Decision 077/2025: Alleged complaints
Authority: South Lanarkshire Council
Case Ref: 202401501
Summary
The Applicant asked the Authority for information relating to alleged complaints made about him by a specified person. The Authority withheld the information requested on the grounds it was either the Applicant’s personal data or third-party personal data. The Commissioner investigated and found that the Authority was entitled to withhold the information requested.
Relevant statutory provisions
Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(a), (b), (2A), (5) (definitions of “the data protection principles”, “data subject”, “personal data” and “processing”, “the UK GDPR”) and (5A) (Personal information); 47(1) and (2) (Application for decision by Commissioner).
United Kingdom General Data Protection Regulation (the UK GDPR) Articles 4(1) (definition of “personal data”) (Definitions); 5(1)(a) (Principles relating to processing of personal data); 6(1)(f) (Lawfulness of processing).
Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5), (10), 14(a), (c) and (d) (Terms relating to the processing of personal data).
Background
1. On 27 January 2022, the Applicant made a request for information to the Authority. He asked for information about any claims of racism made about him, by his neighbour [at a specified address].
2. The Authority responded on 15 February 2022. It refused the Applicant’s request as it considered that the requested information was exempt from disclosure under section 38(1)(b) of FOISA, as the information was personal information.
3. On 16 February 2022, the Applicant wrote to the Authority requesting a review of its decision. He stated that he was dissatisfied with the Authority’s decision because he did not agree with the application of the exemption and believed that the information should be provided to him.
4. The Authority notified the Applicant of the outcome of its review on 16 March 2022. It substituted a different decision and stated that it was no longer relying on section 38(1)(b) of FOISA. It was instead applying section 18(1) of FOISA, to neither confirm nor deny whether it held information falling within the scope of the Applicant’s request. It informed the Applicant that if it did hold the information, it would be exempt from disclosure under section 38(1)(a) of FOISA.
5. On 18 March 2022, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. He stated that he was dissatisfied with the outcome of the Authority’s review because he did not agree with the application of section 18(1) or section 38(1)(a) of FOISA.
6. In Decision 210/2024, the Commissioner found that the Authority was not entitled to refuse to confirm or deny, in line with section 18(1) of FOISA, whether it held the information requested, or whether that information existed. He required the Authority to provide the Applicant with a fresh review outcome (in terms of section 21(4)), otherwise than in terms of section 18 of FOISA.
7. The Authority notified the Applicant of the outcome of its revised review outcome on 14 November 2024. It withheld the information requested under the exemptions in section 38(1)(a) and (b) of FOISA, though it noted that the Applicant had already received the information withheld under section 38(1)(a) after making a subject access request.
8. On 15 November 2024, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. He stated that he was dissatisfied with the outcome of the Authority’s review because he disagreed with the exemptions applied.
Investigation
9. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.
10. On 3 December 2024, the Authority was notified in writing that the Applicant had made a valid application, and it was asked to send the Commissioner the information withheld from the Applicant. The Authority provided the information, and the case was subsequently allocated to an investigating officer.
11. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Authority was invited to comment on this application and to answer specific questions related to its reasons for withholding the information requested.
Commissioner’s analysis and findings
12. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority.
Section 38(1)(a) – Personal information (requester’s own personal data)
13. Section 38(1)(a) of FOISA contains an absolute exemption in relation to personal data of which an applicant is the data subject. The fact that it is absolute means that it is not subject to the public interest test set out in section 2(1) of FOISA.
14. This exemption exists under FOISA because individuals have a separate right to make a request for their own personal data under the UK GDPR). This route is more appropriate for individuals accessing their personal data, as it ensures that it is disclosed only to the individual.
15. Section 38(1)(a) of FOISA does not deny individuals a right to access information about themselves but ensures that the right is exercised under the correct legislation (the UK GDPR) and not under FOISA.
16. Personal data are defined in section 3(2) of the DPA 2018 which, read with section 3(3), incorporates the definition of personal data in Article 4(1) of the UK GDPR:
"… any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".
17. The Commissioner has carefully considered the information withheld under section 38(1)(a) of FOISA. It is apparent that the subject matter of the request and the withheld information relate to a matter directly concerning the Applicant. It is also apparent that the Applicant could be identified from the information withheld under section 38(1)(a) of FOISA.
18. The Commissioner therefore considers that the information withheld under section 38(1)(a) of FOISA is the Applicant’s own personal data and can therefore be withheld under this exemption. This remains the case, notwithstanding the Applicant confirming that he would be content for his own personal data to be disclosed under FOISA. (As stated above, the Applicant received the information withheld under section 38(1)(a) of FOISA, after making a subject access request for this information.)
Section 38(1)(b) – Personal information
19. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is “personal data“ (as defined in section 3(2) of the DPA 2018) and if its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR.
20. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption. This means that it is also not subject to the public interest test contained in section 2(1)(b) of FOISA.
21. To rely on the exemption in section 38(1)(b), the Authority must show that the information is personal data for the purposes of the DPA 2018 and that disclosure of the information into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles in Article 5(1) of the UK GDPR.
Is the withheld information personal data?
22. The first question that the Commissioner must address is whether the withheld information is personal data for the purposes of section 3(2) of the DPA 2018, i.e. any information relating to an identified or identifiable individual. “Identifiable living individual" is defined in section 3(3) of the DPA 2018. (This definition reflects the definition of personal data in Article 4(1) of the UK GDPR.)
23. Information will "relate to" a person if it is about them, is linked to them, has biographical significance for them, is used to inform decisions affecting them, or has them as its main focus.
24. Having reviewed the withheld information, the Commissioner is satisfied that the majority of the information being withheld under section 38(1)(b) of FOISA is personal: it identifies a living individual and clearly relates to that individual.
25. There is a small amount of information withheld under section 38(1)(b) of FOISA that does not appear to be personal data. However, the Commissioner is satisfied that this information (the phone number and email address of a member of staff of the Authority and a generic Police Scotland email address) does not fall within the scope of the request as it does not relate to claims of racism made against the Applicant by his next-door neighbour. The Commissioner will therefore not consider that information
further in his decision.
Would disclosure contravene one of the data protection principles?
26. The Authority argued that disclosing the personal data would breach the first data protection principle in Article 5(1)(a) of the UK GDPR. Article 5(1)(a) states that personal data shall be processed “lawfully, fairly, and in a transparent manner in relation to the data subject”.
27. "Processing" of personal data is defined in section 3(4) of the DPA 2018. It includes (section 3(4)(d)) disclosure by transmission, dissemination or otherwise making available personal data. The definition therefore covers disclosing information into the public domain in response to a FOISA request.
28. The Commissioner must consider whether disclosure of the personal data would be lawful. In considering lawfulness, he must consider whether any of the conditions in Article 6 of the UK GDPR would allow the data to be disclosed.
29. The Commissioner considers that condition (f) in Article 6(1) of the UK GDPR is the only condition which could potentially apply in the circumstances of this case.
Condition (f): legitimate interests
30. Condition (f) states that processing shall be lawful if it is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data...”
31. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in performance of its tasks, section 38(5A) of FOISA makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.
32. The tests which must be met before Article 6(1)(f) can be met are as follows:
(i) does the Applicant have a legitimate interest in obtaining personal data?
(ii) if so, would the disclosure of the personal data be necessary to achieve that legitimate interest?
(iii) even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subject?
Does the Applicant have a legitimate interest in obtaining the personal data?
33. The Authority did not dispute that the Applicant has a legitimate interest in obtaining the personal data.
34. The Applicant stated that the information being withheld by the Authority was of “great value” to him and that disclosure could help “restore [his] reputation” in the local area.
35. In the circumstances, the Commissioner agrees that the Applicant has a legitimate interest in obtaining the personal data.
Is disclosure of the personal data necessary?
36. Having accepted that the Applicant has a legitimate interest in the personal data, the Commissioner must consider whether disclosure would be necessary to achieve the legitimate interest in the information.
37. Here, “necessary” means “reasonably” rather than “absolutely” or “strictly” necessary. When considering whether disclosure would be necessary, public authorities must consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the Applicant’s legitimate interest could reasonably be met by means which interfered less with the privacy of the data subject.
38. The Commissioner has considered the withheld information. In the circumstances, he accepts that disclosure of the withheld information is necessary in order for the Applicant to determine the exact nature of any complaints made about him and by whom they were made.
39. The Commissioner can identify no viable means of fully meeting the Applicant's legitimate interest which would interfere less with the privacy of the data subject than disclosing the withheld information. In all the circumstances, therefore, he is satisfied that disclosure of the information is necessary for the purposes of the Applicant's legitimate interest.
40. The Commissioner will now consider whether the Applicant’s legitimate interest in obtaining the withheld information outweighs the rights and freedoms of the data subject.
The data subject’s interests or fundamental rights and freedoms (and balancing exercise)
41. The Commissioner has concluded that the disclosure of the information would be necessary to achieve the Applicant’s legitimate interests. However, this must be balanced against the fundamental rights and freedoms of the data subjects. Only if the legitimate interests of the Applicant outweighed those of the data subject could the information be disclosed without breaching the first data protection principle.
42. The Commissioner’s guidance on section 38 of FOISA list certain factors that should be taken into account in balancing the interests of the parties. He makes it clear that, in line with Recital (47) of the UK-GDPR, much will depend on the reasonable expectations of the data subjects and that these are some of the factors public authorities should consider.
(i) Does the information relate to an individual's public life (their work as a public official or employee) or to their private life (their home, family, social life or finances)?
(ii) Would the disclosure cause harm or distress?
(iii) Whether the individual has objected to the disclosure.
43. The Commissioner has considered the reasonable expectations of the data subject in this case and the potential harm or distress that could be caused by disclosure of the personal data, including the Authority’s submissions that complainers would not reasonably expect their personal data to be disclosed to the public under FOISA and that such disclosure could cause unjustified harm and distress. He has also considered the nature and scope of the request.
44. Having done so, the Commissioner agrees that the information requested would be information a person would generally expect to be kept confidential and only shared amongst limited individuals for specific purposes. He accepts that the data subject would have no reasonable expectation that the information requested would be disclosed into the public domain (which, as noted above, is the effect of information being disclosed in response to an FOI request) and that disclosure would therefore be likely to
cause the data subject a degree of harm and distress.
45. After carefully balancing the legitimate interest of the Applicant against the interests or fundamental rights or freedoms of the data subject, the Commissioner finds that the legitimate interest served by disclosure of any information held would be outweighed by the unwarranted prejudice that would result to the rights and freedoms or legitimate interests of the data subject.
46. Having found that the legitimate interest served by disclosure of the personal data are outweighed by the unwarranted prejudice that would result to the rights and freedoms or legitimate interests of the data subject, the Commissioner finds that condition (f) in Article 6(1) of the GDPR cannot be met in this case and that disclosure of the information in question would be unlawful.
47. Given that the Commissioner has concluded that the processing of the personal data would be unlawful, he is not required to go on to consider whether disclosure of the personal data would otherwise be fair and transparent in relation to the data subject.
48. The Commissioner is satisfied, in the absence of a condition in Article 6 of the UK GDPR which would allow the data to be disclosed, that disclosure would be unlawful. The personal data is therefore exempt from disclosure under section 38(1)(b) of FOISA.
Decision
The Commissioner finds that the Authority complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by the Applicant.
Appeal
Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.
Euan McCulloch
Head of Enforcement
25 March 2025
