymous. 
...  
27. In this case it is not disputed that the Agency itself 
holds the key to identifying the children that the 
Barnardised information would relate to, as it holds or has 
access to all the statistical information about the 
incidence of the disease in the Health Board’s area from 
which the Barnardised information would be derived. But 
in my opinion the fact that the Agency has access to this 
information does not disable it from processing it in such 
a way, consistently with recital 26 of the Directive, that it 
becomes data from which a living individual can no longer 
be identified. If Barnardisation can achieve this, the way 
will be then open for the information to be released in that 
form because it will no longer be personal data. Whether 
it can do this is a question of fact for the respondent on 
which he must make a finding.  
43. The Commissioner argues that what is being envisaged here 
is the question of whether the statistics are anonymous to a third 
party. The Tribunal is satisfied however that the question of fact 
for the Scottish Commissioner was whether the process of 
Barnardisation would mean that the data could not be 
reconstituted to its original form by the Agency, in which case it 
could be released without further reference to the DPA. 
Consequently the Tribunal is satisfied that for the purposes of 
section 40(2)(a) FOIA, the statistics derived from the HSA4 
forms constitute personal data pursuant to section 1(1)(b) DPA 
in the hands of the DOH, because the data relate to individuals 
who may be identified from those data and other information 
held in the HSA4 forms.”. 
32. 
It was argued before this Tribunal that the previously constituted 
Tribunal in the Department of Health case had misunderstood the 
question of fact that had been remitted by the House of Lords in the 
CSA case back to the Scottish Information Commissioner.  It was 
argued that the reference in paragraph 27 by Lord Hope to “the Agency 
itself holds the key to identifying the children that the Barnardised 
information would relate to” made it clear that the question being 
remitted back could not be the one identified by the Tribunal in the 
Department of Health case in the last paragraph of the quotation 
above.  It was not, the IC submitted, whether the process of 
Barnardisation would mean that the data could not be reconstituted to 
its original form by the Agency.  The IC argued that the fact that the 
Agency held “the key” made it clear that the data could be so 
Appeal No. EA/2009/0047 
reconstituted.  The correct question was whether it is the “other 
information” only that leads to the identification, or whether there is 
anything in “those data” that will enable the identification.  
33. 
The Tribunal, however, was not persuaded by this submission as it 
appeared from the terms of the House of Lords judgment that the 
Barnadisation of the statistics had not yet actually taken place and as 
such the actual Barnadised data was not before the House of Lords.  
Thus, the House of Lords was not in a position to conclude that post-
Barnadisation the Agency would still hold “the key” in the way 
suggested.  There would have been no evidence before it for the 
House of Lords so to conclude.  There had moreover been some 
suggestion that the process of Barnadisation could be carried out in 
such a way as to indeed render the data “fully anonymous” both in the 
hands of third parties and the data controller (ie: once barnadised the 
public authority would not be able to trace back to the original data and 
to thereby unlock the identities of the individuals from the statistics). 
34. 
The Tribunal agrees with the Tribunal in the Department of Health 
case, that the question remitted back in the CSA case was whether 
Barnadisation would render it impossible for the Common Services 
Agency, subsequently, to identify the individuals to which the statistics 
related, even when read with other information held by the Agency.  
This conclusion as to the finding of fact remitted back to the Scottish IC 
was consistent with the broader interpretation of limb (b) of the 
definition of “personal data” being argued for by the Council in this 
case.  
35. 
The Tribunal was moreover mindful of the potential absurdity of the 
consequences that might flow from an interpretation of “personal data” 
and limb (b) of the definition as argued by the IC.  In this appeal, it 
would mean that the Council had only to comply with the Data 
Protection Principles in relation to the original schedule and not the 
summarised schedule.  Thus, whilst the Council would be fully aware of 
the individuals to whom the summarised schedule related and would 
hold other information which, if read together with the summarised 
schedule would identify the particular individuals, it would not have to 
provide the equivalent level of data protection to the two different 
documents.  So, for example, the Council would be obliged under the 
Data Protection Principles not to keep the information in the original 
schedule for a disproportionate amount of time and to maintain certain 
levels of security, but none of these safeguards would apply to the 
summarised schedule despite the fact that the data controller could 
identify the individuals from that document.  This appeared anomalous 
and difficult to defend given that in reality the two sets of information 
taken together would enable anyone to identify the data subjects.  
36. 
The Tribunal was mindful that FOIA did not create a presumption in 
favour of disclosure when dealing with the personal data of individuals.  
As Lord Hope said in paragraphs 4 and 7 of the CSA case :  
Appeal No. EA/2009/0047 
“4.There is much force in Lord Marnoch’s observation in the 
Inner House, 2007 SC, para 32 that, as the whole purpose of 
the 2002 Act [the Scottish equivalent of FOIA]  is the release of 
information , it should be construed in as liberal a manner as 
possible.  But that proposition must not be applied too widely, 
without regard to the way the Act was designed to operate in 
conjunction with the 1998 Act.   
………………….. 
7.In my opinion there is no presumption in favour of the release 
of personal data under the general obligation that the 2002 Act 
lays down.  The references which that Act makes to provisions 
of the 1998 Act must be understood in the light of the legislative 
purpose of that Act, which was to implement Council Directive 
95/46/EC. 
 The guiding principle is the protection of the 
fundamental rights and freedoms of persons, and in particular 
their right to privacy with respect to the processing of personal 
data: see recital 2 of the preamble to, and article 1(1) of the 
Directive.” 
37. 
The Tribunal reminded itself that given that the DPA was implementing 
an EC Directive aimed at the protection of the privacy of data subjects’ 
personal information, it was appropriate to adopt a purposive approach 
to construction. As Lord Phillips of Worth Matravers, MR, said at para. 
96 of Campbell v MGN [2002] EWCA Civ 1373, [2003] QB 633, [2003] 
1 All ER 224, CA,:  
“In interpreting the Act it is appropriate to look to the Directive for 
assistance. The Act should, if possible, be interpreted in a 
manner that is consistent with the Directive. Furthermore, 
because the Act has, in large measure, adopted the wording of 
the Directive, it is not appropriate to look for the precision in the 
use of language that is usually to be expected from the 
parliamentary draftsman. A purposive approach to making 
sense of the provisions is called for.” 
38. 
Following the CSA authority and taking a purposive interpretation of 
section 1(1)(b) the Tribunal concluded that the summarised schedule 
did consist of “personal data” in the hands of the Council under limb (b) 
of the definition.  As the IC had found to the contrary in the Decision 
Notice, it followed that, in the Tribunal’s view, it had not been in 
accordance with law.  
39. 
The Council argued that if the Tribunal was not minded to find the 
summarised schedule to be “personal data” under limb (b) of the 
definition, it should, in the alternative, so find on account of the direct 
identifiability of the individual employees from that document alone.  In 
other words the summarised schedule was “personal data” under limb 
(a) of the definition.  The Tribunal was of the view however that no 
individual could be identified by members of the public from the limited 
Appeal No. EA/2009/0047 
information in the summarised schedule alone.  It would need to be 
linked with other information.  There was no evidence before the 
Tribunal that any of the disciplinary offences referred to in the 
summarised schedule and which might have amounted to criminal 
offences had led to convictions in the courts (let alone any evidence 
that there had been any publicity following any such conviction).  Nor 
was there any evidence before the Tribunal of any other wide spread 
public knowledge of particular disciplinary offences such that 
identification of the individuals to which the summarised schedule 
related would be possible.  Whilst individual employees of the Council 
and indeed members of the public (e.g. friends and family of the 
disciplined staff) may have sufficient private knowledge to enable 
identification, the Tribunal was of the view that this was not the correct 
way to approach this issue.  The information in the summarised 
schedule had to be viewed in the light of widespread public knowledge.  
In the absence of any evidence other than conjecture on the part of Mr 
Tohill as to the ease by which further investigations would uncover the 
identities, the Tribunal did not find itself able to find that there was a 
direct risk of identifiability from the summarised schedule alone.  It 
followed that, in the Tribunal’s view, limb (a) of the definition of 
“personal data” did not apply. 
40. 
Given however the finding that limb (b) did, the next logical step in 
considering whether the section 40(2) exemption applied, would have 
been to ask whether disclosure of the summarised schedule would 
breach any of the Data Protection Principles.  Before doing so 
however, the Tribunal was obliged to turn to what was a live issue in 
this appeal, namely whether the summarised schedule, being personal 
data, was within the scope of the request.  If not, section 40(2) would 
not apply but the Council would not need to make disclosure in any 
event.  
Was the summarised schedule within the scope of request?  
41. 
It was argued by the Council that if the Tribunal found the summarised 
schedule to be personal data (which it has) then the correct approach 
would be to find that this information fell outside of the scope of the 
request.   It was pointed out to the Tribunal that the letter of request 
had stated that “personal information about any individual is not 
required” and then subsequently the letter of complaint to the IC had 
stated  “Given that the paper has no interest in obtaining personal 
information or the identities of those involved it becomes less relevant”.  
Thus, the Council submitted that the Tribunal should go on to 
determine that the requester was not seeking anything that amounted 
to “personal data” within the scope of the DPA and that the request 
therefore did not include the summarised schedule.  In support of this, 
the Council suggested that as the requester was a journalist he would 
be a knowledgeable and sophisticated user of FOIA and could be 
taken to have intended this to be the scope of his request.  
Appeal No. EA/2009/0047 
42. 
As the IC had found in his Decision Notice that the summarised 
schedule was not personal data, it was perhaps not surprising that he 
did not consider this aspect of the appeal.  The IC representative 
submitted at the hearing however that given the complexities and 
indeed difficulties of interpreting the definition of “personal data” and 
the effect of the CSA case, it would be wrong to read the request as 
being this technical in intent.  The IC also invited the Tribunal to read 
the words from the subsequent letter in the paragraph above to mean 
that the requester’s reference to both “personal information” and “the 
identities of those involved” must be taken to have meant that his 
intention was to differentiate between the two and that “personal 
information” was intended to have a wider meaning than the direct 
identification of persons. 
43. 
The Tribunal was initially attracted by the Council’s argument.  Reading 
the letter of request objectively, it was open to an interpretation that the 
request sought only relevant information not excluded under section 
40(2).  The requester was, after all, a journalist, who belongs to a 
profession which in the Tribunal’s experience generally has a detailed 
and technical understanding of FOIA.  It was however mindful of the 
legal issues behind the definition of “personal data” and was of the 
view that even the most sophisticated user of FOIA, if not a lawyer 
versed in information law, would be perplexed and possibly lost by 
such a technical analysis of the request. 
44. 
As the Tribunal had some doubt on this point it considered that the fair 
way to proceed would be to give the letter of request a broader 
interpretation to include the summarised schedule within its scope.  
Thus, being personal data and within the scope of the request, the 
Tribunal proceeded to the next step, that is, to consider whether 
disclosure would breach any of the Data Protection Principles.  
Would disclosure of the summarised schedule contravene any of the Data 
Protection Principles?  
45. 
The Council argued that the two Data Protection Principles relevant to 
this question were the first and second. The first data protection 
principle (which is found in Schedule 1 of the DPA) states:  
“(1) Personal data shall be processed fairly and lawfully, and in 
particular, shall not be processed unless –  
a) at least one of the conditions in Schedule 2 is met, and  
b) in the case of sensitive personal data, at least one of the 
conditions in Schedule 3 is also met, ……”   
46. 
The parties agreed that the only condition in Schedule 2 relevant to this 
appeal would be paragraph 6(1) which provides:  
“6.(1)The processing is necessary for the purposes of legitimate 
interests pursued by the data controller or by the third party or 
Appeal No. EA/2009/0047 
parties to whom the data are disclosed, except where the 
processing is unwarranted in any particular case by reason of 
prejudice to the rights and freedoms or legitimate interests of the 
data subject.” 
47. 
In considering first whether the disclosure would be fair, the Tribunal 
had regard to the expectations of the employees who were subject to 
the disciplinary processes.  Mr Tohill had told the Tribunal that the 
Council employees and indeed the Council would have had an 
expectation that their disciplinary record details would be kept 
confidential.  Integral to the question whether disclosure despite this 
expectation was fair, was the related question whether there was a real 
risk of identification by the public if the summarised schedule were to 
be disclosed. If not, then despite the reasonable expectation that 
disciplinary details would remain confidential, it might have been fair to 
disclose the summarised schedule.  
48. 
It was argued by the Council that it would be easy for a journalist, 
speaking to other members of the Council’s staff, to identify the 
individuals referred to in the summarised schedule.  The Tribunal, 
whilst clear that  read on its own the summarised schedule would not 
identify particular individuals, did accept (given the small size of the 
authority and indeed the local population) that it would not be hard for a 
journalist to take steps to identify the individuals in question.  This 
could then lead to wide spread publication of the names of the 
individuals, the disciplinary offences they had committed and the 
sanctions received.  This was not the same as concluding that the 
summarised schedule on its own enabled identification (which would 
bring the information within limb (a) of the definition of “personal data”).  
Further investigative steps would need to be taken, but given that these 
did not appear to be onerous or unlikely, it would be artificial for the 
Tribunal to ignore what appeared to be a very real risk. 
49.  The Tribunal concluded therefore that public disclosure of the 
summarised schedule would be unfair to the data subjects (the 
employees in question) such that disclosure would be in breach of the 
First Data Protection Principle.  For completeness, the Tribunal also 
considered whether the conditions for processing (public disclosure in 
this case), would meet the tests in paragraph 6, Schedule 2 to the 
DPA.  
50. 
The first part of condition 6 can only be satisfied where the disclosure 
is ‘necessary’ for the purposes identified.  The second part of condition 
6 is an exception: even where the disclosure is necessary, the Tribunal 
must still go on to consider whether the processing is unwarranted in 
the particular case by reason of prejudice to the rights and freedoms or 
legitimate interests of the data subjects.  
51. 
In relation to the first part of condition 6, whether disclosure is 
necessary  for the purposes of legitimate interests” of the requester, 
the test described in the case of Corporate Officer of the House of 
Appeal No. EA/2009/0047 
Commons v Information Commissioner EA/2006/15 & 16 , adopted by 
this Tribunal and applied to this case, is:  
a. Whether the legitimate aims pursued by the requester could 
be achieved by means that interfere less with the privacy of the 
employees in question; and 
b. If the aims could not be achieved by means that involved less 
interference, whether the disclosure would have an excessive or 
disproportionate adverse effect on the legitimate interests of 
those employees. 
52. 
With regard to the enquiry under subparagraph (a), the Tribunal 
considered the possible “legitimate aims” of the requester.  They could 
include accountability in relation to the Council’s handling of 
disciplinary matters and enhancing transparency in decision making.  
The Tribunal noted that the requester had already received certain 
information with regard to the disciplinary offences of the Council 
employees in the relevant period (see paragraph 3 above).  In the 
Tribunal’s view, the “legitimate aims” of the requester could thereby be 
said to have been reasonably achieved by a means that interfered less 
with the privacy of the employees.  In this regard, the Tribunal was of 
the view that the degree of accountability called for in these 
circumstances was limited on the basis that the primary need for 
accountability in staff disciplinary matters was a matter between 
employees and the employer, the Council.  The public interest in these 
matters could be met by information at a lower level of detail than was 
to be found in the summarised schedule.  Further, the Tribunal did not 
consider that provision of the further details contained in the 
summarised schedule, being only a partial part of the picture (there 
was no information as to failed disciplinary proceedings or 
circumstances in which there had been transgressions but no 
disciplinary action taken), would greatly enhance public understanding 
beyond that which could already be gained from the information made 
available. 
53. 
Given these considerations, the Tribunal concluded that it was not 
“necessary” within the terms of paragraph 6 of Schedule 2 for there to 
be disclosure of the summarised schedule.  The legitimate interests in 
disclosure of information about disciplinary offences, such as they 
were, had already been met by a means that interfered less with the 
data subjects’ interests, that is, by the previous release of information 
about numbers and types of offences and sanctions.  
54. 
In light of the above, the Tribunal concluded that disclosure of the 
summarised schedule would be in breach of the First Data Protection 
Principle and that the absolute exemption under section 40(2) FOIA 
applied. 
 
Appeal No. EA/2009/0047 
55. 
Having come to this view, it was not necessary for the Tribunal to 
consider the second limb of the test in paragraph 6, Schedule 2 or 
whether disclosure would be in breach of the Second Data Protection 
Principle.  It was also not strictly necessary for the Tribunal to consider 
the claim by the Council that the information contained within the 
summarised schedule was “sensitive personal data”. 
Whether the Council had contravened section 17 FOIA by failing to specify 
which subsection of section 40 FOIA it relied upon 
56. 
The Council argued that the IC had erred in finding that it had breached 
section 17 FOIA in failing to specify that it was relying specifically upon 
subsection (2) of section 40.  In the letter of refusal, the Council had 
only referred to section 40.  The Tribunal noted however that it would 
have been abundantly clear from the request (and therefore to the 
requester) that he was not seeking his own personal data and that this 
could not have been a refusal under section 40 subsection (2).  
Moreover, it would have been clear that the request related to third 
party individuals.  The Tribunal took into account also that the Council 
had referred to subsection (2) in the letter following the internal review.  
57. 
The Tribunal was concerned however that the Council had made no 
mention whatsoever of the Data Protection Principles or how they 
might be breached in this case, thereby justifying in their eyes the 
refusal under section 40(2).  Section 17 requires the public authority to 
specify in the letter of refusal any exemption relied upon and why it 
applies.  The Council ought to have made reference to the First Data 
Protection Principle (and possibly the Second), the fact that this did 
not, in their view, satisfy the paragraph 6, Schedule 2 test and, as they 
believed it was sensitive personal data, that none of the conditions in 
Schedule 3 applied.  This would have gone some way to explaining 
why the Council was saying the exemption applied.  The Council failed 
to do so and the IC had been correct in finding this to be a breach of 
section 17 of FOIA. 
Whether the Council had contravened section 17(1) FOIA by failing to cite 
section 38 FOIA in its refusal notice 
58. 
The Council argued that the IC had erred in finding against it on the 
grounds that it had failed to cite the section 38 exemption at the time of 
the letter of refusal.  In particular the Council pointed to the terms of 
section 17 which applies where “a public authority, which in relation to 
any request for information, is to any extent relying on a claim….that 
information is exempt information must, within the time for complying 
with section 1(1), give the applicant a notice which…(b) specifies the 
exemption in question” [emphasis supplied].  The Council’s point is a 
simple one – the Council was not relying upon section 38(1) when it 
issued the original refusal notice, but decided to do so subsequently. 
59.  The Tribunal was mindful of the decision in Bowbrick v IC 
(EA/2005/0006) in which a previously constituted Tribunal did find that 
Appeal No. EA/2009/0047 
reliance upon an exemption late in the process amounted to a breach 
of section 17.  This Tribunal noted however that this had been an early 
decision in the life of the Tribunal and subsequent appeals had not 
always found there to be such a breach.  The jurisprudence of the 
Tribunal had developed to allow the reliance upon late exemptions 
subject always to there being good cause for so doing. 
60. 
In this case, the Council decided to seek to rely upon section 38 FOIA 
on internal review.  In many ways, this showed that the internal review 
had been a proper one, and not just a ‘rubber stamping exercise’.  The 
internal review, if carried out properly should identify any mistakes 
made, including having overlooked a relevant exemption on which the 
public authority considered on reflection it should seek to rely.  The 
Tribunal did not consider that Parliament would have intended to 
impose an automatic breach and thereby castigate an authority for so 
acting.  To interpret section 17 in this way, could in fact, provide a 
disincentive to public authorities to be as thorough as possible in the 
way in which it carried out its internal reviews. 
61. 
The plain English meaning of the words in section 17 allowed an 
interpretation that the exemptions to be cited in the section 17 notice 
were the ones relied upon at the time of the original refusal.  To find a 
breach in this case would be to find a hollow technical breach, an 
approach which the Tribunal considered inappropriate. 
62. 
The Tribunal reminded itself that it only allowed late exemptions to be 
claimed with good cause.  Moreover a public authority would not be 
able to comply with section 17 by an empty reference to any 
exemption, simply as a ‘holding position’.  The authority had to comply 
with the substantive requirements of section 17, that is and as 
illustrated above, the provision of an explanation of why the exemption 
applied in the particular case.  
Whether the Council had contravened section 10(1) FOIA 
63. 
In light of the Tribunal’s conclusion that the Council did fail to explain 
how the section 40(2) exemption applied in its section 17 notice, it 
followed that the Council had contravened the time limit in section 
10(1) FOIA.  The Act required a letter of refusal that met the 
requirements of section 17 to be provided to the requester within the 
time limit of 20 days. 
The IC’s criticisms of the Council 
64. 
The Council’s remaining ground of appeal had been with regard to the 
criticisms made by the IC in the Decision Notice for not agreeing to 
release the summarised schedule.  This was not a matter strictly within 
the jurisdiction of the Tribunal.  However, given the difficulties and 
complexity in interpreting the exact effect of the CSA decision, the 
Tribunal was of the view that the Council had been fully entitled to take 
the stance it had.   
Appeal No. EA/2009/0047 
Conclusion 
65. 
The Tribunal finds that the summarised schedule consists of personal 
data and that its release would breach the First Data Protection 
Principle.  As such, the section 40(2) exemption applies and the 
Council is entitled to refuse disclosure.  As this is contrary to the 
findings of the IC, the Decision Notice is not in accordance with law.  
66.  The Tribunal orders that the Substituted Decision Notice at the 
beginning of this decision stand in place of the Decision Notice dated 
19 May 2009.  
67. 
Our decision is unanimous.  
 
Signed 
 
Melanie Carter 
Judge 
3 February 2010 

Document Outline