Home Decisions

Decision 058/2018

Decision 058/2018: Mr Mark Howarth and Glasgow City Council

Members of two MAPPA oversight groups

Reference No: 201702192
Decision Date: 30 April 2018

Summary

The Council was asked for details of the members of the Strategic Oversight Group (SOG) and MAPPA Oversight Group (MOG) in Glasgow.

The Council withheld the information, arguing that the information was the personal data of third parties and exempt from disclosure.

During the investigation, the Council disclosed one member's name.

The Commissioner agreed that the remaining information should be withheld, as it was personal data and its disclosure would breach the first data protection principle.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2)(a)(i), (2)(b) and (5) (definition of "the data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA) section 1(1) (Basic interpretative provisions) (definition of "personal data"); Schedule 1 (The data protection principles, Part 1 - the principles) (the first data protection principle); Schedule 2 (Conditions relevant for purposes of the first principle: processing of any personal data) (condition 6)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 31 July 2017, Mr Howarth made a request for information to Glasgow City Council (the Council). Among other information not the subject of this decision, he asked who were the members of the Glasgow Strategic Oversight Group (SOG) and MAPPA Oversight Group (MOG), and for details of their roles within and outwith SOG and MOG.

2. The Council responded on 31 August 2017. It withheld the requested information under section 39(1) of FOISA, as it considered disclosure would, or would be likely to, endanger the physical or mental health or the safety of an individual.

3. On 27 September 2017, Mr Howarth emailed the Council requesting a review of its decision on the basis that he did not consider that the exemption applied. He asked whether the Council held any evidence that a person's physical or mental health had been harmed thus far, and he questioned the Council's assertion that disclosure would make the individuals vulnerable to targeting for harassment or intimidation.

4. The Council notified Mr Howarth of the outcome of its review on 25 October 2017. It upheld its previous response and, in addition, relied on section 38(1)(b) of FOISA (Personal information) to withhold the requested information. It provided Mr Howarth with a list of the bodies represented by the members of SOG and MOG.

5. On 6 December 2017, Mr Howarth applied to the Commissioner for a decision in terms of section 47(1) of FOISA. Mr Howarth stated he was dissatisfied with the outcome of the Council's review, and reiterated the points made in his review request.

Investigation

6. The application was accepted as valid. The Commissioner confirmed that Mr Howarth made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

7. On 11 January 2018, the Council was notified in writing that Mr Howarth had made a valid application. The Council was asked to send the Commissioner the information withheld from Mr Howarth. The Council provided the information and the case was allocated to an investigating officer.

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Council was invited to comment on this application and answer specific questions, with reference to the application of sections 38(1)(b) and 39(1) of FOISA. It responded on 19 March 2018.

9. Mr Howarth was asked for, and provided, further comments on his legitimate interest in the withheld information and the public interest in its disclosure.

10. On 26 March 2018, the Council disclosed one of the member's names to Mr Howarth. It informed Mr Howarth that this individual's name had been published in the MAPPA annual report and was therefore otherwise accessible to him. The Council also informed Mr Howarth that further information about the employment background of the members of SOG and MOG could be obtained from the Assistant Chief Officer for Public Protection, Glasgow Health and Social Care Partnership.

11. Mr Howarth confirmed that the Commissioner's investigation and decision could exclude consideration of the name which had been provided.

Commissioner's analysis and findings

12. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both Mr Howarth and the Council. He is satisfied that no matter of relevance has been overlooked.

Section 38(1)(b) - Personal information

13. The Council relied on section 38(1)(b) to withhold the names and job titles of the members of MOG and SOG.

14. Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or, as appropriate, section 38(2)(b), exempts information from disclosure if it is "personal data" (as defined in section 1(1) of the DPA) and its disclosure would contravene one or more of the data protection principles set out in Schedule 1 to the DPA.

15. The exemption in section 38(1)(b) of FOISA is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

16. In order to rely on this exemption, the Council must show that the information being withheld is personal data for the purposes of the DPA and that its disclosure into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles to be found in Schedule 1 to the DPA. The Council considered disclosure of the information would breach the first data protection principle.

Is the withheld information personal data?

17. For this exemption to apply, the withheld information must fall within the definition of "personal data" contained in section 1(1) of the DPA. The full definition is set out in Appendix 1, but it applies to data relating to a living individual who can be identified from either (a) the data themselves or (b) those data and other information which is in the possession of, or is likely to come into the possession of, the data controller.

18. The Council submitted that, as some of the job titles are specific to individuals, it would not be possible to disclose this information without allowing the individuals to be identified.

19. The Commissioner is satisfied that the information comprises the personal data of the individuals concerned (members of MOG and SOG). The individuals can be identified by the information (their name and job title). The information relates to them as individuals. It is therefore those individuals' personal data, as defined by section 1(1) of the DPA.

20. The Commissioner does not consider it would be possible to anonymise the personal data to permit disclosure.

Would disclosure contravene the first data protection principle?

21. The Council submitted that disclosure of the withheld personal data would breach the first data protection principle.

22. The first data protection principle states that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met. The processing in this case would be making the information publicly available in response to Mr Howarth's request.

23. In the case of sensitive personal data (as defined by section 2 of the DPA), at least one of the conditions in Schedule 3 to the DPA must also be met. The Council submitted that, although the data does not fall within the statutory definition of sensitive personal data for the purposes of the DPA, the context and nature of the work of MAPPA makes the information highly sensitive.

24. The Commissioner notes the Council's point, but he is satisfied that the personal data in question are not sensitive personal data for the purposes of section 2 of the DPA, so it is not necessary for him to consider the conditions in Schedule 3.

Can any of the conditions in Schedule 2 be met?

25. When considering the conditions in Schedule 2, the Commissioner has noted Lord Hope's comment in Common Services Agency v Scottish Information Commissioner [2008] UKHL 47[1] (the CSA case) that the conditions require careful treatment in the context of a request for information under FOISA, given that they were not designed to facilitate the release of information, but rather to protect personal data from being processed in a way that might prejudice the rights, freedoms or legitimate interests of the data subject (i.e. the person or persons to whom the data relate).

26. It appears to the Commissioner that condition 6 in Schedule 2 is the only one which might permit disclosure of the personal data to Mr Howarth. In any event, neither Mr Howarth nor the Council have suggested that any other condition would be relevant.

27. Condition 6 allows personal data to be processed if that processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

28. There are a number of different tests which must be satisfied before condition 6 can be met. These are:

(i) Does Mr Howarth have a legitimate interest or interests in obtaining the personal data?

(ii) If so, is the disclosure necessary to achieve those legitimate interests? In other words, is the processing proportionate as a means and fairly balanced as to ends, or could these interests be achieved by means which interfere less with the privacy of the data subjects?

(iii) Even if the processing is necessary for Mr Howarth' legitimate interests, would the disclosure nevertheless cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects?

29. There is no presumption in favour of disclosure of personal data under the general obligation laid down by section 1(1) of FOISA. The legitimate interests of Mr Howarth must outweigh the rights and freedoms or legitimate interests of the data subjects before condition 6 will permit the personal data to be disclosed. If the two are evenly balanced, the Commissioner must find that the Council was correct to refuse to disclose the personal data to Mr Howarth.

Does Mr Howarth have a legitimate interest in obtaining the personal data?

30. There is no definition in the DPA of what constitutes a "legitimate interest." The Commissioner takes the view that the term indicates that matters in which an individual properly has an interest should be distinguished from matters about which he or she is simply inquisitive. The Commissioner's guidance on section 38 of FOISA[2] states:

In some cases, the legitimate interest might be personal to the applicant - e.g. he or she might want the information in order to bring legal proceedings. With most requests, however, there are likely to be wider legitimate interests, such as the scrutiny of the actions of public bodies or public safety.

31. Mr Howarth considered the information should be disclosed, as it is relevant to know who is making decisions that affect public safety and whether they are adequately qualified for the role. He submitted that it is not clear whether the people involved have a background in offender management or social work or law enforcement; the withheld information would allow scrutiny and evaluation of whether the MAPPA structure could be more effective.

32. The Council accepted that Mr Howarth could have a legitimate interest in the information as it relates to individuals who are making decisions that affect public safety.

33. The Commissioner is satisfied that Mr Howarth has a legitimate interest in information which would enable him to understand who makes decisions concerning public safety, and whether those individuals are adequately qualified for the role.

Is the processing necessary for the purposes of these interests?

34. In reaching a decision on this, the Commissioner must consider whether Mr Howarth's legitimate interests might reasonably be met by any alternative means.

35. The Council considered that Mr Howarth's legitimate interests had already been satisfied by the disclosure of the information provided in its review response, which showed the organisations represented by the members of SOG and MOG. The Council considered that providing the names and job titles of members would not assist him in understanding whether these individuals are adequately qualified for the role.

36. Having considered all relevant arguments carefully, the Commissioner accepts that the information provided to Mr Howarth in the Council's review response goes some way to fulfil his legitimate interests. However, the Commissioner is satisfied that the withheld personal data would give Mr Howarth a clearer understanding of who are the members of SOG and MOG, and a fuller understanding of their professional background. Disclosure would enable him to conduct his own research regarding the specific qualifications and experience of the individual SOG and MOG members.

37. The Commissioner finds that, in the circumstances of this case, Mr Howarth's legitimate interests could not reasonably be met by alternative means. He is satisfied that disclosure of the personal data is necessary to meet Mr Howarth's legitimate interests.

Would disclosure cause unwarranted prejudice to the legitimate interest of the data subjects?

38. As the Commissioner is satisfied that disclosure of the withheld personal data would be necessary to fulfil Mr Howarth's legitimate interests, he is now required to consider whether that disclosure would nevertheless cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects. As noted above, this involves a balancing exercise between the legitimate interests of Mr Howarth and those of the data subjects. Only if the legitimate interests of Mr Howarth outweigh those of the data subjects can the information be disclosed without breaching the first data protection principle.

39. The Commissioner must approach this balancing exercise on the basis that disclosure under FOISA is disclosure to the world at large and not simply to Mr Howarth.

40. The Council provided the Commissioner with copies of correspondence with some of the members of MOG and SOG in which the members were asked whether they were content for their names and roles to be disclosed. None who replied gave consent for the disclosure of their names or job titles.

41. The Council confirmed that the members of MOG and SOG were not given any specific assurances that their identities would be kept confidential, but the responses received from some members show there was an assumption that this would be the case, given the history of offending by the individuals managed by MAPPA.

42. The Council submitted that disclosure of the information about the SOG and MOG members into the public domain could put their safety at risk. MAPPA exists to put in place restrictions on offenders to ensure that the public are kept safe. Individuals managed through MAPPA include the highest risk individuals within society, who have been previously convicted of acts of violence and sexual violence. The Council submitted that these individuals represent a specific risk to MAPPA members as MAPPA members are also members of the public. The Council considered it likely that one or more of these individuals will also have, or develop in future, a grievance against figures in authority (the MAPPA members) who control and restrict their lives.

43. The Council considered that members of SOG and MOG have a reasonable expectation that their personal details should not be disclosed, given the nature of the work. The Council confirmed that none of the bodies represented on SOG and MOG had published details of the individual members.

44. The Commissioner considers that the Council has provided persuasive evidence to show that the data subjects have a reasonable expectation that their names and other identifying information would not be disclosed. The Commissioner accepts the Council's argument that disclosure of the personal data could be used by an individual subject to MAPPA conditions to pursue grievances against identifiable members of SOG or MOG. The Council has provided evidence to show that this is more than a hypothetical argument.

45. Having balanced the legitimate interests of the data subjects against those of Mr Howarth, the Commissioner finds that any legitimate interests served by disclosure of the withheld personal data would not outweigh the unwarranted prejudice that would result in this case to the rights and freedoms or legitimate interests of the individuals in question. In the circumstances of this particular case, the Commissioner concludes that condition 6 in Schedule 2 to the DPA cannot be met in relation to the withheld personal data.

46. Having accepted that disclosure of the withheld personal data would lead to unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects, as described above, the Commissioner must also conclude that its disclosure would be unfair. As no condition in Schedule 2 to the DPA can be met, he must regard disclosure as unlawful. In all the circumstances, therefore, the Commissioner's conclusion is that the first data protection principle would be breached by disclosure and that the information was properly withheld under section 38(1)(b) of FOISA.

47. As the Commissioner is satisfied that the withheld information was correctly withheld under section 38(1)(b), it is not necessary to consider whether section 39(1) of FOISA also applies.

Decision

The Commissioner finds that Glasgow City Council complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by Mr Howarth.

Appeal

Should either Mr Howarth or Glasgow City Council wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement

30 April 2018

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

Schedule 1 - The data protection principles

Part I - The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

Schedule 2 - Conditions relevant for purposes of the first principle: processing of any personal data

...

6. (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

[1] http://www.bailii.org/uk/cases/UKHL/2008/47.html

[2] http://www.itspublicknowledge.info/Law/FOISA-EIRsGuidance/section38/Section38.aspx