The Information Commissioner’s Office (“the ICO”) has published new guidance on requests for personal data about public authority employees and the application of section 40 of the Freedom of Information Act 2000 (“FOIA”). This is a particularly tricky area for public authorities, who must strike a balance between the interests of the public in disclosure and the rights of the individual whose personal data would be disclosed.
The current state of the economy has made public expenditure something of a hot topic, and everyone wants to know what public money is being spent on. There has been particular interest in the salaries and bonuses of senior officials in the public sector, a good example being the controversy over RBS bonuses after becoming partly state-owned. The best tool for the public to get this information is to exercise their rights under freedom of information legislation. But what does this mean for public sector employees?
Well, public authorities must disclose employees’ personal information if the disclosure would be both “fair and lawful” and “necessary” for one of the reasons set out in Schedule 2 (and if applicable Schedule 3) of the Data Protection Act 1998. The ICO’s guidance sets out how this can be done, and sets out a careful balancing act between public authorities’ duty to protect employee data and the duty to provide information under FOI.
While each FOI request must be assessed on its own circumstances it is generally accepted, and indeed is stated in the ICO’s guidance, that the more senior the individual the more likely that it will be fair to release their personal information. The guidance also states that disclosure of sensitive personal data is unlikely to be fair and so would be protected from disclosure, as employees “would have a reasonable expectation that this data would not be made public”. The ICO also recommends that public authorities have a general policy on releasing employee information in response to FOI requests. This would give employees a reasonable expectation of what types of personal information might be released.
The Freedom of Information (Scotland) Act 2002 contains a similar provision on personal information, at section 38. While the ICO’s guidance is not directly applicable in Scotland, it is certainly likely to be influential where issues relating to employee personal data arise (particularly since the ICO’s jurisdiction in Data Protection Act matters is UK-wide). Indeed, a recent decision of the Scottish Information Commissioner (“SIC”) highlighted that, when considering a request for the personal data of a public sector employee, the seniority of the employee will be a key factor in deciding whether the information should be released. In that case the SIC decided that it was fair and lawful, and necessary under condition 6 of Schedule 2 of the DPA, to release the names and initials of the organisation’s more senior employees. The SIC concluded that the requester’s legitimate interests in obtaining the information outweighed the legitimate interests of the senior staff in keeping it confidential, and therefore it was fair to release the information.
On September 30, 2012