Home Decisions

Decision 006/2017

Decision 006/2017: Mr Philip Dinsdale and the Scottish Environment Protection Agency

Voluntary severance scheme

Reference No: 201601713
Decision Date: 18 January 2017

Summary

SEPA was asked for information about the implementation of its voluntary severance scheme. SEPA withheld the information under exemptions relating to the effective conduct of public affairs and personal information.

The Commissioner accepted that SEPA was entitled to withhold the information which comprised the personal data of staff who had applied for voluntary severance. However, she did not agree that SEPA was entitled to withhold the remainder and required it to be disclosed.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 30(c) (Prejudice to effective conduct of public affairs); 38(1)(b), (2)(a)(i), (2)(b) and (5) (definition of "the data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA) sections 1(1) (Basic interpretive provisions) (definition of "personal data"); Schedule 1 (The data protection principles, Part 1 - the principles) (the first data protection principle); Schedule 2 (Conditions relevant for purposes of the first principle: processing of any personal data) (condition 6)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 18 April 2016, Mr Dinsdale made a request for information to the Scottish Environment Protection Agency (SEPA). The information requested concerned SEPA's voluntary severance (VS) scheme. The information requested included:

(iii) The reasons why, on a post by post basis, those other eligible staff who applied for VS were not offered it.

(vi) The post titles of those eligible staff who were (a) offered and (b) accepted a VS package.

(vii) The reason why (in relation to staff who were offered VS) the applicant's post was considered not to be business critical.

(viii) The criteria used in each case where VS was offered to other eligible staff.

Mr Dinsdale also requested other information which is not the subject of this Decision Notice.

2. SEPA responded on 19 May 2016. In relation to parts (iii) and (vi) of the request, SEPA withheld the information under the exemption in section 38(1)(b) (Personal information) of FOISA. In relation to part (vii), SEPA informed Mr Dinsdale that decisions were made in line with the VS scheme selection criteria, which included details of excluded posts. In relation to part (viii), SEPA informed Mr Dinsdale that the criteria used were those published in the scheme documents.

3. On 14 July 2016, Mr Dinsdale wrote to SEPA requesting a review of its decision. He did not agree that any of the information comprised personal data. Additionally, he did not consider that adequate information had been disclosed in relation to the processes and decisions made under the criteria contained in the VS scheme documents.

4. SEPA notified Mr Dinsdale of the outcome of its review on 18 August 2016. SEPA upheld its decision that the information requested in parts (iii) and (vi) of the request was exempt from disclosure in terms of section 38(1)(b) of FOISA. SEPA also stated that no additional information was held in relation to parts (vii) and (viii) of the request.

5. On 20 September 2016, Mr Dinsdale wrote to the Commissioner. He applied to the Commissioner for a decision in terms of section 47(1) of FOISA. Mr Dinsdale disagreed with SEPA's view that some of the information comprised personal data, stating that his request related to posts and not individuals. Furthermore, he considered there was a public interest in the information being disclosed, in order to ascertain whether SEPA had followed its procedures and guidance in relation to VS.

Investigation

6. The application was accepted as valid. The Commissioner confirmed that Mr Dinsdale made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to her for a decision.

7. On 23 September 2016, SEPA was notified in writing that Mr Dinsdale had made a valid application. SEPA was asked to send the Commissioner the information withheld from Mr Dinsdale. SEPA provided the information and the case was allocated to an investigating officer.

8. At this stage, SEPA stated that it now considered the withheld information was also exempt from disclosure in terms of section 30(c) of FOISA. Some of the information supplied to the Commissioner fell within the scope of parts (vii) and (viii) of the request, despite SEPA having indicated previously to Mr Dinsdale that no additional information was held for these parts of the request.

9. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. SEPA was invited to comment on this application and answer specific questions, with reference to its handling of the request and the application of the exemptions claimed.

10. SEPA responded, providing submissions on its application of the exemptions in sections 30(c) and 38(1)(b) of FOISA.

11. Mr Dinsdale also provided submissions on the exemptions claimed.

Commissioner's analysis and findings

12. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to her by both Mr Dinsdale and SEPA. She is satisfied that no matter of relevance has been overlooked.

Section 38(1)(b) - Personal information

13. SEPA applied the exemption in section 38(1)(b) of FOISA to the personal data of VS applicants. SEPA considered disclosure of the information would breach the first data protection principle and argued that none of the conditions in Schedule 2 to the DPA could be met.

14. Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or, as appropriate, section 38(2)(b), exempts information from disclosure if it comprises "personal data" (as defined in section 1(1) of the DPA) and its disclosure would contravene one or more of the data protection principles set out in Schedule 1 to the DPA.

15. The exemption in section 38(1)(b) of FOISA is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

16. In order to rely on this exemption, SEPA must show that the information being withheld is personal data for the purposes of the DPA and that its disclosure into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles in Schedule 1.

Is the information under consideration personal data?

17. The Commissioner will firstly consider whether the information withheld is personal data. "Personal data" is defined in section 1(1) of the DPA as data which relate to a living individual who can be identified a) from those data, or b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller. (The full definition is set out in Appendix 1.)

18. Mr Dinsdale stated that he was seeking information about posts and, in his view, the identity of the individual holding that post was irrelevant. He did not agree that the public would be able to identify an individual from a post title, unless they had had dealings with SEPA and the post holder at that time.

19. However, the Commissioner is satisfied that the information highlighted by SEPA, i.e. the information under consideration concerning VS applicants, is personal data, in line with the definition in part (a) of section 1(1) of the DPA. Living individuals, i.e. those individuals who applied for VS, can be identified from this information. Given its nature (naming the individuals and including other information about their employment with SEPA), the Commissioner is satisfied that the information relates to those individuals. While it does also relate to posts, it relates too closely to the specific holders of those posts for it to be practicable to separate information about the posts from that about the individuals holding them.

Would disclosure contravene the first data protection principle?

20. As noted above, SEPA submitted that disclosing this information would breach the first data protection principle. This states that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met. The processing in this case would be making the information publicly available in response to Mr Dinsdale's request.

21. If the information were sensitive personal data, as defined in section 2 of the DPA, at least one of the conditions in Schedule 3 to the DPA would also require to be met. In this case, the Commissioner is satisfied that none of the information can be defined as sensitive personal data.

Can any of the conditions in Schedule 2 be met?

22. When considering the conditions in Schedule 2, the Commissioner has noted Lord Hope's comment in the case of Common Services Agency v Scottish Information Commissioner [2008] UKHL 47[1], that the conditions require careful treatment in the context of a request for information under FOISA. They were not designed to facilitate the release of information, but rather to protect personal data from being processed in a way that might prejudice the rights, freedoms or legitimate interests of the data subject (i.e. the person or persons to whom the data relate).

23. It appears to the Commissioner that condition 6 in Schedule 2 is the only one which might permit disclosure to Mr Dinsdale. In any event, neither Mr Dinsdale nor SEPA have suggested that any other condition would be relevant

24. Condition 6 allows personal data to be processed where that processing is necessary for the purposes of legitimate interests pursued by the data controller, or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subjects.

25. There are, therefore, a number of tests which must be met before condition 6(1) can apply. These are:

· Does Mr Dinsdale have a legitimate interest in obtaining the personal data?

· If so, is disclosure necessary to achieve those legitimate interests? In other words, is disclosure proportionate as a means and fairly balance as to ends, or could these legitimate interests be achieved by means which interfere less with the privacy of the data subjects?

· Even if disclosure is necessary for these purposes, would it nevertheless be unwarranted by reason of prejudice to the rights, freedoms or legitimate interests of the data subjects? As noted by Lord Hope in the above judgment, there is no presumption in favour of disclosure of personal data under the general obligation laid down in FOISA. The legitimate interests of Mr Dinsdale must outweigh the rights and freedoms or legitimate interest of the data subjects before condition 6 will permit the personal data to be disclosed.

26. There is no definition in the DPA of what constitutes a "legitimate interest." The Commissioner takes the view that matters in which an individual properly has an interest should be distinguished from matters about which he or she is simply inquisitive. The Commissioner's guidance on section 38 of FOISA[2] states:

In some cases, the legitimate interest might be personal to the applicant, e.g. he or she might want the information in order to bring legal proceedings. With most requests, however, there are likely to be wider legitimate interests, such as the scrutiny of the actions of public bodies or public safety.

27. SEPA confirmed that it was content that Mr Dinsdale had a legitimate interest in receiving the information.

28. In the Commissioner's view, Mr Dinsdale has a legitimate interest in obtaining the withheld information. The Commissioner is satisfied that Mr Dinsdale has demonstrated that he has a personal interest (extending beyond mere curiosity) in the content of the withheld information, specifically in informing himself about the implementation of the VS scheme.

Is disclosure necessary to achieve those legitimate aims?

29. Having concluded that Mr Dinsdale has a legitimate interest in obtaining the personal data under consideration, the Commissioner must now consider whether disclosure of the personal data is necessary to achieve those legitimate aims, or whether these legitimate aims can be achieved by means which interfere less with the privacy of the data subjects.

30. Having reviewed the withheld information, the Commissioner cannot identify any other viable means of meeting Mr Dinsdale's interests which would interfere less with the privacy of the data subjects than providing the withheld personal data. For this reason, the Commissioner is satisfied that disclosure of the information is necessary for the purposes of Mr Dinsdale's legitimate interests.

Would disclosure cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects?

31. The Commissioner is satisfied that disclosure of the withheld personal data is necessary to fulfil Mr Dinsdale's legitimate interests, but must now consider whether that disclosure would cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects. As noted above, this involves a balancing exercise between the legitimate interests of Mr Dinsdale and those of the data subjects. Only if the legitimate interests of Mr Dinsdale outweigh those of the data subjects can the information be disclosed without breaching the first data protection principle.

32. In the Commissioner's briefing on the personal information exemption, she notes a number of factors which should be taken into account in carrying out the balancing exercise. These include:

· whether the information relates to an individual's public life (i.e. their work as a public official or employee) or their private life (i.e. their home, family, social life or finances)

· the potential harm or distress that may be caused by disclosure

· whether the individual objected to the disclosure, and

· the reasonable expectations of the individual as to whether the information should be disclosed.

33. SEPA submitted that there was no expectation on the part of the data subjects that their personal data and the status of their applications under the VS scheme would be disclosed into the public domain.

34. In SEPA's view, while the names of the staff might relates to their professional lives, their names also clearly related to their personal lives, as did their ages. SEPA stated that it had a mix of staff having regular contact with the public, some of whom who would expect to provide their names to the public while others would have no such expectation.

35. Mr Dinsdale stated that, in many instances, he was already aware of the identity of the post-holders. However, in his view, the disclosure of the information would reveal nothing about their private lives.

36. Mr Dinsdale also submitted that it was in the interests of the public to ensure that the VS scheme was administered properly and with best use of public funds.

37. Mr Dinsdale also provided an additional explanation of why the information was important to him. The Commissioner is unable to reproduce his exact reasons here; suffice to say they are very personal to Mr Dinsdale. They relate to matters which are of obvious personal importance to him.

38. The Commissioner has considered all of the submissions made to her when balancing the legitimate interests in this case.

39. The Commissioner does not agree with Mr Dinsdale's view that the disclosure of the information would reveal nothing about the data subjects' private lives. While the roles these individuals perform relate to their professional lives, the fact that they have applied for voluntary redundancy and other information concerning their ages and remuneration clearly relates also to their personal lives.

40. In the Commissioner's view, there would be no expectation on the part of the data subjects that personal information of this nature would be disclosed into the public domain, in response to a request made under FOISA. She accepts that this information relates to those individuals' private lives and, in all the circumstances, is satisfied that its disclosure into the public domain would have genuine potential to cause considerable distress to those data subjects.

41. The Commissioner accepts that Mr Dinsdale has strong (and understandable) personal reasons for requiring disclosure of the personal information. However, she must approach this question on the basis that disclosure under FOISA would be to the world at large and not just to Mr Dinsdale. Having considered the competing interests in this particular case, she find that Mr Dinsdale's legitimate interests are outweighed by the prejudice that would be caused to the data subjects' rights, freedoms and legitimate interests. Consequently, the Commissioner is satisfied that the requirements of condition 6 of Schedule 2 to the DPA cannot be met in this case.

42. Given this conclusion, the Commissioner finds that there is no condition in Schedule 2 to the DPA which would permit disclosure of the information. In the absence of a condition permitting disclosure, that disclosure would be unlawful. Consequently, the Commissioner finds that disclosure of the information would breach the first data protection principle and that the information is therefore exempt from disclosure (and was properly withheld) under section 38(1)(b) of FOISA.

43. The Commissioner will now go on to consider SEPA's application of the exemption in section 30(c) of FOISA to the remaining withheld information (i.e. that information which does not comprise the personal data of any individuals).

Section 30(c) - Prejudice to effective conduct of public affairs

44. Section 30(c) of FOISA exempts information if its disclosure "would otherwise prejudice substantially, or be likely to prejudice substantially, the effective conduct of public affairs". The word "otherwise" distinguishes the harm required from that envisaged by the exemptions in section 30(a) and (b). This is a broad exemption and the Commissioner expects any public authority applying it to show what specific harm would (or would be likely to) be caused to the conduct of public affairs by disclosure of the information, and how that harm would be expected to follow from disclosure. The exemption (if found to be engaged) is also subject to the public interest test in section 2(1)(b) of FOISA.

45. SEPA submitted that disclosure of this information would limit its ability to conduct its business effectively in relation to the future use of its VS scheme.

46. SEPA stated that it had made a commitment to support the Scottish Government's policy of no compulsory redundancies in the public sector; this meant it had to rely on VS to make any sustainable reduction in workforce costs and support organisational change.

47. SEPA stated that all applications for VS were treated in the strictest confidence, with only authorised members of Human Resources, Finance and senior management given access to the names of applicants and the associated costs. SEPA submitted that if fewer, or no, staff applied for VS in future, this would substantially prejudice its ability to delete posts and realise sustainable workforce savings. In SEPA's view, if it was unable to manage its workforce to ensure that the right people were employed in the right places, this would substantially prejudice its ability to deliver its statutory purpose and strategic outcomes.

48. Mr Dinsdale disagreed that his request for information was business critical, or that it would be likely to deter staff from applying for VS. He did not consider that SEPA had demonstrated how disclosure of the information would harm the effective conduct of public affairs. In his view, the exemption was possibly being used by SEPA in order to avoid admitting that it had not kept proper records of meetings and decisions.

49. Mr Dinsdale did not believe there was any significant probability that SEPA's ability to delete posts would be substantially prejudiced by disclosure of the information and submitted that its assertion fell under the heading "remote or hypothetical possibility".

The Commissioner's view

50. The Commissioner has considered the content of the information withheld under this exemption, along with both SEPA's and Mr Dinsdale's submissions on the exemption.

51. The information under consideration comprises communications and discussion within SEPA of the practicalities of implementing its VS selection process. In the Commissioner's view, the information is uncontentious and reflects the criteria and terms contained in SEPA's VS scheme documentation.

52. The Commissioner is not persuaded that disclosure of this information would dissuade any potential applicants from applying for VS in the future. Accordingly, she does not accept that disclosure would, or would be likely to, result in the consequences envisaged by SEPA in the way of an inability to deliver its statutory purpose and strategic outcomes.

53. In all the circumstances, the Commissioner is unable to conclude that there would be any substantial prejudice to the effective conduct of public affairs by disclosure of this information. Accordingly, she does not accept that SEPA was correct to withhold this information under the exemption in section 30(c) of FOISA. The Commissioner now requires SEPA to disclose this information to Mr Dinsdale.

54. With this decision, the Commissioner will provide SEPA with a marked up copy of the withheld information, which will indicate the information to be disclosed.

Additional comment on SEPA's handling of the request

55. As noted above, SEPA informed Mr Dinsdale that it held no additional information in relation to parts (vii) and (viii) of the request, beyond that contained in the scheme documents. However, SEPA subsequently provided additional information to the Commissioner which fell within the scope of these parts of the request and which were not contained in the scheme documents.

56. By failing initially to identify all of the information which fell within the scope of Mr Dinsdale's request, the Commissioner finds that SEPA breached Part 1 of FOISA, in particular section 1(1), when responding to Mr Dinsdale's requirement for review.

Decision

The Commissioner finds that the Scottish Environment Protection Agency (SEPA) partially complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by Mr Dinsdale.

The Commissioner finds that SEPA correctly withheld information comprising personal data under section 38(1)(b) of FOISA., but was not entitled to withhold the remaining information under section 30(c) of FOISA. In withholding this information, it breached section 1(1) of FOISA

The Commissioner therefore requires SEPA to disclose the information which was incorrectly withheld by 6 March 2017.

Appeal

Should either Mr Dinsdale or the Scottish Environment Protection Agency wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Enforcement

If the Scottish Environment Protection Agency (SEPA) fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that SEPA has failed to comply. The Court has the right to inquire into the matter and may deal with SEPA as if it had committed a contempt of court.

Margaret Keyse
Head of Enforcement

18 January 2017

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

30 Prejudice to effective conduct of public affairs

Information is exempt information if its disclosure under this Act-

(c) would otherwise prejudice substantially, or be likely to prejudice substantially, the effective conduct of public affairs.

 

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

Schedule 1 - The data protection principles

Part I - The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a) at least one of the conditions in Schedule 2 is met, and

Schedule 2 - Conditions relevant for purposes of the first principle: processing of any personal data

...

6. (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

[1] http://www.publications.parliament.uk/pa/ld200708/ldjudgmt/jd080709/comm-1.htm

[2] http://www.itspublicknowledge.info/Law/FOISA-EIRsGuidance/section38/Section38.aspx