Decision 008/2025: Specified report sent by a named Detective Inspector
Authority: Chief Constable of the Police Service of Scotland
Case Ref: 202201408
Summary
The Applicant asked the Authority for a specified report sent by email from a named Detective Inspector to a named Chief Inspector. The Authority considered that the request was for the Applicant’s own personal data and responded to the request under the UK GDPR/DPA 2018 and stated that the information requested was not held. During the investigation, the Authority located information relevant to the request. The Commissioner investigated and found that the Authority failed to comply with Part 1 of FOISA in responding to the request. He required the Authority to issue the Applicant with a review outcome and, if it considered any of the information it identified to be exempt from disclosure under FOISA as the Applicant’s own personal data, to provide him with advice and assistance on how to make a subject access request (SAR) under the UK GDPR/DPA 2018 for that information.
Relevant statutory provisions
Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) (General entitlement); 15(1) (Duty to provide advice and assistance); 16(1) and (6) (Refusal of request); 17(1) (Notice that information is not held); 19 (Content of certain notices); 38(1)(a) (Personal information); 47(1) and (2) (Application for decision by Commissioner)
UK General Data Protection Regulation (the UK GDPR) Articles 4(1) and 15(1)
Data Protection Act 2018 (the DPA 2018) sections 3(2) and (3)
Background
1. On 6 September 2022, the Applicant made a request for information to the Authority. He completed the Authority’s template Subject Access Request (SAR) form, stated that he was making a SAR and asked the Authority to provide him with a copy of a specified report sent by a named Detective Inspector to a named Chief Inspector.
2. By way of background to his request, the Applicant explained that he had previously provided the Authority with an evidence folder which he described as including “allegations of the serious crimes of perjury and perverting the course of justice for the police to investigate”. He referred to this as an “enhanced evidence folder” and he enclosed numbered documents with his request to assist the Authority in identifying the specified report he requested.
3. The Authority responded on 7 October 2022. It informed the Applicant that it was responding to his request in accordance with his legal rights as set out in Article 15 of the UK GDPR and section 45 of the DPA 2018 and stated that it did not hold the information requested.
4. On 10 October 2022, the Applicant wrote to the Authority requesting a review of its decision. The Applicant stated that he was dissatisfied with the decision because he believed the Authority did hold the information requested.
5. The Authority notified the Applicant of the outcome of its review on 13 October 2022, which fully upheld its original response. It explained that it had contacted the Detective Inspector named in the request who had explained that there was no report as such, but they had sent a short email to the Chief Inspector named in the request. They stated that the email had been relayed to the Applicant previously and that they no longer held the email, as it was dated over 18 months ago.
6. On 6 December 2022, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. He stated that he was dissatisfied with the outcome of the Authority’s review because he believed the information requested was held by the Authority.
Investigation
7. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.
8. On 29 March 2023, and in line with section 49(3)(a) of FOISA, the Commissioner gave the Authority notice in writing of the application and invited its comments.
9. The Authority provided its comments. It explained why it had responded to the Applicant’s request as a SAR under the UK GDPR/DPA 2018 but added that if the Commissioner considered the request fell within the scope of FOISA then its position would be that it did not hold the information requested.
10. The case was subsequently allocated to an investigating officer.
11. During the investigation, the Authority was invited to provide further comments on how it established that it did not hold any recorded information falling within scope of the Applicant’s request. The Applicant was also invited to provide further comments on why he believed the information requested was held by the Authority. Both the Applicant and the Authority provided comments.
12. The Authority responded on 27 November 2024 and confirmed that, following more extensive searches, it had located the information requested by the Applicant. The Authority provided the information to the Commissioner for the purposes of his investigation.
Commissioner’s analysis and findings
13. The Commissioner has considered all the submissions made to him by the Applicant and the Authority.
FOISA or DPA?
14. The Commissioner must decide whether the Authority responded to the Applicant’s request for information in accordance with Part 1 of FOISA.
15. Section 38(1)(a) of FOISA contains an absolute exemption in relation to personal data of which the applicant is the data subject. (The fact that it is absolute means that it is not subject to the public interest test set out in section 2(1) of FOISA.)
16. This exemption exists under FOISA because individuals have a separate right to make a request for their own personal data and this route is more appropriate for individuals accessing their personal data, as it ensures that the information is disclosed only to the individual. (Information disclosed under FOISA is considered to be disclosed into the public domain.)
17. Section 38(1)(a) of FOISA does not deny individuals a right to access to information about themselves but ensures that the right is exercised under the correct legislation (the UK GDPR/DPA 2018) and not under FOISA.
18. The Commissioner notes that in responding to the Applicant’s request and requirement for review, the Authority made no reference to any provision in FOISA and dealt with the request under the UK GDPR/DPA 2018.
19. The Commissioner has issued guidance on section 38 of FOISA, and, in particular, the actions that should be taken by a Scottish public authority when it receives a request where someone asks for their own personal data.
20. The Commissioner's briefing is clear that, even if an authority considers a request is for the applicant's own personal data, it should issue a refusal notice in terms of section 16 of FOISA: failure to do so is a failure to comply with Part 1 of FOISA.
21. The Authority explained that the Applicant’s request was processed as a SAR as it assumed that the report requested, if held, would contain the personal information of the Applicant in view of the information he had provided as part of his completed SAR template form. It commented that it was “somewhat confused” as to why the request was now deemed a request under FOISA as it was clear that the Applicant’s intention was to submit a SAR.
22. The Commissioner accepts that this case is not straightforward. However, until it identified relevant information during the investigation, the Authority’s position was that it did not hold the information requested. In view of that, and taking into account the terms of the request, it would appear likely at the time the Authority responded to the request that the information requested would have comprised a mixture of information – not simply the Applicant’s own personal data.
23. In this case, therefore, the Commissioner considers that the Applicant made a valid request under section 1(1) of FOISA for information held by the Authority. The Commissioner understands why the Authority responded under the UK GDPR/DPA2018 solely, particularly given the Applicant expressly stated he was making a SAR (which he made using the Authority’s template SAR form). However, given that the Applicant’s request met all the requirements of section 8(1) of FOISA, and sought information which had at least the potential to extend beyond the Applicant’s own personal data, the Authority had a duty to provide the Applicant with a response which complied with section 16 of FOISA.
24. Section 16(1) of FOISA states that where an authority holds information which is subject to a request under section 1(1) of FOISA, and which it intends to withhold under any exemption, the authority must give the applicant notice in writing to the effect that the information is held and specify which exemption it considers applies to the information (with reasons).
25. Section 16(6) of FOISA also makes it clear that a notice in terms of section 16(1) is subject to section 19 of FOISA, which requires the authority to include details of their right to seek a review and to apply to the Commissioner.
26. The Commissioner notes that (although it held information falling within the scope of the request) the Authority’s response to the Applicant’s request for information did not comply with the requirements of section 16(1) and section 19 of FOISA. It did not specify which exemption in FOISA permitted it to withhold the information under FOISA and, although it provided details of appeal rights, these related to the Applicant’s rights under the UK GDPR/DPA 2018.
27. In conclusion, the Commissioner finds that the Authority failed to comply with the technical requirements of sections 16 and 19 of FOISA, as outlined above, in responding to the Applicant’s request for information.
Section 17(1) – Notice that information is not held
28. As rehearsed earlier, the Authority stated that if the Commissioner considered the Applicant’s request fell within the scope of FOISA then its position would be that it did not hold the information requested.
29. However, during the investigation, the Authority confirmed that it had located information relevant to the Applicant’s information request. The Commissioner must therefore find that the Authority was not entitled to rely on section 17(1) of FOISA and that it failed to comply with section 1(1).
30. The Commissioner requires the Authority to issue the Applicant with a review outcome in terms of section 21 of FOISA. When issuing its review outcome, the Authority must give the Applicant notice in writing to the effect that the information is held and, if it intends to withhold it, to specify which exemption(s) it considers applies to the information (with reasons).
31. If the Authority considers that the information is exempt, either in whole or part, under section 38(1)(a) of FOISA on the basis that it is the Applicant’s own personal data, it should provide him with advice and assistance, in line with section 15 of FOISA, on how to make a SAR under the UK GDPR/DPA 2018 for that information.
Decision
The Commissioner finds that the Authority failed to comply with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant by failing to provide a refusal notice under section 16(1) of FOISA and by failing to identify, until during the investigation, information relevant to his request.
The Commissioner therefore requires the Authority to issue the Applicant with a review outcome, in terms of section 21 of FOISA, to consider the information it identified during the investigation for disclosure under FOISA and, if it considers any of the information to be exempt, in whole or in part, under section 38(1)(a), to provide the Applicant with advice and assistance on how to make a SAR under the UK GDPR/DPA 2018 for that information.
The Commissioner requires the Authority to take the above action, by 7 March 2025.
Appeal
Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.
Enforcement
If the Authority fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that the Authority has failed to comply. The Court has the right to inquire into the matter and may deal with the Authority as if it had committed a contempt of court.
Euan McCulloch
Head of Enforcement
21 January 2025
