Directorate for Deputy Chief Executive
Legal and Democratic Services
Service Director: Lisa Marie Williams
Buckinghamshire Council
Council Offices
Walton Street
Aylesbury
Buckinghamshire
HP20 1YU
Sarah Leighton
xx@xx.xxxxxxxxxxxxxxx.xxx.xx
Sent by email only
01296 585 858
www.buckinghamshire.gov.uk
Reference: 6395933
1 May 2024
Dear Sarah
Internal Review
I write in response to your email, received on 11 April 2024 for a review of Buckinghamshire Council’s
response to your request detailed below. The purpose of the review is to allow a fresh independent
look at your request by a person who has had no previous association with the request.
Your Original Request Re:Whistleblowing report
Please can you confirm all the recommendations in the report were actioned. Please confirm which
reports they were and the outcomes. I was not requested further information and was not permitted
to speak with the IIO which was not best practice.
Our Original Response Section 1(1)(a) of FOIA states that anyone who requests information from a public authority is
entitled to be told whether the authority holds that information.
However, section 40(5B)(a)(i) of FOIA allows a public authority to refuse to confirm or deny if it holds
information if that information would (if it existed) be the personal data of a third party.
Disclosure under FOIA is effectively an unlimited disclosure to the public. We must therefore consider
the wider public interest issues and general fairness when deciding whether to confirm or deny the
information is held.
We must also determine whether such a confirmation or denial would contravene any of the data
protection principles.
In that instance, if information were held, disclosure would cause a significant invasion of privacy.
There is insufficient legitimate interest to outweigh any data subjects’ fundamental rights and
freedoms, and that confirming whether the requested information is held would not be lawful.
Your Request for an Internal Review
I wish to raise an internal review towards your reply that you can neither confirm or deny that
recommendations have been followed.
[Personal data redacted]
Please can you confirm all the recommendations in the report were actioned. Please confirm which
reports they were and the outcomes. I was not requested further information and was not permitted
to speak with the IIO which was not best practice.
Consideration The Information Commissioner advises: “The starting point, and main focus for NCND [neither
confirm nor deny] in most cases, will be theoretical considerations about the consequences of
confirming or denying whether or not a particular type of information is held.”
The purpose of this Internal Review is not to focus on whether the information is held but to ascertain
whether the Council was entitled to neither confirm nor deny whether it holds the information you
have requested.
Section 40(5B)(a)(i) of FOIA provides that the duty to confirm or deny whether information is held
does not arise if it would contravene any of the principles relating to the processing of personal data
set out in Article 5 of the UK General Data Protection Regulation (‘UK GDPR’) to provide that
confirmation or denial.
The Commissioner's guidance on personal data explains that merely confirming or denying that a
public authority holds information about an individual or individuals, can itself reveal something
about that individual/those individuals to the wider public.
For the Council to be entitled to rely on section 40(5B)(a)(i) of the FOIA to refuse to confirm or deny
whether it holds information falling within the scope of the request, the following two criteria must
be met:
• Confirming or denying whether the requested information is held would constitute the
disclosure of a third party’s personal data;
And
• Providing this confirmation or denial would contravene one of the data protection principles.
To confirm or deny that the Council holds information on which recommendations were actioned and
the outcomes would amount to a release into the public domain of personal information about an
individual or individuals involved in a whistleblowing investigation. The individual’s / individuals’
rights under the Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation
(GDPR) would therefore be breached, even if any names were redacted.
The FOIA only allows the processing of personal data if that processing would be compliant with the
Data Protection principles. These principles are outlined under section 34 of the DPA 2018 and under
Article 5 of the UK GDPR.
In this instance, processing this information (by issuing a confirmation or denial) would breach the
first principle, that of ‘lawful, fair and transparent’ processing. When balancing the legitimate
interests of the public against the interests of the individual(s) and the harm and distress that would
be caused by a confirmation or denial, the processing of information in this way becomes unlawful.
I have also considered: would the confirmation or denial that the requested information if held
constitute the disclosure of a third party’s personal data?
Section 3(2) of the DPA 2018 defines personal data “as any information relating to an identified or
identifiable living individual”.
The two main elements of personal data are that the information must relate to a living person and
that the person must be identifiable.
Information will relate to a person if it is about them, linked to them, has biographical significance for
them, is used to inform decisions affecting them or has them as its main focus.
As previously mentioned, ascertaining whether the use of ‘NCND’ is correct involves theoretical
considerations – I can conclude that information on recommendations/outcomes of a whistleblowing
report (if held) would hypothetically involve personal data.
For the reasons explained above, I concur with the original response that the information would (if it
existed) be the personal data of a third party and that it was correct to conclude that there was
insufficient legitimate interest to outweigh any data subjects’ fundamental rights and freedoms.
Decision
The final decision of this review is that we are upholding our original response.
If you are not content with the outcome of this Internal Review you have the right to apply directly to
the Information Commissioner’s Office for a further decision. The Information Commissioner can be
contacted at:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
http://www.ico.gov.uk/complaints/freedon_of_information.aspx
Helpline on 0303 123 1113
Yours sincerely
Francisca Harpur
Senior Information Governance Officer