Legal framework
Personal data
The relevant parts of s 40 of FOIA (in force at the relevant time) provide:
“(5B) The duty to confirm or deny does not arise in relation to other information if or to the extent that any of the following applies –
(a) giving a member of the public the confirmation or denial that would have to be given to comply with section 1(1)(a) -
(i) would (apart from this Act) contravene any of the data protection principles, ...
…
(7) In this section –
“the data protection principles” means the principles set out in—
(a) Article 5(1) of the UK GDPR, and
(b) section 34(1) of the Data Protection Act 2018;”
Section 40(5B) relates to an absolute exemption (section 40(3A)(a)) and the public interest balance accordingly does not apply.
Personal data is defined in section 3 of the Data Protection Act 2018 (DPA):
“(2) ‘Personal data’ means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).
(3) ‘Identifiable living individual’ means a living individual who can be identified, directly or indirectly, in particular by reference to—
(a) an identifier such as a name, an identification number, location data or an online identifier, or
(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.”
The definition of "personal data" consists of two limbs:
Whether the data in question "relate to" a living individual and
Whether the individual is identified or identifiable, directly or indirectly, from those data.
The data protection principles are set out in Article 5(1) UK GDPR. The first principle provides that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. Article 6(1) UK GDPR provides that processing shall be lawful only if and to the extent that at least one of the lawful bases for processing listed in the Article applies.
The most relevant basis here is article 6(1)(f):
Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The case law on article 6(1)(f)’s predecessor established that it required three questions to be answered, which we consider are still appropriate if reworded as follows:
Is the data controller or a third party pursuing a legitimate interest or interests?
Is the processing involved necessary for the purposes of those interests?
Are the above interests overridden by the interests or fundamental rights and freedoms of the data subject?
Lady Hale said the following in South Lanarkshire Council v Scottish Information Commissioner [2013] 1 WLR 2421 about article 6(f)’s slightly differently worded predecessor:
... It is well established in community law that, at least in the context of justification rather than derogation, ‘necessary’ means ‘reasonably’ rather than absolutely or strictly necessary .... The proposition advanced by Advocate General Poiares Maduro in Huber is uncontroversial: necessity is well established in community law as part of the proportionality test. A measure which interferes with a right protected by community law must be the least restrictive for the achievement of a legitimate aim. Indeed, in ordinary language we would understand that a measure would not be necessary if the legitimate aim could be achieved by something less. ...
[2025] UKFTT 01129 (GRC)