ICO – Complaint Upheld (United Kingdom, 2020)

The complainant has requested information relating to the data analysis reports produced for the Pay Consistency Panel (PCP) and the pay progression assessments that were revised. The ICO disclosed some information but refused to disclose the remainder, citing sections 22 and 40 of the FOIA. he complainant requested an internal review on 12 September 2019in relation to question. He stated that he asked for each interation of the report produced for the PCP, not each one presented to it. Therefore, all three interations fall within the scope of his request. The complainant also disputed the application of the exemptions cited. During the Commissioner investigation, the ICO withdrew its application of section 22 and disclosed the withheld information to the complainant. It however still remained of the opinion that section 40 applied to a small amount of information. Did the ICO lawfully withhold the information falling within section 40 FOIA? The Commissioner revoked the GDPR and went through some steps to assess the lawfulness. First, it found that the requested information constitutes personal data according to Section 3(a) of the DPA. Then, it said that in order for the processing to be lawful according to Article 5(1)(a) GDPR, then one of the legal basis of Article 6 GDPR should apply. It considered that the most applicable basis is legitimate interests of Article 6(1)(f) and it carried out the common three-step-test (legitimate interest-necessity-balance). While acknowledging that there is legitimate interest for the disclosure and that it can be considered "necessary", this cannot outweigh the data subjects’ fundamental rights and freedoms. The Commissioner therefore considers that there is no Article 6 basis for processing and so the disclosure would not be lawful. Thus, the Commissioner considers that she does not need to go on to separately consider whether disclosure would be fair or transparent. Finally, the Commissioner’s decision is that the ICO