Home Decisions

Decision 085/2017

Decision 085/2017: Mr Bill Mair and Fife Council

Complaint correspondence

Reference No: 201700395
Decision Date: 25 May 2017

Summary

The Council was asked about a complaint raised by the person making the request. The Council disclosed some information to the requester under the DPA. Following an investigation, the Commissioner found that the Council was entitled to withhold information about the complaint under FOISA as it was the applicant's own personal data. She also found that the Council failed to comply with the procedural requirements of FOISA, but did not require it to take any action.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(i) (Effect of exemptions); 16(1) and (6) (Refusal of request); 19 (Content of certain notices); 21(5) and (10) (Review by Scottish public authority); 38(1)(a) (Personal information)

Data Protection Act 1998 (the DPA) sections 1(1) (Basic interpretative provisions) (definition of "personal data")

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

All references in this decision to "the Commissioner" are to Margaret Keyse, who has been appointed by the Scottish Parliamentary Corporate Body to discharge the functions of the Commissioner under section 42(8) of FOISA.

Background

1. Mr Mair had been in correspondence with Fife Council (the Council) regarding a complaint he had raised regarding the actions of a Council employee.

2. On 13 December 2016, Mr Mair made a request for information to the Council. The request was for:

"…copies of all written correspondence to date, internal and external, relating to my original complaint against [named individual] along with a note of any meetings where it was discussed."

3. The Council responded on 27 January 2017. It explained that it was providing Mr Mair with information under the DPA, on the understanding that he had made a Subject Access Request (SAR). It stated that the information provided had been redacted in line with the Data Protection Principles.

4. On 2 February 2017, Mr Mair wrote to the Council, requesting a review of its decision and reiterating that his request had been made under FOISA. He did not believe he had been provided with all of the information requested. In particular he stated that no internal emails had been provided, highlighting an email dated 25 November 2016.

5. The Council notified Mr Mair of the outcome of its review on 21 February 2017. The Council explained it was obliged to provide as much personal information as possible under a SAR without breaching the DPA. It concluded that the internal emails requested constituted the personal data of a third party and disclosure would breach the DPA. The Council also provided a copy of the email of 25 November 2016. It stated that this had been redacted in terms of section 38(1)(b) of FOISA.

6. On 1 March 2017, Mr Mair wrote to the Commissioner. He applied to the Commissioner for a decision in terms of section 47(1) of FOISA. Mr Mair stated that he did not agree with the Council's reasons for withholding information.

Investigation

7. The application was accepted as valid. The Commissioner confirmed that Mr Mair made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to her for a decision.

8. On 14 March 2017, the Council was notified in writing that Mr Mair had made a valid application. The Council was asked to send the Commissioner the information withheld from him. The Council provided the information and the case was allocated to an investigating officer.

9. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Council was invited to comment on this application and answer specific questions relating to the application of FOISA to Mr Mair's request. It was also asked to provide the information supplied to Mr Mair under the DPA.

10. The Council responded with the information and stated that it wished to rely on section 38(1)(a) of FOISA to withhold all of the information that fell within the scope of Mr Mair's request. It also sought to rely upon section 38(1)(b) of FOISA, where the information related to third parties.

11. During the investigation, the Council stated it had re-evaluated its position and provided Mr Mair with further emails under the DPA. It also provided Mr Mair with a further copy of the email of 25 November 2016, with redacted information reinstated.

12. Mr Mair acknowledged receipt of the additional information, but wished a decision notice to be issued by the Commissioner.

Commissioner's analysis and findings

13. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to her by both Mr Mair and the Council. She is satisfied that no matter of relevance has been overlooked.

Section 38(1)(a) of FOISA

14. Section 38(1)(a) of FOISA contains an absolute exemption in relation to personal data of which the applicant is the data subject. The fact that it is absolute means that it is not subject to the public interest test set out in section 2(1) of FOISA.

15. This exemption exists under FOISA because individuals have a separate right to make a request for their own personal data (commonly known as a "SAR") under section 7 of the DPA. The DPA will therefore usually determine whether a person has a right to their own personal data, and govern the exercise of that right. Crucially, it provides for access by the data subject (the person to whom the data relate) alone, rather than (as under FOISA) disclosure to the world at large. Section 38(1)(a) of FOISA does not deny individuals a right to access to information about themselves, but ensures that the right is exercised under the DPA and not under FOISA.

16. Personal data are defined in section 1(1) of the DPA as data which relate to a living individual who can be identified: a) from those data, or b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller (the full definition is set out in Appendix 1).

17. The Council provided the Commissioner with all of the information that it held falling within the scope of Mr Mair's request. It explained that all of the information it held related to Mr Mair and was therefore Mr Mair's personal data. As such, all of the information fell to be exempted under section 38(1)(a) of FOISA.

18. The Commissioner has considered the information that falls within the scope of Mr Mair's request and the submissions received from both the Council and Mr Mair. It is apparent that any information held on the correspondence in question relates to Mr Mair's complaint, which relates to his own personal circumstances, and therefore would be his own personal data. Having considered the information in question, the Commissioner is satisfied that all of the information falls to be considered as the personal data of Mr Mair. In all the circumstances, therefore, the Commissioner is satisfied that the Council was entitled to withhold the information under section 38(1)(a) of FOISA.

19. Given that the Commissioner has concluded that the Council was entitled to withhold the information as Mr Mair's personal data, she is not required to consider whether any of the information withheld is also exempt under section 38(1)(b) of FOISA.

Additional comment on the Council's handling of the request - content of notices

20. As noted above, the Commissioner accepts that the Council was entitled to rely on section 38(1)(a) of FOISA to withhold the information falling within the scope of Mr Mair's request.

21. The Commissioner notes, however, that in responding to Mr Mair's request and requirement for review, the Council made no reference to any section of FOISA, except a reference to section 38(1)(b) of FOISA in relation to parts of the requested information. Generally, it appears to have dealt with the request as a SAR, under the DPA.

22. The Commissioner has issued guidance on Section 38 of FOISA[1], and in particular the actions that should be taken by a Scottish public authority when it receives a request when someone asks for their own personal data.

23. The Commissioner's briefing includes clear guidance on what should be done where a person asks for their own personal data under FOISA. Paragraph 33 states that even if an authority goes on to consider such a request for personal information as a SAR, it should issue a formal refusal notice in terms of section 16 of FOISA: failure to do so would be a breach of FOISA.

24. In this case, it is apparent that Mr Mair made a valid request under section 1(1) of FOISA, for information held by the Council. The Commissioner notes the Council responded to Mr Mair and advised that it was providing him with some information under the DPA. In doing so, however, the Council had a duty to provide Mr Mair with a response in terms of section 16 of FOISA.

25. Section 16(1) of FOISA states that where an authority holds information which is subject to a request under section 1(1) of FOISA, and which it intends to withhold under any exemption, the authority must give the applicant notice in writing to the effect that the information is held, and specify which exemption it considers applies to the information (with reasons). Section 16(6) of FOISA also makes it clear that a notice in terms of section 16(1) is subject to section 19 of FOISA, which requires that an applicant is informed of their right of application to the authority and the Commissioner conferred by sections 20(1) and 47(1) respectively.

26. The Commissioner notes that in responding to Mr Mair's request for information the Council's response of 27 January 2017, did not comply with the requirements of sections 16 and 19 of FOISA, as outlined in the above paragraph.

27. Section 21(10) of FOISA states that a Scottish public authority's response to the applicant (under section 21(5)) following a review carried out under section 21 must contain particulars about the rights of application to the Commissioner and of appeal to the Court of Session conferred by sections 47(1) and 56 respectively.

28. The Commissioner notes that the Council's response to Mr Mair's requirement for review of 21 February 2017 did not contain particulars about his rights of application to the Commissioner and of appeal to the Court of Session, as required by section 21(10).

29. In correspondence with the Commissioner, the Council accepted that it had failed to comply with Part 1 of FOISA in responding to Mr Mair's request for information. It explained to the Commissioner that it had advised its Information Request Team to ensure that future such requests were dealt with by exempting the information under section 38(1)(a) of FOISA and advising applicants of their review and appeal rights under FOISA.

30. In conclusion, the Commissioner finds that the Council failed to comply with the technical requirements of sections 16, 19 and 21(10) of FOISA, as outlined above, in responding to Mr Mair's requests for information. She would also urge the Council, in responding to similar requests for information, to be absolutely clear as to which legislative regime it is responding under at any given point

31. In the circumstances, given that the Council has advised staff regarding the correct procedures to be followed in future, the Commissioner does not require the Council to take any immediate action in respect of these breaches of Part 1 of FOISA.

Decision

The Commissioner finds that Fife Council (the Council) partially complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by Mr Mair.

The Commissioner accepts that the information held was exempt from disclosure under section 38(1)(a) of FOISA. However, by failing to give proper notice of this exemption in its responses to Mr Mair, and by failing to advise him of his rights of review and appeal, the Council failed to comply with sections 16(1) and (6), 19 and 21(1) of FOISA.

The Commissioner does not require the Council to take any action in this case, in response to Mr Mair's application.

Appeal

Should either Mr Mair or the Council wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Acting Scottish Information Commissioner

25 May 2017

 

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(i) paragraphs (a), (c) and (d); and

16 Refusal of request

(1) Subject to section 18, a Scottish public authority which, in relation to a request for information which it holds, to any extent claims that, by virtue of any provision of Part 2, the information is exempt information must, within the time allowed by or by virtue of section 10 for complying with the request, give the applicant a notice in writing (in this Act referred to as a "refusal notice") which-

(a) discloses that it holds the information;

(b) states that it so claims;

(c) specifies the exemption in question; and

(d) states (if not otherwise apparent) why the exemption applies.

(6) Subsections (1), (4) and (5) are subject to section 19.

 

19 Content of certain notices

A notice under section 9(1) or 16(1), (4) or (5) (including a refusal notice given by virtue of section 18(1)) or 17(1) must contain particulars-

(a) of the procedure provided by the authority for dealing with complaints about the handling by it of requests for information; and

(b) about the rights of application to the authority and the Commissioner conferred by sections 20(1) and 47(1).

21 Review by Scottish public authority

...

(5) Within the time allowed by subsection (1) for complying with the requirement for review, the authority must give the applicant notice in writing of what it has done under subsection (4) and a statement of its reasons for so doing.

(10) A notice under subsection (5) or (9) must contain particulars about the rights of application to the Commissioner and of appeal conferred by sections 47(1) and 56.

38 Personal information

(1) Information is exempt information if it constitutes-

(a) personal data of which the applicant is the data subject;

Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

[1] http://www.itspublicknowledge.info/Law/FOISA-EIRsGuidance/section38/Section38.aspx