UK case law

Lawrence Dunhill v The Information Commissioner & Anor

[2025] UKFTT GRC 1433 · First-tier Tribunal (General Regulatory Chamber) – Information Rights · 2025

Get your free legal insight →Email to a colleague
Get your free legal insight on this case →

The verbatim text of this UK judgment. Sourced directly from The National Archives Find Case Law. Not an AI summary, not a paraphrase — every word below is the original ruling, under Crown copyright and the Open Government Licence v3.0.

Full judgment

On considering the written representations of the parties and other documents tabled, the Tribunal unanimously determines that: (1) The appeal is allowed. (2) A substituted Decision Notice is given in the following terms: (i) To the extent that it declined to confirm or deny whether it held information within the scope of the Appellant’s request dated 19 October 2023 (‘the Request’) citing FOIA, ss 40(5B)(a)(i) and 41(2), the Second Respondent was not entitled to do so. (ii) Accordingly, in so far as the Request sought information relating to ‘the PWC review’, the Second Respondent shall, no later than 28 days after the date of promulgation of this substituted Decision Notice, deliver a fresh response satisfying the requirements of FOIA, s1(1)(a). Reasons Introduction and Procedural History

1. We will refer to the Appellant by name, the First Respondent as ‘the Commissioner’ and the Second Respondent as ‘the Trust’.

2. Mr Dunhill is a journalist.

3. On 22 May 2023 the Health Service Journal, an online publication based in London aimed at ‘healthcare leaders’, published a four-page article about the Trust written by Mr Dunhill entitled ‘Exclusive: Trust execs accused of creating a “cult of the individual”’ (‘the HSJ article’). It began with this: Regulators probe series of claims about the leadership culture at Bolton FT Claims include bullying and intimidation of people who raise freedom to speak up Freedom to Speak Up (‘FTSU’) is the Trust’s ‘whistle-blowing’ procedure. concerns Whistleblowers also claim a ‘cult of the individual’ has developed in the executive team Trust says it is working to understand the issues raised The article referred to ‘specific allegations’ about the leadership style of a named senior executive. It also mentioned ‘concerns about governance processes’ which, it was understood, were already the subject of a ‘lessons learned’ review by PwC, a consultancy firm, noting that one matter being reviewed was the handling of the departure of an unnamed senior individual the previous autumn. Another stated concern related to the process of appointing the new Chair (named), who had joined the Trust in April 2024. The point was explicitly made that no findings on the allegations had yet been made. The article went on to set out some comments on behalf of the Trust and quoted from what was said to be a recent message from the CEO to staff stating that allegations had been referred to NHS England and the Care Quality Commission and drawing attention to employees’ right to raise concerns under the FTSU procedure. In these proceedings, Mr Dunhill identified the message as an email of 16 May 2023. It seems that the Trust does not admit the authenticity of the document (although making no positive case to the contrary) and says that even if it is genuine it was leaked unlawfully to him.

4. On 19 October 2023 Mr Dunhill submitted to the Trust a request for information under the Freedom of Information Act 2000 (‘FOIA’) in the following terms: Copies of all reviews into governance concerns raised by some directors and governing body members since June 2022. These should include a review conducted by PwC, commissioned by the trust. If any words/personal info within the documents are deemed to trigger an exemption, then please redact them and provide the rest of the document, providing a specific justification for each exemption. We will refer to it as ‘the Request’.

5. On 16 November 2023 the Trust responded to the request in the following terms: The Trust confirms that it holds information falling within the scope of this request. However, the Trust is unable to confirm or deny whether any review conducted by PwC is held, on the basis that to do so would be likely to result in the release of personal data about an identifiable individual in breach of the data protection principles contained within Article 5 of the UK GDPR, and the Trust is therefore exempt from the obligation to confirm or deny whether such information is held, pursuant to section 40 (5B)(a)(i) of the Freedom of Information Act 2000 . Likewise, the Trust is also exempt from the duty to confirm or deny whether this review is held by virtue of section 41(2) of the Freedom of Information Act. In particular, the Trust refers to the article “Exclusive: Trust execs accused of creating a “cult of the individual”” published by the Health Service Journal on 22 May 2023. This refers to a PwC report in the context of a number of matters which would amount to the personal data of identifiable individuals and matters where the Trust would owe an obligation of confidentiality to individuals, and confirming whether any such PwC report as requested was held would be likely to be seen as verification of the matters contained within that article. More generally, the reviews requested are exempt from disclosure on the basis that the subject matter of the reviews is closely connected to specific individuals to the extent that release of the reports would amount to a disclosure of personal data relating to third parties into the public domain and would also involve releasing information where the Trust owes the individuals concerned a duty of confidentiality. Accordingly, the Trust has concluded that release of the information requested would result in a breach of the data protection principles and a breach of the duty of confidence owed to individuals and therefore the information is exempt pursuant to sections 40(2) and (3A) and 41(1) of the Freedom of Information Act. In reaching this conclusion, the Trust has considered whether disclosure of the information about individuals would be fair and lawful and when making this assessment, has considered the increased duties of transparency and accountability and the reduced expectations of privacy that apply with increasing seniority within the organisation, and the public interest in transparency and accountability in the Trust’s management of its affairs. As part of this, the Trust has considered whether it would have a public interest defence to any allegations of breach of confidence that might be made following release of the requested information. However, the nature of the information is such that the Trust is satisfied that disclosure would still be a breach of the data protection principles and that it would not have a defence to a claim for breach of confidence by others.

6. On 19 November 2023 Mr Dunhill challenged the response and invited the Trust to review it, submitting in support what purports to be a copy of the email of 16 May 2023 (already mentioned). On 13 December 2023 the Trust maintained its position.

7. On 7 January 2024 Mr Dunhill complained to the Commissioner.

8. Following an investigation, the Commissioner issued a Decision Notice dated 25 April 2024 (‘the DN’), upholding what he characterised as the Trust’s reliance on s40 (5B)(a)(i) to neither confirm nor deny that the information sought was held. In light of that ruling, he did not address the question whether the information requested was itself exempt.

9. On 25 April 2024 Mr Dunhill presented a notice of appeal challenging the Commissioner’s adjudication.

10. Having been joined as Second Respondent, the Trust served open and closed responses to the appeal on 5 June 2024.

11. On 6 June 2024 the Commissioner presented a response to the appeal.

12. Pursuant to an Order of Judge Buckley dated 8 August 2024, the Trust on 19 August 2024 delivered an open summary or gist of its confidential submissions to the Commissioner of 17 April 2024. The document records in terms that: ‘Copies of the information falling within the scope of the request were supplied to the Commissioner’.

13. Also in conformity with the Order of Judge Buckley of 8 August 2024, the Commissioner delivered brief submissions dated 23 August 2024 on the scope of the appeal, which stressed that the sole issue for decision was whether confirmation or denial that the requested information was held by the Trust would constitute disclosure of third party personal data in breach of the first data protection principle, and that the Tribunal was not being asked to determine whether disclosure of the requested information, if held, would be unlawful.

14. The appeal came before us for consideration on paper, the parties being content for it to be determined without a hearing. We were satisfied that it was just and in keeping with the overriding objective to proceed in that manner. See the First-tier Tribunal (General Regulatory Chamber) Rules 2009 (as amended), rule 2.

15. We had before us open and closed bundles of 79 and 110 pages respectively. These included open and closed witness statements in the name of Sharon Emmah Katema, the Trust’s Director of Corporate Governance and Trust Secretary, both dated 20 September 2024. No other witness evidence was produced. The Law The right to information

16. FOIA, s1 includes: Unless otherwise stated, all references to section numbers hereafter are references to FOIA. (1) Any person making a request for information to a public authority is entitled– (a) to be informed in writing by the public authority whether it holds information of the description specified in the request, and (b) if that is the case, to have that information communicated to him. ‘Information’ means information recorded in any form (s84).

17. The obligation under s1(1)(a) is known as ‘the duty to confirm or deny’ (s1(6)). Personal information – s40

18. By s40 it is provided, so far as material, as follows: (1) Any information to which a request for information relates is exempt information if it constitutes personal data of which the applicant is the data subject. (2) Any information to which a request for information relates is also exempt information if – (a) it constitutes personal data which does not fall within subsection (1), and (b) the first, second or third condition below is satisfied. (3A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act – (a) would contravene any of the data protection principles … … (5B) The duty to confirm or deny does not arise in relation to other information if or to the extent that any of the following applies – (a) giving a member of the public the confirmation or denial that would have to be given to comply with section 1(1)(a) – (i) would (apart from this Act ) contravene any of the data protection principles … The language and concepts of the data protection legislation are translated into the section ( s40(7) ).

19. The exemption under s40(2) is unqualified where the first condition under s40 (3A)(a) is satisfied. Accordingly, no public interest balancing test applies. Rather, the reach of the exemption is, in some circumstances, limited by the data protection regime. See FOIA, s2(3)(fa).

20. By contrast, the exemption under s40 (5B) is qualified and accordingly subject to the public interest balancing test in accordance with s2(2)(b) (see s2(3)(f) and (fa), which identify the only s40 exemptions which are absolute). In our view, the legislation is entirely clear. See also Coppel on Information Rights , 6 th Ed (2023), at 33-027, f/n 156. The contrary argument on behalf of the Commissioner (response to the appeal, para 36) cites no authority and we reject it.

21. The data protection regime under the Data Protection Act 2018 (‘DPA’) and the General Data Protection Regulation (‘GDPR’) applies to this case.

22. DPA, s3 includes: (2) “Personal data” means any information relating to an identified or identifiable living individual ... (3) “Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to — (a) an identifier such as a name, an identification number, location data or an online identifier … (4) “Processing”, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as — … (d) disclosure by transmission, dissemination or otherwise making available … (5) “Data subject” means the identified or identifiable living individual to whom personal data relates.

23. GDPR, Article 5 sets out the data protection principles. It includes: Personal data shall be:

1. processed lawfully, fairly and in a transparent manner in relation to the data subject …

24. Article 6, so far as material, provides:

1. Processing shall be lawful only if and to the extent that at least one of the following applies: … (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

25. The starting-point for the purposes of s40 is that, where they intersect, privacy rights hold pride of place over information rights. In Common Services Agency v Scottish Information Commissioner [2008] 1 WLR 1550 HL, Lord Hope reviewed the legislation, including the EU Directive on which the domestic data protection legislation is founded. At para 7 he commented: In my opinion there is no presumption in favour of release of personal data under the general obligation that FOISA The proceedings were brought under the Freedom of Information ( Scotland) Act 2000 , but its material provisions do not differ from those of FOIA. lays out. The references which that Act makes to provisions of [the Data Protection Act] 1998 must be understood in the light of the legislative purpose of that Act , which was to implement Trust Directive 95/46/EC. The guiding principle is the protection of the fundamental rights and freedoms of persons, and in particular their right to privacy with respect to the processing of personal data …

26. It is well-established that case-law under the pre-2018 data protection regime can safely be treated as a guide to interpreting the new law. Three principles are noteworthy in the present context. First, ‘necessary’ means reasonably necessary and not absolutely necessary: South Lanarkshire Trust v Scottish IC [2013] UKSC 55 . But in order for something to be ‘necessary’ there must be no other reasonable means of achieving it: IC v Halpin [2020] UKUT 29 (AAC) . Second, ‘necessity’ is part of the proportionality test and requires the minimum interference with the privacy rights of the data subject that will achieve the legitimate aim in question: R (Ali & another) v Minister for the Cabinet Office & another [2012] EWHC 1943 (Admin) , para 76. Third, in carrying out the balancing exercise, it is important to take account of the fact that disclosure under freedom of information legislation would be to the whole world and so, necessarily, free of any duty of confidence: Rodriguez-Noza v IC and Nursing & Midwifery Trust [2015] UKUT 449 (AAC) , para 23. Information provided in confidence – s 41

27. FOIA, s41 provides (materially): (1) Information is exempt information if – (a) It was obtained by the public authority from any other person … and (b) the disclosure of the information to the public (otherwise than under this Act ) by the public authority holding it would constitute a breach of confidence actionable by that or any other person. (2) The duty to confirm or deny does not arise if, or to the extent that, the confirmation or denial that would have to be given to comply with section 1(1) (a) would (apart from this Act ) constitute an actionable breach of confidence. The Tribunal’s powers

28. The appeals are brought pursuant to FOIA, s57. The Tribunal’s powers in determining the appeal are delineated in s58 as follows: (1) If on an appeal under section 57 the Tribunal consider – (a) that the notice against which the appeal is brought is not in accordance with the law; or (b) to the extent that the notice involved an exercise of discretion by the Commissioner, that he ought to have exercised his discretion differently, the Tribunal shall allow the appeal or substitute such other notice as could have been served by the Commissioner, and in any other case the tribunal shall dismiss the appeal. (2) On such an appeal, the Tribunal may review any finding of fact on which the notice in question was based. Analysis The Request for information other than information relating to the PWC review Here and below we refer to ‘the PwC review’ purely for brevity and convenience. In doing so, we should not be taken to imply a finding that PwC was commissioned to carry out a review, that a review was carried out, that a report resulted, or that a report was held by the Trust, on the date of the Request or on any other date.

29. This is an unusual appeal. The Commissioner’s case begins with an elementary error of fact. It treats the Trust as having given an NCND response to the entirety of the Request when it did no such thing. As we have recorded, it accepted in terms in the first sentence of its response that it held some of the information requested. The information requested was ‘all reviews into governance concerns raised … since June 2022’. The NCND response was limited to the PwC review. In other words, the response unambiguously admitted that it held relevant material save that, in relation to the PwC review alone, it gave an NCND response.

30. Two consequences flow from the Commissioner’s error. First, he did not engage with the Trust’s grounds for resisting disclosure of so much information as it admitted holding. Second, much of his written case on the validity (or invalidity) of the plea of NCND makes little sense because it is based on the mistaken premise that the Trust applied it to the totality of the Request rather than to just one element of it.

31. Instead of engaging with the Commissioner’s error and seeking to correct it, the Trust, in its written case, ignored it. We do not speculate on whether that omission was accidental or tactical.

32. Mr Dunhill is not to be faulted for being (unlike the other parties) without professional representation, but the consequence is that his case largely misses the point that the Commissioner has not grappled with the substantive grounds put forward by the Trust for resisting disclosure. The appeal is against the DN and, given the Commissioner’s approach, there is no decision relating to the merits of the request with which we can engage. The Request in so far as it relates to the PWC review: the Trust’s position

33. In relation to the request for disclosure of the PwC review, the Trust’s response is clear in refusing to confirm or deny whether that information was held by it on 16 November 2023. Its justification is that any answer other than NCND ‘would be likely to result in verification of the accuracy of the [HJS article]’ (response to the appeal, para 2(c)).

34. The Trust’s argument that a ‘confirm or deny’ answer would ‘result in verification of the accuracy of the HJS article’ is, in our view, entirely unconvincing. Engaging consultants does not imply admission of wrongdoing. The report (if one exists) might acquit the organisation entirely. It might find serious problems and recommend root and branch changes. It might alight somewhere in the middle ground. But making public the bare fact (if it is a fact) that a report had been received not later than about five months after it was ordered would reveal nothing apart from the fact that an unremarkable administrative process appeared to have been followed in response to certain complaints and allegations against the Trust and its leadership. The Request in so far as it relates to the PWC review: the Commissioner’s position

35. In the DN, paras 31-34, the Commissioner listed three grounds for upholding the Trust’s plea of NCND. First, a ‘confirm or deny’ response would reveal that an identifiable individual had (or had not) been subject to a review. Second, disclosure would reveal personal data which the data subject would have been entitled to expect to be treated as confidential. Third, the exemption is absolute and the public interest balancing test is not applicable. Accordingly, the (admitted) legitimate interest of the Appellant is not sufficient to outweigh the data subjects’ fundamental rights and freedoms. In his response to the appeal, the Commissioner also adopted the Trust’s argument that a ‘confirm or deny’ response would convey implicit verification of the allegations on which the HSJ article was based (para 34).

36. The Commissioner’s first point is valid as far as it goes. But, as we will endeavour to show in setting out our own analysis, it does not go very far. The second point seems to us unfounded. We do not accept that any identifiable individual would have had an expectation that the Trust would keep confidential the fact that, on a particular date, it did, or did not, hold a particular report. The third point is, we think, simply wrong. As we have said, on our understanding of the law, the exemption under FOIA, s40 (5B)(a)(i) is qualified and the public interest balancing test applies. It may well be that, applying the correct legal test, the Commissioner would have reached a different conclusion. As to the ‘implicit verification’ argument, we cannot usefully add to what we have already said above. The Request in so far as it relates to the PWC review: the Tribunal’s analysis

37. The first question is whether the information in issue (if held) amounted to personal data (DPA, s3(2)). The answer is yes. The information is that which would be divulged by a reply to the Request which confirmed or denied that the Trust held the PwC review concerning governance of the Trust and at least one member of its senior leadership, who would probably be identifiable given in particular the context of the published HSJ article.

38. Would providing a ‘confirm or deny’ response be unlawful as contravening any of the data protection principles ( s40 (5A)(a)(i))? The relevant data protection principles are those provided for under GDPR, Article 5.1 and Article 6.1(f). The legislation sets a three-part test (see the judgment of Baroness Hale DP in the South Lanarkshire Trust case, para 18), which we will consider in stages.

39. The threshold question is whether, at the time of the request, Mr Dunhill was pursuing a ‘legitimate interest’. In agreement with the Commissioner (DN, paras 23-27), we are in no doubt that he was. He was seeking to investigate a matter of general interest and concern relating to the inner workings of an important public body. In doing so, he was promoting the broad public interest in transparency and accountability in the nation’s public services. His request to be told if the PwC review was held was a rational step in pursuit of these interests.

40. Given a legitimate interest, the question whether any processing of personal data is ‘lawful’ next engages the issue of ‘necessity’. Since we are faced with a challenge to a NCND response, the question is whether confirmation that the PwC review was or was not held at the time of the request, was necessary ( ie reasonably necessary) for the purposes of the legitimate interests which Mr Dunhill has established. Here again, we find ourselves in agreement with the Commissioner. Provision of a ‘confirm or deny’ answer is ‘necessary’ for the purposes of the legitimate interest being pursued. It has not been suggested that there was any less intrusive means of furthering the relevant interest and, as we will shortly explain, we consider compliance with the s1(1) (a) duty far from intrusive in any event.

41. The third stage of the test requires us to inquire whether processing would be unwarranted because of overriding interests or fundamental rights of the data subject(s) which require protection. Although (as we have noted above) there is a natural bias in favour of privacy rights in this context, we are in no doubt that the balance comes down in favour of Mr Dunhill. We have several reasons.

42. In the first place, we think it important to repeat that we are concerned only with the NCND response. To what extent would a requirement to answer the question whether the PwC review was held be liable to prejudice the privacy rights of relevant individuals? In our view, given our reasoning (already explained) that, as a matter of principle, the fact of an investigation having been commissioned carries with it no implicit verification of any complaint or allegation, we are not persuaded that any realistic risk of prejudice is made out.

43. Second, the weakness of the Respondents’ protestations about prejudice becomes all the more obvious when one reflects on the facts and information already admitted or otherwise in the public domain (in particular, that complaints and allegations have been raised, ‘reviews’ (plural) have been conducted and relevant recorded information was held at the time of the request). In this context it is not at all easy to discern a risk of prejudice arising from a requirement for the Trust to disclose the small detail of whether, at the date of the Request, it held, or did not hold, recorded information relating to one particular review.

44. Third, the elementary point is made that disclosure under FOIA is disclosure to the whole world. But the potential reach of disclosure is of very little consequence here. What matters, in the context of a debate limited to the legitimacy of a plea of NCND, is how narrow the area of dispute is. The focus needs to be on the value of the disputed information (only the answer to the question whether the PwC review was held on the relevant date) and the potential prejudice to privacy rights which its release to the world might occasion. We struggle to think of information less calculated to prejudice privacy rights.

45. Fourth, we have looked to the two Respondents in vain for any convincing arguments on prejudice. The Commissioner weighs Mr Dunhill’s arguments and (rightly, we think) finds substance in his points on ‘legitimate interest’ and ‘necessity’ but ends with the bald assertion that privacy interests prevail, seemingly relying wholly or in large part on the erroneous contention that the exemption under s40 (5B(a)(i) is absolute rather than qualified. The Trust’s sparse response to the appeal rests its resistance very largely on the ‘implicit verification’ argument, to which we do not need to return.

46. In conclusion, we are satisfied to a high standard that, despite the structural bias in favour of privacy rights over information rights in any interplay between the two, the proper application of s40 (5B)(a)(i) read alongside GDPR, Articles 5.1 and 6.1(f) in the instant case dictates that the exemption under the former yields to the powerful competing factors under the latter.

47. This being our view, we prefer not to engage with the intellectual gymnastics which would be involved in factoring in the public interest balancing test under s2(1)(b) which, if it added anything in the present context, would tilt the balance further in Mr Dunhill’s favour. The Trust’s reliance on s41 – information provided in confidence

48. It seems to us that, for present purposes, the subject of s41 falls away at once because we are seized of an appeal against a decision of the Commissioner and he made no adjudication relating to s41.

49. In any event, we place on record that, although the Trust did, in its response, cite s41(2) (an absolute exemption) as a further ground entitling it to plead NCND, its bare case before us contained no legal argument, let alone evidential foundation, on which to rest the implicit contention that confirmation or denial that it held material relating to the PwC review would constitute an actionable breach of confidence. In these circumstances, if the issue had been before us we would have held that the exemption was not engaged.

50. Of course, this leaves the Trust free to rely on s41 in any substantive response to the Request relating to the PwC review and to continue to do so in respect of the other information which it has already admitted to holding. Disposal

51. What, then, is the proper outcome of the appeal? In our judgment, the appeal must succeed in relation to the Commissioner’s decision under s40 (5B)(a)(i) so far as it concerns the requested information other than the PwC review. His finding is made in error of law because, quite simply, it does not correspond with the response actually given to the Request. And his startling finding (repeated several times in the DN and in his written case) that the Trust pleaded NCND in respect of all the requested information must be treated as reviewed and reversed under s58(2).

52. As to the Commissioner’s finding that the Trust was entitled to plead NCND to so much of the Request as related to the PwC review, we hold that the Commissioner reached a conclusion which was contrary to law because he misapplied s40 (5B)(a)(i), for the reasons we have given.

53. Where does that leave Mr Dunhill and the Trust? Sadly, more or less where they started over two years ago. The real issue, as to whether the internal reviews should be made public, is still before them. If we may state the obvious, they would be well-advised to get together urgently to find a pragmatic way of resolving this stale and wasteful dispute. We would hope that both sides would approach the matter realistically. We have no view about the underlying merits of the Request and/or response. The fact that Mr Dunhill will very soon have got over the s1(1) (a) hurdle implies nothing about his prospects under s1(1) (b).

54. Failing a private resolution, the Trust must now present a substantive response to the Request in so far as it concerns the PwC review, in accordance with our substituted Decision Notice. If the Trust takes the line it took on 16 November 2023, presumably the contest will resume on the substance of the entirety of the Request and, in the absence of agreement, a further complaint will reach the Commissioner in 2026 and the Tribunal in 2027 (at the earliest). (Signed) Anthony Snelson Judge of the First-tier Tribunal Dated: 28 November 2025