Home Decisions

Decision 083/2018

Decision 083/2018: Ms L and Edinburgh College

Students on the Sex Offenders Register

Reference No: 201800285
Decision Date: 13 June 2018

Summary

The College was asked for statistical information about students who were enrolled at the College while on the Sex Offenders Register. The College withheld the requested information, considering it to be personal data exempt from disclosure.

The Commissioner accepted that the withheld information was exempt from disclosure for the reasons given by the College.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (4) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2)(a)(i), (2)(b) and (5) (definitions of "data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA 1998) sections 1(1) (Basic interpretative provision) (definition of personal data); Schedules 1 (The data protection principles, Part 1 - the principles) (the first data protection principle); 3 (Conditions relevant for purposes of the first principle: processing of sensitive personal data (conditions 1 and 5))

Data Protection Act 2018 (the DPA 2018) Schedule 20 (Transitional provision etc - paragraph 56)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 27 November 2017, Ms L made a request for information to Edinburgh College (the College). The information requested was:

· How many students have you enrolled in your college in the following academic years, in the knowledge that they were listed on the Sex Offenders Register at that time?

- 2015-16

- 2016-17

- 2017-18 (to date)

· How many of these students were subject to a MAPPA (Multi-Agency Public Protection Arrangements) plan or similar conditions?

· How many of these students failed to adhere to the conditions applied?

· How many of these students attained the qualification they were seeking?

2. The College responded on 21 December 2017. It gave notice that it did not hold some of the information, in line with section 17(1) of FOISA. It stated that, as individuals could be identified from the information alongside other available information, the remaining information was exempt from disclosure under section 38(1)(b) of FOISA (Personal information).

3. On 21 December 2017, Ms L emailed the College requesting a review of its decision. She questioned why some of the information was not held and, in relation to the withheld information, she considered that, due to the large number of students enrolled at the college, risk of identification from such statistical information would be virtually nil.

4. The College notified Ms L of the outcome of its review on 30 January 2018. It modified its position and stated that all of the requested information was exempt under section 38(1)(b) of FOISA.

5. On 10 February 2018, Ms L applied to the Commissioner for a decision in terms of section 47(1) of FOISA. Ms L did not agree that the exemption had been correctly applied, and reiterated the points she had made in her request for review.

Investigation

6. The application was accepted as valid. The Commissioner confirmed that Ms L made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

7. On 14 March 2018, the College was notified in writing that Ms L had made a valid application. The College was asked to send the Commissioner the information withheld from Ms L. The College provided the information and the case was allocated to an investigating officer.

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The College was invited to comment on this application and answer specific questions including justifying its reliance on any provisions of FOISA it considered applicable to the information requested. It responded on 28 May 2018.

9. Ms L was asked for her comments on her legitimate interest in obtaining the withheld personal data; she did not respond.

Commissioner's analysis and findings

10. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both Ms L and the College. He is satisfied that no matter of relevance has been overlooked.

Data Protection Act 2018 (Transitional provisions)

11. On 25 May 2018, the DPA 1998 was repealed by the DPA 2018. Amongst many other things, the DPA 2018 amended section 38 of FOISA. It also introduced a set of transitional provisions which set out what should happen where a public authority dealt with an information request before FOISA was amended on 25 May 2018, but where the matter is being considered by the Commissioner after that date.

12. In line with paragraph 56 of Schedule 20 to the DPA 2018 (see Appendix 1), if an information request was dealt with before 25 May 2018 (as is the case here), the Commissioner must consider the law as it was before 25 May 2018 when determining whether the authority dealt with the request in accordance with Part 1 of FOISA.

13. Paragraph 56 of Schedule 20 goes on to say that, if the Commissioner concludes that the request was not dealt with in accordance with Part 1 of FOISA (as it stood before 25 May 2018), he cannot require the authority to take steps which it would not be required to take in order to comply with Part 1 of FOISA on or after 25 May 2018.

14. The Commissioner will therefore consider whether the College was entitled to apply the exemption in section 38(1)(b) of FOISA under the old law. If he finds that the College was not entitled to withhold the information under the old law, he will only order the College to disclose the information if disclosure would not now be contrary to the new law.

Section 38(1)(b) of FOISA (Personal information)

15. Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or, as appropriate, section 38(2)(b), exempts information from disclosure if it is "personal data" (as defined in section 1(1) of the DPA 1998) and its disclosure would contravene one or more of the data protection principles set out in Schedule 1 to the DPA 1998.

16. The exemption in section 38(1)(b) of FOISA is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

17. In order to rely on this exemption, the College must show that the information being withheld is personal data for the purposes of the DPA 1998 and that its disclosure into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles to be found in Schedule 1 to the DPA 1998. The College considered disclosure of the information would breach the first data protection principle.

Is the withheld information personal data?

18. "Personal data" are defined in section 1(1) of the DPA 1998 as "data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller" (the full definition is set out in Appendix 1).

19. The College submitted that disclosure of the withheld information would identify living individuals. The College stated that, as the numbers are extremely low, it would be possible to combine this information with other information to identify the individual or individuals.

20. The College believed there was an extremely high risk of the student(s) being identified if the statistical information was disclosed. It provided detailed submissions to explain how the individuals could be identified. (These submissions are not replicated here, as to do so could have the effect of identifying any individual(s) concerned, but they were detailed and persuasive.)

21. Having considered the submissions received from the College and the withheld information, the Commissioner accepts the arguments put forward by the College, and is satisfied that it would be possible for a determined individual to identify living individual(s) covered by the request, if the requested information was combined with other information likely to be accessible to Ms L (and others). The withheld information clearly relates to one or more living individuals. Consequently, the Commissioner accepts that the information is personal data, as defined by section 1(1) of the DPA 1998.

Is the information under consideration sensitive personal data?

22. The College submitted that the withheld information constituted sensitive personal data. The College provided reasons, and referred to the definition of sensitive personal data within section 2 of the DPA 1998.

23. In this case, the Commissioner is satisfied that all of the withheld personal data falls into the category of sensitive personal data listed in section 2(g) of the DPA 1998 (see Appendix 1).

Would disclosure of the personal data contravene the first data protection principle?

24. In its submissions, the College argued that disclosure of the withheld personal data would contravene the first data protection principle, which requires that personal data are processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 to the DPA 1998 is met. In the case of sensitive personal data, at least one of the conditions in Schedule 3 to the DPA 1998 must also be met. The processing in this case would comprise making the information publicly available in response to Ms L's request.

25. Given the additional restrictions surrounding the disclosure of sensitive personal data, it is necessary in this case to consider whether there are any conditions in Schedule 3 which would permit the data to be disclosed, before considering the Schedule 2 conditions.

26. The conditions listed in Schedule 3 to the DPA 1998 have been considered by the Commissioner, as have additional conditions for processing sensitive personal data contained in legislation such as the Data Protection (Processing of Sensitive Personal Data) Order 2000. The Commissioner has not identified any of these additional conditions as potentially applicable in this case.

27. The Commissioner's guidance on section 38(1)(b)[1] of FOISA notes that the conditions in Schedule 3 are very restrictive in nature and that, generally, only the first and fifth conditions are likely to be relevant when considering a request for sensitive personal data under FOISA.

28. Condition 1 allows processing where the data subject has given explicit (and fully informed) consent to the processing (which in this case would be disclosure into the public domain in response to Ms L's request). Condition 5 allows processing where information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.

29. The Commissioner has concluded that it would not be reasonable or appropriate to seek consent from the data subject(s) for disclosure of the personal data, and that condition 1 could not be met in this case. He is also satisfied that none of the information under consideration has been made public as a result of steps deliberately taken by the data subject(s), and so condition 5 could not be met in this case.

30. Having reached these conclusions, and also having concluded that no other condition in Schedule 3 (or any other legislation) applies in the circumstances of this case, the Commissioner finds that there are no conditions which would allow the sensitive personal data to be disclosed.

31. In the absence of a condition in Schedule 3 permitting the sensitive personal data to be disclosed, the Commissioner must find that disclosure would be unfair. In the absence of such a condition, disclosure would also be unlawful. Consequently, disclosure of the sensitive personal data would contravene the first data protection principle. The Commissioner therefore finds that the College was correct to withhold the information requested by Ms L, as it was exempt from disclosure under section 38(1)(b) of FOISA.

Transitional provisions

32. Given that the Commissioner has found that the College complied with Part 1 of FOISA (as it stood before 25 May 2018) in responding to the request by Ms L, he is not required to go on to consider whether disclosure would breach Part 1 of FOISA as it currently stands.

Decision

The Commissioner finds that the College complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by Ms L.

Appeal

Should either Ms L or the College wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement

13 June 2018

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(4) The information to be given by the authority is that held by it at the time the request is received, except that, subject to subsection (5), any amendment or deletion which would have been made, regardless of the receipt of the request, between that time and the time it gives the information may be made before the information is given.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

 Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

2 Sensitive personal data

In this Act "sensitive personal data" means personal data consisting of information as to-

(g) the commission or alleged commission by [the data subject] of any offence, or

Schedule 1 - The data protection principles

Part I - The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

Schedule 3 - Conditions relevant for purposes of the first principle: processing of sensitive personal data

1. The data subject has given his explicit consent to the processing of the personal data.

5. The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.

Data Protection Act 2018

Schedule 2 - Transitional provision etc

56 Freedom of Information (Scotland) Act 2002

(1) This paragraph applies where a request for information was made to a Scottish public authority under the Freedom of Information (Scotland) Act 2002 ("the 2002 Act") before the relevant time.

(2) To the extent that the request is dealt with after the relevant time, the amendments of the 2002 Act in Schedule 10 to this Act have effect for the purposes of determining whether the authority deals with the request in accordance with Part 1 of the 2002 Act.

(3) To the extent that the request was dealt with before the relevant time -

(a) the amendments of the 2002 Act in Schedule 19 to this Act do not have effect for the purposes of determining whether the authority deals with the request in accordance with Part 1 of the 2002 Act as amended by Schedule 19 to this Act, but

(b) the powers of the Scottish Information Commissioner and the Court of Session, on an application or appeal under the 2002 Act, do not include power to require the authority to take steps which it would not be required to take in order to comply with Part 1 of the 2002 Act as amended by Schedule 19 to this Act.

(4) In this paragraph -

"Scottish public authority" has the same meaning as in the 2002 Act;

"the relevant time" means the time when the amendments of the 2002 Act in Schedule 19 to this Act come into force.

[1] http://www.itspublicknowledge.info/Law/FOISA-EIRsGuidance/section38/Section38.aspx