How a simple FOI request resulted in having to appear in court

Claire Miller, deputy head of Reach’s Data Unit and an expert on journalistic uses of the Freedom of Information Act, recently won a landmark FOI case after representing herself in court. Here she tells the full story for the first time — and explains why her victory matters.

Every time you send a Freedom of Information (FOI) request, you’ve probably convinced yourself that this one can’t be too complicated for the public body to sort out.

I thought asking the Department for Communities and Local Government (now the Ministry of Housing, Communities and Local Government) for some older spreadsheets of data it publishes on homelessness applications at local authority level would be fairly simple.

Two-and-a-half years and a court appearance later — turns out it wasn’t.

However, it does show why it’s worth appealing refusals. If my legal battles proved nothing else, they at least established that public bodies can’t just refuse to send you information because it involves small numbers. They actually have to properly consider whether that information is personal data under the terms of the act.

The request

Back in December 2015, I sent the request and got a refusal. The initial refusal was under Section 12 Costs — otherwise known as “It’ll take too long to find the data”.

This led to about a month of emails back and forth trying to find a way to get the data within the cost limits. The DCLG claimed that there was no problem, really — they were going to publish the information anyway, “any day now”.

I asked for an internal review of the original rejection. This was not wholly successfully. The review agreed it wasn’t actually going to take more than 24 hours to find the data (the government limit for FOI requests). But, as they were definitely going to publish the information in the future, and had always planned to publish it (honest), they were still refusing my request under Section 22 (information intended for future publication).

Homelessness is an issue many public bodies don’t seem to want to talk about

Oh, and they couldn’t possibly speed up publication, as they needed to suppress small numbers because they constituted “personal data” (exempt under Section 40(2)).

It’s always worth asking for an internal review if the refusal sounds a bit vague — the Section 12 exemption requires some evidence that it will take too long to answer the request, while Section 22 needs a settled intention that pre-dates the request. If those things are missing, or emails suggest it only occurred to them to release the data once you started asking for it, send over a request for an internal review.

The Information Commissioner’s Office (ICO)

I wasn’t in the least bit convinced that the DCLG was planning to release the data any time soon — and the next step after the internal review is to complain to the ICO.

This is easy: you just fill in a form on the ICO website, mostly repeating your internal review request and specifying how the public body hasn’t addressed any of your important points.

In this case, the ICO ruled against me on Section 22. They agreed it was reasonable for the DCLG to redact the information first.

First Tier Tribunal (FTT)

At this point it may have been sensible to give up. But the ICO decision notice was a mess — it involved a confusing argument that I’d made two requests for different information, ignored that the cost refusal for the first one had been overturned, and said that between the two requests the DCLG had decided to publish the information asked for in the second request anyway.

Plus, they hadn’t really addressed the issue of redacting small numbers.

So I appealed the decision notice to the First Tier Tribunal, which involves more form-filling.

The ICO then gets a chance to respond, and you then get a chance to respond to its response (this is also the point at which the solicitors get properly involved, and people get really keen on the legal framework).

The FTT was decided on papers, which meant all of the documents go to the panel. The ICO gets responsibility for putting the bundle together, which is usually the case if the other person is an individual representing themselves. Then the tribunal comes to a decision.

The FTT ruled that the DCLG had wrongly relied on both Section 22 (as there was no evidence the DCLG was planning to release the information when I first made my request), and Section 40 as well.

This is the point at which we leave the Section 22 issue as settled, and the case became an argument about Section 40.

My argument about Section 40 that individuals could not be identified from small numbers in the data. I pointed out — based on other published disclosure risk assessments — that it would be impossible for anyone to identify an individual from the numbers, unless they already had very detailed knowledge of a person’s homelessness application. Not only that, but this was historical data — and any risk of identification could only become more remote with the passage of time.

The FTT largely agreed with this approach. The ICO — even after the first tribunal — did not.

Upper Tier Tribunal (UTT)

The ICO appealed the FTT decision to the Upper Tier Tribunal in relation to Section 40.

Their argument was that the FTT had failed to apply the proper legal test when considering Section 40 — basically looking at whether or not the data was personal information per the definition in the Data Protection Act. They also said the FTT should have considered all of the data, and not just an extract, before making a decision; and that it should have asked for further submissions from the Commissioner and/or the DCLG before deciding on Section 40.

The appeal to the UTT involved more argument-making and document-sending. The big difference? Barristers were now involved. And instead of being decided on papers, this one was to be heard in person.

This involved a trip to London to a civil court to argue my case in front of a judge — with a barrister representing the ICO, and me representing myself.

Mostly, this involved listening to the ICOs arguments — which by now I knew back to front — and then making relevant counter-arguments.

Ultimately the UTT’s decision was to dismiss all of the ICO’s grounds for appeal.

It agreed that the FTT had been correct in how it had dealt with the Section 40 exemption; correct in how it considered the legal test; and correct in not requiring more argument from the ICO before reaching its decision.

It took two-and-a-half years, but I won.

Why does this matter?

While decision notices and FTT decisions are useful as a basis for looking at how the FOI act should be applied, it is UTT decisions that set legal precedent.

These type of cases are therefore a guide to how the act is applied in future.

The ruling in my case doesn’t change the test on what is and isn’t personal data — but it does affect how public bodies should apply the test.

For a start, it establishes that they do have to apply a test. They can’t simply suppress small numbers just because it is “policy”, or because of some blanket assumption that any number under five will automatically identify an individual.

They also need to work out whether someone could actually use the data in question, along with other information they have, to identify an individual.

If the chances of someone being identified are “so remote as to be negligible” — as in this case — then the information isn’t personal data.

This is useful for arguing some Section 40 refusals where the information requested is far too unspecific to identify anyone, and there is no other information to allow “jigsaw” identification.

The case also considered how authorities apply a “motivated intruder test”. The previous assumption seems to have been if there was even the slightest possibility of people being identifiable from a dataset, crack investigators would be all over it trying to root them out (and possibly succeeding). Therefore, it was best not to take any risks, and to simply apply Section 40.

The UTT decision suggests that sometimes the “intruder” just isn’t going to be motivated to try — and that if the chances of identifying someone from data is very remote indeed, arguing that a journalist just might pull it off isn’t likely to be enough for Section 40 to apply.

*Claire is still waiting for the MHCLG to send her the data she requested (or for the Commissioner to appeal to the Court of Appeal).