Decision 004/2020: Communications concerning Hyndford Quarry
Public authority: South Lanarkshire Council
Case Ref: 201900244
Summary
The Council was asked for communications with councillors concerning a called-in planning application for the extension of Hyndford Quarry.
The Council considered the request under the EIRs. It refused to provide the internal communications requested, believing the public interest lay in officers being able to share information and proposals in a free and frank manner, to allow issues to be resolved effectively.
During the investigation, the Council changed its position and disclosed all of the internal communications with personal data redacted.
The Commissioner investigated and found that the Council had wrongly withheld some information under regulations 10(4)(e) and 11(2) of the EIRs. He required the Council to disclose the information found to have been wrongly withheld under regulation 11(2).
Relevant statutory provisions
The Environmental Information (Scotland) Regulations 2004 (the EIRs) regulations 2(1) (definitions of "the data protection principles", "data subject", "the GDPR" and "personal data" and paragraphs (a), (b) and (c) of "environmental information") and (3A) (Interpretation); 5(1) and (2)(b) (Duty to make available environmental information on request); 10(1), (2), (3) and (4)(e) (Exceptions from duty to make environmental information available); 11(1), (2)(a), (3A)(a) and (7) (Personal data)
General Data Protection Regulation (the GDPR) Articles 4(1) and (11) (definitions of "personal data" and "consent") (Definitions); 5(1)(a) (Principles relating to processing of personal data); 6(1)(a) and (f) (Lawfulness)
Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d) and (5) (Terms relating to the processing of personal data); Schedule 20 (Transitional provision etc - paragraph 61)
The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.
Background
1. On 18 April 2018, the Applicant made a request for information to South Lanarkshire Council (the Council). He asked for communications between officers and councillors relating to a called-in planning application by Cemex for the extension of Hyndford Quarry (current DPEA reference NOD?SLS?001?1) since 1 January 2017.
2. The Council responded on 18 May 2018. It considered the request under the EIRs and refused to provide the information requested. The Council deemed the information to be excepted from disclosure under regulation 10(4)(e) of the EIRs (Internal communications), and concluded that the public interest favoured non-disclosure.
3. On 16 July 2018, the Applicant wrote to the Council, requesting a review of its decision. He disagreed with the exception applied, highlighting the presumption in favour of disclosure and arguing that the public interest lay in making the information available. The Applicant also raised further dissatisfaction concerning technical aspects of the Council's handling of his request.
4. The Council notified the Applicant of the outcome of its review on 14 August 2018, fully upholding its decision to withhold the information under regulation 10(4)(e) with further explanation in support of its decision to do so. It provided the Applicant with more detailed reasoning of why it considered the public interest favoured non-disclosure of the information. The Council also addressed the technical aspects of its handling of the request, as raised by the Applicant.
5. On 7 February 2019, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of the Freedom of Information (Scotland) Act 2002 (FOISA). By virtue of regulation 17 of the EIRs, Part 4 of FOISA applies to the enforcement of the EIRs as it applies to the enforcement of FOISA, subject to specified modifications. The Applicant stated he was dissatisfied with the outcome of the Council's review because he believed there was a substantial public interest favouring disclosure.
Investigation
6. The application was accepted as valid. The Commissioner confirmed that the Applicant made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.
7. On 25 February 2019, the Council was notified in writing that the Applicant had made a valid application. The Council was asked to send the Commissioner the information withheld from the Applicant. The Council provided the information and the case was allocated to an investigating officer.
8. In providing the withheld information, the Council informed the Commissioner that it now also wished to rely on regulation 11(2) of the EIRs to withhold any personal information.
9. The Applicant subsequently confirmed to the Commissioner that he was raising no dissatisfaction with any personal information withheld under regulation 11(2), where that information comprised names, contact addresses and telephone numbers.
10. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Council was invited to comment on this application and to answer specific questions. These focused on the Council's justification for withholding the information under the exception in regulation 10(4)(e), and consideration of the public interest test.
11. The Applicant was also asked for his views on the public interest in disclosure of the information.
12. Both parties provided submissions to the Commissioner. At that point, the Council informed the Commissioner that it now also wished to rely on the exception in regulation 11(1) to withhold any personal data relating to the Applicant.
13. During the investigation, on 4 July 2019, the Council informed the Commissioner that it no longer wished to rely on regulation 10(4)(e) of the EIRs to withhold any information.
14. On 9 July 2019, the Council wrote to the Applicant, informing him that it had changed its position. It withdrew reliance on regulation 10(4)(e) and disclosed all of the correspondence previously withheld under that exception, with the exception of some personal data which the Council also considered to be excepted from disclosure under regulation 11 of the EIRs.
15. The Applicant subsequently informed the Commissioner that he was dissatisfied with the level of redactions applied by the Council to the personal data when disclosing the correspondence. While he had no objection to the names of junior or clerical officers being redacted, he could see no justification for the redaction of the names of senior officers. He also confirmed he had no objection to his own name being disclosed.
16. The Council was subsequently invited to provide further submissions, focusing on the application of data protection legislation to the withheld personal data.
17. The Applicant was also invited to comment on his legitimate interest in obtaining the withheld personal data.
18. Both parties provided further submissions to the Commissioner.
Commissioner's analysis and findings
19. In coming to a decision on this matter, the Commissioner has considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both the Applicant and the Council. He is satisfied that no matter of relevance has been overlooked.
Handling in terms of the EIRs
20. The Council considered the Applicant's request under the EIRs, having concluded that the information requested was environmental information as defined in regulation 2(1) of the EIRs.
21. Where information falls within the scope of this definition, a person has a right to access it (and the public authority has a corresponding obligation to respond) under the EIRs, subject to the various restrictions and exceptions contained in the EIRs.
22. The Council submitted that the information requested by the Applicant related to consideration of a planning application in respect of an extension to a quarry. Consequently, the Council considered the subject matter fell within the definition of environmental information as set out in regulation 2(1) of the EIRs. The Commissioner accepts this as a reasonable description and, in the circumstances, is satisfied that the information requested by the Applicant falls within that definition of environmental information, in particular paragraphs (a), (b) and (c) of the definition. The Applicant has not challenged the Council's decision to deal with the information as environmental information and the Commissioner will consider the handling of the request in what follows solely in terms of the EIRs.
Regulation 5(1) - Duty to make environmental information available
23. Regulation 5(1) of the EIRs requires a Scottish public authority which holds environmental information to make it available when requested to do so by any Applicant. This obligation relates to information that is held by the authority when it receives a request.
24. On receipt of a request for environmental information, therefore, the authority must ascertain what information it holds falling within the scope of the request. Having done so, regulation 5(1) requires the authority to provide that information to the requester, unless a qualification in regulations 6 to 12 applies (regulation 5(2)(b)).
Information held
25. In providing the withheld information to the Commissioner, the Council included additional information which, initially, had not been considered to fall within scope when the Council carried out its review. Following discussions with the investigation officer, the Council subsequently agreed that this additional correspondence did, in fact, fall within the scope of the Applicant's request.
26. In order to ascertain whether all relevant information had been identified, the Council was asked to explain the steps it took to establish what information it held and which fell within the terms of the Applicant's request. The Council explained, and provided evidence of, the searches carried out to identify information held within its Planning Service. These included searches of:
- the Council's electronic document records management system (Meridio) and its planning system (M3) using search terms including "Hyndford", "Cemex" and the names of specified correspondents.
- the email accounts of the Council's Planning HQ Manager (both current and retired), Team Leader (Planning HQ) and Planning Officer (Planning HQ) with responsibility for this particular application, using the same search terms.
27. The Council submitted that these searches, carried out by officers with knowledge of where to look within the Council's systems, resulted in the identification of the information provided to the Commissioner as withheld information.
28. The standard of proof to determine whether a Scottish public authority holds information is the civil standard of the balance of probabilities. In determining where the balance of probabilities lies, the Commissioner considers the scope, quality, thoroughness and results of the searches carried out by the public authority.
29. Having considered all the relevant submissions and the terms of the request, the Commissioner is satisfied that the information held by the Council and falling within the scope of the Applicant's request was capable of being identified by the searches carried out by the Council. As such, he is satisfied that, by the end of the investigation, the Council had taken adequate, proportionate steps to establish the extent of information held that was relevant to the request.
30. However, the information referred to in paragraph 25 should clearly have been identified as falling within scope by the close of the Council's review, at the latest. In failing to do this, the Council failed to deal with the request fully in accordance with regulation 5(1) of the EIRs.
Regulation 10(4)(e) - Internal communications
31. At both initial response and review stages, and in its initial submissions to the Commissioner, the Council maintained that the information identified was excepted from disclosure by virtue of regulation 10(4)(e) of the EIRs.
32. Regulation 10(4)(e) provides that a Scottish public authority may refuse to make environmental information available to the extent that the request involves making available internal communications.
33. As with all of the exceptions contained within regulation 10, a Scottish public authority applying this exception must interpret it in a restrictive way (regulation 10(2)(a)) and apply a presumption in favour of disclosure (regulation 10(2)(b)). Even where the exception applies, the information must be disclosed unless, in all the circumstances, the public interest in making the information available is outweighed by that in maintaining the exception (regulation 10(1)(b)).
34. As stated above, during the investigation, the Council confirmed that, following further consideration, it had revised its position and withdrew reliance on regulation 10(4)(e) to withhold the information requested.
35. The Council provided the Commissioner with a copy of its further response to the Applicant on 9 July 2019, in which it informed him of its change of position and disclosed the information initially withheld under regulation 10(4)(e) (with some personal data redacted).
36. Having considered the Council's submissions, and bearing in mind that its disclosure to the Applicant during the investigation made no suggestion that the information should have been withheld earlier, the Commissioner has no option but to find that the Council wrongly applied regulation 10(4)(e) when it responded to the Applicant's request and requirement for review. Having reached this conclusion, he is not required to go on to consider the public interest in regulation 10(1)(b) of the EIRs.
37. The Commissioner concludes, therefore, that the Council was not entitled to rely on regulation 10(4)(e) of the EIRs to withhold the information the Applicant requested and, by so doing, it breached regulation 5(1) of the EIRs.
38. Given that, by the conclusion of the investigation, the Council had issued the Applicant with a revised review outcome, effectively withdrawing its reliance on regulation 10(4)(e) of the EIRs and disclosing the information previously withheld under that exception (with some personal data redacted), he does not require the Council to take any specific action in relation to this failure.
39. However, the Commissioner would urge the Council, and indeed all Scottish public authorities, to ensure that, when responding to information requests, thorough consideration is given to whether any applicable tests can actually be met in the circumstances.
Personal data
40. During the investigation, the Council also sought to rely on regulation 11 of the EIRs to withhold some personal data.
41. As explained above, the Applicant initially confirmed he was raising no dissatisfaction with any withheld personal data that did not relate to names, contact addresses or telephone numbers.
42. Following a full examination of the withheld information by the Investigating Officer, it was established (with one exception) that none of the withheld personal data extended beyond the description above.
43. In relation to the one exception, as this information related to the personal circumstances of a correspondent, and did not relate in any way to the subject matter of the Applicant's request, the Commissioner does not consider this information falls within the scope of the request and so need not be considered further.
44. As explained previously, on 9 July 2019 the Council disclosed to the Applicant the information originally withheld under regulation 10(4)(e), with some personal data redacted.
45. Following this, the Applicant confirmed to the Commissioner that he was dissatisfied with the level of redactions applied by the Council. In his view, he had only agreed to personal data being redacted where this information related to junior or clerical staff. He could see no justification for almost every name, including those of (persons he believed to be) senior officers, being redacted. The Applicant argued that doing so made the correspondence difficult to follow and reduced its meaning. He believed it was in the public interest for a decision to be issued in this case.
46. In proceeding to take his investigation further on this aspect, the Commissioner has borne in mind that the Applicant could not be fully aware of the nature and extent of the Council's redaction of personal data until the bulk of information previously withheld had been disclosed to him.
47. Regulation 10(3) of the EIRs provides that where the environmental information requested includes personal data, a Scottish public authority shall not make those personal data available otherwise than in accordance with regulation 11.
Regulation 11(1) of the EIRs
48. The exception in Regulation 11(1) of the EIRs provides that, to the extent that environmental information requested includes personal data of which the Applicant is the data subject, then the duty to make it available under regulation 5(1) shall not apply to those personal data.
49. This exception exists in the EIRs as individuals have a separate right to make a request for their own personal data under the GDPR/DPA 2018. This route is more appropriate for individuals accessing their personal data, as it ensures the data are disclosed only to that individual and not into the public domain.
50. Regulation 11(1) does not deny individuals a right to access information about themselves, but ensures that the right is exercised under the correct legislation (the GDPR/DPA 2018) and not under the EIRs.
51. Personal data are defined in section 3(2) of the DPA 2018 which, read with section 3(3), incorporates the definition of personal data in Article 4(1) of the GDPR:
"… any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person,"
The definition of personal data is set out in full in Appendix 1.
52. In its submissions to the Commissioner, the Council stated that some of the information in the withheld correspondence comprised the Applicant's own personal data. It submitted that the information clearly identified and related to him. As such, the Council argued that, in terms of regulation 11(1) of the EIRs, this information could not be disclosed under the EIRs.
53. The Council recognised, however, that the Applicant had a right of access to his own personal information under Article 15 of the GPDR, and informed him of this when disclosing the withheld information to him on 9 July 2019.
54. As explained above, the Applicant confirmed to the Commissioner that he had no objection to his own personal data being disclosed.
55. The Commissioner has considered the information that falls within the scope of the Applicant's request and the submissions received. It is apparent that any information held referring to the Applicant's connection with the planning application relates to his own personal circumstances and therefore would be his own personal data.
56. Notwithstanding the Applicant's confirmation that he had no objection to his own personal data being disclosed, the Commissioner cannot order the disclosure of any information which comprises the personal data of the Applicant.
57. Having considered the information in question, the Commissioner is satisfied that the Council was entitled to withhold the information under regulation 11(1) of the EIRs.
Regulation 11(2) of the EIRs
58. As explained above, during the investigation, in providing the Applicant with the information originally withheld, the Council redacted some information which it considered excepted from disclosure under regulation 11(2) of the EIRs, as it comprised the personal data of persons other than the Applicant and the relevant conditions applied.
Data Protection Act 2018 (Transitional provisions)
59. On 25 May 2018, the Data Protection Act 1998 was repealed by the DPA 2018. The DPA 2018 amended regulation 11(2) of the EIRs and also introduced a set of transitional provisions, which set out what should happen where a public authority dealt with an information request before the EIRs were amended on 25 May 2018 but the matter is being considered by the Commissioner after that date.
60. In line with paragraph 61 of Schedule 20 of the DPA 2018 (see Appendix 1), if an information request was dealt with before 25 May 2018, the Commissioner must consider the law as it was before 25 May 2018 when determining whether the authority dealt with the request in accordance with the EIRs.
61. The Council responded to the Applicant's request on 18 May 2018, but did not issue its review outcome until 14 August 2018. In this decision, the Commissioner is considering the Council's position as set out in its review outcome, which post-dates 25 May 2018: only at that point did the Council finish dealing with the Applicant's request. The Commissioner will therefore consider whether the Council was entitled to apply the exception in regulation 11(2) of the EIRs, as amended by the DPA 2018.
62. Regulation 11(2) states that, to the extent that environmental information includes personal data of which the Applicant is not the data subject, a public authority can only make it available where one of three conditions is satisfied. The first condition (set out in regulation 11(3A)) is that disclosure would not contravene any of the data protection principles in Article 5(1) of the GDPR.
63. The Council's arguments in this case relate to those parts of the first condition that would apply, where making the information available would contravene any of the data protection principles. In order for a Scottish public authority to rely on this exception, it must show that:
(i) the information is personal data for the purposes of the DPA 2018, and
(ii) making it available would contravene at least one of the data protection principles laid down in the GDPR or (where relevant) the DPA 2018.
Is the withheld information personal data?
64. The Commissioner must first consider whether the information is personal data in terms of section 3(2) of the DPA 2018, i.e. any information relating to an identified or identifiable living individual, as set out in paragraph 51 above.
65. In its submissions to the Commissioner, the Council stated that information relating to the names, roles and contact details of these individuals amounted to their personal data as defined by the GPDR.
66. The information under consideration here variously comprises the names, job titles and contact details of Council employees (past and present). It identifies the parties involved in the email correspondence and the individuals referred to in the body of that correspondence.
67. The Commissioner has considered the submissions received from the Council on this point, along with the withheld information. He accepts that living individuals can be identified from the data, either directly by their names, or indirectly by their job titles.
68. Information will "relate to" a living individual if it is about them, is linked to them, has biographical significance for them, is used to inform decisions affecting them or has them as its main focus. Given the information comprises correspondence from and to individuals in the course of their Council duties, the Commissioner accepts it relates to them.
69. The Commissioner is therefore satisfied that the information which has been redacted comprises personal data.
Which of the data protection principles would be contravened by disclosure?
70. The Council argued that disclosure of the personal data would breach the data protection principle in Article 5(1)(a) of the GDPR. This requires personal data to be processed lawfully, fairly and in a transparent manner in relation to the data subject. Under section 3(4)(d) of the DPA 2018, disclosure is a form of processing. Personal data can only be disclosed, therefore, if disclosure would be both lawful (i.e. if it would meet one of the conditions of lawful processing listed in Article 6(1) of the GDPR) and fair.
Lawful processing: Articles 6(1)(a) and (f) of the GDPR
71. The Commissioner must consider, among other questions, if disclosure of the personal data would be lawful. In considering lawfulness, he must consider whether any of the conditions in Article 6 of the GDPR would allow the personal data to be disclosed. The Council took the view that conditions (a) and (f) of Article 6(1) of the GDPR were the only ones that could apply in the circumstances of this case.
Condition (a): consent
72. Condition (a) would allow the Council to disclose personal data if the data subject has consented to the processing of his or her personal data for one or more specific purposes.
73. "Consent" is defined in Article 4 of the GDPR as:
"… any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
74. The Council confirmed that it had not sought the consent of the individuals concerned in relation to the disclosure of their personal data into the public domain. Therefore, these individuals had not had an opportunity to object to the disclosure of their personal data.
75. In the circumstances, the Commissioner is satisfied that condition (a) does not apply to the information. He can identify no obligation to seek the consent in question, in the circumstances.
Condition (f): legitimate interests
76. Under condition (f), the disclosure of the personal data would be lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.
77. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, regulation 11(7) of the EIRs (see Appendix 1) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under the EIRs.
78. The tests which must be met before Article 6(1)(f) can be met are as follows:
(i) Does the Applicant have a legitimate interest in obtaining the personal data?
(ii) If so, is disclosure of the personal data necessary to achieve that legitimate interest?
(iii) Even if the processing is necessary to achieve that legitimate interest, is that overridden by the interests or fundamental rights and freedoms of the data subjects?
Does the Applicant have a legitimate interest in obtaining the information?
79. There is no definition in the GDPR of what constitutes a "legitimate interest". The Commissioner takes the view that the term indicates that matters in which an individual properly has an interest should be distinguished from matters about which he or she is simply inquisitive. The Commissioner's guidance[1] on regulation 11 of the EIRs states (at paragraph 62):
"In some cases, the legitimate interest might be personal to the requester, e.g. they might want the information in order to bring legal proceedings. For most requests, however, there are likely to be wider legitimate interests, such as scrutiny of the actions of public bodies or public safety."
80. The Council submitted that at no time in requesting the information did the Applicant provide a legitimate public interest in obtaining that information, nor did he specify any relevant public interest in disclosure of the personal information to the public.
81. The Council acknowledged, however, that there was always a public interest in relation to accountability and openness in relation to its decision-making and actions.
82. The Council commented that it was only in his application to the Commissioner that the Applicant set out his views on the relevant public interests, namely openness and transparency in relation to:
(i) evidence and opinions being likely to carry significant weight in determining the outcome of calling in the planning application,
(ii) allocation of significant public resources to the case, and
(iii) the role of the Council in proceedings being not merely to provide information, but to express a view on the outcome of the case and to urge Reporters to support it.
83. However, the Council stated it was unsure as to whether disclosure of the information would advance the public interest, even as set out by the Applicant. The information in question merely related to the actions of individuals in the course of their employment (i.e. as senders or recipients of email correspondence): it did not relate to these stated public interests.
84. Consequently, the Council concluded that this part of condition (f) as set out in Article 6(1) of the GDPR could not be met, and disclosure would breach the first data protection principle.
85. In his submissions to the Commissioner, the Applicant stated that he understood that the redaction of names would be applied to junior or clerical staff members who had no material role in providing advice to elected members, e.g. clerical officers or personal assistants.
86. The Applicant believed it was important that senior officials who provided advice should also be accountable for it. In his view, the relationship between officers and elected members in planning matters was at the heart of his request. He submitted that discretion within the planning system is normally exercised by elected members, having received advice from Council officers. However, this case was unusual as the planning application was called in by the Scottish Ministers, and Council officers were operating under delegated powers: this, he believed, increased the public interest in accountability and transparency.
87. The Applicant further commented that the extent of the redactions applied by the Council not only made it difficult to follow the information disclosed, but also reduced its meaning.
88. Having considered the submissions from both the Council and the Applicant, the Commissioner is satisfied that the Applicant has a legitimate interest in obtaining the withheld personal data. He accepts that the Applicant has a personal interest in the planning application in question, and consequently has a personal legitimate interest in knowing the identities of the individuals to whom reference is made in this correspondence, with a view to understanding that correspondence, and the underlying issues, more completely. The Commissioner further accepts that this legitimate interest would extend to other members of the public in the South Lanarkshire area (and potentially beyond) with an interest in this planning matter.
Is disclosure of the personal data necessary to achieve the legitimate interest?
89. Having accepted that the Applicant has a legitimate interest in the personal data of Council employees, the Commissioner must now go on to consider whether disclosure of that personal data is necessary to meet the Applicant's legitimate interests. In doing so, he must consider whether these interests might reasonably be met by any alternative means.
90. The Commissioner has considered the submissions from both parties carefully, and in the light of the decision by the Supreme Court in South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55 [2]. In that case, the Supreme Court stated (at paragraph 27 of the judgment):
"… A measure which interferes with a right protected by Community law must be the least restrictive for the achievement of a legitimate aim. Indeed, in ordinary language we would understand that a measure would not be necessary if the legitimate aim could be achieved by something less."
91. As the Supreme Court confirmed, "necessary" means "reasonably" rather than absolutely or strictly necessary. When considering whether disclosure would be necessary, public authorities need to consider whether the disclosure is proportionate as a means and fairly balanced as to ends, or whether the requester's legitimate interests can be met by means which interfere less with the privacy of the data subjects.
92. Having considered the Applicant's legitimate interests, the Commissioner accepts that, to some extent, disclosure of the information is necessary in order to fulfil them. The Commissioner is satisfied that the withheld personal data would provide the Applicant with information which would aid his understanding of the information disclosed, and the level of involvement by the parties referenced in the correspondence.
93. The Commissioner also accepts that, in all the circumstances of the case, the Applicant's legitimate interests could not reasonably be fully met by alternative means. He is satisfied that disclosure of the personal data is necessary to meet the Applicant's legitimate interests.
Would disclosure cause unwarranted prejudice to the legitimate interests of the data subjects?
94. As the Commissioner is satisfied that disclosure of the withheld personal data would be necessary to fulfil the Applicant's legitimate interests, he is now required to consider whether that disclosure would nevertheless cause unwarranted prejudice to the rights and freedoms or interests of the data subjects.
95. It is necessary to balance the legitimate interests in disclosure against the data subjects' interests or fundamental rights and freedoms. In doing so, it is necessary to consider the impact of disclosure. For example, if the data subjects would not reasonably expect that the information would be disclosed to the public under the EIRs in response to the information request, or if such disclosure would cause unjustified harm, their interests or rights are likely to override legitimate interests in disclosure. Only if the legitimate interests of the Applicant outweigh those of the data subjects can the information be disclosed without breaching the first data protection principle.
96. The Commissioner's guidance on regulation 11 of the EIRs notes factors that should be taken into account in balancing the interests of parties. He makes it clear that, in line with Recital (47) of the GDPR, much will depend on the reasonable expectations of the data subjects, and these are some of the factors public authorities should consider:
(i) Does the information relate to an individual's public life (their work as a public official or employee) or to their private life (their home, family, social life or finances)?
(ii) Would the disclosure cause harm or distress?
(iii) Whether the individual has objected to the disclosure.
97. Disclosure under the EIRs - although to a specific Applicant - is public disclosure. As such, in considering the effects of disclosure, it is relevant to be aware that disclosing information under the EIRs has the effect of putting the information in the public domain.
98. The Council was asked to explain the level of seniority of each of the individuals referenced in the withheld information, including how public-facing their role was, and whether any of that information was already in the public domain. The Council duly provided this information to the Commissioner, along with a diagram showing the relevant structure within Community and Enterprise Resources.
99. The Council submitted that none of the posts were of a significant level that would negate the expectation of privacy through seniority. It referred to Decision 218/2010 Mr Michael Traill and South Lanarkshire Council[3] where, after considering the structure of the Council, the Commissioner considered (at paragraph 44) that the senior officers falling within this class would be Executive Directors and above.
100. The Council submitted that all of the posts under consideration here fell below that level. It further explained that, while some of these posts included making limited decisions on behalf of the Council in terms of its Scheme of Delegation, the postholders were not doing so in this present case and so the accountability that would arise from such powers did not reduce their expectation of privacy in this case.
101. The Council submitted that, even if the information advanced any identified legitimate public interest, given its context it would only do so slightly. In the Council's view, any identified public interest was overridden by the rights and freedoms of the officers concerned, as they were not of sufficient seniority to negate their expectation of privacy. It stated that the employees concerned would not expect their details to be released into the public domain merely because they were the sender or recipient of an email. The Council concluded that the harm to the individuals would exceed any benefit in making the information publicly available.
102. In his submissions to the Commissioner, and as set out in paragraphs 86?87 above, the Applicant argued that disclosure of the personal data was necessary to allow full understanding of the context of the information disclosed, particularly given that Council officers were operating using delegating powers. In his view, this increased the public interest in senior officers taking responsibility for their decisions and advice, as they were doing so in place of elected members. The Applicant believed these considerations outweighed those of privacy in this instance.
The Commissioner's views
103. The Commissioner has considered the submissions from both parties, together with the withheld information. He acknowledges that the information clearly relates to the individuals' public lives (in their roles as Council employees). He also notes that the Applicant has no objection to the redaction of personal data of junior or clerical staff with no material responsibility for the information requested.
104. The Commissioner has also considered the harm or distress that might be caused by disclosure of the personal data. The Council has given no developed argument or sustained evidence in this respect, but submitted that, given the level of seniority of the relevant staff, they would have no expectation of disclosure of their personal data into the public domain.
105. The Commissioner acknowledges the conclusion reached in Decision 218/2010 referred to above, which considered gifts and hospitality offered to, declined or accepted by Council staff. However, he takes the view that the conclusion reached therein cannot be adopted on a "blanket" basis, and the disclosure of information must be considered depending upon the circumstances of the case in question.
106. The Information Commissioner, who is responsible for enforcing and regulating the DPA throughout the UK, has published guidance on Requests for Personal Data about Employees[4]. This guidance sets out a number of factors for the public authority to consider, including whether the information relates to the employee in their professional role or to them as individuals, the seniority of their role, and public facing roles (pages 11-12). This guidance states:
"It is reasonable to expect that you disclose more information about senior public authority employees than more junior ones. Senior employees should expect their posts to carry a greater level of accountability, since they are likely to be responsible for major policy decisions and the expenditure of public funds."
107. This is reflected in the (Scottish) Commissioner's own guidance on regulation 11.
108. The Commissioner has given full consideration to the level of seniority of the individuals referenced in the correspondence which all, with one exception, fall below tier 3 within the Council.
109. Given the nature of the withheld personal information, the Commissioner therefore finds it necessary to consider separately the nature of the prejudice which disclosure would cause, firstly to Council employees below tier 3, and secondly to any officers of tier 3 and above.
Council employees - tier 3 and above
110. In this case, the Commissioner considers the expectation surrounding the availability of information relating to the names and roles of senior council officers has evolved over time. He takes the view that personal data relating to the names and roles of council officers, at the level immediately below Executive Director (for example, heads of service), is routinely available (and indeed is expected to be routinely available) in the public domain.
111. Having reached this view, the Commissioner finds that information pertaining to one employee falls within this category, whose personal data (in relation to their employment with the Council) is already available in the public domain. He considers that the legitimate interests he has identified in disclosure to be all stronger in relation to this employee, given the considerable delegated authority they will exercise.
112. With this in mind, the Commissioner finds that disclosure of the withheld information in this case, relating to a Council officer at the level immediately below Executive Director and to their professional (rather than their private) life, would not cause unwarranted prejudice to their rights, freedoms or interests. On balance, therefore, those rights freedoms and interests cannot be said to override the Applicant's legitimate interests and condition (f) of Article 6(1) of the GDPR can be met in relation to the disclosure of this particular information.
113. Having reached the conclusion that condition (f) of Article 6(1) of the GDPR can be satisfied in respect of certain of the personal data withheld (relating to a Council officer at the level immediately below Executive Director), the Commissioner must now go on to consider whether its disclosure would be fair, as required by Article 5(1)(a) of the GDPR.
114. The Council gave no specific submissions on fairness but, as stated above, submitted that (given the level of seniority of the relevant staff) they would have no expectation of disclosure of their personal data into the public domain.
115. The Commissioner accepts that, in general, Council employees have an expectation of privacy in relation to their personal data. However, given the seniority of this particular individual, the nature of the information and the fact that their name and job title is already available in the public domain, the Commissioner can identify no reason why disclosure would be unfair.
116. Accordingly, the Commissioner finds that disclosure of the withheld personal data of this particular Council officer would not contravene the data protection principle in Article 5(1)(a) of the GDPR. He finds that the Council was not entitled to withhold this information under regulation 11(2) of the EIRs and by so doing, breached regulation 10(3) of the EIRs. He requires the Council to disclose this information to the Applicant.
Council employees - below tier 3
117. For the remainder of the withheld personal data, the Commissioner has balanced the legitimate interests of the data subjects against those of the Applicant. He accepts that staff below tier 3 would not (in general terms) have any reasonable expectation that their personal data would be made available to the general public under the EIRs. He is satisfied that this information is private to the data subjects (whose roles all fall below tier 3) and that there is a reasonable expectation on the part of the data subjects that their personal data would remain private.
118. The Commissioner has given weight to the Applicant's legitimate interest in obtaining the personal data, as set out previously. The quote detailed above (paragraph 90) highlights the standard required for disclosure: a measure which interferes with a right protected by Community law must be the least restrictive for the achievement of a legitimate aim. In the Commissioner's view, the Applicant's legitimate interest has been met, to some extent, in a way which did not interfere with the privacy of these data subjects, by providing the information in the redacted form done by the Council.
119. In reaching a decision on this matter, and having carefully balanced the legitimate interests of the data subjects against those of the Applicant, the Commissioner finds that any legitimate interests served by disclosure of the remaining withheld personal data are outweighed by the unwarranted prejudice that would result to the rights, freedoms and interests of the data subjects in question. In the circumstances, those rights, freedoms and interests must prevail.
120. In the circumstance of this particular case, therefore, the Commissioner concludes therefore that condition (f) in Article 6(1) of the GDPR cannot be met in relation to the remaining withheld personal data. Disclosure would therefore be unlawful.
121. Given that the Commissioner has concluded that the processing of the remaining personal data would be unlawful, he is not required to go on to consider separately whether its disclosure would otherwise be fair and transparent in relation to the data subjects.
Conclusion on the data protection principles
122. For the reasons set out above, the Commissioner is satisfied that, with one exception, disclosure of the personal data would breach the data protection principle in Article 5(1)(a) of the GDPR. Consequently, he is satisfied that the majority of the personal data were properly withheld under regulation 11(2) of the EIRs.
123. The Commissioner requires the Council to disclose the information found to have been wrongly withheld under regulation 11(2).
Decision
The Commissioner finds that South Lanarkshire Council (the Council) partially complied with the Environmental Information (Scotland) Regulations 2004 (the EIRs) in responding to the information request made by the Applicant.
The Commissioner finds that, by the end of the investigation, the Council was correct to withhold some information under regulation 11 (Personal data) of the EIRs, and so complied with the EIRs in that respect.
However, he finds that the Council was not entitled to withhold some other information under regulation 11(2), and so failed to comply with regulation 5(1) of the EIRs in that respect.
The Commissioner also finds that the Council wrongly withheld some information under the exception in regulation 10(4)(e), and so failed to comply with regulation 5(1) of the EIRs in that respect also.
The Commissioner further finds that the Council failed to fully comply with regulation 5(1) of the EIRs in only identifying some information as falling within the scope of the request after his investigation had started.
Given that, during the investigation, the Council issued the Applicant with a further response, withdrawing its reliance on regulation 10(4)(e) and disclosing the information originally withheld under that exception, together with the further information identified as falling within scope, all with some personal data redacted, the Commissioner does not require the Council to take any further action in respect of these failures (except in relation to the information wrongly withheld under regulation 11(2)) in response to the Applicant's application.
The Commissioner requires the Council to provide the Applicant with the information found to have been wrongly withheld under regulation 11(2) of the EIRs, by 2 March 2020.
Appeal
Should either the Applicant or the Council wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.
Margaret Keyse
Head of Enforcement
16 January 2020
Appendix 1: Relevant statutory provisions
The Environmental Information (Scotland) Regulations 2004
2 Interpretation
(1) In these Regulations -
…
"the data protection principles" means the principles set out in -
(a) Article 5(1) of the GDPR, and
(b) section 34(1) of the Data Protection Act 2018;
"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act):
…
"environmental information" has the same meaning as in Article 2(1) of the Directive, namely any information in written, visual, aural, electronic or any other material form on -
(a) the state of the elements of the environment, such as air and atmosphere, water, soil, land, landscape and natural sites including wetlands, coastal and marine areas, biological diversity and its components, including genetically modified organisms, and the interaction among these elements;
(b) factors, such as substances, energy, noise, radiation or waste, including radioactive waste, emissions, discharges and other releases into the environment, affecting or likely to affect the elements of the environment referred to in paragraph (a);
(c) measures (including administrative measures), such as policies, legislation, plans, programmes, environmental agreements, and activities affecting or likely to affect the elements and factors referred to in paragraphs (a) and (b) as well as measures or activities designed to protect those elements;
…
"the GDPR" and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of the Act (see section 3(10), (11) and (14) of that Act);
"personal data" has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act);
…
(3A) In these Regulations, references to the Data Protection Act 2018 have effect as if in Chapter 3 of Part 2 of that Act (other general processing) -
(a) the references to an FOI public authority were references to a Scottish public authority as defined in these Regulations;
(b) the references to personal data held by such an authority were to be interpreted in accordance with paragraph (2) of this regulation.
…
5 Duty to make available environmental information on request
(1) Subject to paragraph (2), a Scottish public authority that holds environmental information shall make it available when requested to do so by any Applicant.
(2) The duty under paragraph (1)-
…
(b) is subject to regulations 6 to 12.
…
10 Exceptions from duty to make environmental information available
(1) A Scottish public authority may refuse a request to make environmental information available if-
(a) there is an exception to disclosure under paragraphs (4) or (5); and
(b) in all the circumstances, the public interest in making the information available is outweighed by that in maintaining the exception.
(2) In considering the application of the exceptions referred to in paragraphs (4) and (5), a Scottish public authority shall-
(a) interpret those paragraphs in a restrictive way; and
(b) apply a presumption in favour of disclosure.
(3) Where the environmental information requested includes personal data, the authority shall not make those personal data available otherwise than in accordance with regulation 11.
(4) A Scottish public authority may refuse to make environmental information available to the extent that
…
(e) the request involves making available internal communications.
…
11 Personal data
(1) To the extent that environmental information requested includes personal data of which the Applicant is the data subject then the duty under regulation 5(1) to make it available shall not apply to those personal data.
(2) To the extent that environmental information requested includes personal data of which the Applicant is not the data subject, a Scottish public authority must not make the personal data available if -
(a) the first condition set out in paragraph (3A) is satisfied, or
…
(3A) The first condition is that the disclosure of the information to a member of the public otherwise than under these Regulations -
(a) would contravene any of the data protection principles, or
…
(7) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.
General Data Protection Regulation
Article 4 Definitions
For the purpose of this Regulation:
1 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
…
11 'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
…
Article 5 Principles relating to processing of personal data
1 Personal data shall be:
a. processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency")
…
Article 6 Lawfulness of processing
1 Processing shall be lawful only if and to the extent that at least one of the following applies:
a. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
…
f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.
Data Protection Act 2018
3 Terms relating to the processing of personal data
…
(2) "Personal data" means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).
(3) "Identifiable living individual" means a living individual who can be identified, directly or indirectly, in particular by reference to-
(a) an identifier such as a name, an identification number, location data or an online identifier, or
(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
(4) "Processing", in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as
…
(d) disclosure by transmission, dissemination or otherwise making available,
…
(5) "Data subject" means the identified or identifiable living individual to whom personal data relates.
…
Schedule 20 - Transitional provision etc
61 Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520)
(1) This paragraph applies where a request for information was made to a Scottish public authority under the Environmental Information (Scotland) Regulations 2004 ("the 2004 Regulations") before the relevant time.
(2) To the extent that the request is dealt with after the relevant time, the amendments of the 2004 Regulations in Schedule 19 to this Act have effect for the purposes of determining whether the authority deals with the request in accordance with those Regulations.
(3) To the extent that the request was dealt with before the relevant time -
(a) the amendments of the 2004 Regulations in Schedule 19 to this Act do not have effect for the purposes of determining whether the authority dealt with the request in accordance with those Regulations, but
(b) the powers of the Scottish Information Commissioner and the Court of Session, on an application or appeal under the 2002 Act (as applied by the 2004 Regulations), do not include power to require the authority to take steps which it would not be required to take in order to comply with those Regulations as amended by Schedule 19 to this Act.
(4) In this paragraph -
"Scottish public authority" has the same meaning as in the 2004 Regulations;
"the relevant time" means the time when the amendments of the 2004 Regulations in Schedule 19 to this Act come into force.
[1] http://itspublicknowledge.info/Law/FOISA-EIRsGuidance/EIRsexceptionbriefings/Regulation11/Regulation11PersonalInformation.aspx
[2] https://www.supremecourt.uk/cases/docs/uksc-2012-0126-judgment.pdf
[3] http://www.itspublicknowledge.info/ApplicationsandDecisions/Decisions/2010/201001057.aspx
[4] https://ico.org.uk/media/for-organisations/documents/1187/section_40_requests_for_personal_data_about_employees.pdf
