Decision 059/2009 | Scottish Information Commissioner

Home Decisions

Decision 059/2009

Decision 059/2009 Mr Angus Macmillan and Loch Lomond and The Trossachs National Park Authority

Identity of employees

Reference No: 200900105
Decision Date: 21 May 2009

Summary

Mr Angus Macmillan requested from Loch Lomond and the Trossachs National Park Authority (the Authority) the names of Authority employees who had been involved in an incident involving the unauthorised use of an Authority vehicle. The Authority withheld the information under the exemption in section 38(1)(b) of the Freedom of Information (Scotland) Act 2002 (FOISA) which allows public authorities to withhold personal data if the disclosure of the information would breach any of the data protection principles contained in the Data Protection Act 1998 (the DPA). Following a review, Mr Macmillan remained dissatisfied and applied to the Commissioner for a decision.

Following an investigation, the Commissioner found that the Authority had dealt with Mr Macmillan's request for information in accordance with Part 1 of FOISA by correctly applying the exemption in section 38(1)(b) to the personal data it was withholding from Mr Macmillan.

Relevant statutory provisions and other sources

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1) and (2)(e)(ii) (Effect of exemptions) and 38(1)(b), (2)(a)(i) and (b) (Personal information)

Data Protection Act 1998 (the DPA) section 1(1) (Basic interpretative provisions) (definition of personal data); Schedules 1 (The data protection principles) (the first principle) and 2 (Conditions relevant for purposes of the first principle: processing of any personal data) (Conditions 5(a) and (d) and 6(1))

The full text of each of the statutory provisions cited above is reproduced in the Appendix to this decision. The Appendix forms part of this decision.

Background

1.On 28 October 2008, Mr Macmillan wrote to the Authority requesting information relating to an allegation that employees (of the Authority) had used a vehicle belonging to the Authority without proper authorisation. In particular, Mr Macmillan asked for the identity of the employees involved and, if there had been more than one such incident, where and when similar occurrences had taken place.

2.The Authority subsequently wrote to Mr Macmillan on 26 November 2008. The Authority informed Mr Macmillan that the matter had been investigated and that, having identified a breach of procedures, it had taken appropriate action in response. The Authority also advised Mr Macmillan that no similar incident had occurred in the past and it was confident that there would be no recurrence in future. The Authority's response made no mention of the identities of the individuals involved.

3.On 29 November 2008, Mr Macmillan wrote to the Authority noting that it had not provided the information which he was seeking and querying certain aspects of the Authority's position as outlined in its letter of 26 November 2008.

4.The Authority wrote to Mr Macmillan again on 17 December 2008. It advised him that it considered the names of the employees to be exempt from disclosure in terms of section 38 of FOISA as it considered the information to be the personal data of the individuals concerned in terms of the DPA.

5.On 24 December 2008, Mr Macmillan wrote to the Authority requesting a review of its decision. In particular, Mr Macmillan suggested that certain information was now available in the public domain which the authority would have been unaware of at the time of its initial response.

6.The Authority notified Mr Macmillan of the outcome of its review on 14 January 2009, upholding its earlier decision that the information was considered exempt from disclosure in terms of section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) and (ii).

7.On 16 January 2009, Mr Macmillan wrote to the Commissioner, stating that he was dissatisfied with the outcome of the Authority's review and applying to the Commissioner for a decision in terms of section 47(1) of FOISA.

8.The application was validated by establishing that Mr Macmillan had made a request for information to a Scottish public authority and had applied to the Commissioner for a decision only after asking the authority to review its response to that request.

Investigation

9.On 20 January 2009, the Authority was notified in writing that an application had been received from Mr Macmillan and was asked to provide the Commissioner with any information withheld from the applicant. The Authority responded with the information requested and the case was then allocated to an investigating officer.

10.The investigating officer subsequently contacted the Authority, giving it an opportunity to provide comments on the application (as required by section 49(3)(a) of FOISA) and asking it to respond to specific questions. In particular, the Authority was asked to justify its reliance on the exemption in section 38(1)(b) of FOISA.

11.The Authority responded with its submissions on 11 March 2009.These are summarised and considered in the section below on the Commissioner's analysis and findings. At this stage, the Authority advised the Commissioner that it no longer wished to argue that section 38(2)(a)(ii) of FOISA was applicable.

12.The investigating officer also contacted Mr Macmillan during the investigation seeking his submissions on the matters to be considered in the case. Mr Macmillan' submissions are also summarised and considered in the section below on the Commissioner's analysis and findings.

13.In this correspondence, Mr Macmillan was also advised that the investigation and this decision could only address matters relating to the information requested by him on 28 October 2008; that is the names of the persons involved, and whether and when there had been any similar incidents.

14.Since the Authority's response of 26 November 2008 indicated that there were no further such incidents, and Mr Macmillan's request for review expressed no dissatisfaction with the handling of this part of his request, the consideration below relates only to the question of whether names of the employees involved should be disclosed.

Commissioner's analysis and findings

15.In coming to a decision on this matter, the Commissioner has considered all of the withheld information and the submissions made to him by both Mr Macmillan and the Authority and is satisfied that no matter of relevance has been overlooked.

Consideration of section 38(1)(b)

16.The Authority has applied the exemption in section 38(1)(b) of FOISA to the names of the employees requested by Mr Macmillan.

17.The exemption under section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or (as appropriate) section 38(2)(b), provides that information is exempt information if it constitutes personal data (as defined in section 1(1) of the DPA) and its disclosure to a member of the public otherwise than under FOISA would contravene any of the data protection principles contained in the DPA.This is an absolute exemption and therefore is not subject to the public interest test laid down by section 2(1)(b) of FOISA.

18.In order for a public authority to rely on this exemption, it must show firstly that the information which has been requested is personal data for the purposes of the DPA and secondly that disclosure of the information would contravene at least one of the data protection principles laid down in the DPA.

19.The Authority submitted that the information requested by Mr Macmillan was personal data, the release of which would contravene the first data protection principle (which requires in general that personal data shall be processed fairly and lawfully; this principle is discussed in more detail below).It considered that of the processing conditions provided in Schedule 2 of the DPA, only the sixth might be of relevance, but in practice it was not met. In its view, processing of the data in this case was not necessary for the purposes of any legitimate interest, and even if it were, the processing would be prejudicial to the rights and freedoms or legitimate interests of the data subjects.

20.In his submissions to the Commissioner, Mr Macmillan argued that conditions 5(a) and (d) of Schedule 2 were met as he considered the processing was necessary for the administration of justice and the exercise of any other functions of a public nature exercised in the public interest by any person.

Is the information personal data?

21.Personal data is defined in section 1(1) of the DPA as data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller (the definition is set out in full in the Appendix).

22.In this case, the Commissioner is satisfied that the withheld information relates to living individuals (i.e. the employees of the Authority) who can be identified from that informationand the information is clearly about them.

Would disclosure breach the first data protection principle?

23.The Authority has argued that the release of the information would breach the first data protection principle.

24.The first data protection principle requires that the processing of personal data (here, the disclosure of the data in response to a request made under FOISA) must be fair and lawful and, in particular, that personal data shall not be processed unless at least one of the conditions in Schedule 2 (to the DPA) is met. For sensitive personal data, one of the conditions in Schedule 3 to the DPA must also be met. The Commissioner has considered the definition of sensitive personal data set out in section 2 of the DPA, and he is satisfied that the personal data in this case does not fall into this category. It is therefore not necessary to consider the conditions in Schedule 3 of the DPA in this case.

25.There are three separate aspects to the first data protection principle: (i) fairness, (ii) lawfulness and (iii) the conditions in the schedules. However, these three aspects are interlinked.For example, if there is a specific condition which permits the personal data to be disclosed, it is likely that the disclosure will also be fair and lawful.

26.The Commissioner will now go on to consider whether there are any conditions in Schedule 2 to the DPA which would permit the personal data to be disclosed.If any of these conditions can be met, he must then consider whether the disclosure of this personal data would be fair and lawful.

Can any of the conditions in Schedule 2 of the DPA be met?

27.The Authority has argued that conditions 2-5 are self-evidently inapplicable in the context of this particular information request. The Authority has also confirmed that none of the individuals involved has consented to the disclosure of the information and, accordingly, condition 1 is not satisfied. The Authority gave consideration to the application of condition 6, but set out its reasoning as to why it considered it to be inapplicable in this case.

28.Mr Macmillan has argued that condition 5(a) and (d) would allow processing in this case.This will be considered following the discussion of condition 6 below.

Condition 6

29.Condition 6(1) allows personal data to be processed (in this case, disclosed in response to an information request made under section 1(1) of FOISA) if the processing is necessary for the purposes of legitimate interests pursued by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

30.There are, therefore, a number of different tests which must be satisfied before condition 6 can be met. These are:

a.Does the applicant (Mr Macmillan) have a legitimate interest in obtaining this personal data?

b.If yes, is the disclosure necessary to achieve these legitimate aims? In other words, is the disclosure proportionate as a means and fairly balanced as to ends, or could these legitimate aims be achieved by means which interfere less with the privacy of the data subject(s)?

c.Even if the processing is necessary for the legitimate purposes of the applicant, would the disclosure nevertheless cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subject(s)?This will involve a balancing exercise between the legitimate interests of the applicant and those of the data subjects. Only if (or to the extent that) the legitimate interests of the applicant outweigh those of the data subject(s) can the personal data be disclosed.

Does the applicant have a legitimate interest?

31.Mr Macmillan was invited to comment on what legitimate interest there was in the disclosure of this personal data, i.e. the names of the employees involved. In his response, he alleged that the law had been broken (this was denied by the Authority) and commented that, as a taxpayer and member of the general public, he should be entitled to know which public servants had been involved. He also stated that the press had advised him that they wished to be kept informed of his progress and he intended publishing his correspondence file on the internet for public interest and awareness.

32.Mr Macmillan submitted that those involved are individuals who should be beyond reproach and should expect their actions to be subject to public scrutiny as their role requires a significant level of personal judgement, individual responsibility and accountability. Mr Macmillan considered that the individuals in question had put their own interests ahead of the public interest on this occasion.

33.In its submissions to the Commissioner, the Authority noted that Mr Macmillan had stated his interest in obtaining the data to allow the public to decide whether the actions of the staff involved constituted an abuse of power. The Authority believed Mr Macmillan's intention was to circulate the names of the individuals concerned to the local press and that in doing so, he would seek to cause distress and embarrassment to those individuals. The Authority submitted that this would be an "illegitimate" use of the information.

34.The Authority also submitted that the release of the information would not provide any additional insight into the incident itself and that it had provided Mr Macmillan with other relevant information regarding the incident which he had requested.

35.The Commissioner has considered the submissions made by Mr Macmillan and the Authority and accepts that members of the public are entitled to have some insight into the activities of staff employed by public authorities, particularly where issues have been raised concerning any deviation from normal practice or procedures within that authority.

36.The Commissioner has noted that, in this case, the Authority has provided some information to Mr Macmillan regarding the incident, and the breach of procedures by its staff. He also notes that the Authority has taken action in response to that breach and has informed Mr Macmillan that action has been taken.

37.While the Commissioner would not wish to diminish the significance of the matter which has given rise to Mr Macmillan's concerns, and while he accepts that the incident could be construed as a breach of public trust, the Commissioner also notes that there has been no significant misuse of public resources or endangerment to the wider public.

38.The Commissioner is satisfied that there is a general and legitimate interest in Mr Macmillanand the wider public knowing whether a breach of a public authority's rules has occurred and has been acted upon by that authority. The Commissioner considers that this has been served by the response provided by the Authority in this case confirming that it had investigated the matter and taken appropriate action in response.

39.The Commissioner considers that, to the extent there is a legitimate public interest in assessing the wider circumstances surrounding the subject of this information request, this could be achieved from the information already made available to Mr Macmillan without identifying which particular individuals were involved.

40.In conclusion, therefore, the Commissioner is not persuaded that Mr Macmillan has a legitimate interest in obtaining the personal data that has been withheld by the Authority.

41.As the Commissioner considers that Mr Macmillan does not have a legitimate interest in obtaining the information withheld by the Authority, he is satisfied that Condition 6 of Schedule 2 is not met in this case.

Condition 5

42.As noted above, Mr Macmillan has argued that Conditions 5(a) and (d) of Schedule 2 to the DPA are met in this case which would allow the information to be disclosed.

43.Condition 5 allows personal data to be processed (in this case, disclosed in response to an information request made under section 1(1) of FOISA) if the processing is necessary (a) for the administration of justice or (d) for the exercise of any other functions of a public nature exercised in the public interest by any person.

44.Mr Macmillan contended that a criminal offence had been committed and that the general public should be entitled to know which individuals had broken the law.

45.No definition of "administration of justice" is provided in the DPA, nor in FOISA. The generally accepted meaning of this phrase is the administration and procedure of litigation, particularly those cases being heard in court or dealt with under equivalent judicial procedures. Thus, legislation such as the Administration of Justice (Scotland) Act 1972 (and other similar legislation) tends to deal principally with prescribing and regulating the procedures for court cases, including for example time-limits; appeals, and various other steps in litigation and similar matters. The Commissioner considers that the word "administration" in this particular context refers to the actual, tangible process of justice.

46.The Commissioner is unable to comment on Mr Macmillan's assertion that a criminal offence has been committed, although he notes that the Authority has denied that this is the case. Whilst Mr Macmillan is arguably seeking information which would enable him to form a view on whether certain individuals had committed such an offence, his request is not made in the context of any judicial process. In the circumstances, the Commissioner does not accept that disclosure in this case would be required for the administration of justice.

47.Mr Macmillan has not made any separate submissions to support his contention that Condition 5(d) is also met. The Commissioner has considered the terms of this condition, but is unable to conclude that there are any functions of the Authority which are exercised in the public interest which necessitate the disclosure of the information under consideration.

48.The Commissioner is therefore satisfied that Condition 5 of Schedule 2 is not met in this case.

49.Since no condition within Schedule 2 of the DPA can been met in this case, the Commissioner has concluded that disclosure would breach the first data protection principle.

50.As the Commissioner has concluded that disclosure would breach the first data protection principle, he finds that the information is exempt from disclosure in terms of section 38(1)(b) of FOISA.

DECISION

The Commissioner finds that Loch Lomond and the Trossachs National Park Authority (the Authority) complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by Mr Macmillan.

Appeal

Should either Mr Macmillan or the Authority wish to appeal against this decision, there is an appeal to the Court of Session on a point of law only.Any such appeal must be made within 42 days after the date of intimation of this decision notice.

Margaret Keyse
Head of Enforcement
21 May 2009

Appendix

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that ?

(a) the provision does not confer absolute exemption; and

(b) in all the circumstances of the case, the public interest in disclosing the information is not outweighed by that in maintaining the exemption.

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption ?

(e) in subsection (1) of section 38 ?

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

Data Protection Act 1998

1 Basic interpretative provisions

In this Act, unless the context otherwise requires ?

"personal data" means data which relate to a living individual who can be identified ?

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

Schedule 1 ? The data protection principles

Part I ? The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless ?

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

Schedule 2 ? Conditions relevant for purposes of the first principle: processing of any personal data

...

5.The processing is necessary ?

(a)for the administration of justice,

(d)for the exercise of any other functions of a public nature exercised in the public interest by any person.

6. (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.