Decision 050/2008 Mr Q and the University of Glasgow

Information relating to the tendering process for internal audit function

Applicant: Mr Q
Authority: University of Glasgow
Case No: 200700016
Decision Date: 31 March 2008

Kevin Dunion
Scottish Information Commissioner

Request for information relating to the tendering process for internal audit services

Relevant Statutory Provisions and Other Sources

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) (General entitlement), 2 (Effect of exemptions), 12 (Excessive cost of compliance), 14(2) (Vexatious or repeated requests), 33 (Commercial interest and the economy), 36(2) (Confidentiality) and 38(1)(b) (Personal information).

The Freedom of Information (Fees for Required Disclosure) (Scotland) Regulations 2004 (the Fees Regulations) regulations 5 (Excessive cost ? prescribed amount).

Data Protection Act 1998 (DPA) sections 1(1) (Basic interpretative provisions) (definition of "personal data") and 2 (Sensitive personal data); schedules 1 (the data protection principles: first, sixth, seventh and eighth principles) and 2 (Conditions relevant for purposes of the first principle: processing of any personal data: condition 6).

The full text of each of these provisions is reproduced in the Appendix to this decision. The Appendix forms part of this decision.

Facts

Mr Q requested documents relating to the award of the contract for internal audit services by Glasgow University (the University). The University responded by supplying Mr Q with some of the information requested but withheld the remainder on the basis that sections 38(1)(b) (Personal information), 33(1) (Commercial interests and the economy), 36(2) (Confidentiality) and 14(2) (Vexatious or repeated requests) of FOISA applied.Following a review, which upheld the University's original decision without amendment, Mr Q remained dissatisfied and applied to the Commissioner for a decision.

Following an investigation, the Commissioner found that the University had partially dealt with Mr Q's request for information in accordance with Part 1 of FOISA. However, he also found that the University had not been entitled to withhold certain information relating to the successful bidder for the contract on the basis that disclosure of the information would be likely to cause substantial prejudice to that bidder's commercial interests, and that it had not been entitled to withhold the name of the person designated Head of Internal Audit Service on the basis that disclosure would contravene the data protection principles. He required the release of the information incorrectly withheld.

Background

1.On 13 October 2006, Mr Q wrote to the University requesting the following information with respect to the award of its contract for internal audit services:

(a)A copy of the invitation to tender document [request 1];

(b)Any documentation that parties wishing to receive a copy of the ITT document had to complete as a pre requisite [request 2];

(c)A copy of each of the tender submission documents submitted to the University in response to the invitation materials referred to at (a) and (b) above [request 3];

(d)Details of all the evaluation criteria (including relative weightings and guidance notes) [request 4];

(e)Details of all the evaluation scores in relation to each of the criteria [request 5];

(f)All notes( including hand written notes) taken by members of the panel which awarded the contract as well as officials in attendance at the meeting of the panel [request 6];

(g)The name of each party to whom a contract was awarded as a result of the tender process [request 7];

(h)All correspondence between the University and each of the parties who submitted a tender after the tender was awarded [request 8];

(i)The name of the person designated as "Head of the Internal Audit Service" in terms of the Code of Audit Practice issued by the Scottish Higher Education Funding Council in September 1999 [request 9];

(j)The name of the person within the University to whom the person named at (g) reported [request 10].

2.On 15 November 2006, the University wrote to Mr Q in response to his requests for information.The University supplied information in response to requests 2, 4, 7 and 10, nothing being withheld in relation to these requests.In responding to requests 1, 3, 5, 8 and 9 the University supplied Mr Q with some of the information he had requested, providing other items with information redacted and withholding others on the basis that (variously) sections 14 (Vexatious or repeated requests), 33 (Commercial interests and the economy), 36 (Confidentiality) and/or 38 (Personal information) of FOISA applied. The University advised that it did not hold any information falling within the scope of request 6.

3.Mr Q wrote to the University requesting a review of its decision on 20 November 2006.In particular, he questioned the University's application of sections 38(1)(b), 33(1) and 36(2) of FOISA in withholding information. Mr Q also questioned the University's use of section 14(2) of FOISA in response to request 1.

4.The University wrote to notify Mr Q of the outcome of its review on 14 December 2006.While providing further explanation on certain points, the University upheld its original decision without amendment.

5.On 20 December 2006, Mr Q wrote to my Office, stating that he was dissatisfied with the outcome of the University's review and applying to me for a decision in terms of section 47(1) of FOISA.

6.The application was validated by establishing that Mr Q had made a request for information to a Scottish public authority and had applied to me for a decision only after asking the authority to review its response to that request. The University appears to have responded in full to requests 2, 4, 7 and 10, by providing information to Mr Q. In response to request 6, the University asserted that it did not hold any relevant information. From his request for review and application to me it is my understanding that Mr Q accepts the University's responses to these requests, and therefore I shall not consider them further in this decision.

The Investigation

7.On 22 January 2007, the University was notified in writing that an application had been received from Mr Q and was asked to provide my Office with its comments on the application, as required by section 49(3)(a) of FOISA. In particular, it was asked to provide copies of any information withheld, along with justification of its application of exemptions to that information and details of the searches carried out to confirm that it did not hold certain of the information requested. The University responded to this letter and the case was then allocated to an investigating officer.

8.The University submitted that it had decided against issuing a fees notice to the applicant, despite the fact that there had been a significant cost in complying with these requests. The University submitted that it had taken this decision in the spirit of openness and transparency on which FOISA was based.As will be noted (see paragraphs 13 onwards below), the cost of dealing with the request was considered further in the course of the investigation.

9.The University also provided full submissions supporting its reliance on the exemptions claimed (and on section 14(2) of FOISA). In the course of the investigation, further comments were obtained from the University on a number of aspects of the case.

10.In his application, Mr Q put forward a number of arguments as to why he disagreed with the University's response to his requests for information, referring back to his request for review in support of these. During the investigation, Mr Q confirmed that he did not wish the information redacted by the University relating to third party employees to fall within the scope of this investigation, while confirming that he still required a decision on his request for the identity of the Head of Internal Audit.

11.I will consider the arguments advanced by both parties further in the relevant parts of my analysis and findings below.

The Commissioner's Analysis and Findings

12.In coming to a decision on this matter, I have considered all of the information and submissions that have been presented to me by both Mr Q and the University and I am satisfied that no matter of relevance has been overlooked.

Section 12 (Excessive cost of compliance)

13.By virtue of section 12(1) of FOISA, a Scottish public authority is not obliged to comply with a request for information if it estimates that the cost of doing so would exceed a sum prescribed for that purpose by regulations, currently set at ?600 by regulation 5 of the Fees Regulations. As the University's initial submission to my Office referred to the cost of compliance with Mr Q's requests being significant and to it not being possible to devote equivalent resources to each and every information request it received, I considered it necessary to explore the question of cost further.

14.The University having confirmed that the overall cost of complying with Mr Q's requests had been in excess of ?600, the investigating officer highlighted that neither FOISA nor the Fees Regulations allowed for Scottish public authorities aggregating the costs of responding to separate requests for information made by the same individual and therefore asked the University to confirm whether any one of the individual requests made by Mr Q had exceeded the prescribed limit.In response, the University maintained that Mr Q had made a single request to it, that it had dealt with it accordingly, and that there was no legal basis or guidance for doing otherwise. It provided detailed arguments to support its view.

15.FOISA does not currently allow Scottish public authorities to aggregate one or more requests for information made by the same person.Although section 12(2) of FOISA permits the Scottish Ministers to make regulations which would allow a Scottish public authority to aggregate the costs of responding to two or more requests from the same person, no such regulations have been made.This appears to be accepted by the University. What appears to be at issue is whether Mr Q's letter of 13 October 2006 is more properly treated as a single request for information or as ten separate requests.

16.I am prepared to accept that request 10 makes sense only if read in conjunction with request 7. However, each of the other numbered requests in the letter is capable of being read and dealt with in isolation, as a discrete request for specific information relating to the award of the internal audit contract: I therefore consider that they should each be treated as separate requests for information.

17.Having reviewed the cost submissions made by the University, which include an aggregate cost of ?679.26 for dealing with all of the requests, I am satisfied that the cost of complying with each individual request fell under the ?600 limit prescribed by the Fee Regulations.As I have determined that the cost in dealing with Mr Q's requests did not exceed the prescribed amount, I cannot uphold the University's reliance on section 12(1) of FOISA and therefore shall now go on to consider its application of exemptions and section 14(2) in withholding information from Mr Q.

Request 1 ? copy of invitation to tender document

Section 14 (Vexatious or repeated requests)

18.The University applied section 14(2) of FOISA in response to request 1.Section 14(2) provides that where a Scottish public authority has complied with a request from a person for information, it is not obliged to comply with a subsequent request from that person which is identical or substantially similar, unless a reasonable time has passed between the making of the request the authority has complied with and the making of the subsequent request.

19.The University applied section 14(2) in withholding previous Internal Audit Services Unit Annual Reports, copies of which had been issued for information with the tender documents.The University considered that Mr Q would be aware that, in tendering for Internal Audit Services, the University would supply previous Internal Audit Services Unit Annual Reports to the bidders to identify particular issues mentioned in the reports about which they could submit a competitive bid. It referred to a number of requests received from Mr Q, all of which were about audit functions and therefore were considered to be substantially similar.

20.Mr Q accepted that he had received the documents in question as aresult of an earlier request, but contended that it did not follow that the earlier request was substantially similar to request 1. He argued the two requests were quite distinct and did not accept the University's submission that the requests were substantially similar because they fell within the same"subject area". I note Mr Q has the documents and does not in fact require further copies.

21.Having carefully considered the terms of request 1, I am not satisfied that previous Internal Audit Services Unit Annual Reports fall within the scope of the request.Mr Q specifically requested a copy of the invitation to tender (ITT) document, which was supplied to him.I am not persuaded that contextual documents supplied to potential bidders alongside the ITT document would fall within the scope of that request. It was not, therefore, necessary for the University to claim that the information in question was subject to section 14(2) of FOISA.

22.In any event, however, I think it appropriate to place on record that I would not have been inclined to accept the University's reliance on section 14(2) had I deemed the information to fall within the scope of the request. I have considered the terms of the earlier request the University regards as substantially similar to request 1 and can find no justification for its conclusion. The requests are quite distinct and relate to wholly separate items of information. I cannot accept that requests will be substantially similar simply because they fall within the same general subject area: that would be an unreasonably wide interpretation of the words in question, which would in all likelihood bring a considerable number of perfectly legitimate requests within the ambit of section 14(2). I suggest that the University review its approach to this particular provision.

Request 3 ? copy of each of the tender submission documents

23.In response to request 3 the University supplied Mr Q with copies of all tender submissions received during the tender process.These documents (4 in total) were supplied subject to the redaction of information on the basis that the exemptions within sections 33(1)(b),36(2) and 38(1)(b) applied.During the course of the investigation Mr Q advised that he was not concerned with the information redacted from these documents relating to third party employees, to which section 38(1)(b) had been applied.This information will not therefore form part of my investigation.

Section 36(2) (Confidentiality)

24.Following discussion with its external legal advisers, the University concluded that disclosure of client lists, referees and insurance details contained within each tender submission would have constituted a breach of confidence actionable by the organisations that submitted responses to the ITT.The University also stated that that the tender documents specified a clear and legally binding confidentiality clause.

25.In his submissions to my Office, Mr Q highlighted that the University had taken into account the Scottish Ministers' code of practice under section 60 of FOISA to guard against the acceptance of confidentiality clauses.Mr Q believed it was stated unambiguously by the University that all the information was liable to be disclosed, arguing therefore the claim that an actionable breach of confidence would arise was without foundation.

26.Section 36(2) provides that information is exempt if it was obtained by a Scottish public authority from another person (including another such authority) and its disclosure by the authority so obtaining it to the public (otherwise than under FOISA) would constitute a breach of confidence actionable by that person or any other person. Section 36(2) is an absolute exemption and is not, therefore, subject to the public interest test in section 2(1)(b) of FOISA, but it is generally accepted in common law that an obligation of confidence cannot apply to information the disclosure of which is necessary in the public interest.

27.Section 36(2) therefore contains a two stage test, both parts of which must be fulfilled before the exemption can be relied upon. Firstly, the information must have been obtained by a Scottish public authority from another person. "Person" is defined widely and includes another individual, another Scottish public authority or any other legal entity, such as a company or partnership.

28.The second part of the test is that the disclosure of the information by the public authority would constitute a breach of confidence actionable either by the person who gave the information to the public authority or by any other person. I take the view that actionable means that the basic requirements for a successful action must appear to be fulfilled.

29.I am satisfied that the client lists, referees and insurance details are all information obtained from another person, namely those organisations submitting tenders to the University.I am therefore satisfied that the first part of the section 36(2) test has been fulfilled.

30.There are three main requirements which must be met before a claim for breach of confidentiality can be established to satisfy the second element to this test. These are:

i.the information must have the necessary quality of confidence;

ii.the public authority must have received the information in circumstances which imposed an obligation on the authority to maintain confidentiality; and

iii.there must be a disclosure which has not been authorised by the person who communicated the information but which would cause damage to that person.

31.Mr Q submitted his belief that certain of the information (for example client lists) was available on the websites of the organisations concerned and could not therefore be subject to an obligation of confidentiality.On the basis of this comment from Mr Q, the University sought clarification from one of the organisations that had supplied the information in question.The organisation advised that it did not publish its client lists on its web pages: individual clients might be mentioned on the web pages but only with that client's consent.

32.In relation to Mr Q's comments on the University's statements regarding possible disclosure of information, the University confirmed that it had advised those invited to tender that "all information submitted to the University may need to be disclosed and/or published by the University in compliance with [FOISA]". This, it argued, was not a statement that information would be published, but rather one that information might be released especially in circumstances outwith its direct control. It had been inserted in accordance with FOISA guidance from the Scottish Procurement Executive, to ensure that bidders were aware that information might have to be released following, for example, a decision by a Court or myself.

33.Having reviewed the websites of the organisations in question and noting the University's submissions on this point, I am satisfied that the withheld details pertaining to insurance, client lists and referees are not (and were not at the time the University dealt with Mr Q's request) in fact freely available.I am therefore satisfied that this information had (and has) the necessary quality of confidence.

34.I accept that the ITT contains a statement to the effect that information supplied as a result of a tender to the University might require to be disclosed by the University in line with its statutory duties under FOISA. I do not accept, however (as Mr Q appears to have submitted to me), that it follows from this statement that information meeting the tests in section 36(2) could not be legitimately withheld under that section. Broadly, I agree with the University's interpretation of this statement as set out in paragraph 32 above and do not consider that the statement absolves me of the responsibility for carrying out a full analysis of the arguments presented to me in respect of the application of this (or for that matter any other) exemption.

35.Contrary to what the University has stated in its submissions, I have been able to identify no explicit obligation of confidentiality in the tender documents. In the circumstances of this particular case and taking due account of the relevant submissions made to me, however, I accept that the inherent nature of the tendering process implied an obligation of confidentiality with respect to certain types of information, at the time of submission of tenders and their evaluation by the University.

36.Having considered the information to which the University has applied section 36(2), which was obtained by the University in the process of receiving tenders (and for purposes related to the evaluation of those tenders), I am satisfied that the information in question was subject to an implied obligation of confidentiality. Given the proximity of Mr Q's request to the process of evaluating tenders and awarding a contract, I am satisfied that this implied obligation remained in existence at the time of the request and at the time the University considered Mr Q's request for review.

37.As indicated above in paragraph 30, the third requirement of an actionable breach of confidence is that there must be a disclosure which has not been authorised by the person who communicated the information but which would cause damage to that person.

38.The University also provided copies of correspondence to my Office which reflected its communications following Mr Q's request with the third parties who had submitted tenders.It is clear to me from these communications that the organisations in question did not consent to the release of this particular information.Consequently, the release of this information would not have been authorised by the parties that communicated it.

39.The information in question conveys details of other clients not party to the tender submitted to the University and details which were commercially unique to each tendering organisation. I therefore accept that disclosure of the client lists, insurance details (which for these purposes I am taking to include caps on liability set by the respective bidders) and referees could have resulted in the requisite degree of damage for an actionable breach of confidence to occur.

40.As stated above, if the conditions of section 36(2) are fulfilled an absolute exemption is created. However, it is generally accepted in common law that an obligation of confidence cannot apply to information the disclosure of which is necessary in the public interest.

41.In this case the public interest considerations which have to be taken into account are different from the public interest test contained in section 2(1) of FOISA. The exemption in section 36(2) is not subject to the public interest test in section 2(1) of FOISA. The law of confidence recognises that there is a strong public interest in ensuring that people respect confidences, and the burden of showing that a failure to maintain confidentiality would be in the public interest is therefore a heavy one. However, in certain circumstances the public interest in maintaining confidences may be outweighed by the public interest in disclosure of information. In deciding whether to enforce an obligation of confidentiality, the courts are required to balance these competing interests, but there is no presumption in favour of disclosure (Decision 056/2006 MacRoberts and the City of Edinburgh Council).

42.The courts have considered that there may be a public interest defence to actions of breach of confidentiality where to enforce an obligation of confidence would cover up wrongdoing, allow the public to be misled or unjustifiably inhibit public scrutiny of matters of genuine public concern. In this instance I have considered whether disclosure of the information in question would be necessary to secure effective scrutiny of decision-making processes or oversight of the expenditure of public funds. Taking into account the information already released by the University, I see no reasonable basis for concluding that the University would have a defence to an action of breach of confidence on public interest grounds should it disclose these details

43.In conclusion, I am satisfied that the requirements of section 36(2) of FOISA have been fulfilled in this instance. As a result, I find that the exemption under section 36(2)(b) of FOISA was correctly applied by the University to client lists, referees and insurance details.

Section 33(1)(b) (Commercial interests and the economy)

44.The University also considered that some of the information in the tender submissions was exempt under section 33(1) of FOISA.The University considered that its disclosure would be likely to both substantially harm, and prejudice substantially, the commercial interests of those organisations that submitted a response to the ITT.From this, I understand the University to beclaiming the exemption in section 33(1)(b) of FOISA, which provides that information is exempt information if its disclosure under FOISA would, or would be likely to, prejudice substantially the commercial interests of any person (including a Scottish public authority).

45.The University stated that the information withheld under section 33(1) related to pricing structures, unique methodologies and software tools, client lists and insurance details.As I have determined that the client list and insurance details have been correctly withheld by the University under section 36(2) of FOISA, I shall not consider them any further under this exemption.

46.The University submitted that the organisations in question operated in a very competitive environment, where the release of some of the specified information would seriously damage their own competitiveness.The University went on to argue that this loss in competitiveness would also harm the position of the University, in that there would be a consequential reduction in competitiveness in organisations submitting responses to ITTs.

47.Mr Q submitted that it was clear that the tendering firms had been told that all information was liable to be disclosed in compliance with FOISA, and given that possibility it was unlikely that a tendering organisation would be sufficiently imprudent to provide information at a level of detail that, if it were to be released under FOISA, would substantially harm and/or prejudice substantially its competitive position.

48.The University responded to this line of argument in the terms set out in paragraph 32 above, pointing out in addition that all of the companies responding to an ITT would provide information distinguishing themselves from their competitors and highlighting their particular areas of expertise and experience. It was this information to which the University was applying the section 33(1) exemption to as these companies had a legitimate expectation of preserving their respective competitive advantages.

49.In withholding the information the University stated that it took into account, amongst other things, the comments and recommendations collected in a consultation exercise of the various bidders for the internal audit contract.

50.Reference was also made by the University to the Scottish Public Sector Procurement and Freedom of Information Guidance (the Procurement Guidance) (http://www.scotland.gov.uk/Resource/Doc/1265/0006892.pdf). This document provides guidance on how requests for procurement-related information under FOISA should be handled by public bodies. It was produced by the Procurement Directorate of the Scottish Government and was issued in December 2004.

51.As I have recognised in previous decisions (for example, Decision 034/2006 Mr David Smith of Pentland Homeowners Association and Dundee City Council), the release of information from tenders could in some circumstances cause substantial prejudice to commercial interests. Conversely, however, I have also recognised that the commercial sensitivity of information should decline over a period of time.Mr Q made his request for information on 13 October 2006, while the successful bidder was identified in May 2006, the contract commencing in July 2006 and the formal contract being concluded in September of that year.

52.There were four tender submissions (including the successful tender) supplied to Mr Q.These were supplied subject to the redaction of specific material.Having reviewed each of these tenders, I am satisfied that the information redacted was limited (excluding material I have already found to be exempt or no longer to form part of this investigation) to unique methodologies, software tools and pricing structures.

53.The nature of the industry in question which relies heavily upon the experience and skills of the individual.Consequently, how these resources are allocated (which is reflected in each methodology and pricing structure) is a unique feature for each bid.

54.I am equally satisfied that details of the software packages and mix of software packages used by each organisation could be determined as a unique competitive feature for each organisation.

55.Having reviewed each tender submission, I accept that the information in each of these categories was unique to each tender and that this uniqueness conferred considerable competitive advantage on the respective bidders. I am therefore satisfied that at the time the University dealt with Mr Q's request and his request for review, the disclosure of such information would have prejudiced, or would have been likely to prejudice, substantially the commercial interests of the parties that supplied the information.

56.The accounts of an unsuccessful bidder were also redacted. For the reasons set out in the immediately preceding paragraphs, I am satisfied that the University was entitled to deal with this as information the disclosure of which was likely to prejudice the relevant bidder's commercial interests, given the timing and that it reflected the accounts of a partnership and thus was not available publicly.

57.In conclusion, therefore, I am satisfied that the information referred to above relating to pricing structures, unique methodologies and software tools (and the accounts of one unsuccessful bidder) was properly considered by the University to be exempt under section 33(1)(b) of FOISA. In reaching this conclusion, I have taken into account the timing of Mr Q's request, which was made and dealt with by the University only a relatively short period after the contract commenced, with the consequence that the commercial information retained its sensitivity.

Public interest test

58.As I am satisfied that the University was correct to exempt this information under section 33(1)(b), I am now required to consider the application of the public interest test. The exemption is a qualified one, in that (under section 2(1)(b) of FOISA) information which is exempt under it can be withheld only if, in all the circumstances of the case, the public interest in disclosing it is outweighed by the public interest in maintaining the exemption.

59.Mr Q submitted that the internal audit process was an important part of the scrutiny of how the University would spend hundreds of millions of pounds worth of public money over the proposed life of the contract.Mr Q therefore submitted that there was a compelling public interest in complete transparency in relation to how this contract had been awarded and how it operated.

60.The University concluded that the public interest lay in ensuring both the continuing success and competitiveness of the organisations submitting tenders and the continuation of a competitive environment for the University when seeking responses to ITTs.

61.The University considered that the disclosure of this information would have been likely to be detrimental to the public interest and to those organisations that had submitted a response to the ITT, firstly by revealing their individual and unique competitive advantages and secondly by inhibiting commercial organisations from submitting future responses to ITTs from the University.Consequently, the University argued, the potential for withdrawal of organisations from tendering for services to the University would substantially prejudice the commercial interests of both those organisations and the University. On the other hand, the University considered any public interest in disclosure of the information to be slight.

62.Although I recognise the importance of transparency of the decision-making process, particularly where it relates to the expenditure of public funds, I have considered in detail the information supplied to Mr Q (which includes the total price submitted in each tender) and I am not satisfied that the public interest in transparency and accountability could be furthered significantly by the provision of the limited information which has been withheld.In this instance I am satisfied that the public interest in maintaining the exemption, and in particular in protecting the unique competitive advantages of these commercial organisations, outweighs that of disclosure at the time the University dealt with Mr Q's request.

63.I am therefore satisfied that the University was correct in its application of section 33(1)(b) to redact the information I have considered under this exemption.

Request 5 ? full details of evaluation scores

64.In response to request 5, the University supplied the details of the weightings for each evaluation criterion.The University also supplied a copy of the evaluation panel's matrix which detailed the total evaluation scores for each tender but redacted the specific comments from the evaluation panel under each criterion.The University redacted this information on the basis that the exemptions contained within sections 33(1)(b) and 30(c) of FOISA applied

Section 33 (1)(b) (Commercial interests and the economy)

65.The University's arguments for applying the section 33(1)(b) exemption to this information are as set out above in relation to request 3.

66.With the exception of the evaluation criterion headings, the information redacted comprises subjective comments made on the assessment of each of the tender bids.Having carefully considered the nature and the manner of expression of the comments made in this evaluation form, I am satisfied that there was potential, specifically with regard to the unsuccessful bidders, that disclosure of these comments would or would be likely to prejudice substantially the commercial interests of the bidding parties.As information released under FOISA is considered to be released into the public domain, I am satisfied that the disclosure of the comments contained within these documents might reasonably have been expected (at least at the time the University dealt with the Mr Q's request, given that the award of the contract was still relatively recent) to have a significant effect on the consideration of future bids for like work made by these parties.I am therefore satisfied that the University was correct in considering these comments to be exempt under section 33(1)(b) of FOISA.

67.However, I am not persuaded that the same arguments presented by the University apply equally to the comments relating to the winning tender bid and the matrix headings (which reflect the evaluation criteria).I am not satisfied that the comments relating to the winning tender bid, which can be presumed to be positive in nature, would or would be likely to prejudice substantially the commercial interests of the incumbent contractor. Equally, I am not persuaded that the matrix headings, which reflect the evaluation criterion, in any way relate to the commercial interests of any of the parties submitting to the tender bid. Consequently, I find that the University was incorrect in its application of section 33(1)(b) to the comments relating to the winning bid and the matrix headings.(This conclusion excludes details of the pricing structure: these are duplicated within the evaluation matrix but are considered fully in my analysis of section 33(1)(b) in relation to request 3, where I have accepted that the information was properly withheld under that exemption ).

68.As I have determined that the detailed comments made by the evaluation panel in relation to the unsuccessful bidders were properly considered exempt under section 33(1)(b), I am now required to consider the public interest test.

Public Interest test

69.The public interest arguments presented to me in relation to this information were those set out and considered above in relation to request 3.

70.In relation to the tender evaluation information on unsuccessful bidders, the Procurement Guidance states, in Annex A, that although commercially non-sensitive information could be disclosed, the public interest in favour of disclosure of sensitive information is generally weaker than that for winning bidders. The Guidance states that such information should generally be withheld under section 33 of FOISA, with the exception of non-sensitive information.

71.Although I acknowledge the public interest in accountability and transparency with regard to the expenditure of public funds, I am satisfied that the public interest has been served in this respect in providing the overall scores of the unsuccessful bids and the weighting of each criterion alongside the full details of the winning bid.

72.Due to the nature and manner of expression of the comments made in this document in respect of the unsuccessful bids, I am satisfied that the public interest in protecting the tendering process and the encouragement of competition without the threat of the premature disclosure of critical subjective comments made during that process outweighs that in disclosure.

73.In this instance, therefore, I am satisfied that the public interest in maintaining the exemption outweighs that of disclosure.I am therefore satisfied that the University was correct in its application of section 33(1)(b) to these details in respect of the unsuccessful bidders.

Section 30(c) (Prejudice to effective conduct of public affairs)

74.The University, in its submissions to my Office, also applied the exemption contained within section 30(c) of FOISA to withhold this information.

75.As I have determined that the comments made in respect of the unsuccessful bids were correctly withheld under section 33(1)(b), it is only those comments relating to the winning tender bids and the matrix headings that I will consider under this exemption.

76.Section 30(c) of FOISA exempts information if its disclosure "would otherwise prejudice substantially, or be likely to prejudice substantially, the effective conduct of public affairs". (The word "otherwise" is used here to differentiate this particular exemption from the other types of substantial prejudice ? such as substantial inhibition to the free and frank provision of advice or exchange of views ? envisaged by other parts of section 30.)The University did not supply my Office with further reasoning as to the application of this particular exemption other than the disclosure of the frank assessment of the tenders would be prejudicial to the effective conduct of public affairs.

77.Having considered the comments made in respect of the winning bid, which by virtue of the fact that it relates to a winning tender can be assumed to be of a fairly positive nature, and the content of the matrix headings, I am not satisfied that the University has sufficiently demonstrated that disclosure of this information would have prejudiced, or would have been likely to prejudice, substantially the effective conduct of public affairs.

78.I therefore find that the University was incorrect in its application of section 30 (c ) of FOISA in withholding the comments made on the evaluation forms in respect of the winning tender bid.Again, this conclusion is excluding the pricing structure details contained in the matrix, which are considered fully in my analysis of section 33(1)(b) in relation to request 3 (and which I have accepted as having been properly withheld under that exemption).

Request 8 ? all correspondence between the University and each bidder after the tender was awarded

79.The University supplied Mr Q with all correspondence between the University and bidders after the successful bidder was selected, subject to certain redactions.This correspondence can be separated into two groups; firstly correspondence with the successful bidder, which includes notification that they had been successful and correspondence relating to negotiation of the contract terms, and secondly notification provided to the unsuccessful bidders including feedback on their bids. As with the tender submissions (see paragraph 23 above), Mr Q confirmed in the course of the investigation that he was not concerned with information redacted from these documents relating to third party employees, to which section 38(1)(b) had been applied.This information will not therefore form part of my investigation.

80.For the reasons set out earlier (see under request 3 above), the University argued that the remaining redacted information was exempt under section 33(1)(b) of FOISA.

81.The correspondence with the successful bidder consists of a covering letter subject to the redaction of personal information, and correspondence relating to contract negotiation. Having reviewed this correspondence, I note that the non-personal details redacted relate to insurance and pricing structures.This corresponds with the information which I have agreed was correctly withheld by the University in their redactions of the tender submissions.I am therefore satisfied that the University was correct in its redaction of this information for the reasons set out above, in my analysis of section 33(1)(b) for the purposes of request 3.

82.The University also supplied Mr Q with the correspondence with the unsuccessful parties.This correspondence was again subject to the redaction of the feedback comments on the basis that section 33(1)(b) applied.Having reviewed these feedback comments, I am satisfied that these reflect the comments and views of the evaluation panel, as considered under request 5 above.For the same reasons as I have accepted the withholding of the relevant comments of the panel, I am satisfied that the disclosure of these feedback comments under FOISA would or would be likely to, prejudice substantially the commercial interests of the unsuccessful bidders.I am also satisfied that the public interest in maintaining the exemption outweighs that in disclosure in this instance, the same considerations applying as in relation to the panel's comments.

Request 9 ? name of the person designated as "Head of the Internal Audit Service"

Section 38 (Personal information)

83.Mr Q specifically requested the name of the person designated "Head of the Internal Audit Service" in terms of the Code of Audit Practice issued by the Scottish Higher Education Funding Council in 1999.This Code defines the Head of Internal Audit Service as the Head of Internal Audit Service of an institution or such person responsible for managing the provision of the internal audit service if contracted out.

84.The University applied section 38(1)(b) of FOISA in withholding third party personal data, namely the identities of employees of the bidding organisations.

85.In its submissions to my Office the University submitted that it did not as such have a University employee as head of internal audit, as that function had been out-sourced following the successful completion of the tender process.Mr Q was informed by the University that the Head of Internal Audit Services was a member of staff from the incumbent contractor, who reported to the University's Secretary of Court.

86.During the course of my investigation the University confirmed that it was able to name an individual who would be considered as the Head of the Internal Audit Service, namely a particular individual within the incumbent contractor.

87.As stated earlier in this decision, in his appeal to my Office Mr Q acknowledged that the personal details of third party employees could be redacted from the information supplied.However, he did not accept that it was appropriate for the University to withhold the identity of its Head of Internal Audit.Mr Q was dissatisfied that the University had not sought to distinguish between information which was about the home or family life of an individual and information where the individual was acting in an official or work capacity.

88.The exemption under section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or section 38(2)(b), is an absolute exemption and therefore is not subject to the public interest test laid down by section 2(1)(b) of FOISA.In order for a public authority to rely on this exemption it must show that the information which has been requested is personal data for the purposes of the DPA, and that release of the information would contravene any of the data protection principles laid down in the DPA.

89.In its submissions the University argued that the disclosure of this information would breach the first, sixth, seventh and eighth data protection principles, and therefore that it was exempt information under section 38(1)(b).

90.Personal data is defined in section 1(1) of the DPA as data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller (the definition is set out in full in Appendix 1).

91.The University submitted that the identity of the person designated as Head of Internal Audit Service for the University was that of an individual within a third party private organisation supplying internal audit services to the University.The Head of Internal Audit Service for the University was not an employee of the University and was not employed by a public authority.The University submitted that the third party organisation was of the view that the release of the identities of its employees in the context of their employment would impair those employees' private and professional privacy and must be considered personal data in terms of the DPA.

92.I am satisfied, given the definition contained in section 1(1) of the DPA, that the identity of the Head of Internal Audit Service is that person's personal data.

93.However, FOISA does not exempt information from release simply because it is the personal data of a third party. Personal data is exempt from release under section 38(1)(b) of FOISA (read in conjunction with section 38(2)(a)(i) or (b)) if the disclosure of the information to a member of the public otherwise than under FOISA would contravene any of the data protection principles contained in the DPA.As noted above, the University has argued that, in this case, to disclose the personal data of a third party would breach the first, sixth, seventh and eighth data protection principles of the DPA.

First principle ? Personal data shall be processed fairly and lawfully

94.The first data protection principle requires that the processing of personal data (which would include the disclosure of data in response to a request made under FOISA) must be fair and lawful and, in particular, that personal data shall not be processed unless at least one of the conditions in Schedule 2 (to the DPA) is met and, in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

95.I am satisfied in this case that the identity of the Head of Internal Audit Services does not constitute sensitive personal data and so I do not need to consider whether any of the conditions in Schedule 3 can be met. However, I do need to consider whether any of the conditions in Schedule 2 can be met. In what follows below, I will focus in turn on the questions of whether disclosure of this information would be fair, and whether any of the conditions set out in Schedule 2 of the DPA can be met in this case.

Is it fair to release the identity of the Head of Internal Audit?

96.According to guidance from the Information Commissioner, who is responsible for enforcing and regulating the DPA throughout the UK ("Freedom of Information Act Awareness Guidance No 1"), which can be viewed at: http://www.ico.gov.uk/upload/documents/library/freedom_of_information/detailed_specialist_guides/awareness_guidance%20_1_%20personal_information_v2.pdf), the assessment of fairness includes looking at whether the disclosure would cause unnecessary or unjustified distress or damage to the person whom the information is about, whether the third party would expect that his/her information might be disclosed to others and/or whether the third party would expect that his/her information would be kept private. In addition, this guidance also states that:

"Information which is about the home or family life of an individual, his or her personal finances, or consists of personal references, is likely to deserve protection. By contrast, information which is about someone acting in an official or work capacity should normally be provided on request unless there is some risk to the individual concerned."

97.The guidance goes on to indicate, however, "that these are not hard and fast rules". It states that: "while names of officials in public facing roles would normally be provided on request, it may not be fair processing to provide the name of a member of staff in a junior role. There may also be good reason not to disclose the names of those in a public facing role if there is good reason to think that disclosure of the information could put someone at risk. It may be unfair processing to disclose the full names and work locations of those who carry out a role involving a risk of harassment or abuse. It may also be relevant to think about the seniority of staff generally: the more senior a person is, the less likely it will be that to disclose information about him or her acting in an official capacity would be unfair".

98.The University submitted that the release of the identity of the Head of the Internal Audit Service would undermine the expectation of the individual that his/her personal data would not be released.The University highlighted that the individual in question, via his/her employer, has refused consent to the release. It referred to two decisions of the Information Commissioner on the equivalent section in the Freedom of Information Act 2000 (FS50110885 University of Cambridge and FS50085777 East Hampshire District Council) which, it submitted, made it clear that a key consideration in considering fairness would be whether the individual concerned had an expectation of disclosure.

99.The University submitted that the Head of Internal Audit Service, working in their role for the incumbent contractor, expected their identity to remain confidential.Their identity was not in the public domain and the University had undertaken to keep their identity anonymous.

100.Further, the University highlighted that the Scottish Funding Council, via its Code of Audit Practice, did not require the name of Head of the Internal Audit Service at a Higher Education institution to be made public when this service was provided via contract with a third party private organisation.

101.The University claimed that it had real concerns that disclosure of the individual's personal data might cause damage or distress to the data subject.It went on to provide my Office with details of the harm it believed would result from disclosure of this information. In support if its assertion that disclosure would not be fair in these circumstances, it referred to my Decision 005/2005 Mr S and Miss S and the Scottish Legal Aid Board.

102.The University also pointed out that the applicant, or any other person, could raise concerns about any issues covered by its internal audit function with a number of persons, without having recourse to any of the employees of the incumbent contractor.

103.Having looked at the conditions in Schedule 2, it appears to me that, without the consent of the data subject for their identity to be released, the only condition which could apply is condition 6. This allows information to be processed where:

"The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject."

104.In considering the legitimate interests of Mr Q and of the wider public, I accept that there is a legitimate and significant interest in allowing the public to identify an individual who has responsibility for a function central to the University's governance and which impacts heavily upon public expenditure, irrespective of whether that individual works in the public or private sector. This additional information would allow understanding of the level of seniority and experience of those responsible for this function.

105.In my view it is unreasonable for senior professional employees of private firms who are involved in providing public authorities with services such as internal audit to expect that their identities will remain outwith the public domain.This is not the delivery of a product or a relatively basic support service, but rather the ongoing provision of a highly specialised professional service that is integral to the university's governance. In the interests of transparency, it is hardly unreasonable that the identity of an individual in such a position to be known. I do not consider, therefore, that disclosure could be said to be unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

106.In such circumstances I conclude that it would be only reasonable for the data subject would have an expectation, particularly following the advent of FOISA, that their identity may be released as a result of winning and performing a public sector contract of this kind. I reach this conclusion in the knowledge that large firms of chartered accountants have traditionally carried out external audit work in the public sector, in the execution of which it will not necessarily be possible for their senior staff to operate wholly under a veil of anonymity. While I appreciate that elements of confidentiality are inherent in internal audit work, I cannot accept as a general rule that this need extend to the identity of the individual responsible for the provision of the service.

107.In addition, I am not satisfied that the University has provided sufficient evidence of any harm that might result from disclosure of the information in question. It is entirely possible that communication with the individual concerned could result from disclosure, but I have received nothing to suggest to me that this would be of a distressing nature on any reasonable interpretation of the word and in any event I think it reasonable to expect that an organisation of the size and sophistication of the incumbent contractor would have effective strategies in place to deal with any communication that became so. In all the circumstances, therefore, I cannot accept that disclosure would be unfair. The arguments presented by the University relate to fairness and in any event I can identify no reason why disclosure should be considered unlawful.

108.In reaching this conclusion I have taken into account the fact that details of the individual concerned are currently in the public domain and that there is a clear possibility, given the information currently available to the public, that assumptions could be made about this individual's involvement in the current contract or contracts of this nature.

109.I am therefore not satisfied that the disclosure of identity of the Head of Internal Audit Service would breach the first data protection principle.

Sixth principle - Personal data shall be processed in accordance with the rights of the data subjects

110.The University also stated that the disclosure of this information would contravene the sixth data protection principle.The University submitted that the release of the identity of the Head of the Internal Audit Service would not be in accordance with that individual's right to privacy in the context of their employment, expertise and experience.The University also submitted that if the data were disclosed, it would constitute processing for an unspecified purpose.

111.This information was provided to the University for the purposes of competing for and performing a public sector contract.Following the advent of FOISA, there is a legitimate expectation that the individual's identity may be released as a result of winning and performing a public sector contract of this kind.The disclosure would be limited to the individual's identity and their connection with the performance of this contract.

112.Paragraph 8 of part II of Schedule 1 of the DPA makes it clear that the sixth data protection principle relates to certain clearly defined rights. Having considered these rights, I am not satisfied, and I have not been provided with any arguments from the University, which would suggest that any of these rights would be engaged in this case. I therefore do not accept that the sixth data protection principle would be breached if disclosure were to occur, as the rights of the data subject to which this principle refers would not be infringed.

Seventh principle ? Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data

113.The University submitted that disclosure of the identity of the Head of Internal Audit Service would breach the requirement to keep such personal data secure as Mr Q, if he were to receive the information, could make the identity available more widely. In support of this assertion, it referred to an article relating to internal audit confidentiality written by the applicant in a professional journal.

114.It should be noted that each request under FOISA is considered "applicant blind" and disclosure of information under FOISA is considered to be releasing information into the public domain.

115.In the circumstances of this case, I am not satisfied that the release of the information in question would result in a breach of the seventh data protection principle.In reaching this conclusion, I have taken into account that the personal details of this person are currently already in the public domain (and think it reasonable to conclude that the data controller, i.e. the person's employer, considers the security measures in place to be adequate for this purpose). The only additional information which would enter the public domain as a consequence of Mr Q's request be would the person's identification with this particular contract, the disclosure of which I am not persuaded would require anything by way of additional security measures.

Eighth principle? Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects In relation to the processing of personal data

116.As previously highlighted, details pertaining to this individual's name, contact details and expertise are currently, and were at the time of Mr Q's request, accessible to the public at large, in a way that ensures that they are accessible outside the European Economic Area. I therefore find it difficult to accept the that the University could claim that disclosure of the information sought in Mr Q's request 9 (which would add only that the individual was performing a particular function under the internal audit contract with the University) could breach the eighth data protection principle, assuming (as I think it must be fair to conclude) that the data controller does not consider it to have been breached by disclosure to date.

117.In summary, therefore, I am not satisfied that the release of the identity of the individual who carries out the function of Head of the Internal Audit Service, could breach the data protection principles cited by the University. In conclusion, I consider that the University was incorrect in its application of section 38(1)(b) of FOISA in withholding that individual's identity from Mr Q.

Decision

I find that the University partially complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information requests made by Mr Q.

However, I also find the University incorrectly applied section 33(1)(b) to the headings from the evaluation matrix and the comments of the evaluation panel relating to the successful bid (with the exception of details of the pricing structure) and section 38(1)(b) to the identity of the Head of the Internal Audit Service. In doing so, the University failed to comply with Part 1 (and in particular section 1(1)) of FOISA.

I also find that the University was incorrect in its application of section 14(2) of FOISA in response to request 1.

I therefore require the University to supply Mr Q with copies of the headings from the evaluation matrix, the evaluation panel's comments with respect to the successful bid (subject to the redaction of details of the pricing structure) and the name of the person identified as the Head of the Internal Audit Service, all within 45 days after the date of intimation of this decision notice.

Appeal

Should either Mr Q or the University of Glasgow wish to appeal against this decision, there is an appeal to the Court of Session on a point of law only.Any such appeal must be made within 42 days after the date of intimation of this decision notice.

Kevin Dunion

Scottish Information Commissioner

31 March 2008

Appendix

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1General entitlement

(1)A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

2Effect of exemptions

(1)To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that ?

(a)the provision does not confer absolute exemption; and

(b)in all the circumstances of the case, the public interest in disclosing the information is not outweighed by that in maintaining the exemption.

(2)For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption ?

?

(c)section 36(2);

?

(e)in subsection (1) of section 38 ?

(i)paragraphs (a), (c) and (d); and

(ii)paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

12 Excessive cost of compliance

(1) Section 1(1) does not oblige a Scottish public authority to comply with a request for information if the authority estimates that the cost of complying with the request would exceed such amount as may be prescribed in regulations made by the Scottish Ministers; and different amounts may be so prescribed in relation to different cases.

(2) The regulations may provide that, in such circumstances as they may specify, where two or more requests for information are made to the authority-

(a) by one person;

(b) by different persons who appear to it to be acting in concert or whose requests appear to have been instigated wholly or mainly for a purpose other than the obtaining of the information itself; or

(c) by different persons in circumstances where the authority considers it would be reasonable to make the information available to the public at large and elects to do so,

then if the authority estimates that the total cost of complying with both (or all) of the requests exceeds the amount prescribed, in relation to complying with either (or any) of those requests, under subsection (1), section 1(1) does not oblige the authority to comply with either (or any) of those requests.

(3) The regulations may, in respect of an election made as mentioned in subsection (2)(c), make provision as to the means by which and the time within which the information is to be made available to the public at large.

(4) The regulations may make provision as to-

(a) the costs to be estimated; and

(b) the manner in which those costs are to be estimated.

(5) Before making the regulations, the Scottish Ministers are to consult the Commissioner.

(6) References in this section to the cost of complying with a request are not to be construed as including any reference to costs incurred in fulfilling any such duty under or by virtue of the Disability Discrimination Act 1995 (c.50) as is mentioned in section 11(5).

14Vexatious or repeated requests

?

(2) Where a Scottish public authority has complied with a request from a person for information, it is not obliged to comply with a subsequent request from that person which is identical or substantially similar unless there has been a reasonable period of time between the making of the request complied with and the making of the subsequent request.

33Commercial interests and the economy

(1) Information is exempt information if-

?

(b) its disclosure under this Act would, or would be likely to, prejudice substantially the commercial interests of any person (including, without prejudice to that generality, a Scottish public authority).

?

36Confidentiality

?

(2) Information is exempt information if-

(a) it was obtained by a Scottish public authority from another person (including another such authority); and

(b) its disclosure by the authority so obtaining it to the public (otherwise than under this Act) would constitute a breach of confidence actionable by that person or any other person.

38Personal information

(1) Information is exempt information if it constitutes-

?

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

?

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

?

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

?

(4)In determining for the purposes of this section whether anything done before 24th October 2007 would contravene any of the data protection principles, the exemptions in Part III of Schedule 8 to that Act are to be disregarded.

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

?

Freedom of Information (Fees for Required Disclosure) (Scotland) Regulations 2004

5Excessive cost - prescribed amount

The amount prescribed for the purposes of section 12(1) of the Act (excessive cost of compliance) is ?600.

Data Protection Act 1998

1Basic interpretative provisions

In this Act, unless the context otherwise requires ?

"personal data" means data which relate to a living individual who can be identified ?

(a)from those data, or

(b)from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

2Sensitive personal data

In this Act "sensitive personal data" means personal data consisting of information as to-

(a) the racial or ethnic origin of the data subject,

(b) his political opinions,

(c) his religious beliefs or other beliefs of a similar nature,

(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),

(e) his physical or mental health or condition,

(f) his sexual life,

(g) the commission or alleged commission by him of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Schedule 1 - The data protection principles

Part I - The principles

1.Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless ?

(a)at least one of the conditions in Schedule 2 is met, and

(b)in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

?

6.Personal data shall be processed in accordance with the rights of data subjects under this Act

7.Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

8.Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level or protection for the rights and freedoms of data subjects in relation to the processing or personal data.

Schedule 2 - Conditions relevant for purposes of the first principle: processing of any personal data

...

6(1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.