James Combes – Court Ruling (United Kingdom, 2026)

On November 2024, a person (the requestee) made a request under the Freedom of Information Act 2000 to Kent County Council, the controller, concerning candidates who sat the Kent Test in September 2024. The requestee requested, for each candidate, the raw scores and standardised scores in English, Maths and Reasoning, together with the candidate’s date of birth. The request included anonymisation safeguards. In particular, the requestee asked the controller to exclude any results where fewer than five children shared the same date of birth and to remove candidates outside the normal cohort age range. The controller refused the request. It relied on section 40(2) FOIA, arguing that disclosure would involve the unlawful processing of third-party personal data. In particular, the controller considered that the combination of scores and dates of birth could allow the data subjects to be identified, including by parents or children who already knew some information about a candidate’s score or date of birth. The apellant requested an internal review. The controller upheld its refusal, stating that many combinations of raw scores, standardised scores and dates of birth were unique or occurred very infrequently. It concluded that disclosure would breach the principle of lawfulness, fairness and transparency under Article 5(1)(a) UK GDPR. The apellant then complained to the Information Commissioner, the DPA. The DPA found that the controller was entitled to rely on section 40(2) FOIA. The DPA considered that the requested information could constitute personal data because, when combined with existing knowledge held by certain individuals, it could allow individual children to be identified. The DPA further found that, although there was a legitimate interest in transparency and oversight of the Kent Test, disclosure would be an unwarranted interference with the rights and freedoms of the data subjects. It therefore concluded that Article 6(1)(f) UK GDPR could not be relied