Ministry of Defence – Dismissed (United Kingdom, 2019)

The complainant submitted a request to the Ministry of Defence (MOD) under the UK Freedom of Information Act (FOIA) seeking access to a fax cover sheet sent to the Veterans Welfare Service regarding a claim for payment following the death in service of the complainant’s son. The MOD provided the complainant with a redacted version of the document in question, but sought to withhold the redacted information on the basis of section 40(2) of FOIA, which The complainant challenged the decision before the ICO, in the ICO's capacity under the Freedom of Information Act. Is the information personal data within the meaning of Article 4(1) GDPR? Does a disclosure of personal data under the FOIA fall under Article 6(1)(f) GDPR? The ICO first held, that "the two main elements of personal data are that the information must relate to a living person and that the person must be identifiable." On the "legitimate interest" the ICO applied a three-part test: *Legitimate interest test: Whether a legitimate interest is being pursued in the request for information; *Necessity test: Whether disclosure of the information is necessary to meet the legitimate interest in question; *Balancing test: Whether the above interests override the legitimate interest(s) or fundamental rights and freedoms of the data subject. While balancing legitimate interest in disclosure against data subject’s interest and fundamental rights and freedoms, the Commissioner considered that the public authority would have infringed Articles 5(1)(a) and 6(1)(f) of the GDPR in disclosing this information. It found that the disclosure was not necessary to pursue a legitimate interest and it would have caused unjustified harm to the data subjects. Overall, the interests and rights of the data subjects were likely to override legitimate interest in disclosure. Therefore, the ICO decided that the redacted information is exempt from disclosure on the basis of section 40(2) of FOIA.