Home Decisions

Decision 025/2019

Decision 025/2019: Responding to requests for requester's own personal data under FOISA

Public authority: Police Investigations and Review Commissioner
Case Ref: 201801932

Summary

PIRC was asked to confirm that it held, or had seen, specific legal advice and to confirm the status of the person providing that advice.

PIRC considered that the request was for the applicant's own personal data and responded to the request under the GDPR.

The Commissioner agreed that the information was the applicant's own personal data, but found that PIRC had failed to comply with Part 1 of FOISA as no refusal notice was sent in terms of section 16(1) of FOISA. He did not require PIRC to take any action.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1); 16(1) and (6) (Refusal of request); 19 (Content of certain notices); 38(1)(a) (Personal information)

General Data Protection Regulation (the GDPR) articles 4(1) and 15(1)

Data Protection Act 2018 (the DPA 2018) sections 3(2) and (3)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 1 November 2018, Mr Y made an information request to the Police Investigations and Review Commissioner (PIRC). With regard to legal advice on a complaint he had submitted, Mr Y asked:

  • Let me know if PIRC has seen that "legal advice" and if so;
  • Please tell me the status of the person giving that advice. For instance, was that advice formally received from a legal entity or via an ordinary citizen or perhaps a police officer or something else?

Mr Y added that, if PIRC had not seen the advice, he would ask whether it was requested by PIRC. If not, then he required PIRC to explain why the advice had not been seen or requested by PIRC.

2. PIRC responded on 8 November 2018. It informed Mr Y that it was responding to his request under "the Data Protection Regulations" as disclosure of the information under the Freedom of Information (Scotland) Act (FOISA) would mean that the information would need to be provided to anyone who asked for it. (PIRC's reference to "the Data Protection Regulations" is understood to refer to the GDPR and the DPA 2018.) PIRC provided a response to the first two parts of Mr Y's request and provided details of how to seek a review and appeal to the (UK) Information Commissioner (who enforces data protection throughout the UK).

3. On 8 November 2018, Mr Y wrote to PIRC requesting a review of its decision, on the basis that he had made his request under FOISA. He stated that PIRC held the information he had requested but had failed to deal with his request under FOISA, and had provided no lawful reason to withhold the information under FOISA.

4. PIRC notified Mr Y of the outcome of its review on 8 November 2018. It reiterated that information released under FOISA is essentially provided publicly. It stated that it would not normally answer questions about specific review reports in a public forum or provide details about a complaint handling review to anyone who asked. This would incur a risk that the person who made the complaint, or other individuals, could become identifiable.

5. PIRC explained that it could have handled the request under FOISA and applied the relevant exemption for personal data; however, it was good practice to also assess whether the information being withheld could be disclosed under data protection regulations. As Mr Y had asked for information relating to his own complaint handling review, it was considered it would be more appropriate to disclose the information to him personally.

6. On 9 November 2018, Mr Y applied to the Commissioner for a decision in terms of section 47(1) of FOISA. Mr Y complained that PIRC had refused to state what part of FOISA it was relying upon, which meant that he was unable to challenge the refusal.

Investigation

7. The application was accepted as valid. The Commissioner confirmed that Mr Y made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

8. On 20 November 2018, PIRC was notified in writing that Mr Y had made a valid application and the case was allocated to an investigating officer.

9. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. PIRC was invited to comment on this application and to answer specific questions. These related to why PIRC considered the request should be responded to under the GDPR and had not responded under FOISA.

Commissioner's analysis and findings

10. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both Mr Y and PIRC. He is satisfied that no matter of relevance has been overlooked.

FOISA or DPA

11. The Commissioner must decide whether PIRC responded to Mr Y's request for information in accordance with Part 1 of FOISA.

12. Section 38(1)(a) of FOISA contains an absolute exemption in relation to personal data of which the applicant is the data subject. (The fact that it is absolute means that it is not subject to the public interest test set out in section 2(1) of FOISA.)

13. This exemption exists under FOISA because individuals have a separate right to make a request for their own personal data under the GDPR/DPA 2018. This route is more appropriate for individuals accessing their personal data as it ensures that it is disclosed only to the individual. As PIRC has stated in its correspondence with Mr Y, information disclosed under FOISA is considered to be disclosed into the public domain.

14. Section 38(1)(a) of FOISA does not deny individuals a right to access to information about themselves, but ensures that the right is exercised under the correct legislation (the GDPR/DPA 2018) and not under FOISA.

15. Personal data are defined in section 3(2) of the DPA 2018 which, read with section 3(3), incorporates the definition of personal data in Article 4(1) of the GDPR:

" … any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"

The definition of personal data is set out in full in Appendix 1.

16. In response to questions from the Commissioner, PIRC explained that individuals often make requests for information and name the incorrect regime, asking for general information under the GDPR/DPA 2018 or for their personal data under FOISA. In all circumstances, PIRC reviews the content of the information prior to preparing a response to ensure it is applying the most appropriate regime.

17. PIRC had provided the information requested by Mr Y under the GDPR/DPA 2018 as it considered it to be his personal data.

18. PIRC acknowledged that Mr Y's request met all the requirements for a valid information request specified in section 8(1) of FOISA. However, it considered that the information was his own personal data, and that it was more appropriate to respond under data protection legislation.

19. As the information requested was held in connection to an incident in which Mr Y was involved, PIRC considered release under FOISA would provide details of the case to anyone who wished to search for it. Therefore, by allowing details to appear publically on a third party website and by publishing details of the specific Complaint Handling Review, it was considered that a link could be made to the individual through such a release.

Is the information Mr Y's own personal data?

20. The Commissioner has considered the information that falls within the scope of Mr Y's request and the submissions received. It is apparent that any information held with regard to Mr Y's complaint relates to his personal circumstances and therefore would be his own personal data. In the circumstances, the Commissioner is satisfied that PIRC would have been entitled to withhold the information under section 38(1)(a) of FOISA, which exempts from disclosure under FOISA information which is the personal data of the applicant.

21. The Commissioner believes it was appropriate for PIRC to treat Mr Y's request as a subject access request under the GDPR/DPA 2018. However, given that Mr Y's request was also a valid request in terms of section 8(1) of FOISA, PIRC was required to consider his request under FOISA as well as under the GDPR/DPA 2018.

Content of notices

22. The Commissioner notes that in responding to Mr Y's request and requirement for review, PIRC made no reference to any provision in FOISA and dealt with the request under the GDPR/DPA 2018.

23. The Commissioner has issued guidance on section 38 of FOISA[1], and, in particular, the actions that should be taken by a Scottish public authority when it receives a request where someone asks for their own personal data.

24. The Commissioner's briefing is clear that, even if an authority considers a request is for the applicant's own personal data, it should issue a refusal notice in terms of section 16 of FOISA: failure to do so is a failure to comply with Part 1 of FOISA.

25. In this case, it is apparent that Mr Y made a valid request under section 1(1) of FOISA for information held by PIRC. The Commissioner notes that PIRC provided him with the information. However, given that Mr Y's request met all the requirements of section 8(1) of FOISA, PIRC had a duty to provide Mr Y with a response which complied with section 16 of FOISA.

26. Section 16(1) of FOISA states that where an authority holds information which is subject to a request under section 1(1) of FOISA, and which it intends to withhold under any exemption, the authority must give the applicant notice in writing to the effect that the information is held, and specify which exemption it considers applies to the information (with reasons).

27. Section 16(6) of FOISA also makes it clear that a notice in terms of section 16(1) is subject to section 19 of FOISA, which requires the authority to include details of their right to seek a review and to apply to the Commissioner.

28. The Commissioner notes that PIRC's response to Mr Y's request for information did not comply with the requirements of section 16(1) and section 19 of FOISA. It did not specify which exemption in FOISA permitted it to withhold the information under FOISA, and although it provided details of appeal rights, these related to Mr Y's rights under the GDPR/DPA 2018.

29. In correspondence with the Commissioner, PIRC accepted that it could have provided a response under FOISA and applied the relevant exemption for personal data (section 38(1)(a)). It explained that it had received criticism in the past that its responses contained too much "jargon".

30. The Commissioner is has some sympathy with this, and accepts that it can be difficult for applicants to understand why a request may be refused under FOISA if the same information is disclosed under the GDPR/DPA 2018. However, Mr Y is correct that he was entitled to a refusal notice which specified the exemption in FOISA under which information had been withheld, and explained why it applied. It should have been clear from the terms of Mr Y's request for review that he required PIRC to issue a response under FOISA, even though he had received the information under the GDPR.

Conclusion

31. In conclusion, the Commissioner finds that PIRC failed to comply with the technical requirements of sections 16, 19 and 20 of FOISA, as outlined above, in responding to Mr Y's request for information.

32. In the circumstances, given that PIRC has already provided the relevant information to Mr Y, the Commissioner does not require PIRC to take any action in respect of these breaches of Part 1 of FOISA.

Decision

The Commissioner finds that the Police Investigations and Review Commissioner failed to comply with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by Mr Y by failing to provide a refusal notice under section 16(1) of FOISA.

Given that Mr Y has received the information he requested, the Commissioner does not require PIRC to take any action in response to Mr Y's application.

Appeal

Should either Mr Y or PIRC wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement
27 February 2019

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

16 Refusal of request

(1) Subject to section 18, a Scottish public authority which, in relation to a request for information which it holds, to any extent claims that, by virtue of any provision of Part 2, the information is exempt information must, within the time allowed by or by virtue of section 10 for complying with the request, give the applicant a notice in writing (in this Act referred to as a "refusal notice") which-

(a) discloses that it holds the information;

(b) states that it so claims;

(c) specifies the exemption in question; and

(d) states (if not otherwise apparent) why the exemption applies.

(6) Subsections (1), (4) and (5) are subject to section 19.

19 Content of certain notices

A notice under section 9(1) or 16(1), (4) or (5) (including a refusal notice given by virtue of section 18(1)) or 17(1) must contain particulars-

(a) of the procedure provided by the authority for dealing with complaints about the handling by it of requests for information; and

(b) about the rights of application to the authority and the Commissioner conferred by sections 20(1) and 47(1).

38 Personal information

(1) Information is exempt information if it constitutes-

(a) personal data of which the applicant is the data subject;

General Data Protection Regulation

Article 4 Definitions

For the purpose of this Regulation:

1 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Article 15 Right of access by the data subject

1 The data subject shall have the right to obtain from the controller information as to whether or not personal data concerning him or her are being processed, and where that it the case, access to the personal data …

Data Protection Act 2018

3 Terms relating to the processing of personal data

(2) "Personal data" means any information relating to an identified or identifiable living

individual (subject to subsection (14)(c)).

(3) "Identifiable living individual" means a living individual who can be identified, directly or

indirectly, in particular by reference to-

(a) an identifier such as a name, an identification number, location data or an online

identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

[1] http://www.itspublicknowledge.info/Law/FOISA-EIRsGuidance/section38/Section38.aspx