Introduction

The case of The Information Commissioner v. Miller ([2018] UKUT 229 (AAC)) addressed critical issues concerning the application of the Freedom of Information Act 2000 (FOIA) in the context of personal data exemptions. This judgment, delivered by Upper Tribunal Judge K Markus QC, examined whether certain homelessness-related data held by the Department for Communities and Local Government (DCLG) could be disclosed under FOIA or whether it fell under absolute exemptions due to personal data protections.

The appellant, Ms. Miller, sought access to historical homelessness data for the financial years 2009/10, 2010/11, and 2011/12. The DCLG refused her request, invoking FOIA sections 12, 22, and notably section 40(2), which concerns exemptions related to personal data. Ms. Miller challenged this refusal, leading to an appellate process that ultimately culminated in the dismissal of her appeal by the Upper Tribunal.

Summary of the Judgment

The Upper Tribunal upheld the First-tier Tribunal's decision to dismiss Ms. Miller's appeal against the DCLG's refusal to disclose the requested homelessness data. The core issue revolved around whether the data constituted "personal data" under the Data Protection Act 1998 (DPA) and, consequently, fell under the absolute exemption provided by FOIA section 40(2).

The First-tier Tribunal (FTT) concluded that the requested "small data"—data concerning five or fewer individuals or households—did not amount to personal data as defined by the DPA. Consequently, it was not exempt from disclosure under section 40(2). However, the Information Commissioner appealed this aspect to the Upper Tribunal, challenging the FTT's interpretation and application of the legal tests for anonymisation and personal data classification.

Upon review, the Upper Tribunal affirmed the FTT's reasoning, rejecting the Information Commissioner's arguments. The Tribunal emphasized the adequacy of the anonymisation measures employed by the DCLG and concluded that the risk of identifying individuals from the disclosed data was negligible.

Analysis

Precedents Cited

The judgment extensively referenced pivotal cases and legal frameworks that informed the Tribunal's reasoning:

• Common Services Agency v Scottish Information Commissioner [2008]: This case established key principles regarding the anonymisation of data and the conditions under which information remains classified as personal data.
• R (Department of Health) v Information Commissioner [2011]: Here, the court delved into the application of anonymisation standards, emphasizing the public's ability to identify individuals using disclosed data.
• Information Commissioner v Magherafelt District Council [2013]: Reinforced the "motivated intruder" test, assessing whether a determined individual could feasibly identify persons from anonymised data.
• Craigdale Housing Association v The Scottish Information Commissioner [2010]: Highlighted the robustness required in anonymisation processes to prevent identification by investigative parties.

These precedents collectively underscored the necessity of rigorous anonymisation to protect individual identities while balancing the public's right to access information.

Legal Reasoning

The Tribunal applied a multi-faceted legal analysis to determine whether the DCLG's refusal to disclose the requested data was justified:

• Definition of Personal Data: Under section 1(1) of the DPA, personal data pertains to information that can identify a living individual directly or indirectly. The FTT evaluated whether the "small data" requested by Ms. Miller met this criterion.
• Motivated Intruder Test: Borrowed from the Information Commissioner's Code of Practice, this test assesses whether a reasonably competent individual with resources could identify persons from the disclosed data combined with other available information.
• Anonymisation Adequacy: The Tribunal scrutinized the DCLG's anonymisation methods, determining whether they sufficiently mitigated the risk of identification.

The FTT, supported by the Upper Tribunal, found that the DCLG's data was adequately anonymised. The presence of small numbers (fewer than five responses) was not enough to render the data personal if additional safeguards prevent identification. The absence of sensitive personal data and the temporal gap further diminished any potential identification risks.

Impact

This judgment sets a significant precedent for future FOIA requests involving anonymised data. By affirming that adequately anonymised data, even when involving small numbers, does not constitute personal data under section 40(2), the Tribunal:

• Clarifies the boundaries of FOIA exemptions concerning personal data.
• Strengthens the standards and expectations for data anonymisation within public bodies.
• Provides clarity on the application of the "motivated intruder" test, reinforcing the need for a balanced approach between transparency and privacy.
• Guides public authorities in formulating their data disclosure policies, ensuring compliance with both FOIA and data protection laws.

Consequently, public authorities may be more confident in releasing anonymised datasets, provided they adhere to the stringent standards affirmed in this case, thereby promoting transparency without compromising individual privacy.

Complex Concepts Simplified

Freedom of Information Act (FOIA) Section 40(2)

FOIA section 40(2) provides absolute exemptions for personal data, meaning such information cannot be disclosed under any circumstances. This protects individuals' privacy by withholding data that could potentially identify them.

Personal Data

Under the Data Protection Act 1998, personal data is any information relating to an identifiable individual. This can include direct identifiers like names or indirect identifiers that, when combined with other data, can reveal an individual's identity.

Anonymisation

Anonymisation involves removing or altering personal identifiers from data sets so that individuals cannot be readily identified. Effective anonymisation ensures that even motivated individuals cannot deduce the identities of those to whom the data pertains.

"Motivated Intruder" Test

This test assesses whether a determined person with reasonable resources could identify individuals from a data set. If such identification is possible, even indirectly, the data is considered personal data and thus falls under FOIA section 40(2) exemptions.

Conclusion

The Upper Tribunal's decision in Information Commissioner v Miller reinforces the importance of robust anonymisation practices in the context of public data requests. By upholding the dismissal of Ms. Miller's appeal, the Tribunal clarified the application of FOIA section 40(2), emphasizing that adequately anonymised data, even in small numbers, does not qualify as personal data exempt from disclosure.

This judgment serves as a critical reference for both public authorities and individuals seeking access to information. It delineates the boundaries between transparency and privacy, ensuring that while the public's right to information is respected, individuals' privacy remains safeguarded. Moving forward, entities subject to FOIA must diligently apply anonymisation standards to facilitate data sharing without infringing on personal privacy rights.