Home Decisions

Decision 015/2020

Decision 015/2020: Qualifications of interview candidates

Public authority: Moray Council
Case Ref: 201901069

Summary

The Council was asked for the names of the two separate degrees held by candidates shortlisted for interview for the post of Senior Health and Safety Advisor.

The Council withheld this information arguing that it was personal data of the candidates and was provided in confidence.

The Commissioner found that the Council had wrongly withheld the information and required the Council to disclose it.


Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (4) and (6) (General entitlement); 2(1)(a) and 2(e)(ii) (Effect of exemptions); 36(2) Confidentiality; 38(1)(b), (2A), (5) (definitions of "the data protection principles", "data subject", "the GDPR", "personal data" and "processing") and (5A) (Personal information)

General Data Protection Regulation (the GDPR) Articles 5(1)(a) (Principles relating to the processing of personal data); 6(1)(f) (Lawfulness of processing)

Data Protection Act 2018 (the DPA 2018) section 3(2), (3), (4)(d), (5) and (10) (Terms relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.


Background

1. On 14 February 2019, the Applicant made a request for information to Moray Council ( the Council). This request was updated on 21 February 2019. The information requested related to the recruitment of a Senior Health and Safety Advisor and the Applicant asked for the following information:

a) How many applicants were selected for interview?

b) Did all the applicants selected for interview have 2 separate degrees - as required by the "Essential" criteria?

c) If the answer to Q2 above is no, how many of the applicants have 2 separate degrees?

d) For the applicants selected for interview - what were the names of the 2 separate degrees held by them? (i.e. - a Degree in Nursing, etc).

e) Did all the applicants selected for interview also have CMIOSH [Chartered Member of the Institution of Occupational Safety and Health] (or equivalent)?

f) Was the successful candidate already a Council employee?

g) What was the official decision not to offer me an interview?

2. The Council provided a response to the Applicant on 27 February 2019. It disclosed some information to him, but it failed to provide a response to parts d) and e) of his request.

3. Following the submission of a requirement for review on 28 February 2019, where he explained that the Council had failed to respond to all parts of his request, the Applicant received a further response from the Council on 22 March 2019. In this response, the Council sought to withhold recorded information it held in response to parts d) and e) of the request, arguing that this information could be used to identify individuals and was exempt under section 38(1)(b) of FOISA.

4. On 1 April 2019, the Applicant wrote to the Council, requesting a review of its decision on the basis that he was dissatisfied with the responses to parts b), c), d) and e) of his request. In relation to the information which would fulfil parts d) and e) of his request, the Applicant argued that disclosure of the information could in no way identify an individual.

5. The Council notified the Applicant of the outcome of its review on 25 April 2019. In its response, the Council provided information and context in relation to part b) of the request. The Council considered the provision of this clarification should lead to the Applicant being satisfied with its original response to part c). The Council continued to rely on the exemption in section 38(1)(b) of FOISA for information which would fulfil part d) of the request, as it contended that disclosure could identify individuals. In addition, the Council applied section 36(2) of FOISA (Confidentiality) to this part, because the applicants provided this information to the Council in confidence and would not expect their personal details to be disclosed to third parties. The Council no longer sought to rely on an exemption for information covered by part e) of the Applicant's request and so provided information in response.

6. In its review response, the Council also recognised that it should not have processed part g) of the request under FOISA, and should instead have responded to this in line with the Data Protection Act.

7. On 24 June 2019, the Applicant wrote to the Commissioner. The Applicant applied to the Commissioner for a decision in terms of section 47(1) of FOISA. The Applicant stated he was dissatisfied with the outcome of the Council's review because he did not consider the Council's application of exemptions in sections 36 and 38(1)(b) of FOISA for information covering part d) of his request to be appropriate. The Applicant asserted that there was no way at all that anyone could identify the names of individuals.


Investigation

8. The application was accepted as valid. The Commissioner confirmed that the Applicant made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

9. On 19 August 2019, the Council was notified in writing that the Applicant had made a valid application and the case was allocated to an investigating officer.

10. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Council was invited to comment on this application and to answer specific questions. These related to the exemptions the Council considered applicable to the withheld information. The Council was also asked to send the Commissioner the information withheld from the Applicant.


Commissioner's analysis and findings

11. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both the Applicant and the Council. He is satisfied that no matter of relevance has been overlooked.

Section 38(1)(b) - Personal information

12. The Council withheld the names of the two separate degrees held by the candidates selected for interview for the post of Senior Health and Safety Advisor. The Council considered this information could be used to identify individuals and was therefore exempt.

13. In his requirement for review and application, the Applicant expressed dissatisfaction with the Council's decision to withhold this information, as he was of the view that providing a response to part d) of his request would in no way identify an individual.

14. The Commissioner must decide whether the Council was correct to withhold the names of the two separate degrees held by the candidates shortlisted for interview, from the Applicant, under section 38(1)(b). He will consider whether the tests required for section 38(1)(b) to apply have been met.

Is this information personal data?

15. Section 38(1)(b), read in conjunction with section 38(2A)(a) or (b) (the exemption applied by the Council), exempts information from disclosure if it is "personal data" and its disclosure would contravene any of the data protection principles in Article 5 of the GDPR or (where relevant) in the DPA 2018.

16. The first point the Commissioner must consider is whether the information is personal data in terms of section 3(2) of the DPA 2018.

17. "Personal data" is defined in section 3(2) of the DPA 2018 as "any information relating to an identified or identifiable living individual." Section 3(3) of the DPA 2018 defines "identifiable living individual" as "a living individual who can be identified, directly or indirectly, in particular by reference to -

(i) an identifier such as a name, an identification number, location data or an online identifier, or

(ii) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual."

18. Information will "relate" to a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them, or has them as its main focus.

19. An individual is "identified" or "identifiable" if it is possible to distinguish them from other individuals.

20. In its submissions, the Council argued that, given the highly specialised area of work and small professional community in its area, it was highly likely that there would be familiarity among those professionals, meaning a significant risk of some personal information already being known to the Applicant and among this community.

21. The Council was also of the view that both current employers and, following receipt of a job application (which would contain their qualifications), potential employers would have access to a significant amount of personal information about these candidates. The Council also identified potential that other health and safety professionals within this community were likely to be in possession of relevant personal information. In all of these contexts, the Council considered the withheld information to be information "that can be used 'in combination' with the qualifications to determine the identity of the interviewees." As such, the Council considered the likelihood of identification as a result of disclosure of the withheld information to be realistic, in line with the test set out in Breyer v Bundesrepublik Deutschland (see below). The Council argued that it was "… because this link can be made between the individuals and the names of the degrees being provided that the names of degrees held by the applicants are indeed personal information."

22. In his submissions to the Commissioner, the Applicant has been quite clear that he does not accept that disclosure of the names of the degree qualifications held could lead to identification of an individual. The Applicant commented that there were approximately 95,000 people in Moray, so it was certainly not a small community, and candidates had applied from outwith Moray (such as himself). The Applicant explained that he only requested this information as the job specification required "Degree in relevant discipline (or equivalent), Chartered membership of IOSH or demonstrable equivalent, NEBOSH diploma (or equivalent)." He was very clear in his submissions to the Commissioner that he had no interest in discovering who these people were.

23. In the case of Breyer v Bundesrepublik Deutschland [1] the Court of Justice of the European Union looked at the question of identification. The Court took the view that the correct test to consider is whether there is realistic prospect of someone being identified. When making that determination, account can be taken of information in the hands of a third party. However, there must be a realistic causal chain - if the risk of identification is insignificant, the information will not be personal data.

24. Although the Breyer decision was made before the GDPR and the DPA 2018 came into force, the Commissioner expects that the same rules will apply now. Recital (26) of the GDPR bears this out and confirms that data should be considered anonymous (and therefore no longer subject to the GDPR) when the data subject(s) is/are no longer identifiable.

25. Having considered the withheld information and the Council's submissions, the Commissioner is not satisfied that the names of degrees held by the shortlisted candidates is personal data, as defined in section 3(2) of the DPA 2018. The Commissioner does not accept that a living individual can be identified, directly or indirectly, from the names of the degree qualifications requested.

26. The Commissioner does not agree that it is possible to identify an individual(s) directly from a list of degree qualifications. This information relates to the name(s) of a course of study and on its/their own would not relate to an individual, and nor would it be possible to identify an individual who had completed this course of study.

27. In seeking to determine whether it is possible for individuals to be identified indirectly from the names of degrees withheld, the Commissioner has taken into account the number of Health and Safety professionals located in the immediate area. Information from the Institute of Occupational Safety and Health (IOSH) website states that it has over 4,000 members in Scotland. Of those, 300 are registered within the Highlands and Islands area and over 900 IOSH members are located throughout the North East of Scotland (membership of this body, or equivalent, was one of the essential criteria for the post). So, even if, as is possible, all candidates came from the immediate area, it would be necessary for current or previous employers and Health and Safety professionals (never mind the wider public) to have awareness of and access to the qualifications of several hundred individuals, as a minimum, to enable them to identify the individuals in this case.

28. In any event, the Council has provided no evidence to support the assertion that the professional community in question needs to be limited geographically, so it is possible that the number of registered IOSH members whose qualifications would need to be known would be far higher. Indeed, it seems highly unlikely that the pool of selected candidates would be limited geographically, raising the prospect that a far wider professional community could quite realistically be relevant. Whilst it may be possible that some employers might be able to identify the individuals, the Commissioner considers the likelihood of this to be remote. Given the number of IOSH members, the Commissioner does not agree that disclosure of the qualifications held by the candidates shortlisted for interview would lead to there being a realistic prospect of their holders being identified. Individuals may be able to confirm that they, or those they know, were among the shortlisted candidates, but they would know that anyway: disclosure of the withheld information would not contribute to identification.

29. In this case, therefore, taking into account all of the circumstances, the Commissioner is not persuaded that there is a realistic prospect of individuals being identified from disclosure of the information in question. Having taken account of the arguments presented by both parties, he is of the view that the risk of identification is insignificant and consequently the information is not personal data.

30. As the Commissioner is not satisfied that this information is personal data, he must find that the Council was not entitled to withhold the information under section 38(1)(b) of FOISA.

31. As the Council has also relied on the exemption in section 36(2) of FOISA for withholding the information, the Commissioner will go on to consider the application of this exemption.

Section 36(2) - Confidentiality

32. Section 36(2) of FOISA provides that information is exempt if it was obtained by a Scottish public authority from another person (including another such authority) and its disclosure by the authority so obtaining it to the public (otherwise than under FOISA) would constitute a breach of confidence actionable by that person or any other person. Section 36(2) is an absolute exemption and is not, therefore, subject to the public interest test in section 2(1)(b) of FOISA. However, it is generally accepted in common law that an obligation of confidence will not be enforced to restrain the disclosure of information which is necessary in the public interest.

Obtained from another person

33. Section 36(2) therefore contains a two-stage test, both parts of which must be fulfilled before the exemption can be relied upon. The first is that the information must have been obtained by a Scottish public authority from another person. "Person" is defined widely and means another individual, another Scottish public authority or any other legal entity, such as a company or partnership.

34. The Council explained to the Commissioner that the information was provided by the individual applicants, via the MyJobScotland portal, as part of their job application, and was provided voluntarily.

35. In the circumstances, the Commissioner is satisfied that the withheld information was obtained by the Council from another person and the first part of the section 36(2) test has therefore been fulfilled.

Actionable breach of confidence

36. The second part of the test is that the disclosure of the information by a public authority must constitute a breach of confidence actionable either by the person who gave the information to the public authority or by any other person. The Commissioner takes the view that "actionable" means that the basic requirements for a successful action must appear to be fulfilled.

37. There are three main requirements which must be met before a claim for breach of confidence can be established to satisfy the second element to this test. These are:

(i) the information must have the necessary quality of confidence

(ii) the public authority must have received the information in circumstances which imposed an obligation on it to maintain confidentiality; and

(iii) unauthorised disclosure must be to the detriment of the person who communicated the information.

Necessary quality of confidence

38. Having considered the withheld information and the explanation put forward by the Council, the Commissioner is satisfied that it fulfils the criteria of having the necessary quality of confidence. The information is not common knowledge and could not readily be obtained by the Applicant through any other means.

Obligation to maintain confidentiality

39. The Council submitted that the information had been communicated under an explicit obligation of confidentiality. The Council explained that the privacy notice it supplied to applicants via the MyJobScotland website made it clear that their personal information would only be shared with certain groups and individuals in certain circumstances. This, the Council submitted, puts a clear obligation on those receiving the information to treat it in line with the requirements of the privacy notice (in other words, it submitted, in confidence).

40. In justifying its position, the Council referred the Commissioner to guidance on the UK Government website around the handling and processing of information obtained from a job applicant (focusing largely on the need to meet data protection requirements).

41. Having considered the circumstances of its provision to the Council, together with the content of the privacy notice, the Commissioner acknowledges that applicants for the job in question provided their personal data in the expectation that it would be held in confidence and not shared widely. That was as much assurance as the privacy notice could give: it related to the applicants' personal data and could not offer assurance as to wider use of elements of the information they provided, from which they could not be identified. The Commissioner can see no basis, in the submissions offered by the Council or elsewhere, for treating such anonymised elements as having been received in confidence (and that, essentially, is the status of the withheld information, as he has found when considering the application of section 38(1)(b) of FOISA).

Unauthorised disclosure which would cause detriment

42. The third requirement is that unauthorised disclosure of the information must be to the detriment of the person who communicated it. The damage need not be substantial and indeed could follow from the mere fact of unauthorised use or disclosure in breach of confidence. In that respect, the test of detriment is different from establishing whether, for example, disclosure would prejudice substantially the commercial interests of any person when considering the exemption in section 33(1)(b) of FOISA (Commercial interests and the economy).

43. The Council explained that the withheld information was given to it with the understanding that it would not be released into the public domain. It was the Council's view that, if this information were disclosed into the public domain, it would lead to the candidates being identified, which would amount to a breach of confidence.

44. Such a breach, the Council argued, was likely to cause distress to the applicants. The Council submitted that the breach itself would cause distress, as would the actions of a determined individual within their professional community who was likely to be able to work out that they attended for interview. The Council also asserted that disclosure may cause applicants worry that revealing they had had an interview with the Council could compromise their current employment, if they did not wish their current employer to know that they had been interviewed for other jobs (and also distress and possible prejudice if they were continuing to search for new jobs, if they could be identified by potential employers as having unsuccessfully applied for a job elsewhere).

45. Having considered the submissions from the Council, it is evident that the anticipated harm from disclosure (assuming the Council's various scenarios could be regarded as realistic) is predicated on the Council's view that the individual applicants shortlisted for interview would be identifiable from the withheld information if it were disclosed. This has been carefully considered by the Commissioner in relation to the application of section 38(1)(b) of FOISA, and discounted. In the Commissioner's view, this would apply even if the Applicant were a determined individual of the kind described above.

46. As a consequence, the Commissioner is unable to accept the distress the Council considers would be caused to the shortlisted candidates by disclosure would occur. The Commissioner is therefore not satisfied that disclosure of the names of the degree qualifications held would cause the detriment required to meet the requirements for an actionable breach of confidence (even if he were to accept that the other tests for section 36(2) could be met). The Commissioner therefore finds that the tests for an actionable breach of confidence are not met in this case, and that the Council was wrong to rely on the exemption in section 36(2) to withhold the names of the degrees. The information must therefore be disclosed to the Applicant.


Decision

The Commissioner finds that Moray Council (the Council) failed to comply with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant. The Commissioner finds that the Council wrongly relied on sections 36(2) and 38(1)(b) of FOISA to withhold the names of the degrees held by the shortlisted candidates.

The Commissioner therefore requires the Council to disclose the names of the degrees held by the shortlisted candidates to the Applicant by 13 March 2020.


Appeal

Should either the Applicant or the Council wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.


Enforcement

If the Council fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that the Council has failed to comply. The Court has the right to inquire into the matter and may deal with the Council as if it had committed a contempt of court.


Margaret Keyse
Head of Enforcement
28 January 2020


Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(4) The information to be given by the authority is that held by it at the time the request is received, except that, subject to subsection (5), any amendment or deletion which would have been made, regardless of the receipt of the request, between that time and the time it gives the information may be made before the information is given.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

  (ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

36 Confidentiality

(2) Information is exempt information if-

(a) it was obtained by a Scottish public authority from another person (including another such authority); and

(b) its disclosure by the authority so obtaining it to the public (otherwise than under this Act) would constitute a breach of confidence actionable by that person or any other person.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in -

(a) Article 5(1) of the GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

"the GDPR", "personal data", "processing" and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4), (10), (11) and (14) of that Act);

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

General Data Protection Regulation

Article 5 Principles relating to processing of personal data

1 Personal data shall be:

a. processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency")

Article 6 Lawfulness of processing

1 Processing shall be lawful only if and to the extent that at least one of the following applies:

f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

Data Protection Act 2018

3 Terms relating to the processing of personal data

(2) "Personal data" means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

(3) "Identifiable living individual" means a living individual who can be identified, directly or indirectly, in particular by reference to -

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

(4) "Processing", in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as -

(d) disclosure by transmission, dissemination or otherwise making available.

(subject to subsection 14(c) and sections 5(7), 29(2) and 82(3), which make provision about references to processing in the different Parts of this Act).

(5) "Data subject" means the identified or identifiable living individual to whom personal data relates.

(10) "The GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

[1] http://curia.europa.eu/juris/document/document.jsf?docid=184668&doclang=EN