Home Decisions

Decision 047/2025

Decision 047/2025: Reasons for resignation of Chief Executive

Authority: Scottish National Investment Bank
Case Ref: 202201262

Summary

The Applicant asked the Authority for the reasons its Chief Executive resigned in February 2022.  The Authority signposted the Applicant to some information already in the public domain and withheld other information on the grounds it was personal data and/or provided in confidence.  The Commissioner investigated and found that the Authority had complied with FOISA in responding to the Applicant’s request.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 2(1)(a) and (b) and (2)(c) and (e)(ii) (Effect of exemptions); 36(2) (Confidentiality); 38(1)(b), (2A), (5) (definitions of “the data protection principles”, “data subject”, “personal data” and “processing”, “the UK GDPR”) and (5A) (Personal information); 47(1) and (2) (Application for decision by Commissioner) United Kingdom General Data Protection Regulation (the UK GDPR) articles 4(1) (definition of “personal data”) (Definitions); 5(1)(a) (Principles relating to processing of personal data).

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5), (10), (14)(a), (c) and (d) (Terms relating to the processing of personal data).

Background

1. The Authority is an investment bank established and funded by the Scottish Government, which launched in November 2020.  On 25 February 2022, the Authority announced the resignation of its first Chief Executive (CEO), with immediate effect.

2. On 4 March 2022, the former CEO issued a statement to the media confirming that their resignation was “ultimately for personal reasons”.

3. On the same day, the Applicant made a request for information to the Authority.  Among other things they asked for “the full explanation and reasons for the resignation of the Chief Executive” at the end of February 2022.

4. The Authority responded to the Applicant’s request on 31 March 2022.  It directed the Applicant to its evidence to the Scottish Parliament’s Economy and Fair Work Committee  regarding the former CEO’s resignation and to their statement of 4 March 2022, which it considered satisfied the Applicant’s request in full.

5. On 12 April 2022, the Applicant wrote to the Authority requesting a review of its decision.  They stated that they were dissatisfied with the decision because they considered the former CEO’s own statement, which confirmed their resignation had been “ultimately” for personal reasons, strongly suggested that there were further reasons for their resignation (which they considered the Authority was obliged to disclose as a publicly funded enterprise).

6. The Authority notified the Applicant of the outcome of its review on 13 May 2022, which confirmed that it was withholding information falling within the scope of the Applicant’s request under the exemption in section 38(1)(b) of FOISA.

7. On 8 November 2022, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA.  They stated that they were dissatisfied with the outcome of the Authority’s review for the reasons set out in their requirement for review and because the former CEO’s resignation was of serious concern to the public given the Authority served as an arm of the Scottish Government and because of its role in Scottish policy and politics more generally.

Investigation

8. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.

9. On 10 November 2022, the Authority was notified in writing that the Applicant had made a valid application.  The Authority was subsequently asked to send the Commissioner the information withheld from the Applicant.  The Authority provided the information, and the case was subsequently allocated to an investigating officer.

10. During the investigation, the Authority confirmed that it wished to also rely on the exemption in section 36(2) of FOISA for some of the information it had withheld under section 38(1)(b).

11. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application.  The Authority was invited to comment on this application and to answer specific questions.  These primarily focused on the Authority’s justification for applying the exemptions in sections 36(2) and 38(1)(b) of FOISA, its consideration regarding the public interest test and its interpretation of the scope of the request.

12. Following Decision 230/2024 of the Commissioner, which considered a similar, but not identical, request, the Authority voluntarily disclosed nine documents (subject to some redactions) to the Applicant.  While the Authority did not consider the information within these documents fell within the scope of the request (barring that which it had withheld), it provided them on the basis the Applicant might find the information helpful in respect of their own request.

Commissioner’s analysis and findings

13. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority.  

14. As stated in previous decisions, in Scottish Ministers v Scottish Information Commissioner [2006] CSIH 8 , at paragraph [18], the Court of Session recognised that:

"in giving reasons for his decision, [the Commissioner] is necessarily restrained by the need to avoid, deliberately or accidentally, disclosing information which ought not 
to be disclosed."

15. In this decision notice, the Commissioner has endeavoured to give as full account of his reasoning as he can, but, by necessity, in this case the comments of the Court of Session are applicable to some aspects.

Section 1(1) – General entitlement

16. Section 1(1) of FOISA provides that a person who requests information from a Scottish public authority which holds it is entitled to be given that information by the authority, subject to qualifications which, by virtue of section 1(6) of FOISA, allow Scottish public authorities to withhold information or charge a fee for it.

Withheld information

17. In this case, the Authority withheld some information under the exemptions in sections 36(2) and 38(1)(b) of FOISA.  

18. However, as stated above, the Authority, during the investigation, voluntarily disclosed nine documents (subject to some redactions).  It had not identified the information within these documents as falling within the scope of the request (barring that which it had withheld), but it provided them to the Applicant (following Decision 230/2024, which considered a broadly similar, but not identical, request) on the basis they might find the information helpful in respect of their own request.

19. The Authority provided submissions to the Commissioner as to why the information voluntarily disclosed did not fall within the scope of the request.  

20. Having considered the withheld information, the terms of the request (which were similar, but not identical) and the Authority’s explanation of its interpretation of the scope of the request, the Commissioner is satisfied that the Authority’s interpretation of the request was appropriate (as were the searches carried out in line with that interpretation).

Section 36(2) - Confidentiality

21. Section 36(2) of FOISA provides that information is exempt from disclosure if it was obtained by a Scottish public authority from another person (including another such authority) and its disclosure, by the authority obtaining it, to the public (otherwise than under FOISA) would constitute a breach of confidence actionable by that person or any other person.  

22. Section 36(2) is an absolute exemption and is not, therefore, subject to the public interest test in section 2(1)(b) of FOISA.  However, it is generally accepted in common law that an obligation of confidence will not be enforced to restrain disclosure of information which is necessary in the public interest.

Information obtained from another person

23. Section 36(2) therefore contains a two-stage test, both parts of which must be fulfilled before the exemption can be relied upon.  The first is that the information must have been obtained by a Scottish public authority from another person.  “Person” is defined widely and means another individual, another Scottish public authority or any other legal entity, such as a company or partnership.

24. The Authority explained that the withheld information had been provided to it by the former CEO in correspondence and in the context of resigning from their post.  In this specific context, the Authority submitted that the former CEO was acting as a private individual in their own right – separate to, and not on behalf of, the Authority.  In support of this, the Authority noted that the former CEO had, in the most part, corresponded with it on this matter via their personal email address.

25. The Authority argued that the Decision 166/2007 of the Commissioner (which found that, for the purposes of section 36(2) of FOISA, evidence provided by employees in a grievance procedure was “obtained from another person”) could reasonably be read as applying equally to information provided by individuals going through a resignation process.

26. Having viewed the withheld information, the Commissioner is satisfied that it was reasonable, in the circumstances, for the Authority to consider the information provided by the former CEO (either personally or where correspondence repeated information provided by them) as having been “obtained from another person”.

27. Consequently, the Commissioner is satisfied that the first part of the test for the application of the exemption in section 36(2) of FOISA is met for the information withheld under that exemption.

Actionable breach of confidence

28. The second part of the test is that disclosure of the information by a public authority must constitute a breach of confidence actionable either by the person who gave the information to the public authority or by any other person.  The Commissioner takes the view that “actionable” means that the basic requirements for a successful action must appear to be fulfilled.

29. There are three main requirements which must be met before a claim for breach of confidence can be established to satisfy the second element to this test.  These are:

(i) The information must have the necessary quality of confidence;

(ii) The public authority must have received the information in circumstances which imposed an obligation on it to maintain confidentiality; and

(iii) Unauthorised disclosure must be to the detriment of the person who communicated the information.

Necessary quality of confidence

30. The Authority claimed that the information had the necessary quality of confidence.  It explained that while the fact of the former CEO’s resignation was public knowledge at the time of the request, more specific details of this were not (which remained the case).

31. Having considered the withheld information and the Authority’s submissions, the Commissioner is satisfied, having also conducted his own searches, that the withheld information fulfils the criteria of having the necessary quality of confidence.  The information is not common knowledge and could not readily be obtained by the Applicant through any other means.

Obligation to maintain confidentiality

32. The Authority explained that the information had been received in the context of an employee-employer relationship which it considered conferred an overarching relationship of mutual trust and confidence.  

33. The Authority further submitted that the information was received in circumstances which imposed an obligation on the Authority to maintain confidentiality.  It considered this obligation was in part explicit (noting that the former CEO had marked emails as “confidential” and almost entirely carried out correspondence via a personal account) and in part, given the nature of the withheld information, implicit.

34. The Authority stated that the former CEO would not have shared the information with the Authority had they thought it might be disclosed into the public domain at any time in the future.  It noted that the former CEO had confirmed this to be the case during the Commissioner’s investigation.

35. The Authority explained that the fact the information had been labelled specifically as “confidential” further attested to the obligation to maintain confidence in relation to such.  It referred to the judgment in Coco v A N Clark (Engineers) Limited [1968] FSR 415  which it considered to be relevant in this case:

“… if the circumstances are such that any reasonable man standing in the shoes of the recipient of the information would have realised, that upon reasonable grounds the information was being given to him in confidence then this should suffice to impose upon him the equitable obligation of confidence.”

36. In summary, the Authority submitted that, notwithstanding the absence of a confidentiality agreement, the former CEO entered into dialogue in the full expectation that confidentiality would be maintained in perpetuity.

37. Having considered the circumstances, and the source and content of the withheld information, the Commissioner is satisfied that the information withheld was received in circumstances that implied an obligation to maintain confidentiality.  He therefore accepts that there was an obligation to maintain confidentiality.

Unauthorised disclosure would cause detriment

38. The third requirement is that unauthorised disclosure of the information must be to the detriment of the person who communicated it.  The damage need not be substantial and indeed could follow from the mere fact of unauthorised use or disclosure in breach of confidence.  

39. In that respect, the test of detriment is different to establishing whether, for example, disclosure would prejudice substantially the commercial interests of any person when considering the exemption in section 33(1)(b) of FOISA.

40. The Authority stated that the former CEO had not authorised disclosure of the withheld information in this case.  Disclosure would therefore have been unauthorised.  It also provided submissions detailing why disclosure of the withheld information into the public domain, which is the effect of disclosure under FOISA, would cause detriment to the former CEO.  

41. As rehearsed earlier, the Commissioner is restrained from setting out a full account of his reasoning (or that of the Authority).  However, he is satisfied that the former CEO provided the information (which is being withheld) in the expectation that it would be treated confidentially and not disclosed in the public domain in response to an information request under FOISA.

42. The Commissioner is therefore satisfied that the tests for an actionable breach of confidence are met in this case, in relation to the information being withheld under section 36(2) of FOISA.

The Commissioner’s view

43. In all the circumstances, the Commissioner is satisfied that all the tests for an actionable breach of confidence are met in this case.

44. Having found that the tests for the exemption in section 36(2) of FOISA have been met, and the exemption is properly engaged, the Commissioner must now go on to consider where the balance of public interest lies in relation to disclosure of the information.

Public interest defence – section 36(2)

45. As noted above, the exemption in section 36(2) of FOISA is an absolute exemption in terms of section 2(2) of FOISA and not subject to the public interest test in section 2(1)(b). However, the law of confidence recognises that, in certain circumstances, the strong public interest in maintaining confidences may be outweighed by the public interest in disclosure of the information.  In deciding whether to enforce an obligation of confidentiality, the courts are required to balance these competing interests, but there is no presumption in favour of disclosure.  This is generally known as the public interest defence.

46. The courts have identified a relevant public interest defence in cases where withholding information would cover up serious wrongdoing, and where it would lead to the public being misled on, or would unjustifiably inhibit public scrutiny of, a matter of genuine public concern.

The Applicant’s submissions

47. The Applicant explained that the Authority was established by the Scottish Government to act, at arm’s length, in support of its policy objectives.   They contended that the Authority’s board, including its chairperson, were appointed by the Scottish Government – the board then selecting the executives who operated the business.  

48. In view of the above, the Applicant considered that the Authority was required to be fully transparent and the reason for the resignation of the former CEO should be disclosed.  Specifically, they believed there was more to the matter than had been “divulged” – particularly as the former CEO had left their post without working a period of notice.

49. The Applicant submitted that the relevant parties in this case were known and in the public domain.  They speculated that there were “difficulties” between these parties, which was why the information requested was being withheld.  

50. In all, the Applicant submitted that the public interest favoured full disclosure of the reasons and circumstances surrounding the resignation of the former CEO.

The Authority’s submissions

51. The Authority acknowledged that a public interest defence may be relevant in certain cases (e.g. where withholding information would cover up serious wrongdoing, lead to the public being misled on or would unjustifiably inhibit public scrutiny of, a matter of genuine public concern).  However, it submitted that it did not consider this to be the case here.

52. The Authority further submitted that the former CEO had a reasonable expectation of privacy in relation to the withheld information, given the subject matter (in terms of Article 8 of the European Convention on Human Rights) and since they had provided no further public update following their media statement of 4 March 2022.

53. The Authority also referred the Commissioner to guidance issued by the UK Information Commissioner’s Office  in relation to information provided in confidence, which it had considered when evaluating the public interest in this case (specifically paragraph 84):

“… in cases where the duty of confidence protects a person’s private interests, it is hard to envisage circumstances where the public interest in transparency and accountability alone, would be sufficient to override the public interest in maintaining that individual’s privacy.”

54. On balance, the Authority concluded that the public interest lay in favour of upholding the exemption as it considered there was no public interest defence to disclosure of the information.

The Commissioner’s view on the public interest defence

55. The Commissioner has taken account of the public interest defence submissions made by the Authority and the submissions made by the Applicant on the public interest in disclosure of the information.  He has also taken account of the content of the withheld information itself.

56. The Commissioner recognises that there is clearly a strong public interest defence in transparency to allow effective scrutiny of information relating to matters of genuine public concern.  On the other hand, he accepts that there is also a strong public interest in the maintenance of confidences where information has been shared in such circumstances.

57. While the Commissioner accepts the circumstances of, and reasons for, the former CEO’s resignation are a matter of genuine public concern, he does not consider that there is a reasonable argument in this case for the disclosure of confidential information on public interest grounds.

58. Consequently, the Commissioner finds that the Authority was correct to withhold the information requested under section 36(2) of FOISA.

59. Having reached this conclusion, the Commissioner is not required to go on to consider whether the exemption in section 38(1)(b) of FOISA applies to the information he has found is exempt under section 36(2).  However, he will go on to consider whether the exemption in section 38(1)(b) of FOISA applies to information the Authority withheld solely under that exemption.

Section 38(1)(b) – Personal Information

60. Section 38(1)(b), read in conjunction with section 38(2A)(a), exempts information from disclosure if it is “personal data”, as defined in section 3(2) of the DPA 2018, and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the GDPR.

61. In this case the Authority applied the exemption in section 38(1)(b) of FOISA, as read with section 38(2A)(a), to a small amount of information that it considered to be personal data.

Is the withheld information personal data?

62. The first question the Commissioner must address is whether the information is personal data for the purposes of section 3(2) of the DPA 2018.  The two main elements of personal data are that:

  • the information must “relate to” a living person; and
  • the living individual must be identifiable.

63. Information will “relate to” a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them or has them as its main focus.

64. An “identifiable living individual” is one who can be identified, directly or indirectly, by reference to an identifier (such as a name) or one or more factors specific to the individual (see section 3(3) of the DPA 2018).

65. The Commissioner is satisfied that the information being withheld solely under section 38(1)(b) of FOISA is personal data: the data comprise the personal email addresses of individuals (including the former CEO) and, in one instance, the name of a junior member of Authority staff.  Living individuals are identifiable from this information and the information clearly relates to those individuals.

Would disclosure contravene one of the data protection principles?

66. The Authority argued that disclosure would breach the data protection principle in Article 5(1)(a) of the UK GDPR.  Article 5(1)(a) states that personal data shall be processed “lawfully, fairly and in a transparent manner in relation to the data subject.”.

67. "Processing" of personal data is defined in section 3(4) of the DPA 2018.  It includes (section 3(4)(d)) disclosure by transmission, dissemination or otherwise making available personal data.  The definition therefore covers disclosing information into the public domain in response to a FOISA request.

68. The Commissioner must consider whether disclosure of the personal data would be lawful.  In considering lawfulness, he must consider whether any of the conditions in Article 6 of the UK GDPR would allow the data to be disclosed.

69. The Commissioner considers that condition (f) in Article 6(1) is the only condition which could potentially apply in the circumstances of this case.

Condition (f) – legitimate interests

70. Condition (f) states that processing shall be lawful if it is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

71. Though Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, section 38(5A) of FOISA makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.

72. The three tests which must be met before Article 6(1)(f) can be met are as follows:

  • Does the Applicant have a legitimate interest in the personal data?
  • If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?
  • Even if the processing would be necessary to achieve the legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subjects which require protection of personal data?
Does the Applicant have a legitimate interest in obtaining the personal data?

73. The Applicant explained that knowing what transpired prior to the former CEO’s resignation was of legitimate interest to them personally and to the wider public.

74. The Authority accepted that the Applicant had a legitimate interest in understanding the former CEO’s reasons for departure as a member of the public.

75. Having considered the submissions from both the Applicant and the Authority, the Commissioner accepts that the Applicant was pursuing a legitimate interest in seeking to fully understand the circumstances and reasons for the resignation of the former CEO.

76. However, because the withheld information in this case is simply the personal email addresses of identified individuals (and, in one instance, the name of a junior member of Authority staff), the Commissioner does not consider that the Applicant has a legitimate interest in obtaining the personal data.  This is because it would not advance, to any extent, the legitimate interests he has accepted the Applicant has in fully understanding the reasons for the former CEO’s resignation.

77. Having found that the Applicant does not have a legitimate interest in the personal information withheld, the Commissioner finds that condition (f) in Article 6(1) of the GDPR cannot be met and that disclosure of the information in question would be unlawful.

78. Given that the Commissioner has concluded that the processing of the personal data would be unlawful, he is not required to go on to consider whether disclosure of the personal data would otherwise be fair and transparent in relation to the former CEO.

79. The Commissioner is satisfied, in the absence of a condition in Article 6 of the UK GDPR which would allow the data to be disclosed, that disclosure would be unlawful.  The personal data is therefore exempt from disclosure under section 38(1)(b) of FOISA.

Decision

The Commissioner finds that the Authority complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only.  Any such appeal must be made within 42 days after the date of intimation of this decision.

David Hamilton
Scottish Information Commissioner

25 February 2025