Decision 023/2016: Mr N and East Lothian Council

Actions relating to a named individual

Reference No: 201502132
Decision Date: 4 February 2016

Summary

On 24 August 2015, Mr N asked East Lothian Council (the Council) for information relating to its treatment of a named individual.

The Council refused to provide the information, considering it to be personal data and that disclosure would breach the data protection principles.

The Commissioner investigated and found that the information held by the Council was exempt from disclosure: it was personal data and, in this case, disclosure would breach the data protection principles. The Commissioner also found that the Council should have notified Mr N that it did not hold some of the information he had asked for.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (4) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 17(1) (Notice that information is not held); 38(1)(b), (2)(a)(i), (2)(b) and (5) (definition of "the data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA) sections 1(1) (Basic interpretative provisions) (definition of "personal data"); 2 (Sensitive personal data); Schedules 1 (The data protection principles) (the first data protection principle); 3 (Conditions relevant for the purposes of the first principle: processing of sensitive personal data) (conditions 1 and 5)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 24 August 2015, Mr N made a request for information to the Council. Mr N requested a range of information about incidents involving a named person (Person A). This request included questions about another individual (Person B), the actions taken by the Council with respect to Person B, and questions as to whether the Council had taken any action when another individual (Person C) had informed the Council about incidents involving Person A.

2. The Council responded on 1 September 2015. It refused to provide this information as it considered it to be personal data relating to third parties, exempt from disclosure under section 38(1)(b) of FOISA. The Council informed Mr N that if he provided a mandate from the three named individuals, then it could comply with the request.

3. On 18 September 2015, Mr N provided a signed mandate from Person B.

4. On 22 September 2015, Mr N wrote to the Council requesting a review of its decision on the basis that he did not accept that the information was exempt from disclosure under section 38(1)(b) of FOISA.

5. The Council notified Mr N of the outcome of its review on 22 October 2015. It upheld its reliance on section 38(1)(b) of FOISA in relation to the majority of the information.

6. On 12 November 2015, Mr N applied to the Commissioner for a decision in terms of section 47(1) of FOISA. Mr N stated he was dissatisfied with the outcome of the Council's review because he considered that it was in the public interest for him to obtain the answers he had requested in order to change internal procedures and hold the Council accountable for maladministration.

Investigation

7. The application was accepted as valid. The Commissioner confirmed that Mr N made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to her for a decision.

8. On 1 December 2015, the Council was asked for comments about its response to Mr N's request. The Council responded on 8 December 2015.

9. The investigating officer wrote to Mr N on 17 December 2015. In this letter, Mr N was informed that his request would be considered under FOISA, and the Commissioner could not investigate his complaint about the Council's actions. Mr N confirmed that he wanted the Commissioner to investigate his application and provided his comments on his legitimate interests in the withheld information.

10. In his correspondence with the investigating officer, Mr N commented that he was seeking an explanation regarding the different treatment of two individuals. The investigating officer confirmed in writing to Mr N that the focus of the investigation and decision would be his request for information regarding named individuals, and not his other complaints to the Council.

11. On 13 January 2016, the Council was notified in writing that Mr N had made a valid application. The Council was asked to send the Commissioner the information withheld from him. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Council was invited to comment on this application and answer specific questions including justifying its reliance on any provisions of FOISA it considered applicable to the information requested. The Council responded on 14 January 2016.

Commissioner's analysis and findings

12. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to her by both Mr N and the Council. She is satisfied that no matter of relevance has been overlooked.

Section 38(1)(b) - Personal information

13. Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) (or, as appropriate, (2)(b)) exempts information from disclosure if it is "personal data", as defined in section 1(1) of the DPA, and its disclosure would contravene one or more of the data protection principles set out in Schedule 1 to the DPA.

14. In order to rely on this exemption, the Council must show, firstly, that any such information would be personal data for the purposes of the DPA and, secondly, that disclosure of that data would contravene one or more of the data protection principles to be found in Schedule 1.

Is the information under consideration personal data?

15. "Personal data" are defined in section 1(1) of the DPA as "data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller" (the full definition is set out in Appendix 1).

16. The Commissioner has considered the submissions received from the Council on this point, along with the withheld information. She is satisfied that the information is personal data: it is possible to identify living individuals from the information itself, in line with the definition of personal data. Although other individuals can be identified from the information, the Commissioner is satisfied that all the withheld information is the personal data of Person B, because it relates to this individual. In the circumstances, the Commissioner does not consider it would be possible to disclose any of the withheld information without a real risk remaining that the data subject could be identified: consequently, it would remain his or her personal data even following any redaction.

Is the withheld information sensitive personal data?

17. Having considered the withheld information, the Commissioner considers that the information comprises sensitive personal data.

18. The definition of sensitive personal data is contained in section 2 of the DPA (see Appendix 1).

19. The Commissioner is satisfied that all of the personal data withheld falls into at least one of the categories in section 2 of the DPA and therefore should be considered to be the sensitive personal data of the data subject. (The Commissioner is unable to confirm which of the categories of sensitive personal data are relevant here, without, in effect, disclosing sensitive personal data.)

Would disclosure contravene the first data protection principle?

20. In its submissions, the Council argued that the disclosure of the withheld personal data would contravene the first data protection principle. This requires that personal data are processed fairly and lawfully and, in particular, are not processed unless at least one of the conditions in Schedule 2 to the DPA is met. For sensitive personal data, at least one of the conditions in Schedule 3 to the DPA must also be met. The processing in this case would be the disclosure of the personal data into the public domain in response to Mr N's information requests.

The first data protection principle: sensitive personal data

21. Given the additional restrictions surrounding the disclosure of sensitive personal data, it is appropriate in this case to consider whether there are any conditions in Schedule 3 which would permit the data to be disclosed, before considering the Schedule 2 conditions. The conditions listed in Schedule 3 have been considered by the Commissioner, as have the additional conditions for processing sensitive personal data contained in secondary legislation, such as the Data Protection (Processing of Sensitive Personal Data) Order 2000.

22. Guidance issued by the Commissioner regarding the exemption in section 38(1)(b)[1] notes that, generally, only the first and fifth conditions are likely to be relevant when considering a request for sensitive personal data under FOISA. Condition 1 would allow personal data to be disclosed where the data subject has given explicit (i.e. specific, fully informed and freely given) consent to their release. Condition 5 would allow the personal data to be disclosed if the data had been made public as a result of steps deliberately taken by the data subject.

23. The Council informed the Commissioner that it had not considered it appropriate in the circumstances to ask the data subjects if they have consented to the disclosure of the personal data.

24. The Commissioner notes that Mr N obtained a mandate from one individual which authorised the Council to provide Mr N with personal data relating to that individual. The mandate authorised the Council to disclose the personal data to Mr N alone. It did not authorise the Council to disclose the personal data into the public domain in response to an information request under section 1 of FOISA.

25. In the circumstances, the Commissioner does not consider the requirement for explicit consent to be capable of being fulfilled. She is also satisfied that the data subject has not taken steps to place this information into the public domain, with the result that neither of conditions 1 and 5 could be met in this case.

Commissioner's conclusions - Section 38(1)(b)

26. Having reached this conclusion, and having concluded that no other condition in Schedule 3 applies in this case, the Commissioner finds that the disclosure of the data subject's sensitive personal data would breach the first data protection principle. She therefore finds that the Council was correct to withhold the information requested by Mr N under section 38(1)(b) of FOISA.

Section 17 - Notice that information is not held

27. In terms of section 1(4) of FOISA, the information to be provided in response to a request under section 1(1) is that falling within the scope of the request and held by the authority at the time the request is received, subject to qualifications which are not applicable in this case. Under section 17(1) of FOISA, where an authority receives a request for information it does not hold, it must give an applicant notice in writing to that effect.

28. The Council submitted that, when conducting searches for the requested information, it checked Person B's personnel file in the Human Resources Department for any relevant information and nothing was found. In addition, a comprehensive search was carried out in the Council's electronic records using the individuals' names in the keyword search. The same keyword search was carried out by the Complaints and Feedback Team and no further information was identified.

29. The Council explained that any information about a complaint would be taken very seriously. It provided information about how complaints are registered and how long certain information would be held on file.

30. In his application, Mr N provided the dates of and described the incidents he was interested in, which took place more than two years ago. The Commissioner considers that, given the time that has passed and the explanation the Council has provided about the length of time it retains certain types of information, it is likely that records of these events (if held at any time) would have been deleted or destroyed by the time Mr N made his request on 24 August 2015.

31. The Commissioner has considered the terms of Mr N's request, the information which the Council withheld, and all of the relevant submissions, including the searches undertaken by the Council. She accepts that the Council does not hold all of the information requested by Mr N.

32. The Council's response to Mr N stated that all of the information covered by his request was exempt under section 38(1)(b) of FOISA. The Commissioner has concluded that the Council does not hold all of the requested information. In failing to give Mr N notice that it did not hold some information, the Council failed to comply with section 17(1) of FOISA.

Decision

The Commissioner finds that East Lothian Council (the Council) generally complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by Mr N. The Council correctly withheld information under section 38(1)(b) of FOISA. However, the Council did not give notice that it did not hold all of the information falling within scope of Mr N's request, and so failed to comply with section 17(1) of FOISA.

The Commissioner does not require the Council to take any action in relation to this failure.

Appeal

Should either Mr N or the Council wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement

4 February 2016


Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

…

(4) The information to be given by the authority is that held by it at the time the request is received, except that, subject to subsection (5), any amendment or deletion which would have been made, regardless of the receipt of the request, between that time and the time it gives the information may be made before the information is given.

…

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

…

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

…

(e) in subsection (1) of section 38 -

…

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

…

17 Notice that information is not held

(1) Where-

(a) a Scottish public authority receives a request which would require it either-

(i) to comply with section 1(1); or

(ii) to determine any question arising by virtue of paragraph (a) or (b) of section 2(1),

if it held the information to which the request relates; but

(b) the authority does not hold that information,

it must, within the time allowed by or by virtue of section 10 for complying with the request, give the applicant notice in writing that it does not hold it.

…

38 Personal information

(1) Information is exempt information if it constitutes-

…

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

…

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

…

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

…

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

…

Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

…

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

…

2 Sensitive personal data

In this Act "sensitive personal data" means personal data consisting of information as to-

(a) the racial or ethnic origin of the data subject,

(b) his political opinions,

(c) his religious beliefs or other beliefs of a similar nature,

(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),

(e) his physical or mental health or condition,

(f) his sexual life,

(g) the commission or alleged commission by him of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Schedule 1 - The data protection principles

Part I - The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

…

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

…

Schedule 3 - Conditions relevant for purposes of the first principle: processing of sensitive personal data

1. The data subject has given his explicit consent to the processing of the personal data.

…

5. The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.


[1]