Line to take - LTT56 - Second data protection principle
- FOI/EIR: FOI, EIR
- Section/Regulation: s40(2), reg 13
- Issue: Second data protection principle
- Source: Information Tribunal, Data Protection Practice
- Details: House of Commons / Baker (16 January2007)
- Related Lines to Take: LTT57, LTT58, LTT59
- Related Documents: EA/2006/0015 and EA/2006/0016, FS50072319, FS50071194, Awareness Guidance 1
- Contact: RM
- Date: 16/12/2008
- Policy Reference: LTT56
- © Copyright Information Commissioner's Office, re-used with permission
- Original source linked from here: LTT
Line to take
The second data protection principle relates to the business purposes for which a data controller intends to process personal data. Public authorities do not collect personal data in order to respond to FOI/EIR requests and therefore there is no need for them to specify such disclosures as a purpose for which they are processing the data.
A disclosure of personal data that would not breach any of the remaining data protection principles or would not involve the disclosure of information that would be exempt under any other exemption/exception of the Act or EIR will not be incompatible with the business purposes that have been specified.
The second data protection principle only needs to be considered when raised by the public authority as a reason for withholding information.
Further Information
The Second Data Protection Principle states that;
“Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.” (emphasis added)
The second principle in context
The second principle should only be considered if it has been raised by the public authority and it should be interpreted in the broader context of the Data Protection Act (DPA) i.e. the protection of the privacy rights of individuals. It is important to remember that the most important means for protecting these privacy rights is the first data protection principle and that this should be our focus when considering 40(2).
The problem
Some public authorities have argued that as they have not specified that they will disclose personal data in response to a request under either the Act or EIR, then to do so would breach the second principle or that such disclosures would be incompatible with the purposes they have specified. Such arguments should be rejected and this LTT sets out our approach to this problem.
Policy Rationale
Bearing in mind the aim of the DPA, i.e. protecting the privacy of individuals, it would be a very odd result if, after satisfying ourselves that a disclosure complied with the first principle and that therefore no privacy rights would be prejudiced, a disclosure could be blocked by the second principle because such disclosures had not been specified by the public authority or because the disclosure would somehow interfere with the business purposes of the data controller.
To allow these arguments would mean the second principle became an artificial barrier to disclosures that do not impact on the privacy of data subjects. It would allow public authorities to frustrate disclosures by omitting to specify such disclosures as a purpose for which information was obtained. Furthermore where a public authority is concerned that a disclosure is incompatible with their business purposes then this should be addressed through the application of one of the other exemptions / exceptions available under the Act/EIR, not by the use of an exemption / exception designed to protect individual privacy.
Our approach
This line now breaks the second principle down into its two elements and considers how a disclosure under the Act would comply with each element in turn. First it will look at the requirement for data controllers to obtain information only for specified purposes and then considers whether a disclosure under the Act would be compatible with those purposes.
Obtained only for one or more specified purposes.
The second principle provides that data controllers must specify the purposes for which they are processing personal data. This can be achieved either through a fair processing notice provided directly to data subjects (see LTT59 for further details) or by including the purpose in its entry on the Register of Data Controllers, a public register available for inspection on the ICO’s website.
Public authorities need to collect personal data in order to pursue their business objectives. It is only these purposes which the public authority has to specify. Public authorities do not obtain personal data so that they can then provide it in response to a request. This is not one of their business purposes. It follows that there is no requirement to specify that disclosures may be made under the Act or EIR in either a fair processing notice or the Register of Data Controllers.
Shall not be processed in any manner incompatible with that purpose or purposes.
Even though public authorities are not required to specify that they may disclose personal data under the Act/EIR, the second principle still prohibits them from further processing personal data (including in response to requests) in any manner that would be incompatible with the purposes it has specified i.e. a disclosure in response to a request still needs to be compatible with the public authority’s business purposes.
The Commissioner’s view is that in order to consider this issue properly we have to take account of the ethos behind the Freedom of Information Act which aims to promote the public’s understanding of, and confidence in, the public authorities that serve them, which in turn will drive up standards within the public sector.
On this basis it is difficult to see how a disclosure of personal information which would not breach any of the remaining data protection principles, and would not involve the disclosure of information that is covered by another exemption/exception, could possibly be incompatible with the public authority’s business purposes. In fact such a disclosure should actually support the specified business purposes of the public authority by promoting confidence, driving up standards etc.
Further support for this approach can be taken by consideration of the second principle in the broader context of the DPA i.e. the protection of the privacy of individuals. There is an argument that we should interpret the second principle in a way that focuses on whether any further processing would be incompatible with the privacy rights of the data subject rather than on the business purposes of the data controller, despite this approach straying away from a literal interpretation of the principle. Such an approach would mean that if, in all other respects, the disclosure is compatible with the remaining data protection principles then it would not contravene the second principle.
Where a public authority anticipates disclosing personal data under the Act.
It should be remembered that there will be occasions where a public authority has anticipated that some of the personal data it holds will be the focus of requests and therefore expressly advises data subjects that some personal data may be disclosed under the Act/EIR. Where this has happened it is important to recognise that any notice advising data subjects what information the public authority intends to disclose cannot be used to effectively limit the disclosure to only that information specified in the notice.
In the Information Tribunal case of House of Commons v ICO & Norman Baker MP the HoC appealed the Commissioner’s decision that further details of the travel allowances claimed by MPs should be released in response to requests from Norman Baker MP and the Sunday Times. The overall amount claimed by each MP was already published. Norman Baker had requested a break down of those costs into the different modes of transport, e.g. how much each MP claimed in respect of cars, trains, planes. The HoC had withheld the information on the basis that the disclosure would breach the data protection principles.
The HoC had advised MPs that with the advent of FOIA it would publish the total figure claimed by each MP for travel expenses. It argued that to now disclose additional details, such as a breakdown of the modes of transport, would be a widening of this purpose and could amount to a new purpose. Disclosing this information, it argued, would therefore be unfair to MPs and might breach the second data protection principle.
The Tribunal found that, as the HoC was already publishing some information on expenses, one of the purposes for which the information was processed was to publish/disclose data on allowances to comply with FOIA. Therefore publishing the details of the mode of transport was not incompatible with that original purpose and was certainly not a new purpose.
The Tribunal decision appears to have been based principally on its finding that the broader disclosure would not be unfair to MPs. The Tribunal did not examine the second principle in any great detail.
What we can take from this decision is that where a public authority has already raised awareness amongst data subjects that their personal data may be disclosed in response to an FOI request (such as be including the required statement as to its status as a public authority in its DPA notification) then it will be easier to find that the FOI disclosure does not breach the 2nd principle.
It should be noted that in its consideration of the first principle the Tribunal made the point that simply because a public authority fails to advise data subjects that other disclosures were possible, this does not itself mean a disclosure is unfair. The Tribunal was concerned that, if it were to find otherwise, a disclosure that in all other respects was fair could effectively be blocked by the data controller arranging data collection in such as way as to render the disclosure unfair (see paragraph 76 of the Baker case).