Decision 053/2017: Mr Paul Fair and the City of Glasgow Licensing Board Application for a licence Reference No: 201602152 Decision Date: 18 April 2017 Summary The Board was asked for information about the consideration of a named person's licence. The Board disclosed some information but withheld information which it considered to be personal data and exempt from disclosure. The Commissioner accepted that the withheld information was exempt from disclosure.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (4) and (6) (General entitlement); 2(1)(a) and 2(e)(ii) (Effect of exemptions); 38(1)(b), (2)(a)(i), (2)(b) and (5) (definitions of "data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA) sections 1(1) (Basic interpretative provision) (definition of personal data); Schedules 1 (The data protection principles, Part 1 - the principles) (the first data protection principle); 2 (Conditions relevant for the purposes of the first principle: processing of any personal data) (condition 6); 3 (Conditions relevant for purposes of the first principle: processing of sensitive personal data (conditions 1 and 5))

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

 Background

1. On 21 July 2016, Mr Fair made a request for information to the City of Glasgow Licensing Board (the Board). The information requested was all correspondence, minutes, agendas and papers/reports connected with the Board's consideration of a named person's application for a Personal Licence.

2. This request was first considered in Decision 251/2016: Mr Paul Fair and Glasgow City Licensing Board[1], issued on 22 November 2016. In that decision, the Commissioner found that the Board had failed to respond to the request and requirement for review within the required timescales.

3. The Board provided Mr Fair with its response to his request for review on 14 November 2016. It provided some information but found that most of the information covered by his request was exempt from disclosure.

4. On 23 November 2016, Mr Fair applied to the Commissioner for a decision in terms of section 47(1) of FOISA. Mr Fair considered the Board's response to his request for review was unsatisfactory. He provided detailed reasons why he considered the withheld information should be disclosed.

Investigation

5. The application was accepted as valid. The Commissioner confirmed that Mr Fair made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to her for a decision.

6. On 22 December 2016, the Board was notified in writing that Mr Fair had made a valid application. The Board was asked to send the Commissioner the information withheld from him. The Board provided the information and the case was allocated to an investigating officer.

7. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Board was invited to comment on this application and answer specific questions including justifying its reliance on any provisions of FOISA it considered applicable to the information requested.

8. During the investigation, the Board was asked to clarify aspects of its submissions, and provided further comment. Mr Fair was invited to comment on his legitimate interest in obtaining the withheld personal data.

9. During the investigation, Mr Fair confirmed that the Board's response to his request for the agenda and minutes of a meeting could be excluded from the Commissioner's decision.

Commissioner's analysis and findings

10. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to her by both Mr Fair and the Board. She is satisfied that no matter of relevance has been overlooked.

Section 38(1)(b) of FOISA

11. The Board withheld information in four documents under section 38(1)(b) of FOISA.

· Two of the documents were withheld in their entirety under section 38(1)(b) of FOISA. These documents were a form completed by the named individual and a letter from another organisation about the named individual.

· The information withheld in the other two documents was the home address of the named individual and related reference numbers.

12. Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or, as appropriate, section 38(2)(b), exempts information from disclosure if it is "personal data" (as defined in section 1(1) of the DPA) and its disclosure would contravene one or more of the data protection principles set out in Schedule 1 to the DPA.

13. The exemption in section 38(1)(b) of FOISA is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

14. In order to rely on this exemption, the Board must show that the information being withheld is personal data for the purposes of the DPA and that its disclosure into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles to be found in Schedule 1 to the DPA. The Board considered disclosure of the information would breach the first data protection principle.

Is the withheld information personal data?

15. "Personal data" are defined in section 1(1) of the DPA as "data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller" (the full definition is set out in Appendix 1).

16. The Board submitted that the withheld information is the personal data of the individual named by Mr Fair in his request. The Board listed the information and submitted that it could be used to identify the named individual.

17. Having considered the submissions received from the Board and the withheld information, the Commissioner is satisfied that a living individual can be identified from the information, on its own or together with other information likely to be accessible to Mr Fair (and others). The withheld information clearly relates to a living individual. Consequently, the Commissioner accepts that the information is personal data, as defined by section 1(1) of the DPA.

Is the information under consideration sensitive personal data?

18. The Board submitted that some of the withheld information constituted sensitive personal data. The Board provided details as to why it considered this information to be sensitive and referred to the definition of sensitive personal data within section 2 of the DPA.

19. In this case, the Commissioner is satisfied that some of the withheld information comprises sensitive personal data for the purposes of section 2 of the DPA. The Commissioner is unable to confirm the specific type or types of sensitive personal data which form part of the withheld information as to do so could risk revealing the data itself.

20. The Commissioner will now consider whether disclosure of the personal data would breach the first data protection principle, as the Board has argued.

Would disclosure of the personal data contravene the first data protection principle?

21. The first data protection principle states that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met. In the case of sensitive personal data, at least one of the conditions in Schedule 3 to the DPA must also be met. The processing in this case would comprise making the information publicly available in response to Mr Fair's request.

22. There are three separate aspects to the first data protection principle:

· fairness

· lawfulness and

· the conditions in the schedules.

23. These three aspects are interlinked. For example, if there is a specific condition which permits the personal data to be disclosed, it is likely that disclosure would also be fair and lawful.

Sensitive personal data

24. The Commissioner will first consider whether there are any conditions in Schedule 3 to the DPA which would allow the sensitive personal data to be disclosed.

25. The conditions listed in Schedule 3 to the DPA have been considered by the Commissioner, as they have additional conditions for processing sensitive personal data contained in legislation such as the Data Protection (Processing of Sensitive Personal Data) Order 2000.

26. The Commissioner's guidance on section 38(1)(b)[2] notes that the conditions in Schedule 3 are very restrictive in nature and that, generally, only the first and fifth conditions are likely to be relevant when considering a request for sensitive personal data under FOISA.

27. Condition 1 of Schedule 3 allows sensitive personal data to be processed where the data subject has given explicit consent to the processing.

28. In this case, the Commissioner is unaware of any explicit consent having been provided. Accordingly, the Commissioner has concluded that condition 1 of Schedule 3 cannot be met.

29. Condition 5 of Schedule 3 allows sensitive personal data to be processed where information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.

30. In this case, the Commissioner is not aware of any steps having been taken deliberately in order to make the specific information public. Therefore, condition 5 cannot apply.

31. Having reached these conclusions, and also having concluded that no other condition in Schedule 3 (or any other legislation) applies in the circumstances of this case, the Commissioner finds that there are no conditions which would allow the sensitive personal data to be disclosed.

32. In the absence of a condition in Schedule 3 permitting the sensitive personal data to be disclosed, the Commissioner must find that disclosure would be unfair. In the absence of such a condition, disclosure would also be unlawful. Consequently, disclosure of the sensitive personal data would contravene the first data protection principle. It is therefore exempt from disclosure under section 38(1)(b) of FOISA.

Non-sensitive personal data

33. The Commissioner will now consider whether there are any conditions in Schedule 2 to the DPA which would permit the non-sensitive personal data to be disclosed. If a Schedule 2 condition can be met, she will go on to consider whether disclosure of the personal data would otherwise be fair and lawful.

34. When considering the conditions in Schedule 2, the Commissioner has noted Lord Hope's comment in the case of Common Services Agency v Scottish Information Commissioner [2008] UKHL 47[3] (the CSA case), that the conditions require careful treatment in the context of a request for information under FOISA, given that they were not designed to facilitate the release of information, but rather to protect personal data from being processed in a way that might prejudice the rights, freedoms or legitimate interests of the data subject (i.e. the person or persons to whom the data relate).

35. Condition 1 of Schedule 2 allows personal data to be processed where the data subject has consented to the processing. The Board did not consider it reasonable to seek consent from the named individual to disclose their personal data into the public domain. In the circumstances, the Commissioner agrees that seeking the named person's consent would not have been appropriate.

36. It appears to the Commissioner that condition 6 in Schedule 2 is the only one which might permit disclosure of the personal data to Mr Fair.

37. Condition 6 of Schedule 2 allows personal data to be processed if that processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

38. There are a number of different tests which must be satisfied before condition 6 can be met. These are:

· Is Mr Fair pursuing a legitimate interest or interests?

· If yes, is the processing involved necessary for the purposes of those interests? In other words, is the processing proportionate as a means and fairly balanced as to ends, or could these interests be achieved by means which interfere less with the privacy of the data subject?

· Even if the processing is necessary for Mr Fair's legitimate interests, is that processing nevertheless unwarranted in this case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject?

39. There is no presumption in favour of disclosure of personal data under the general obligation laid down by section 1(1) of FOISA. The legitimate interests of Mr Fair must outweigh the rights and freedoms or legitimate interests of the data subjects before condition 6 will permit the personal data to be disclosed. If the two are evenly balanced, the Commissioner must find that the Council was correct to refuse to disclose the personal data to Mr Fair.

Does Mr Fair have a legitimate interest in obtaining the personal data?

40. There is no definition in the DPA of what constitutes a "legitimate interest." The Commissioner takes the view that the term indicates that matters in which an individual properly has an interest should be distinguished from matters about which he or she is simply inquisitive. The Commissioner's guidance on section 38 of FOISA[4] states:

In some cases, the legitimate interest might be personal to the applicant - e.g. he or she might want the information in order to bring legal proceedings. With most requests, however, there are likely to be wider legitimate interests, such as the scrutiny of the actions of public bodies or public safety.

41. Most of the reasons Mr Fair gave for requiring the personal data relate to his view that there is a public interest in disclosing information which would explain the delay in processing "a legitimate Personal Licence application".

42. In his correspondence with the Board, Mr Fair explained that he also required the information for his own professional development. He noted that, across Scotland, in many areas of Council regulatory practice, there are groups who regularly share "best practice" using real examples of things that are done well and things that are done badly, without redaction.

43. The Board did not accept that Mr Fair had a legitimate interest in the personal data. It made the following points:

· There is no provision of the Licensing (Scotland) Act 2005 (the 2005 Act) that facilitates the transfer of personal data to a Licensing Standards Officer for their own "personal development".

· The Board only provides personal data to Licensing Standards Officers within Glasgow City Council where it considers there is a statutory basis under the 2005 Act to do so.

· As a "Data Controller", the Board will routinely provide personal data to third parties under the provisions of parts 29, 31 and 35 of the DPA, but in this case the tests were not met.

· Prior to submitting his FOI request, Mr Fair was in dialogue directly with the named person. The Board considered that the named person would have disclosed their personal data to Mr Fair if they considered it was appropriate.

· The Board considers that personal data should not be shared between local authorities (or even between departments of the same local authority) unless there is a specific statutory mechanism to allow the data to be shared or the processing can be justified in terms of the DPA. Mr Fair appeared to be expressing a view on behalf of his Authority that because he is a Council Officer he is entitled to receive personal data to assist in his own "personal development". The Board did not agree with this position.

44. The Commissioner notes the points made by both parties. She is satisfied that Mr Fair has a legitimate interest in obtaining the withheld personal data. Disclosure of the withheld information would assist Mr Fair in understanding the actions taken by the Board in processing this particular licence, particularly in relation to the reasons for length of time taken. This information may advance his own professional development as well as permitting scrutiny of the actions of a public authority.

Is disclosure necessary to achieve those legitimate interests?

45. Having concluded that Mr Fair has a legitimate interest in obtaining the withheld personal data, the Commissioner must now consider whether disclosure of the personal data is necessary to achieve those legitimate aims. In doing so, she must consider whether these interests might reasonably be met by any alternative means, interfering less with the privacy of the individual concerned.

46. The Commissioner has considered in detail the withheld information and the submissions provided by the Board, which included a copy of the full minutes of the meeting in question, the procedures for considering a licence and details of how the Board corresponds with other organisations about licence applications. This information has assisted the Commissioner in reaching her decision.

47. The Commissioner notes that at the same meeting in which the named person's application was considered, an application from another individual was also "continued". Mr Fair did not make enquiries as to why this application was continued. If the purpose of Mr Fair's request was to assist in his professional development, it is not clear why he would ask for the personal data relating to one continued application and not another.

48. Having considered all relevant submissions, the Commissioner does not accept that disclosure of the personal data Mr Fair has requested is necessary to meet his legitimate interests. Mr Fair has not explained in any detail why it is required for his professional development. The Commissioner considers that Mr Fair's professional development could be advanced in ways which do not require the disclosure of personal data. .

49. The Commissioner also considered whether disclosure is necessary to meet the legitimate interest in understanding the Board's decision and scrutinising its actions. The Commissioner is satisfied that disclosure of the non-sensitive personal data in this case in not required for this purpose. For the most part, it would reveal little about the processes and procedures followed by the Board or the reasons for delay in the case in question. Some information about the approach which the Board takes to the licensing process is available online[5].

50. Having decided that disclosure of the information requested by Mr Fair is not necessary to achieve his legitimate interests, the Commissioner does not consider it necessary to decide whether disclosure would cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subject. As disclosure is not necessary in the circumstances, she must conclude that condition 6 in Schedule 2 of the DPA cannot be met and, for the same reasons, that disclosure would not be fair. In the absence of a condition permitting disclosure, it would also be unlawful.

51. In all the circumstances, therefore, the Commissioner has concluded that disclosure of the withheld personal data would contravene the first data protection principle. Consequently, she is satisfied that this information was properly withheld by the Board under section 38(1)(b) of FOISA.

Decision The Commissioner finds that the City of Glasgow Licensing Board complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by Mr Fair.

Appeal

Should either Mr Fair or the Board wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement

18 April 2017

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

…

(4) The information to be given by the authority is that held by it at the time the request is received, except that, subject to subsection (5), any amendment or deletion which would have been made, regardless of the receipt of the request, between that time and the time it gives the information may be made before the information is given.

…

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

…

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

…

(e) in subsection (1) of section 38 -

…

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

…

38 Personal information

(1) Information is exempt information if it constitutes-

…

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

…

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

…

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

…

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

…

Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

…

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

…

2 Sensitive personal data

In this Act "sensitive personal data" means personal data consisting of information as to-

(a) the racial or ethnic origin of the data subject,

(b) his political opinions,

(c) his religious beliefs or other beliefs of a similar nature,

(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),

(e) his physical or mental health or condition,

(f) his sexual life,

(g) the commission or alleged commission by him of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Schedule 1 - The data protection principles

Part I - The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

…

Schedule 2 - Conditions relevant for purposes of the first principle: processing of any personal data

...

6. (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

…

Schedule 3 - Conditions relevant for purposes of the first principle: processing of sensitive personal data

1. The data subject has given his explicit consent to the processing of the personal data.

…

5. The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.

---