University of Leicester – Dismissed (United Kingdom, 2019)

The complainant has requested information from University of Leicester about external examiners for the department of engineering between the years 2010 to 2018. The University withheld the information, citing section 40(2) (personal information) of the FOIA. The complainant challenged the decision before the ICO. The Commissioner considers the scope of her investigation to be to establish whether the Universityis entitled to withhold the requested information under section 40(2) of the FOIA. As per the applicability of Article Articles 40(2) FOIA, it must be determined whether the withheld information constitutes personal data and, in the affirmative, whether disclosure of that data would breach any of the data protection principles under the Data Protection Act. According to the ICO the information at stake is personal data. The fact that information constitutes the personal data of identifiable living individuals does not automatically exclude it from disclosure under the FOIA. The second element of the test is to determine whether disclosure would contravene any of the data protection principles. In the present case, the most relevant principle is the one protected under Article 5(1)(a) GDPR: "Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject". The Commissioner considers that the most likely applicable lawful bases is the legitimate interest of the controller under Article 6(1)(f) GDPR. In considering the application of Article 6(1)(f) GDPR in the context of a request for information under FOIA it is necessary to consider the three-part test: (i) legitimate interest, (ii) necessity and (iii) balancing of conflicting interests. The Commissioner accepts that the complainant has (i) a legitimate interest in seeing the requested information and that the disclosure is (ii) necessary for meeting a legitimate public interest. Such interest is to be (iii) balanced against the data subjects’ interest