UK: Upper Tribunal Says "Small Data" Is Not Exempt Under FOIA

The Upper Tribunal (Administrative Appeals Chamber) in IC v Miller [2018] UKUT 229 (AAC) has rejected an appeal brought by the Information Commissioner (IC), which was in relation to a First-Tier Tribunal (FTT) decision finding that "small data" (i.e., data concerning five or fewer individuals or households) was not exempt from disclosure under the Freedom of Information Act 2000 (FOIA).

The FTT decision

A request for disclosure under FOIA was made to the Ministry of Housing, Communities and Local Government (MHCLG) (then named Department for Communities and Local Government (DCLG)). The request for information concerned data held by local authorities with regards to homelessness between 2009 and 2012, which had not been published by the MHCLG. The MHCLG refused to disclose the data.

The matter went to the FTT, which found that the small data did not constitute "personal data", as defined by section 1(1) of the DPA 1998, and it was not exempt from disclosure under section 40(2) of FOIA.

The IC appealed the FTT's decision on various grounds, including that in relation to small data, the information was exempt from disclosure under section 40(2) of FOIA.

The Upper Tribunal decision

The IC appealed to the Upper Tribunal arguing two key points, which were both rejected by the Upper Tribunal:

(i) Fail to consummate legal test

The IC argued that by concluding small data did not constitute personal data, the FTT had failed to apply the correct legal test, had erred in its reasoning and had failed to provide adequate reasoning.

The Upper Tribunal disagreed, finding that the FTT had correctly ascertained that the data was in anonymous form, and therefore it was not possible to identify a living individual from the data, nor was it possible to identify individuals from other information "which is in the possession of, or likely to come into the possession of, the data controller".

The Upper Tribunal had found that the FTT had also properly assessed the risk around publication of the data, including the possibility of a member of the public identifying any individual on the basis of that data along with other publicly available data (but not data which was in the possession of the data controller). The Upper Tribunal considered that the FTT had addressed the correct question. In making this finding, the Upper Tribunal cited the IC's own Code of Guidance, which provided, "the risk of identification must be greater than remote and reasonably likely".

The Upper Tribunal was also satisfied that the FTT had applied appropriate scrutiny to the materials. The FTT had not specifically referred to a "motivated intruder", but considered exactly what a person would need to access in order to identify an individual; including that they would also need access to "very specific details about their circumstances at that point in time".

(ii) Identification by cross-referencing

Further, the Upper Tribunal rejected the argument that individuals could be identified by combining the small data with other information contained in the spreadsheets. It was decided that the chance of a member of the public being able to identify the household and its members from the data was "so remote as to be negligible".

In the Upper Tribunal's view, it was "quite fantastical" to suppose that, several years later, there would be anyone sufficiently motivated to try to identify an individual from the data being requested. Thus, even if there might have been some interest in the data at the time it was requested, there was no basis for thinking that it would be of interest to anyone several years later.

Comment

It is interesting to see that the court's determination of what amounts to personal data will very much depend on the circumstances of each case. In this case, the Upper Tribunal were of a differing view to the IC. What was particularly significant in the Miller judgement is that despite finding against the IC, the IC's issued guidance was cited in the findings to dismiss the appeal.

It seems from the decision made in this case that the Tribunal is more likely to apply a narrower interpretation that the Information Commission of what amounts to "personal data". Public authorities will have to, therefore, carefully consider the application of section 40(2) of FOIA when responding to FOIA requests.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.