Decision Notice 071/2024: Complaint made by the Standards Commission
Authority: Scottish Parliament
Case Ref: 202200389
Summary
The Applicant asked the Authority for the formal complaint sent to it by the Standards Commission about the
conduct of the former Ethical Standards Commissioner. The Authority identified two letters and initially withheld
them both on the grounds that they comprised personal data, before later disclosing one letter.
The Commissioner investigated and found that the Authority had partially breached FOISA in responding to the
request. While the Commissioner found that the Authority had correctly withheld some information, he found that
it had wrongly withheld other information under the exemption claimed.
Relevant statutory provisions
Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 2(1) and (2)
(e)(ii) (Effect of exemptions) ;38(1)(b), (2A)(a), (5) (definitions of “data protection principles”, “data
subject”, “personal data”, “processing” and “UK GDPR”) and 5(A) (Personal information); 47(1) and (2) (Application
for decision by Commissioner)
United Kingdom General Data Protection Regulation (the UK GDPR) Articles 4(1) (definition of “personal data”)
(Definitions) articles 5(1)(a) (Principles relating to processing of personal data); 6(1)(f) (Lawfulness of
processing); 9(1) and (2)(e) (Processing of special categories of personal data)
Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5), (10) and (14)(a), (c) and (d) (Terms
relating to the processing of personal data)
The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The
Appendix forms part of this decision.
Background
1. On 7 February 2022, the Applicant made a request for information to the Authority. He asked for the
formal complaint, sent to the Authority, by the Standards Commission about the conduct of the Commissioner for
Ethical Standards.
2. The Authority responded on 24 February 2022 and confirmed that it held two letters falling within the
scope of the request and it was withholding them both in their entirety under section 38(1)(b) of FOISA.
3. On 2 March 2022, the Applicant wrote to the Authority requesting a review of its decision. The Applicant
stated that he was dissatisfied with the decision because he did not accept that the exemption had been correctly
applied given that some of the information had already been disclosed by the Standards Commission.
4. The Authority notified the Applicant of the outcome of its review on 24 March 2022. It confirmed its
original decision, and provided further argument as to why section 38(1)(b) applied to the information.
5. On 1 April 2022, the Applicant wrote to the Commissioner, applying for a decision in terms of section
47(1) of FOISA. The Applicant stated he was dissatisfied with the outcome of the Authority’s review because he
considered that either the exemption had been applied incorrectly or it had been applied without due weight given
to the public interest in disclosure. He argued that there was a clear and legitimate interest in the personal
data being disclosed.
Investigation
6. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the
power to carry out an investigation.
7. On 5 May 2022, the Authority was notified in writing that the Applicant had made a valid application. The
Authority was asked to send the Commissioner the information withheld from the Applicant. The Authority provided
the information and the case was allocated to an investigating officer.
8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide
comments on an application. The Authority was invited to comment on this application and to answer specific
questions. These related to why it considered that section 38(1)(b) applied to the information it was withholding.
Information disclosed during the investigation
9. During the investigation the Authority disclosed one of the two letters it was withholding under section
38(1)(b) of FOISA, namely the letter dated 27 April 2021.
10. The Applicant asked the Commissioner to focus solely on the letter that the Authority was continuing to
withhold from him (the November letter). As a consequence, this decision will only consider the information
withheld in the November letter and will not reach a view on the April letter, that has since been disclosed.
Scope of the investigation
11. The Commissioner will now consider whether or not the Authority has correctly withheld the letter dated 11
November 2021, under section 38(1)(b) of FOISA.
Commissioner’s analysis and findings
12. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority.
Section 38(1)(b) – Personal information
13. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) or (b), exempts information from
disclosure if it is “personal data”, (as defined in section 3(2) of the DPA 2018) and its disclosure would
contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR or (where
relevant) in the DPA 2018.
14. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an
absolute exemption. This means it is not subject to the public interest test contained in section 2(1)(b) of
FOISA.
15. To rely on the exemption in section 38(1)(b), the Authority must show that the withheld information is
personal data for the purposes of the DPA 2018 and that disclosure of the information into the public domain
(which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles in
Article 5(1) of the UK GDPR.
Is the withheld information personal data?
16. The first question the Commissioner must address is whether the information withheld by the Authority
under this exemption is personal data for the purposes of section 3(2) of the DPA 2018, i.e. any information
relating to an identified or identifiable living individual. “Identifiable living individual” is defined section
3(3) of the DPA 2018 – see Appendix 1. (This definition reflects the definition of personal data in Article 4(1)
of the UK GDPR, also set out in Appendix 1.)
17. Information will "relate to" a person if it is about them, is linked to them, has biographical
significance for them, is used to inform decisions affecting them, or has them as its main focus.
18. The Authority has submitted that the personal data relates to the now former Commissioner for Ethical
Standards in Public Life in Scotland (the former Ethical Standards Commissioner) and that some of the information
comprises special category health data, within the meaning of Article 9 of the UK GDPR.
19. The Commissioner has reviewed the content of the withheld letter (the November letter) and he concurs with
the explanation provided by the Authority, and is satisfied that all of the information being withheld under
section 38(1)(b) is personal data. The Commissioner notes that the information identifies a living individual
(the former Ethical Standards Commissioner) and the views and comments in the letter are clearly focused on, and
relate to, that individual. He is also satisfied that some of this personal data is special category health data.
Would disclosure contravene one of the data protection principles?
20. The Authority argued that disclosure would breach the data protection principle (Article 5(1)(a) of the UK
GDPR). Article 5(1)(a) states that personal data shall be processed “lawfully, fairly and in a transparent manner
in relation to the data subject.”
21. "Processing" of personal data is defined in section 3(4) of the DPA 2018. It includes (section 3(4)(d))
disclosure by transmission, dissemination or otherwise making available personal data. The definition therefore
covers disclosing information into the public domain in response to a FOISA request.
22. The Commissioner must consider whether disclosure of the personal data would be lawful. In considering
lawfulness, he must consider whether any of the conditions in Article 6 of the UK GDPR would allow the data to be
disclosed.
23. The Commissioner considers that condition (f) in Article 6(1) is the only condition which could
potentially apply in the circumstances of this case.
Special category personal data
24. As noted above, some of the information which has been redacted by the Authority is special category
personal data. The Commissioner’s guidance on section 38(1)(b) notes (paragraphs 70 to 72) that Article 9 of the
UK GDPR only allows special category personal data to be processed in very limited circumstances. Although
Schedule 1 to the DPA 2018 contains a wide range of conditions which allow authorities to process special category
data, for the purposes of FOISA, the only situation where it is likely to be lawful to disclose third party
special category data in response to an information request is where, in line with Article 9(2)(e) of the UK GDPR,
the personal data has manifestly been made public by the data subject. Any public authority relying on this
condition must be certain that the data subject made the disclosure with the intention of making the special
category data public.
25. In this case, there is nothing to suggest that disclosing information about the former Ethical Standards
Commissioner’s health would comply with Article 9(2)(e).
26. Consequently, the Commissioner is satisfied that it would be unlawful for the Authority to disclose this
information. Disclosing the special category data would breach the first data protection principle. It is
therefore exempt from disclosure under section 38(1)(b) of FOISA.
Non-special category personal data
27. The Commissioner must now consider the remaining personal data which has been withheld and decide whether
disclosing it would breach the first data protection principle.
28. In considering lawfulness, the Commissioner must consider whether any of the conditions in Article 6(1) of
the UK GDPR would allow the data to be disclosed. As the Commissioner has noted in his guidance on section 38(1)
(b) (paragraph 54), condition (f) is the only condition which could potentially apply in the circumstances of this
case.
Condition (f) – legitimate interests
29. Condition (f) states that processing shall be lawful if it –
is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where
such interests are overridden by the interests or fundamental rights and freedoms of the data subject which
require protection of personal data, in particular where the data subject is a child.
30. Although Article 6 states that this condition cannot apply to processing carried out by a public authority
in the performance of their tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public authorities
can rely on Article 6(1)(f) when responding to requests under FOISA.
31. The three tests which must be met before Article 6(1)(f) can be fulfilled are as follows:
(i) Does the Applicant have a legitimate interest in obtaining the personal data?
(ii) If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?
(iii) Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by
the interests or fundamental rights and freedoms of the data subject?
32. There is no presumption in favour of the disclosure of personal data under the general obligation laid
down by section 1(1) of FOISA. Accordingly, the legitimate interests of the Applicant must outweigh the rights
and freedoms or legitimate interests of the data subject before condition (f) will permit the data to be
disclosed. If the two are evenly balanced, the Commissioner must find that the Authority was correct to refuse to
disclose the personal data to the Applicant.
Does the Applicant have a legitimate interest in obtaining the personal data?
33. The Applicant submitted that it was important to note the importance of the role of the Ethical Standards
Commissioner and the way in which that role related to public life and standards in public life.
34. He commented that the former Ethical Standards Commissioner was paid significant money during their
“extended leave” and that this information is in the public domain. He argued that this “extended leave” damaged
the way the standards system, which protects Scotland's democracy by acting as a watchdog of those elected or
appointed to public office, operated so badly that it was subject to a scathing report by the Auditor General in
which failings within the organisation were described as “disturbing”.
35. The Applicant submitted that this demonstrated the importance of the information being made public,
particularly given the role of a Commissioner as an office holder of the Scottish Parliament, which is an
inherently public-facing role.
36. In its submissions the Authority recognised the legitimate interest of the Applicant in seeking the letter
in the course of his work as a journalist and for the purposes of accountability and scrutiny of the office of the
Ethical Standards Commissioner.
37. The Commissioner is satisfied that the Applicant has a legitimate interest in the personal data, for the
reasons acknowledged by the Authority and, taking into account the nature of the report issued by the Auditor
General . These are clearly matters of considerable public interest.
Is disclosure necessary to achieve that legitimate interest?
38. The Commissioner will now consider whether disclosure of the personal data requested is necessary for the
Applicant’s identified legitimate interest. In doing so, he must consider whether these interests might
reasonably be met by any alternative means.
39. The Commissioner has considered this carefully in light of the decision of the Supreme Court in South
Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55 .
40. Here, “necessary” means “reasonably” rather than “absolutely” or “strictly” necessary. The Commissioner
must, therefore, consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to
be achieved, or whether the Applicant’s legitimate interests can be met by means which interfere less with the
privacy of the data subject.
41. The Authority did not agree that disclosure of the information in the November letter was necessary and it
argued that the Applicant’s legitimate interests could be met in other ways. It submitted that the Applicant
could review the substantial publicly-available work being done to remedy the issues in the Commissioner’s office,
and that such an approach would be less detrimental to the former Ethical Standards Commissioner as an individual
data subject.
42. The Applicant commented that his request was seeking details of a formal complaint submitted to Parliament
by the Standards Commission about the former Ethical Standards Commissioner. He argued that disclosure of the
November letter was required, due to the overwhelming public interest in the matters covered by his request.
43. The Commissioner has considered the Authority’s views, and he acknowledges that there was some publicly
available information about the issues in the former Ethical Standards Commissioner’s office, at the time of the
Applicant’s information request, but he is not satisfied that this fully addresses the information contained in
the November letter.
44. The Commissioner can identify no other viable means of meeting the Applicant’s legitimate interests than
providing the withheld information. In all the circumstances, the Commissioner is satisfied that disclosure of
the information is necessary for the purposes of the Applicant’s legitimate interests.
Balancing the legitimate interests of the Applicant and the legitimate interests or fundamental rights and
freedoms of the data subjects
45. Having found that disclosure is necessary for the purposes of the Applicant’s legitimate interests, the
Commissioner must now balance the legitimate interests in disclosure against the individual’s interests or
fundamental rights and freedoms.
46. The Commissioner’s guidance on section 38 of FOISA lists certain factors that should be taken into
account in balancing the interests of the parties. He makes it clear that much will depend on the reasonable
expectations of the data subjects and that these are some of the factors public authorities should consider:
(i) Does the information relate to an individual’s public life (their work as a public official or employee)
or their private life (their home, family, social life or finances)?
(ii) Would disclosure cause harm or distress?
(iii) Whether the individual has objected to the disclosure.
47. As noted above, disclosure under FOISA is public disclosure; information disclosed under FOISA is
effectively placed into the public domain.
48. The Commissioner acknowledges that the November letter was sent from the Standards Commission to the
Parliament and that it concerns the actions and practices of the former Ethical Standards Commissioner. At the
time of the request (7 February 2022) the former Ethical Standards Commissioner was on long-term leave and another
individual was functioning as Acting Ethical Standard Commissioner. However, while absent, the former Ethical
Standards Commissioner was still employed and therefore, at the time of the request she still held a senior
position in public life.
49. The Authority made detailed submissions explaining why the personal data should be withheld, and why the
legitimate interests of the data subject outweighed those of the requester. The Commissioner will not reproduce
those arguments in full in this decision notice, but he has taken them into account.
50. The Commissioner must consider the circumstances at the time the Authority responded to the Applicant’s
request for review, and at that point the former Ethical Standards Commissioner was still employed, albeit on long
term leave. The former Ethical Standards Commissioner was not simply a private individual, but was a public
figure of some seniority, holding a post with significant powers and duties. The Commissioner is satisfied that
the withheld information relates to the public life of the former Ethical Standards Commissioner, in that it
identifies her as a senior officeholder, and raises concerns about how she discharged her public duties.
51. The Commissioner has also considered the harm or distress that might be caused by disclosure of the
personal data. Disclosure, under FOISA, is a public disclosure. He has taken this into account when reaching his
decision.
52. The Authority made a number of points supporting its view that disclosure could cause harm and distress to
the data subject. It stated that the allegations made against the former Ethical Standards Commissioner in the
November letter were not, to its knowledge, in the public domain (in marked contrast to the information in the
April letter) and it commented that the former Ethical Standards Commissioner had had no opportunity to respond to
the allegations and that, disclosing the complaint now could objectively have a detrimental impact on the former
Ethical Standard Commissioner.
53. The Authority explained that the April and November letters were submitted in the context of a challenging
period for the office of the Ethical Standards Commissioner, and concern in a number of quarters about the
functioning and governance of Scotland’s Ethical Standards regime. It argued that it had to balance the objective
expectation of public scrutiny that comes with the role of Ethical Standard Commissioner, with the former Ethical
Standards Commissioner’s personal circumstances and the extent to which they might be exacerbated by disclosure of
the information in question.
54. The Commissioner considers that the November letter comprises some comments which are, arguably, more
personal and go beyond the sphere of work and public accountability. The Commissioner is satisfied that
disclosure of these comments would cause some harm to the data subject and that the former Ethical Standards
Commissioner would not have had any reasonable expectation that their personal data would be made public in this
way.
55. Having carefully balanced the legitimate interests of the Applicant against the interests or fundamental
rights or freedoms of the data subject, the Commissioner finds that for some of the personal comments, the
legitimate interests served by disclosure of the personal data would be outweighed by the unwarranted prejudice
that would result to the rights and freedoms and legitimate interests of the data subject. He finds that this
information has been correctly withheld under section 38(1)(b) of FOISA.
56. However, given the seniority of the data subject and the significant public profile they have in relation
to their role, as well as the public concerns that had already been disclosed into the public domain by Audit
Scotland, the Commissioner considers that it would be within their reasonable expectation that concerns raised by
the Standards Commission regarding the execution of their official duties would be made public. As a consequence,
the Commissioner finds that fulfilment of the legitimate interests of the Applicant, in relation to the remaining
personal data which he has not already found to have been correctly withheld, outweighs any harm to the data
subject’s interests, fundamental rights or freedoms.
57. In the circumstances of this particular case, the Commissioner finds that condition (f) in Article 6(1) of
the UK GDPR can be met in relation to the remaining withheld personal data.
Decision
The Commissioner finds that the Authority partially complied with Part 1 of the Freedom of Information (Scotland)
Act 2002 (FOISA) in responding to the information request made by the Applicant.
The Commissioner finds that by correctly withholding some information under section 38(1)(b) of FOISA, the
Authority complied with Part 1.
However, by wrongly withholding other information under section 38(1)(b) of FOISA, the Authority failed to comply
with Part 1.
The Commissioner therefore requires the Authority to provide the Applicant with the information it wrongly
withheld under section 38(1)(b) of FOISA, by 13 June 2024.
Appeal
Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal
to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of
intimation of this decision.
Enforcement
If the Authority fails to comply with this decision, the Commissioner has the right to certify to the Court of
Session that the Authority has failed to comply. The Court has the right to inquire into the matter and may deal
with the Authority as if it had committed a contempt of court.
David Hamilton
Scottish Information Commissioner
29 April 2024
Appendix 1: Relevant statutory provisions
Freedom of Information (Scotland) Act 2002
1 General entitlement
(1) A person who requests information from a Scottish public authority which holds it is entitled to be given
it by the authority.
(2) The person who makes such a request is in this Part and in Parts 2 and 7 referred to as the “applicant.”
…
(6) This section is subject to sections 2, 9, 12 and 14.
2 Effect of exemptions
(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to
the extent that –
(a) the provision does not confer absolute exemption; and
(b) in all the circumstances of the case, the public interest in disclosing the information is not outweighed
by that in maintaining the exemption.
(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are
to be regarded as conferring absolute exemption –
…
(e) in subsection (1) of section 38 –
…
(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.
…
38 Personal information
(1) Information is exempt information if it constitutes-
…
(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);
…
(2A) The first condition is that the disclosure of the information to a member of the public otherwise than
under this Act -
(a) would contravene any of the data protection principles, or
(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data
held by public authorities) were disregarded.
…
(5) In this section-
"the data protection principles" means the principles set out in –
(a) Article 5(1) of the UK GDPR, and
(b) section 34(1) of the Data Protection Act 2018;
"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see
section 3(2), (4) and (14) of that Act);
“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14)
of that Act).
(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the
UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be
read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public
authorities) were omitted.
…
47 Application for decision by Commissioner
(1) A person who is dissatisfied with -
(a) a notice under section 21(5) or (9); or
(b) the failure of a Scottish public authority to which a requirement for review was made to give such a
notice.
may make application to the Commissioner for a decision whether, in any respect specified in that application, the
request for information to which the requirement relates has been dealt with in accordance with Part 1 of this
Act.
(2) An application under subsection (1) must -
(a) be in writing or in another form which, by reason of its having some permanency, is capable of being used
for subsequent reference (as, for example, a recording made on audio or video tape);
(b) state the name of the applicant and an address for correspondence; and
(c) specify –
(i) the request for information to which the requirement for review relates;
(ii) the matter which was specified under sub-paragraph (ii) of section 20(3)(c); and
(iii) the matter which gives rise to the dissatisfaction mentioned in subsection (1).
UK General Data Protection Regulation
Article 4 Definitions
For the purpose of this Regulation:
1 ‘personal data’ means any information relating to an identified or identifiable natural person ('data
subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by
reference to an identifier such as a name, an identification number, location data, an online identifier or to one
or more
factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that
natural person:
…
Article 5 Principles relating to processing of personal data
1 Personal data shall be:
a. processed lawfully, fairly and in a transparent manner in relation to the data subject
(“lawfulness, fairness and transparency”)
…
Article 6 Lawfulness of processing
1 Processing shall be lawful only if and to the extent that at least one of the following applies:
…
f. processing is necessary for the purposes of the legitimate interests pursued by the
controller or by a third party, except where such interests are overridden by the
interests or fundamental rights and freedoms of the data subject which require the protection
of personal data, in particular where the data subject is a child.
Article 9 Processing of special categories of personal data
1 Processing of personal data revealing racial or ethnic origin, political opinions, religious or
philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for
the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural
person’s sex life or sexual orientation shall be prohibited.
2 Paragraph 1 shall not apply if one of the following applies:
…
e. processing relates to personal data which are manifestly made public by the data
subject;
…
Data Protection Act 2018
3 Terms relating to the processing of personal data
…
(2) “Personal data” means any information relating to an identified or identifiable living
individual (subject to subsection (14)(c)).
(3) “Identifiable living individual” means a living individual who can be identified, directly
or indirectly, in particular by reference to –
(a) an identifier such as a name, an identification number, location data or an
online identifier, or
(b) one or more factors specific to the physical, physiological, genetic, mental,
economic, cultural or social identity of the individual.
(4) “Processing”, in relation to information, means an operation or set of operations
which is performed on information, or on sets of information, such as –
…
(d) disclosure by transmission, dissemination or otherwise making available,
…
(5) “Data subject” means the identified or identifiable living individual to whom personal data relates.
…
(10) “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April
2016 on the protection of natural persons with regard to the processing of personal data and on the free movement
of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and
Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see
section 205(4)).
…
(14) In Parts 5 to 7, except where otherwise provided –
(a) references to the UK GDPR are to the UK GDPR read with Part 2;
…
(c) references to personal data, and the processing of personal data, are to personal data and processing to
which Part 2, Part 3 or Part 4 applies;
(d) references to a controller or processor are to a controller or processor in relation to the processing of
personal data to which Part 2, Part 3 or Part 4 applies.
…