Decision 054/2019: Investigation of whistleblowing allegation

Public authority: University of Glasgow
Case Ref: 201801972

Summary

The University was asked for all communications relating to a whistle blower's complaint of financial irregularities and the subsequent investigation by the University. The University disclosed some information, withheld other information, and - for part of the request - said it held no information.

The Commissioner investigated and found that the University had complied with FOISA in responding to the request. The University was correct to state that it held no information for part of the request, and to withhold information which was personal data.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (4) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 17(1) (Notice that information is not held); 38(1)(b), (2A), (5) (definitions of "the data protection principles", "data subject", "the GDPR", "personal data" and "processing") and (5A) (Personal information)

Data Protection Act 2018 (the DPA 2018) section 3(2), (3), (4)(d), (5) and (10) (Terms relating to the processing of personal data)

General Data Protection Regulation (the GDPR) Articles 5(1)(a) (Principles relating to processing of personal data); 6(1)(a) and (f) (Lawfulness of processing)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 13 August 2018, Mr D made a request for information to the University of Glasgow (the University). In March 2018, he had reported financial irregularities relating to two accounts. He requested all communications relating to this "whistle blower" disclosure and the subsequent investigation.

2. On 14 August 2018, the University acknowledged receipt of Mr D's request.

3. Having not received a response, on 11 September 2018 Mr D wrote to the University to ask when it would respond. The University apologised for the delay. Mr D wrote on 21 September 2018, again asking when it would respond.

4. The University responded on 19 October 2018. It disclosed information to Mr D, but withheld information that could identify individuals external to, or no longer employed by, the University, and personal details of staff members. The University believed release of the information would breach the data protection principles. It also withheld documents with banking details and names of third party companies, stating that disclosure would be likely to prejudice substantially the commercial interests of the University. It apologised for the delay in responding and explained that it had consulted a third party about one document and was awaiting a response.

5. On 19 October 2018, Mr D wrote to the University requesting a review of its decision on the basis that the University had unreasonably withheld minutes or notes of meetings held between a named staff member and four other named persons. Mr D said that the information disclosed showed that additional information was held by the University.

6. The University notified Mr D of the outcome of its review on 16 November 2018. The University said it did not hold information on meetings with two of the named persons, but it did hold information on meetings involving the other two persons. It continued to withhold that information under section 38(1)(b) of FOISA (Personal information). In relation to a report, the University explained that it was seeking agreement of a third party, and more information would soon be disclosed to Mr D.

7. On 16 November 2018, Mr D applied to the Commissioner for a decision in terms of section 47(1) of FOISA. Mr D was dissatisfied with the outcome of the University's review, believing that information had been withheld because it would be "damaging to the University in an upcoming tribunal case." He said that the University had already released information which suggested that it held more information.

Investigation

8. The application was accepted as valid. The Commissioner confirmed that Mr D made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

9. On 14 December 2018, the University was notified in writing that Mr D had made a valid application. The University was asked to send the Commissioner the information withheld from Mr D. On 28 January 2019, the University provided the information and the case was allocated to an investigating officer.

10. On 21 December 2018, the University disclosed more information to Mr D, but, as before, withheld some information such as banking details and names of third party companies, arguing that disclosure would be likely to prejudice substantially the commercial interests of the University. It also withheld information under section 38(1)(b), arguing that disclosure would breach the data protection principles.

11. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The University was invited to comment on this application and to answer specific questions relating to the exemptions it was relying on. The University provided submissions to the Commissioner on 28 February 2019.

12. Mr D was invited by the Commissioner (12 March 2019) to provide any comments or submissions he wished, but has chosen not to do so.

Commissioner's analysis and findings

13. In coming to a decision on this matter, the Commissioner considered all the withheld information and the relevant submissions, or parts of submissions, made to him by both Mr D and the University. He is satisfied that no matter of relevance has been overlooked.

Scope of the Commissioner's investigation

14. The main focus of the Commissioner's investigation is whether the University was entitled to withhold information under the exemption for personal data (section 38(1)(b) of FOISA). The University withheld a number of emails and meeting minutes under this exemption.

15. The Commissioner has also investigated whether the University successfully identified all information covered by Mr D's request, particularly in relation to notes of meetings.

Section 17(1) - Notice that information is not held

16. In terms of section 1(4) of FOISA, the information to be provided in response to a request under section 1(1) is that falling within the scope of the request and held by the authority at the time the request is received. This is subject to qualifications, but these are not applicable here. If no such information is held by the authority, section 17(1) of FOISA requires the authority to give the applicant notice in writing to that effect.

17. The University confirmed it wished to rely on section 17(1) of FOISA in relation to the request for information on meetings involving two named persons, as it did not hold any relevant information. The University was asked to explain how it had established this. It explained that it had confirmed that no meetings took place with two of the named persons in relation to the investigation after making enquiries to the person who had investigated the reported financial irregularities and to the then Deputy Director of Human Resources.

18. The standard of proof to determine whether a Scottish public authority holds information is the civil standard of the balance of probabilities. In determining this, the Commissioner will consider the scope, quality, thoroughness and results of the searches carried out by the public authority. He will also consider, where appropriate, any reason offered by the public authority to explain why the information is not held.

19. The Commissioner accepts that the University has provided sufficient evidence to show that it does not hold information relating to meetings with two of the named persons. The University has consulted staff with experience of the subject and who were likely to have been involved, if meetings had taken place, reducing the likelihood of relevant information being overlooked. The University evidenced this consultation to the Commissioner. Also, any information falling within the request would likely be easily identifiable or locatable by being part of a specific investigation. The searches which the University carried out when it first responded to Mr D successfully located information which fell within his request and were clearly capable of locating and retrieving relevant information, if held.

20. From the circumstances of this case, and the submissions and responses received from the University, the Commissioner is satisfied, on the balance of probabilities, that the University does not hold the recorded information which Mr D requested in relation to meetings with two named persons.

Section 38(1)(b) - Personal information

21. Section 38(1)(b), read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is "personal data" and its disclosure would contravene any of the data protection principles in the GDPR or in the DPA 2018.

22. The University submitted that disclosure would breach the first data protection principle, which requires the processing of personal data to be lawful and fair (Article 5(1)(a) of the GDPR).

Is the information personal data?

23. "Personal data" is defined in section 3(2) of the DPA 2018 as "any information relating to an identified or identifiable living individual". Section 3(3) of the DPA 2018 defines "identifiable living individual" as "a living individual who can be identified, directly or indirectly, in particular by reference to -

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual."

24. Information will "relate to" a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them, or has them as its main focus.

25. The information withheld under section 38(1)(b) relates to minutes of meetings which took place under the University's disciplinary procedures. These minutes contain information that identifies the data subjects by name, and contextual information that - even with redaction of the names - would still allow identification of the data subjects. The University submitted that disclosure would immediately identify, both directly and indirectly, the individuals that were being interviewed, and that the information therefore constituted their personal data.

26. The Commissioner accepts that the information is personal data: it relates to identifiable living individuals. Given the subject matter of the request, which names individuals and makes clear their connection to the University, the withheld information would clearly relate to identifiable individuals. The Commissioner therefore accepts that the information is personal data as defined in section 3(2) of the DPA 2018.

Would disclosure contravene one of the data protection principles?

27. Article 5(1)(a) of the GDPR requires personal data to be processed "lawfully, fairly and in a transparent manner in relation to the data subject." The definition of "processing" is wide and includes (section 3(4)(d) of the DPA 2018) "disclosure by transmission, dissemination or otherwise making available". In the case of FOISA, personal data are processed when disclosed in response to a request. Personal data can only be disclosed if disclosure would be both lawful (i.e. if it would meet one of the conditions of lawful processing listed in Article 6(1) of the GDPR) and fair.

28. The University believed that to disclose the information would contravene the first and second data protection principles.

Lawful processing: Articles 6(1)(a) and (f) of the GDPR

29. Among other questions, therefore, the Commissioner must consider if disclosure of the personal data would be lawful. In considering lawfulness, he must consider whether any of the conditions in Article 6 of the GDPR would allow the personal data to be disclosed. The University took the view that no conditions in Article 6 apply in the circumstances of this case. The Commissioner considers conditions (a) and (f) of Article 6(1) of the GDPR to be the only conditions which could possibly apply in this case.

Condition (a): consent

30. Condition (a) would allow the University to disclose personal data if a data subject has consented to the processing of his or her personal data for one or more specific purposes. "Consent" is defined in Article 4 of the GDPR as -

"… any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."

31. The University approached both data subjects about consent to the disclosure of the requested information and both refused to consent. The Commissioner is satisfied that condition (a) does not apply to the information.

Condition (f): legitimate interests

32. In the Commissioner's view, condition (f) in Article 6(1) could apply. This condition is that processing shall be lawful if it is "necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."

33. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.

34. The University said that, in terms of the first data protection principle, the data subjects would not expect information relating to a confidential and sensitive matter such as being subject to disciplinary procedures ever to be disclosed to a third party. Those involved in such matters would legitimately expect privacy and confidentiality. To disclose the requested information would, therefore, be contrary to the fairness and transparency element of the first data protection principle. In addition, the University did not believe that there was any lawful basis that would permit the disclosure of such information. The University therefore believed that to disclose the requested information would be unfair, unlawful and lacking in transparency - and thus in contravention of the first data protection principle.

35. The University also said that as the information was processed for specific, explicit and legitimate purposes, disclosure in response to Mr D's request would constitute additional processing and be contrary to the purpose limitation requirement of the second data protection principle.

36. The tests which must be met before Article 6(1)(f) can be met are as follows:

(a) Would Mr D have a legitimate interest in obtaining the personal data if held?

(b) If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?

(c) Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subject/s?

37. The University submitted that Mr D does not have a legitimate interest in disclosure of the personal data. The information relates to the actions and conduct of the data subjects and adherence to University policy and procedure. Mr D made a complaint concerning financial irregularities and any legitimate interest he may have was in ensuring that his complaint was fully investigated by the University. The University said it had investigated his complaint and made a finding in relation to the allegations raised by him.

38. However, the Commissioner believes that Mr D does have a legitimate interest in disclosure of the personal data. Mr D made a complaint which resulted in an investigation by the University. He now seeks detailed information about meetings that took place as a result of his complaint. He has an interest in the investigation of concerns which he raised. The information he requested would allow him to assess how his complaint was investigated by the University. Although the University is correct that Mr D has an interest in the investigation's finding, that does not mean he has no interest in other aspects of the investigation.

39. The Commissioner also accepts that there is a wider public interest in the scrutiny of the University's investigation of a complaint relating to alleged financial irregularities. Scrutiny of Scottish public authorities, including their financial standards and how they investigate complaints, is an important facet of FOISA.

Is disclosure of the personal data necessary?

40. Having accepted that Mr D has a legitimate interest in the personal data, the Commissioner must consider whether disclosure of the personal data is necessary for Mr D's legitimate interests. In doing so, he must consider whether these interests might reasonably be met by any alternative means. As the University did not consider Mr D had a legitimate interest in the withheld information, it follows that its view would be that disclosure of the personal data is not necessary.

41. The Commissioner has considered this carefully in the light of the decision by the Supreme Court in South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55[1]. In this case, the Supreme Court stated (at paragraph 27):

"… A measure which interferes with a right protected by Community law must be the least restrictive for the achievement of a legitimate aim. Indeed, in ordinary language we would understand that a measure would not be necessary if the legitimate aim could be achieved by something less."

42. "Necessary" means "reasonably" rather than "absolutely" or "strictly" necessary. When considering whether disclosure would be necessary, public authorities should consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the requester's legitimate interests can be met by means which interfere less with the privacy of the data subject.

43. Based upon the facts of this case, the Commissioner accepts that disclosure of the personal data is necessary to achieve Mr D's legitimate interests. Mr D can, to an extent, assess the University's findings and conclusions on the investigation and the investigative process it followed. He has already received information from the University, some under FOISA, some under the DPA, which will take him some way towards this.

44. However, the Commissioner can identify no viable means of meeting Mr D's legitimate interests which would interfere less with the privacy of the data subject(s) than providing the withheld information. In all the circumstances, and for the reasons recounted above, the Commissioner is satisfied that disclosure of the information is necessary for the purposes of Mr D's legitimate interests.

The data subjects' interests or fundamental rights and freedoms

45. It is necessary to balance the legitimate interests in disclosure against the data subjects' interests or fundamental rights and freedoms. In doing so, it is necessary to consider the impact of disclosure. For example, if the data subject(s) would not reasonably expect that the information would be disclosed to the public under FOISA in response to the request, or if such disclosure would cause unjustified harm, their interests or rights are likely to override legitimate interests in disclosure. Only if the legitimate interests of Mr D outweigh those of the data subject(s) can the information be disclosed without breaching the first data protection principle.

46. The University argued that the interests, fundamental rights and freedoms of the data subjects outweighed any other interest.

47. The Commissioner's guidance[2] on section 38 of FOISA notes factors that should be taken into account in balancing the interests of parties. These factors include:

(i) whether the information relates to the individual's public life (i.e. their work as a public official or employee) or their private life (i.e. their home, family, social life or finances)

(ii) the potential harm or distress that may be caused by the disclosure

(iii) whether the individual objected to the disclosure

(iv) the reasonable expectations of the individual as to whether the information should be disclosed.

48. Disclosure under FOISA is a public disclosure. The University is correct to submit that the information, relating to a disciplinary procedure, is information which a person would not expect to be put in the public domain, particularly in view of the attendant implications this could have for the individual. The Commissioner agrees that the information is of a type a person would generally expect to be kept confidential.

49. The Commissioner has also considered the harm or distress that may be caused by disclosure. He has taken into account that, in this case, disclosure of the information would link an individual to a complaint and a disciplinary procedure and an allegation of financial irregularity. At the most general level, disclosing or even alleging a failure to adhere to a financial procedure is likely to cause some reputational damage to a person, and to have an impact on public perception of that person, unless there are mitigating circumstances (which may be private) that are also made known.

50. The Commissioner acknowledges that the withheld information relates to the individuals' public lives (as employees of the University) rather than to private life and that must be considered too, adding some weight towards disclosure. However, that must be balanced against the objection of each data subject to disclosure of their own personal data.

51. The Commissioner has attributed weight to Mr D's legitimate interest. He is trying to assess how the University investigated his complaint and came to its finding. The Commissioner accepts that Mr D's interests in accessing such information deserve recognition and weight in the balancing exercise. Still, the University is correct to point out that it has provided other information about the investigation to him; also, Mr D is in a different position from other members of the public as he is aware of the identities of those involved.

52. In reaching his decision, the Commissioner has considered whether, in relation to each individual, disclosure of any or all of the information would breach the data protection principles. He has therefore considered each data subject separately, though the decision notice does not refer to each separately. After carefully balancing the legitimate interests of each data subject against those of Mr D, the Commissioner finds that the legitimate interests served by disclosure of the withheld personal data are outweighed by the unwarranted prejudice that would result to the rights and freedoms or legitimate interests of the individuals in question in this case. In the circumstances of this particular case, the Commissioner concludes that condition (f) in Article 6(1) of the GDPR cannot be met in relation to the withheld personal data.

Fairness

53. Given that the Commissioner has concluded that the processing of the personal data, if held, would be unlawful, he is not required to go on to consider separately whether disclosure of such personal data would otherwise be fair and transparent in relation to the data subject.

Conclusion on the data protection principles

54. For the reasons set out above, the Commissioner is satisfied that disclosure of the personal data would breach the data protection principle in Article 5(1)(a) of the GDPR. Consequently, he is satisfied that the personal data are exempt from disclosure under section 38(1)(b) of FOISA.

Decision

The Commissioner finds that, in respect of the matters specified in the application, the University of Glasgow complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by Mr D.

Appeal

Should either Mr D or the University wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement
5 April 2019

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(4) The information to be given by the authority is that held by it at the time the request is received, except that, subject to subsection (5), any amendment or deletion which would have been made, regardless of the receipt of the request, between that time and the time it gives the information may be made before the information is given.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

17 Notice that information is not held

(1) Where-

(a) a Scottish public authority receives a request which would require it either-

(i) to comply with section 1(1); or

(ii) to determine any question arising by virtue of paragraph (a) or (b) of section 2(1),

if it held the information to which the request relates; but

(b) the authority does not hold that information,

it must, within the time allowed by or by virtue of section 10 for complying with the request, give the applicant notice in writing that it does not hold it.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A));

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

….

(5) In this section-

"the data protection principles" means the principles set out in -

(a) Article 5(1) of the GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

"the GDPR", "personal data", "processing" and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4), (10), (11) and (14) of that Act);

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

Data Protection Act 2018

3 Terms relating to the processing of personal data

(2) "Personal data" means any information relating to an identified or identifiable living individual (subject to section 14(c)).

(3) "Identifiable living individual" means a living individual who can be identified, directly or indirectly, in particular by reference to -

(a) an identifier, such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

(4) "Processing", in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as -

(d) disclosure by transmission, dissemination or otherwise making available,

(5) "Data subject" means the identified or identifiable living individual to whom personal data relates.

(10) "The GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

General Data Protection Regulation

Article 5 Principles relating to processing of personal data

1 Personal data shall be:

a. processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency")

Article 6 Lawfulness of processing

1 Processing shall be lawful only if and to the extent that at least one of the following applies:

a. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.


[1] http://www.bailii.org/uk/cases/UKSC/2013/55.html

[2] http://www.itspublicknowledge.info/Law/FOISA-EIRsGuidance/section38/Section38.aspx