Home Decisions

Decision 028/2020

Decision 028/2020: Correspondence between SEPA and a third party

Public authority: Scottish Environment Protection Agency
Case Ref: 201901658

Summary

SEPA was asked for correspondence between itself and a third party which it had previously withheld. SEPA withheld the information on the basis it was personal data and had been provided in confidence.

The Commissioner accepted that SEPA was entitled to withhold the information as personal data.


Relevant statutory provisions

The Environmental Information (Scotland) Regulations 2004 (the EIRs) regulations 2(1) (definitions (a) and (c) of "environmental information", "the data protection principles", "the GDPR" and "personal data") and (3A) (Interpretation); 5(1) and (2)(b) (Duty to make available environmental information on request); 10(3) (Exceptions from duty to make environmental information available); 11(2), (3)(A)(a) and (7) (Personal data)

General Data Protection Regulation (the GDPR) Articles 5(1)(a) (Principles relating to processing of personal data); 6(f) (Lawfulness of processing)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5) and (10) (Terms relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.


Background

1. On 27 May 2015, the Applicant made a request to the Scottish Environment Protection Agency (SEPA), which included all documentation, including letters, emails and telephone calls, between a third party and SEPA from the beginning of 2010 to the present day in connection with a specified matter.

2. The request of 27 May 2015 was the subject of Decision 177/2016 Mrs L (the Applicant) and SEPA[1], which was issued on 19 August 2016. That decision found that information had been correctly withheld by SEPA under regulations 10(5)(f) and 11(2) of the EIRs.

3. On 2 February 2019, the Applicant made a request for information to SEPA. The Applicant stated that as a legal action (referred to in Decision 177/2016) had been withdrawn, the information that had previously been withheld should now be disclosed. The Applicant requested that information.

4. SEPA responded on 1 March 2019. It advised that it had applied section 39(2) of the Freedom of Information (Scotland) Act 2002 (FOISA), as the request was for environmental information and fell to be considered under the EIRs. It further advised that it considered the information requested to be excepted from disclosure under both regulation 11 and 10(5)(f) of the EIRs, and explained why.

5. On 2 March 2019, the Applicant wrote to SEPA, requesting a review of its decision on the basis that the public interest favoured disclosure of the information requested. The Applicant also commented that names of individuals could be redacted, thus allowing the information to be disclosed.

6. SEPA notified the Applicant of the outcome of its review on 29 March 2019. SEPA commented that in the request the Applicant had stated that the status of the legal proceedings, which had been cited as a factor in withholding the information, had changed in the intervening period. SEPA advised that the court proceedings were still listed in the Court of Session roll in early March 2019, a position confirmed by the third parties. As it could not conclude that the circumstances surrounding the legal process had changed, it maintained that the information was excepted from disclosure and upheld the application of regulations 10(5)(f) and 11(2) of the EIRs.

7. On 2 September 2019, the Applicant wrote to the Commissioner. The Applicant applied to the Commissioner for a decision in terms of section 47(1) of FOISA. By virtue of regulation 17 of the EIRs, Part 4 of FOISA applies to the enforcement of the EIRs as it applies to the enforcement of FOISA, subject to specified modifications. The Applicant stated she was dissatisfied with the outcome of SEPA's review because the legal circumstances had changed and the public interest favoured disclosure of the information. She also argued that the personal data could lawfully be disclosed.


Investigation

8. The application was accepted as valid. The Commissioner confirmed that the Applicant made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

9. On 23 October 2019, SEPA was notified in writing that the Applicant had made a valid application. SEPA was asked to send the Commissioner the information withheld from the Applicant. SEPA provided the information and the case was allocated to an investigating officer.

10. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. SEPA was invited to comment on this application and to answer specific questions, focusing on its application of exceptions claimed.

11. SEPA provided submissions to the effect that it considered all of the information requested was excepted from disclosure under regulation 11(2) of the EIRs, as it was personal data and disclosure would breach the data protection principle in Article 5(1)(a) of the GDPR, which requires that processing of personal data be lawful, fair and carried out in a transparent manner. It withdrew reliance on regulation 10(5)(f) of the EIRs.

12. The Applicant provided submissions to the effect that the disclosure of the information was in the public interest.


Commissioner's analysis and findings

13. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both the Applicant and SEPA. He is satisfied that no matter of relevance has been overlooked.

Application of the EIRs

14. The Commissioner is satisfied that any information falling within the scope of the request is properly considered to be environmental information, as defined in regulation 2(1) of the EIRs (paragraphs (a) and (c) are reproduced in Appendix 1 to this decision). The Applicant made no comment on SEPA's application of the EIRs in this case and the Commissioner will consider the request in what follows solely in terms of the EIRs.

Regulation 11(2) of the EIRs

15. SEPA submitted that the information withheld was the personal data of those individuals, who had been in correspondence and contact with SEPA. As such, the information was considered excepted from disclosure under regulation 11(2) of the EIRs.

16. Regulation 10(3) of the EIRs provides that a Scottish public authority can only make personal data in environmental information available in accordance with regulation 11. Regulation 11(2) provides that personal data shall not be made available where the applicant is not the data subject and other specified conditions apply. These include where disclosure would contravene any of the data protection principles in the GDPR or in the DPA 2018 (regulation 11(3)(A)(a)).

17. SEPA submitted that disclosure of the personal data would breach the first data protection principle, which requires the processing of personal data to be lawful and fair, and to be carried out in a transparent manner (Article 5(1)(a) of the GDPR).

18. SEPA referred to the response it had provided to the Applicant when dealing with the initial request in 2015, stating it had explained that disclosure would not be fair or lawful in the circumstances. It also drew attention to Decision 177/2016, and submitted that this decision was still relevant and that the position regarding personal data had not changed since it was issued.

Is the information withheld personal data?

19. Personal data are defined in section 3(2) of the DPA 2018 which, read with section 3(3), incorporates the definition of personal data in Article 4(1) of the GDPR:

"… any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"

20. The Commissioner has considered the information that falls within the scope of the Applicant's request and the submissions received. The Commissioner accepts that a living individual can be identified from the information. Given the subject matter of the request, which asks for letters, emails and telephone calls, between a third party and SEPA and makes clear their connection to SEPA, the withheld information would clearly relate to that identifiable individual. The Commissioner therefore accepts that the information is personal data as defined in section 3(2) of the DPA 2018.

21. In her request for review, the Applicant had submitted that personal data could be redacted, thus allowing the remaining information to be disclosed.

22. SEPA submitted that the withheld information was the personal data of an identifiable person and drew attention to paragraph 68 of Decision 177/2016, where the Commissioner accepted that the withheld information related to a living person and that person was identifiable. That paragraph also acknowledged that the Applicant knew the identity of the data subject (so the third party is identifiable) and the information clearly related to that person.

23. In considering whether the information held could be redacted to allow disclosure, the Commissioner considers that even if names where redacted from the information that has been withheld, the Applicant would still know who the personal data related to, and so finds that the information could not be redacted to allow disclosure.

Would disclosure contravene one of the data protection principles?

24. Article 5(1)(a) of the GDPR requires personal data to be processed "lawfully, fairly and in a transparent manner in relation to the data subject." The definition of "processing" is wide and includes (section 3(4)(d) of the DPA 2018) "disclosure by transmission, dissemination or otherwise making available". In the case of the EIRs (or, where relevant, FOISA) personal data are processed when disclosed in response to a request. Personal data can only be disclosed if disclosure would be both lawful (i.e. if it would meet one of the conditions of lawful processing listed in Article 6(1) of the GDPR) and fair.

Lawful processing: Articles 6(1)(a) and (f) of the GDPR

25. Among other questions, therefore, the Commissioner must consider if disclosure of the personal data would be lawful. In considering lawfulness, he must consider whether any of the conditions in Article 6 of the GDPR would allow the personal data to be disclosed.

26. SEPA took the view that no conditions in Article 6 applied in the circumstances of this case, and provided submissions in support of its position.

27. The Commissioner considers condition (f) in Article 6(1) to be the only one which could possibly apply in this case.

Condition (f): legitimate interest

28. Condition (f) states that processing will be lawful if it "…is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child."

29. Although Article 6 states that this condition cannot apply to processing carried out by public authorities in the performance of their tasks, regulation 11(7) of the EIRs (see Appendix 1) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.

30. The tests which must be met before Article 6(1)(f) can be met are as follows:

a) Does the Applicant have a legitimate interest in obtaining the personal data?

b) If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?

c) Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subject(s)?

Does the person making this request have a legitimate interest in obtaining the personal data?

31. There is no definition within the DPA 2018 of what constitutes a "legitimate interest", but the Commissioner takes the view that the term indicates that matters in which an individual properly has an interest should be distinguished from matters about which he or she is simply inquisitive. In the Commissioner's published guidance on personal information[2], it states:

"In some cases, the legitimate interest might be personal to the applicant, e.g. he or she might want the information in order to bring legal proceedings. With most requests, however, there are likely to be wider legitimate interests, such as the scrutiny of the actions of public bodies or public safety."

32. In its submissions to the Commissioner, SEPA drew attention to paragraphs 80 and 81 of Decision 117/2016, where the Commissioner accepted that the Applicant was pursuing a legitimate interest in making her information request. SEPA accepted that the Applicant continued to pursue a legitimate interest.

33. The Applicant believed that she was entitled to receive the withheld correspondence and explained why.

34. Having considered the submissions from both the Applicant and SEPA, the Commissioner accepts that the Applicant is pursuing a legitimate interest in seeking to understand the actions taken by the third party and SEPA. As such, the Applicant has a legitimate interest in the withheld information.

Is disclosure of the personal data necessary?

35. In its submissions to the Commissioner, SEPA drew attention to paragraphs 82 and 83 of Decision 117/2016, where the Commissioner accepted that making the personal data available was necessary to meet the Applicant's legitimate interests. It accepted that this would continue to be the case.

36. The Commissioner considers that the passage of time since Decision 117/2016 was issued has not changed this position and finds that disclosure of the personal data continues to be necessary to meet the Applicant's legitimate interests.

Interests or fundamental rights and freedoms of the data subjects

37. It is necessary to consider the data subject(s)' interests or fundamental rights and freedoms, and balance them against the legitimate interest in disclosure. In doing so, it is necessary to consider the impact of disclosure. For example, if the data subject(s) would not reasonably expect that the information would be disclosed to the public under FOISA in response to the request, or if such disclosure would cause unjustified harm, their interests, freedoms or rights are likely to override legitimate interests in disclosure. Only if the legitimate interests of the Applicant outweigh those of the data subject(s) can the information be disclosed without breaching the first data protection principle.

38. SEPA provided submissions to the effect that the Commissioner's findings as set out in paragraphs 84 to 91 of Decision 117/2016 were still applicable and, therefore, condition (f) could not be met to allow disclosure of the information.

39. The Applicant provided submissions setting out why she considered the information requested should be disclosed.

40. The Commissioner's guidance on regulation 11 of the EIRs notes factors that should be taken into account in considering the interests of the data subject(s) and carrying out the balancing exercise. He makes it clear that, in line with Recital (47) of the GDPR, much will depend on the reasonable expectations of the data subjects and that these are some of the factors public authorities should consider:

(i) whether the information relates to the individual's public life (i.e. their work as a public official or employee) or their private life (e.g. their home, family, social life or finances);

(ii) the potential harm or distress that may be caused by the disclosure;

(iii) whether the individual objected to the disclosure.

41. In considering the rights, freedoms and interests of data subjects, it is important to take account of whether the proposed disclosure would be within individuals' reasonable expectations. There are factors that assist in determining the expectations of an individual in respect of their person data. These include the distinction between private and public life; the nature of the information; how the personal data were obtained; whether any specific assurances were given to the individuals; the terms of any relevant privacy notices, and any policy or standard practice of the authority.

42. As paragraph 7 of the guidance on regulation 11 states, the regulation applies regardless of how old the information is: it applies for as long as the information comprises the personal data of a living individual. The Commissioner has revisited paragraphs 84 to 91 of Decision 117/2016 and considered all the submissions made by both the Applicant and SEPA in this case. The Commissioner concludes that, in the intervening period, nothing has changed that would contradict the findings in Decision 117/2016. He is satisfied that the data subject would still have a reasonable expectation that the information in question should remain private, regardless of whether the court proceedings referred to by the Applicant are now at an end.

43. Having considered the competing interests in this particular case, the Commissioner finds that the Applicant's legitimate interests are outweighed by the prejudice to the interests, rights and freedoms of the data subject that would result from disclosure. He therefore finds that condition (f) cannot be met, to allow disclosure of the information.

44. In the circumstances of this particular case, therefore, in the absence of a condition in Article 6(1) of the GDPR being met, the Commissioner must conclude that that disclosure of the personal data would be unlawful and would therefore breach the data protection principle in Article 5(1)(a) of the GDPR. Consequently, he is satisfied that disclosure of the personal data is not permitted by regulation 11(2) of the EIRs.

Decision

The Commissioner finds that the Scottish Environment Protection Agency complied with the Environmental Information (Scotland) Regulations 2004 in responding to the information request made by the Applicant.


Appeal

Should either the Applicant or SEPA wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.


Margaret Keyse
Head of Enforcement
4 February 2020


Appendix 1: Relevant statutory provisions

The Environmental Information (Scotland) Regulations 2004

2 Interpretation

(1) In these Regulations -

"environmental information" has the same meaning as in Article 2(1) of the Directive, namely any information in written, visual, aural, electronic or any other material form on -

(a) the state of the elements of the environment, such as air and atmosphere, water, soil, land, landscape and natural sites including wetlands, coastal and marine areas, biological diversity and its components, including genetically modified organisms, and the interaction among these elements;

(c) measures (including administrative measures), such as policies, legislation, plans, programmes, environmental agreements, and activities affecting or likely to affect the elements and factors referred to in paragraphs (a) and (b) as well as measures or activities designed to protect those elements;

"the data protection principles" means the principles set out in -

(a) Article 5(1) of the GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

"the GDPR" and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of the Act (see section 3(10), (11) and (14) of that Act);

"personal data" has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act);

(3A) In these Regulations, references to the Data Protection Act 2018 have effect as if in Chapter 3 of Part 2 of that Act (other general processing) -

(a) the references to an FOI public authority were references to a Scottish public authority as defined in these Regulations;

(b) the references to personal data held by such an authority were to be interpreted in accordance with paragraph (2) of this regulation.

5 Duty to make available environmental information on request

(1) Subject to paragraph (2), a Scottish public authority that holds environmental information shall make it available when requested to do so by any applicant.

(2) The duty under paragraph (1)-

(b) is subject to regulations 6 to 12.

10 Exceptions from duty to make environmental information available-

(3) Where the environmental information requested includes personal data, the authority shall not make those personal data available otherwise than in accordance with regulation 11.

11 Personal data

(2) To the extent that environmental information requested includes personal data of which the applicant is not the data subject, a Scottish public authority must not make the personal data available if -

(a) the first condition set out in paragraph (3A) is satisfied, or

(b) the second or third condition set out in paragraph (3B) or (4A) is satisfied and, in all the circumstances of the case, the public interest in making the information available is outweighed by that in not doing so.

(3A) The first condition is that the disclosure of the information to a member of the public otherwise than under these Regulations -

(a) would contravene any of the data protection principles, or

(7) In determining, for the purposes of this regulation, whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

General Data Protection Regulation

Article 5 Principles relating to processing of personal data

1 Personal data shall be:

a. processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency")

Article 6 Lawfulness of processing

1 Processing shall be lawful only if and to the extent that at least one of the following applies:

f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

Data Protection Act 2018

3 Terms relating to the processing of personal data

(2) "Personal data" means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

(3) "Identifiable living individual" means a living individual who can be identified, directly or indirectly, in particular by reference to -

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

(4) "Processing", in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as -

(d) disclosure by transmission, dissemination or otherwise making available.

(5) "Data subject" means the identified or identifiable living individual to whom personal data relates.

(10) "The GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

[1] http://www.itspublicknowledge.info/ApplicationsandDecisions/Decisions/2016/201600053.aspx

[2] http://www.itspublicknowledge.info/Law/FOISA-EIRsGuidance/EIRsexceptionbriefings/Regulation11/Regulation11PersonalInformation.aspx