There is no single FoI exemption which covers such reports, and often they will be disclosable in their entirety because they will contain no specific information about surveillance operations. However, where this is the case, or the request is for wider information about surveillance activity, the section 31 exemption (law enforcement) may be claimed if disclosure is likely to prejudice the prevention or detection of crime.

In an information commissioner decision involving the BBC (Ref: FS50188663 06/05/2010), the complainant requested a copy of the BBC’s 2006 OSC inspection report. He also requested a copy of the OSC’s covering letter and the BBC’s response to the report.

The BBC disclosed a redacted copy of the report citing the exemption in section 31. The redactions covered the information about the BBC’s enforcement activity against those who do not hold a TV licence. This included details of the number of RIPA authorisations granted for the use of equipment in 2006, the process undertaken when investigating unlicensed premises and the type of detection equipment used.

The commissioner considered that the withheld information, in the context of TV licensing, is extremely sensitive and was satisfied that disclosure would be likely to undermine the tactical advantage and ability of the BBC’s monitoring officers effectively to use covert surveillance. He was therefore satisfied with the exemption in section 31(1)(a) (prevention or detection of crime). He went on to rule that the public interest in maintaining the exemption outweighed the public interest in disclosure.

Personal dataSection 40 provides an exemption from disclosure of personal data about the requester as well as that of third parties. With regard to the latter, the public authority must show that disclosure would breach one of the data protection principles. In Bryce v IC and Cambridgeshire Constabulary (EA/2009/0083), the request concerned a report that had been produced following an inquiry undertaken after the appellant and two other individuals raised concerns about the way in which the police had investigated the death of the appellant’s sister, who had been killed by her husband in September 1996. The report addressed the adequacy of the criminal investigation, as well as the way in which the complainants had been treated. This judgment is important because of the definition of personal data it applies, as well as because it gives guidance on the approach to adopt when a request contains personal data about more than one person.

Durant decisionThe first question is whether the information being requested is personal data. Much has been written over the years about the significance of the Durant decision (Durant v Financial Services Authority [2003] EWCA Civ 1746), which seems to have substantially narrowed the definition of personal data. In the words of Auld J: ‘Not all information retrieved from a computer search against an individual’s name or unique identifier is personal data within the act… It seems to me that there are two notions which may be of assistance. The first is whether the information is biographical in a significant sense, that is, going beyond the recording of the putative data subject’s involvement in a matter or an event that has no personal connotations, a life event in respect of which his privacy could not be said to be compromised. The second is one of focus. The information should have the putative data subject as its focus rather than some other person with whom he may have been involved or some transaction or event in which he may have figured…’

The tribunal followed the Durant approach to the concept of ‘personal data’ in this case rather than the arguably more liberal approach embodied in the information commissioner’s guidance entitled ‘Determining what is personal data’. It concluded that not all the information in the report was personal data, for example the glossary, executive summary or background information.

The next question for the tribunal was whether disclosure of the personal data would be fair and lawful in accordance with the first data protection principle. The tribunal approached this question by analysing each different person’s personal data separately and deciding whether disclosure would breach the first data protection principle. It is clear from the tribunal’s analysis that it was of the view that very different considerations applied, for example, in respect of police officers’ data as compared with data relating to the husband’s family. In the light of this decision it seems that, to avoid a challenge before the tribunal, a public authority cannot simply adopt a blanket ‘one size fits all’ approach to information comprising different types of personal data.

Data protection The tribunal’s second decision in the case of Alasdair Roberts v IC and Department for Business, Innovation and Skills (EA/2009/0035) also provides more guidance on considering the first data protection principle. The two main points are as follows. First, when considering whether the processing would be fair, senior civil servants (grade 5 or above) do not have a reasonable expectation of anonymity in respect of any document, no matter how sensitive. More junior civil servants might have such an expectation, but this will be less cogent where the job is ‘public facing’ (for example, job centre manager), and more cogent where the information is controversial (for example, animal testing information).

Second, when considering whether there is justification to disclose under a schedule 2 condition, paragraph 6 allows disclosure where it is in the legitimate interests of ‘parties to whom the data are disclosed’. The tribunal found that the requester’s strong individual interest (for research purposes) was not sufficient to override the fact that this information was of very little interest to the world at large to whom an FoI disclosure is always said to be made.

The section 40 exemption continues to be the subject of many commissioner and tribunal decisions. It will be interesting to see the outcome of the recent Ministry of Justice call for evidence on the operation of the Data Protection Act, and whether it has any impact on the application of this exemption.

Actionable breachSection 41 exempts information where disclosure would lead to an actionable breach of confidence. When it comes to a request for commercial information it is often used in conjunction with the section 43 exemption (commercial interests). These exemptions were invoked by Mid Yorkshire Hospitals NHS Trust (Ref: FS50236080 04/05/2010) when it received a request for a private finance initiative (PFI) project agreement including the financial model. The complainant later explained that he would be satisfied if he could have the cashflows which related to published internal rates of return.

The commissioner was satisfied that the trust applied the section 41 exemption appropriately to both the financial model and the cashflows. He gave weight to the sensitivity of the information, the existence of a confidentiality clause in the project agreement, the usefulness of the information to competitors, the fact that the information was still current and that the information would not be of great assistance to the public when assessing value for money. Interestingly, the commissioner drew assistance from a number of decisions on the same issues made by the Scottish information commissioner under the Freedom of Information (Scotland) Act 2002. Of course these are not binding on the information commissioner, but they do seem to be persuasive in similar fact cases. This decision notice is currently under appeal to the tribunal. The outcome should provide more guidance on the application of section 41 to financial information about PFI projects.

Ibrahim Hasan is also a director of Act Now Training.