MLAs Salaries

Information Standards Freedom of Information Response

Our Ref: FoI 30-20

06 August 2020

Freedom of Information Act 2000

I refer to your request under the above legislation:

“For each month since January 2020, please disclose the following:

(1) The names of the MLAs who had some of their salary placed in the 'consolidated fund'; and for each MLA, the amount they placed in that consolidated fund, and

(2) The names of the MLAs who opted to donate to charitable sources through a 'give-as-you-earn scheme'; and for each MLA, the amount donated through this scheme, and the names of the charities/groups/organisations they donated to.”

I am writing to confirm that the Northern Ireland Assembly Commission (“the Assembly Commission”) holds some of the information that you have requested.

The information held cannot be provided for the reasons set out in Appendices A & B. 

You have the right to request that the Assembly Commission formally reviews this decision and if you wish to do so, please write to me at the above address.

If after such an internal review you are still unhappy with the response, you have the right to appeal to the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, who will undertake an independent review.

Yours sincerely

Information Standards and Data Protection Officer

Appendix A

REASON FOR NON-DISCLOSURE

Your request is as to the monthly amounts which may have been paid by Members of the Assembly (MLAs) to the Consolidated Fund from the salaries payable to them, and as to charitable donations which may have been made by MLAs from the salaries payable to them.

The information which you requested is personal data as defined by the Data Protection Act 2018 (2018 Act) and the General Data Protection Regulation (GDPR).[1]  The information which you requested is personal data because it is information relating to one or more identifiable living individuals.

Under section 40 of the Freedom of Information Act 2000 (FOIA) personal data is exempt from disclosure in certain circumstances.[2]

Section 40(2) of the FOIA provides that any information is exempt information if it constitutes personal data of which the applicant is not the data subject and satisfies one of three conditions.

The Assembly Commission is satisfied that one such condition is satisfied.  It is not therefore necessary to consider the other potentially applicable conditions.  The relevant condition is set out at section 40(3A) of the FOIA, and is that:

“… disclosure of the information to a member of the public otherwise than under this Act—

(a) would contravene any of the data protection principles, or

(b) would do so if the exemptions in section 24(1) of the [2018 Act] (manual unstructured data held by public authorities) were disregarded.

Section 40(3A)(b) is not relevant to your request.  The information requested can therefore be disclosed only if to do so would not contravene “any of the data protection principles”.

The relevant data protection principles are set out in Article 5 of the GDPR.  The Assembly Commission is satisfied that only the first principle need be considered in this case.  The first principle, set out at Article 5(1)(a) GDPR, is that:

“Personal data shall be processed fairly and lawfully and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’).

Article 6 GDPR provides more detail on the “lawfulness” principle which is part of Article 5(1)(a).  Article 6 GDPR provides that processing is lawful only if, and to the extent, that one or more of six conditions set out in the Article is satisfied.   Article 6(1) GDPR is modified in respect of requests made under section 40 of the FOIA by subsection 40(8) of that Act.

The Assembly Commission does not consider that your request can be processed in accordance with Article 5(1)(a) GDPR, read with Article 6(1) GDPR as modified by the FOIA.

In particular, the Assembly Commission considers that none of the conditions set out in Article 6(1) GDPR as modified is met in this case. To disclose the information would therefore contravene the first data protection principle.  The Assembly Commission consequently does not consider that the processing of personal data required by your request would be lawful under Article 5(1)(a) GDPR. 

The above analysis may be summarised as follows:  The information sought is personal information of which you are not the data subject. A condition set out at sections 40(3A) – 40(4A) of the FOIA is satisfied.  Pursuant to section 40(2) of the FOIA, the information to which your request relates is exempt information.  

Appendix B

Freedom of Information Act 2000 Extract from Section 40:

“Personal information.

(1) Any information to which a request for information relates is exempt information if it constitutes personal data of which the applicant is the data subject.

(2) Any information to which a request for information relates is also exempt information if—

(a) it constitutes personal data which does not fall within subsection (1), and

(b) the first, second or third condition below is satisfied.

(3A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act—

(a) would contravene any of the data protection principles, or

(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(3B) The second condition is that the disclosure of the information to a member of the public otherwise than under this Act would contravene Article 21 of the GDPR (general processing: right to object to processing).]”

Freedom of Information Act 2000 Extract from Section 40:

“(7) In this section—

“the data protection principles” means the principles set out in—

(a) Article 5(1) of the GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

“data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

“the GDPR”, “personal data”, “processing” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (4), (10), (11) and (14) of that Act).

(8) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.]”

Extract from Article 4 of General Data Protection Regulations:

For the purposes of this Regulation:

(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Extract from Article 5 of General Data Protection Regulations:

“1.  Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

2.  The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’)”

Extract from Article 6 of General Data Protection Regulations:

“1.  Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.”