Home Decisions

Decision 046/2017

Decision 046/2017: Mr Amir Aryan Manesh and Glasgow City Council

Information regarding a named property

Reference No: 201601899
Decision Date: 27 March 2017

Summary

Glasgow City Council (the Council) was asked for information about a named property. The Council disclosed information. It withheld part of one document, considering the information to be personal data and exempt from disclosure.

The Commissioner found that the Council had failed to disclose all the information it held that fell within scope of the request, when it responded to the request and request for review. She was satisfied that, by the end of the investigation, the Council had identified and disclosed all relevant information falling in scope of the request. The Commissioner accepted that the Council was entitled to withhold the majority of the personal data. However, she required the Council to disclose personal data which had been wrongly withheld.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (4) and (6) (General entitlement); 2(1)(a) and 2(e) (Effect of exemptions); 38(1)(a) and (b), (2)(a)(i), (2)(b) and (5) (definition of "the data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA) section 1(1) (Basic interpretative provisions) (definition of "personal data"); Schedules 1 (The data protection principles) (the first data protection principle) and 2 (Conditions relevant for purposes of the first principle: processing of any personal data) (condition 6)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 6 January 2015, Mr Aryan Manesh made a request for information to the Council, as follows:

"I have a flat at [named address]. My neighbour, who occupies flat [number redacted] [has] been flooding my flat regularly every few months since I bought this flat in 2010. I have reported this several times to environmental services public health to deal with this issue. I would like as much information as possible that is available, regarding the requests and correspondence I have made. Including any information on the property prior to 2010."

2. The Council's handling of this request was originally considered in Decision 111/2016: Mr Amir Aryan Manesh and Glasgow City Council[1]. In that decision, the Commissioner found that the request should have been considered under FOISA, not the EIRs, and required the Council to issue a new review outcome to Mr Aryan Manesh which complied with Part 1 of FOISA.

3. On 23 June 2016, the Council issued its review response. The Council disclosed further information to Mr Aryan Manesh. It withheld some information under section 38(1)(a) of FOISA, stating that it considered the information to be personal data.

4. On 5 July 2016, the Council provided an updated review response to Mr Aryan Manesh. The Council explained that, in its 23 June 2016 review response, it had disclosed information to him which was his own personal data, and confirmed that it would not have disclosed this information to another applicant under FOISA. The Council also explained that the reference in that letter to section 38(1)(a) of FOISA should have been to section 38(1)(b) of FOISA.

5. On 24 August 2016, the Council wrote again to Mr Aryan Manesh. It had found additional information falling within scope of the request, which it disclosed. The Council explained that (although it was not required to do so) it had employed an IT specialist to retrieve the email account of a former member of staff after the email account had been removed from its system. The Council had identified additional information that fell within the scope of his request from the retrieved email account. The Council explained that by performing the additional searches, it had identified other departments which had corresponded with Mr Aryan Manesh, and decided to carry out additional searches of these departments. This had identified three emails and a complaints pro forma which should have been passed to him in response to his request of 6 January 2015. The Council apologised that this information had not been located previously.

6. On 16 October 2016, Mr Aryan Manesh applied to the Commissioner for a decision in terms of section 47(1) of FOISA. Mr Aryan Manesh was dissatisfied with the outcome of the Council's review because he did not believe that the Council had identified all of the information he had requested. He identified specific information which the Council had not yet disclosed to him.

Investigation

7. The application was accepted as valid. The Commissioner confirmed that Mr Aryan Manesh made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to her for a decision.

8. On 23 November 2016, the Council was notified in writing that Mr Aryan Manesh had made a valid application and the case was allocated to an investigating officer.

9. In discussion with Mr Aryan Manesh, it was agreed to focus the Commissioner's investigation and decision on a series of questions that related to his request and which covered the information he believed had not been provided by the Council. In relation to one of these questions, he sought an unredacted copy of an email dated 24 December 2014. The Council had withheld some information in this email under section 38(1)(b) of FOISA as it considered it to be personal information of a third party and disclosure would breach the first data protection principle.

10. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Council was invited to comment on this application and answer specific questions including describing the searches it had undertaken, explaining whether it held information falling within scope of the questions and justifying its reliance on any provisions of FOISA it considered applicable to the information requested.

11. The Council responded on 27 January 2017. It addressed each of the questions relating to information which Mr Aryan Manesh still required, and stated whether it held information falling in scope or not. The Council explained that any information it held had been disclosed to Mr Aryan Manesh previously.

12. During the investigation, the Council confirmed that it considered some of the information in the email of 24 December 2014 to be Mr Aryan Manesh's own personal data and exempt under section 38(1)(a) of FOISA. Other information was third party personal data and exempt from disclosure under section 38(1)(b) of FOISA.

13. At the Commissioner's request, the Council provided Mr Aryan Manesh with the answers it had given to each of the questions under consideration in the investigation. It continued to withhold parts of the email of 24 December 2014.

14. During the investigation, Mr Aryan Manesh raised a further question about his neighbour's flat, to which the Council responded.

Commissioner's analysis and findings

15. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to her by both Mr Aryan Manesh and the Council. She is satisfied that no matter of relevance has been overlooked.

Section 1(1) - information falling within scope of the request

16. Section 1(1) of FOISA creates a general entitlement to be given information held by a Scottish public authority when it receives the applicant's request, subject to the application of any exemptions in Part 2 of FOISA and any other relevant provision in Part 1.

The Council's submissions

17. The Council summarised the searches it had conducted following receipt of Mr Aryan Manesh's request in January 2015.

18. The Council explained that it has an EDRMS system (electronic documents management), which is the Council's main file management system. The Council stated that the Environmental Health section of the EDRMS was searched for information falling in scope of Mr Aryan Manesh's request.

19. The Council also searched the database used by its Land and Environmental Services (LES) to store information on various home addresses and any actions that have been raised in respect of those properties. The Council explained that LES records information against a property address.

20. The Council provided details of five staff members and one staff group who had searched their email records for any information falling within scope of the request.

21. The Council explained why it had found additional information falling in scope of the request during the current investigation and after the Commissioner had issued her first decision on its handling of Mr Aryan Manesh's request. In summary, the reasons related to the inclusion of internal communications in its searches (these had been excepted in response to the first request); the catastrophic IT failure which the Council had experienced; the partial reinstatement of some emails and retrieval of deleted emails from a former employee's email account.

22. The Council provided copies of internal correspondence and correspondence with the Commissioner's office about the process of retrieving information falling in scope. This correspondence included an explanation of the terms it had used to search for the requested information and an account of the IT issues it had experienced.

23. As part of its submissions, the Council addressed each of the questions identified by Mr Aryan Manesh at the start of this investigation. The Council was asked to explain some of its responses, especially where it had not clearly indicated whether recorded information was held or not.

The Commissioner's Findings

24. The Commissioner would emphasise that her remit is to assess and decide whether the Council complied with FOISA in responding to Mr Aryan Manesh's request. The Commissioner does not have the power to consider whether the Council should have recorded more information than it did, in relation to the leak in Mr Aryan Manesh's flat, or conducted further investigation as to the cause of the leak. She can only reach a decision on whether all information covered by his request has been identified and considered, and whether it should be disclosed.

25. The Commissioner is disappointed that it has taken a considerable time, and two investigations, for the Council to identify all relevant information falling in scope of the request. The delay and the piecemeal disclosure of information to Mr Aryan Manesh has led him to question whether there is more information which the Council has not provided. However, the Commissioner accepts that the Council was subject to a catastrophic IT failure, which led to difficulties in carrying out a complete search, and she is satisfied that all relevant information held by the Council has now been identified.

26. The Commissioner acknowledges the positive steps taken by the Council to engage with the Commissioner's investigation, such as its agreement to provide Mr Aryan Manesh with its responses to questions even where this did not involve the provision of recorded information covered by his request. These answers should provide him with some insight into the actions taken by the Council regarding the flooding of his flat.

27. Having considered all the relevant submissions, and the answers provided to Mr Aryan Manesh, the Commissioner is satisfied that the Council has taken adequate and proportionate steps to establish the information it held which fell within the scope of Mr Aryan Manesh's request, and that it does not hold any other information covered by that request.

28. As the Council failed to identify and disclose all relevant recorded information when it responded to Mr Aryan Manesh's request and request for review, the Commissioner finds that the Council failed to comply fully with section 1(1) of FOISA.

Section 38(1)(a) of FOISA - Personal data of the requester

29. During the investigation, the Council submitted that some of the information contained within the email of 24 December 2014 was Mr Aryan Manesh's own personal data and exempt from disclosure under section 38(1)(a) of FOISA.

30. The Council informed Mr Aryan Manesh, on 5 July 2016, that it had disclosed his personal data to him solely and this information would not be disclosed to another applicant under FOISA.

31. Section 38(1)(a) of FOISA contains an absolute exemption in relation to personal data of which the applicant is the data subject. The fact that it is absolute means that it is not subject to the public interest test set out in section 2(1)(b) of FOISA.

32. This exemption exists under FOISA because individuals have a separate right to make a request for their own personal data (commonly known as a "subject access request") under section 7 of the DPA. The DPA will therefore usually determine whether a person has a right to request their own personal data, and govern the exercise of that right. Crucially, it provides for access by the data subject (the person to whom the data relate) alone, rather than (as under FOISA) to the world at large. Section 38(1)(a) of FOISA does not deny individuals a right to access to information about themselves, but ensures that the right is exercised under the DPA and not under FOISA.

33. Personal data is defined in section 1(1) of the DPA as data which relates to a living individual who can be identified a) from those data, or b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller (the full definition is set out in Appendix 1).

34. Having considered the withheld information and the submissions received from the Council, the Commissioner is satisfied that parts of the withheld email are indeed Mr Aryan Manesh's own personal data, as the information relates to him (by discussing his complaint) and he is identifiable from the information.

35. In the circumstances, the Commissioner is satisfied that the Council was entitled to withhold information which is Mr Aryan Manesh's personal data under section 38(1)(a) of FOISA.

Section 38(1)(b) of FOISA - Personal data of third parties

36. The Council withheld some information from the email of 24 December 2014 under section 38(1)(b) of FOISA.

37. Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or, as appropriate, section 38(2)(b), exempts information from disclosure if it is "personal data" (as defined in section 1(1) of the DPA) and its disclosure would contravene one or more of the data protection principles set out in Schedule 1 to the DPA.

38. The exemption in section 38(1)(b) of FOISA is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

39. In order to rely on this exemption, the Council must show that the information being withheld is personal data for the purposes of the DPA and that its disclosure into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles to be found in Schedule 1 to the DPA. The Council considered disclosure of the information would breach the first data protection principle.

Is the withheld information personal data?

40. The Commissioner will firstly consider whether the information withheld is personal data. (The full definition is set out in Appendix 1.)

41. The Council submitted that the email contains the personal data of Mr Aryan Manesh's neighbours and took the view that disclosure of the information would contravene the first data protection principle in Schedule 1 of the DPA.

42. The Commissioner is satisfied that living individuals could be identified from the information in the email, either by itself or with other information likely to be reasonably accessible to Mr Aryan Manesh (and others). The Commissioner concludes that the withheld information clearly relates to identifiable living individuals, including the occupants of the flat from which the flooding came and the Council employees whose names were withheld in the email. Consequently, the Commissioner accepts that the information is personal data, as defined by section 1(1) of the DPA.

43. The Commissioner considered whether the email could be redacted in such a way that it could be disclosed without identifying the neighbours, but concluded that it could not, given Mr Aryan Manesh's (and others') knowledge of the property.

The first data protection principle

44. The Council submitted that making available the personal data in the email would breach the first data protection principle.

45. This principle states that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met. The processing in this case would be making the information publicly available in response to Mr Aryan Manesh's request.

46. In the case of sensitive personal data (as defined by section 2 of the DPA), at least one of the conditions in Schedule 3 to the DPA must also be met. The Commissioner is satisfied that the personal data in question are not sensitive personal data for the purposes of section 2 of the DPA, so it is not necessary for her to consider the conditions in Schedule 3.

Can any of the conditions in Schedule 2 be met?

47. When considering the conditions in Schedule 2, the Commissioner has noted Lord Hope's comment in the case of Common Services Agency v Scottish Information Commissioner [2008] UKHL 47[2] (the CSA case), that the conditions require careful treatment in the context of a request for information under FOISA, given that they were not designed to facilitate the release of information, but rather to protect personal data from being processed in a way that might prejudice the rights, freedoms or legitimate interests of the data subject (i.e. the person or persons to whom the data relate).

48. The Council considered it was not appropriate to ask Mr Aryan Manesh's neighbours to give their consent to the disclosure of their personal information, given the circumstances of this case and their previous lack of engagement with the Council. In the circumstances, the Commissioner agrees that seeking the neighbours' consent would not have been appropriate.

49. It appears to the Commissioner that condition 6 in Schedule 2 is the only one which might permit disclosure of the personal data to Mr Aryan Manesh.

50. Condition 6 allows personal data to be processed if that processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

51. There are, therefore, a number of tests which must be met before condition 6(1) can apply. These are:

· Does Mr Aryan Manesh have a legitimate interest in obtaining the personal data?

· If so, is the disclosure necessary to achieve those legitimate interests? In other words, is disclosure proportionate as a means and fairly balanced as to ends, or could these legitimate interests be achieved by means which interfere less with the privacy of the data subjects?

· Even if disclosure is necessary for those purposes, would it nevertheless be unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subjects? As noted by Lord Hope in the above judgment, there is no presumption in favour of disclosure of personal data under the general obligation laid down in FOISA. The legitimate interests of Mr Aryan Manesh must outweigh the rights and freedoms or legitimate interests of the data subjects before condition 6 will permit the personal data to be disclosed.

Does Mr Aryan Manesh have a legitimate interest in obtaining the personal data?

52. There is no definition in the DPA of what constitutes a "legitimate interest." The Commissioner takes the view that the term indicates that matters in which an individual properly has an interest should be distinguished from matters about which he or she is simply inquisitive. The Commissioner's guidance on section 38 of FOISA[3] states:

In some cases, the legitimate interest might be personal to the applicant - e.g. he or she might want the information in order to bring legal proceedings. With most requests, however, there are likely to be wider legitimate interests, such as the scrutiny of the actions of public bodies or public safety.

53. The Council acknowledged that Mr Aryan Manesh has a legitimate interest in the information as it relates to information relating to investigative works into the cause of a leak into his flat.

54. The Commissioner agrees that Mr Aryan Manesh has a legitimate interest in obtaining the withheld personal data. Disclosure of the withheld information would provide insight into the Council's investigation of the cause of the flooding from the flat above his.

Is disclosure necessary to achieve those legitimate interests?

55. Having concluded that Mr Aryan Manesh has a legitimate interest in obtaining the withheld personal data, the Commissioner must now consider whether disclosure of the personal data is necessary to achieve those legitimate aims. In doing so, she must consider whether these interests might reasonably be met by any alternative means, interfering less with the privacy of the individuals concerned.

56. In the Council's view, the redacted version of the email that it had provided to Mr Aryan Manesh contained sufficient information to allow him to take appropriate action to resolve his difficulties with his neighbours. The Council was satisfied that the parts of the email that have been provided to Mr Aryan Manesh have met his legitimate interests in this case.

57. The Commissioner accepts that the disclosed information goes some way towards meeting the legitimate interests of Mr Aryan Manesh, but takes the view that full disclosure would meet those interests more completely. She cannot identify any other viable means of fully meeting Mr Aryan Manesh's interests which would interfere less with the privacy of the data subjects than providing the withheld personal data. For this reason, the Commissioner is satisfied that disclosure of the information is necessary for the purposes of Mr Aryan Manesh's legitimate interests.

Would disclosure cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects?

58. The Commissioner is satisfied that disclosure of the withheld personal data is necessary to fulfil Mr Aryan Manesh's legitimate interests, but she must now consider whether that disclosure would nevertheless cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects. This involves a balancing exercise between the legitimate interests of Mr Aryan Manesh and the data subjects. Only if the legitimate interests of Mr Aryan Manesh outweigh those of the data subjects can the data be disclosed without breaching the first data protection principle.

59. In the Commissioner's briefing on the personal information exemption[4], she notes a number of factors which should be taken into account in carrying out the balancing exercise. These include:

· whether the information relates to an individual's public life (i.e. their work as a public official or employee) or their private life (i.e. their home, family, social life or finances)

· the potential harm or distress that might be caused by disclosure

· whether the individual objected to the disclosure

· the reasonable expectations of the individual as to whether the information should be disclosed.

The Council's submissions

60. In its submissions the Council made reference to the Commissioner's briefing on section 38(1)(b) of FOISA and submitted that the information in this case relates to the home life of Mr Aryan Manesh's neighbours.

61. The Council submitted that disclosure into the public domain of information about their home lives could cause harm or distress to the neighbours. The Council notes that the Commissioner's briefing states that the exemption in section 38(1)(b) of FOISA must be interpreted in line with Article 8 of the European Convention of Human Rights, which states that everyone has a right to respect for his private and family life, his home and his correspondence. The Council submitted that disclosure of the requested information would have the potential to breach Article 8 and is likely to be unwarranted.

62. The Council considered that a further factor (also identified in the Commissioner's briefing) is that the reasonable expectations of the individual must be considered. The neighbours would have no expectation that this information would be disclosed into the public domain. The information recorded in the email was obtained as the result of the Council obtaining a warrant to gain entry to their flat. The Council stated that it is not information which the neighbours freely provided to the Council.

63. The Council stated that the legitimate interests of Mr Aryan Manesh did not outweigh the prejudice to Mr Aryan Manesh's neighbours' rights, freedoms and legitimate interests that would follow disclosure.

64. The Council referred to the 'fairness' test in relation to potential disclosure of the personal data. The Council considered that disclosure of the information would be likely to cause distress or damage to the data subject (for the reasons outlined above). The Council submitted that the information relates to the data subject's private life, rather than their public life, and therefore requires a higher level of protection.

The Commissioner's view

65. The Commissioner recognises that the information which is the neighbours' personal data was acquired as a result of the Council's actions and was not provided directly by Mr Aryan Manesh's neighbours themselves.

66. While the Commissioner is acutely aware of Mr Aryan Manesh's interest in the withheld information, she is satisfied that the information withheld from the body of the email relates entirely to the neighbours' home life and is information which the neighbours would have no reasonable expectation would be disclosed into the public domain.

67. The Commissioner is satisfied that disclosure of this information would lead to unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects. She therefore concludes, on balance, that disclosure would be unfair. In the absence of a condition permitting disclosure, she would also regard disclosure as unlawful.

68. The Commissioner therefore finds that disclosure of the neighbours' personal data would breach the first data protection principle and, accordingly, this information was properly withheld under the exemption in section 38(1)(b) of FOISA.

69. The Commissioner notes that the Council also withheld details of the sender and recipient of the email (Council employees). She accepts that these details are the personal data of identifiable individuals. The Council has not provided any arguments as to effect of disclosure on the sender and receiver of the email.

70. The Commissioner notes that these individuals' names have been disclosed in other correspondence to Mr Aryan Manesh and she is satisfied that disclosure in this instance would not cause these individuals distress or harm.

71. The Commissioner has not received any argument from the Council which would persuade her that disclosure of its employees' personal data (in response to Mr Aryan Manesh's request) would substantially prejudice the rights and freedoms or legitimate interests of the individuals. If any prejudice was likely to occur, she would not consider it sufficient, on balance, to outweigh the legitimate interest in disclosure, given that the names have already been disclosed to Mr Aryan Manesh.

72. The Commissioner is aware of no reason why disclosure of the Council employees' names should be otherwise unfair or unlawful and therefore has concluded that disclosure of the information would not breach the first data protection principle. Consequently, she finds that the information is not exempt under section 38(1)(b) of FOISA, and requires the Council to disclose this information to Mr Aryan Manesh.

Decision

The Commissioner finds that Glasgow City Council (the Council) partially complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by Mr Aryan Manesh.

The Council complied with Part 1 of FOISA by withholding Mr Aryan Manesh's own personal data under section 38(1)(a) of FOISA and withholding the personal data of his neighbours under section 38(1)(b) of FOISA.

However, by failing to disclose all relevant information when responding to the request and request for review, the Council failed to comply fully with section 1(1) of FOISA. The Council also wrongly withheld the remaining personal data (Council employee names) under section 38(1)(b) of FOISA.

The Commissioner therefore requires the Council to disclose the information identified in the last paragraph of the decision by 11 May 2017.

Appeal

Should either Mr Aryan Manesh or the Council wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Enforcement

If the Council fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that the Council has failed to comply. The Court has the right to inquire into the matter and may deal with the Council as if it had committed a contempt of court.

Margaret Keyse
Head of Enforcement

27 March 2017

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(4) The information to be given by the authority is that held by it at the time the request is received, except that, subject to subsection (5), any amendment or deletion which would have been made, regardless of the receipt of the request, between that time and the time it gives the information may be made before the information is given.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(i) paragraphs (a), (c) and (d); and

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

 

38 Personal information

(1) Information is exempt information if it constitutes-

(a) personal data of which the applicant is the data subject;

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

Data Protection Act 1998


1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

Schedule 1 - The data protection principles

Part I - The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

Schedule 2 - Conditions relevant for purposes of the first principle: processing of any personal data

...

6. (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

[1] http://www.itspublicknowledge.info/ApplicationsandDecisions/Decisions/2016/201501065.aspx

[2] http://www.publications.parliament.uk/pa/ld200708/ldjudgmt/jd080709/comm-1.htm

[3] http://www.itspublicknowledge.info/Law/FOISA-EIRsGuidance/section38/Section38.aspx

[4] http://www.itspublicknowledge.info/Law/FOISA-EIRsGuidance/section38/Section38.aspx