The Information Commissioner's Office (ICO) has recently published a new guidance note on the issues that need to be considered by public authorities when responding to a request for information which includes personal data about employees.
Public authorities may be subject to a request for information under the terms of either the Freedom of Information Act 2000 (FOIA) or the Environmental Information Regulations 2004 (EIR) – with the provisions in the EIR corresponding closely with those found in the FOIA. Though these pieces of legislation provide individuals with a right to access information held by public authorities, there are a number of exemptions to the requirement for public bodies to disclose such information. One of these exemptions applies where the information requested includes personal data related to the public body's employees. In such circumstances, the public body must decide whether disclosure of such information would lead to it being in breach of its obligations under the Data Protection Act.
The new guidance from the ICO indicates that whether disclosure of personal data should be permitted will be based on whether such disclosure is fair and lawful. Factors influencing this decision include the following:
- Does the request concern sensitive personal data? If information contains details relating to an employee's health or sexual life, for example, it is unlikely that the information should be disclosed.
- What would be the consequences of disclosure? In considering this issue, public authorities should look into the likelihood that the employees concerned would regard the disclosure as an invasion of their privacy.
- What are the reasonable expectations of the employees concerned? This factor requires the public body to look at the employee's level of seniority within the authority, and whether their role is public facing.
- As an overall consideration, how will the disclosure of employees' personal data affect the balance between the requesting individual's legitimate interest in the disclosure, and the rights and freedoms of the employees affected by the disclosure?
The ICO has also provided information on how public bodies should deal with requests for particular types of information relating to employees, such as information relating to salaries and bonuses for public officials, details of severance payments made to employees and organisational charts showing employment structures within public bodies. The ICO has recommended that public authorities establish an internal policy on the disclosure of personal data, to which they can refer when considering requests for information, and which can be reviewed by employees interested in forming a view on what information may be released about them. The guidance also provides a reminder that any requests by employees for their own information should be dealt with as subject access requests under the Data Protection Act.