Decision 017/2023: Information regarding a named social worker
Public authority: Renfrewshire Council
Case Ref: 202101054
Summary
The Council was asked for a range of information regarding a named social worker. The Council stated that it did not hold some of the information requested, and it considered the remaining information to be exempted from disclosure as it was considered to be the personal data of a third party. The Commissioner investigated and found that the Council’s response complied with FOISA.
Relevant statutory provisions
Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), 1(4) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 17(1) (Information not held); 38(1)(b), (2A), (5) (definitions of “data protection principles”, “data subject”, “personal data”, “processing” and “the UK GDPR”) and (5A) (Personal information)
United Kingdom General Data Protection Regulation (the UK GDPR) articles 4(1) (definition of "personal data"); 5(1)(a) (Principles relating to processing of personal data); 6(1)(f) (Lawfulness of processing)
Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5), (10) and (14) (Terms relating to the processing of personal data)
The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.
Background
1. On 2 March 2021, the Applicant made a request for information to Renfrewshire Council (the Council). She asked for letters, memorandums, minutes of meetings, reports, notes or emails sent or received by a named social worker (“the social worker”) or case files with the social worker’s name in them relating to a case between two specified dates.
2. The Council responded on 30 March 2021. It notified the Applicant, in line with section 17(1) of FOISA, that it did not hold some of the information she had requested (i.e. the emails previously held in the social worker’s email account). The Council notified the Applicant that the information it did hold was exempt from disclosure under section 38(1)(b) (Personal information) and section 36(2) (Confidentiality) of FOISA.
3. On 25 April 2021, the Applicant wrote to the Council requesting a review of its decision.
4. The Council notified the Applicant of the outcome of its review on 21 May 2021. It upheld its initial response. The reasons for this are considered in detail below.
5. On 24 August 2021, the Applicant applied to the Commissioner for a decision in terms of section 47(1) of FOISA. The Applicant stated she was dissatisfied with the outcome of the Council’s review. She did not accept that the Council did not hold some of the information she had asked for and disagreed that the exemptions relied on by the Council applied to all of the information held by the Council. The Applicant’s reasons are considered in more detail below.
Investigation
6. The application was accepted as valid. The Commissioner confirmed that the Applicant made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.
7. On 16 September 2021, the Council was notified in writing that the Applicant had made a valid application. The Council was asked to send the Commissioner the information withheld from the Applicant. The Council provided the information and the case was allocated to an investigating officer.
8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. On 16 February 2022, the Council was invited to comment on this application and to answer specific questions. The Council responded on 3 March 2022.
9. On 10 March 2022, the Applicant was advised that some of the information captured by the request related to other parties and included special category personal data (which could not be disclosed under FOISA). The Applicant was therefore asked whether she was content to focus solely on the social worker’s personal data. The Applicant confirmed she was content with this approach.
Commissioner’s analysis and findings
10. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both the Applicant and the Council. He is satisfied that no matter of relevance has been overlooked.
Section 17(1) - Notice that information is not held
11. Under section 1(4) of FOISA, the information to be provided in response to a request under section 1(1) is that falling within the scope of the request and held by the authority at the time the request is received.
12. Under section 17(1) of FOISA, where an authority receives a request for information it does not hold, it must (unless it wishes neither to confirm nor deny whether the information is held under section 18 of FOISA), give the applicant notice in writing to that effect.
13. The Council explained that the social worker had not been employed by the Council for a number of years and that their email account was no longer recoverable. As a result, it did not hold some of the information the Applicant had asked for.
14. The investigating officer therefore asked the Council to explain what searches had been carried out and what the results of those searches were.
15. The Council advised that extensive searches had been carried out on the Council’s ICT systems to return any results which contained any reference whatsoever to the social worker, even if only to their name. This was to ensure that, if the social worker sent emails to other staff, if other staff had sent emails to them or their name was mentioned in any files, the information would be captured and examined to determine if it fell within the scope of the request.
16. The Council provided screenshots of searches it had carried out.
17. The searches returned 3,907 results, all of which were reviewed by the Council. The emails recovered related to issues such as general communications to entire teams of staff, system based/ICT emails, meeting invitations unrelated to case in question, emails in relation to the social worker’s new role and emails regarding other service users.
18. None of these emails were about how the social worker discharged their duties in relation to the case in question. The only information which fell within scope related to the fact that the social worker had, for example, attended a meeting (the emails held by the Council which fall within scope are considered below).
19. The Applicant had queried whether the social worker’s emails were transferred to another colleague when they left the Council’s employment. The Council explained that it is standard practice that the email account of any employee who leaves the Council is closed 90 days after the person leaves, unless a manager asks for it to be kept open; such requests are unusual, and did not happen in this case. The Council commented that there would be little reason for a manager to have asked for the account to be kept open, as any key information relating to clients would be held in the social work records and not in staff email accounts. Furthermore, as a number of years had passed, the Council would no longer hold a record of such a request, as this would only have been held for a limited period of time.
The Commissioner's findings
20. The standard of proof to determine whether a Scottish public authority holds information is the civil standard of the balance of probabilities. In determining whether a Scottish public authority holds information, the Commissioner will consider the scope, quality, thoroughness and results of the searches carried out by the public authority. He will also consider, where appropriate, any reason offered by the public authority to explain why the information is not held.
21. The Commissioner has considered the detailed searches undertaken by the Council and its submissions why it no longer holds the emails in the social worker’s email account.
22. The Applicant has explained clearly why she considers that the requested emails would be held. However, the Commissioner considers the Council has provided a credible explanation that any information about the case would be held in social work files as opposed to individual’s employee’s email accounts.
23. The Commissioner is satisfied that the Council does not hold the emails in question and was correct to notify the Applicant, in line with section 17(1) of FOISA, that the information was not held.
Section 38(1)(b) – Personal information
24. During the investigation, the Applicant agreed that her request could focus on the named social worker as opposed to any other third party.
25. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is “personal data“ (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR.
26. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.
Is the information personal data?
27. The first question the Commissioner must address is whether the information withheld by the Council under this exemption is personal data for the purposes of section 3(2) of the DPA 2018, i.e. any information relating to an identified or identifiable living individual. “Identifiable living individual” is defined section 3(3) of the DPA 2018 – see Appendix 1. (This definition reflects the definition of personal data in Article 4(1) of the UK GDPR.)
28. Information will "relate to" a person if it is about them, is linked to them, has biographical significance for them, is used to inform decisions affecting them, or has them as its main focus.
29. The Applicant requested letters, memorandums, minutes of meetings, etc. sent or received by the social worker pertaining to a case and for case files
30. While the Applicant noted that it was difficult to separate information about the case from the social worker, she did not consider it was impossible to do so, and asked the Commissioner to reach a decision on this matter.
31. The Commissioner has considered the withheld information in detail. He notes that the social worker’s personal data is inextricably linked to the subject(s) of the case but that there is data within the files that is purely the social worker’s personal data. The Commissioner will consider the information that relates solely to the social worker.
32. The Commissioner is satisfied that the information identified by the Council relates to an identifiable individual and accepts that the information is personal data for the purposes of section 3(2) of the DPA 2018.
Would disclosure contravene one of the data protection principles?
33. The Council argued that disclosure would breach the data protection principle in Article 5(1)(a) of the UK GDPR. Article 5(1) states that personal data shall be processed “lawfully, fairly and in a transparent manner in relation to the data subject.”
34. "Processing" of personal data is defined in section 3(4) of the DPA 2018. It includes (section 3(4)(d)) disclosure by transmission, dissemination or otherwise making available personal data. The definition therefore covers disclosing information into the public domain in response to a FOISA request.
35. The Commissioner must consider whether disclosure of the personal data would be lawful. In considering lawfulness, he must consider whether any of the conditions in Article 6 of the UK GDPR would allow the data to be disclosed.
36. The Commissioner considers that condition (f) in Article 6(1) is the only condition which could potentially apply in the circumstances of this case.
Condition (f): legitimate interests
37. Condition (f) states that processing shall be lawful if it -
is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
38. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, section 38(5A) of FOISA makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.
39. The three tests which must be met before Article 6(1)(f) can be relied on are as follows (see paragraph 18 of South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55 (the South Lanarkshire Council case) - although this case was decided before the GDPR (and UK GDPR) came into effect, the relevant tests are almost identical):
- does the Applicant have a legitimate interest in the personal data?
- if so, would the disclosure of the personal data be necessary to achieve that legitimate interest?
- even if the processing would be necessary to achieve the legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subjects which require protection of personal data (in particular where the data subject is a child)?
Does the Applicant have a legitimate interest?
40. The Applicant considered that there was a legitimate interest in the information.
41. The Council noted that the Applicant’s interest focussed on one single member of staff rather than organisational accountability. However, it did accept that the Commissioner might conclude that the Applicant has a legitimate interest in the withheld information, and so provided submissions on this basis.
42. The Commissioner considers that the Applicant (and, indeed, the wider public) does have a legitimate interest in this information. Although the Applicant’s focus is on the social worker, the Commissioner considers that such interests would extend to whether there were failures in the Council social work department, as the social worker was employed within that department.
Is disclosure necessary to achieve that legitimate interest?
43. Here, “necessary” means “reasonably” rather than absolutely or strictly necessary. The Commissioner must therefore consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the Applicant’s legitimate interests can be met by means which interfere less with the privacy of the data subjects.
44. The Commissioner notes that, if the information the Applicant has requested is disclosed in response to a FOISA request, it is, in effect, disclosed into the public domain.
45. The Council did not consider that disclosure of the withheld information was necessary to meet the Applicant’s legitimate interest in the scrutiny of a public body.
46. The Commissioner has considered the submissions from both parties carefully in the light of the South Lanarkshire Council [2013] UKSC 55. In that case, the Supreme Court stated (at paragraph 27 of the judgment):
… A measure which interferes with a right protected by Community law must be the least restrictive for the achievement of a legitimate aim. Indeed, in ordinary language we would understand that a measure would not be necessary if the legitimate aim could be achieved by something less.
47. As the Applicant’s focus is on the social worker and in effect the decision-making and professional practice within the social work department, the Commissioner can identify no other means of meeting the Applicant’s legitimate interests which would interfere less with the privacy of the data subject than providing the relevant information within the case files. He is therefore satisfied that disclosure of the information is necessary for the purposes of the Applicant’s legitimate interests.
Would disclosure cause unwarranted prejudice to the legitimate interests of the data subjects?
48. The Commissioner must balance the legitimate interests in disclosure of the information against the social worker’s interests or fundamental rights and freedoms. In doing so, it is necessary for him to consider the impact of such a disclosure. For example, if the social worker would not reasonably expect that the information would be disclosed to the public under FOISA in response to the request, or if such disclosure would cause unjustified harm, their interests or rights are likely to override any legitimate interests in disclosure. Only if the legitimate interests of the Applicant outweigh those of the social worker could the information be disclosed without breaching the first data protection principle.
49. Much will depend on the reasonable expectations of the social worker. These are some of the factors public authorities should consider:
(i) Does the information relate to an individual's public life (their work as a public official or employee) or to their private life (their home, family, social life or finances)?
(ii) Would the disclosure cause harm or distress?
(iii) Whether the individual has objected to the disclosure.
50. The seniority of the individual is also relevant when determining what their legitimate interests were: the more senior the individual, the more likely it is that their personal data will be disclosed.
51. In this case, the social worker was only one of a number of staff involved.
52. The Commissioner must consider the potential harm or distress that may be caused by the publication of information from the Council’s case files. Although, the information falling within scope is minimal as the request is focussed solely on the social worker, it is clear to the Commissioner that disclosure would cause distress to the social worker.
53. The Applicant’s right to the information for journalistic purposes must be given the appropriate weight, and the Commissioner has done this. He has recognised the important function of the media in the scrutiny of public bodies. He has recognised that the Applicant sought this information to allow her to scrutinise the actions of those employed by a public body. This is a legitimate and important function.
54. The subject of the Applicant’s scrutiny is also a vitally important area of concern and the Commissioner has attributed weight to that. Still, it must be acknowledged that this is not a case where there has been no form of scrutiny.
55. Whilst the Applicant’s legitimate interests are strong, the Commissioner finds, on balance, that they are outweighed by the prejudice to the rights and freedoms of the social worker that would result from disclosure. The requirements of condition 6 cannot be met here.
56. In all the circumstances of this particular case, the Commissioner concludes that condition (f) in Article 6(1) of the UK GDPR could not be met in relation to the personal data sought by the Applicant.
Fairness and transparency
57. Given that the Commissioner has concluded that the processing of the personal data, would be unlawful, he is not required to go on to consider whether disclosure of such personal data would otherwise be fair and transparent in relation to the data subject.
Conclusion on the data protection principles
58. For the reasons set out above, the Commissioner is satisfied that disclosure of the personal data would breach the data protection principle in Article 5(1)(a) of the UK GDPR.
59. In all the circumstances, the Commissioner is satisfied that such personal data would be exempt from disclosure under section 38(1)(b) of FOISA, on the basis that the information would be so exempt.
Section 36(2) – confidentiality
60. As the Commissioner has concluded that the information is exempt from disclosure under section 38(1)(b) of FOISA, he is not required to go on to consider whether the exemption in section 36(2) of FOISA also applies to the information.
Decision
The Commissioner finds that Renfrewshire Council complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by the Applicant.
Appeal
Should either the Applicant or the Council wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.
Daren Fitzhenry
Scottish Information Commissioner
28 February 2023
?
Appendix 1: Relevant statutory provisions
Freedom of Information (Scotland) Act 2002
1 General entitlement
(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.
…
(4) The information to be given by the authority is that held by it at the time the request is received, except that, subject to subsection (5), any amendment or deletion which would have been made, regardless of the receipt of the request, between that time and the time it gives the information may be made before the information is given.
…
(6) This section is subject to sections 2, 9, 12 and 14.
2 Effect of exemptions
(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that –
(a) the provision does not confer absolute exemption; and
…
(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption –
…
(e) in subsection (1) of section 38 –
…
(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.
17 Notice that information is not held
(1) Where-
(a) a Scottish public authority receives a request which would require it either-
(i) to comply with section 1(1); or
(ii) to determine any question arising by virtue of paragraph (a) or (b) of section 2(1),
if it held the information to which the request relates; but
(b) the authority does not hold that information,
it must, within the time allowed by or by virtue of section 10 for complying with the request, give the applicant notice in writing that it does not hold it.
…
38 Personal information
(1) Information is exempt information if it constitutes-
…
(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);
…
(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -
(a) would contravene any of the data protection principles, or
(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.
…
(5) In this section-
"the data protection principles" means the principles set out in –
(a) Article 5(1) of the UK GDPR, and
(b) section 34(1) of the Data Protection Act 2018;
"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
…
“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act);
“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act).
(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.
UK General Data Protection Regulation
4 Definitions
For the purpose of this Regulation:
(1) ‘Personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Article 5 Principles relating to processing of personal data
1 Personal data shall be:
a. processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”)
…
Article 6 Lawfulness of processing
1 Processing shall be lawful only if and to the extent that at least one of the following applies:
…
f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.
Data Protection Act 2018
3 Terms relating to the processing of personal data
…
(2) “Personal data” means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).
(3) “Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to –
(a) an identifier such as a name, an identification number, location data or an online identifier, or
(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
(4) “Processing”, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as –
…
(d) disclosure by transmission, dissemination or otherwise making available,
…
(5) “Data subject” means the identified or identifiable living individual to whom personal data relates.
(10) “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).
…
(14) In Parts 5 to 7, except where otherwise provided –
(a) references to the UK GDPR are to the UK GDPR read with Part 2;
…
(c) references to personal data, and the processing of personal data, are to personal data and processing to which Part 2, Part 3 or Part 4 applies;
(d) references to a controller or processor are to a controller or processor in relation to the processing of personal data to which Part 2, Part 3 or Part 4 applies.
