FOI, Data Protection and Copyright – Irresolvable Conflicts?

July 12, 2010

The new Coalition Government’s plan for a Freedom (Great Repeal) Bill includes ‘strengthening the accountability of bodies receiving public funding in light of lessons learnt so far from the operation of the Freedom of Information Act.’ One of the first examples of this commitment to openness and accountability has been the publication of the identities of those public servants with salaries in excess of that of the Prime Minister.

So, freedom of information is here to stay, it seems, but for public authorities outside Whitehall, and those private sector bodies working with them, there may remain a temptation to underestimate the practical consequences of the Freedom of Information Act 2000 (FOIA). However, as the whole public sector moves into an era of ‘austerity’, the use of FOIA requests by (current and former) public sector employees, consumers of public services, suppliers, journalists and campaigners is only likely to increase. Statistics produced by the Ministry of Justice analysing FOIA requests received by central government in 2009 ( show an upward trend in relation to numbers of requests received, an experience that sends a clear message to other public sector bodies.

Online methods which facilitate the making and tracking of requests, in particular the not-for-profit web site, have increased visibility of both FOIA related correspondence and the information eventually disclosed. For example, recent information requests to Higher Education bodies made via whatdotheyknow accounts include requests for research into body wraps commissioned by a third party, information about staff terminations and compromise agreements, and the handling of hot water problems in a student hall of residence.

Case law and technological developments have raised two particular legal issues for practitioners in the freedom of information field:

·         The data protection and freedom of information overlap; to what extent do data protection rights preclude personal data held by a public body from being disclosed in response to a FOIA request? Recent cases indicate that those involved in public life, or in providing services to the public sector, cannot assume that all personal data will be exempt from disclosure.

·         The copyright and freedom of information conflict: can the assertion of copyright protect information from disclosure under the FOIA, or from further use after disclosure? A recent Decision Notice issued by the Information Commissioner’s Office involving the web site provides important clarification but perhaps has not fully resolved the conflict.

Although this article will focus on FOIA, reference will be made to the related Environmental Information Regulations 2004 (EIRs), which came into force on the same date (1 January 2005), implementing Council Directive 2003/4/EC on public access to environmental information.

The Law – an overview

General right of access

Under the FOIA, ‘any person’ making a written request for information to a public authority is entitled to two things: (a) to be informed whether the public authority holds the information described (known as ‘the duty to confirm or deny’), and (b) if confirmed, to have that information communicated to him.

The FOIA applies to all public authorities in England, Wales and Northern Ireland, including government departments and agencies, educational bodies, NHS Trusts and local authorities. The Freedom of Information (Scotland) Act 2002 (FOISA) contains similar provisions for public authorities in Scotland.

All recorded information ‘held’ by a public authority is covered by the FOIA. So this includes hard copy and electronic documents, e-mails and other recorded electronic communication, and web site content, whether or not stored centrally or locally within departments or by individual employees or contractors, and including archived material. This therefore imposes a strenuous information retrieval requirement on Chief Information Officers and Senior Information Risk Owners within public bodies.

Information, not documents

The general right of access under the FOIA applies to ‘information’ and not to specific documents. This is a key aspect of the FOIA that is sometimes misunderstood by both requesters and public authorities.

In many cases of course, the easiest way to comply with a request will be to provide a copy of any relevant documents. If a requester has mentioned a document in his request and it is reasonably clear that it is the information contained in that document that he is seeking, then this is likely to be regarded as a valid request.

However, disclosure of a particular document may not always be the best course of action. Extracting the relevant information for communication to the requester may be more appropriate. Redaction from the document of exempt or out-of-scope information is another commonly used method. If this is done electronically however, public authorities need to bear in mind that there are many methods available to allow such electronic deletions to be reversed!

Requester and motive blind

Another key characteristic of the FOIA is that it is requester and motive blind. In terms of the identity of the requestor, anyone, whatever their identity or nationality, is entitled to make a request under the Act. With one exception relating to vexatious requests, the identity of the requester does not, of itself, constitute grounds for refusal of a request.

Neither does the motivation of the requestor constitute grounds for refusal. As the Information Tribunal said in Meunier (EA2006/0059, 5 June 2007), ‘There is no provision for a public authority to decide whether the application merits a response, or to appease what they consider the motive to be behind the request, instead of answering the request itself.’ Public authorities need to take care to assess each FOIA request on the basis of the information itself and whether such information is covered by any of the exemptions in part 11 of the Act, assessing whether prejudice would be caused by releasing the information to the public at large and not just to the requestor. An important proviso is that prevention of embarrassment or avoidance of legitimate scrutiny are not included in that list of exemptions!

Information supplied by third parties

Private sector organisations working with the public sector are often concerned that information that they regard as confidential (for example information provided when tendering) held by a public sector body will be disclosed without their consent (either in response to a particular request or as part of a public authority’s responsibilities under the Information Commissioner Office’s model publication scheme to publish proactively certain types of information).

This is a valid concern. Although generally public authorities will consult with third parties who have supplied information, for example to ascertain their views on the commercial sensitivity of the information or whether the third party considers that release would amount to an actionable breach of confidence, public authorities are not obliged to do so. Ultimately, the decision whether or not to release in response to a FOIA request is down to the public authority. Contractual clauses that attempt to override that statutory duty are likely to be resisted, although third parties can take steps within the contract to highlight the information that they regard as particularly confidential or sensitive, thus providing a starting point for discussion in the event of any request.

Is information exempt from disclosure?

There are 23 exemptions to the right of access to information. Eight exemptions are absolute, for example information supplied by, or relating to, bodies dealing with security matters. The only question to be answered in these cases is whether the information requested falls within the scope of the exemption.

The remaining exemptions, such as information that, if disclosed, would be likely to prejudice the commercial interests of any person, are qualified exemptions. Where a public authority considers that a qualified exemption is engaged, it must consider whether ‘in all the circumstances of the case, the public interest in maintaining the exclusion of the duty to confirm or deny outweighs the public interest in disclosing whether the public authority holds the information.’ Consideration of the public interest test can be the most problematical part of handling any request.

In circumstances where even issuing a positive or negative response would of itself reveal whether information is held, it may be necessary for a ‘neither confirm nor deny’ response to be issued (and relevant exemptions permit such a response).

The data protection and freedom of information overlap

The section 40 exemption

In 2009, the exemption most commonly used by central government was s 40 of the FOIA (which concerns personal data as defined by the Data Protection Act 1998), used in 3,853 out of a total of 8,754 requests in which exemptions were engaged.

If a person makes a request under the FOIA for their own personal data, this is exempt under s 40(1) and the person should be advised to make a subject access request under the DPA. Of more interest to practitioners advising both private and public sector clients are requests for personal data about a third party (for example data about an authority’s employee or personnel of a supplier). Such requests are exempt under s 40(2) to (4) if:

·         disclosure would contravene any of the data protection principles;

·         disclosure would contravene the right to prevent processing likely to cause damage or distress, or the information is exempt under the DPA from the data subject’s right of access to his personal data – the public interest balancing test must be considered.

The impact of recent decisions

Requests for personal data, even data that relates to an individual’s public/work life, often engender what might be described as a ‘protective’ reaction, thus creating significant tensions with the public interest in legitimate scrutiny. Genuinely private data, such as that relating to the health or family of the individual, is likely in most cases to remain exempt from disclosure, as is information that, if released, would create a real risk to the individual.

For those directly or indirectly involved in public life however, it should not be assumed that s 40 will protect all personal data from public scrutiny in all circumstances. Following the Leapman decision (EA/2007/0060, 26 February 2008) requiring MP’s expenses to be disclosed, it is difficult to envisage circumstances in which it would be legitimate for a public authority to withhold information about expenses and pay bands (although for less senior employees, consideration will need to be given to whether the data should be anonymised).

However, it is not merely financial information where there may be an overriding public interest in its release. Earlier this year, the First-tier Tribunal (Information Rights) considered a request to the General Medical Council for certain information relating to a lay panellist involved in a fitness-to-practice hearing, and his connection to the Church of Scientology (EA/2009/0063, 23 February 2010). The Tribunal observed that there was no presumption that ‘transparency of the activities of public authorities should take priority over personal privacy.’ Nevertheless, it held that para 6 of sch 2 to the DPA (processing is necessary for ‘legitimate interests’ unless processing is ‘unwarranted’) was fulfilled and therefore that the data in question was not covered by the exemption under s 40 of the FOIA. In making its decision, the Tribunal considered in particular the relative seniority of the panellist and the high standards expected of someone in that role. It gave weight to the possible conflict of interest between Scientology’s published opposition to psychiatrists and the panellist’s role, and that the panellist did not volunteer information about his link to the Church. Therefore the panellist could not have any legitimate expectation that the information would be kept confidential.

And what of personal data relating to third parties, such as consultants? The experience of Vale of Glamorgan Council sends out a clear message (Decision Notice FS50274410, 10 May 2010). The Council had withheld information relating to consultants engaged by it pursuant to ss 40(2) and 43 (prejudice to commercial interests). The Information Commissioner’s Office held that neither of the exemptions was engaged and that disclosure would not breach the data protection principles. The ICO took particular account of the considerations of accountability and transparency, stating that those who enter ‘into a contract with a public authority should be open to scrutiny and accountability because their roles are funded by the public purse and they should therefore expect to have some personal data released.’

The future?

Perhaps it is only a matter of time before the case brought in the German Federal Court of Justice regarding a teacher rating web site is mirrored in the UK. (This case was reported by Andreas Ruhmkon in SCL Vol. 20, Issue 5.) Although the German web site involved user generated content, and not data accessed directly from the public sector, the balancing act performed by the court between (as Ruhmkon commented) ‘the conflicting interests of freedom of expression and right to informational self-determination having regard to the particular facts’ closely reflected the considerations involved in applying the s 40 FOIA exemption. Such a delicate balancing act would be necessary if, for instance, a university received a request for details of its staff-student ratio, or other subject based assessment results on an individual basis.

2010 has also brought with it consideration of this balancing act at a European level: an Opinion by the Advocate General in Volker (Cases C-92/09 and C-93/09, 17 June 2010, reported by SCL on 23 June 2010) which commented that, where publication is intrusive of individual rights in personal data, the public body must be able to show why publication is necessary, appropriate and proportionate to the aim pursued; and by the ECJ in Bavarian Lager (Case C-28/08 P, 29 June 2010) in which the Court emphasised the importance of providing ‘express and legitimate justification’ to demonstrate the necessity for personal data to be disclosed where a right of access to a public document was exercised under the Public Access Regulation (1049/2001/EC).

In any event, it is clear from recent UK Tribunal and ICO decisions (and from the current political and regulatory environment) that the types of personal data that may be disclosable under the FOIA are not limited to the salaries of senior civil servants. As the public service environment changes, authorities may need to prepare for a widening demand for information containing personal data. Both public authorities and private sector suppliers would be well advised to revisit their disclosure policies and to ensure that staff are trained on the implications of the FOIA for the organisation itself and also for themselves. Public authorities should avoid giving guarantees of confidentiality, and ensure that any contractual confidentiality clauses with contractors and suppliers are consistent with obligations under FOIA.

It is worth noting that, from 1 July 2010, central government departments were required to avoid including confidentiality clauses in current and all future ICT contracts, and to seek to publish ICT contracts in as full a set documentation as possible on their web sites (OGC’s Policy Note was reported by SCL on 6 July at  The OGC accepted that redactions of contractual text may be required on a limited number of grounds, including for ‘protection of personal privacy’ but (interestingly) not protection of commercial interests.  The OGC acknowledged that further guidance will be necessary as the commitment is implemented and challenges no doubt arise.

The copyright and freedom of information conflict

In contrast to reg 12(5)(c) of the EIRs (an exemption for ‘intellectual property rights’), the FOIA does not contain a specific exemption regarding copyright and intellectual property. However, information or documents disclosed to a requester may be works qualifying for copyright protection under the Copyright, Designs and Patents Act 1988 (CDPA).

The Ministry of Justice standard response templates ( provide wording that public authorities are advised to include where there are ‘any concerns about the re-use of the information being released, or when copyright rests with a third party.’ The wording advises the requester that he is free to use the information for his own purposes ‘including for private study and non-commercial research, and for any other purpose authorised by an exception in current copyright law…Any other reuse, for example commercial publication, would require the permission of the copyright holder.’

Is the information a copyright work?

The above response wording is optional and will apply only where the information to be disclosed is a copyright work (including Crown or Parliamentary copyright) under CDPA. Some documents, such as reports authored by a third party on behalf of a public authority or an article written on the basis of research, will clearly have the necessary quality of originality to qualify as ‘original literary’ works (CDPA, s 1(1)(a)).

As has been noted however, the FOIA applies to ‘information’ and not documents, and in many cases the most appropriate way to comply with a request will be to extract the relevant information from the public authority’s records, for instance providing specific information about expenditure. It is surely questionable whether such responses would qualify as copyright works. In a recent Decision Notice under the EIRs (Decision Notice FS50163282, 29 March 2010), the ICO reviewed Queen’s University Belfast’s refusal of a request for tree ring research on the basis of a number of exemptions, including intellectual property rights. The ICO was not persuaded that the University held intellectual property rights in the withheld information. ‘Whilst the research that was undertaken and published by QUB using the data as a tool might well attract intellectual property rights, it is unclear to the Commissioner as to how the raw tree ring measurement data itself could attract such rights’.

Overlap with other exemptions

The Queen’s University decision may well cause public bodies and those working with them some concern. However, it is important to keep in mind that other exemptions, in particular ss 22 (information intended for future publication), 41 (information provided in confidence) and 43 (commercial interests) of the FOIA, and the equivalent provisions in the EIRs, may well be engaged when specific research data, information provided by a third party or commercially valuable information are relevant to the request.

Note however that these exemptions will not be a panacea. Commenting on reg 12(4)(d) of the EIRs (information that is unfinished or in the course of completion), the ICO said ‘QUB has advised that the raw data was collected over a period of 40 years, and is now being used for research. This does not suggest to the Commissioner that the data is unfinished or incomplete, rather that, whilst the research utilising this data is ongoing i.e. analysis of the data, the data itself has already been collected and is therefore not unfinished or incomplete’. Neither was the ICO convinced that that the raw data had the necessary quality of confidence to be exempt under reg 12(5)(e) (commercially confidential information).

Re-publication by the requester

Although disclosure by a public authority in accordance with its duties under the FOIA will not breach the CDPA (ss 47(1) to (3) and 50(1)), the copyright owner retains its right to control use of the work in ways that would infringe copyright, including issuing copies or communication of the work to the public. New online methods of facilitating and tracking FOIA requests, such as, enable information to be published instantly and thus made available publicly. Some public authorities have expressed concern that such web site re-publication infringes copyright and have attempted to resist disclosure via the site or impose additional terms on both the requestor and the web site operator as a condition of disclosure.

A case in point was the request to the House of Commons for electronic copies of any documents discussing or evaluating the possible deployment of electronic petitioning systems in Parliament. In response, the House stated that it was not ‘reasonably practicable’ to provide the information (which it regarded as covered by Parliamentary copyright) to the whatdotheyknow e-mail address, because this would have the effect of causing the material to be republished without consent of the House. A licence to republish was offered to the publishers of, based substantially on the Office of Public Sector Information’s standard licence to reproduce Parliamentary copyright information. However, a significant change from the standard text was the insertion of an obligation on not to use the information ‘for the purposes of disparaging either House or bringing it into disrepute.’

Unsurprisingly, declined to enter into the licence as it stood and the request was referred to the ICO. On 7 June 2010, the ICO found in favour of the complainant (Decision Notice FS50276715), deciding that the House should provide the information to the whatdotheyknow e-mail address. The e-mail address was a valid ‘address for correspondence’ and the issue of how an e-mail was connected to a publishing mechanism was not relevant to this finding. Relying on s 50 of the CDPA, the ICO found that ‘responding to a valid address, in compliance with [FOIA] is not a breach of copyright.’

Neither was the ICO convinced by the House’s arguments under s 43 of the FOIA (prejudice to commercial interests). The House relied on this exemption only as regards disclosure to the whatdotheyknow e-mail address, arguing that this would deprive the House of its copyright to prevent publication. However, the House was willing to provide the information to another e-mail address or in hard copy and did not attempt to argue that disclosure per se would be prejudicial. The ICO considered that ‘an exemption may only apply to the specific information in question and that the same conclusion must be reached regardless of the intended address for correspondence.’ It will be interesting to see if this decision is appealed.

The ICO did not comment on the terms of the licence proposed by the House, finding the subsequent publication of the information by the web site automatically was a matter that ‘can still be addressed separately by the House as a copyright issue, outside of the FOI jurisdiction.’ So the question of how far a public body can go in imposing usage terms that may conflict with the aims of the FOIA remains to be resolved. However, an attempt to impose the above ‘non-disparagement’ obligation could, perhaps, indicate a disregard of the requestor and motive blind principles underlying the FOIA. Where information disclosed is a copyright work, it is clear that the owner’s rights continue to be protected. However, not all licence or other conditions will be necessary for the protection of copyright. Authorities should perhaps take care if certain conditions could be seen to have the aim or effect of restricting legitimate scrutiny of the information requested.


Faced with a FOIA request where complex legal, commercial or reputational issues may be at stake, often the initial reaction is to withhold the information. But it is clear that always doing things in secret is no longer viable.

The advice of in-house or consultant legal practitioners can be crucial in ensuring that such requests are dealt with objectively and in accordance with the legal process, thus minimising the risk of successful challenge and reputational damage. Recent developments in the area of personal data and copyright provide further proof that freedom of information is here to stay. For the public sector, and organisations in the private sector working with them, consideration of the implications of the FOIA before an important project or contract is entered into can only help avoid unwanted future surprises. 

Marion Oswald is a solicitor and a Senior Lecturer in Law at the University of Winchester: