Home Decisions

Decision 043/2020

Decision 043/2020: Complaints of racism and compensation

Public authority: University of Edinburgh
Case Ref: 201900938

Summary

The University was asked for information about racism complaints over a five year period.

The University withheld a compensation payment on the basis it was personal data which, in this case, was exempt from disclosure.

The Commissioner investigated and found that the University had complied with FOISA in responding to the request.


Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2A), (5) (definitions of "the data protection principles", "data subject", "the GDPR", "personal data" and "processing") and (5A) (Personal information)

General Data Protection Regulation (the GDPR) articles 4(1) and (11) (definition of "personal data" and "consent") (Definitions); 5(1)(a) (Principles relating to the processing of personal data; 9(1), (2)(a) and (e) (Processing of special categories of personal data)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5) and (10) (Terms relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.


Background

1. On 4 April 2019, the Applicant made a 14-part request for information to the University of Edinburgh (the University). The Applicant requested information about complaints of racism, including racial harassment, assault and discrimination, at the University over a five year academic period 2014 -2019. These included a number of questions on student on staff complaints, student compensation, staff compensation, Islamophobia and Antisemitism.

2. The University responded on 30 April 2019. The University stated that it did not hold some information asked for and pointed the Applicant to information it had provided him in response to an earlier request. The University also confirmed that one student had received compensation in relation to racial harassment, assault or discrimination, but told the Applicant it was withholding the year the payment was made and the amount of compensation paid on the basis that it was personal data and exempt from disclosure under section 38(1)(b) of FOISA.

3. On 2 May 2019, the Applicant wrote to the University requesting a review of its decision. The Applicant stated his interest was only in the amount paid (not the year it was paid) and he was not convinced that the amount would identify the student. He indicated that he would be satisfied with a rounded figure.

4. The University notified the Applicant of the outcome of its review on 14 May 2019. The University confirmed its original decision but advised the Applicant that it also considered the information to be exempt under section 26(a) (Prohibitions on disclosure) of FOISA. The University explained why it considered disclosing the amount of the compensation payment would identify an individual and, therefore, why it considered the information to be personal data. The University highlighted that there had only been one case in the five year period requested.

5. On 6 June 2019, the Applicant wrote to the Commissioner. The Applicant applied to the Commissioner for a decision in terms of section 47(1) of FOISA. He disagreed that the compensation payment comprised personal data.


Investigation

6. The application was accepted as valid. The Commissioner confirmed that the Applicant made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

7. On 28 June 2019, the University was notified in writing that the Applicant had made a valid application. The University was asked to send the Commissioner the information withheld from the Applicant. The University provided the information and the case was allocated to an investigating officer.

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The University was invited to comment on this application and to answer specific questions.


Commissioner's analysis and findings

9. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both the Applicant and the University. He is satisfied that no matter of relevance has been overlooked.

Section 38(1)(b) - Personal information

10. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is "personal data" (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the GDPR or (where relevant) in the DPA 2018.

11. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

12. In order to rely on this exemption, the University must show that the information being withheld is personal data in terms of section 3(2) of the DPA 2018 and that its disclosure into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles to be found in Article 5(1) of the GDPR.

13. In his application to the Commissioner, the Applicant did not accept that the information requested could be considered personal data. The Applicant considered that this student (one of nine complaints) in the specified period would not be identifiable from the compensation payment unless the University or the student themselves had published information.

Is the withheld information personal data?

14. The first question the Commissioner must address is whether the information is personal data for the purposes of section 3(2) of the DPA 2018, i.e. any information relating to an identified or identifiable living individual. "Identifiable living individual" is defined in section 3(3) of the DPA 2018 -see Appendix 1. (This definition reflects the definition of personal data in Article 4(1) of the GDPR, also set out in Appendix 1.)

15. Information will "relate to" a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them or has them as its main focus.

16. An "identifiable living individual" is one who can be identified, directly or indirectly, by reference to an identifier (such as a name) or one or more factors specific to the individual (see section 3(3) of the DPA 2018 in Appendix 1).

17. An individual is "identified" or "identifiable" if it is possible to distinguish them from other individuals. There may be a slight hypothetical possibility that someone might be able to reconstruct the data in such a way that identifies the individual, but this is not necessarily sufficient to lead to the identification of individuals.

18. The information withheld by the University is the amount of compensation paid to an individual student as a result of a successful complaint of racism.

19. The University considered that, as one of five complaints upheld by the University, the student would be identifiable. In its review response to the Applicant, the University set out why it considered the information would identify an individual. It explained that the student attended the University, was one of nine to make a complaint of racism during the specified time, only one of five to have their complaints upheld and, of those five, the only one to receive a compensation payment.

20. The University also provided the Commissioner with further explanation which he is unable to set out in detail here due to the identifiable nature of the details provided. These explained why, due to the unique circumstances of the case, disclosing the details of this case would identify this student, not only to the people who may already be aware of the complaints, but also to other individuals.

21. Having considered the University's submissions, the Commissioner accepts that the individual in question could be identified if the information were to be disclosed. He is also satisfied that the information would clearly relate to that person. The Commissioner is therefore satisfied that the withheld information is personal data as defined in section 3(2) of the DPA 2018.

Special category data

22. In its submissions, the University submitted that the data was special category data as defined by Article 9 of the GDPR as the Applicant was seeking information that was awarded as the result of a racial discrimination claim related to one individual.

23. Article 9 of the GDPR lists the categories of personal data which fall within the special categories of personal data. This includes data which reveals information about an individual's racial or ethnic origin.

24. Article 9 of the GDPR only allows special category personal data to be processed in very limited circumstances. The only situations where it is likely to be lawful to disclose third party special category data in response to an information request under FOISA are where, in line with Article 9 of the GDPR:

(i) the data subject has explicitly consented to their personal data being disclosed in response to the information request (condition 2(a)) or

(ii) the personal data has manifestly been made public by the data subject (condition 2(e)).

25. The Commissioner does not accept that the compensation payment falls within any of the special categories of personal data detailed above. Although the compensation payment is intrinsically linked to a racism complaint, this does not, in and of itself, reveal any information about the individual's racial or ethnic origin.

26. As the Commissioner is satisfied that this information does not fall within the definition of special category data, he will consider whether disclosure would contravene one of the data protection principles in Article 5 of the GDPR.

Would disclosure contravene one of the data protection principles?

27. Article 5(1)(a) of the GDPR requires personal data to be processed "lawfully, fairly and in a transparent manner in relation to the data subject."

28. The definition of "processing" is wide and includes (section 3(4)(d) of the DPA 2018) "disclosure by transmission, dissemination or otherwise making available". For the purposes of FOISA, personal data are processed when disclosed in response to a request. This means that the personal data can only be disclosed if disclosure would be both lawful (i.e. it would meet one of the conditions for lawful processing listed in Article 6(1) of the GDPR) and fair.

29. The University did not consider that any of the conditions in Article 6(1) applied in the circumstances of this case. The Commissioner considers conditions (a) and (f) in Article 6(1) are the only conditions which could potentially apply in this case.

Condition (a): consent

30. Condition (a) states that the processing will be lawful if the data subject has given consent to the processing of his or her personal data for one or more specific purposes. "Consent" is defined in Article 4 of the GDPR as-

"…any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her".

31. In terms of Article 7(1), the data controller (in this case the University) must be able to demonstrate that the required consent exists.

32. The University has stated that it has not contacted the student with regard to this request or sought consent to release the information.

33. The Commissioner concludes that it would not be appropriate for the University to seek consent in this instance. Therefore, as consent has not been freely given for the personal data to be disclosed, condition (a) does not allow for the disclosure of the information.

Condition (f): legitimate interests

34. Condition (f) states that the processing will be lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data (in particular where the data subject is a child).

35. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.

36. The tests which must be met before Article 6(1)(f) can be met are as follows:

(i) Does the Applicant have a legitimate interest in obtaining the personal data?

(ii) If so, would disclosure of the personal data be necessary to achieve that legitimate interest?

(iii) Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subjects?

Does the Applicant have a legitimate interest in obtaining the personal data?

37. The Commissioner understands that the Applicant, a journalist, sought the information from all UK universities and has published a number of articles on racism in universities.

38. The Applicant submitted that disclosure of the figure would help the public, who include black and minority ethnic students and prospective students, to assess how serious racism is at those particular universities, and how seriously those universities respond to upheld complaints of racism.

39. He commented that the UK Government and the higher education sector have recognised the need to address racism at UK universities, ranging from overt racism to institutional racism.

40. He noted that The Guardian, in particular, is undertaking a long term investigation into racism in UK universities, which incorporates data gathered from FOI requests. He noted that the first stage of this investigation was recognised by the Equality and Human Rights Commission inquiry into racism in higher education[1] and noted that the Commission's subsequent recommendations include increasing protections, transparency and scrutiny about how universities are tackling harassment.

41. The Applicant submitted that the data gathered to date shows a wide variation in the ways universities respond to complaints of racism and disclosure of this information, in light of the lack of official information on the subject.

42. The Commissioner recognises the importance of the investigative work being carried out by the Applicant and, in the circumstances, is satisfied that the Applicant has (and the wider public would have) a legitimate interest in obtaining the personal data.

Is the disclosure of the personal data necessary?

43. Having accepted that the Applicant has a legitimate interest in the personal data, the Commissioner must consider whether disclosure of the personal data is necessary for the Applicant's legitimate interests. In doing so, he must consider whether these interests might reasonably be met by any alternative means.

44. To be "necessary" in this context, disclosure would need to be proportionate as a means (of achieving the Applicant's legitimate interest) and fairly balanced as to ends. The Commissioner must consider whether these interests could be achieved by means which interfere less with the privacy of the data subjects.

45. The Commissioner has considered the withheld information. In the circumstances, he accepts that disclosure of the compensation payment is necessary in order for the Applicant to determine the level of complaints submitted and upheld and the seriousness of the incident based on the compensation paid.

46. The Commissioner can identify no viable means of meeting the Applicant's legitimate interests which would interfere less with the privacy of the data subject than disclosing this withheld information.

47. The Commissioner will now consider whether the Applicant's legitimate interest in obtaining the remaining information outweighs the rights of the data subject to privacy.

The data subjects' interests or fundamental rights and freedoms

48. It is necessary to balance the legitimate interests in disclosure against the data subject's interests or fundamental rights and freedoms. In doing so, it is necessary to consider the impact of disclosure. For example, if the data subject would not reasonably expect that the information would be disclosed to the public under FOISA in response to a request, or if such disclosure would cause unjustified harm, their interests or rights are likely to override the legitimate interests in disclosure. Only if the legitimate interests of the Applicant outweigh those of the data subject can the information be disclosed without breaching the first data protection principle.

49. The Commissioner's guidance on section 38 of FOISA[2] notes factors that should be taken into account in balancing the interests of parties. He makes clear that, in line with Recital (47) of the GDPR, much will depend on the reasonable expectations of the data subjects and that these are some of the factors public authorities should consider:

(i) Does the information relate to an individual's public life (their work as a public official or employee) or to their private life (their home, family, social life or finances)?

(ii) Would disclosure cause harm or distress?

(iii) Whether the individual has objected to the disclosure.

50. Disclosure under FOISA is public disclosure; information disclosed under FOISA is effectively placed into the public domain.

51. The Commissioner acknowledges that the withheld information relates to the student's private life as it concerns compensation paid following a complaint of racial harassment. In consideration of this, significant weight must lean toward withholding the data.

52. The Commissioner has also considered the harm or distress that may be caused by disclosure.

53. The Commissioner received arguments from the University which explained the circumstances following the payment of compensation and why disclosure would be likely to cause harm and distress to the student involved.

54. After carefully balancing the legitimate interests of the individual concerned against those of the Applicant, the Commissioner finds that the legitimate interests served by disclosure of the personal data are outweighed by the unwarranted prejudice that would result to the rights and freedoms or legitimate interests of the individual. Condition (f) in Article 6 of the GDPR cannot be met in relation to the withheld personal data.

55. In the absence of a condition in Article 6 of the GDPR allowing personal data to be disclosed, the Commissioner has concluded that disclosing the information would be unlawful.

Fairness

56. Given that the Commissioner has concluded that the processing of personal data would be unlawful, he is not required to go on to consider separately whether disclosure would otherwise be fair and transparent in relation to the data subject.

Conclusion on section 38(1)(b)

57. The Commissioner is satisfied that disclosure would breach the first data protection principle. This means that the information is exempt from disclosure under section 38(1)(b) of FOISA.

Section 26(a) of FOISA

58. As the Commissioner has accepted that section 38(1)(b) was correctly upheld, he will not go on to consider whether the information is also exempt from disclosure under section 26(a) of FOISA.


Decision

The Commissioner finds that the University of Edinburgh complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by the Applicant.


Appeal

Should either the Applicant or the University wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.


Margaret Keyse
Head of Enforcement
4 March 2020


Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption …

(2) For the purposes of paragraph (a) of subsection (1), the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied. .

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);

...

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in -

(a) Article 5(1) of the GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

"the GDPR", "personal data", "processing" and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4), (10), (11) and (14) of that Act);

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

General Data Protection Regulation

Article 4 Definitions

(1) 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

(11) 'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Article 5 Principles relating to processing of personal data

1 Personal data shall be:

a. processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency")

Article 9 Processing of special categories of personal data

1 Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

2 Paragraph 1 shall not apply if one of the following applies:

a. the data subject has given explicit consent to the processing of those personal data for one or more specific purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

e. processing relates to personal data which are manifestly made public by the data subject;

Data Protection Act 2018

3 Terms relating to the processing of personal data

(2) "Personal data" means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

(3) "Identifiable living individual" means a living individual who can be identified, directly or indirectly, in particular by reference to -

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

(4) "Processing", in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as -

(d) disclosure by transmission, dissemination or otherwise making available.

(5) "Data subject" means the identified or identifiable living individual to whom personal data relates.

(10) "The GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

[1] https://www.equalityhumanrights.com/en/inquiries-and-investigations/racial-harassment-higher-education-our-inquiry

[2] http://www.itspublicknowledge.info/Law/FOISA-EIRsGuidance/section38/Section38.aspx