Home Decisions

Decision 071/2019

Decision 071/2019: Reasonable adjustment under the Equality Act 2010

Public authority: Dumfries and Galloway Counci
Case Ref: 201801011

Summary

The Council was asked for documentation confirming that an assertion made by the Council in relation to a request made under the Equality Act 2010 was true.

The Council initially failed to respond to the request but, on review, withheld the information under section 38(1)(b) of FOISA.

The Commissioner investigated and found that the information, which comprised third party special category data, was exempt from disclosure under FOISA. 

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and 2(e)(ii) (Effect of exemptions); 38(1)(b), (2A)(a) and (5) (definitions of "the data protection principles", "data subject", "the GDPR", "personal data" and "processing") (Personal information)

General Data Protection Regulation (the GDPR) articles 4(11) (Definitions); 5(1)(a) (Principles relating to the processing of personal data), 9(2)(a) and (e) (Special category data)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5) and (10) (Terms relating to the processing of personal data); 10(1)(c) (Special categories of personal data and criminal convictions etc data); 11(1)(a) (Special categories of personal data etc: supplementary); schedule 2, Part 4, section 19(a) and (b) (Exemptions etc from the GDPR)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. This decision follows on from previous communications between Mr E, his partner and Dumfries and Galloway Council (the Council) with regard to a request made to the Council for a "reasonable adjustment" under the Equality Act 2010.

2. On 19 March 2018, Mr E made an information request to the Council. He asked for documentation proving that an assertion made by the Council was true.

3. On 20 April 2018, Mr E wrote to the Council requesting a response to his request as the 20 day statutory deadline had passed.

4. This was followed up by a further email from Mr E on 4 May 2018 seeking a review of the Council's handling of his FOI request and failure to respond.

5. The Council responded on 14 June 2018. It apologised for the failure to respond to Mr E's request and request for review. The Council confirmed that it held information in relation to his request, but that it was withholding it under section 38(1)(b) of FOISA (Personal information).

6. Later that day, Mr E wrote to the Commissioner. Mr E applied to the Commissioner for a decision in terms of section 47(1) of FOISA. He stated he was dissatisfied with the outcome of the Council's review because he disagreed with the exemption applied and believed the information could be disclosed.

Investigation

7. The application was accepted as valid. The Commissioner confirmed that Mr E made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

8. On 13 August 2018, the Council was notified in writing that Mr E had made a valid application. The Council was asked to send the Commissioner the information withheld from Mr E. The Council provided the information and the case was allocated to an investigating officer.

9. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. On 2 October 2018, the Council was invited to comment on this application and to answer specific questions.

10. The Council initially failed to respond to the request for submissions, or engage with the investigator, wrongly assuming that the Scottish Information Commissioner and the (UK) Information Commissioner (the ICO) were the same body and that correspondence provided by the Council to the ICO on a related matter was accessible to the investigator.

11. On 28 November 2018, the Council advised Mr E that the information withheld under section 38(1)(b) of FOISA was the same information that had been provided to his partner in response to a subject access request (SAR). The Council commented that his partner had previously reminded the Council that she consented to the sharing of her personal information with Mr E. The Council hoped that this may resolve the issue.

12. The investigator contacted Mr E to see if he was willing to withdraw his application.

13. Mr E confirmed he had received the communication from the Council, but remained dissatisfied and wanted the Commissioner to issue a decision.

14. The Council eventually provided the Commissioner with submissions on 20 December 2018.

Commissioner's analysis and findings

15. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the submissions made to him by Mr E. He is satisfied that no matter of relevance has been overlooked.

Section 38(1)(b) (Personal information)

16. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is "personal data" (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the GDPR.

17. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

18. In order to rely on this exemption, the Council must show that the information being withheld is personal data for the purposes of the DPA 2018 and that its disclosure into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles to be found in Article 5(1) of the GDPR.

Is the withheld information personal data?

19. The first question the Commissioner must address is whether the information is personal data for the purposes of section 3(2) of the DPA 2018. (The definition is set out in full in Appendix 1.)

20. The Commissioner's briefing on section 38 (Personal information)[1] notes that the two main elements of personal data are that:

(i) the information must "relate to" a living person; and

(ii) the living individual must be identifiable.

21. Information will "relate to" a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them or has them as its main focus.

22. An "identifiable living individual" is one who can be identified, directly or indirectly, by reference to an identifier (such as a name) or one or more factors specific to the individual (see section 3(3) of the DPA 2018).

23. The information withheld by the Council comprises:

(i) a request from a senior social worker to a Council solicitor for legal advice and

(ii) a note of the advice given by the solicitor by phone.

24. The request for advice itself, read in conjunction with the note of the advice, clearly identifies the relevant third parties (i.e. Mr E's partner and the partner's child). It is also important to note that Mr E is aware of the identities of the third parties.

25. The request for advice, and the advice itself, is about a specific social work case and meetings with the Council's social work department. The withheld information therefore relates to the third parties.

26. The Commissioner is therefore satisfied that the information captured by Mr E's request is, by definition, the personal data for the purposes of section 3(2) of the DPA 2018.

Would disclosure contravene one of the data protection principles?

27. Article 5(1)(a) of the GDPR requires personal data to be processed "lawfully, fairly and in a transparent manner in relation to the data subject."

28. The definition of "processing" is wide and includes (section 3(4)(d) of the DPA 2018) "disclosure by transmission, dissemination or otherwise making available". In the case of FOISA, personal data are processed when disclosed in response to a request.

Lawfulness

29. As noted above, the information in question relates to a request for a reasonable adjustment under the Equality Act 2010. It reveals information about the third parties' health. Information about a data subject's health is "special category data" for the purposes of Article 9 of the GDPR. Special category data is afforded more protection by the GDPR.

30. The Commissioner considers that the only situations where it is likely to be lawful to disclose special category data in response to an information request under FOISA are where, in line with Article 9 of the GDPR:

  • the data subject has explicitly consented to their personal data being disclosed in response to the information request (condition 2(a)) or
  • the personal data has manifestly been made public by the data subject (condition 2(e))

Explicit consent

31. Article 4(11) of the GDPR states that consent must be freely given, specific, informed and unambiguous. While Mr E's partner has consented to the Council sharing their personal data with Mr E, this does not mean that they have consented to extend to their personal data being disclosed into the wider public domain, which would be the effect if the data was disclosed under FOISA.

32. Similarly, there is nothing to suggest that consent, for the purposes of Article 4, has been given either by or on behalf of the child.

Manifestly made public

33. Neither the Council nor Mr E has suggested that the personal data has manifestly been made public by either of the data subjects.

34. In the circumstances, the Commissioner has concluded, in the absence of a condition in the GDPR allowing the special category data to be processed, that disclosing the information would be unlawful.

Fairness

35. Given that the Commissioner has concluded that the processing of the data would be unlawful, he is not required to go on to consider whether disclosure of the personal data would otherwise be fair or transparent in relation to the data subjects.

36. The Commissioner therefore finds that the personal data is exempt the information requested from disclosure under section 38(1)(b) of FOISA.

Decision

The Commissioner finds that, in respect of the matters raised in Mr E's application, Dumfries and Galloway Council complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by Mr E.

Appeal

Should either Mr E or Dumfries and Galloway Council wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement
15 May 2019

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(5) In this section-

"the data protection principles" means the principles set out in -

(a) Article 5(1) of the GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

"the GDPR", "personal data", "processing" and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4), (10), (11) and (14) of that Act);

 

General Data Protection Regulation

4 Definitions

For the purposes of this Regulation:

11 "consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

5 Principles relating to processing of personal data

1 Personal data shall be:

a. processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency")

9 Processing of special categories of personal data

1 Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

2 Paragraph 1 shall not apply if one of the following applies:

a. the data subject has given explicit consent to the processing of those personal data for one or more specific purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

e. processing relates to personal data which are manifestly made public by the data subject …

Data Protection Act 2018

3 Terms relating to the processing of personal data

(2) "Personal data" means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

(3) "Identifiable living individual" means a living individual who can be identified, directly or indirectly, in particular by reference to -

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

(4) "Processing", in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as -

(d) disclosure by transmission, dissemination or otherwise making available,

(subject to subsection (14)(c) and sections 5(7), 29(2) and 82(3), which make provision about references to processing in the different Parts of this Act).

(5) "Data subject" means the identified or identifiable living individual to whom personal data relates.

(10) "The GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

[1] http://www.itspublicknowledge.info/Law/FOISA-EIRsGuidance/section38/Section38.aspx