ICO issues guidance on disclosing employee personal data under FOI

Out-Law News | 29 Aug 2012 | 4:39 pm | 3 min. read

Local authorities and other public bodies must ensure that disclosing personal data about their employees under UK freedom of information (FOI) laws is "necessary" even if they have established that it is "fair" to do so, a watchdog has said.

The Information Commissioner's Office (ICO) said that public sector bodies must assess whether they could avoid disclosing some information about employees whilst still ensuring that "the legitimate interests" of those requesting the information are observed.

"For example, could the legitimate interests be met by other means that interfere less with the employee’s rights and freedoms?" the ICO said in new guidance. (32-page / 155KB PDF) "Is it necessary to provide all of the information requested? If not, full disclosure is not necessary, and the additional information is thereby exempt."

Under the Freedom of Information Act (FOIA) individuals have a general ‘right to know’, which entitles them to be provided with information held by Government departments and public bodies. However, those bodies can legitimately withhold information requested in some circumstances. Information can be held back under qualified and absolute exemptions, although in the case of qualified exemptions organisations are still obliged to conduct a 'public interest test' to determine whether it is right for information to be disclosed – the presumption being in favour of that disclosure.

One absolute exemption in FOI laws allows public authorities to refuse to disclose information they hold when the information amounts to personal data and to do so would be a breach of the Data Protection Act (DPA). The DPA requires organisations to process personal data fairly and lawfully. In determining whether it is fair to process the information, organisations must consider the method by which they obtained the data and whether their purpose of processing would deceive or mislead the person from whom the information was obtained.

However, personal data can be legitimately disclosed in some cases under the DPA. For the data protection exemption, a slightly different public interest test applies, in which FOIA's presumption in favour of disclosure is reversed. Here, the legitimate interests of the public in the disclosure need to be balanced against the rights of the individual whose personal data would be disclosed.

However, this "fairness" test is only one consideration in determining whether information should be disclosed. The ICO said that public bodies are also likely to be required to show that disclosure is "necessary" in order to meet the public interest in disclosure. It said that, generally, organisations will be justified in disclosing more information about staff in senior positions rather than more junior ones.

"There is a general social need for transparency about the policies, decisions and actions of public bodies and this is the purpose of FOIA," the ICO said. "In order to meet the condition and disclose the personal data in question, it may also be necessary to show that there is some more specific social need that would be met by disclosure of the personal data in question. It is likely to be easier to demonstrate a need to release personal information about more senior decision makers than about more junior staff."

The ICO said that it is less "likely" that sensitive personal data can be justifiably disclosed under FOIA. Sensitive personal data is defined under the DPA and refers to information that includes details of individuals' physical or mental health, their religious beliefs and whether or not they are a member of a trade union.

The ICO said that organisations must ensure that they would be acting lawfully, and not in breach of confidence or contract for example, in disclosing personal data or sensitive personal data that they had deemed could otherwise be provided to those requesting information under FOIA.

The guidance sets out examples of how public bodies should assess FOI requests about specific employee personal data, including salaries and bonuses, the circumstances in which employees left organisations and whether they had recorded any outside business, shareholdings or other interests on an internal 'register of interests'.

"As data controllers under the DPA, public authorities have a duty to ensure that employee data is adequately protected, but they also have a duty to respond to requests under FOIA," the guidance said. "They should not create unreasonable expectations amongst their employees as to what data will be withheld."

"Authorities should have a general policy on releasing employee information in response to FOIA requests. Such a policy should be reasonably constructed, avoiding, for example, a simple cut-off point based solely on grade or seniority and should take account of the move towards greater transparency. While they must consider each request on its own terms, having a general policy will help employees to form a reasonable expectation of what information may be released about them. It will also assist potential requesters to see what information is likely to be released," it said.