Home Decisions

Decision 064/2015

Decision 064/2015: Mr Mark Howarth and City of Edinburgh Council

Significant Case Review

Reference No: 201402662
Decision Date: 15 May 2015

Summary

On 12 June 2014, Mr Howarth asked City of Edinburgh Council (the Council) for a full copy of the Significant Case Review (SCR) report in the case of Mr Kevin Rooney.

In response, the Council directed Mr Howarth to a redacted version of the SCR report which was already publicly accessible. It considered the redacted information to be exempt as personal data, disclosure of which would breach the data protection principles. Following a review, at which point the Council supplied Mr Howarth with some related material but confirmed its decision to withhold the material redacted from the report, Mr Howarth remained dissatisfied and applied to the Commissioner for a decision.

The Commissioner investigated and found that the Council had responded to Mr Howarth's request for information in accordance with Part 1 of FOISA.

  Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2)(a)(i), (2)(b) and (5) (definition of "the data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA) sections 1(1) (Basic interpretative provisions) (definition of personal data); 2 (Sensitive personal data); 3 (The special purposes); Schedules 1 (The data protection principles) (the first data protection principle); 3 (Conditions relevant for the purposes of the first principle: processing of sensitive personal data) (conditions 1, 5 and 10).

Data Protection (Processing of Sensitive Personal Data) Order 2000 (Circumstances in which Sensitive Personal Data may be processed) (paragraph 3)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

  Background

1. On 12 June 2014, Mr Howarth made a request for information to the Council. The information requested was that contained in the entire SCR report regarding the case of Kevin Rooney.

2. The Council responded on 10 July 2014. The Council informed Mr Howarth that a redacted version of the report was available publicly[1].

3. The Council withheld the information redacted from the full report, on the basis that it contained personal data and its disclosure would contravene the first data protection principle. In the Council's view, therefore, the information was exempt under section 38(1)(b) of FOISA. It also withheld the information under section 39(1) of FOISA (Health, safety and the environment).

4. On 15 July 2014, Mr Howarth wrote to the Council requesting a review of its decision, on the basis that the victim's family had expressed an interest in the full report being published and he did not accept that all the personal data could be withheld.

5. The Council notified Mr Howarth of the outcome of its review on 13 August 2014. The Council provided Mr Howarth with a redacted version of the report, alongside:

? a timeline for Kevin Rooney's periods of imprisonment

? an explanatory note, and

? the Council's original response to the report.

It upheld its reliance on section 38(1)(b) of FOISA (but not section 39(1)).

6. On 17 November 2014, Mr Howarth wrote to the Commissioner's office. He applied to the Commissioner for a decision in terms of section 47(1) of FOISA. Mr Howarth stated he was dissatisfied with the outcome of the Council's review because he did not accept that section 38(1)() had been applied correctly. He considered there to be a significant public interest in disclosure of the full SCR report.

  Investigation

7. The application was accepted as valid. The Commissioner confirmed that Mr Howarth made a request for information to a Scottish public authority and asked the authority to review its response to that request requests before applying to her for a decision.

8. On 8 December 2014, the Council was notified in writing that Mr Howarth had made a valid application. The Council was asked to send the Commissioner the information withheld from him. The Council provided the information and the case was allocated to an investigating officer.

9. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Council was invited to comment on this application, with particular reference to the application of section 38(1)(b) of FOISA.

10. The Commissioner has considered requests for the same information in Decision 050/2015 Mr Gordon MacDonald MSP and the Chief Constable of the Police Service of Scotland[2] and 058/2015 Mr Mark Howarth and the Chief Constable of the Police Service of Scotland[3].

  Commissioner's analysis and findings

11. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to her by both Mr Howarth and the Council. She is satisfied that no matter of relevance has been overlooked.

 Background to request

12. A Significant Case Review (SCR) is undertaken, generally, in the following circumstances:

a) When an offender managed under Multi-Agency Public Protection Arrangements (MAPPA) is charged with murder, attempted murder or a crime of serious sexual harm,

b) Significant concern has been raised in respect of the management of a MAPPA offender which gives rise to serious concerns about professional and/or service involvement, or

c) Where it appears that an offender managed under MAPPA is killed or is seriously injured as a direct result of his/her status as a sex offender becoming known.

13. The overarching objectives of SCRs are to:

a) Establish whether there are lessons to be learnt about how better to protect the public from risk of harm,

b) Make recommendations for action,

c) Address accountability,

d) Provide public reassurance in relation to the actions of the responsible authorities in the specific circumstances, and

e) Identify good practice.

14. A SCR was commissioned by the Edinburgh Offender Management Committee at Edinburgh City Council, following the death of Rosina Sutherland on 30 October 2011. Kevin Rooney, a registered sex offender, was convicted of Mrs Sutherland's murder. A redacted version of the SCR report and a timeline was published on 29 July 2014.

Redactions made to SCR report

15. Mr Howarth recognised that the names of individuals redacted from the report could legitimately be withheld for data protection purposes, but believed there was a clear public interest in the remainder of the information being disclosed.

16. The Council withheld complete sections of the SCR report and made smaller redactions in other areas, on the basis that section 38(1)(b) (read in conjunction with section 38(2)(a)(i)) of FOISA applied. The Council also sought to rely on section 30(c) of FOISA during the investigation. Its reliance on section 38(1)(b) will be considered first.

17. Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) (or, as appropriate, (2)(b)) exempts personal data if their disclosure to a member of the public, otherwise than under FOISA, would contravene any of the data protection principles.

Is the information under consideration personal data?

18. "Personal data" are defined in section 1(1) of the DPA as "data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller" (the full definition is set out in Appendix 1).

19. The Commissioner has considered the submissions received from the Council on this point, along with the withheld information. The Commissioner is satisfied that the information withheld is personal data: it is possible to identify individuals from the data itself, in line with the definition of personal data. The information is biographical in relation to Mr Rooney, and therefore can be said to relate to him.

Is the withheld information sensitive personal data?

20. During the investigation, the Council argued that some of the information withheld comprised sensitive personal data.

21. The definition of sensitive personal data is contained in section 2 of the DPA (see Appendix 1).

22. The Commissioner has reviewed the information withheld from the SCR report. As she has concluded already in the two previous decisions on the same withheld information, referred to in paragraph 10 above, the Commissioner is satisfied that all of the personal data withheld in this case falls into at least one of the categories in section 2 of the DPA and therefore should be considered to be the sensitive personal data of an individual. (The Commissioner is unable to confirm which of the categories of sensitive personal data are relevant here, without, in effect, disclosing the sensitive personal data.)

Would disclosure contravene the first data protection principle?

23. In their submissions, the Council argued that the disclosure of the withheld personal data would contravene the first data protection principle. This requires that personal data are processed fairly and lawfully and, in particular, are not processed unless at least one of the conditions in Schedule 2 to the DPA is met. For sensitive personal data, at least one of the conditions in Schedule 3 to the DPA must also be met.

The first data protection principle: sensitive personal data

24. Given the additional restrictions surrounding the disclosure of sensitive personal data, it is necessary in this case to consider whether there are any conditions in Schedule 3 which would permit the data to be disclosed, before considering the Schedule 2 conditions. The conditions listed in Schedule 3 have been considered by the Commissioner, as have the additional conditions for processing sensitive personal data contained in secondary legislation, such as the Data Protection (Processing of Sensitive Personal Data) Order 2000.

25. Guidance issued by the Commissioner regarding the exemption in section 38(1)(b) notes that, generally, only the first and fifth conditions are likely to be relevant when considering a request for sensitive personal data under FOISA. Condition 1 would allow personal data to be disclosed where the data subject has given explicit (i.e. fully informed and freely given) consent to their release. Condition 5 would allow the personal data to be disclosed if the data had been made public as a result of steps deliberately taken by the data subject.

26. The Council confirmed that Kevin Rooney had not consented to the release of personal data and had not taken steps to place this information into the public domain, with the result that conditions 1 and 5 could not be met. The Commissioner accepts this, in the circumstances.

27. Condition 10 of Schedule 3 allows sensitive personal data to be processed in circumstances specified in an order made by the Secretary of State. As noted above, the relevant order is the Data Protection (Processing of Sensitive Personal Data) Order 2000. Article 2 of that Order provides that the circumstances specified in any of the paragraphs in Schedule to the Order are circumstances in which sensitive personal data may be processed.

28. Mr Howarth argued that paragraph 3 of the Schedule to the Order applied in this case. The remaining paragraphs refer to "processing", which covers both disclosure and other forms of processing. Paragraph 3 differs, in referring only to "disclosure". Paragraph 3 provides for sensitive personal data being disclosed where it is:

a) in the substantial public interest,

b) in connection with the commission by any person of any unlawful act, whether alleged or established,

c) for the special purposes defined in section 3 of the DPA, i.e. the purposes of journalism or artistic or literary purposes, and

d) is made with a view to the publication of those data by any person and the data controller reasonably believes that such publication would be in the public interest.

29. Mr Howarth set out in detail why he considered disclosure to be in the substantial public interest. These arguments are set out in Decision 058/2015 and are not repeated at length here.

30. The Council disagreed with Mr Howarth's view and did not accept that all four tests in paragraph 3 of the Schedule to the Order were met. The Council submitted that the publication of Mr Rooney's sensitive personal data was not required to address the public's concerns in relation to the management of Registered Sex Offenders. The Council believed the public interest in ensuring accountability and transparency in relation to the actions of the MAPPA agencies had been met through publication of the SCR with the sensitive personal data redacted.

31. As in previous related cases, the Commissioner has considered the arguments presented by both parties carefully. The key consideration is whether disclosure would be in the substantial public interest. In this instance, the Commissioner is aware that a substantial volume of the report has been published, including all the recommendations arising from the report. The information which has been withheld is Mr Rooney's sensitive personal data, which may be of interest to the public but would not provide transparency in relation to the MAPPA process as argued by Mr Howarth. In light of this, the Commissioner is satisfied that the conditions in paragraph 3 of the Schedule to the Data Protection (Processing of Sensitive Personal Data) Order 2000 cannot be met in this case.

32. Having reached these conclusions, and having concluded that no other condition in Schedule 3 applies in this case, the Commissioner finds that the disclosure of Mr Rooney's sensitive personal data would breach the first data protection principle. She therefore finds that the Council was correct to withhold this information under section 38(1)(b) of FOISA.

33. As the Commissioner has found that the withheld information has been correctly withheld under section 38(1)(b) of FOISA, there is no requirement for her to consider the application of section 30(c) of FOISA in this case.

Decision

The Commissioner finds that City of Edinburgh Council complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by Mr Howarth.

  Appeal

Should either Mr Howarth or the Council wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement
15 May 2015

  Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

?

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

?

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

?

(e) in subsection (1) of section 38 -

?

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

38 Personal information

(1) Information is exempt information if it constitutes-

?

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

?

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

?

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

?

 
  Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

?

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

?

2 Sensitive personal data

In this Act "sensitive personal data" means personal data consisting of information as to-

(a) the racial or ethnic origin of the data subject,

(b) his political opinions,

(c) his religious beliefs or other beliefs of a similar nature,

(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),

(e) his physical or mental health or condition,

(f) his sexual life,

(g) the commission or alleged commission by him of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

3 The special purposes

In this Act "the special purposes" means any one or more of the following-

(a) The purposes of journalism,

?

Schedule 1 - The data protection principles

Part I - The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

?

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

Schedule 3 - Conditions relevant for purposes of the first principle: processing of sensitive personal data

1. The data subject has given his explicit consent to the processing of the personal data.

5. The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.

10. The personal data are processed in circumstances specified in an order made by the Secretary of State for the purposes of this paragraph.

The Data Protection (Processing of Sensitive Personal Data) Order 2000

Circumstances in which Sensitive Personal Data may be processed

3. (1) The disclosure of personal data -

(a) is in the substantial public interest;

(b) is in connection with -

(i) the commission by any person of any unlawful act (whether alleged or established),

(ii) dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, any person (whether alleged or established), or

(iii) mismanagement in the administration of, or failure in services provided by, anybody or association (whether alleged or established);

(c) is for special purposes as defined in section 3 of the Act; and

(d) is made with a view to the publication of those data by any person and the data controller reasonably believes that such publication would be in the public interest.

[1]

[2]

[3]