Decision 049/2020: Email addresses of registered charities

Public authority: Office of the Scottish Charity Regulator
Case Ref: 201901275

Summary

The Office of the Scottish Charity Regulator (OSCR) was asked for a database of email addresses of all Scottish charities registered with it.

OSCR refused to disclose this information as some of it constituted personal data and the cost of providing the remaining information would exceed the £600 cost limit.

Following an investigation, the Commissioner agreed that certain of the information was personal data and the cost of providing the email addresses without personal data would exceed the amount prescribed in the Fees Regulations (and so OSCR was not required to comply with the request).


Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and 2(e)(ii) (Effect of exemptions); 12(1) (Excessive cost of compliance); 15 (Duty to provide advice and assistance); 38(1)(b), (2A), (5) (definitions of "the data protection principles", "data subject", "the GDPR", "personal data" and "processing") and (5A) (Personal information)

General Data Protection Regulation (the GDPR) Articles 4(11) (definition of "consent") (Definitions); 5(1)(a) (Principles relating to processing of personal data); 6(1)(a) and (f) (Lawfulness of processing); 7(1) (Conditions for consent)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5) and (10) (Terms relating to the processing of personal data)

The Freedom of Information (Fees for Required Disclosure) (Scotland) Regulations 2004 (the Fees Regulations) regulations 3 (Projected costs) and 5 (Excessive cost - prescribed amount)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.


Background

1. On 3 November 2018, the Applicant made a request for information to the Office of the Scottish Charity Regulator (OSCR). The information requested was a database of email addresses for all Scottish charities registered with OSCR.

2. OSCR responded on 6 November 2018. It gave notice, under section 17 of FOISA, that it did not hold the information. OSCR also sought to rely on the exemption in section 38(1)(b) (Personal information) of FOISA. It explained that it did not hold a definitive database of email addresses, or in any form which could be provided without breaching the principles in the GDPR.

3. On 7 November 2018, the Applicant wrote to OSCR, requesting a review of its decision on the basis that OSCR did hold a database of email addresses for registered charities and these email addresses were provided by the charities as their official contact details, which meant that they had consented to their use on the OSCR database. The Applicant also argued that the official email contact details for a registered charity were not personal data, but were public records.

4. OSCR notified the Applicant of the outcome of its review on 3 December 2018. OSCR confirmed its original decision, i.e. that it did not hold a database of email addresses for registered charities. It explained that, under the terms of the Charities and Trustee Investment (Scotland) Act 2005 (the 2005 Act), it has to be provided with certain information to enable it to compile the Scottish Charity Register. This does not include an email address, which it only collected to allow it to maintain contact with the charity (and for which it had not, therefore, sought consent for disclosure). As it did not hold email addresses in a format where it could automatically differentiate between what might be a business email address and a personal one, OSCR continued to rely on the exemption in section 38(1)(b) of FOISA.

5. On 4 March 2019, the Applicant wrote to the Commissioner. The Applicant applied to the Commissioner for a decision in terms of section 47(1) of FOISA. The Applicant stated he was dissatisfied with the outcome of OSCR's review because OSCR did hold a database of email addresses of all charities, which must/should be the official communication addresses for the charities, as published on their websites. The Applicant also considered that they should be a matter of public record and disputed OSCR's assertion that removing personal email addresses from the list would be onerous.

6. Following correspondence among the Commissioner, OSCR and the Applicant, OSCR undertook to issue a revised response to the Applicant's requirement for review. Following receipt of this revised response, the Applicant withdrew his application for a decision.

7. OSCR issued its revised response to the requirement for review on 11 July 2019. In its response, OSCR explained that it was now relying on section 12 (Excessive cost of compliance) of FOISA. It acknowledged that it held email addresses for Scottish charities registered with it, but noted that this was not complete or held in a definitive database. OSCR also explained that it could not disclose this information without removing personal data in terms of section 38(1)(b) of FOISA.

8. The Applicant submitted a new application to the Commissioner on 31 July 2019. The Applicant applied to the Commissioner for a decision in terms of section 47(1) of FOISA, and stated that he did not have confidence in the current response from OSCR (that dated 11 July 2019). He commented that, in today's world, communications with organisations by email is standard practice and likely to be more popular than post. The Applicant considered that, if OSCR was happy to include charity postal addresses in the register, it should also provide email addresses, and the cost of this was OSCR's responsibility. He also argued, with reasons, that there were no grounds to withhold the email addresses under data protection legislation.


Investigation

9. The application was accepted as valid. The Commissioner confirmed that the Applicant made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

10. On 6 August 2019, OSCR was notified in writing that the Applicant had made a valid application and the case was allocated to an investigating officer.

11. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. OSCR was invited to comment on this application and to answer specific questions. These related to reliance on section 12(1) (Excessive cost of compliance) and section 38(1)(b) (Personal information) of FOISA for refusing to disclose the email addresses to the Applicant.

12. Submissions were also sought and received from the Applicant on why he considered he had a legitimate interest in receiving the email addresses.


Commissioner's analysis and findings

13. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both the Applicant and OSCR. He is satisfied that no matter of relevance has been overlooked.

14. As noted above, OSCR withheld the information on the basis that it contained elements of personal data and the cost of locating, retrieving and providing what remained would exceed the £600 cost limit set for the purposes of section 12(1) FOISA. Given the extent to which OSCR's argument depends on the need to redact personal data, the Commissioner will consider that question before going on to consider whether section 12(1) applies.

Section 38(1)(b) - Personal information

15. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is "personal data" (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the GDPR or (where relevant) in the DPA 2018.

16. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

17. To rely on this exemption, OSCR must show that the information withheld is personal data for the purposes of the DPA 2018 and that disclosure of the information into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles found in Article 5(1) of the GDPR.

18. The Applicant sought a database of email addresses of all Scottish charities registered with OSCR.

19. OSCR confirmed that it held email addresses of Scottish charities registered with it, but this list is not complete, or held in a definitive database as publicly available information or in a form which could be disclosed consistent with data protection requirements.

20. OSCR submitted that disclosure of personal data from the email addresses would breach the first data protection principle, which requires the processing of personal data to be lawful, fair and carried out in a transparent manner (Article 5(1)(a) of the GDPR).

Is the information personal data?

21. The first question for the Commissioner is whether the withheld information is personal data for the purposes of section 3(2) of the DPA 2018, i.e. any information relating to an identified or identifiable living individual. "Identifiable living individual" is defined in section 3(3) of the DPA 2018 - see Appendix 1. (This definition reflects the definition of personal data in Article 4(1) of the GDPR.)

22. OSCR submitted that the email addresses provided by the registered charities are held on its administration database and there is no field that identifies whether the principal contact email address is Personal or Corporate. OSCR provided the Commissioner with an example of some of the email addresses held.

23. Having considered the example of the email addresses being withheld by OSCR, with the above submission, the Commissioner accepts that certain of the email addresses held would contain personal data. This would include those where the charity has provided a private contact email address where part of the address relates to the name or private address of a person. It would also include corporate email addresses where part of the address relates to the name of a person. This is the case as these are clearly related to identifiable living individuals and an identifiable natural person can be identified directly or indirectly from either their name or address. The Commissioner therefore accepts this information is personal data as defined in section 3(2) of the DPA 2018.

24. The Commissioner does not accept that generic email addresses would constitute personal data as these do not relate to an identifiable living individual and it would not be possible to identify a living individual directly or indirectly from that information. For that reason, the Commissioner does not accept that these email addresses would be exempt from disclosure under section 38(1)(b).

Would disclosure contravene one of the data protection principles?

25. In its submissions, OSCR made reference to Article 5 of the GDPR, specifically the data protection principle in Article 5(1)(a). Article 5(1)(a) states that personal data shall be processed "lawfully, fairly and in a transparent manner in relation to the data subject."

26. In terms of section 3(4)(d) of the DPA 2018, disclosure is a form of processing. In the case of FOISA, personal data is processed when it is disclosed in response to a request.

27. The Commissioner must consider if disclosure of the personal data would be lawful. In considering lawfulness, he must consider whether any of the conditions in Article 6 of the GDPR would allow the data to be disclosed.

28. The Commissioner considers conditions (a) and (f) in Article 6(1) are the only conditions which could potentially apply in the circumstances of this case.

Condition (a): Consent

29. Condition (a) states that the processing will be lawful if the data subject has given consent to the processing of his or her personal data for one or more specified purposes.

30. "Consent" is defined in Article 4 of the GDPR as -

"...any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her"

31. In terms of Article 7(1), the data controller (in this case, OSCR) must be able to demonstrate that the required consent exists.

32. OSCR explained, in its response to the Applicant's request and requirement for review, that consent had not been sought from the data subjects and nor had they given consent for release of their email addresses.

33. The Commissioner is satisfied that, in the absence of consent, condition (a) cannot be met.

Condition (f): legitimate interests

34. Condition (f) states that processing shall be lawful if it "...is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."

35. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.

36. The tests which must be met before Article 6(1)(f) can be met are as follows:

a. Does the Applicant have a legitimate interest in obtaining the personal data?

b. If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?

c. Even if the processing would be necessary to achieve the legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subjects?

Does the Applicant have a legitimate interest in obtaining the personal data?

37. The Applicant argued that OSCR is a publicly accountable regulatory body overseeing the conduct of charities in Scotland, and these charities are also publicly accountable bodies. The Applicant asserted that this was particularly the case as OSCR was set up to avoid previous bad practices in the charity industry. Based on this, the Applicant submitted that any member of the public had a legitimate right to clear and transparent information about charities, including any information those charities provided to OSCR about the workings of their organisations, including email addresses.

38. The Applicant also explained that he wished to have access to these email addresses for research purposes. He was invited to explain his research further, but did not do so.

39. The Applicant also argued that when charities provided email addresses to OSCR as part of their submissions for a database record system - irrespective of whether OSCR intended the database to be used for public access - the email addresses had been given as an official contact email of the charity for the purpose of that charity going about its business. Therefore, that email was a matter of public interest and record, irrespective of whether it was a personal email address. OSCR, on the other hand, explained that the email addresses were provided for its own administrative purposes only, and not as part of the information it was required to collect and make available to the public, in the form of the Scottish Charity Register, in accordance with the 2005 Act.

40. The Commissioner accepts that the Applicant (and, indeed, the public) has a legitimate interest in the matters set out in paragraph 37 above. It is difficult to see, however, how that legitimate interest would be furthered in any way by making email contact details available, in addition to the information OSCR is required to make available to the public, as part of the Scottish Charity Register. Neither is it apparent, without any further information on the research in question, how these details might facilitate research. The email addresses would undoubtedly facilitate contact, but it is not evident how they would facilitate transparency about the workings of the charities in any meaningful sense.

41. The Commissioner cannot accept the inherent public interest in this information identified by the Applicant and set out in paragraph 39 above. The Commissioner accepts OSCR's explanation that this is information obtained for its own administrative purposes only and can identify no inherent expectation that it should be a matter of public interest and record.

42. Having concluded that the withheld personal data would not contribute to the legitimate interest identified in this case, to the extent that such interest exists, the Commissioner is not required to consider whether the other tests set out in paragraph 36 above can be met.

43. The Commissioner therefore concludes that there is no condition in Article 6 of the GDPR allowing the personal data to be disclosed, with the result that he must also conclude that disclosure would be unlawful.

44. Given that the Commissioner has concluded that the processing of the personal data would be unlawful, he is not required to go on to consider separately whether disclosure of such personal data would be otherwise fair and transparent in relation to the data subject.

Conclusion on the data protection principles

45. For the reasons set out above, the Commissioner is satisfied that disclosure of the personal data under consideration here would breach the data protection principle in Article 5(1)(a) of the GDPR. Consequently, he is satisfied that the personal data are exempt from disclosure under section 38(1)(b) of FOISA. Accordingly, it is reasonable to accept that OSCR would remove these before disclosing any of the requested information to the Applicant.

46. In its submissions to the Commissioner, OSCR argued that the cost to it of locating, retrieving and providing the remaining email addresses (i.e. not the personal data) to the Applicant would exceed the statutory maximum of £600 set out for the purposes of section 12(1) of FOISA. For that reason, it was relying on section 12(1) for refusing to comply with the request.

Section 12(1) - Excessive cost of compliance

47. Section 12(1) of FOISA provides that a Scottish public authority is not obliged to comply with a request for information where the estimated cost of doing so would exceed the relevant amount prescribed in the Fees Regulations. This amount is currently set at £600 (regulation 5 of the Fees Regulations). Consequently, the Commissioner has no power to require the disclosure of information should he find that the cost of responding to a request for information exceeds this sum.

48. The projected costs the public authority can take into account in relation to a request for information are, according to regulation 3 of the Fees Regulations, the total costs (whether direct or indirect) which the authority reasonably estimates it is likely to incur in locating, retrieving and providing the information requested in accordance with Part 1 of FOISA. The public authority may not charge the cost of determining whether it actually holds the information requested, or whether it should provide the information. The maximum rate a Scottish public authority can charge for staff time is £15 an hour.

49. OSCR explained that it holds the email addresses for all of the Scottish charities registered with it in its electronic administrative database. OSCR explained that information contained in this database changes on a daily basis due to the addition of new charities, or as a consequence of changes made to contact information by charity trustees or administrators (who have the ability to update their accounts with changes to email addresses). This database does not, OSCR explained, have a facility which enables it to differentiate between email address types (i.e. private, corporate, generic).

50. In order to be able to locate, retrieve and provide the requested information to the Applicant, the email addresses held in the database can, OSCR submitted, be extracted as one list and converted to a PDF document, to allow for secure redaction. An exercise would then have to be carried out to redact the parts of the email addresses contained in the list previously identified as being exempt under section 38(1)(b).

51. Based on information held by OSCR at 25 September 2019, there were 24,572 charities registered with it, of which 24,467 had email addresses and 7,299 also provided alternative contact email addresses. Only 285 of the charities registered had not provided email contact details. Having carried out a sample exercise, OSCR submitted that approximately 25,572 email addresses would need to be redacted to remove personal data prior to providing the information to the Applicant. The cost of this would, OSCR explained, be £796.29. This is based on it being possible to redact 1,000 entries in 139 minutes at a cost of £11.16 an hour. An exercise would also have to be undertaken to review the list of 25,572 email addresses for any errors or omissions prior to disclosure, where it would take 17 minutes to check 1,000 entries. The process of checking the list for errors or omissions would be charged at £15 an hour, due to the grade of the staff member required to carry out the exercise.

52. Taking account of the actions that would have to be carried out to physically redact personal data and check these prior to providing the list to the Applicant, together with the costs involved (all of which the Commissioner accepts as reasonable in the circumstances), the Commissioner is satisfied that the cost of complying with the Applicant's request would exceed £600. He therefore finds that, in line with section 12(1) of FOISA, OSCR was not obliged to comply with the Applicant's request.

53. Having accepted that section 12 was correctly applied by OSCR, the Commissioner cannot require it to disclose the email addresses that do not contain personal data.


Decision

The Commissioner finds that, in respect of the matters specified in the application, the Office of the Scottish Charity Regulator complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by the Applicant.


Appeal

Should either the Applicant or OSCR wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.


Margaret Keyse
Head of Enforcement
13 March 2020


Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

12 Excessive cost of compliance

(1) Section 1(1) does not oblige a Scottish public authority to comply with a request for information if the authority estimates that the cost of complying with the request would exceed such amount as may be prescribed in regulations made by the Scottish Ministers; and different amounts may be so prescribed in relation to different cases.

15 Duty to provide advice and assistance

(1) A Scottish public authority must, so far as it is reasonable to expect it to do so, provide advice and assistance to a person who proposes to make, or has made, a request for information to it.

(2) A Scottish public authority which, in relation to the provision of advice or assistance in any case, conforms with the code of practice issued under section 60 is, as respects that case, to be taken to comply with the duty imposed by subsection (1).

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A));

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in -

(a) Article 5(1) of the GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

"the GDPR", "personal data", "processing" and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4), (10), (11) and (14) of that Act);

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

General Data Protection Regulation

Article 4 Definitions

For the purposes of this Regulation:

11 'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Article 5 Principles relating to processing of personal data

1 Personal data shall be:

a. processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency")

Article 6 Lawfulness of processing

1 Processing shall be lawful only if and to the extent that at least one of the following applies:

a. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

Article 7 Conditions for consent

1 Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

Data Protection Act 2018

3 Terms relating to the processing of personal data

(2) "Personal data" means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

(3) "Identifiable living individual" means a living individual who can be identified, directly or indirectly, in particular by reference to -

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

(4) "Processing", in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as -

(d) disclosure by transmission, dissemination or otherwise making available.

(subject to subsection 14(c) and sections 5(7), 29(2) and 82(3), which make provision about references to processing in the different Parts of this Act).

(5) "Data subject" means the identified or identifiable living individual to whom personal data relates.

(10) "The GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

Freedom of Information (Fees for Required Disclosure) (Scotland) Regulations 2004

3 Projected costs

(1) In these Regulations, "projected costs" in relation to a request for information means the total costs, whether direct or indirect, which a Scottish public authority reasonably estimates in accordance with this regulation that it is likely to incur in locating, retrieving and providing such information in accordance with the Act.

(2) In estimating projected costs-

(a) no account shall be taken of costs incurred in determining-

(i) whether the authority holds the information specified in the request; or

(ii) whether the person seeking the information is entitled to receive the requested information or, if not so entitled, should nevertheless be provided with it or should be refused it; and

(b) any estimate of the cost of staff time in locating, retrieving or providing the information shall not exceed £15 per hour per member of staff.

5 Excessive cost - prescribed amount

The amount prescribed for the purposes of section 12(1) of the Act (excessive cost of compliance) is £600.