Decision 089/2015 | Scottish Information Commissioner

Home Decisions

Decision 089/2015

Decision 089/2015: Mr Leslie Mitchell and Risk Management Authority

Changes to risk level definitions

Reference No: 201500004
Decision Date: 22 June 2015

Summary

On 17 October 2014, Mr Mitchell asked the Risk Management Authority (the RMA) for information relating to changes to risk level definitions.

RMA responded and withheld the information under various exemptions in FOISA. Following a review, Mr Mitchell remained dissatisfied and applied to the Commissioner for a decision.

During the investigation, the RMA disclosed information to Mr Mitchell in relation to part of his request, subject to the redaction of personal data. The RMA continued to withhold other information in its entirety.

The Commissioner investigated and found that RMA had partially failed to respond to Mr Mitchell's request for information in accordance with Part 1 of FOISA. She found that the RMA was entitled to withhold some of the information on the basis that disclosure was likely to substantially prejudice the effective conduct of public affairs. She also found that the RMA was entitled to apply section 38(1)(b) (Personal information) of FOISA to most of the information redacted as personal data.

The Commissioner found that the RMA had failed to comply with section 1(1) of FOISA, by initially failing to identify all of the information falling within the scope of Mr Mitchell's request and also by withholding information under sections 37(1)(a)(iii) (Court records etc.) and 38(1)(b). She required the RMA to provide Mr Mitchell with the information it had wrongly withheld.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (4) and (6) (General entitlement); 2(1), (2)(d) and (2)(e)(ii) (Effect of exemptions); 21(4) and (5) (Review by Scottish public authority); 30(b) (Prejudice to effective conduct of public affairs); 37(1)(a)(iii) (Court records, etc.); 38(1)(b), (2)(a)(i), (2)(b) and (5) (definitions of "data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA) sections 1(1) (Basic interpretative provisions) (definition of personal data); Schedule 1 (The data protection principles, Part 1 - the principles) (the first data protection principle); Schedule 2 (Conditions relevant for the purposes of the first principle: processing of any personal data) (condition 6)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. The RMA was established in 2005 by the Criminal Justice (Scotland) Act 2003. It is responsible for administering and overseeing the risk assessment and management processes supporting the Order for Lifelong Restriction (OLR) sentence, including the approval of Risk Management Plans for offenders who are subject to an OLR.

2. On 17 October 2014, Mr Mitchell made a request for information to the RMA. He requested:

? All information relating to the decision to change the RMA's risk definitions (request 1)

? The number of risk assessment reports, under both the original and new risk classifications, given a medium risk classification, and the number of these subsequently resulting in an order for lifelong restriction (OLR) being given (requests 2 and 3).

3. The RMA responded on 17 November 2014. The RMA withheld information covered by request 1 on the basis that sections 30(b), 35(1)(c), 36(2) and 38(1)(b) of FOISA applied. In relation to requests 2 and 3, the RMA withheld the information on the basis that section 37(1)(a)(iii) applied.

4. On 18 November 2014, Mr Mitchell wrote to the RMA requesting a review of its decision. He did not accept that the exemptions applied.

5. The RMA notified Mr Mitchell of the outcome of its review on 19 December 2014. It upheld its original decision without modification.

6. On 28 December 2014, Mr Mitchell wrote to the Commissioner. He applied to the Commissioner for a decision in terms of section 47(1) of FOISA. Mr Mitchell stated he was dissatisfied with the outcome of the RMA's review because he did not agree that the RMA was correct in applying the exemptions relied upon. He also argued that the notice given to him on review did not comply with the requirements of section 21(5) of FOISA.

Investigation

7. The application was accepted as valid. The Commissioner confirmed that Mr Mitchell made requests for information to a Scottish public authority and asked the authority to review its response to that those requests before applying to her for a decision.

8. On 16 January 2015, the RMA was notified in writing that Mr Mitchell had made a valid application. The RMA was asked to send the Commissioner the information withheld from him. It provided the information and the case was allocated to an investigating officer.

9. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The RMA was invited to comment on this application and answer specific questions, justifying its reliance on any provisions of FOISA it considered applicable to the information requested.

10. During the investigation, the RMA reconsidered its approach to request 1 and supplied Mr Mitchell with the information identified as falling within the scope of his request, with what it considered to be personal data redacted under section 38(1)(b).

11. Mr Mitchell remained dissatisfied with this response. He believed he had not been provided with all the relevant information held by the RMA and did not accept that section 38(1)(b) applied to the redacted information.

12. On the basis that Mr Mitchell considered the response to request 1 was incomplete, the RMA was asked to provide details of the searches undertaken to identify and locate the information. As a result, the RMA identified additional information, which it withheld on the basis that sections 30(b), 36(2) and 38(1)(b) of FOISA applied.

13. Mr Mitchell was provided with an opportunity to comment on the application of these exemptions to the additional information found during the investigation. Mr Mitchell did not accept that the exemptions claimed applied to this information.

Commissioner's analysis and findings

14. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to her by both Mr Mitchell and the RMA. She is satisfied that no matter of relevance has been overlooked.

Adequacy of searches

15. In terms of section 1(4) of FOISA, the information to be provided in response to a request under section 1(1) is that falling within the scope of the request and held by the authority at the time the request is received, subject to qualifications which are not applicable in this case.

16. As narrated above, it is a matter of fact that the RMA failed to locate all of the information falling within the scope of request 1 at the time of its initial response and in responding to Mr Mitchell's requirement for review. Further relevant information was identified and located during the investigation. In this respect, the RMA failed to comply with section 1(1) of FOISA.

17. Following the disclosures during the investigation, Mr Mitchell maintained his view that the RMA had failed to identify all of the information it held falling within the scope of request 1.

18. The RMA explained that it was a small organisation of 13 permanent staff located in one office, with no separate departments. In response to this request, it continued, a meeting was arranged with senior staff to consider the information request and identify what was held. At this meeting, it was agreed that staff would check their "outlook" system for emails, review their network folders and identify any information held on risk definitions. In addition, the FOI officer manually reviewed network folder records of all RMA Board and Accreditation Committee meetings, from 2010 to 2014, and sourced information relating to this request. A further meeting was held to finalise the request.

19. The RMA also confirmed that it had carried out a new search of its full network drive during the investigation, as a result of which the additional information referred to in paragraph 12 was identified. Although it originally failed to identify all of the information held and falling within the scope of the request, the Commissioner is satisfied that the RMA has now conducted adequate and proportionate searches order to identify and locate all of the relevant information. This has either been provided to Mr Mitchell or withheld under exemptions.

Redactions under section 38(1)(b)- personal information

20. The RMA applied the exemption in section 38(1)(b) to what it considered to be personal data in information covered by request 1. The RMA considered disclosure of this redacted information would breach the first data protection principle.

21. Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or, as appropriate, section 38(2)(b), exempts information from disclosure if it is "personal data" (as defined in section 1(1) of the DPA) and its disclosure would contravene one or more of the data protection principles set out in Schedule 1 to the DPA.

22. The exemption in section 38(1)(b) of FOISA, applied on the basis under consideration here, is an absolute exemption. This means that it is not subject to the public interest contained in section 2(1)(b) of FOISA.

23. In order to rely on this exemption, the RMA must show that the information being withheld is personal data for the purposes of the DPA and its disclosure into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles found in Schedule 1 to the DPA.

Is the information under consideration personal data?

24. Personal data are defined in section 1(1) of the DPA as data which relate to a living individual who can be identified: a) from those data, or b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller. (The full definition is set out in the Appendix.)

25. The Commissioner is satisfied that the majority of the information under consideration does comprise personal data, in line with the definition in part (a) of section 1(1) of the DPA. Living individuals, referred to within the information, can be identified from this information. Given its nature (names, contact details etc.), the Commissioner is satisfied that the information clearly relates to them.

26. However, the Commissioner is not satisfied that one redaction to which this exemption has been applied actually comprises personal data. One reference redacted under this exemption is simply to a class of posts rather than particular individuals. The Commissioner does not believe these words are capable of identifying living individuals. Consequently, the Commissioner is not satisfied that this information is exempt from disclosure in terms of section 38(1)(b) of FOISA and so finds that it was incorrectly withheld by the RMA. She now requires the RMA to disclose this information to Mr Mitchell.

27. With this decision, the Commissioner will provide the RMA with a marked up copy of the document in question, indicating the information that should be disclosed.

28. The RMA did not consider any of the information withheld under section 38(1)(b) to fall within the definition of sensitive personal data.

Would disclosure of the personal data contravene the first data protection principle?

29. The RMA argued that making this information available would breach the first data protection principle. This states that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met. The processing in this case would be making the information publicly available in response to Mr Mitchell's request.

Can any of the conditions in schedule 2 be met?

30. When considering the conditions in Schedule 2, the Commissioner has noted Lord Hope's comment in the case of Common Services Agency v Scottish Information Commissioner [2008] UKHL 47[1], that the conditions require careful treatment in the context of a request for information under FOISA, given that they were not designed to facilitate the release of information, but rather to protect personal data from being processed in a way that might prejudice the rights, freedoms or legitimate interests of the data subject (i.e. the person or persons to whom the data relate).

31. It appears to the Commissioner that condition 6 in Schedule 2 is the only one which might permit disclosure to Mr Mitchell.

32. Condition 6 allows personal data to be processed if that processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interest of the data subject.

33. There are, therefore, a number of tests which must be met before condition 6(1) can apply. These are:

(i) Does Mr Mitchell have a legitimate interest in obtaining the personal data?

(ii) If so, is the disclosure necessary to achieve those legitimate interests? In other words, is disclosure proportionate as a means and fairly balanced as to ends, or could these legitimate interests be achieved by means which interfere less with the privacy of the data subject?

(iii) Even if disclosure is necessary for those purposes, would it nevertheless be unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subject? As noted by Lord Hope in the judgement referred to in paragraph 30, there is no presumption in favour of disclosure of personal data under the general obligation laid down in FOISA. The legitimate interests of Mr Mitchell must outweigh the rights and freedoms or legitimate interests of the data subject before condition 6 will permit the personal data to be disclosed.

Does Mr Mitchell have a legitimate interest in obtaining the personal data?

34. There is no definition in the DPA of constitutes a "legitimate interest". The Commissioner takes the view that the term indicates that matters in which an individual properly has an interest should be distinguished from matters about which he or she is simply inquisitive. The Commissioner's guidance on section 38 of FOISA states[2]:

In some cases, the legitimate interest might be personal to the applicant e.g. he or she might want the information in order to bring legal proceedings. With most requests, however, there are likely to be wider legitimate interests, such as the scrutiny of the actions of public bodies or public safety.

35. Mr Mitchell submitted to the Commissioner that he had a personal interest in the matter and that there was a wider public interest in the information, to allow the public to know who were making decisions which had important consequences for the administration of justice.

36. In the Commissioner's view, Mr Mitchell has a legitimate interest in obtaining the withheld personal data. There is a clear legitimate interest in transparency in relation to the decision making process of which this information forms part.

Is disclosure necessary to achieve those legitimate interests?

37. Having concluded that Mr Mitchell has a legitimate interest in obtaining the personal data under consideration, the Commissioner must now consider whether disclosure of the withheld personal data is necessary to achieve that legitimate interest. In doing so, she must consider whether that interest might reasonably be met by any alternative means.

38. Having reviewed the information withheld in the context of the information already disclosed to Mr Mitchell, the Commissioner is not satisfied that Mr Mitchell's legitimate interests can be furthered to any appreciable extent by knowing the names and contact details of those involved. Consequently, the Commissioner is not satisfied that disclosure is necessary to achieve his legitimate interest.

39. It therefore follows that condition 6 could not be met to permit disclosure in this particular case. In the absence of a Schedule 2 condition, disclosure would be unlawful. Disclosure of the withheld personal data would therefore breach the first data protection principle. Accordingly, the Commissioner accepts that the RMA was entitled to withhold the personal data under section 38(1)(b) of FOISA.

Section 30 - Prejudice to effective conduct of public affairs

40. As indicated above, the RMA withheld information covered by request 1 under the exemptions in section 30(b) of FOISA

41. In order for the RMA to rely on these exemptions, it must show that the disclosure of the information would (or would be likely to) inhibit substantially the free and frank provision of advice (section 30(b)(i)) or the free and frank exchange of views for the purposes of deliberation (section 30(b)(ii)). The exemptions are subject to the public interest test in section 2(1)(b) of FOISA.

42. It is the Commissioner's view, as stated in previous decisions, that there is a high standard to be met in applying the tests in these exemptions. The chief consideration is not whether the information constitutes advice or opinion, but whether the disclosure of that information would, or would be likely to, inhibit substantially (as the case may be) the provision of advice or the exchange of views. The inhibition must be substantial and, therefore, of real and demonstrable significance.

43. As with other exemptions importing a similar test, the Commissioner expects authorities to demonstrate a real risk or likelihood that actual inhibition will occur at some time in the near (certainly the foreseeable) future, not simply that inhibition is a remote or hypothetical possibility. For inhibition to be likely, there would need to be at least a significant probability of it occurring. Each request must, of course, be considered individually.

44. As noted above, the RMA was established under the Criminal Justice (Scotland) Act 2003. Part of its statutory role is to prepare and issue guidelines and standards regarding the assessment and minimisation of risk of harm posed by serious violent and sexual offenders. The RMA stated that Mr Mitchell requested information relating to the change in risk level definitions in its standards and guidance. Part of the process of developing these standards and guidance and the risk level definitions contained within them, it explained, involved the RMA receiving advice from expert third parties and information in the course of deliberations within the RMA.

45. Given the sensitive nature of the advice and views exchanged, the RMA argued that those providing advice and engaging in the discussions would be substantially inhibited from providing free and frank advice or engaging in free and frank exchanges of views as part of this process in the future, if their views were to be disclosed.

46. The RMA argued that it needed a forum in which free and frank advice was exchanged, to develop effective guidance and standards and thus carry out its statutory duty under the Criminal Justice (Scotland) Act 2003. The RMA submitted that if the requested information were to be disclosed, individuals would be substantially inhibited from participating in this process, which would impact on its ability to prepare and issue effective and informed standards and guidance which included accurate and relevant risk level definitions.

47. The Commissioner has considered all of the submissions made by the RMA, along with the withheld information. The Commissioner accepts, in all the circumstances of this case, that disclosure of the withheld information would be likely to result in substantial inhibition to the free and frank provision of advice and the free and frank exchange of views for the purposes of deliberation, for the reasons argued by the RMA. As a result, she is satisfied that this information is exempt from disclosure in terms of section 30(b)(i) and 30(b)(ii) of FOISA.

48. The Commissioner must now go on to consider the application of the public interest test, as set out in section 2(1)(b) of FOISA. Before the information can be withheld under these exemptions, the Commissioner must be satisfied that the public interest in maintaining the exemptions outweighs that in disclosing the information.

The public interest

49. As stated in previous decisions, the "public interest" is not defined in FOISA, but has been described as "something which is of serious concern and benefit to the public", not merely something of individual interest. It has also been held that the public interest does not mean "of interest to the public" but "in the interest of the public", i.e. disclosure must serve the interest of the public.

50. The RMA stated that it was in the public interest for it to carry out its statutory functions effectively in preparing standards and guidance, together with its role working with the courts in the administration of justice. These functions of the RMA would be at risk, it contended, if this information were to be disclosed in to the public domain. The RMA stated that it considered there to be a strong public safety interest in its guidance and standards on risk relating to violent and sexual offenders being as effective as possible.

51. The RMA accepted there was a general public interest in making information accessible to the public, to improve its accountability. Disclosure of the information would contribute to ensuring that the RMA was discharging its functions adequately.

52. Having considered these factors, the RMA concluded that the public interest in disclosing the information was outweighed by the public interest in maintaining the exemption.

53. Mr Mitchell considered an OLR to be a form of indeterminate life sentence, applied to those convicted of a crime and whose behaviour indicated a propensity to cause serious harm. According to Mr Mitchell, anyone given an OLR must have met a condition known as the Risk Criteria. He submitted that central to a judge assessing whether this condition was met was his consideration of a risk assessment report, written by an RMA approved risk assessor. In order to assess the level of risk (high, medium or low) posed by an offender, the assessor had to refer to the risk classification or definition detailing the conditions applicable to each risk level.

54. In March 2013, Mr Mitchell submitted, changes were made to the risk definitions by the RMA. He wished to know why those changes were made and believed that it was in the public interest to know how the law was being applied and if it was being applied fairly.

55. The Commissioner has considered all of these arguments carefully, in the context of the information withheld. She acknowledges that there is a public interest in transparency in relation to the development of these risk definitions, where disclosure would assist the public's understanding of the process.

56. The Commissioner also recognises the public interest in ensuring effective decision making and allowing the RMA to fulfil its statutory functions effectively by obtaining relevant advice and views from experts.

57. The Commissioner has considered all submissions very carefully, in conjunction with the withheld information, in balancing the potential benefits of disclosure against the potential harm. In all the circumstances, she is not satisfied that the public interest in disclosure of this particular information is strong enough to outweigh the public interest in maintaining the exemption claimed.

58. On balance, therefore, the Commissioner finds that the public interest in disclosing the withheld information is outweighed by that in maintain the exemptions in section 30(b)(i) and 30(b)(ii) of FOISA. Consequently, she is satisfied that the RMA was correct to withhold the information under these exemptions.

59. Given that the Commissioner has concluded that all of the information withheld by the RMA in relation to request 1 was correctly withheld in terms of section 30(b)(i) and (ii) of FOISA, she is not required (and does not intend) to consider the exemption in section 36(2) in relation to that information.

Section 37(1)(a)(iii)

60. In response to requests 2 and 3, the RMA sought to rely on section 37(1)(a)(iii) of FOISA. Section 37(1)(a)(iii) of FOISA states that information is exempt information if it is contained in a document:

created by a court or member of its administrative staff for the purposes of, or in the course of, such proceedings [i.e. court proceedings in relation to a particular cause or matter].

61. Section 37(1)(a)(iii) also provides that the exemption will only be engaged if the authority holds the information solely because it is contained in such a document.

62. The RMA submitted that when the court is considering imposing an OLR, it would order a risk assessment order and appoint an RMA accredited risk assessor to carry out a risk assessment and report back to the court in the form of a risk assessment report (RAR). The court is responsible for commissioning the RAR and paying the risk assessor, it explained, so RARs are created by the court for the purposes of OLR proceedings. Whether a RAR is given a medium classification under the original or new classification, the classification is contained within the RAR itself. Therefore, the RMA argued it could not disclose the number of RARs given a medium classification under either the original or new classification without disclosing the information contained a document created by the court for the purposes of proceedings: it submitted that it held the information solely because it was contained within RARs.

63. The RMA submitted that under the Criminal Justice (Scotland) Act 2003, it has specific responsibility to administer and oversee the standard setting, accreditation and approval processes that support the OLR. In order to carry out this function, it receives copies of the RARs, which it uses as part of its management of the assessor accreditation scheme and the risk management plan approval process.

64. The RMA stated that it holds a record of each RAR for its own purposes, and copies information from them into a spreadsheet recording data on each OLR case. The RMA argued that it was merely changing the format of the information in populating a spreadsheet with it, not the information itself (which remained exempt in terms of section 37(1)(a)(iii)).

65. The Commissioner has considered in detail the arguments presented by the RMA. She is not satisfied that the information in question was "created by a court or a member of its administrative staff".

66. It is clear to the Commissioner that this information has been derived from a spreadsheet of statistical data created by the RMA in its own right, for the purpose of its own administrative functions. This can be distinguished from information obtained individually from each RAR report. A degree of effort and resource has been expended by the RMA to extrapolate this data to form a statistical report. Consequently, the Commissioner does not accept the application of section 37(1)(a)(iii), as the information (as now held by the RMA) was not created by a court or member of its administrative staff for the purposes of, or in the course of, court proceedings.

67. In addition, the Commissioner cannot accept that the RMA holds this information solely because it is contained in a document of the kind described in section 37(1)9A)(iii). It is clear that this information is held by the RMA to monitor the performance of its own administrative functions, in a different document from the RARs from which it was extrapolated. The Commissioner therefore requires the RMA to disclose this statistical data to Mr Mitchell, in response to requests 2 and 3.