Insights Upper Tribunal finds that “small data” was not exempt from disclosure under s 40(2) of Data Protection Act 1998 in relation to a freedom of information request

The Upper Tribunal Administrative Appeals Chamber has rejected an appeal brought by the Information Commissioner in relation to a First Tier Tribunal (FTT) decision, which found that “small data”, i.e. data concerning five or fewer individuals or households, was not exempt from disclosure under s 40(2) of the DPA in respect of a freedom of information request made under the Freedom of Information Act 2000.

The data in question concerned evidence about homelessness between 2009 and 2012, which had not been published by the Department for Communities and Local Government (DCLG).

A request for disclosure under the FOI Act was made, but the DCLG refused to disclose it. The matter went to the FTT, which found that the “small data” information did not constitute “personal data”, as defined by s 1(1) of the DPA, and so was not exempt from disclosure under s 40(2). The Information Commissioner appealed to the Upper Tribunal.

The Information Commissioner argued, amongst other things, that in concluding that the small numbers information did not constitute personal data the FTT had failed to apply the correct legal test, made a number of errors of analysis in its reasoning and had failed to give adequate reasons.

The Upper Tribunal disagreed, finding that the FTT had identified the relevant issue, which was whether the data was in a sufficiently anonymous form that it would not be possible to identify a living individual from not only the data in question, but also other information “which is in the possession of, or likely to come into the possession of, the data controller”. The FTT had also assessed the risk, on publication of the data, of a member of the public identifying any individual on the basis of that data along with data other than that which was in the possession of the data controller.

The FTT had therefore addressed substantively the correct question: what were the chances of an individual being identified? This was the correct focus, the Upper Tribunal said, particularly given the relevant case law and the approach in the Information Commissioner’s Code of Guidance that “the risk of identification must be greater than remote and reasonably likely”.

The Upper Tribunal was satisfied that the FTT had subjected the materials to appropriate scrutiny. The FTT did not specifically mention the “motivated intruder”, but it had considered exactly what a person would need to know in order to identify an individual. It had found that, given the passage of time, they would also need to know “very specific details about their circumstances at that point in time”.

The Upper Tribunal also rejected the Information Commissioner’s argument that individuals could be identified by cross-referencing the “small data” in two sections of the spreadsheets, finding that the chance of a member of the public being able to identify the household and its members from the data was “so remote as to be negligible”. In the Upper Tribunal’s view, it was “quite fantastical” to suppose that, several years later, there would be anyone sufficiently motivated to try to identify an individual to which the data related. Even if, which was unlikely, there might have been some interest in the data at the time, there was no basis for thinking that it would be of interest to anyone several years later. The appeal was dismissed. (The Information Commissioner v Miller [2018] UKUT 229 (AAC) (12 July 2018) — to read the judgment in full, click here).

Expertise