Decision 061/2013 Mr R and Aberdeen City Council
Educational and professional qualifications
Reference No: 201201815
Decision Date: 28 March 2013
Summary
On 24 July 2012, Mr R asked Aberdeen City Council (the Council) for the tertiary educational and professional qualifications of two staff members.The Council responded by informing Mr R that any information it held was personal data, the disclosure of which would breach the data protection principles.Following an investigation, the Commissioner accepted this.
Relevant statutory provisions
Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2)(a)(i) and (b) and (5) (definitions of "the data protection principles", "data subject" and "personal data") (Personal information)
Data Protection Act 1998 (the DPA) section 1(1) (Basic interpretative provisions) (definition of "personal data"); Schedules 1 (The data protection principles, Part I ? the principles) (the first data protection principle); and 2 (Conditions relevant for purposes of the first principle: processing of any personal data) (conditions 5(a) and (d) and 6(1))
The full text of each of the statutory provisions cited above is reproduced in the Appendix to this decision.The Appendix forms part of this decision.
Background
1.On 24 July 2012, Mr R wrote to the Council and asked for:
? the tertiary education and professional qualifications, including the subjects of the degrees and professional qualifications, of the current Pensions Manager, who I understand to be [Named Person 1] and of her predecessor [Named Person 2].
He also requested details of work Named Person 2 was retained to do by the Council, in particular the number of times the person had been called upon to do the work, the nature of the work and the payments made for each aspect of work undertaken.He referred to Named Person 1 in seeking details of the payments, although it was evident from the context that he was seeking payment information in respect of Named Person 2.
2.The Council responded on 21 August 2012.It informed Mr R that all the information it held and which fell within the scope of his request was exempt from disclosure in terms of section 38(1)(b) of FOISA.This was because the information was personal data and disclosing it would breach the data protection principles.
3.On 27 August 2012, Mr R wrote to the Council requesting a review of its decision.He explained his reasons for requiring the information.He also confirmed that his reference to Named Person 1 in that part of the request relating to payments should have referred to Named Person 2).
4.The Council notified Mr R of the outcome of its review on 24 September 2012.It provided some explanation about the ad hoc role of Named Person 2, but otherwise upheld its original decision that the information held was exempt in terms of section 38(1)(b) of FOISA.
5.On 25 September 2012, Mr R wrote to the Commissioner's office.He stated that he was dissatisfied with the outcome of the Council's review and applied to the Commissioner for a decision in terms of section 47(1) of FOISA.
6.The application was validated by establishing that Mr R made a request for information to a Scottish public authority and applied to the Commissioner for a decision only after asking the authority to review its response to that request.
Investigation
7.On 4 October 2012, the Council was notified in writing that an application had been received from Mr R.It was asked to provide the Commissioner with the information withheld from him. The Council refused to provide the Commissioner with the information.
8.The case was then allocated to an investigating officer and further discussions followed, with a view to obtaining the withheld information for the purposes of the investigation.Eventually, the Council supplied the information, in response to an Information Notice served under section 50(1)(a) of FOISA.
9.The investigating officer contacted the Council again, giving it an opportunity to provide comments on the application (as required by section 49(3)(a) of FOISA) and asking it to respond to specific questions.The Council was asked to justify its reliance on any provisions of FOISA it considered applicable to the information requested.The investigating officer's questions focused in particular on the application of section 38(1)(b) of FOISA: the Council responded with full submissions on these points.
10.Mr R also provided submissions to the effect that, in his view, disclosure of the information requested would not breach the data protection principles.
11.The relevant submissions received from both the Council and Mr R will be considered fully in the Commissioner's analysis and findings below.
Commissioner's analysis and findings
12.In coming to a decision on this matter, the Commissioner has considered all of the withheld information and the submissions made to her by both Mr R and the Council.She is satisfied that no matter of relevance has been overlooked.
Section 38(1)(b) ? personal data
13.The Council submitted that the withheld information held was personal data for the purposes of the DPA and that its disclosure would contravene the first and second data protection principles.Therefore, it argued that the information was exempt under section 38(1)(b) of FOISA.
14.Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or (2)(b) (as appropriate), exempts personal data from release if its disclosure to a member of the public, otherwise than under FOISA, would contravene any of the data protection principles.As noted above, the Council believes that disclosure of the information would breach the first and second data protection principles.
15.In considering the application of this exemption, the Commissioner will therefore first consider whether the information in question is personal data as defined in section 1(1) of the DPA.If it is, she will go on to consider whether disclosure of the information would breach the first and (if necessary) the second data protection principle.The Commissioner will also consider whether any of the information is sensitive personal data as defined in section 2 of the DPA: if it is, she will consider the implications of that status for the application of the first data protection principle.
16.It must be borne in mind that this particular exemption is an absolute exemption.This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.
Is the information under consideration personal data?
17."Personal data" is defined in section 1(1) of the DPA as:
data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
18.The Commissioner is satisfied that details of an identifiable, living individual's tertiary education and professional qualifications falls within the definition of that individual's personal data.In this case, given the nature of the arrangements described by the Council, she is also satisfied that the other information requested in respect of Named Person 2 is that individual's personal data.She accepts that all of the information relates to the named individuals.
19.The Commissioner has considered whether any of the personal data in question is sensitive personal data as defined by section 2 of FOISA. She is satisfied that none of the personal data fall within any of the categories of sensitive personal data listed in section 2.
20.The Commissioner will therefore go on to consider whether disclosure of the personal data would breach the first data protection principle.If necessary, she will go on to consider the application of the second data protection principle.
The first data protection principle
21.The first data protection principle states that personal data shall be processed fairly and lawfully.(The processing in this case would be disclosure of the information into the public domain in response to Mr R's request.)The first principle also states that personal data shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met.In the case of sensitive personal data, at least one of the conditions in Schedule 3 of the DPA must also be met.As noted above, the Commissioner is satisfied that the information is not sensitive personal data, so she is not required to consider the application of any of the conditions in Schedule 3.
22.In his submissions, Mr R argued that conditions 5(a), 5(d) and 6 in Schedule 2 would allow the information to be disclosed without breaching the first data protection principle.The Commissioner will first of all consider whether conditions 5(a) and (d) can be applied in this case.
23.Condition 5(a) allows processing which is necessary for the administration of justice.Condition 5(d) allows processing which is necessary for the exercise of any other functions of a public nature exercised in the public interest by any person.
24.The Commissioner has taken account of Mr R's submissions on the application of these conditions, which relate to his reasons for seeking the information.She cannot accept that disclosure is necessary for either.Mr R may have an interest in obtaining the information to pursue certain matters about which he is concerned, but he is neither responsible for the administration of justice nor does he have responsibility for the exercise of any other functions of a public nature.
25.Condition 6 allows personal data to be processed if that processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.In this case, there are two data subjects, i.e. the two individuals named in Mr R's request.
26.There are, therefore, a number of tests which must be met before condition 6(1) can apply. These are:
Does Mr R have a legitimate interest in having these personal data?
If so, is the disclosure necessary to achieve these legitimate aims?In other words, is disclosure proportionate as a means and fairly balanced as to ends, or could these aims be achieved by means which interfere less with the privacy of the data subjects?
Even if disclosure is necessary for the legitimate purposes of the applicant, would disclosure still cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects?This will involve a balancing exercise between the legitimate interests of Mr R and those of the data subjects.Only if the legitimate interests of Mr R outweigh those of the data subjects can the personal data be disclosed.
Does the applicant have a legitimate interest?
27.Mr R was asked by the Commissioner to explain why he believed he had a legitimate interest in obtaining the information.He commented that there had been a number of precedents set by the Commissioner and Aberdeen City Council, relating to disclosures he considered comparable, which he believed would support disclosure.The Commissioner has noted these, but must consider each case on its own merits.In each case where section 38(1)(b) has been applied by the authority, she must be satisfied that a breach of the data protection principles will not occur before requiring disclosure.
28.Mr R also provided further submissions regarding a recruitment process he was dissatisfied with.He referred to changes in the essential and desirable elements of the person specification (relating to qualifications) during the process.In this context, he was interested in the qualifications held by the previous and current post holders.
29.Responding to the Commissioner on this point, the Council acknowledged that Mr R might have a personal interest in information relating to the recruitment exercise in question.It went on to explain that neither of the named individuals had been interviewed within that recruitment process.It explained the arrangements whereby one of the named individuals was undertaking the relevant duties on an acting basis, while the other was providing ad hoc support for the function in question.In the circumstances, the Council did not believe any interest Mr R might have in the information amounted to a legitimate interest for the purposes of condition 6.
30.Having considered all relevant submissions she has received on this point, the Commissioner does not accept that Mr R could be said to have a legitimate interest in the withheld personal data.He may have legitimate concerns about the recruitment process referred to above, but the Commissioner fails to see how they could extend to a legitimate interest in the personal data under consideration here.Mr R has indicated an intention to complain about the recruitment process in some way, but he has not explained adequately how the information he is seeking would facilitate the pursuit of such a complaint.In all the circumstances, this would appear to be information about which Mr R is merely curious, and that is not enough to create a legitimate interest.
31.Given this conclusion, the Commissioner finds that there is no condition in Schedule 2 which would permit disclosure of the personal data under consideration.In the absence of a condition permitting disclosure, that disclosure would be unlawful.Consequently, the Commissioner finds that disclosure would breach the first data protection principle and that the information is therefore exempt from disclosure (and properly withheld) under section 38(1)(b) of FOISA.
32.In the circumstances, the Commissioner is not required to go on to consider whether disclosure would breach the second data protection principle.
DECISION
The Commissioner finds that the Council complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by Mr R.
Appeal
Should either Mr R or the Aberdeen City Council wish to appeal against this decision, there is an appeal to the Court of Session on a point of law only.Any such appeal must be made within 42 days after the date of intimation of this decision notice.
Margaret Keyse
Head of Enforcement
28 March 2013
Appendix
Relevant statutory provisions
Freedom of Information (Scotland) Act 2002
1 General entitlement
(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.
?
(6) This section is subject to sections 2, 9, 12 and 14.
2 Effect of exemptions
(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that ?
(a) the provision does not confer absolute exemption; and
...
(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption ?
?
(e) in subsection (1) of section 38 ?
?
(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.
38Personal information
(1) Information is exempt information if it constitutes-
?
(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;
?
(2) The first condition is-
(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-
(i) any of the data protection principles; or
?
(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.
?
(5) In this section-
"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;
"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;
?
Data Protection Act 1998
1Basic interpretative provisions
(1)In this Act, unless the context otherwise requires ?
?
"personal data" means data which relate to a living individual who can be identified ?
(a)from those data, or
(b)from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;
?
Schedule 1 ? The data protection principles
Part I ? The principles
1.Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless ?
(a)at least one of the conditions in Schedule 2 is met, and
(b)in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
?
Schedule 2 ? Conditions relevant for purposes of the first principle: processing of any personal data
...
5 The processing is necessary?
(a)for the administration of justice,
?
(d) for the exercise of any other functions of a public nature exercised in the public interest by any person
6(1)The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
?
