Decision 046/2009 Mr Allan McLeod and the Scottish Prison Service
Details of a prisoner's conviction and sentence
Reference No: 200801555
Decision Date: 7 April 2009
Summary
Mr McLeod requested from the Scottish Prison Service (SPS) several items of information relating to the sentence imposed on a specific prisoner.The SPS responded by withholding the information, citing the exemption in section 38(1)(b) of the Freedom of Information (Scotland) Act 2002 (FOISA) which allows public authorities to withhold information if it is personal data and if its disclosure would breach any of the data protection principles contained in the Data Protection Act 1998 (the DPA). Following a review, Mr McLeod remained dissatisfied and applied to the Commissioner for a decision.
Following an investigation, the Commissioner agreed that the disclosure of the information could identify the individual involved and that the information was personal data, disclosure of which would breach the first data protection principle. As a result, he found that the SPS was correct to withhold the information from Mr McLeod under section 38(1)(b) of FOISA.
Relevant statutory provisions and other sources
Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2)(a)(i) and (b) (Personal information)
Data Protection Act 1998 (DPA) sections 1(1) (Basic interpretative provisions) (definition of "personal data"); 2(h) (Sensitive personal data); Part 1 of Schedule 1 (The data protection principles) (the first data protection principle); Schedule 3 (Conditions relevant for purposes of the first principle:processing of sensitive personal data) (conditions 1, 5 and 7(1)(a))
The full text of each of the statutory provisions cited above is reproduced in the Appendix to this decision. The Appendix forms part of this decision.
Background
1.On 29 August 2008, Mr McLeod wrote to the Scottish Prison Service (SPS) requesting the following information relating to a particular prisoner.Mr McLeod did not specify the name of the prisoner, but his request followed previous disclosure by the SPS that one person had been released from a specified prison, to a specified town on certain dates.He asked for:
(a) the date on which the prisoner was sentenced;
(b) the court location where the sentence was imposed;
(c) the length of the sentence;
(d) the charges of which the prisoner was convicted, and
(e) the age of the prisoner when sentenced and imprisoned.
2.The SPS responded on 25 September 2008. It refused to release any of the information requested, citing the exemption in section 38(1)(b) of the Freedom of Information (Scotland) Act 2002 (FOISA).
3.On the same day, Mr McLeod wrote to the SPS requesting a review of its decision. In particular, Mr McLeod drew the SPS's attention to the fact that he was not requesting the prisoner's name, nor his/her date of birth or address, but only information which would have been made public at the time of sentencing.
4.In further correspondence dated 1 October 2008, Mr McLeod offered a compromise to the SPS in addition to his review request.He suggested the possibility of reducing his request to seek only the information specified in paragraphs 1 (a)-(c) above.
5.The SPS notified Mr McLeod of the outcome of its review on 23 October 2008.It upheld the initial refusal to disclose the information and referred Mr McLeod to the Commissioner's Decision 201/2007 Mr McLeod and the Scottish Prison Service, in support of its conclusions.
6.On 24 October 2008, Mr McLeod wrote to the Commissioner, stating that he was dissatisfied with the outcome of the SPS's review and applying for a decision in terms of section 47(1) of FOISA.
7.The application was validated by establishing that Mr McLeod had made a request for information to a Scottish public authority and had applied to the Commissioner for a decision only after asking the authority to review its response to that request.
Investigation
8.The SPS is an Executive Agency of the Scottish Ministers and, on 31 October 2008, a letter was sent to the Ministers' Freedom of Information Unit, in line with agreed procedures giving notice that an application had been received from Mr McLeod and that an investigation into the matter had commenced. The Ministers were asked to provide the Commissioner with any information withheld from Mr McLeod. Subsequent references to submissions etc. being received from the SPS are therefore references to submissions etc. made by the Ministers' Freedom of Information Unit on behalf of the SPS.
9.The SPS responded with the information requested and the case was then allocated to an investigating officer.
10.The investigating officer subsequently contacted the SPS, giving it an opportunity to provide comments on the application (as required by section 49(3)(a) of FOISA) and asking it to respond to specific questions. In particular, the SPS was asked to justify its reliance on any provisions of FOISA it considered applicable to the information requested.
11.The SPS replied by letter with its submissions on 13 January 2009.These are summarised and considered in the section below on the Commissioner's Analysis and Findings.
12.The investigating officer then contacted Mr McLeod, to seek his submissions on the issues to be considered in the case.
13.Mr McLeod replied by email on 31 January 2009 with his submissions.These are also summarised and considered in the section below on the Commissioner's Analysis and Findings.
Commissioner's analysis and findings
14.In coming to a decision on this matter, the Commissioner has considered all of the withheld information and the submissions made to him by both Mr McLeod and the SPS and is satisfied that no matter of relevance has been overlooked.
Section 38(1)(b) FOISA ? Personal information
15.The exemption under section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or (as appropriate) section 38(2)(b), provides that information is exempt information if it constitutes personal data (as defined in section 1(1) of the DPA) and its disclosure to a member of the public otherwise than under FOISA would contravene any of the data protection principles contained in Schedule 1 to the DPA. This is an absolute exemption and therefore is not subject to the public interest test laid down by section 2(1)(b) of FOISA.
16.In order for a public authority to rely on this exemption, it must show firstly that the information which has been requested is personal data for the purposes of the DPA and, secondly that disclosure of the information would contravene at least one of the data protection principles.
17.The SPS argued that the information requested by Mr McLeod constituted sensitive personal data relating to the relevant prisoner, and that its disclosure would contravene the first data protection principle, which requires that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met, and in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.Under section 1(1) of the DPA, processing data includes, amongst other things, disclosing it. The SPS argued that no schedule 3 condition, nor any schedule 2 condition could be met.
18.In his application to the Commissioner, Mr McLeod argued that the information under consideration was not personal data, in that that he did not seek information such as name, address or date of birth of the prisoner concerned.He noted that the information he had requested would have been in the public domain at the time of the prisoner's sentencing.Mr McLeod indicated that he would have accepted from the SPS even a single one of the five items of information he had requested.He also argued during the investigation that the information requested should be released, both in the interests of justice and for the administration of justice.
Is the information personal data?
19.When considering the exemption in section 38(1)(b) of FOISA, the Commissioner must first establish whether the information withheld is personal data.Personal data is defined in section 1(1) of the DPA as data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller (the definition is set out in full in the Appendix).
20.In this case, the information requested by Mr McLeod relates to the conviction and sentencing of a prisoner.If the Commissioner finds that the information is personal data, he will therefore also be likely to find that it is sensitive personal data, as defined in section 2, and particularly 2(h) of the DPA, which is also reproduced in the Appendix.
21.The Commissioner is satisfied that each item of the withheld information in this case does constitute personal data.In terms of the definition of personal data in the DPA, the withheld information in this case relates to, and is focussed on, a living individual in a significant and biographical sense.The SPS, as the data controller, holds other information from which the prisoner can be identified.
22.The Commissioner has also considered what other information is already in the public domain which would lead to the identification more widely of the individual concerned.
23.According to guidance entitled "Data Protection Technical Guidance: Determining what is personal data"[1] which has been issued by the (UK) Information Commissioner (who is responsible for enforcing the DPA throughout the UK), in considering whether a person can be identified, it should be assumed that it is not just the means which are reasonably likely to be used by the ordinary man in the street to identify a person, but also the means which are likely to be used by a determined person with a particular reason to want to identify the individual.
24.This approach has been applied by the Commissioner in other decisions, for example in Decision 005/2009 Mr David Ewen and Aberdeenshire Council, which considered whether schoolchildren could potentially be identified by the release of single or cumulative piece(s) of information from one or more sources.The Commissioner decided amongst other things in that case that identification would be much more likely than might initially be thought simply considering basic factors such as the size of the school roll, once other sources of information were taken into consideration.
25.In this case, Mr McLeod is already aware that the relevant prisoner concerned was released temporarily from a particular prison to a particular home town and the dates of this release.He has made a range of information requests to gather information relating to the circumstances of the death of a family member which together would be likely to contribute to a "jigsaw" effect allowing identification of the prisoner concerned.Given the population of the relevant town, and the types of information that are or would be available to Mr McLeod or any other person determined to identify the individual in question, the Commissioner takes the view in this case that the individual prisoner concerned could, or would be likely to, be identified if any one or more items of the withheld information were disclosed.
26.The Commissioner concludes, notwithstanding Mr McLeod's submissions that he was not seeking personal details, that the information requested is personal data under the definition in the DPA.
Is the information sensitive personal data?
27.As noted above, included within the DPA's definition of sensitive personal data is section 2(h), which provides that personal data includes information as to any proceedings for any offence committed or alleged to have been committed by him; the disposal of such proceedings, or the sentence of any court in such proceedings.
28.Each item of the withheld information in this case in the Commissioner's view clearly also falls within the definition of sensitive personal data in the DPA, particularly those aspects of the definition noted above which relate to the disposal of the proceedings and to the sentence imposed.
Would disclosure of the sensitive personal data breach the first data protection principle?
29.The first data protection principle requires that the processing of personal data (here, the disclosure of data in response to Mr McLeod's information request) must be fair and lawful and, in particular, that personal data shall not be processed unless at least one of the conditions in Schedule 2 (to the DPA) is met and, additionally, in the case of sensitive personal data, that at least one of the conditions in Schedule 3 (again, to the DPA) can be met.There are therefore three separate aspects to the first data protection principle: (i) fairness, (ii) lawfulness and (iii) the conditions in the schedules.
30.Given the additional restrictions surrounding the disclosure of sensitive personal data, it makes sense to look firstly at whether there are any conditions in Schedule 3 which would permit the sensitive personal data to be disclosed.
The Schedule 3 Conditions in the DPA
31.There are 10 conditions listed in Schedule 3 to the DPA.One of these conditions, condition 10, also allows sensitive personal data to be processed in circumstances specified in an order made by the Secretary of State and, in addition to the conditions in Schedule 3.The Commissioner has also considered the additional conditions for processing sensitive personal data as contained in legislation such as the Data Protection (Processing of Sensitive Personal Data) Order 2000.
32.In guidance recently issued by the Commissioner regarding the exemption in section 38(1)(b)[2], it is noted that the conditions in Schedule 3 are very restrictive in nature, and as a result, generally only the first and fifth conditions might be relevant when considering a request for sensitive personal data under FOISA:
33.Condition 1 allows processing where the data subject has given explicit (and fully informed) consent to the release of the information.Condition 5 allows processing where information contained in the personal data has been made public as a result of steps deliberately taken by the data subject. Neither of these conditions has been met in this case.
34.Mr McLeod has maintained that disclosure in this case is required for the "administration of justice" in terms of Condition 7(1)(a) of Schedule 3. He has also claimed that disclosure is required in the "interests of justice".
35.No definition of "administration of justice" is provided in the DPA, nor in FOISA.The generally accepted meaning of this phrase is the administration and procedure of litigation, particularly those cases being heard in court or dealt with under equivalent judicial procedures.Thus, legislation such as the Administration of Justice (Scotland) Act 1972 (and other similar legislation) tend to deal principally with prescribing and regulating the procedures for court cases, including for example time-limits; appeals, and various other steps in litigation and similar matters.The Commissioner considers that the word "administration" in this particular context refers to the actual, tangible process of justice.
36.While Mr McLeod is arguably seeking information that would enable him to seek justice in relation to the death of a relative, his request is not made in the context of any judicial process.In the circumstances, the Commissioner does not accept that disclosure in this case would be required for the administration of justice.
37.With respect to Mr McLeod's submission regarding the "interests of justice", the Commissioner notes that the interests of justice would be a far wider category, but this does not form part of condition 7(1)(a), nor any of the other conditions in Schedule 3 to the DPA.The Commissioner's interpretation in this context is that the "interests of justice" is a different, much broader and less specific expression than the "administration of justice".
38.The Commissioner has therefore concluded that there is no condition in Schedule 3 which could be satisfied in this case.Consequently, he is satisfied that disclosure of any of the withheld information would breach the first data protection principle.
39.The Commissioner is not therefore required to go on to consider whether disclosure under one of the conditions in Schedule 2 can be met, or whether the disclosure of the information would otherwise be fair or lawful.
40.The Commissioner is therefore satisfied that the information that has been withheld by the SPS in this instance is exempt from disclosure in terms of section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or (b).
DECISION
The Commissioner finds that the Scottish Prison Service (SPS) complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by Mr McLeod.Accordingly, the Commissioner does not require the SPS to take any action.
Appeal
Should either Mr McLeod or the SPS wish to appeal against this decision, there is an appeal to the Court of Session on a point of law only.Any such appeal must be made within 42 days after the date of intimation of this decision notice.
Margaret Keyse
Head of Enforcement
7 April 2009
Appendix
Relevant statutory provisions
Freedom of Information (Scotland) Act 2002
1 General entitlement
(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.
?
(6) This section is subject to sections 2, 9, 12 and 14.
2Effect of exemptions
(1)To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that ?
(a)the provision does not confer absolute exemption; and
(b)in all the circumstances of the case, the public interest in disclosing the information is not outweighed by that in maintaining the exemption.
(2)For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption ?
?
(e)in subsection (1) of section 38 ?
?
(ii)paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.
38 Personal information
(1) Information is exempt information if it constitutes-
?
(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;
?
(2) The first condition is-
(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-
(i) any of the data protection principles; or
?
(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.
Data Protection Act 1998
1 Basic interpretative provisions
In this Act, unless the context otherwise requires ?
?
"personal data" means data which relate to a living individual who can be identified ?
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;
?
2 Sensitive personal data
In this Act "sensitive personal data" means personal data consisting of information as to-
?
(h)any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
Schedule 1 ? The data protection principles
Part I ? The principles
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless ?
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
?
Schedule 3 ? Conditions relevant for purposes of the first principle:processing of sensitive personal data
1 The data subject has given his explicit consent to the processing of the personal data.
?
5 The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.
?
7 (1) The processing is necessary?
(a) for the administration of justice,
?
1www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/personal_data_flowchart_v1_with_preface001.pdf
