Decision 012/2009 Mr John Young and North Lanarkshire Council

Posts graded as NLC9 and NLC10

Reference No: 200801365
Decision Date: 13 February 2009

Summary

Mr Young asked North Lanarkshire Council (the Council) to provide a list of all posts graded as NLC9 and NLC10 as a result of Job Evaluation within the Council. The Council withheld the information under the exemption in section 38(1)(b) of the Freedom of Information (Scotland) Act 2002 (FOISA), which allows public authorities to withhold personal data if the disclosure of the information would breach any of the data protection principles contained in the Data Protection Act 1998 (the DPA). Following a review, Mr Young remained dissatisfied and applied to the Commissioner for a decision.

Following an investigation, the Commissioner found that the Council had failed to deal with Mr Young's request for information in accordance with Part 1 of FOISA, by wrongly withholding the information under section 38(1)(b). He required the Council to provide Mr Young with the information he had requested.

Relevant statutory provisions and other sources

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1) and (2)(e) (Effect of exemptions) and 38(1)(b), (2)(a)(i) and (b) (Personal information)

Data Protection Act 1998 (DPA) sections 1(1) (Basic interpretative provisions) (definition of personal data) and 4(4) (The data protection principles); Schedules 1 (The data protection principles) (the first data protection principle) and 2 (Conditions relevant for purposes of the first principle: processing of any personal data: condition 6)

The full text of each of the statutory provisions cited above is reproduced in the Appendix to this decision. The Appendix forms part of this decision.

Background

1.On 15 July 2008, Mr Young submitted the following request for information to the Council by email:

A list of all posts currently graded as NLC9 and NLC10 as a result of Job Evaluation within North Lanarkshire.

2.The Council responded on 8 August 2008, and advised Mr Young that the information he sought was personal data, the disclosure of which would contravene the data protection principles; the Council therefore considered the information to be exempt under section 38 of FOISA.

3.On 11 August 2008, Mr Young sent an email to the Council requesting a review of its decision.He made it clear that he was not seeking to identify individuals in asking for a list of the job titles currently evaluated as either NLC9 or NLC10.

4.The Council notified Mr Young of the outcome of its review on 8 September 2007. The Council provided further explanation of its view that the information constituted personal data which was exempt from disclosure under section 38(1)(b) of FOISA.

5.On 16 September 2008, Mr Young wrote to the Commissioner, stating that he was dissatisfied with the outcome of the Council's review and applying to the Commissioner for a decision in terms of section 47(1) of FOISA.

6.The application was validated by establishing that Mr Young had made a request for information to a Scottish public authority and had applied to the Commissioner for a decision only after asking the authority to review its response to that request.

Investigation

7.On 8 October 2008, the Council was notified in writing that an application had been received from Mr Young and was asked to provide the Commissioner with any information withheld from the applicant. The Council provided a copy of the information on 15 October 2008.

8.The case was then allocated to an investigating officer who subsequently contacted the Council, giving it an opportunity to provide comments on the application (as required by section 49(3)(a) of FOISA) and asking it to respond to specific questions. In particular, the Council was asked whether, after taking account of other available information, it would be possible to identify individual employees from their job titles.The Council was also asked what the gradings were used for, and whether the grading revealed any information about the post-holder's salary.

9.On 11 November 2008, the Council provided the investigating officer with its comments and answers to the questions raised.

10.The Council advised that it was likely that individual employees could be identified by a person to whom the information was disclosed, from their job titles and other available sources of information (such as the Council's internal telephone directory).In relation to the gradings, the Council advised that each grading constitutes a [salary] scale containing a varying number of points.Knowledge of an employee's grading would not allow their precise salary to be known, but would provide information about the range within which their salary was located.

Commissioner's analysis and findings

11.In coming to a decision on this matter, the Commissioner has considered all of the withheld information and the submissions made to him by both Mr Young and the Council and is satisfied that no matter of relevance has been overlooked.

12.The exemption under section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or (as appropriate) section 38(2)(b), provides that information is exempt information if it constitutes personal data (as defined in section 1(1) of the DPA) and its disclosure to a member of the public otherwise than under FOISA would contravene any of the data protection principles contained in the DPA. This is an absolute exemption and therefore is not subject to the public interest test laid down by section 2(1)(b) of FOISA.

13.In order for a public authority to rely on this exemption, it must therefore show firstly that the information which has been requested is personal data for the purposes of the DPA, and secondly that disclosure of the information would contravene at least one of the data protection principles laid down in the DPA.

14.In this case, the Council has argued that the information requested by Mr Young is personal data, and that its disclosure would breach the first data protection principle

Is the information withheld personal data?

15.The Commissioner first considered whether the information withheld constituted personal data as defined by the Data Protection Act 1998 (the DPA); that is, data which relate to a living individual who can be identified from those data or from those data and other information which is in the possession of, or likely to come into the possession of, the data controller.The full definition of personal data is set out in the Appendix to this decision.

16.The Commissioner notes Mr Young's assurance that he was not looking to identify individuals, in requesting the list of posts grade NLC9 and NLC10.However, should the officers who hold the posts requested by Mr Young be identifiable, the information under consideration reveals that those individuals are employed at a particular grade, which attracts a salary at a certain level.Such information relates to the lives of those individuals and their financial affairs in a significant sense.

17.Irrespective of Mr Young's purpose in making his request, information disclosed under FOISA is understood to be accessible by any member of the public, and the Commissioner must therefore consider whether individual Council officers could be identified from the list of posts, if these were to be disclosed; if so, the Commissioner accepts that the information falls within the definition of personal data in the DPA.

18.The Commissioner accepts that, in relation to the posts graded NLC9 and NLC10, it would generally be possible for a member of the public to identify individual officers from their job title, through enquiry to the Council or by other means.The names of Council officers at this level are commonly published or provided on request.Although the list of posts withheld does not specify whether the job title is common to more than one officer, the Commissioner accepts that it is likely that a complete list of the individuals represented by the information withheld could be obtained.

19.This being so, the Commissioner accepts that the information withheld constitutes the personal data of the holders of the posts that are graded as NLC9 and NLC10.

20.The Commissioner is aware that, in coming to this decision, he has taken a different view from previous decisions, in which he found, for example, that information relating to a person's job description did not relate to the individual in question, but to the actual post itself.However, he is satisfied that, in the circumstances of this case, the list of posts sought by Mr Young does amount to personal data.

Would disclosure breach the first data protection principle?

21.The first data protection principle states that personal data shall be processed fairly and lawfully. It also states that personal data shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met and, in the case of sensitive personal data, at least one of the conditions in Schedule 3 of the DPA is also met. The Commissioner is satisfied that the information withheld is not sensitive personal data and so he is not required to consider whether any of the conditions in Schedule 3 to the DPA can be met.

22.The Commissioner considers that only condition 6(1) of Schedule 2 of the DPA might be considered to apply in this case. Condition 6(1) allows personal data to be processed (in this case, disclosed in response to Mr Young's information request) if disclosure of the data is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

23.There are a number of tests which must be considered before condition 6(1) can apply:

? Does Mr Young have a legitimate interest in having this personal data?

? If so, is the disclosure necessary to achieve those legitimate aims? (In other words, is disclosure proportionate as a means and fairly balanced as to ends or could these legitimate aims be achieved by means which interfere less with the privacy of the data subjects?)

? Even if disclosure is necessary for the legitimate purposes of the applicant, would disclosure nevertheless cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects? This will involve a balancing exercise between the legitimate interests of Mr Young and those of the data subjects. Only if the legitimate interests of Mr Young outweigh those of the data subjects can the personal data be disclosed.

24.Mr Young has explained that he is seeking to identify all the posts graded as NLC9 and NLC10 to enable him to collate information for an equal pay claim or equal work for equal pay claim. The Commissioner is satisfied that Mr Young has demonstrated a legitimate interest in the personal data withheld.

25.The second test is whether disclosure is necessary for those legitimate interests. In this case the Commissioner, in taking account of the specific information requested by Mr Young, is satisfied that disclosure is proportionate and that the aims of Mr Young cannot be achieved by any other means which would interfere less with the privacy of the employees in question.It should be stated that the Commissioner does not consider the employees' privacy would be affected to any significant degree by disclosure of the list of job titles.

26.The Commissioner must now consider whether disclosure would nevertheless cause unwarranted prejudice to the rights, freedoms and legitimate interests of the employees in relation to the information withheld. As noted above, this will involve a balancing exercise between the legitimate interests of Mr Young and those of the employees. Only if the legitimate interests of Mr Young outweigh those of the employees can information about their job titles be disclosed without breaching the first data protection principle.

27.The (UK) Information Commissioner considers the question of fairness in his Freedom of Information Act Awareness Guidance No 1 ? Personal Data[1].The guidance distinguishes between information relating to an individual's private and public lives, suggesting that information about an individual acting in an official or work capacity is less likely to deserve protection.

28.This guidance includes examples of the types of question which should be asked when assessing whether the disclosure of personal data (which would be a form of processing) would be fair.These sample questions are set out below.They are useful tools in considering the rights, freedoms and legitimate interests of the employees in question.

a.Would disclosure cause unnecessary or unjustified distress or damage to the person who the information is about?

b.Would the third party expect that his or her information might be disclosed to others? Is disclosure incompatible with the purposes for which it was obtained?

c.Has the person been led to believe that his or her information would be kept secret?

d.Has the third party expressly refused consent to disclosure of the information?

e.Does the legitimate interest of a member of the public seeking information about a public authority, including personal information, outweigh the rights, freedoms and legitimate interests of the data subject?

29.The guidance referred to above is supplemented by the Information Commissioner's Data Protection Technical Guidance: Freedom of Information ? Access to information about public authorities' employees. In considering the expectations of the employees concerned regarding disclosure, this document states that more senior staff and those carrying out public functions should expect more information about them to be disclosed.

30.The Commissioner notes that the gradings for NLC9 and NLC10 fall midway within the NLC scale and typically apply to managers, assistant managers, team leaders and other professional officers.The Commissioner does not find that the privacy of the employees would be greatly infringed if their identities were discovered through disclosure of the list of post titles, given that at this level of seniority, the identity of Council officers is information which is generally readily obtainable by enquirers or is otherwise published.

31.The Council has argued that disclosure of the list of posts graded NLC9 and NLC10 is unwarranted by reason of prejudice to the rights, freedoms and legitimate interests of the data subject in privacy with regard to their financial affairs.The Council has had regard to guidance issued by the Information Commissioner[2] which advises that salary information about a job constitute personal data "relating to" the employee in that post.

32.The Council has advised that the grades NLC9 and NLC10 each represent a salary scale, with a varying number of points on the scale.The Council acknowledges that disclosure of a grading alone will not disclose the post-holder's exact salary; it will, however, indicate the range within which the individual's salary is located.

33.The Commissioner accepts that salary details relating to an individual constitute that individual's personal data.However, he does not find that the rights, freedoms and legitimate interests of the data subjects would be prejudiced by disclosing information which would indicate the salary scale on which they are placed.The Commissioner notes that such information about is openly published when recruiting staff, and that the precise salary paid to each employee would not be obtainable from information about the salary scale.

34.After balancing the legitimate interests of Mr Young against the rights, freedoms or legitimate interests of the Council employees, the Commissioner is satisfied that the processing of the data would not be unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the post-holders concerned.

35.The Commissioner, being satisfied that the three tests as set out at paragraph 22 above are fulfilled, finds that the processing is permitted by condition 6(1) of Schedule 2 to the DPA.

36.The Commissioner must, in addition, consider whether the disclosure is otherwise unfair or unlawful. The Commissioner is satisfied that the disclosure of the information would not be unfair, for the reasons outlined above in relation to condition 6(1). Given that the Council did not put forward any arguments as to why the disclosure of the information would be unlawful (other than in terms of a breach of the data protection principles ? section 4(4) of the DPA imposes a duty on data controllers to comply with the data protection principles), the Commissioner is satisfied that the disclosure of the data under FOISA would not breach the first data protection principle.

37.Having found that disclosure would not breach the first data protection principle, the Commissioner does not accept that the information requested is exempt from disclosure under section 38(1)(b) of FOISA.

38.The Commissioner requires the Council to provide Mr Young with the lists of posts graded at NLC9 and NLC10.

DECISION

The Commissioner finds that North Lanarkshire Council failed to comply with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by Mr John Young, by wrongly withholding the information under section 38(1)(b).

The Commissioner therefore requires North Lanarkshire Council to provide Mr Young with the information requested, by Tuesday 31 March 2009.

Appeal

Should either Mr Young or North Lanarkshire Council wish to appeal against this decision, there is an appeal to the Court of Session on a point of law only.Any such appeal must be made within 42 days after the date of intimation of this decision notice.

Kevin Dunion
Scottish Information Commissioner
13 February 2009

Appendix

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that ?

(a) the provision does not confer absolute exemption; and

(b) in all the circumstances of the case, the public interest in disclosing the information is not outweighed by that in maintaining the exemption.

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption ?

?

(e) in subsection (1) of section 38 ?

?

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

38 Personal information

(1) Information is exempt information if it constitutes-

?

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

?

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

?

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires ?

?

"personal data" means data which relate to a living individual who can be identified ?

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

?

4 The data protection principles

?

(4) Subject to section 27(1), it shall be the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller.

Schedule 1 ? The data protection principles

Part I ? The principles

1 Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless ?

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

?

Schedule 2 ? Conditions relevant for purposes of the first principle: processing of any personal data

...

6(1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

---