Home Decisions

Decision 041/2015

 Decision 041/2015: Mr X and the Scottish Prison Service

 Information relating to a tender

 Reference No: 201402582
 Decision Date: 30 March 2015

 Summary

On 2 September 2014, Mr X asked the Scottish Prison Service (the SPS) for information concerning a tender.

The SPS responded by disclosing some information. The SPS withheld some information on the basis that it was exempt from disclosure in terms of sections 36(2) (Confidentiality) and 38(1)(b) (Personal data) of FOISA. Additionally, the SPS informed Mr X that it did not hold some of the requested information.

The Commissioner investigated and found that the SPS had partially failed to respond to Mr X's request for information in accordance with Part 1 of FOISA. The Commissioner found that some of the withheld information did not comprise personal data and required the SPS to disclose it to Mr X. In respect of the information that did comprise personal data, the Commissioner was satisfied that the SPS was entitled to withhold it under the exemption in section 38(1)(b) of FOISA. The Commissioner also accepted that the SPS did not hold any recorded information concerning individuals contacted by telephone.

 Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (4) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 17(1) (Notice that information is not held); 38(1)(b), (2)(a)(i) and (b) and (5) (definitions of "data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA) sections 1(1) (Basic interpretative provisions) (definition of personal data); 2 (Sensitive personal data); Schedule 1 (The data protection principles, Part 1 - the principles) (the first data protection principle); Schedule 2 (Conditions relevant for the purposes of the first principle: processing of any personal data: conditions 1 and 6(1))

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

 Background

1. On 2 September 2014, Mr X made a request for information to the SPS. The request concerned a tender conducted by the SPS to identify a suitably qualified person to carry out a specialist assessment. Mr X referred to previous correspondence with the SPS concerning the tender. The information requested was:

(i) The basis upon which the "5 to 10" individuals referred to in your letter were identified by SPS as being suitable, including their names.

(ii) The responses received from the "up to 8" who were unable to consider the tender at the time.

(iii) The identities and basis for further selection of the "up to 5" individuals who were approached.

(iv) The responses received from the 3 individuals including in particular information provided in respect of training, expertise and experience in their respective fields.

2. The SPS responded on 1 October 2014.

? In relation to part (i) of the request, the SPS provided an explanation of why the individuals had been approached. The SPS disclosed emails between it and the individuals concerned; personal data of those individuals was redacted on the basis that it was exempt from disclosure in terms of section 38(1)(b) of FOISA. The SPS gave notice in terms of section 17(1) of FOISA that it did not hold any information concerning potential tenderers contacted by telephone.

? In relation to part (ii), the SPS disclosed one email. It withheld the personal data of individuals named within the email under the exemption in section 38(1)(b) of FOISA.

? In relation to part (iii), the SPS withheld the information in terms of section 38(1)(b) of FOISA.

? In relation to part (iv), the SPS stated that the information was exempt from disclosure in terms of section 36(2) of FOISA on the basis that it was obtained from another person and its disclosure to the public would constitute an actionable breach of confidence. Additionally, the SPS withheld the information under the exemption in section 38(1)(b) of FOISA.

3. On 2 October 2014, Mr X wrote to the SPS requesting a review of its decision. Mr X disagreed with the SPS's application of the exemptions in sections 36(2) and 38(1)(b) of FOISA. Mr X reiterated that he wished to receive information concerning individuals contacted by telephone.

4. The SPS notified Mr X of the outcome of its review on 28 October 2014. The SPS upheld its initial decision without modification.

5. On 5 November 2014, Mr X wrote to the Commissioner. Mr X applied to the Commissioner for a decision in terms of section 47(1) of FOISA. Mr X stated he was dissatisfied with the outcome of the SPS's review because the SPS had not disclosed all of the information which he believed it held.

  Investigation

6. The application was accepted as valid. The Commissioner confirmed that Mr X made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to her for a decision.

7. On 14 November 2014, the SPS was notified in writing that Mr X had made a valid application. The SPS was asked to send the Commissioner the information withheld from him. The SPS provided the information and the case was allocated to an investigating officer.

8. At this stage, the SPS stated it now considered some of the withheld information to be exempt from disclosure in terms of section 30(c) of FOISA (Prejudice to effective conduct of public affairs).

9. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The SPS was invited to comment on this application (and answer specific questions) including justifying its reliance on any provisions of FOISA it considered applicable to the information requested.

10. The SPS responded with submissions in support of its position that the information was properly withheld from Mr X under section 38(1)(b) of FOISA. The SPS stated that it no longer wished to rely on the exemptions in sections 30(c) and 36(2) of FOISA. Additionally, the SPS explained the searches it had undertaken in order to locate and retrieve any records of telephone calls.

  Commissioner's analysis and findings

11. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to her by both Mr X and the SPS. She is satisfied that no matter of relevance has been overlooked.

Section 38(1)(b) of FOISA - Personal information

12. The SPS applied the exemption in section 38(1)(b) to the personal data of tenderers and potential tenderers. The withheld information comprised (generally) names, addresses, contact details, qualifications and work history of individuals. The SPS considered that disclosure of the information would breach the first data protection principle of the DPA and that none of the conditions in Schedules 2 or 3 to the DPA could be met.

13. Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or, as appropriate, section 38(2)(b), exempts information from disclosure if it is "personal data" (as defined in section 1(1) of the DPA) and its disclosure would contravene one or more of the data protection principles set out in Schedule 1 to the DPA .

14. The exemption in section 38(1)(b) of FOISA is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

15. In order to rely on this exemption, the SPS must show that the information being withheld is personal data for the purposes of the DPA and that its disclosure into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles to be found in Schedule 1 to the DPA.

Is the information under consideration personal data?

16. Personal data are defined in section 1(1) of the DPA as data which relate to a living individual who can be identified: a) from those data, or b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller. (The full definition is set out in the Appendix.)

17. The Commissioner is satisfied that the majority of the information under consideration does comprise personal data, in line with the definition in part a) of section 1(1) of the DPA. Living individuals, i.e. tenderers and potential tenderers who are the subject of the information or who are referenced within the information, can be identified from this information. Given its nature (names, contact details and biographical information), the Commissioner is satisfied that the information clearly relates to them.

18. However, the Commissioner is not satisfied that some of the information to which this exemption has been applied actually comprises personal data. In the Commissioner's view, some of the information contained in document 5 which has been withheld by the SPS is not capable of identifying living individuals. As such, the Commissioner is not satisfied that this information is exempt from disclosure in terms of section 38(1)(b) of FOISA and finds that it was incorrectly withheld by the SPS. The Commissioner now requires the SPS to disclose this information to Mr X.

19. With this decision, the Commissioner will provide the SPS with a marked up copy of document 5, indicating the information that should be disclosed.

Is the information under consideration sensitive personal data?

20. The SPS stated that some of the information supplied to it by one individual comprised sensitive personal data. The SPS submitted that it related to the individual's personal life and was highly sensitive as it related to their work and interests.

21. The Commissioner has considered the definitions of sensitive personal data in section 2 (a) to (h) of the DPA. Having done so, the Commissioner is unable to conclude that any of the personal data to which the SPS referred comprises sensitive personal data as defined in section 2 of the DPA.

22. The Commissioner will therefore consider the position in what follows on the basis that the information comprises non-sensitive personal data.

Would disclosure of the personal data contravene the first data protection principle?

23. As noted above, the SPS argued that making this information available would breach the first data protection principle. This states that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met. The processing in this case would comprise making the information publicly available in response to Mr X's request.

24. The first data protection principle states that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met.

Can any of the conditions in schedule 2 be met?

25. When considering the conditions in Schedule 2, the Commissioner has noted Lord Hope's comment in the case of Common Services Agency v Scottish Information Commissioner [2008] UKHL 47[1], that the conditions require careful treatment in the context of a request for information under FOISA, given that they were not designed to facilitate the release of information, but rather to protect personal data from being processed in a way that might prejudice the rights, freedoms or legitimate interests of the data subject (i.e. the person or persons to whom the data relate).

26. It appears to the Commissioner that condition 6 in Schedule 2 is the only one which might permit disclosure to Mr X. In any event, neither Mr X nor the SPS have suggested that any other condition would be relevant.

27. Condition 6 allows personal data to be processed if that processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

28. There are, therefore, a number of tests which must be met before condition 6(1) can apply. These are:

? Does Mr X have a legitimate interest in obtaining the personal data?

? If so, is the disclosure necessary to achieve those legitimate interests? In other words, is disclosure proportionate as a means and fairly balances as to ends, or could these legitimate interest be achieved by means which interfere less with the privacy of the data subjects?

? Even if disclosure is necessary for those purposes, would it nevertheless be unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subjects? As noted by Lord Hope in the above judgment, there is no presumption in favour of disclosure of personal data under the general obligation laid down in FOISA. The legitimate interests of Mr X must outweigh the rights and freedoms or legitimate interests of the data subjects before condition 6 will permit the personal data to be disclosed.

Does Mr X have a legitimate interest in obtaining the personal data?

29. There is no definition in the DPA of what constitutes a "legitimate interest." The Commissioner takes the view that the term indicates that matters in which an individual properly has an interest should be distinguished from matters about which he or she is simply inquisitive. The Commissioner's guidance on section 38 of FOISA[2] states:

In some cases, the legitimate interest might be personal to the applicant - e.g. he or she might want the information in order to bring legal proceedings. With most requests, however, there are likely to be wider legitimate interests, such as the scrutiny of the actions of public bodies or public safety.

30. The SPS submitted that Mr X's only legitimate interest in the matter was the identity of the successful tenderer and that this information had already been disclosed to him. The SPS argued that Mr X had no legitimate interest in any of the remaining personal data.

31. In the Commissioner's view, Mr X has a legitimate interest in obtaining all of the withheld information. The tender carried out by the SPS was to appoint a suitably qualified professional to carry out a specialist assessment of Mr X. Clearly, this is a matter of considerable interest to Mr X. Disclosure of the information would allow him some insight into the range of individuals who had been contacted by the SPS, their qualifications and whether they had decided to submit a tender.

32. The Commissioner also notes that she must assess the position as it existed at the time the SPS notified Mr X of the outcome of its review on 28 October 2014. At that time, the SPS withheld all of the information, including the identity of the successful tenderer from Mr X.

Is disclosure necessary to achieve those legitimate interests?

33. Having concluded that Mr X has a legitimate interest in obtaining the personal data under consideration, the Commissioner must now consider whether disclosure of the personal data is necessary to achieve those legitimate aims and fairly balanced as to ends, or whether these legitimate aims can be achieved by means which interfere less with the privacy of the data subjects. In doing so, she must consider whether these interests might reasonably be met by any alternative means.

34. The SPS argued that disclosure of the withheld information was not necessary for the purposes of any legitimate interest and would therefore be disproportionate.

35. Having reviewed the information that has been withheld, the Commissioner cannot identify any other viable means of meeting Mr X's interests which would interfere less with the privacy of the data subjects than providing the withheld personal data. For this reason, the Commissioner is satisfied that disclosure of the information is necessary for the purposes of Mr X's legitimate interests.

Would disclosure cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects?

36. The Commissioner is satisfied that disclosure of the withheld personal data is necessary to fulfil Mr X's legitimate interests, but must now consider whether that disclosure would cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects. As noted above, this involves a balancing exercise between the legitimate interests of Mr X and the data subjects in question. Only if the legitimate interests of Mr X outweigh those of the data subjects can the information be disclosed without breaching the first data protection principle.

37. In the Commissioner's briefing on the personal information exemption, she notes a number of factors which should be taken into account in carrying out the balancing exercise. These include:

? whether the information relates to an individual's public life (i.e. their work as a public official or employee) or their private life (i.e. their home, family, social life or finances)

? the potential harm or distress that may be caused by disclosure

? whether the individual objected to the disclosure

? the reasonable expectations of the individual as to whether the information should be disclosed.

38. The SPS submitted that the data subjects would have no expectation that their personal data would be disclosed into the public domain. The SPS argued that those individuals contacted by it for the purposes of identifying suitably qualified professionals would have no expectation that the fact they had been contacted for this specific purpose would be made public.

39. The SPS also submitted that, at the time it carried out its review, none of the data subjects had consented to disclosure of their personal data.

40. In Mr X's view, the information under consideration related to professionals (psychologists and psychiatrists) in their professional practice. In his view, this meant the disclosure of the information would be fair. Mr X also argued that the individuals in question were likely to have their own websites containing the information that he was seeking. Furthermore, he believed the individuals were likely to be listed on their professional bodies' websites along with the withheld personal data.

41. The Commissioner has considered all of the submissions made by Mr X and the SPS when balancing the legitimate interests in this case. In this case, the Commissioner agrees with the SPS that there would be no expectation on the part of the data subjects that their personal data would be disclosed into the public domain as a consequence of Mr X's information request. The Commissioner considers the individuals would have a general expectation that disclosure of information of this nature would be a significant intrusion into matters which the data subjects would reasonably expect to be kept private. It may be the case (as Mr X has suggested) that the individuals have their own websites, or information on their professional qualifications is available on professional bodies' websites. However, the fact of their involvement (or potential involvement) in this tender exercise is not publicly available.

42. Having considered the nature and content of the withheld information, the Commissioner has concluded that, on balance, disclosure would be disproportionately intrusive. She finds that disclosure would cause unwarranted prejudice to the rights, freedoms and legitimate interests of the data subjects. As such, she finds that condition 6 in Schedule 2 to the DPA is not met.

43. For the reasons given above, the Commissioner also finds that disclosure would be unfair. In addition, since the Commissioner has found that no condition in Schedule 2 can be met, she would consider disclosure to be unlawful. It therefore follows that disclosure of the personal data under consideration would breach the first data protection principle. Accordingly, the Commissioner accepts that this information is exempt from disclosure and the SPS was entitled to withhold it under section 38(1)(b) of FOISA.

Section 17 of FOISA - Notice that information is not held

44. In terms of section 1(4) of FOISA, the information to be provided in response to a request under section 1(1) is that falling within the scope of the request and held by the authority at the time the request is received, subject to qualifications which are not applicable in this case. Under section 17(1) of FOISA, where an authority receives a request for information it does not hold, it must give an applicant notice in writing to that effect.

45. In this case, the SPS informed Mr X that it did not hold any information relating to individuals contacted by telephone.

46. In Mr X's view, it was reasonable to expect that written file notes would be held detailing the names, contact details and other relevant information for such individuals along with notes made during the phone conversations.

47. The SPS explained the searches it had undertaken in order to locate and retrieve any such phone notes. The SPS stated that only two individuals of any significance were involved in the exercise. Therefore, key searches were focussed on their files and emails.

48. The SPS stated that searches were undertaken of the tender documentation file and email accounts of those involved in the tender, including checking archived files. Additionally, searches were carried out of notebooks for records of any phone calls and within the Sharepoint electronic document management system. No relevant information was located as a result of these searches.

49. The Commissioner is surprised that no records were kept of potential tenderers contacted by telephone, in terms of effective management of the tender process. However, she has considered the SPS's submissions and is satisfied that the SPS has carried out reasonable, proportionate searches to establish whether it hold this particular information.

50. The Commissioner accepts that the SPS was entitled gave notice in terms of section 17(1) of FOISA that it did not hold this information. In doing so, the SPS complied with Part 1 of FOISA.

 Decision

The Commissioner finds that the Scottish Prison Service (the SPS) partially failed to comply with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by Mr X.

The Commissioner finds that by wrongly withholding information that did not comprise personal data under the exemption in section 38(1)(b) of FOISA, the SPS failed to comply with section 1(1) of FOISA.

However, the Commissioner accepts that the SPS was entitled to withhold personal data under the exemption in section 38(1)(b) of FOISA. The Commissioner also finds that the SPS was entitled to give notice in terms of section 17(1) of FOISA that it did not hold any information relating to individuals contacted by telephone.

The Commissioner therefore requires the SPS to disclose to Mr X the information specified in paragraph 18 above by 14 May 2015.

 Appeal

Should either Mr X or the Scottish Prison Service wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

 Enforcement

If the Scottish Prison Service fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that the Scottish Prison Service has failed to comply. The Court has the right to inquire into the matter and may deal with the Scottish Prison Service as if it had committed a contempt of court.

Margaret Keyse
Head of Enforcement

30 March 2015

 Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

?

(4) The information to be given by the authority is that held by it at the time the request is received, except that, subject to subsection (5), any amendment or deletion which would have been made, regardless of the receipt of the request, between that time and the time it gives the information may be made before the information is given.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

?

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

?

(e) in subsection (1) of section 38 -

?

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

17 Notice that information is not held

(1) Where-

(a) a Scottish public authority receives a request which would require it either-

(i) to comply with section 1(1); or

(ii) to determine any question arising by virtue of paragraph (a) or (b) of section 2(1),

if it held the information to which the request relates; but

(b) the authority does not hold that information,

it must, within the time allowed by or by virtue of section 10 for complying with the request, give the applicant notice in writing that it does not hold it.

?

38 Personal information

(1) Information is exempt information if it constitutes-

?

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

?

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

?

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

?

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

?

... 

 Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

?

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

?

2 Sensitive personal data

In this Act "sensitive personal data" means personal data consisting of information as to-

(a) the racial or ethnic origin of the data subject,

(b) his political opinions,

(c) his religious beliefs or other beliefs of a similar nature,

(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),

(e) his physical or mental health or condition,

(f) his sexual life,

(g) the commission or alleged commission by him of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Schedule 1 - The data protection principles

Part I - The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a) at least one of the conditions in Schedule 2 is met, and

?

?

Schedule 2 - Conditions relevant for purposes of the first principle: processing of any personal data

...

6. (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

[1] http://www.publications.parliament.uk/pa/ld200708/ldjudgmt/jd080709/comm-1.htm

[2]