Home Decisions

Decision 016/2017

Decision 016/2017: Mr James Donlan and East Lothian Council

Housing benefit payments for emergency accommodation

Reference No: 201602026
Decision Date: 1 February 2017

Summary

East Lothian Council was asked for the names of the recipients of housing benefit payments for emergency accommodation at a specified address.

The Council withheld the information as third party personal data, disclosure of which would breach the Data Protection Act.

The Commissioner investigated and found that the Council was entitled to withhold the personal data.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and 2(e)(ii) (Effect of exemptions); 38(1)(b), (2)(a)(i), (2)(b) and (5) (definition of "the data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA) section 1(1) (Basic interpretative provisions) (definition of "personal data"); Schedules 1 (The data protection principles) (the first data protection principle) and 2 (Conditions relevant for purposes of the first principle: processing of any personal data) (condition 6)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 8 September 2016, Mr Donlan made a request for information to East Lothian Council (the Council). Referring to a previous information request concerning the provision of emergency accommodation at a specified address, Mr Donlan asked the Council for the names of the companies and/or individuals to whom it had paid housing benefits for such accommodation, over the period from April 2007 to September 2016.

2. The Council responded on 6 October 2016. It informed Mr Donlan that as the property in question was paid for directly from the Homeless Budget, any housing benefit entitlement was paid directly to the Council's Homeless Account.

3. Mr Donlan challenged the Council's response on 6 October 2016, pointing out that his request sought information relating to payments made to the owners of the property.

4. In response, the Council confirmed it held the information requested and informed Mr Donlan that it considered this to be exempt from disclosure, as the personal data of the individual(s) concerned, under what it described as section 38(b) (Personal information) of FOISA.

5. Mr Donlan asked the Council to explain the specific section being applied, and how it had applied the public interest test.

6. In response, the Council explained that "section 38(b)" was an absolute exemption and did not require a public interest test. The Council further explained that the provision linked freedom of information legislation to the DPA.

7. On 7 October 2016, Mr Donlan wrote to the Council, seeking a review of its decision. He believed the Council had failed to comply with FOISA by not applying the public interest requirements of section 38(1)(b). He believed the public interest favoured disclosure. Mr Donlan also queried the way in which the Council had managed the interaction of FOISA, the DPA and its own Privacy Policy.

8. The Council notified Mr Donlan of the outcome of its review on 1 November 2016. It addressed the points raised in Mr Donlan's requirement for review and upheld its original decision (confirming that it was applying section 38(1)(b) of FOISA).

9. On 2 November 2016, Mr Donlan wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. Mr Donlan was dissatisfied that the Council had failed to apply the public interest requirements of section 38(1)(b), submitting that the public interest favoured disclosure of the information.

Investigation

10. The application was accepted as valid. The Commissioner confirmed that Mr Donlan made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to her for a decision.

11. On 1 December 2016, the Council was notified in writing that Mr Donlan had made a valid application and it was asked to send the Commissioner the information withheld from Mr Donlan. The Council provided the information and the case was allocated to an investigating officer.

12. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Council was invited to comment on this application and answer specific questions, with particular reference to its application of section 38(1)(b) of FOISA.

13. As the Council was withholding information under the exemption in section 38(1)(b), Mr Donlan was also invited to comment on his legitimate interest in obtaining this information.

14. The Council and Mr Donlan both provided submissions to the Commissioner.

Commissioner's analysis and findings

15. In coming to a decision on this matter, the Commissioner has considered all of the withheld information and the relevant submissions, or parts of submissions, made to her by both Mr Donlan and the Council. She is satisfied that no matter of relevance has been overlooked.

Section 38(1)(b) - Personal information

16. Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) (or, as appropriate, section 38(2)(b)), exempts information from disclosure if it is "personal data", as defined in section 1(1) of the DPA, and its disclosure would contravene one or more of the data protection principles set out in Schedule 1 to the DPA.

17. In order to rely on this exemption, the Council must show, firstly, that any such information would be personal data for the purposes of the DPA and, secondly, that disclosure of those data would contravene one or more of the data protection principles to be found in Schedule 1.

18. It must be borne in mind that this particular exemption is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA. (Mr Donlan mistakenly believed the exemption was subject to the public interest test.)

19. The Council was asked to confirm whether it wished to continue to rely upon section 38(1)(b) of FOISA in respect of the withheld information, and to explain the basis on which it was doing so.

Is the withheld information personal data?

20. "Personal data" are defined in section 1(1) of the DPA as "data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller" (the full definition is set out in Appendix 1).

21. In this case, the withheld information comprises the names of the individual(s) to whom the Council paid housing benefit for providing emergency homeless accommodation, in respect of a property at a specified address.

22. The Council submitted that the name(s), in connection with the address, enabled the individual(s) to be identified. In the Council's view, the information focused on the individual(s).

23. The Commissioner has considered the submissions received from the Council on this point, along with the withheld information. In line with these submissions, she is satisfied that the information comprises the personal data of the individual(s) concerned. The information records the name(s) of the individual(s), as the recipient(s) of housing benefit payments. Clearly, it is possible to identify a living individual/living individuals from it: that is what the request seeks to do. The Commissioner agrees that the information focuses on the individual(s), in a biographical sense, and so can be said to relate to them. It is therefore the personal data of the individual(s), as defined by section 1(1) of the DPA.

24. As indicated above, the Commissioner considers all of the withheld information to be the personal data of the individual(s) to whom it relates. In the circumstances, given the terms of the request and the actual information held, she does not consider it would be possible to disclose any of the withheld information without a real risk remaining that the individual(s) could be identified: consequently, she can identify no means of anonymising the information so that it would cease to be personal data.

Would disclosure contravene the first data protection principle?

25. In its submissions, the Council argued that disclosure of the withheld personal data would contravene the first data protection principle. This requires that personal data are processed fairly and lawfully. The processing in this case would be the disclosure of the information into the public domain, in response to Mr Donlan's FOISA request.

26. The first principle also states that personal data shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met. In the case of sensitive personal data (as defined by section 2 of the DPA) at least one of the conditions in Schedule 3 to the DPA must also be met. The Commissioner is satisfied that the personal data in question are not sensitive personal data for the purposes of section 2 of the DPA, so it is not necessary for her to consider the conditions in Schedule 3.

27. The Commissioner will now consider whether there are any conditions in Schedule 2 to the DPA which would permit the withheld personal data to be disclosed. If any of these conditions can be met, she must then consider whether the disclosure of the information would be fair and lawful.

28. There are three separate aspects to the first data protection principle: (i) fairness, (ii) lawfulness and (iii) the conditions in the schedules. These three aspects are interlinked. For example, if there is a specific condition in Schedule 2 which permits the personal data to be disclosed, it is likely that disclosure will also be fair and lawful.

Can any of the conditions in Schedule 2 be met?

29. In the circumstances, it appears to the Commissioner that condition 6 in Schedule 2 is the only one which might permit disclosure of the information to Mr Donlan. In any event, neither Mr Donlan nor the Council has argued that any other condition would be relevant. Condition 6 allows personal data to be processed if that processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject(s) (the individual(s) to whom the data relate).

30. There are, therefore, a number of tests which must be met before condition 6 can apply. These are:

(i) Does Mr Donlan have a legitimate interest or interests in obtaining the personal data?

(ii) If so, is the disclosure necessary to achieve those legitimate interests? In other words, is the processing proportionate as a means and fairly balanced as to ends, or could the legitimate interests be achieved by means which interfere less with the privacy of the data subject(s)?

(iii) Even if the processing is necessary for Mr Donlan's legitimate interests, would it nevertheless be unwarranted, in this case, by reason of prejudice to the rights and freedoms or legitimate interests of the data subject(s)?

31. There is no presumption in favour of disclosure of personal data under the general obligation laid down by section 1(1) of FOISA. The legitimate interests of Mr Donlan must outweigh the rights and freedoms or legitimate interests of the data subject(s) before condition 6 will permit the personal data to be disclosed. If the two are evenly balanced, the Commissioner must find that the Council was correct to refuse to disclose the personal data to Mr Donlan.

Does Mr Donlan have a legitimate interest in obtaining the personal data?

32. In his submissions to the Commissioner, Mr Donlan submitted that the owners of the accommodation in question had been sequestrated, but had not declared to their Trustees the full income received from the Council for the rental of rooms paid through housing benefit for emergency accommodation. He referred to a considerable sum of money as being involved. He believed it was imperative that the owners of the accommodation be identified formally as recipients of the money, in order that the Trustees could take action to recover money owed to creditors.

33. In its submissions to the Commissioner, the Council explained that it had been led to believe, from a previous information request made by Mr Donlan, relating to the same address, that he was conducting research into social housing and emergency accommodation. Noting that Mr Donlan had focused on only one specific address out of the many providers of such accommodation used by the Council, it had provided him with information it believed would further such research, withholding only the personal information he subsequently asked for in the request under consideration here.

34. The Council submitted that any genuine research of this nature could be carried out without knowing the names of the recipients of any payments.

35. The Council did not accept that Mr Donlan had a legitimate interest in the information. Noting that he believed disclosure was in the public interest, the Council submitted that Mr Donlan had not explained why.

36. The Commissioner has considered all the relevant submissions she has received on this point, along with the withheld personal data.

37. The Commissioner notes that, on the one hand, Mr Donlan led the Council to understand that any legitimate interest he believed he had lay in conducting research into social housing and emergency accommodation. This is borne out by his correspondence with the Council. On the other hand, his submissions to the Commissioner identified a different, more specific, legitimate interest, in identifying individuals he believed to be involved in some kind of financial malpractice. She will consider both aspects submitted to her.

38. The Commissioner is aware that Mr Donlan may be conducting genuine research into social housing and emergency accommodation. She does not understand, however, why this should extend to a legitimate interest in the names of individual payees. Mr Donlan did not expand on this aspect of his interests when making his submissions to the Commissioner and, on the basis of the submissions she has, she is unable to conclude that he has a legitimate interest in the requested information for reasons of research.

39. In respect of any alleged financial malpractice, the Commissioner accepts that Mr Donlan does have a legitimate interest in the requested information. He has identified issues which are, on the face of it, of some public concern.

Is disclosure necessary to achieve those legitimate interests?

40. The Commissioner must now go on to consider whether disclosure of the withheld personal data would be necessary to meet the legitimate interests she has identified above. This will include consideration of whether the legitimate interests might be met by alternative means which interfere less with the privacy of the data subject(s).

41. In this case, the Commissioner has carefully considered all relevant submissions she has received, along with the withheld personal data. As she has not found Mr Donlan to have a legitimate interest in obtaining the withheld personal data for the purposes of research, she is only considering the question of necessity in connection with his legitimate interest relating to alleged financial malpractice.

42. The Council submitted that identification of the individual(s) concerned, in combination with details of the financial transactions they were party to in line with its contract with them, would be an excessive disclosure of their personal data.

43. The Commissioner acknowledges that Mr Donlan believes formal identification of the recipients would allow the Trustee to take action to recover money owned to creditors. It is not clear to the Commissioner what Mr Donlan's personal involvement in this matter is. He does not appear to be the Trustee, or to be acting on the Trustee's behalf. He has not explained why, if the matter were drawn to their attention, his concerns would not be capable of being addressed adequately using the Trustee's existing statutory powers. On the face of it, these concerns would appear to demand thorough and impartial investigation by the Trustee or other appropriate authority, possibly followed by appropriate enforcement processes, before exposure to public scrutiny could be considered appropriate.

44. In the present circumstances, without the safeguards afforded by allowing such processes to be followed, the Commissioner would consider such exposure to be disproportionate. She cannot, therefore, accept disclosure of the withheld personal data as being necessary to achieve Mr Donlan's legitimate interests.

45. Having found that disclosure is not necessary, the Commissioner must conclude that condition 6 in Schedule 2 to the DPA cannot be met in this case, in relation to the withheld personal data. In the absence of a condition permitting disclosure, she must also conclude that disclosure would be unlawful.

46. The Commissioner therefore concludes that disclosure of the withheld personal data would breach the first data protection principle, and so finds that the Council properly withheld the information under the exemption in section 38(1)(b) of FOISA.

 

Decision

The Commissioner finds that East Lothian Council complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by Mr Donlan.

Appeal

Should either Mr Donlan or East Lothian Council wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement

1 February 2017

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

Data Protection Act 1998


1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

 

Schedule 1 - The data protection principles

Part I - The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

Schedule 2 - Conditions relevant for purposes of the first principle: processing of any personal data

...

6. (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.