Decision 213/2014 | Scottish Information Commissioner

Home Decisions

Decision 213/2014

Decision 213/2014 Mr John Mauger and Her Majesty's Inspectors of Constabulary

Interim review report

Reference No: 201400490
Decision Date: 10 October 2014

Summary

On 22 December 2013, Mr Mauger asked Her Majesty's Inspectors of Constabulary (HMICS) for a copy of the interim investigation report (the report) conducted by HMICS into circumstances surrounding senior police officers and the former Central Scotland Joint Police Board (CSJPB).

HMICS initially withheld the report on the basis that it comprised personal data and was exempt from disclosure in terms of section 38 of FOISA.

The Commissioner investigated and found that HMICS had partially failed to respond to Mr Mauger's request for information in accordance with Part 1 of FOISA. The Commissioner found that some of the withheld information did not comprise personal data and required HMICS to disclose it to Mr Mauger. In respect of the information that did comprise personal data, the Commissioner accepted that some of it comprised Mr Mauger's personal data and was exempt from disclosure under section 38(1)(a) of FOISA. The Commissioner accepted that HMICS was entitled to withhold some of the information under section 38(1)(b) of FOISA, but ordered disclosure of other personal information wrongly withheld under that exemption. She also required HMICS to disclose information to which no exemption had been applied.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1) and (2)(e) (Effect of exemptions); 38(1)(a) and (b), (2)(a)(i) and (b) and (5) (definitions of "the data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA) sections sections 1(1) (Basic interpretative provisions) (definition of personal data); 2 (Sensitive personal data); Schedule 1 (The data protection principles, Part 1 - the principles) (the first data protection principle); Schedule 2 (Conditions relevant for the purposes of the first principle: processing of any personal data: condition 6(1)); Schedule 3 (Conditions relevant for purposes of the first principle: processing of sensitive personal data (conditions 1 and 5))

The full text of each of the statutory provisions cited above is reproduced in the Appendix to this decision. The Appendix forms part of this decision.

Background

1. On 22 December 2013, Mr Mauger emailed HMICS via the whatdotheyknow website[1] requesting a copy of the report conducted by HMICS into circumstances surrounding senior police officers and the former CSJPB. Mr Mauger also requested other information that is not the subject of this decision.

2. HMICS responded on 5 February 2014. HMICS informed Mr Mauger that the report was exempt from disclosure in terms of section 38(1)(a) of FOISA (on the basis that the information comprised Mr Mauger's own personal data).

3. On 5 February 2014, Mr Mauger emailed HMICS requesting a review of their decision. Mr Mauger considered that HMICS could have offered to provide the report in a redacted form including those parts that were no longer subject to any ongoing process.

4. HMICS notified Mr Mauger of the outcome of their review on 3 March 2014. HMICS decided that some parts of the report were not exempt from disclosure under FOISA and disclosed these parts to Mr Mauger. HMICS upheld its previous decision in respect of the remainder of the information, reaffirming that the information was exempt from disclosure under section 38(1)(a) of FOISA.

5. On 5 March 2014, Mr Mauger applied to the Commissioner for a decision in terms of section 47(1) of FOISA. Mr Mauger stated he was dissatisfied with the outcome of HMICS's review and that there was a public and private interest in the information being disclosed.

Investigation

6. The application was accepted as valid. On 6 March 2014, HMICS were notified in writing that Mr Mauger had made a valid application. HMICS were asked to send the Commissioner the information withheld from him. HMICS provided the information requested and the case was then allocated to an investigating officer.

7. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. HMICS were invited to comment on Mr Mauger's application including justifying their reliance on any provisions of FOISA they considered applicable to the information requested.

8. At this stage, the investigating officer pointed out that some of the information withheld under section 38(1)(a) of FOISA did not appear to comprise Mr Mauger's personal data. The investigating officer asked HMICS for their views on this and whether they now considered that some of this information could be disclosed to Mr Mauger. Additionally, the investigating officer asked HMICS to provide the Commissioner with a marked up copy of the withheld information indicating the parts which they considered to be personal data.

9. In response, HMICS agreed that some of the information did not comprise Mr Mauger's personal data. They provided the investigating officer with a copy of the withheld information indicating the information which they now considered did not comprise Mr Mauger's personal data. HMICS indicated that they would be prepared to disclose this information to Mr Mauger.

10. Some of the information that HMICS had highlighted, whilst not comprising Mr Mauger's personal data, did comprise the personal data of other individuals. The investigating officer asked HMICS to confirm whether they wished to apply the exemption in section 38(1)(b) of FOISA to this specific information and, if so, to provide submissions on their application of that exemption.

11. The investigating officer also noted that HMICS had redacted the header from the withheld information and asked HMICS to clarify whether they still wished to withhold this specific information. If so, HMICS were asked to provide submissions on any exemption(s) they considered applicable to this information.

12. In response, HMICS provided submissions on their application of the exemption in section 38(1)(b) of FOISA. HMICS did not cite any exemptions in relation to the header on the withheld information.

Commissioner's analysis and findings

13. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to her by both Mr Mauger and HMICS. She is satisfied that no matter of relevance has been overlooked.

Section 38(1)(a) of FOISA - Mr Mauger's own personal data

14. Section 38(1)(a) of FOISA contains an absolute exemption in relation to personal data of which the applicant is the data subject. The fact that it is absolute means that it is not subject to the public interest test set out in section 2(1) of FOISA.

15. This exemption exists under FOISA because individuals have a separate right to make a request for their own personal data (commonly known as a "subject access request") under section 7 of the DPA. The DPA will therefore usually determine whether a person has a right to their own personal data. Section 38(1)(a) of FOISA does not deny individuals a right to access to information about themselves, but ensures that the right is exercised under the DPA and not under FOISA.

16. Personal data are defined in section 1(1) of the DPA as data which relate to a living individual who can be identified: a) from those data, or b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller (the full definition is set out in the Appendix).

17. HMICS have withheld all of the information that they consider comprises Mr Mauger's personal data under this exemption.

18. Having considered this information, the Commissioner is satisfied that the majority of it does comprise Mr Mauger's personal data. It relates to Mr Mauger as an individual and he can be identified from those data. It concerns matters relating to his employment and the information is biographical in relation to - and focussing on - Mr Mauger.

19. The Commissioner is not satisfied that all of the information highlighted by HMICS is Mr Mauger's personal data. This is considered later in the decision.

20. In relation to the information that is Mr Mauger's own personal data, the Commissioner finds that HMICS are entitled to withhold the information under section 38(1)(a) of FOISA.

21. As noted above, the exemption in section 38(1)(a) is an absolute one and the Commissioner is therefore not required to go on to consider whether the public interest lies in the information being released or withheld.

Section 38(1)(b) of FOISA - third party personal data

22. HMICS applied the exemption in section 38(1)(b) to information which comprised the personal data of individuals other than Mr Mauger. HMICS considered that the disclosure of this information would breach the first data protection principle of the DPA.

23. Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or, as appropriate, section 38(2)(b), exempts information from disclosure if it is "personal data" (as defined in section 1(1) of the DPA) and its disclosure would contravene one or more of the data protection principles set out in Schedule 1 to the DPA.

24. In order to rely on this exemption, HMICS must show that the information being withheld is personal data for the purposes of the DPA and that its disclosure into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles to be found in Schedule 1 to the DPA.

Is the information under consideration personal data?

25. As noted above, the definition of personal data is set out in the Appendix below. In this case, HMICS argued that the information comprised the personal data of various individuals.

26. The Commissioner is satisfied that the majority of the information highlighted by HMICS is third party personal data, in line with the definition in part (a) of section 1(1) of the DPA. Living individuals, i.e. those named and referenced within the information, can be identified from this information. In this case, the information would clearly allow those individuals to be identified and reveal that they had been named or referenced within the information.

27. The Commissioner is not satisfied that some of the information to which this exemption has been applied actually comprises personal data. In the Commissioner's view, some of the information is not capable of identifying living individuals. As such, the Commissioner is not satisfied that this information is exempt from disclosure in terms of section 38(1)(b) of FOISA and finds that it was incorrectly withheld by HMICS. The Commissioner now requires HMICS to disclose this information to Mr Mauger.

Is the information under consideration sensitive personal data?

28. The Commissioner has considered the definition of sensitive personal data set out in section 2 of the DPA. This provides that some types of information are "sensitive personal data" and affords additional protection to such data.

29. In this case, the Commissioner is satisfied that some of the withheld information comprises sensitive personal data for the purposes of section 2. The Commissioner is unable to confirm the specific types of sensitive personal data which are included as to do so could risk revealing the data itself.

30. The Commissioner will now consider whether disclosure of the personal data would breach the first data protection principle, as HMICS have argued.

Would disclosure of the personal data contravene the first data protection principle?

31. As noted above, HMICS argued that making this information available would breach the first data protection principle. This states that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met. In the case of sensitive personal data, at least one of the conditions in Schedule 3 to the DPA must also be met. The processing in this case would comprise making the information publicly available in response to Mr Mauger's request.

32. There are three separate aspects to the first data protection principle: (i) fairness, (ii) lawfulness and (iii) the conditions in the schedules. However, these three aspects are interlinked. For example, if there is a specific condition which permits the personal data to be disclosed, it is likely that disclosure would also be fair and lawful.

33. The Commissioner has considered this in respect of both sensitive and non-sensitive personal data.

Withheld sensitive personal data

34. The Commissioner will first consider whether there are any conditions in Schedule 3 to the DPA which would allow the data to be disclosed.

35. The conditions listed in Schedule 3 to the DPA have been considered by the Commissioner, as have the additional conditions for processing sensitive personal data contained in legislation such as the Data Protection (Processing of Sensitive Personal Data) Order 2000.

36. The Commissioner's guidance on section 38(1)(b)[2] notes that the conditions in Schedule 3 are very restrictive in nature and that, generally, only the first and fifth conditions are likely to be relevant when considering a request for sensitive personal data under FOISA.

37. Condition 1 allows sensitive personal data to be processed where the data subject has given explicit consent to the processing.

38. In this case, the Commissioner is unaware of any explicit consent having been provided. Accordingly, the Commissioner has concluded that condition 1 of Schedule 3 cannot be met.

39. Condition 5 allows sensitive personal data to be processed where information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.

40. In this case, the Commissioner is not aware of any steps having been taken deliberately in order to make the specific information public. Therefore condition 5 cannot apply.

41. Having reached these conclusions, and also having concluded that no other condition in Schedule 3 (or any other legislation) applies in the circumstances of this case, the Commissioner finds that there are no conditions which would allow the sensitive personal data to be disclosed.

42. In the absence of a condition in Schedule 3 permitting the sensitive personal data to be disclosed, the Commissioner must find that disclosure would be unfair. In the absence of such a condition, disclosure would also be unlawful. Consequently, disclosure of the sensitive personal data contained within the withheld information would contravene the first data protection principle. The information is therefore exempt from disclosure under section 38(1)(b) of FOISA.

Withheld non-sensitive personal data

43. The Commissioner will now consider whether there are any conditions in Schedule 2 to the DPA which would permit the withheld non-sensitive personal data to be disclosed. Where a Schedule 2 condition can be met, she will then go on to consider whether disclosure of the personal data would otherwise be fair and lawful.

44. When considering the conditions in Schedule 2, the Commissioner has noted Lord Hope's comment in the case of Common Services Agency v Scottish Information Commissioner [2008] UKHL 47[3] (the CSA case) that the conditions require careful treatment in the context of a request for information under FOISA, given that they were not designed to facilitate the release of information, but rather to protect personal data from being processed in a way that might prejudice the rights, freedoms or legitimate interests of the data subject.

Can any schedule 2 conditions be met?

45. The Commissioner considers that the only condition in Schedule 2 to the DPA which might apply in this case is condition 6. Condition 6 allows personal data to be processed if that processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subjects.

46. In line with the view of Lady Hale in the case of South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55 (paragraph 14), there are three tests which have to be satisfied before condition 6 can be met. These are:

i. Does Mr Mauger have a legitimate interest in obtaining the personal data?

ii. If yes, is the processing (in this case, the disclosure of the information) necessary to achieve those legitimate aims and fairly balanced as to ends, or could these legitimate aims be achieved by means which interfere less with the privacy of the data subject?

iii. Even if the processing is necessary for Mr Mauger's legitimate purposes, would the disclosure nevertheless cause unwarranted prejudiced to the rights and freedoms or legitimate interests of the data subject? As noted by Lord Hope in the CSA case, given that there is no presumption in favour of the release of personal data, the legitimate interests of Mr Mauger must outweigh the rights, freedoms or legitimate interests of the data subjects before condition 6 will permit the personal data to be disclosed. If the two are evenly balanced, the Commissioner must find that HMICS were correct to refuse to disclose the personal data to Mr Mauger.

Is Mr Mauger pursuing a legitimate interest in obtaining the personal data?

47. There is no definition within the DPA of what constitutes a "legitimate interest", but the Commissioner takes the view that the term indicates that matters in which an individual properly has an interest should be distinguished from matters about which he or she is simply inquisitive. The Commissioner's published guidance on section 38 of FOISA[4] states:

"In some cases, the legitimate interest might be personal to the applicant - e.g. he or she might want the information in order to bring legal proceedings. With most requests, however, there are likely to be wider legitimate interests, such as the scrutiny of the actions of public bodies or public safety."

48. In his application to the Commissioner, Mr Mauger stated that the report was matter of both public interest and private interest to him personally. He also stated that the report might contain evidence relating to a civil action and for other quasi-judicial processes.

49. HMICS argued that Mr Mauger's legitimate interest was met by the information previously disclosed to him. They also submitted that matters about which an individual has an interest should be distinguished from matters about which they are merely inquisitive. In HMICS's view, neither Mr Mauger, nor the wider public, had a legitimate interest in these data.

50. In this case, given the personal interest that Mr Mauger has in the contents of the report and the wider matters that he has identified, the Commissioner is satisfied that he has a legitimate interest in obtaining the personal data contained within the information. Obtaining the information would allow him to obtain a fuller understanding of the scope of the review, and form a view on the nature of the investigation conducted by HMICS.

Is the processing necessary to achieve those legitimate aims?

51. Having concluded that Mr Mauger has a legitimate interest in obtaining the personal data under consideration, the Commissioner must now consider whether disclosure of the personal data is necessary to achieve those legitimate aims and fairly balanced as to ends, or whether these legitimate aims be achieved by means which interfere less with the privacy of the data subject. In doing so, she must consider whether these interests might reasonably be met by any alternative means.

52. HMICS submitted that alternative means were available, such as to wait for the final report to be published. HMICS stated that it intended doing so within twelve weeks and the report would be laid before Parliament and published on the HMICS website. However, the Commissioner understands that the published report will not contain all of the information included in the interim report. Consequently, she has been able to give only very limited weight to the fact that the report will be published in the relatively near future.

53. Having reviewed the information that has been withheld, the Commissioner cannot identify any other viable means of meeting Mr Mauger's interests which would interfere less with the privacy of the data subjects than providing the withheld personal data. For this reason, the Commissioner is satisfied that disclosure of the information is necessary for the purposes of Mr Mauger's legitimate interests.

Would disclosure cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects?

54. The Commissioner is satisfied that disclosure of the withheld personal data would be necessary to fulfil Mr Mauger's legitimate interests, but must now consider whether that disclosure would cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects. As noted above, this involves a balancing exercise between the legitimate interests of Mr Mauger and the data subjects in question. Only if the legitimate interests of Mr Mauger outweigh those of the data subjects can the information be disclosed without breaching the first data protection principle.

55. In the Commissioner's briefing on personal information, she notes a number of factors which should be taken into account in carrying out the balancing exercise. These include:

? whether the information relates to the individual's public life (i.e. their work as a public official or employee) or their private life (i.e. their home, family, social life or finances)

? the potential harm or distress that may be caused by disclosure

? whether the individual objected to the disclosure

? the reasonable expectations of the individual as to whether the information should be disclosed.

56. HMICS submitted that the data subjects would have no expectation that the information recorded about them would be disclosed. In their view, the legitimate interest of Mr Mauger did not outweigh those of the data subjects.

57. Mr Mauger submitted that the individuals who participated in the report were "officials". In his view, these individuals were giving evidence in a quasi-judicial, criminal and complaints process. In Mr Mauger's view, this gave rise to an expectation and understanding that anything said could be examined in a court or hearing.

58. Mr Mauger argued that withholding the identities of those who contributed to the report would breach natural justice, openness and transparency. He considered there was a much wider public interest and there was a reasonable expectation that the public should know what had happened (in relation to the subject of the report) given the expense incurred. He also considered there was a public interest in the operation of a public body and its employees.

59. Mr Mauger also submitted that public officials should always have an expectation that they would be quoted and identified from what they said. In his view, if such information were withheld, nothing would ever be released under FOISA.

60. The Commissioner has considered all of the submissions made by Mr Mauger and HMICS when balancing the legitimate interests in this case.

61. The Commissioner considers that senior officers and senior officials should have some expectation that information relating to their public lives might be disclosed into the public domain. In the circumstances of this case - an investigation into a high-profile case involving allegations of misconduct by senior police officers - the Commissioner believes that those officials and officers could not reasonably have expected that their involvement in the investigation would not be disclosed into the public domain. Similarly, the Commissioner considers that the independent solicitor appointed by CSJPB could not reasonably have expected that their involvement in the investigation would not be disclosed into the public domain.

62. In the Commissioner's view, where the report makes passing reference to officials, senior police officers and the independent solicitor, or where they have been mentioned purely in relation to their administrative involvement in the investigation, the disclosure of the information would not appear to carry any significant risk of harm or distress. The report does not mention the views or statements of these individuals. As a result, the Commissioner has determined that disclosure would not be unwarranted in such circumstances.

63. Having drawn these conclusions, the Commissioner finds that condition 6 in Schedule 2 to the DPA can be met in this case in relation to disclosure of this category of withheld personal data.

64. As the Commissioner has not accepted that disclosure of the personal data would lead to unwarranted prejudice to the rights, freedoms or legitimate interests of the data subjects, the Commissioner also concludes, for the same reasons, that disclosure of the withheld information would not be unfair.

65. In the absence of any other reason for finding disclosure to be unlawful, and given that she is satisfied that condition 6 can be met, the Commissioner must find that disclosure would be lawful. The Commissioner therefore finds that disclosure of this category of withheld information would not breach the first data protection principle, and so this information was not properly withheld under the exemption in section 38(1)(b) of FOISA. She now requires HMICS to disclose this information to Mr Mauger.

66. The Commissioner has reached a different conclusion where the report relates to allegations of misconduct by or against individuals. In such circumstances, the Commissioner considers there would be no expectation on the part of the data subjects that their personal data would be disclosed into the public domain as a consequence of Mr Mauger's information request. She accepts that the information relates to the individuals' public lives, but also, given the nature of that information, to their private lives as well.

67. On balance, while the Commissioner accepts that the disclosure of such information would be necessary to fulfil Mr Mauger's legitimate interests, she does not agree that this outweighs the prejudice that would be caused to these data subjects' rights, freedoms and legitimate interests. She considers that such prejudice would be unwarranted in relation to these individuals. Consequently, the Commissioner is satisfied that condition 6 of Schedule 2 is not met in this case in relation to these individuals in relation to this type of information.

68. Having concluded that disclosure of the withheld information would lead to unwarranted prejudice to the rights, freedoms and legitimate interests of these data subjects, the Commissioner must also conclude that disclosure would be unfair. As condition 6 cannot be met, she would also regard disclosure as unlawful. In all the circumstances, therefore, she finds that disclosure would breach the first data protection principle and that this information was properly withheld under section 38(1)(b) of FOISA.

Other withheld information

69. As noted above, HMICS withheld the header on the report. Also as noted above, HMICS did not cite any exemption(s) in relation to this specific information.

70. In the absence of any submissions from HMICS explaining why this information should be withheld, the Commissioner now requires HMICS to disclose it to Mr Mauger.

Conclusion

71. The Commissioner requires HMICS to disclose the information that does not comprise the personal data of any individual (see paragraph 27 above).

72. The Commissioner requires HMICS to disclose the personal data of officials, police officers and the independent solicitor referenced within the report, as outlined at paragraph 65 above.

73. The Commissioner accepts that HMICS was entitled to withhold the personal data of individuals where the information concerns allegations of misconduct (see paragraph 68 above).

74. The Commissioner requires HMICS to disclose the header on the report (see paragraph 70 above).

75. With this decision, the Commissioner will provide HMICS with a marked up copy of the report, indicating the information that should be redacted and the information that should be provided.

Decision

The Commissioner finds that Her Majesty's Inspectors of Constabulary (HMICS) partially failed to comply with Mr Mauger's request for information in accordance with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA). The Commissioner finds that:

? by failing to disclose information that did not comprise personal data, HMICS failed to comply with section 1(1) of FOISA

? HMICS was entitled to withhold information comprising Mr Mauger's own personal data under section 38(1)(a) of FOISA

? HMICS was entitled to withhold some of the personal information under the exemption in section 38(1)(b) of FOISA

? HMICS was not entitled to withhold some of the personal information under the exemption in section 38(1)(b) of FOISA

The Commissioner therefore requires HMICS to disclose to Mr Mauger the information specified in paragraphs 27, 65 and 70 above by 24 November 2014.

Appeal

Should either Mr Mauger or Her Majesty's Inspectors of Constabulary wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Enforcement

If her Majesty's Inspectors of Constabulary fail to comply with this decision, the Commissioner has the right to certify to the Court of Session that her Majesty's Inspectors of Constabulary have failed to comply. The Court has the right to inquire into the matter and may deal with Her Majesty's Inspectors of Constabulary as if they had committed a contempt of court.

Margaret Keyse
Head of Enforcement
10 October 2014

Appendix

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(b) in all the circumstances of the case, the public interest in disclosing the information is not outweighed by that in maintaining the exemption.

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(i) paragraphs (a), (c) and (d); and

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

38 Personal information

(1) Information is exempt information if it constitutes-

(a) personal data of which the applicant is the data subject;

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

2 Sensitive personal data

In this Act "sensitive personal data" means personal data consisting of information as to-

(a) the racial or ethnic origin of the data subject,

(b) his political opinions,

(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),

(e) his physical or mental health or condition,

(f) his sexual life,

(g) the commission or alleged commission by him of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Schedule 1 - The data protection principles

Part I - The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

Schedule 2 - Conditions relevant for purposes of the first principle: processing of any personal data

...

6. (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

Schedule 3 - Conditions relevant for purposes of the first principle: processing of sensitive personal data

1. The data subject has given his explicit consent to the processing of the personal data.

5. The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.

[1] www.whatdotheyknow.com

[2]

[3]

[4]