Correspondence exchanged between the Compliance Officer and complainants

On a small introductory point, please note that the current version of the procedures is the Third Edition January 2015, although this does not make any material difference to the passage you have quoted.

The information that you have requested is almost entirely personal data under the terms of the Data Protection Act 1998 (DPA), as it is information about MPs, their staff, family members, the complainants themselves and/or other third parties. As such, we are required by the DPA to consider whether or not it would be fair and lawful to disclose this information. We do not believe it would be ‘fair’ – as required by the 1st Data Protection Principle under the DPA – to disclose this information. We have briefly outlined our views for this conclusion below.

In handling complaints we must act in accordance with the Parliamentary Standards Act 2009 (PSA). The Act requires IPSA to set procedures for the Compliance Officer’s handling of investigations (section 9A of PSA), including what information to publish. These are the “Procedures for Investigations by the Compliance Officer for IPSA”, as referred to above and a copy of which can be found on our website. The procedures balance the legitimate interests of the public in transparency and accountability with the rights and freedoms (including as to data protection and privacy) of MPs and other third parties whom the Compliance Officer receives personal information about.

The procedures provide that upon receiving a complaint the Compliance Officer should carry out an assessment of the circumstances to determine whether or not an investigation should be conducted (paragraph 8). Paragraphs 9 and 10 of the procedures then state:

9. Where the Compliance Officer decides that a request or complaint is not valid or not to initiate an investigation, he or she shall notify the person making the complaint or request of this decision. Unless there are exceptional reasons not to, the Compliance Officer shall include in this notification the reasons for the decision not to proceed. Where appropriate, the Compliance Officer shall send a copy of this notification to the MP concerned and IPSA.

10. Where the Compliance Officer decides to initiate an investigation, he or she shall notify the MP concerned, IPSA and the complainant (if any). The notification shall set out a summary of the scope of the matters to be investigated and be sent to all persons at the same time.

Where the Compliance Officer considers that an investigation should be conducted, paragraph 27 of the procedures specifies the documents from the investigation that must be published (which include the notification provided for in paragraph 10 above). The procedures only specify that information shall be published where an investigation is conducted. They do not state that any information will be published where an assessment is carried out which concludes that an investigation is not warranted. The PSA also does not provide for any information to be published where no investigation is conducted. Consequently it is not in the reasonable expectations of MPs or any other third parties involved in a complaint as data subjects that their personal data will be disclosed under FOIA to the world at large.

It is recognised that there is a legitimate interest in the public knowing about the operation of the regulation of the MPs’ expenses Scheme, given the public profile of the individuals involved, their public and civic duties and the recent publicised concerns as to MPs expenses. However, in our view, the potential prejudice incurred is likely to outweigh any legitimate interests in disclosure. Such interests are largely or entirely satisfied by the information that is published in accordance with the procedures, in our annual report and in the anonymised information we publish about complaints, which we will now be routinely publishing on a quarterly basis. This anonymised information includes summaries of the allegations made in the complaint and of the Compliance Officer’s reasons for not opening an investigation. Any person may review this summary complaint information, and if he or she wishes ask follow up questions and/or make freedom of information requests of the Compliance Officer about a specific complaint. If in doing so they, for example, provide fresh reasons as to why there is a particular public interest in further information being published about the complaint then the Compliance Officer would of course consider the merit or otherwise of those reasons as against the privacy and data protection rights of individuals and may determine that they gave sufficient cause to provide some or all of the information requested (either in accordance with the provisions of FOIA or separately if the request is outside FOIA). This mechanism provides an appropriate balance between transparency and accountability in relation to the Compliance Officer’s exercise of his complaint handling function, and the data protection and privacy rights of third parties that the Compliance Officer receives personal information about.

In our view, the exemption at section 40(2) of FOIA applies to almost all of the information requested. As you will appreciate, a material amount of information is already in the public domain with regard to MPs’ personal and professional circumstances, either nationally or locally in their constituencies. We have taken into account therefore that publically available information would enable identification of one or more individuals from the requested information even if we were to redact the names of MPs or other third parties. We have also considered whether it would be possible to provide the small amount of information that is not personal data, in an anonymised form by partial redaction. In our view, however, there would be so little unredacted as to render that disclosed meaningless and of no real benefit. In our view, it would be unfair to the data subjects to disclose the personal data, which constitutes the correspondence requested. Section 40(2) provides that personal information about third parties is exempt information if disclosure would breach any of the data protection principles in the DPA. This includes the fair processing principle (Principle 1) of the DPA, where it would be unfair to those persons.

For your reference, further information on personal data and its relationship with FOIA can be found via ICO guidance.

Further information

Download the original PDF version of this Freedom of Information response.