Decision 090/2009 | Scottish Information Commissioner

Home Decisions

Decision 090/2009

Decision 090/2009 Mr K Stahly and Fife Council

Name and address of a complainant

Reference No: 200900907
Decision Date: 30 July 2009

Summary

Mr Stahly asked Fife Council (the Council) to provide the name and address of a complainant.The request was made within the context of ongoing correspondence about planning permission requirements relating to Mr Stahly's business.The Council advised that the information requested was personal information and was exempt from disclosure under section 38 of the Freedom of Information (Scotland) Act 2002 (FOISA).Following a review, the Council upheld this decision.Mr Stahly remained dissatisfied and applied to the Commissioner for a decision.

Following an investigation, the Commissioner found that disclosure of the information would breach the first data protection principle in the Data Protection Act 1998 (the DPA), and that the Council had therefore dealt with Mr Stahly's request in accordance with Part 1 of FOISA by withholding the information under section 38(1)(b) of FOISA.

Relevant statutory provisions and other sources

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), and 38(2)(a)(i) (Personal information)

Data Protection Act 1998 (DPA) sections 1(1) (Basic interpretative provisions) (definition of personal data); Schedules 1 (The data protection principles) (the first data protection principle) and 2 (Conditions relevant for purposes of the first principle: processing of any personal data: condition 6)

The full text of each of the statutory provisions cited above is reproduced in the Appendix to this decision. The Appendix forms part of this decision.

Background

1.Earlier this year, Mr Stahly was engaged in correspondence with the Council about a complaint about the premises from which his business was operating.On 26 March 2009, Mr Stahly asked the Council to provide "the name and address of the complainant".

2.The Council responded on 3 April 2009. It advised that this information was exempt from disclosure under section 38 of FOISA, because it was personal information.

3.On 21 April 2009, Mr Stahly wrote to the Council requesting a review of its decision.

4.The Council replied on 30 April 2009, confirming that the name and address of the complainant was exempt from disclosure under section 38 of FOISA.The Council explained that the relevant exemption (contained in section 38(1)(b) of FOISA) applied to information which, if released, would breach any of the data protection principles set out in Schedule 1 of the Data Protection Act 1998 (the DPA).The Council explained why, in its view, the first data protection would be contravened by disclosure.

5.On 12 May 2009, Mr Stahly wrote to the Commissioner, stating that he was dissatisfied with the outcome of the Board's review and applying for a decision in terms of section 47(1) of FOISA.He provided further information relating to his application on 20 May 2009.

6.The application was validated by establishing that Mr Stahly had made a request for information to a Scottish public authority and had applied to the Commissioner for a decision only after asking the authority to review its response to that request.

Investigation

7.On 2 June 2009, the Council was notified in writing that an application had been received from Mr Stahly and was asked to provide the Commissioner with any information withheld from Mr Stahly. This information was provided on 15 June 2009 and the case was then allocated to an investigating officer.

8.On 18 June 2009, the Council was invited to provide any comments it wished to make on Mr Stahly's application for a decision, as required by section 49(3)(a) of FOISA, and asking it to respond to specific questions.In particular, the Council was also asked to confirm that it was relying on the exemption in section 38(1)(b) of FOISA, reading conjunction with section 38(2)(a)(i).The Council was also asked about its practice in relation to the naming of complainants.

9.The Council's response confirmed that it was relying upon the exemption in section 38(1)(b) of FOISA (read in conjunction with section 38(2)(a)(i)), and provided further comments in response to the questions raised by the investigating officer.

Commissioner's analysis and findings

10.In coming to a decision on this matter, the Commissioner has considered all of the withheld information and the submissions made to him by both Mr Stahly and the Council and is satisfied that no matter of relevance has been overlooked.

Personal data ? section 38(1)(b) of FOISA

11.The Council has withheld the name and address of the complainant under section 38(1)(b) of FOISA, arguing that it is personal data which, if disclosed, would contravene the first data protection principle.

12.Section 38(1)(b), read in conjunction with section 38(2)(a)(i) (or, where appropriate, (b)) exempts information from disclosure if it is "personal data" as defined by section 1(1) of the DPA, and its disclosure would contravene one or more of the data protection principles set out in Schedule 1 to the DPA.

Is the information personal data?

13.Personal data is defined in section 1(1) of the DPA as data which relate to a living individual who can be identified a) from those data, or b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller (the full definition is set out in the Appendix).

14.The Commissioner accepts that the name and address of the complainant enables identification of a living individual, and relates to that individual, by confirming their involvement in the relevant complaint.He is therefore satisfied that this information is the complainant's personal data.

15.The Commissioner must consider whether disclosure of this personal data would contravene the first data protection principle, as argued by the Council.

Would disclosure contravene the first data protection principle?

16.The first data protection principle states that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met, and, in the case of sensitive personal data, at least one of the conditions in Schedule 3 to the DPA is also met.

17.The Commissioner has considered the definition of sensitive personal data set out in section 2 of the DPA, and he is satisfied that the personal data in this case does not fall into this category. It is therefore not necessary to consider the conditions in Schedule 3 of the DPA in this case.

18.There are three separate aspects to the first data protection principle: (i) fairness, (ii) lawfulness and (iii) the conditions in the schedules. However, these three aspects are interlinked.For example, if there is a specific condition in the schedules which permits the personal data to be disclosed, it is likely that the disclosure will also be fair and lawful.

19.The Commissioner will now go on to consider whether there are any conditions in Schedule 2 to the DPA which would permit the personal data to be disclosed.If any of these conditions can be met, he must then consider whether the disclosure of the name and address would be fair and lawful.

Can any of the conditions in Schedule 2 of the DPA be met?

20.The Commissioner considers that only condition 6(1) of Schedule 2 of the DPA might be considered to apply in this case.Condition 6(1) allows personal data to be processed (in this case, disclosed in response to Mr Stahly's information request) if disclosure of the data is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

21.There are therefore a number of tests which must be met before condition 6(1) can apply:

Does Mr Stahly have a legitimate interest in having this personal data?

If so, is the disclosure necessary to achieve those legitimate aims?In other words, is disclosure proportionate as a means and fairly balanced as to ends or could these legitimate aims be achieved by means which interfere less with the privacy of the data subject (in this case, the complainant)?

Even if disclosure is necessary for the legitimate purposes of the applicant, would disclosure nevertheless cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subject? This will involve a balancing exercise between the legitimate interests of Mr Stahly and those of the complainant. Only if the legitimate interests of Mr Stahly outweigh those of the complainant can the personal data be disclosed.

22.Mr Stahly was invited to provide his reasons for requiring the information to inform the Commissioner's consideration of condition 6(1).He explained that his immediate neighbours were all aware of the complaint having been made, and were very concerned at the mistrust which it may have created.Several had voiced their concerns that Mr Stahly may wrongly believe them to have made the complaint to the Council.Mr Stahly argued that it was only right that he should know who actually made the complaint so that he could assure his neighbours that he did not blame them for the mistrust that had been created.He also did not feel it was right that someone could hide behind an "anonymous complaint" when they could have made their complaint direct to him, allowing him to explain the situation.

23.The Commissioner accepts that Mr Stahly's personal interest in the information is sufficient to show he has a "legitimate interest" in obtaining it, given that the information relates to a complaint made about Mr Stahly's business premises.

24.The Commissioner then considered whether disclosure of the information was necessary to achieve Mr Stahly's legitimate aims, and concluded that, given the nature of the information requested and the circumstances of the case, there was no other way of achieving this.

25.The Commissioner then went on to consider whether disclosure of the personal information requested would cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subject (the complainant).

26.The Council has submitted that it would not normally disclose the identity of a complainant in relation to a possible breach of planning control, and that such complaints would normally be made with an expectation of confidentiality.

27.The Commissioner finds that although the complainant could have chosen to speak directly to Mr Stahly, the fact that they did not do so, and instead made their complaint direct to the Council, shows that they had opted for anonymity.The Commissioner accepts that a person submitting a complaint of this nature to the Council would do so with the expectation that it would be treated confidentially.He also accepts that disclosure of the name and address into the public domain (which would be the effect of a disclosure under FOISA) would constitute an intrusion into the private life of that person, by providing details of that person's actions to Mr Stahly.Although Mr Stahly has not indicated that he wishes to contact the complainant, nevertheless it can be understood that disclosure could in turn prompt unwanted contact with the complainant on the subject of their complaint.

28.After weighing Mr Stahly's legitimate interests against the complainant's expectation of privacy, the Commissioner has found that Mr Stahly's legitimate interest in the information is outweighed by the complainant's legitimate interest in privacy.

29.The Commissioner has therefore found that condition 6 cannot be met, and (as none of the other conditions in Schedule 2 of the DPA can be met), it follows that disclosure of the complainant's personal data would contravene the first data protection principle.

30.The Commissioner therefore finds that the Council was correct to withhold the information requested under section 38(1)(b) of FOISA.

DECISION

The Commissioner finds that Fife Council complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to Mr Stahly's request.

Appeal

Should either Mr Stahly or Fife Council wish to appeal against this decision, there is an appeal to the Court of Session on a point of law only.Any such appeal must be made within 42 days after the date of intimation of this decision notice.

Margaret Keyse
Head of Enforcement
30 July 2009

Appendix

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(?)

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that ?

(a) the provision does not confer absolute exemption; and

(b) in all the circumstances of the case, the public interest in disclosing the information is not outweighed by that in maintaining the exemption.

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption ?

(?)

(e) in subsection (1) of section 38 ?

(?)

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

38 Personal information

(1) Information is exempt information if it constitutes-

(?)

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

(?)

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

(?)

Data Protection Act 1998

1 Basic interpretative provisions

In this Act, unless the context otherwise requires ?

"personal data" means data which relate to a living individual who can be identified ?

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

Schedule 1 ? The data protection principles

Part I ? The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless ?

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

Schedule 2 ? Conditions relevant for purposes of the first principle: processing of any personal data

...

6. (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.