Decision 066/2014 | Scottish Information Commissioner

Home Decisions

Decision 066/2014

Decision 066/2014 Mr Michael Gregson and Aberdeenshire Council

Information relating to a statutory nuisance notice

Reference No: 201302644
Decision Date: 20 March 2014

Summary

On 15 July 2013, Mr Gregson asked Aberdeenshire Council (the Council) for information relating to a statutory nuisance notice. The Council disclosed information to Mr Gregson subject to the redaction of personal data. The Council withheld the personal data under section 38(1)(b) of FOISA on the basis that it was personal data, disclosure of which would breach the first data protection principle.

The Commissioner found that the Council had been entitled to withhold information comprising the personal data of members of the public and junior members of staff, but that other information should be disclosed to Mr Gregson.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (4) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2)(a)(i) and (b) and (5) (definitions of "the data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA) section 1(1) (Basic interpretative provisions) (definition of "personal data"); Schedule 1 (The data protection principles) (the first data protection principle); Schedule 2 (Conditions relevant for purposes of the first principle: processing of any personal data) (condition 6)

The full text of each of the statutory provisions cited above is reproduced in the Appendix to this decision. The Appendix forms part of this decision.

Background

1. On 15 July 2013, Mr Gregson emailed the Council requesting information relating to a statutory nuisance notice served by the Council on a specified date. Mr Gregson also requested other information that is not the subject of this decision.

2. The Council responded on 6 August 2013. The Council disclosed information to Mr Gregson which it considered fulfilled the terms of his request.

3. On 16 September 2013, Mr Gregson emailed the Council requesting a review of its decision. Mr Gregson did not consider that all relevant information had been disclosed to him. Additionally, he was dissatisfied that some of the information disclosed to him contained redactions.

4. The Council notified Mr Gregson of the outcome of its review on 14 October 2013. The Council explained that it had redacted some information under the exemption in section 38(1)(b) of FOISA on the basis that its disclosure would contravene the data protection principles in the DPA. The Council also explained that it intended disclosing an additional email to him (this was subsequently disclosed on 21 October 2013).

5. On 19 November 2013, Mr Gregson wrote to the Commissioner, stating that he was dissatisfied with the outcome of the Council's review and applying to the Commissioner for a decision in terms of section 47(1) of FOISA.

6. The application was validated by establishing that Mr Gregson made a request for information to a Scottish public authority and applied to the Commissioner for a decision only after asking the authority to review its response to that request.

Investigation

7. On 22 November 2013, the Council was notified in writing that an application had been received from Mr Gregson and was asked to provide the Commissioner with the information withheld from him. The Council provided the information and the case was then allocated to an investigating officer.

8. The investigating officer subsequently contacted the Council, giving it an opportunity to provide comments on the application (as required by section 49(3)(a) of FOISA) and asking it to respond to specific questions. The Council was asked to justify its reliance on any provisions of FOISA it considered applicable to the information requested. The Council was also asked to explain the searches that it had undertaken in order to locate and retrieve any information falling within the scope of Mr Gregson's request.

9. At this stage, the investigating officer pointed out that some of the information withheld under the exemption in section 38(1)(b) did not appear to comprise personal data. Instead, it comprised the names of businesses. The investigating officer asked the Council if it was now prepared to disclose this information to Mr Gregson. Additionally, the investigating officer noted that some of the information withheld under section 38(1)(b) comprised the names of two Council employees whose names had already been disclosed to Mr Gregson. The investigating officer asked the Council if it was willing also to disclose this information to Mr Gregson.

10. In response, the Council provided submissions on why it considered the withheld information was exempt from disclosure in terms of section 38(1)(b) of FOISA. It also clarified the searches that had been undertaken in order to locate and retrieve any relevant information. The Council was now prepared to disclose the information referred to in paragraph 9 above to Mr Gregson, but preferred to do so at the conclusion of the Commissioner's investigation.

11. During the investigation, the investigating officer also sought and received submissions from Mr Gregson.

Commissioner's analysis and findings

12. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to her by both Mr Gregson and the Council. She is satisfied that no matter of relevance has been overlooked.

Has all relevant information been identified and retrieved by the Council?

13. In his application to the Commissioner, Mr Gregson expressed dissatisfaction with the Council's failure to disclose correspondence from other individuals despite some "cross reference" in the correspondence disclosed to him by the Council on 6 August 2013. In subsequent correspondence with the investigating officer, Mr Gregson suggested that other information had been hidden or lost.

14. In its submissions to the Commissioner, the Council clarified that the only information it held which fell into this category was an email which (as noted above) was disclosed to Mr Gregson on 21 October 2013.

15. The Commissioner has checked the information that was disclosed to Mr Gregson on 6 August 2013. She is satisfied that the only information referenced therein which could be construed as a "cross reference" to correspondence from other individuals was the email which the Council disclosed to Mr Gregson on 21 October 2013.

16. The Council explained that all of the information it held in relation to the investigation of the statutory nuisance in this case was contained in the paper file on the case which was held in its Environmental Health Office. This information had been disclosed to Mr Gregson.

17. The Council further explained that it had searched the email accounts of the officers who had dealt with the statutory nuisance, and explained the search terms that had been utilised.

18. Having considered the Council's submissions, the Commissioner is satisfied that it took adequate, proportionate steps to establish that all relevant information falling within the scope of Mr Gregson's request had been identified and retrieved. That information was disclosed to Mr Gregson, subject to the redaction of the personal data which is the subject of this decision.

19. The Commissioner also notes that her remit in carrying out this investigation extends to the consideration of whether the Council actually holds the relevant information requested by Mr Gregson. She cannot comment on whether a public authority should have recorded any, or more, information about a particular event or process. Consequently, in this instance, she cannot comment on whether the Council ought to hold further recorded information, or whether it was entitled to deal with the statutory notice which is the subject of this decision in the way it did.

Section 38(1)(b) of FOISA - personal data

20. The Council applied the exemption in section 38(1)(b) to information which had been redacted from the documents disclosed to Mr Gregson. This was on the basis that the information comprised the personal data of individuals. The Council submitted that disclosure of the information would breach the first data protection principle of the DPA.

21. Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or, as appropriate, section 38(2)(b), exempts information from disclosure if it is "personal data" (as defined in section 1(1) of the DPA) and its disclosure would contravene one or more of the data protection principles set out in Schedule 1 to the DPA.

22. In order to rely on this exemption, the Council must show that the information being withheld is personal data for the purposes of the DPA and that its disclosure into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles to be found in Schedule 1 to the DPA.

Is the information personal data?

23. Personal data are defined in section 1(1) of the DPA as data which relate to a living individual who can be identified a) from those data, or b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller (the full definition is set out in the Appendix).

24. During the investigation, it was apparent to the investigating officer that some of the information that had been redacted by the Council did not comprise personal data, instead comprising the details of businesses. The investigating officer asked the Council if it was prepared to disclose this information to Mr Gregson. The Council agreed to disclose this information, but believed it should only do so at the end of the Commissioner's investigation.

25. To the extent that the information withheld by the Council concerns businesses, the Commissioner finds that the information does not comprise personal data and therefore was incorrectly withheld by the Council under the exemption in section 38(1)(b). The Commissioner now requires the Council to disclose this information to Mr Gregson. (The Commissioner takes the view that, as best practice, information should always be disclosed as quickly as possible and is disappointed that the Council did not do so as soon as it accepted that the information was not exempt from disclosure.)

26. The Commissioner is satisfied that the remaining withheld information is personal data, in line with the definition in part a) of section 1(1) of the DPA. Living individuals, i.e. the named members of the public and Council employees, can be identified from this information. The names of the individuals would clearly allow their identification, and reveal that they had been the recipients of correspondence from the Council or worked for the Council.

Would disclosure of the personal data contravene the first data protection principle?

27. As noted above, the Council argued that making this information available would breach the first data protection principle. This states that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met. In the case of sensitive personal data, at least one of the conditions in Schedule 3 to the DPA must also be met. The processing in this case would be making the information available in response to Mr Gregson's request.

28. The Commissioner has considered the definition of sensitive personal data set out in section 2 of the DPA, and she is satisfied that the personal data under consideration in this case do not fall into any of the categories set out in that definition. Therefore, it is not necessary to consider the conditions in Schedule 3 in this case.

29. There are three separate aspects to the first data protection principle: (i) fairness, (ii) lawfulness and (iii) the conditions in the schedules. However, these three aspects are interlinked. For example, if there is a specific condition which permits the personal data to be disclosed, it is likely that disclosure would also be fair and lawful.

30. The Commissioner must now go on to consider whether there are any conditions in Schedule 2 to the DPA which would permit the personal data to be disclosed. Where a Schedule 2 condition can be met, she will then go on to consider whether disclosure of the personal data would otherwise be fair and lawful.

31. When considering the conditions in Schedule 2, the Commissioner has noted Lord Hope's comment in the case of Common Services Agency v Scottish Information Commissioner [2008] UKHL 47[1] that the conditions require careful treatment in the context of a request for information under FOISA (and, by extension, the EIRs), given that they were not designed to facilitate the release of information, but rather to protect personal data from being processed in a way that might prejudice the rights, freedoms or legitimate interests of the data subject.

Can any schedule 2 conditions be met?

32. The Commissioner considers that the only condition in Schedule 2 to the DPA which might apply in this case is condition 6. Condition 6 allows personal data to be processed if that processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subjects.

33. There are, therefore, a number of tests which must be met before condition 6(1) can apply. These are:

i. Is Mr Gregson pursuing a legitimate interest or interests?

ii. If yes, is the processing (in this case, the disclosure of the information) necessary for the purposes of those interests? In other words, is the processing proportionate as a means and fairly balanced to its ends, or could these legitimate interests be achieved by means which interfere less with the privacy of the data subjects.

iii. Even if the processing is necessary for Mr Gregson's legitimate interests, is the processing unwarranted in this case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject? As noted by Lord Hope in the CSA case, given that there is no presumption in favour of the release of personal data, the legitimate interests of Mr Gregson must outweigh the rights, freedoms or legitimate interests of the data subject(s) before condition 6 will permit the personal data to be disclosed. If the two are evenly balanced, the Commissioner must find that the Council was correct to refuse to disclose the personal data to Mr Gregson.

Is Mr Gregson pursuing a legitimate interest or interests?

34. There is no definition within the DPA of what constitutes a "legitimate interest", but the Commissioner takes the view that the term indicates that matters in which an individual properly has an interest should be distinguished from matters about which he or she is simply inquisitive. The Commissioner's published guidance on section 38 of FOISA[2] states:

In some cases, the legitimate interest might be personal to the applicant - e.g. he or she might want the information in order to bring legal proceedings. With most requests, however, there are likely to be wider legitimate interests, such as the scrutiny of the actions of public bodies or public safety.

35. In his application to the Commissioner, Mr Gregson stated that he did not consider the information that had been redacted by the Council to be "data protected". Mr Gregson stated that he considered the statutory notice to be defective. He also considered the Council's handling of the issues surrounding the statutory notice had not been dealt with appropriately, staff had dealt with the matter negligently and the Council had not exercised its statutory powers properly.

36. In its submissions, the Council contended that Mr Gregson had a legitimate interest in being able to contest the service of a statutory nuisance notice. However, the Council did not consider he had a legitimate interest in obtaining the personal data of other owner occupiers who had been served with a similar notice. In relation to the names of Council staff which had been withheld, the Council submitted that these staff were at junior and middle level in the organisation. The Council stated that these staff were not responsible for decision making and were entitled to the same rights of privacy as members of the public.

37. In this case, given the nature of Mr Gregson's dissatisfaction with the Council's handling of the matter, the Commissioner is satisfied that he has a legitimate interest in obtaining the names of Council staff who were involved in the creation of the information that was the subject of his request. This would allow him to see which staff within the Council were involved in the process of creating and issuing a statutory nuisance notice.

38. The Commissioner does not consider that this legitimate interest extends to the personal data of other owners who were also the recipients of statutory nuisance notices. The Commissioner considers that Mr Gregson has a legitimate interest in the process followed by the Council, knowing whether that process was followed lawfully and being able to challenge any decisions taken by the Council. However, the Commissioner does not consider that this interest extends to obtaining the personal data of the other owners. She does not consider the information to be of sufficient relevance to engage Mr Gregson's legitimate interest.

39. Given this conclusion (in relation to the personal data of the other owners), the Commissioner finds that there is no condition in Schedule 2 which would permit disclosure of the personal data under consideration. In the absence of a condition permitting disclosure, that disclosure would be unlawful. Consequently, the Commissioner finds that disclosure of the personal data of the other owners would breach the first data protection principle and that the information is therefore exempt from disclosure (and properly withheld by the Council) under section 38(1)(b) of FOISA.

Is the processing necessary for the purposes of those interests?

40. Having concluded that Mr Gregson has a legitimate interest in obtaining the names of the Council employees, the Commissioner must now consider whether disclosure of the personal data is necessary in order to satisfy the legitimate interests identified above. In doing so, she must consider whether these interests might reasonably be met by any alternative means.

41. The Commissioner is not aware of any other viable means of meeting Mr Gregson's interests which would interfere less with the privacy of the data subjects than providing the withheld personal data. For this reason, the Commissioner is satisfied that disclosure of the information is necessary for the purposes of Mr Gregson's legitimate interests.

Would disclosure cause unwarranted prejudice to the legitimate interests of the data subjects?

42. The Commissioner is satisfied that disclosure of the withheld personal data would be necessary to fulfil Mr Gregson's legitimate interests, but must now consider whether that disclosure would cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects. As noted above, this involves a balancing exercise between the legitimate interests of Mr Gregson and the data subjects in question (Council employees). Only if the legitimate interests of Mr Gregson outweigh those of the data subjects can the information be disclosed without breaching the first data protection principle.

43. In the Commissioner's briefing on personal information, she notes a number of factors which should be taken into account in carrying out the balancing exercise. These include:

? whether the information relates to the individual's public life (i.e. their work as a public official or employee) or their private life (i.e. their home, family, social life or finances)

? the potential harm or distress that may be caused by disclosure

? whether the individual objected to the disclosure

? the reasonable expectations of the individual as to whether the information should be disclosed.

44. As noted above, the Council withheld the names of two employees whose names had already been disclosed to Mr Gregson. Whilst the Council has now agreed to disclose this information to Mr Gregson, the Commissioner must conclude that disclosure was not unwarranted in relation to these employees on the basis that their names had already been disclosed to Mr Gregson by the Council. Therefore, the Commissioner finds that this information was incorrectly withheld by the Council in terms of section 38(1)(b) of FOISA. She now requires the Council to disclose this information to Mr Gregson.

45. In its submissions, the Council stated that the remaining withheld information related to employees at junior and middle level in the organisation. The Council stated that these employees were not responsible for decision making and were entitled to the same rights of privacy as members of the public.

46. Mr Gregson submitted that the Council had been unhelpful and obstructive in dealing properly with the statutory nuisance notice and considered the Council had hidden behind data protection issues in withholding information from him.

47. The Commissioner has considered all of the submissions made by the Council and Mr Gregson when considering the balancing test in this case. She considers that the data subjects who are employed in junior and middle level would hold no expectations that they would be publicly named (which is the effect of the disclosure of information under FOISA) in relation to the limited work they had undertaken in the matter. In the Commissioner's view, these employees had no significant involvement in the decisions concerning the issuing of the statutory nuisance notice.

48. On balance, while the Commissioner accepts that disclosure of the withheld information would be necessary to fulfil Mr Gregson's legitimate interests, she does not agree that this outweighs the prejudice that would be caused to the data subjects' rights, freedoms and legitimate interests. She considers that such prejudice would be unwarranted in this case. The Commissioner is therefore satisfied that condition 6 of Schedule 2 is not met in this case.

49. Having concluded that disclosure of the withheld information would lead to unwarranted prejudice to the rights, freedoms and legitimate interests of the data subjects, the Commissioner must also conclude that disclosure would be unfair. As condition 6 cannot be met, she would also regard disclosure as unlawful. In all the circumstances, therefore, she finds that disclosure would breach the first data protection principle and that this information was properly withheld under section 38(1)(b) of FOISA.

DECISION

The Commissioner finds that Aberdeenshire Council (the Council) partially complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by Mr Gregson.

The Commissioner finds that the Council was entitled to withhold the personal data of some members of staff and of members of the public.

The Commissioner finds that the Council was not entitled to withhold the names of businesses and the employees whose personal data had already been disclosed to Mr Gregson. The Commissioner therefore requires the Council to disclose this information to Mr Gregson by 5 May 2014.

Appeal

Should either Mr Gregson or Aberdeenshire Council wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement
20 March 2014

Appendix

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(4) The information to be given by the authority is that held by it at the time the request is received, except that, subject to subsection (5), any amendment or deletion which would have been made, regardless of the receipt of the request, between that time and the time it gives the information may be made before the information is given.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

Data Protection Act 1998

1 Basic interpretative provisions

In this Act, unless the context otherwise requires -

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

Schedule 1 - The data protection principles

Part I - The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

Schedule 2 - Conditions relevant for purposes of the first principle: processing of any personal data

...

6(1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

[1]

[2]