Decision 098/2019: Exam grades

Public authority: Stirling Council
Case Ref: 201801904

Summary

The Council was asked for details of exam grades of a named school, broken down by subject and grade. The Council disclosed some information, but refused to disclose a more detailed breakdown on the basis that disclosure would be a breach of the data protection legislation.

After an investigation, the Commissioner agreed that some of the information held by the Council was personal data and exempt from disclosure. However, he also found that the Council was wrong to withhold information which it subsequently disclosed during the investigation.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2A), (5) (definitions of "the data protection principles", "data subject", "the GDPR", "personal data" and "processing") and (5A) (Personal information)

Data Protection Act 2018 (the DPA 2018) section 3(2), (3) and (4)(d) (Terms relating to the processing of personal data)

General Data Protection Regulation (the GDPR) Articles 5(1)(a) (Principles relating to processing of personal data); 6(1)(a) and (f) (Lawfulness of processing)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 14 August 2018, Mr Y made a request to Stirling Council (the Council) for a named school's Scottish Qualifications Authority (SQA) results for 2018. He requested the grades for each subject at Higher and National level, showing the number of students awarded grades A, B, C, and D and where no grade was awarded.

2. The Council responded on 28 August 2018 and supplied some information to Mr Y. The Council disclosed data showing the number of presentations in each subject (i.e. the number of pupils who had sat the exams). The Council aggregated the number of pupils awarded grades A-C in each subject, but disclosed the number awarded grade D in each subject and the number with no award in each subject.

3. On the same day, Mr Y wrote to the Council stating that he wanted separate totals for grades A, B and C (per subject).

4. The Council wrote to Mr Y on 4 September 2018. It refused to disclose separate totals for grades as to do so could potentially lead to identification of individual pupils by those in the school community.

5. Mr Y wrote to the Council on the same date, requesting a review. He did not accept that provision of the information requested could lead to the identification of individuals.

6. The Council notified Mr Y of the outcome of its review on 27 September 2018. Again, it refused to disclose the numbers as to do so would, it said, allow pupils to be identified. The Council explained that it would not disclose any number less than a certain value. The Council stated that it took into consideration guidelines issued by the Scottish Government with regard to the sharing of SQA data when reaching this decision.

7. On 6 November 2018, Mr Y wrote to the Commissioner. Mr Y applied to the Commissioner for a decision in terms of section 47(1) of FOISA. Mr Y was dissatisfied with the outcome of the Council's review because he did not accept that the statistics would allow identification of individual pupils and disclosure was in the public interest.

Investigation

8. The application was accepted as valid. The Commissioner confirmed that Mr Y made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

9. On 14 December 2018, the Council was notified in writing that Mr Y had made a valid application. The Council was asked to send the Commissioner the information withheld from Mr Y. The Council provided the information and the case was allocated to an investigating officer.

10. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Council was invited to comment on this application and to answer specific questions.

11. The Council responded to these questions. During the investigation, the Council also offered to supply Mr Y with a partial breakdown of the data it had withheld. It did this on 13 May 2019.

12. Mr Y also provided arguments to assist his case.

Commissioner's analysis and findings

13. In coming to a decision on this matter, the Commissioner considered all the withheld information and the relevant submissions, or parts of submissions, made to him by both Mr Y and the Council. He is satisfied that no matter of relevance has been overlooked.

Section 38(1)(b) - Personal information

14. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is "personal data" (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the GDPR.

15. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

16. To rely on this exemption, the Council must show that the information withheld is personal data for the purposes of the DPA 2018 and that disclosure of the information into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles to be found in Article 5(1) of the GDPR.

17. Mr Y sought separate totals for grades A, B and C for each subject in 2018. During the investigation, the Council disclosed specific numbers for grades A, B and C where the number was 10 or higher.

18. The Commissioner must decide whether the Council was correct to withhold the detailed breakdown requested by Mr Y, under section 38(1)(b).

Is the withheld information personal data?

19. The first question that the Commissioner must address is whether the withheld information is personal data for the purposes of section 3(2) of the DPA 2018. (The definition of personal data is set out in full in Appendix 1.)

20. With regard to numerical information relating to individuals (i.e. the number of pupils) the authority should consider whether or not there is a "realistic" chance of the individual(s) being identified by release of the data.

21. The Council believed there was "more than a realistic chance" of data subjects being identified, not only because of the low numbers, but because of Mr Y's personal connections to the school.

22. The Court of Justice of the European Union looked at the question of identification in Breyer v Bundesrepublik Deutschland[1]. In that case, the Court said that the correct test is whether there is a realistic prospect of someone being identified. In deciding whether there is a realistic prospect of identification, account can be taken of information in the hands of a third party. However, there must be a realistic causal chain - if the risk of identification is "insignificant", the information will not be personal data. Public authorities responding to requests for numbers will therefore have to determine whether members of the public would be able (realistically) to identify individuals from the numbers, if they are disclosed.

23. Although this decision was made before the GDPR and the DPA 2018 came into force, the Commissioner expects that the same rules will apply. Recital (26) of the GDPR bears this out and confirms that data should be considered anonymous (and therefore no longer subject to the GDPR) when the data subject(s) is/are no longer identifiable.

24. The Commissioner must therefore consider whether, if the individual grades per pupil were disclosed into the public domain, third parties would be able to identify individual pupils from the grades and from other information in the public domain.

25. The obvious example would be where the number disclosed is "1" or "2" (and where there is a low number of pupils who took the subject). Disclosing the number "1" would allow anyone who knows that the pupil was studying the subject to find out that pupil's grade. Disclosing the number "2" would allow one of the two pupils taking a subject to know the other person's grade.

26. The circumstances of this case are such that there is a relatively small population under consideration. It is single year at a named school (the total school roll is approximately 850 pupils). Disclosure is also by subject matter which further reduces the number of persons to whom the respective data relate. Where the number of pupils studying a subject is relatively small, this increases the potential for third parties, such as other pupils, parents, other family members or carers, to know which subjects an individual pupil studied and thereby increase the likelihood of identification.

27. In this case, due to the small population, further stratified by subject and grade, the Commissioner is satisfied that there would be a realistic prospect of individual pupils being identified if the information were disclosed.

28. Information which could identify individuals will only be personal data if it relates to those individuals. Information will "relate to" a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them or has then as its main focus. It is clear that the information in this case "relates to" the individual pupils: it is their individual exam grade in a subject.

29. The Commissioner therefore concludes that the information withheld is personal data, for the purposes of section 3(2) of the DPA 2018.

Which of the data protection principles would be contravened by disclosure?

30. In its submissions, the Council made reference to Articles 5 and 6 of the GDPR. Among other data protection principles, it referred to that in Article 5(1)(a) of the GDPR. Article 5(1)(a) states that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

31. In terms of section 3(4) of the DPA 2018, disclosure is a form of processing. In the case of FOISA, personal data is processed when it is disclosed in response to a request.

32. The Commissioner must consider if disclosure of the personal data would be lawful. In considering lawfulness, he must consider whether any of the conditions in Article 6 of the GDPR would allow the data to be disclosed. The Commissioner considers conditions (a) and (f) in Article 6(1) are the only conditions which could potentially apply in the circumstances of this case. Condition (a) states that the processing will be lawful if the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

33. "Consent" is defined in Article 4 of the GDPR as-

"… any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her"

34. In terms of Article 7(1), the data controller (in this case, Council) must be able to demonstrate that the required consent exists.

35. Condition (f) states that the processing will be lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data (in particular where the data subject is a child).

Condition (a): consent

36. Condition (a) would allow the Council to disclose personal data if a data subject has consented to the processing of his or her personal data for one or more specific purposes.

37. The Council did not explain whether the pupils had been asked for consent or had objected to their personal data being disclosed.

38. The GDPR explicitly states that personal data of children merits specific protection. In this case, the data subjects are school pupils. In Scotland, children aged over 12 or over are presumed to be of sufficient age and maturity to provide their own consent for data protection purposes, unless the contrary is shown. When relying on consent as a basis of processing, an authority also needs to take account of any imbalance of power in its relationship with the child, to ensure that consent is freely given.

39. Recital (43) of the GDPR provides that consent should not provide a valid legal ground for the processing of personal data where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority.

40. The Commissioner does not consider the provision of consent appropriate in the circumstances. The data subjects are school pupils, with unknown capacity and there is an evident imbalance of power between the Council and the pupil in such circumstances. The Commissioner concludes that the freely given consent for their personal data to be disclosed cannot be provided and consequently condition (a) does not allow for disclosure of the information.

Condition (f): legitimate interests

41. Condition (f) states that the processing will be lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data (in particular where the data subject is a child).

42. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.

43. The tests which must be met before Article 6(1)(f) can be met are as follows:

(i) Does Mr Y have a legitimate interest in obtaining the personal data?

(ii) If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?

(iii) Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental right and freedoms of the data subjects?

Does Mr Y have a legitimate interest in obtaining the personal data?

44. The Commissioner accepts that Mr Y has (and, indeed, the wider public would have) a legitimate interest in disclosure of the personal data. The information he requested would allow him to fully assess the performance of the school departments in respect of the various subjects.

Is disclosure of the personal data necessary?

45. Having accepted that Mr Y has a legitimate interest in the personal data, the Commissioner must consider whether disclosure of the personal data is necessary for Mr Y's legitimate interests. In doing so, he must consider whether these interests might reasonably be met by any alternative means.

46. The Commissioner has considered this carefully in the light of the decision by the Supreme Court in South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55[2]. In this case, the Supreme Court stated (at paragraph 27):

… A measure which interferes with a right protected by Community law must be the least restrictive for the achievement of a legitimate aim. Indeed, in ordinary language we would understand that a measure would not be necessary if the legitimate aim could be achieved by something less.

47. "Necessary" means "reasonably" rather than "absolutely" or "strictly" necessary. When considering whether disclosure would be necessary, public authorities should consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the requester's legitimate interests can be met by means which interfere less with the privacy of the data subject.

48. Based on the facts of this case, the Commissioner accepts that disclosure of the personal data is necessary to achieve Mr Y's legitimate interests. Although Mr Y can, to an extent, assess the performance within various subjects from the information he initially received from the Council and from the information disclosed during the Commissioner's investigation, the Commissioner can identify no viable means of meeting Mr Y's legitimate interests which would interfere less with the privacy of the data subjects than providing all the withheld information. In all the circumstances, and for the reasons recounted above, the Commissioner is satisfied that disclosure of the information is necessary for the purposes of Mr Y's legitimate interests.

The data subjects' interests or fundamental rights and freedoms

49. It is necessary to balance the legitimate interests in disclosure against the data subjects' interests or fundamental rights and freedoms. In doing so, it is necessary to consider the impact of disclosure. For example, if the data subjects would not reasonably expect that the information would be disclosed to the public under FOISA in response to the request, or if such disclosure would cause unjustified harm, their interests or rights are likely to override legitimate interests in disclosure. Only if the legitimate interests of Mr Y outweigh those of the data subjects can the information be disclosed without breaching the first data protection principle.

50. The Commissioner's guidance on section 38 of FOISA[3] notes factors that should be taken into account in balancing the interests of parties. He makes it clear that, in line with Recital (47) of the GDPR, much will depend on the reasonable expectations of the data subjects and that these are some of the factors public authorities should consider:

(i) Does the information relates to an individual's public life (their work as a public official or employee) or to their private life (their home, family, social life or finances)?

(ii) Would the disclosure cause harm or distress?

(iii) Whether the individual has objected to the disclosure

.

51. The guidance also goes on to say that care needs to be taken when responding to a request for a child's personal data: Article 6 and recital 38 of the GDPR makes it clear that particular care must be taken to protect the rights of children.

52. Disclosure under FOISA - although to a specific applicant - is public disclosure. So, in considering the effects of disclosure, it is relevant to be aware that disclosing information under the FOISA has the effect of putting the information in the public domain.

53. The Commissioner acknowledges that the withheld information clearly relates to the individuals' private lives (an individual's exam grade), and there is no aspect of public life involved for such data that is linked to a specific pupil. This factor (private life) must add weight against disclosure.

54. The Commissioner has also considered the harm or distress that may be caused by disclosure. The Council has given no developed argument or sustained evidence in this respect, but simply submitted that pupils have a right to privacy and disclosure could harm pupils "including low self-esteem, mental health issues, their future right to work and also reputational damage to the school and Council".

55. The Commissioner acknowledges that the effect on a pupil of disclosing his or her grade will vary according to the pupil's circumstances. For example, where a pupil had a strong expectation of getting an A grade in a specific subject, and where that expectation was connected with a hope to pursue future education or work in that subject, disclosure that would link that pupil with a lower grade may cause harm to that pupil in terms of reputation or esteem.

56. The Commissioner has also considered the Council's Privacy Notice with respect to pupil attainment data and the SQA Privacy Notice with regard to candidate data to assess whether school pupils have a reasonable expectation that their exam grades would be publicly available. Neither Privacy Notice provides this expectation. The Commissioner is of the view that the data subjects would not (in general terms) expect the withheld information to be made available to the general public under FOISA.

57. The Commissioner has attributed weight to Mr Y's legitimate interest. He is trying to assess the school's record in teaching subjects by obtaining exam results. Mr Y's interests in accessing such information deserve recognition and weight in the balancing exercise. It must also be acknowledged that the Council has provided some information and that information allows Mr Y to partially satisfy his legitimate interest.

58. Having carefully balancing the legitimate interests of the pupils against those of Mr Y, the Commissioner finds that the legitimate interests served by disclosure of the remaining withheld personal data are outweighed by the unwarranted prejudice that would result to the rights and freedoms or legitimate interests of the pupils in question. Condition (f) in Article 6(1) of the GDPR cannot, therefore, be met in relation to the withheld personal data.

59. In the absence of a condition in Article 6 of the GDPR allowing the personal data to be disclosed, the Commissioner has concluded that disclosing the information would be unlawful.

Fairness

60. Given that the Commissioner has concluded that the processing of the personal data would be unlawful, he is not required to go on to consider separately whether disclosure of such personal data would otherwise be fair and transparent in relation to the data subjects.

Conclusion on the data protection principles

61. For the reasons set out above, the Commissioner is satisfied that disclosure of the personal data would breach the data protection principle in Article 5(1)(a) of the GDPR. Consequently, he is satisfied that the personal data are exempt from disclosure under section 38(1)(b) of FOISA.

Decision

The Commissioner finds that Stirling Council (the Council) partially complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by Mr Y.

The Commissioner finds that by correctly withholding some of the information on the ground that it is personal data exempt under section 38(1)(b) of FOISA, the Council complied with Part 1.

However, in the absence of submissions from the Council explaining why the information disclosed during the investigation was originally withheld, the Commissioner finds that the Council failed to comply with Part 1 of FOISA.

Given that the Council has now disclosed this latter information to Mr Y, the Commissioner does not require the Council to take any action in respect of this failure in response to Mr Y's application.

Appeal

Should either Mr Y or the Council wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement
26 June 2019

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

…

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

…

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

…

(e) in subsection (1) of section 38 -

…

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

38 Personal information

(1) Information is exempt information if it constitutes-

…

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);

…

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in -

(a) Article 5(1) of the GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

"the GDPR", "personal data", "processing" and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4), (10), (11) and 14 of that Act);

…

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

 

 

Data Protection Act 2018

3 Terms relating to the processing of personal data

…

(2) "Personal data" means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

(3) "Identifiable living individual" means a living individual who can be identified, directly or indirectly, in particular by reference to -

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

(4) "Processing", in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as -

…

(d) disclosure by transmission, dissemination or otherwise making available.

…

 

General Data Protection Regulation

Article 5 Principles relating to processing of personal data

1 Personal data shall be:

a. processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency")

…

Article 6 Lawfulness of processing

1 Processing shall be lawful only if and to the extent that at least one of the following applies:

a. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

…

f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

…

---