Guidance Note 2: The Interaction between the Freedom of Information Act and the Data Protection Act

The aim of the Freedom of Information Act is to encourage openness and accountability in Government and public authorities. It is not intended to provide people with a tool to access other individuals' personal data*.

There is an exemption (s40) in the Freedom of Information Act that controls access to personal information. It can be summarised as follows:

1. Applicant is the data subject

If the personal data is about the person requesting the information, then it is absolutely exempt under the FOI Act.

BUT, because the applicant does not need to mention legislation in their request, it automatically becomes a Subject Access Request under the Data Protection Act, and must be treated as such.

The applicant has a right to his or her own personal information under the Data Protection Act, subject to exemptions. The request must be made in writing, and the applicant must show a form of identification (e.g. passport, driving licence, staff/student ID card). The University Data Protection Officer will provide advice and assistance to ensure such requests are dealt with appropriately, and within 40 calendar days.

2. Applicant is not the data subject

If the personal data is about somebody else, not the applicant (third-party data), the exemption becomes non-absolute.

This means that some information may be disclosed if it is in the public interest to do so, and provided this would not breach any of the 8 Data Protection Principles.

For example, the first Data Protection principle states that personal data must be processed fairly and lawfully:

  • Unlawful disclosure would include a breach of confidence, whereby personal information had been provided in the expectation that it would not be disclosed. Some examples include home addresses, medical information, personal financial details, or internal disciplinary matters.
  • When considering fairness, it is necessary to assess whether the information relates to the private or public life of the individual. Information would normally be provided to a third party if there was a strong public interest and the information related to that individual acting in an official work capacity. Some examples include pay bands and expenses incurred in the course of official business. While this information does relate to staff personally, there is a strong public interest in the provision of information about how a public authority has spent public money, and it is arguable that the more senior a person is, the less likely it will be unfair to disclose information about him or her acting in an official capacity.

*Personal data covers a wide range of information and is defined in the DP Act as “data which relate to a living individual who can be identified from those data”. The definition includes expressions of opinion of, and/or an organisation’s intentions with regard to, the individual. It should be noted that the Data Protection Act covers personal data held in any format, electronic (including websites and emails), paper-based, photographic, or any other means from which the individual's information can be readily extracted.

Take care when releasing personal information, and refer to the University Data Protection Policy and Guidance for more information about the Data Protection Act.