Information Comissioner – Court Ruling (United Kingdom, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A UK tribunal ruled that a local council was right to deny a request for the name of an employee involved in a public cycle route project. The council argued that sharing the name would violate data protection rules since the employee did not consent to the disclosure. This decision reinforces the importance of protecting personal information even in public projects.
What happened
The tribunal upheld a local council's decision to refuse a Freedom of Information request for an employee's name.
Who was affected
The individual who requested the information about the employee from the Doncaster Metropolitan Borough Council.
What the authority found
The tribunal decided that disclosing the employee's name would violate data protection principles, as it was considered personal data that required consent.
Why this matters
This ruling emphasizes that personal data must be protected, even when it relates to public information. Organizations should be cautious about sharing employee details to comply with data protection laws.
GDPR Articles Cited
National Law Articles
An individual (“appellant”) made a request to their local council (Doncaster Metropolitan Borough Council - “controller”) under the Freedom of Information Act 2000 (“FOIA”) seeking information on the individual who was responsible for drawing a proposed cycle route. The controller rejected the request for information pursuant to section 40(2) FOIA, stating that the disclosure of information would contravene one of the data protection principles as the employee had not consented to the disclosure and the data would not have been processed in a fair and lawful way pursuant to Article 5(1)(a) GDPR. The appellant sought to argue that the name of the individual who created the public drawing was not considered personal data per Article 4(1) GDPR. The Tribunal held that the controller was correct to rely on the exemption provided in section 40(2) FOIA. Per the Tribunal, a disclosure of personal data following a FOIA request for information would be transmission, dissemination or otherwise making it available and is therefore processing for the purposes of Article 4(2) GDPR. Responses to requests for information under FOIA are published and, as such, are available for the whole world to view; they would not be exclusive to the appellant. To be lawful in accordance with Article 5(1) GDPR, publication must be necessary in the pursuit of the legitimate interest. In Goldsmith International Business School -v- The Information Commissioner and the Home Office [2014] UKUT 563 (ACC); (a) “necessary” means being more than desirable but less than indispensable or absolute necessity and can be summarised as “reasonably necessary”, (b) the test for necessity must be satisfied before consideration of whether the interests or fundamental rights or freedoms of the data subject should override the necessary disclosure and (c) the test of reasonable necessity itself involves the consideration of alternative measures and so a measure would not be necessary if the legitimate aim could
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Information Comissioner in UK
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Information Comissioner - United Kingdom (2023). Retrieved from cookiefines.eu
Last updated: