Decision
Mr Z and Department of Transport
From Office of the Information Commissioner (OIC)
Case number: OIC-140479-H9K9C3
Published on
From Office of the Information Commissioner (OIC)
Case number: OIC-140479-H9K9C3
Published on
Whether the Department was justified in refusing access to records relating to security breaches at Dublin Airport under sections 33(1)(a), 35(1)(a) and 41(1)(a) of the FOI Act
25 June 2024
In a request dated 28 April 2023, the applicant sought access to the following:
• Correspondence between the DAA and Department of Transport and its Ministers about security breaches at the Airport since January 2023.
• Minutes of meetings between the DAA and the Department of Transport and its Ministers about security breaches at the Airport since January 2023, and
• any related briefing notes, correspondence or documents.
He indicated that the period covered by his request was 1 January 2023 to the date of his request. On 18 May 2023, the Department refused access to the six records it identified as relevant to the request, under section 33(1)(a) of the Act. On 19 May 2023, the applicant sought an internal review of that decision. On 7 July 2023, the Department affirmed its refusal of the request under section 33(1)(a) and also cited 35(1)(a) in support of its refusal of a number of the records. On 13 July 2023, the applicant submitted an application for review to this Office.
During the course of this review, the Department drew this Office’s attention to a recent judgement handed down by the European Court of Justice (CJEU) concerning the confidentiality of information regarding “occurrences” relating to aviation safety in Europe. Having regard to that judgment, the Investigator notified the applicant of the potential relevance of section 41(1)(a) of the Act to the request and invited further submissions, which were duly made.
I have now completed my review in accordance with section 22(2) of the FOI Act. In carrying out my review, I have had regard to the correspondence between the applicant and the Department as outlined above and to the correspondence between this Office and both parties on the matter. I have also examined the records at issue. I have decided to conclude this review by way of a formal, binding decision. In referring to the records at issue, I have adopted the numbering system used by the Department in the Schedule of Records it provided with its decisions on the request.
I note that record 6 was created after the applicant submitted his request. Accordingly, I am satisfied that it is not captured by the scope of his request and I will give it no further consideration. Accordingly, this review is concerned solely with whether the Department was justified in refusing access, under sections 33(1)(a), 35(1)(a) and/or 41(1)(a) of the FOI Act, to the five remaining records relating to security breaches at Dublin Airport.
It is important to note that a review by this Office is considered to be “de novo”, which means that in this case, it is based on the circumstances and the law as they pertain at the time of the decision and is not confined to the basis upon which the FOI body reached its decision. Accordingly, in light of the “de novo” nature of our reviews, I deem it appropriate to consider the applicability of section 41(1)(a), notwithstanding the fact that it was not initially relied upon as a ground for refusing access to the records in the Department’s decisions on the request. I am also satisfied that I must have regard to the CJEU judgment identified by the Department during the review, notwithstanding the fact that it was handed down after the applicant had submitted his request to the Department.
Moreover, while I am obliged to give reasons for my decision, section 25(3) of the FOI Act requires me to take all reasonable precautions in the course of a review to prevent the disclosure of information contained in an exempt record. This means that the extent to which I can describe the contents of the records at issue is limited.
The records
Records 1, 2 and 3 contain details of incidents that occurred at Dublin Airport and that were reported to the Department by the Irish Aviation Authority (the IAA). While record 4 is a covering email under which the incidents outlined in records 2 and 3 were reported to the Department by the IAA, it contains brief details of the incidents outlined. I am satisfied that its disclosure would involve the disclosure of certain limited information relating to the incidents. Record 5 is a briefing the Department sent to the Minister outlining the details of the incidents outlined in records 2 and 3. Having regard to the contents of the records, I consider section 41(1)(a) to be the most appropriate exemption to examine first.
Section 41(1)(a)
Section 41(1)(a) of the FOI Act provides for the mandatory refusal of a request if the disclosure of the record concerned is prohibited by law of the European Union or any enactment (other than a provision specified in column (3) of Part 1 or 2 of Schedule 3 of an enactment specified in that Schedule). In essence, the non-disclosure provision overrides any right of access under FOI, unless that particular provision is specified in Schedule 3 of the FOI Act. Moreover, section 41 does not contain a public interest test. If the disclosure of the record is prohibited, that is the end of the matter and no right of access exists under the FOI Act.
As I have outlined above, during the course of the review the Department drew this Office’s attention to a recent CJEU judgement that it considered to be relevant to the review. On 18 January 2024, the CJEU handed down its judgment in Case C 451/22, RTL Nederland and RTL Nieuws, concerning the interpretation of Article 11 of the Charter of Fundamental Rights of the European Union and of Article 15(1) of Regulation (EU) No 376/2014 which is concerned with the reporting, analysis and follow-up of occurrences in civil aviation.
In its judgment, the CJEU found, at paragraph 61, as follows:
“Thus, it is apparent from the wording of Article 15 of Regulation No 376/2014, from the context in which it occurs and from the objectives pursued by the legislation of which it forms part that that provision must be interpreted as meaning that all information that is held by the national competent authorities regarding an ‘occurrence’ relating to aviation safety, as defined by Regulation No 376/2014, is subject to a confidentiality regime the consequences of which is that the public does not have the right to access that information in any form.”
Article 15 of Regulation No 376/201 is not listed in schedule 3 of the FOI Act. The question I must consider, therefore, is whether release of the records sought is prohibited by Article 15 of Regulation No 376/2014 for section 41(1)(a) of the FOI Act to apply.
The Department’s submissions
During the review the Department made submissions on the applicability of sections 33 and 35 of the records which are not relevant to my consideration of the relevant Regulation and section 41 overall. However, it did provide background information in relation to the operation of the confidentiality regime in relation to occurrence reporting, which is in practice by the IAA and the Department.
In summary, the Department explained that in conjunction with the IAA, it has responsibility for the National Civil Aviation Security Programme (NCASP) in Ireland. It said the NCASP is a security sensitive and restricted document which is shared on a need to know basis. It said aviation security is highly regulated at European level and subject to national oversight by the IAA. It said it also a member of the International Civil Aviation Organisation (ICAO).
I understand that the ICAO is responsible for the formulation and adoption of Standards and Recommended Practices (SARPS) for international civil aviation which are incorporated into the 19 technical annexes to the Convention on International Aviation also known as the Chicago Convention. SARPs for international aviation security were first adopted by the ICAO Council in March 1974, and designated as Annex 17 to the Chicago Convention.
The Department said that as a Contracting State, Chapter 3 of Annex 17 in respect of Aviation Security requires each Contracting State to establish a confidential reporting system for analysing security information. It said the NCASP, which takes account of Annex 17, places an obligation on regulated entities to submit occurrence reports when there is a deviation to the existing security programme. It said occurrence reports are made when there is an anomaly identified relative to normal operations and that occurrence reports form a vital part of the IAA regulatory oversight. It said they are used to identify weaknesses and strengths, to identify trends and to improve management systems and internal processes.
The Department added that occurrence reports also have a role in the exposure of vulnerabilities in the aviation security system and may also be used to identify potential or attempted acts of unlawful interference. It said the IAA also uses occurrence reports to both inform the NCASC threat and risk group and for risk assessment purposes. It said the IAA have also been instrumental in advocating a system of ‘Just Culture’ in Ireland. It said just culture is defined as a culture in which front line operators and others are not punished for actions, omissions or decisions taken by them that are commensurate with their experience and training. It said the principle of just culture is applicable to the evaluation, investigation and follow up actions arising from such occurrence reports.
The Applicant’s submissions
The applicant said his FOI request did not seek any records relating to accidents or serious incidents involving aircrafts, but instead specifically referred to security breaches at Dublin Airport. He said the CJEU judgment in question relates to the ‘downing of an aircraft’ and that context of aviation security, or more specifically security on an airplane itself. He said that whilst some of the incidents may have an outcome for flights, the actual security breaches were at the airport itself.
The applicant said the judgment referenced article 5 of Regulation No 996/2010, which provides that “Every accident or serious incident involving aircraft … shall be the subject of a safety investigation…”. He said Article 14 of Regulation No 996/2010 on the protection of sensitive information relate specifically, in the judgement, to the downing of an aircraft and that the judgement, whilst naming Article 14 of Regulation No 996/2010, does not specifically or intendedly make reference to the type of airport security incident as per the information sought by his FOI.
The applicant noted that the judgment cites parts of Article 16 of Regulation No 996/2010, which is concerned with Investigation Reports, as follows:
“The safety investigation authority shall make public the final report in the shortest possible time and if possible within 12 months of the date of the accident or serious incident”, and
“If the final report cannot be made public within 12 months, the safety investigation authority shall release an interim statement at least at each anniversary of the accident or serious incident, detailing the progress of the investigation and any safety issues raised”.
He said that in relation to civil aviation, the judgment also states that;
“The general public should be provided with general aggregated information on the level of aviation safety in Members States and in the Union”
The applicant said it needs to be asked if the ‘occurrence’ (in this case a security breach at the Airport) is subject to confidentiality. He argued that it is not. He noted that Article 5 of Regulation no 996/2010, as amended, provides that every accident or serious incident involving aircraft shall be subject of a safety investigation. He suggested that the disclosure of such information is in the public interest in terms of public safety.
In relation to Article 15 of Regulation No 376/2014, the applicant noted that the judgment states that the Article precludes “media undertakings from having access to that information for the purpose of journalism, in the context of preparatory research, investigation and information-gathering activities which are inherent to the freedom of the media and to the ultimate objective of the journalistic activity, which is to communicate information to the public and to contribute to public debate”. However, he noted that the judgment also states that Article 15 “applies only to information that relates to accidents, serious incidents or other occurrences which may represent a significant risk to aviation safety and that is collected or held by the competent public authorities pursuant to that regulation” and that “It does not therefore preclude the public and media undertakings from seeking information in this connection from other sources or by other means”.
Finally, the applicant again argued that the release of the information is in the public interest. He noted that the Minister has already made public statements about a security breach at the Airport that occurred within the time period of his FOI request.
My Analysis
As I have explained above, section 41 does not contain a public interest test. If Article 15 of Regulation No 376/2014 serves to prohibit the release of the information sought, then the information is exempt from release under section 41(1)(a) of the FOI Act.
The relevant CJEU judgment found that Article 15 must be interpreted as meaning that all information that is held by the national competent authorities regarding an ‘occurrence’ relating to aviation safety, as defined by Regulation No 376/2014, is subject to a confidentiality regime the consequence of which is that the public does not have the right to have access to that information in any form.
Article 15 of Regulation 376/2014 provides as follows:
1. Member States and organisations, in accordance with their national law, and the Agency shall take the necessary measures to ensure the appropriate confidentiality of the details of occurrences received by them pursuant to Articles 4, 5 and 10.
Each Member State, each organisation established in a Member State, or the Agency shall process personal data only to the extent necessary for the purposes of this Regulation and without prejudice to national legal acts implementing Directive 95/46/EC.
2. Without prejudice to the provisions relating to the protection of safety information in Articles 12, 14 and 15 of Regulation (EU) No 996/2010, information derived from occurrence reports shall be used only for the purpose for which it has been collected.
Member States, the Agency and organisations shall not make available or use the information on occurrences:
(a) in order to attribute blame or liability; or
(b) for any purpose other than the maintenance or improvement of aviation safety.
3. The Commission, the Agency and the competent authorities of the Member States, when discharging their obligations under Article 14 in relation to the information contained in the European Central Repository, shall:
(a) ensure the confidentiality of the information; and
(b) limit the use of the information to what is strictly necessary in order to discharge their safety-related obligations without attributing blame or liability; in this respect, the information shall be used in particular for risk management and for analysis of safety trends which may lead to safety recommendations or actions, addressing actual or potential safety deficiencies.
4. Member States shall ensure that their competent authorities referred to in Article 6(3) and their competent authorities for the administration of justice cooperate with each other through advance administrative arrangements. These advance administrative arrangements shall seek to ensure the correct balance between the need for proper administration of justice, on the one hand, and the necessary continued availability of safety information, on the other.
Article 2(7) defines an “occurrence” as follows:
‘occurrence’ means any safety-related event which endangers or which, if not corrected or addressed, could endanger an aircraft, its occupants or any other person and includes in particular an accident or serious incident;
Articles 4 and 5 are concerned with the types of “occurrences” that are subject to mandatory or voluntary reporting respectively. Article 4(1) provides for the mandatory reporting of occurrences which may represent a significant safety risk to aviation safety and which fall into certain defined categories, including
(d) occurrences related to aerodromes and ground services, such as:
(i) occurrences related to aerodrome activities and facilities;
(ii) occurrences related to handling of passengers, baggage, mail and cargo;
(iii) occurrences related to aircraft ground handling and related services.
Article 5(1) provides as follows:
Each organisation established in a Member State shall establish a voluntary reporting system to facilitate the collection of:
(a) details of occurrences that may not be captured by the mandatory reporting system;
(b) other safety-related information which is perceived by the reporter as an actual or potential hazard to aviation safety.
Having regard to the findings of the CJEU, I accept that Article 15 of Regulation No 376/2014 means that information held by the national competent authorities regarding an “occurrence” relating to aviation safety is subject to a confidentiality regime the consequences of which is that neither the public nor even a media undertaking has the right to have access to that information.
In this case, I accept that the incidents referenced in the records comprise ‘occurrences’ as defined by Article 2(7) of Regulation No 376/2014. The fact that Regulation No 996/2010 may not specifically reference the types of airport security incident as was sought by the applicant in his FOI request does not mean that the incidents cannot be deemed to be ‘occurrences’ for the purposes of Article 2(7) of Regulation No 376/2014.
I also note the applicant’s reference to the CJEU finding, at paragraph 74 of its judgment, that Article 15 “applies only to information … that is collected or held by the competent public authorities pursuant to that regulation” and that “It does not therefore preclude the public and media undertakings from seeking information in this connection from other sources or by other means”. Article 15(2) of Regulation No 376/2014 provides that without prejudice to the provisions relating to the protection of safety information in Articles 12, 14 and 15 of Regulation (EU) No 996/2010, information derived from occurrence reports shall be used only for the purpose for which it has been collected. The information contained in records 1, 2, 3, and 5 was provided to the Department by the competent authority, namely the IAA for the purposes of Regulation No 376/2014. I am satisfied that the information was collected by the IAA pursuant to Regulation No 376/2014. I do not interpret paragraph 74 of the CJEU judgment as meaning that the information must be held by the competent authority and that the confidentiality regime provided by Article 15 cannot extend the information that has been passed on to the Department by the IAA. Instead, I interpret the paragraph as meaning that the confidentiality regime provided by Article 15 applies to the information that was collected or held pursuant to Article 15 but not to such information that might be held or collected other than pursuant to Article 15. Moreover, I note that Article 15 places the obligation of confidentiality on the Member States and not just on the competent authority.
Finally, I would note that the fact that certain information concerning occurrences may have made its way into the public domain does not, in my view, mean that Article 15 can no longer apply. Article 15 provides that information derived from occurrence reports shall be used only for the purpose for which it has been collected.
Having carefully considered the matter, I am satisfied that Article 15 of Regulation No 376/2014 prohibits the disclosure of the records at issue and as such, I find that section 41(1)(a) applies to those records. As I have found the records to be exempt from release under section 41(1)(a), there is no requirement for me to consider the other exemptions claimed.
Having carried out a review under section 22(2) of the FOI Act, I hereby affirm the Department’s decision to refuse access, under section 41(1)(a) of the FOI Act, to certain records concerning security breaches at Dublin Airport.
Section 24 of the FOI Act sets out detailed provisions for an appeal to the High Court by a party to a review, or any other person affected by the decision. In summary, such an appeal, normally on a point of law, must be initiated not later than four weeks after notice of the decision was given to the person bringing the appeal.
Stephen Rafferty
Senior Investigator