Decision 057/2020: Correspondence from Environmental Health Department

Public authority: Inverclyde Council
Case Ref: 201902125

Summary

The Council was asked for copies of correspondence sent by its Environmental Health Department to a named individual relating to a particular address.

The Council provided the Applicant with relevant information from the correspondence but withheld the correspondence itself on the basis that it was personal data and had been sent in confidence.

The Commissioner investigated and found that the Council had complied with the EIRs in responding to the request and had correctly withheld personal data.

Relevant statutory provisions

The Environmental Information (Scotland) Regulations 2004 (the EIRs) regulations 2(1) (definitions of "the data protection principles", "data subject", "the GDPR" and "personal data" and paragraphs (a), (b), (c) and (f) of definition of "environmental information") and (3A) (interpretation); 11(2)(a), (3A)(a) and (7) (Personal data)

General Data Protection Regulation (the GDPR) articles 5(1)(a) (Principles relating to processing of personal data); 6(1)(f) (Lawfulness of processing)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5) and (10) (Terms relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 30 August 2019, the Applicant made a request for information to Inverclyde Council (the Council). The information requested copies of all correspondence sent by the Council's Environmental Health Department to a named individual in respect of disrepair at a particular address.

2. The Council responded on 20 September 2019, providing the Applicant with the date a letter was sent, and relevant information about disrepair found at the property, from a letter sent to the named individual concerning the named property. The Council withheld a copy of the letter itself, with the remaining content, as it considered the letter was sent in confidence to a third party.

3. On 24 September 2019, the Applicant wrote to the Council, requesting a review of its decision on the basis that there had been no reference made to any exemptions "in the relevant FOI legislation" in the Council's refusal notice.

4. The Council notified the Applicant of the outcome of its review on 21 October 2019. It noted that the request was processed under the EIRs, as opposed to under the Freedom of Information (Scotland) Act 2002 (FOISA). The Council acknowledged and apologised for failing to provide details of the review procedure and the exception that was being applied to withhold the requested information. The Council upheld its original decision to withhold the information, applying regulation 11(2) of the EIRs.

5. On 24 October 2019, the Applicant wrote to the Council, acknowledging the request concerned some personal data but questioning the withholding of the entire document and asking the Council to reconsider its position. The Applicant referred to a previous decision of the Commissioner Decision 129/2007 MacRoberts Solicitors and Aberdeenshire Council. [1] In that decision the Commissioner found that only names and addresses could be redacted from the statutory notices that had been requested.

6. On 15 November 2019, the Council responded, reiterating its position that disclosure of the third party data into the public domain would breach data protection principles and drawing the Applicant's attention to the right to appeal to the Commissioner. A heavily redacted copy of the information was provided to the Applicant.

7. On 19 November 2019, the Applicant wrote to the Commissioner. The Applicant applied to the Commissioner for a decision in terms of section 47(1) of FOISA. By virtue of regulation 17 of the EIRs, Part 4 of FOISA applies to the enforcement of the EIRs as it applies to the enforcement of FOISA, subject to specified modifications. The Applicant stated it was dissatisfied with the outcome of the Council's review because the degree of redaction appeared unjustified, given Decision 129/2007. It believed the information should be provided to him with only the name and address of the recipient redacted.

Investigation

8. The application was accepted as valid. The Commissioner confirmed that the Applicant made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

9. On 21 November 2019, the Council was notified in writing that the Applicant had made a valid application. The Council was asked to send the Commissioner the information withheld from the Applicant. The Council provided the information and the case was allocated to an investigating officer.

10. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Council was invited to comment on this application, focusing on its application of exception in regulation 11(2) of the EIRs to the requested information.

11. The Council provided submissions in response. The Applicant also provided submissions, outlining why he considered this exception did not apply to the information requested.

Commissioner's analysis and findings

12. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both the Applicant and the Council. He is satisfied that no matter of relevance has been overlooked.

Application of the EIRs

13. The Commissioner is satisfied that any information falling within the scope of the request is properly considered to be environmental information, as defined in regulation 2(1) of the EIRs (paragraphs (a), (b), (c) and (f) are reproduced in Appendix 1 to this decision). The Applicant made no comment on the Council's application of the EIRs in this case and the Commissioner will consider the request in what follows solely in terms of the EIRs.

Regulation 11(2) of the EIRs - personal data

14. The Council considered that the information withheld was the personal data of the individual it had been in correspondence with. As such, the information was considered excepted from disclosure under regulation 11(2) of the EIRs.

15. Regulation 10(3) of the EIRs provides that a Scottish public authority can only make personal data in environmental information available in accordance with regulation 11. Regulation 11(2) provides that personal data shall not be made available where the applicant is not the data subject and other specified conditions apply. These include where disclosure would contravene any of the data protection principles in the GDPR or in the DPA 2018 (regulation 11(3)(A)(a)).

16. The Council submitted that disclosure would breach the data protection principle in Article 5(1)(a) of the GDPR.

Is the withheld information personal data?

17. Personal data are defined in section 3(2) of the DPA 2018 which, read with section 3(3), incorporates the definition of personal data in Article 4(1) of the GDPR:

"… any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"

18. The Council's view was that, as the withheld information consisted of a name, address and information relating to an individual, the information was personal data in line with section 3 of the DPA 2018.

19. Having considered the information being withheld, the Commissioner accepts that the information is personal data as it relates to an identifiable living individual.

20. In its correspondence of 24 October 2019, the Applicant submitted that personal data such as the name and address could be redacted, thus allowing the remaining information to be disclosed.

21. The Council considered that (given the subject matter of the request, which asks for correspondence between the Council and an identified third party) a living individual could still clearly be identified from the information requested. The Applicant knew the identity of the data subject (so the third party was identifiable) and the information clearly related to that person.

22. The Commissioner accepts that, even if the name and address were withheld, the Applicant would still know who the data subject was, and so finds that the information could not be redacted to allow disclosure.

Would disclosure contravene one of the data protection principles?

23. Article 5(1)(a) of the GDPR requires personal data to be processed "lawfully, fairly and in a transparent manner in relation to the data subject". The definition of "processing" is wide and includes (section 3(4)(d) of the DPA 2018) "disclosure by transmission, dissemination or otherwise making available". In the case of the EIRs, personal data are processed when disclosed in response to a request. Personal data can only be disclosed if disclosure would be both lawful (i.e. if it would meet one of the conditions of lawful processing listed in Article 6(1) of the GDPR) and fair.

Lawful processing: Articles 6(1)(a) and (f) of the GDPR

24. Among other questions, therefore, the Commissioner must consider if disclosure of the personal data would be lawful. In considering lawfulness, he must consider whether any of the conditions in Article 6 of the GDPR would allow the personal data to be disclosed.

25. The Council was of the view that there was no condition in Article 6 which would allow the personal data to be disclosed. In reaching this conclusion, it considered the application of conditions (f) in Article 6(1).

Condition (f): legitimate interests

26. Condition (f) states that processing would be lawful if it "… is necessary for the purposes of the legitimate interests to be pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child".

27. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, regulation 11(7) of the EIRs (see Appendix 1) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under the EIRs.

28. The tests which must be met before Article (6)(f) can be apply are as follows:

a) Does the Applicant have a legitimate interest in obtaining the personal data?

b) If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?

c) Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subject(s)?

Does the Applicant have a legitimate interest in obtaining the personal data?

29. There is no definition within the DPA 2018 of what constitutes a "legitimate interest ", but the Commissioner takes the view that the term indicates that matters in which an individual properly has an interest should be distinguished from matters about which he or she is simply inquisitive. In the Commissioner's published guidance on personal information[2] , it states:

"In some cases, the legitimate interest might be personal to the applicant, e.g. he or she might want the information in order to bring legal proceedings. With most requests, however, there are likely to be wider legitimate interests, such as the scrutiny of the actions of public bodies or public safety."

30. The Council was of the view that the Applicant did have a legitimate interest in the requested information (although it believed that interest had been met - see below).

31. The Applicant submitted that it was entitled to receive the withheld correspondence and explained why.

32. Having considered the submissions from both the Council and the Applicant, the Commissioner accepts that the Applicant was pursuing a legitimate interest in seeking to understand actions taken by the Council. As such, the Applicant would have a legitimate interest in the information requested.

Is disclosure of the personal data necessary?

33. Having accepted that there is a legitimate interest in the withheld personal data, the Commissioner must consider whether disclosure of the personal data is necessary for those legitimate interests. In doing so, he must consider whether these interests might reasonably be met by any alternative means.

34. The Commissioner has considered this carefully in the light of the decision by the Supreme Court in South Lanarkshire Council v Scottish Information Commissioner (2013) UKSC 55[3]. In this case, the Supreme Court stated (at paragraph 27):

"… A measure which interferes with a right protected by Community law must be the least restrictive for the achievement of a legitimate aim. Indeed, in ordinary language we would understand that a measure would not be necessary if the legitimate aim could be achieved by something less."

35. As the Supreme Court confirmed, "necessary" means "reasonably" rather than "absolutely" or "strictly" necessary. When considering whether disclosure would be necessary, public authorities need to consider whether the disclosure is proportionate as a means and fairly balanced as to ends, or whether the requester's legitimate interests can be met by means which interfere less with the privacy of the data subject.

36. The Council was of the view that the Applicant's legitimate interests had already been met by disclosure of the substantive and relevant content of the correspondence, in its response to the request.

37. The Applicant outlined the information necessary to meet its legitimate interest.

38. Having considered the Applicant's legitimate interests, the Commissioner is not satisfied that that disclosure of the full correspondence is necessary to achieve the Applicant's legitimate interests. In coming to this conclusion, the Commissioner has taken into account the comments made by the Council, the information disclosed already and the description of information the Applicant explained was needed meet his legitimate interests.

39. Given that the Applicant's legitimate interests can be met without requiring the disclosure of the withheld personal data, the Commissioner finds that condition (f) of Article 6(1) of the GDPR cannot be satisfied in this case. Accordingly, he accepts that disclosure of the personal data would be unlawful.

Interests or fundamental rights and freedoms of the data subject

40. Given that the Commissioner has concluded that the processing was unlawful, he is not required to go on to consider separately the data subject's interests or fundamental rights and freedoms, and balance them against the legitimate interest in disclosure.

41. In the circumstances of this case, in the absence of a condition of Article 6(1) of the GDPR being met, the Commissioner must conclude that disclosure of the personal data would be unlawful and would therefore breach the data protection principle in Article 5(1)(a) of the GDPR. Consequently, he is satisfied that disclosure of the personal data is not permitted by regulation 11(2) of the EIRs.

Decision

The Commissioner finds that Inverclyde Council complied with the Environmental Information (Scotland) Regulations 2004 in responding to the information request made by the Applicant.

Appeal

Should either the Applicant or the Council wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement
20 March 2020

Appendix 1: Relevant statutory provisions

The Environmental Information (Scotland) Regulations 2004

  2 Interpretation

(1) In these Regulations -

…

"the data protection principles" means the principles set out in -

(a) Article 5(1) of the GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act):

…

"environmental information" has the same meaning as in Article 2(1) of the Directive, namely any information in written, visual, aural, electronic or any other material form on -

(a) the state of the elements of the environment, such as air and atmosphere, water, soil, land, landscape and natural sites including wetlands, coastal and marine areas, biological diversity and its components, including genetically modified organisms, and the interaction among these elements;

(b) factors, such as substances, energy, noise, radiation or waste, including radioactive waste, emissions, discharges and other releases into the environment, affecting or likely to affect the elements of the environment referred to in paragraph (a);

(c) measures (including administrative measures), such as policies, legislation, plans, programmes, environmental agreements, and activities affecting or likely to affect the elements and factors referred to in paragraphs (a) and (b) as well as measures or activities designed to protect those elements;

…

(f) the state of human health and safety, including the contamination of the food chain, where relevant, conditions of human life, cultural sites and built structures inasmuch as they are or may be affected by the state of the elements of the environment referred to in paragraph (a) or, through those elements, by any of the matters referred to in paragraphs (b) and (c);

"the GDPR" and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of the Act (see section 3(10), (11) and (14) of that Act);

"personal data" has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act);

…

(3A) In these Regulations, references to the Data Protection Act 2018 have effect as if in Chapter 3 of Part 2 of that Act (other general processing) -

(a) the references to an FOI public authority were references to a Scottish public authority as defined in these Regulations;

 b) the references to personal data held by such an authority were to be interpreted in accordance with paragraph (2) of this regulation.

…

11 Personal data

…

(2) To the extent that environmental information requested includes personal data of which the applicant is not the data subject, a Scottish public authority must not make the personal data available if -

(a) the first condition set out in paragraph (3A) is satisfied, or

…

(3A) The first condition is that the disclosure of the information to a member of the public otherwise than under these Regulations -

(a) would contravene any of the data protection principles, or

…

(7) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

 

General Data Protection Regulation

  Article 5 Principles relating to processing of personal data

1 Personal data shall be:

a. processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency")

…

  Article 6 Lawfulness of processing

1 Processing shall be lawful only if and to the extent that at least one of the following applies:

…

f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.
 

Data Protection Act 2018

3 Terms relating to the processing of personal data

…

(2) "Personal data" means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

(3) "Identifiable living individual" means a living individual who can be identified, directly or indirectly, in particular by reference to -

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

(4) "Processing", in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as -

…

(d) disclosure by transmission, dissemination or otherwise making available.

…

(5) "Data subject" means the identified or identifiable living individual to whom the data relates

…

(10) "The GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

 

---