Decision 038/2021: Personal data sharing agreements
Public authority: Scottish Minsters
Case Ref: 202001416
Summary
The Ministers were asked about data sharing agreements with third parties, including NGOs and third sector organisations.
The Ministers stated that it would exceed the cost threshold to supply information in response to the request and applied section 12 of FOISA. Following an investigation, the Commissioner agreed.
Relevant statutory provisions
Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 12(1) (Excessive cost of compliance)
The Freedom of Information (Fees for Required Disclosure) (Scotland) Regulations 2004 (the Fees Regulations) regulations 3 (Projected costs) and 5 (Excessive cost - prescribed amount)
The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.
Background
1. On 29 September 2020, the Applicant made a request for information to the Ministers. The request was entitled "IVPD Agencies and NGO/third sector organisations" and read as follows:
Under Freedom of Information (Scotland) Act 2002 please supply me with Information contained in your records relating to the following:
Please advise each multi agency/partner agencies including NGO and third sector organisations that you have a memorandum of agreement to share personal data about a data subject.
Please supply the agreements appertaining to each agency: NGO: third sector organisation that a person's data is in free flow transmission in many cases without the data subjects' consent.
Please advise the checks and balances in place to ensure that this data is in fact ACCURATE.
2. The Ministers responded on 27 October 2020. They stated to comply with the request would exceed the upper cost limit and, therefore, section 12(1) of FOISA applied. The Ministers also provided the Applicant with advice on how to reduce scope and cost of her request.
3. On 29 October 2020, the Applicant wrote to the Ministers requesting a review of their decision. She was dissatisfied with application of section 12 of FOISA and was of the view that the costs should be negligible due to the Scottish Government's new Digital Technology Policy.
4. The Ministers notified the Applicant of the outcome of their review on 26 November 2020 and confirmed their original decision. They stated the searches conducted had been robust in the context of the scope and scale of the request and that the cost of providing the information would exceed £600. They advised that there was no central registry of Memorandum of Agreements to share personal and non-personal data thus a search was required. The Ministers reiterated that the Applicant could narrow the scope her request by way of any specific organisation she required.
5. That day, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. The Applicant stated she was dissatisfied with the outcome of the Ministers' review because she did not believe it would cost more than £600 to provide her with the information she had asked for. She provided the Commissioner with a link to where she thought the information should be held[1].
Investigation
6. The application was accepted as valid. The Commissioner confirmed that the Applicant made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.
7. On 11 December 2020, the Ministers were notified in writing that the Applicant had made a valid application and the case was allocated to an investigating officer.
8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Ministers were invited to comment on this application and to answer specific questions. These related to the costs involved in responding to the information request.
9. Submissions were received from both the Ministers and the Applicant.
Commissioner's analysis and findings
10. In coming to a decision on this matter, the Commissioner considered the relevant submissions, or parts of submissions, made to him by both the Applicant and the Ministers. He is satisfied that no matter of relevance has been overlooked.
Section 12(1) - Excessive cost of compliance
11. Under section 12(1), a Scottish public authority is not obliged to comply with a request for information where the estimated cost of doing so would exceed the relevant amount prescribed in the Fees Regulations. This amount is currently set at £600 (regulation 5 of the Fees Regulations). Consequently, the Commissioner has no power to require the disclosure of information should he find that the cost of responding to a request for information exceeds this sum.
12. The projected costs the public authority can take account of in relation to a request for information are, according to regulation 3 of the Fees Regulations, the total costs (whether direct or indirect) which the authority reasonably estimates it is likely to incur in locating, retrieving and providing the information requested in accordance with Part 1 of FOISA. The public authority may not charge for the cost of determining whether it actually holds the information requested, or whether it should provide the information. The maximum rate a Scottish public authority can charge for staff time is £15 per hour.
Submissions from the Applicant
13. The Applicant believed the information she sought was centrally available and submitted that the question of the Interim Vulnerable Persons Database (IVPD) was intrinsically connected to training and funding to the relevant agencies to roll out training through Woman's Aid and other agencies for the new Domestic Abuse (Scotland) Act 2018. She was of the view that, as this Act covered all agencies, the records should be held all in one place.
Submissions from the Ministers
14. The Ministers explained that it was policy that a data sharing agreement must be completed by any official sharing personal data with organisations outside of the Scottish Government. This applies when the sharing is systematic and regular, involving multiple data subjects. These data sharing agreements are held at divisional level and authorised by the information asset owner.
15. The Ministers submitted that their information asset register has a facility to log data sharing agreements against an asset. However, this is not mandatory and as such they did not consider the information asset register to be a centrally held list detailing all data sharing agreements. They stated that they do not maintain a central record of all data sharing agreements held and would be required to complete a global search across the Scottish Government's records in order to identify whether the specific information requested is held.
16. Whilst acknowledging that the Applicant had given some indication of the subject area in stating the organisations are in connection with the IVPD, the Ministers submitted that the definition of "Vulnerable Person" is broad and would capture a wide range of organisations who work with the Ministers across various aspects of their work. While it was possible that this information could be held by the Ministers, to establish this definitively required searches to be undertake which would exceed the upper cost limit.
17. The Ministers explained that, as Police Scotland was the data controller for IVPD, Police Scotland would be likely to hold any data sharing agreements with organisations specifically in relation to personal data sharing for the purposes of the IVPD.
18. It was the Ministers' view that the Applicant's request, in its current form, would capture any memorandum of agreement to share personal data or data sharing agreement the Ministers have with an organisation working with vulnerable individuals which could have input into Police Scotland's IVPD since the date it was established in 2013. It would also capture any exceptional data sharing, when data is shared on a one-off basis for any of a range of purposes. The Ministers did not have a list of organisations which work with Police Scotland in this regard and would therefore need to consider any organisation which shares personal data with the Scottish Government who are known to work with vulnerable individuals and examine the specific agreements in place to check the relevance to the Applicant's request.
19. The Ministers explained that there are 116 data sharing agreements logged on their information asset register, and these would need to be reviewed individually to identify any information potentially falling within the scope of the request. In addition, a global search of the Ministers' electronic management system would be required to identify the information held across the organisation, for all data sharing agreements and Memorandums of Understanding (MoUs) in place, in so far as they cover the sharing of personal data. Even with this extensive search, the returns would be limited to data sharing which is systemic and regular and would be unlikely to identify any exceptional data sharing when data is shared on a one-off basis for any of arange of purposes.
Searches
20. The Ministers provided the Commissioner with a screen-print of searches across their electronic management system which returned 4,221 results. While this captured returns from any area of the Scottish Government who use eRDM (the Ministers' electronic records system), it would not cover all of the executive agencies covered by the Scottish Ministers' designation and a search would need to be commissioned through information governance leads to identify information held by executive agencies.
21. Searches would be required across many directorates of the core Scottish Government, including Justice, Health and Social Care, Local Government and Communities as well as executive agencies such as Scottish Prison Service, Social Security Scotland and Disclosure Scotland because these areas could hold personal information on vulnerable individuals and may have entered into data sharing agreements with partner organisations.
22. Electronic files (but not paper files) would need to be searched. A B2 grade case handler in the Data Protection and Information Asset Team would carry out the searches at a cost of £15.00 per hour. Based on a focused search using the key words "Data Sharing Agreement" it was estimated that it would take the case handler approximately 60 minutes to complete the relevant global searches and identify any other individuals who may hold relevant information as they do not all store all information centrally on eRDM. The case handler would need to contact the information governance leads in each of the seven executive agencies to ensure that all information held by them is included for consideration. It was estimated that their searches would take on average approx. 30 minutes per individual, giving a total time for searching of 270 minutes. (4½ hours @ £15.00 per hour = £67.50).
23. The case handler would then need to review the 116 data sharing agreement records held on the information asset register. In a trial search, this task took one hour in total (1 x £15.00 per hour = £15.00) and determined that none of the documents were in scope of the request.
24. As noted, a single search using "Data Sharing Agreement" alone returned 4,221 returns which would need to be sifted individually to identify whether the information held would fall within the scope of the request.
25. The Ministers considered that they would be able to exclude some returns on the basis of title, but would need to open and review others individually where further information is required to make a determination on scope. Taking a conservative estimate of an average 30 seconds per return, it would take approximately 35 hours to sift 4,221 returns which, at the rate of £15.00 per hour, would cost approx. £525. Taken together with the time taken for searches and sifting the information asset register, this would total £607.50.
26. The Ministers considered that this demonstrated that the work required to reach this point would exceed the upper cost limit of £600. This was notwithstanding the need to complete further key word searches to identify MoUs which include data sharing provisions and to sift any subsequent returns, to sift any returns received from our executive agencies or any cost associated with the physical redaction of information prior to release. The Ministers submitted that that undertaking this further work would take them substantially over the cost limit.
Narrowing the scope of the request
27. The Ministers stated that, in responding to both the request and review, they had provided advice to the Applicant in relation to how she could narrow the scope of her request to bring it within the upper cost limit. The Ministers acknowledged that the additional information provided in her application to the Commissioner suggested that she may be seeking information in relation to a particular organisation or sector.
28. The Ministers stated that this suggested she did not anticipate such a broad interpretation of the request, but that she had not engaged with them to narrow the scope of her request or more clearly set out the specific information she is seeking. The Ministers stated that in hindsight it may have been beneficial to seek clarification from the Applicant to more clearly define the information being requested.
29. With that in mind, the Ministers stated that they remained open to considering a request from the Applicant which allowed them to limit the searches required to identify personal data sharing agreements with a particular organisation or sector.
The Commissioner's conclusions
30. The Commissioner has considered the submissions received from both parties
31. Taking account of all the circumstances, the Commissioner is satisfied that the Ministers have taken a reasonable interpretation of the Applicant's request and the cost of complying with the request would exceed £600. He therefore finds, in line with section 12(1) of FOISA, that the Ministers were not obliged to comply with the request.
32. He notes the Ministers' willingness to engage with the Applicant on the basis of her submitting a fresh request made in terms of a narrower scope.
Decision
The Commissioner finds that the Scottish Ministers complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by the Applicant.
Appeal
Should either the Applicant or the Ministers wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.
Margaret Keyse
Head of Enforcement
22 March 2021
Appendix 1: Relevant statutory provisions
Freedom of Information (Scotland) Act 2002
1 General entitlement
(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.
…
(6) This section is subject to sections 2, 9, 12 and 14.
12 Excessive cost of compliance
(1) Section 1(1) does not oblige a Scottish public authority to comply with a request for information if the authority estimates that the cost of complying with the request would exceed such amount as may be prescribed in regulations made by the Scottish Ministers; and different amounts may be so prescribed in relation to different cases.
…
Freedom of Information (Fees for Required Disclosure) (Scotland) Regulations 2004
3 Projected costs
(1) In these Regulations, "projected costs" in relation to a request for information means the total costs, whether direct or indirect, which a Scottish public authority reasonably estimates in accordance with this regulation that it is likely to incur in locating, retrieving and providing such information in accordance with the Act.
(2) In estimating projected costs-
(a) no account shall be taken of costs incurred in determining-
(i) whether the authority holds the information specified in the request; or
(ii) whether the person seeking the information is entitled to receive the requested information or, if not so entitled, should nevertheless be provided with it or should be refused it; and
(b) any estimate of the cost of staff time in locating, retrieving or providing the information shall not exceed £15 per hour per member of staff.
5 Excessive cost - prescribed amount
The amount prescribed for the purposes of section 12(1) of the Act (excessive cost of compliance) is £600.
