On his blog, David Higgerson, the journalist and Digital Publishing director for Trinity Mirror, reports an interesting case from Hackney Council. Rebecca Helmsley made an FOI request to the Council via What Do They Know about the death of a person in a children’s home in the 1980s. During the process, Hackney accidentally appended the wrong document to an email, so instead of providing a proper FOI response, they sent Helmsley a short research report into her interests and activities. Hackney apologised and explained that they gather information about FOI applicants’ “research interests” so that they can provide “additional context to an FOI response, hopefully adding to its intrinsic value”.
The definition of personal data is always under debate. The waters have been muddied for ten years by the Durant Case, which found that for data to be covered by the Data Protection Act, it had to be ‘biographically significant’. This allowed some organisations to take a robust approach to DP, especially when responding to subject access requests. We don’t have to give them this, it’s not biographically significant. I have personally never done this and have little time for anyone who has.
*Harry Hill sideways glance to camera*
Even if you don’t think that a person’s research interests, websites they visit and FOI requests they make are biographically significant, the Durant judgement has been largely and sensibly set aside by the Edem judgement this year, which says that biographical significance is a test only applicable in borderline cases. Post-Edem, the Hackney data is definitely personal data because it identifies a person and distinguishes them from other applicants. I actually think that the level of detail in Hackney’s briefing on Helmsley is biographically significant anyway, but even if it’s not, the briefing was created after the law on this matter was clarified. It’s personal data.
Data Protection’s first principle requires at least three things to justify processing data – the use of personal data must be lawful, fair and according to a set of conditions. For the sake of brevity, I’m going to assume that profiling the research interests of an applicant is lawful because of the methods Hackney say they use to do it (i.e. they used publicly available sources, meaning no breach of privacy or confidentiality was involved).
Fairness can mean a number of things but it always means telling the applicant that their data is being processed unless there is an exemption. The ICO also allows for a measure of ‘reasonable expectations’, where if a data processor is doing something obvious in context, fair processing is not required. There remains a vigorous debate about whether it is reasonable for a public body to share the names of FOI applicants outside the FOI team / officer / person who does FOI alongside eight other things. I think it’s healthier for an organisation’s FOI person to keep applicants’ identities secret from their colleagues unless they fear the request is vexatious etc, but I don’t think it’s a breach of DP and reasonable expectations may possibly apply. But your identity and your research interests are two different things. I am certain that Hackney (and any other organisation that researches its FOI applicants) should inform the applicants that they are doing it.
The third element of the puzzle is the condition, which is fundamentally the question of whether the processing is actually allowed. If you have consent, a contractual obligation, a legal obligation or a legal power, or the need to protect the data subject’s vital interests (any of them), you can use the data. Without that, the Council has to fall back on legitimate interests, a condition which requires them to establish that it is “necessary” for them to create the briefing, that they have a legitimate purpose for doing so, and that doing so does not cause unwarranted harm to the applicant’s interests. Knowing who your applicant is and why they’re asking is, in my view, legitimate. As long as the applicant gets the information they have requested (and any refusal they receive is the same that anyone else would receive), I see no unwarranted harm. However, is it necessary?
I’ll leave that hanging in the air because frankly, it isn’t my problem. If an FOI public authority think that this kind of thing is necessary, that’s for them to decide. But I have no hesitation in saying that personal data is being processed, the Data Protection Act applies, and the least that any organisation that profiles its applicants (even if only their research interests) needs to do is inform those applicants that they are doing so. There is no exemption. If you want to know whether Helmsley reasonably expected this to happen, scroll to the end of her request on What Do They Know.
The worst thing about the perception of DP is the way in which people feel that, once it applies, the use of personal data is forbidden. It is not. The use of personal data is simply regulated by common sense principles, the most common sense of all being that the use of data in secret should be the exception. Hackney say that they are creating these briefings to provide a better service. Good for them. As Higgerson points out, some organisations are more concerned with the PR fallout of an FOI disclosure. I am not ashamed to say that as an FOI officer, I would often tell the PR team (who, of course, outnumbered me) about disclosures to the press and others. They never tried to influence what we disclosed, and they had a job to do. Even if this kind of thing is done purely for the purposes of news management, I am not arguing that the DPA prevents that. I am simply convinced that an organisation that wants to research its FOI applicants has to be transparent about the fact that they are doing so.