Decision 043/2007 ? Mr X and the Chief Constable of Tayside Police

Request for police reports for two alleged incidents

Police Reports

Applicant: Mr X
Authority: The Chief Constable of Tayside Police
Case No: 200600625
Decision Date: 07 March 2007

Kevin Dunion
Scottish Information Commissioner

Decision 043/2006 ? Mr X and the Chief Constable of Tayside Police

Relevant statutory Provisions and other Sources

Freedom of Information (Scotland) Act 2002 (FOISA) sections 38(1)(a) and 38(1)(b) (Personal information).

Data Protection Act 1998 section 1 (Basic interpretative provisions); schedules 1 (The data protection principles) and 2 (Conditions relevant for purposes of the first principle: processing of any personal data).

The full text of each of these provisions is reproduced in the Appendix to this decision. The Appendix forms part of this decision.

Facts

Mr X requested from the Chief Constable of Tayside Police (Tayside Police) all information held by it in respect of two alleged incidents.

Tayside Police refused to supply this information on the grounds of section 34(1)(a)(i), section 35(1)(a), (b) and (c), and section 38(1)(a) of FOISA.

Following an investigation, the Commissioner found that the information was exempt in terms of section 38(1)(a) and section 38(1)(b) of FOISA and that Tayside Police had therefore dealt with Mr X's request for information in accordance with Part 1 of FOISA.

Background

1. On 1 December 2005, Mr X made an information request to Tayside Police, asking to be supplied with the information held about him in respect of two alleged incidents, each of which had led to his detention by Tayside Police.

2. Tayside Police issued a refusal notice on 13 January 2006. This notice stated that Tayside Police held the information requested, but considered the information to be exempt under sections 34(1)(a)(i), section 35(1)(a), (b) and (c), and section 38(1)(a) of FOISA. Tayside Police provided Mr X with a subject access form to request his own personal data under section 7 of the Data Protection Act 1998 (the DPA).

3. On 11 February 2006, Mr X wrote to Tayside Police asking it to review its decision, challenging its use of the exemptions claimed.

4. On 8 March 2006 Tayside Police replied, upholding its original decision to withhold the information on the basis of the exemptions cited in paragraph 2 above.

5. On 13 March 2006, Mr X applied to me for a decision as to whether Tayside Police had dealt with his information request in accordance with Part 1 of FOISA. He argued that the exemptions had been wrongly applied and that it was in the public interest to disclose the information.

6. The case was allocated to an investigating officer and the application validated by establishing that Mr X had made a valid information request to a Scottish public authority and had appealed to me only after asking the public authority to review its response to his request.

7. Mr X made a subject access request to Tayside Police and as a consequence received certain of his personal data from Tayside Police.

The Investigation

8. The investigating officer formally contacted Tayside Police on 29 March 2006 in terms of section 49(3)(a) of FOISA, asking for its comments on the application and requiring it to provide the withheld information. Tayside Police responded on 2 June 2006, providing copies of the information withheld and the personal information released to Mr X in response to his subject access request, documentation relating to the handling of his information request and Tayside Police's comments on the exemptions applied. Further submissions were received from Tayside Police in the course of the investigation.

9. The information withheld relates to two alleged incidents. Both resulted in Mr X being detained and questioned, the first (only) resulting in a report to the Procurator Fiscal.

The Commissioner's Analysis and Findings

Section 38 of FOISA: Personal Information

10. Tayside Police claims that the information withheld falls within the definition of personal data, both of Mr X and of third parties involved in its investigation. It argues that the information is exempt under section 38(1)(a) (insofar as it is the personal data of Mr X) and section 38(1)(b) (insofar as it is the personal data of third parties).

Application of section 38(1)(a)

11. Having reviewed the information withheld, it is my view that the majority of it is absolutely exempt from release under section 38(1)(a) of FOISA. Section 38(1)(a) of FOISA contains an absolute exemption in relation to personal data of which the applicant is the data subject. "Personal data" is defined in section 1(1) of the DPA (see Appendix below).

12. As I have said in previous decisions, the (UK) Court of Appeal ruling in Durant v Financial Services Authority [2003] EWCA Civ 1746 ("the Durant ruling") provides further guidance when considering the definition of personal data. According to the Durant ruling, for information is to be viewed as personal data that information must be "biographical in a significant sense". It has to go beyond simply recording an individual's involvement in a matter or event that has no personal connotations, and should feature the individual as the focus of the information. The Court of Appeal summarised personal data as information which "affects [a person's] privacy, whether in his personal or family life, business or professional capacity".

13. In looking at the information withheld, it is clear that it comprises reports and records which have Mr X at their focus. They relate to incidents allegedly involving Mr X in his personal life. Each document clearly identifies Mr X as the subject and I am satisfied that each of them contains personal data of which Mr X is the data subject.

14. The reports and records also contain statements from other individuals, for example witnesses. Again, these statements relate to Mr X and his alleged actions in respect of the two incidents. Mr X is, therefore, the focus of this information, and this information clearly concerns Mr X's private life.

15. Having considering the submissions from Tayside Police together with the information which has been withheld from Mr X, I am satisfied that the information withheld does contain personal data of which Mr X is the subject, which is therefore exempt from release under section 38(1)(a) of FOISA.

16. The exemption in section 38(1)(a) is absolute and I am therefore not required to go on to consider whether the public interest lies in the information being released or withheld.

Application of Section 38(1)(b)

17. Under section 38(1)(b) of FOISA (read in conjunction with section 38(2)(a)(i)), information is exempt information if it constitutes personal data and the disclosure of the information to a member of the public otherwise than under FOISA would contravene any of the data protection principles contained in Schedule 1 to the DPA.

18. In this case, I understand from Tayside Police that it believes the release of the information relating to third parties would breach the first and second data protection principles. The first principle states that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 (of the DPA) is met and, in the case of sensitive personal data, at least one of the conditions in Schedule 3 (again, of the DPA) is also met. The second principle states that personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

19. In justifying its application of the exemption to the third party information withheld, Tayside Police has submitted that the information in question constitutes personal data relating to living individuals in the form of their personal details, together with personal recollections and opinions in relation to their involvement in the alleged incidents and their interaction with Mr X.

20. Having considered the definition of personal data contained in section 1(1) of the DPA and having taken account of the Durant ruling, I agree that the information about third parties which has been withheld is their personal data. Some of this information is also the personal data of Mr X, but there is information which is personal data of the third parties alone.

21. In determining whether release of the third party information withheld would breach the first data protection principle, I have taken into account the conditions set out in Schedule 2 to the DPA. I have also taken into consideration the submissions that have been made by Tayside Police and Mr X. I accept the submissions from Tayside Police that the third parties would have provided information in the expectation that it would be dealt with in confidence and would not be released in this manner without their consent (which I accept would be inappropriate to seek in this particular context). I take the view that the witnesses who provided information about Mr X would have had no expectation that the information recorded about them would be released to him, other than in limited circumstances as part of a court process in respect of the alleged incidents.

22. I am satisfied in the circumstances that release of the third party information withheld in response to a request under FOISA would amount to unfair processing. Since none of the conditions in Schedule 2 of the DPA could be met, release would also amount to unlawful processing. Potentially, it would also be unlawful in that it could result in a breach of confidence. I am therefore satisfied that Tayside Police would be in breach of the first principle of the DPA if they did release this information.

23. In determining whether the release of the third party information withheld would breach the second data protection principle, I have taken into account the interpretative provisions contained in Part II of Schedule 1 (in particular, paragraphs 5 and 6) and also the submissions that have been provided by Tayside Police. I accept that the information was obtained as part of the process of detecting crime and apprehending and prosecuting offenders, and that to release this information to a requestor under FOISA (by definition, to the world at large) would not be compatible with that purpose. I am therefore satisfied that Tayside Police would be in breach of the second data protection principle if it were to release this information.

24. Consequently, I am satisfied that the information relating to third parties which has been withheld is exempt from release in terms of section 38(1)(b) of FOISA.

Other exemptions

25. I am satisfied that all of the withheld information constitutes personal information of either Mr X or certain third parties, and that all if it is absolutely exempt from release under either section 38(1)(a) or section 38(1)(b) of FOISA. Consequently, I do not require to consider the application of the additional exemptions cited by Tayside Police in relation to this information and will not do so.

Decision

I find that the Chief Constable of Tayside Police (Tayside Police) dealt with Mr X's request for information in accordance with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA). The exemptions in section 38(1)(a) and section 38(1)(b) of FOISA were relied upon correctly by Tayside Police in relation to the information withheld.

Appeal

Should either the Chief Constable of Tayside Police or Mr X wish to appeal against this decision, there is an appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days of receipt of this notice.

Kevin Dunion
Scottish Information Commissioner
07 March 2007

APPENDIX

Relevant Statutory Provisions

Freedom of Information (Scotland) Act 200238 Personal information(1) Information is exempt information if it constitutes-

(a) personal data of which the applicant is the data subject;

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

?.

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; ?.

Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires-

"personal data" means data which relate to a living individual who can be identified?

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

SCHEDULE 1

THE DATA PROTECTION PRINCIPLES - PART I THE PRINCIPLES

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless-

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

4. Personal data shall be accurate and, where necessary, kept up to date.

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

SCHEDULE 2

CONDITIONS RELEVANT FOR PURPOSES OF THE FIRST PRINCIPLE: PROCESSING OF ANY PERSONAL DATA

1. The data subject has given his consent to the processing.

2. The processing is necessary-

(a) for the performance of a contract to which the data subject is a party, or

(b) for the taking of steps at the request of the data subject with a view to entering into a contract.

3. The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.

4. The processing is necessary in order to protect the vital interests of the data subject.

5. The processing is necessary-

(a) for the administration of justice,

(b) for the exercise of any functions conferred on any person by or under any enactment,

(c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or

(d) for the exercise of any other functions of a public nature exercised in the public interest by any person.

6. (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

(1) The Secretary of State may by order specify particular circumstances in which this condition is, or is not, to be taken to be satisfied.