Home Decisions

Decision 112/2011

Decision 112/2011 Mr Alan Richardson and Perth and Kinross Council

Documentation relating to an investigation into staff conduct

Reference No: 201001865
Decision Date: 8 June 2011

Summary

Mr Richardson asked Perth and Kinross Council (the Council) for information relating to an investigation which it had carried out into the conduct of certain Building Standards staff.The Council refused to disclose the information on the basis that it was exempt from disclosure under sections 30(c) (effective conduct of public affairs) and 38(1)(b) (personal data) of the Freedom of Information (Scotland) Act 2002 (FOISA). Following a review, Mr Richardson remained dissatisfied and applied to the Commissioner for a decision.

Following an investigation, the Commissioner found that the Council had generally complied with FOISA in dealing with Mr Richardson's request, given that most of the information withheld from him was personal data, which was, in this case, exempt under section 38(1)(b).

However, the Commissioner found that a small proportion of the withheld information was not exempt under either section 30(c) or 38(1)(b), and ordered the Council to disclose this information to Mr Richardson.

Relevant statutory provisions and other sources

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1) and (2)(e)(ii) (Effect of exemptions); 30(c)(Prejudice to the effective conduct of public affairs) and 38(1)(b), (2)(a)(i), (2)(b) and (5) (definitions of "data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA) section 1(1) (Basic interpretative provisions) (definition of "personal data"); Schedule 1 (The data protection principles) (the first and second data protection principles) and Schedule 2 (Conditions relevant for the purposes of the first principle: processing of any personal data) (condition 6)

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data: recital 26.

The full text of each of the statutory provisions cited above is reproduced in the Appendix to this decision. The Appendix forms part of this decision.

Information Commissioner's Data Protection Technical Guidance Determining what is personal data

http://www.ico.gov.uk/.../personal_data_flowchart_v1_with_preface001.pdf

House of Lords decision: Common Services Agency v Scottish Information Commissioner [2008] UKHL 47 www.publications.parliament.uk/pa/ld200708/ldjudgmt/jd080709/comm-1.htm

Background

1.Between March and July 2010, Perth and Kinross Council carried out an investigation into the conduct of certain staff within its Building Standards Section.This investigation resulted in the preparation of three investigation reports. These reports include interview notes and statements from individuals interviewed as part of each investigation.They also include evidence of areas of concern in the employees' work and conduct, including examples of work undertaken.A final report on the outcome of the investigation is also included for each case.

2.On 23 July 2010, Mr Richardson (a reporter with DC Thomson & Co) wrote to the Council requesting the following information:

"?all documentation regarding an investigation into the conduct of buildings standards staff in [named place] conducted between March and July this year, including the allegations giving rise to the investigation, minutes of the disciplinary hearing and final report on the matter."

3.The Council responded on 23 August 2010. It refused to supply the information on the grounds that it was exempt from disclosure under sections 30(c)and 38(1)(b) (read in conjunction with section 38(2)(a)(i)) of FOISA.It stated that the information was personal data as defined in the DPA and its disclosure would breach the first and second data protection principles.It also argued that its disclosure would detrimentally affect the Council's ability to undertake similar investigations in the future.

4.On 31 August 2010, Mr Richardson wrote to the Council, requesting a review of its decision.Mr Richardson argued that documents could have been redacted to prevent the identification of individuals.Mr Richardson also commented that he could see no reason why the disclosure of the information into the public domain would have any effect on future investigations, and that, in his opinion, there is a very definite public interest in disclosure of the information.

5.The Council notified Mr Richardson of the outcome of its review on 28 September 2010.It upheld its original decision without amendment.

6.On 29 September 2010, Mr Richardson wrote to the Commissioner, stating that he was dissatisfied with the outcome of the Council's review and applying to the Commissioner for a decision in terms of section 47(1) of FOISA.

7.The application was validated by establishing that Mr Richardson had made a request for information to a Scottish public authority and had applied to the Commissioner for a decision only after asking the authority to review its response to that request.

Investigation

8.On 30 September 2010, the Council was notified in writing that an application had been received from Mr Richardson and was asked to provide the Commissioner with the information withheld from him. The Council responded with the information requested and the case was then allocated to an investigating officer.

9.The investigating officer subsequently contacted the Council on 4 November 2010, giving it an opportunity to provide comments on the application (as required by section 49(3)(a) of FOISA) and asking it to respond to specific questions. In particular, the Council was asked to justify its reliance on any provisions of FOISA it considered applicable to the information requested.

10.The Council responded on 29 November 2010 and advised that it considered all of the withheld information to be exempt under both sections 30(c)and 38(1)(b) of FOISA.The Council provided an explanation of its reasoning in support of this view.

11.Mr Richardson was also invited to comment on the matters raised by this case, in particular in relation to his legitimate interests in accessing the withheld information insofar as it was personal data, and the application of the exemption in section 30(c)of FOISA.Mr Richardson's comments were received on 19 January 2011.

12.All submissions received from the Council and Mr Richardson, insofar as relevant, are considered in the Commissioner's analysis and findings below.

Commissioner's analysis and findings

13.In coming to a decision on this matter, the Commissioner has considered all of the withheld information and the submissions made to him by both Mr Richardson and the Council and is satisfied that no matter of relevance has been overlooked.

Section 38(1)(b) ? Personal information

14.The Council has applied the exemption in section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i), to all of the withheld information.

15.Section 38(1)(b) (read with section 38(2)(a)(i) or, as appropriate, section 38(2)(b)) of FOISA exempts information from disclosure if it is "personal data" as defined in section 1(1) of the DPA and its disclosure would contravene any of the data protection principles contained in Schedule 1 to the Data Protection Act 1998 (the DPA). This particular exemption is an absolute exemption in that it is not subject to the public interest test set down in section 2(1)(b) of FOISA.

16.In order to rely on this exemption, therefore, the Council must show firstly that the information being withheld is personal data for the purposes of the DPA, and secondly that disclosure of the information into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles to be found in Schedule 1 to the DPA.

17.The Council has submitted that all of the information withheld from Mr Richardson is personal data, disclosure of which would contravene the first and second data protection principles.

18.In considering the application of the exemption, the Commissioner will therefore first consider whether the information that has been withheld is personal data as defined in section 1(1) of the DPA.

Is the information personal data?

19.Section 1(1) of the DPA defines personal data as data which relate to a living individual who can be identified (a) from those data or (b) from those data and other information which is in the possession of, or likely to come into the possession of, the data controller (the full definition is set out in the Appendix).

20.The information under consideration is the entire content of three files relating to disciplinary investigations and processes.The Council noted that each of these files refers to the employee by their name and the content was gathered as part of the investigation of the allegations against the individual and to facilitate a disciplinary hearing for that individual.

21.The Council recognised that the files contain information that is not ostensibly personal data, including copies of plans and copies of other non-personal documents, but explained that this information was also considered to be personal data in the context of the file as a whole, since that information related in some way either to the employee or to the allegations about them.

22.The Commissioner has considered these points, and accepts that the vast majority of the information contained within the three investigations files comprises personal data.The contents in general relate to one or more living individuals, primarily the employees who were the subject of the investigations, but also to third parties who gave statements or provided information in the course of the investigations, and individuals otherwise involved in the investigations or the events under investigation.The individuals concerned can be identified from that information..

23.The Commissioner has accepted that, in the context of the relevant investigations, information relating to certain planning/building control applications is also the personal data of the individuals under investigation, since, in the context of the investigations about the conduct of staff concerned, this information relates to those individuals.

24.However, the Commissioner has not been able to accept that all of the withheld information is personal data and has concluded that the information in the following documents does not relate to any living individual, and so is not personal data:

document 8, which contains guidance for the public on how to apply for a building warrant.

document 22, which contains extracts from the Council's Employee Code of Conduct and Councillors' Code of Conduct, published by the Scottish Government.

document 63, which contains guidance for Council employees on undertaking secondary employment.

25.In reaching this conclusion, the Commissioner has considered whether these items should be considered to relate to the staff who were the subject of investigation, since they are documents consulted in the course of the investigations regarding their conduct.However, having regard to the content of these documents, he notes that they are generic guidance for Council employees and service users.He is unable to accept that this information relates to the particular staff under investigation, even if they were considered to be information relevant to the Council's investigations.

26.The Commissioner has reached a similar conclusion with respect to documents 20 and 21.These documents are emails providing guidance to staff on the current protocol regarding the submission of planning applications and building warrants.The Commissioner considers that the content of these emails (except for the identities of the sender and recipients of these emails, addressed in more detail below) do not relate to any living individual and is not personal data for the purposes of section 1(1) of the DPA.

Could the withheld information be made fully anonymous?

27.In the case of the Common Services Agency v Scottish Information Commissioner[1] (the Collie judgement), the House of Lords considered a request for information relating to childhood leukaemia statistics in the Dumfries and Galloway postal area.In that case, the Lords concluded that the definition of "personal data" in the DPA had to be taken to permit the disclosure of information which had been rendered fully anonymous in such a way that individuals were no longer identifiable from it, without having to apply the data protection principles.If individuals cannot be identified from the actual information requested, then the information is not personal data and cannot, therefore, be exempt under section 38(1)(b) of FOISA.

28.The Commissioner has considered whether such anonymisation would be possible in this case, since Mr Richardson suggested in his request for review and his submissions to the Commissioner that the withheld documents could have been redacted to prevent identification of those concerned.

29.The Council did not address this point in its response to Mr Richardson's request for review, but did when asked to comment on it during the investigation.It explained that it considered that it was unlikely to be able to redact the information to adequately anonymise the information without rendering it completely meaningless.

30.The Council submitted that it was unable to assess the degree to which other people could identify the individuals to whom the personal data relates, but it was aware of the possibility of colleagues, relatives and some of the individuals interviewed being able to establish the identity of one or more of the employees.The Council also considered that, as each of the employees whose conduct was investigated have copies of their relevant file and correspondence, it was likely that they could also identify their own redacted information.The Council also considered it likely that each of the employees could identify information about each other.

31.Although Mr Richardson indicated, in his correspondence with the Council, that, while he appreciated the effect of section 38(1)(b), documents could have been redacted accordingly to prevent identification of those concerned, it is clear from reading the withheld information that information constituting personal data makes up a large proportion of what has been withheld.In considering questions of identifiability, the Commissioner must also bear in mind the reference in recital 26 to EU Directive 95/46/EC (reproduced in the Appendix below) to "all the means likely reasonably to be used either by the controller or by any other person to identify the said person", which is the subject of further discussion in the Information Commissioner's Data Protection Technical Guidance Determining what is personal data.In this context, the Commissioner notes that, even if the names of those interviewed and their responses to questions, together with the personal data on the building warrant and planning application information, were redacted there would still be sufficient information available which would allow the data subjects to be identified.The Commissioner has also noted that Mr Richardson has stated that he is aware of the identities of the members of staff who were the subject of the investigations.

32.Having considered the information that has been withheld in this case, and having considered all relevant submissions and other materials, the Commissioner accepts that the withheld information, other than that described in paragraphs 24 and 26 above does constitute personal data for the purposes of section 1(1) of the DPA, and that it is not possible in the circumstances to fully anonymise that personal data by redacting certain information.This would, in the Commissioner's opinion, require the redaction of the information to the extent that what remained would not be in any sense meaningful.

33.Having reached this conclusion, the Commissioner must now go on to consider whether disclosure of the personal data would contravene any of the data protection principles cited by the Council.In doing so, the Commissioner has taken into consideration the guidance[2] issued by the Information Commissioner which indicates for the purposes of disclosure under the Freedom of Information Act 2000, it is only the first principle ? that data should be processed fairly and lawfully ? that is likely to be relevant.Given that this point is relevant also to the consideration of whether personal data is exempt under FOISA, the Commissioner will firstly consider the Council's submissions relating to the first data protection principle before going on to consider, if necessary, submissions relating to any of the other data protection principles.

Would disclosure contravene the first data protection principle?

34.The first data protection principle states that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met, and in the case of sensitive personal data, at least one of the conditions in Schedule 3 to the DPA is also met.The processing under consideration in this case is disclosure of the personal data into the public domain in response to Mr Richardson's information request.

35.There are three separate aspects to the first data protection principle: (i) fairness, (ii) lawfulness and (iii) the conditions in the schedules.However, these three aspects are interlinked.For example, if there is a specific condition which permits the personal data to be disclosed, it is likely that the disclosure will also be fair and lawful.

36.The Commissioner will now go on to consider whether there are any conditions in Schedule 2 to the DPA which would permit the personal data to be disclosed.If he considers that there is a condition in Schedule 2 which would permit the data to be disclosed, he will then go on to consider whether that information comprises sensitive personal data for the purposes of section 2 of the DPA and, if so, whether there are any conditions in Schedule 3 to the DPA which would allow the data to be processed.

37.Where a schedule 2 condition (and if necessary a schedule 3 condition) can be met he will then go on to consider whether the disclosure of this personal data would otherwise be fair and lawful.

Can any Schedule 2 condition be met?

38.In its submissions, the Council indicated that it had considered the conditions in Schedule 2 of the DPA, but that it was unable to identify a condition that would be satisfied in order to make the processing lawful.

39.The Council was asked by the investigating officer whether the data subjects has been asked to consent to the information being disclosed.In response, the Council explained that the individual data subjects had not been asked for consent (as required to fulfil condition 1 in Schedule 2) and, given the confidentiality associated with the disciplinary process, the Council considered that it was unreasonable in the circumstances to seek consent.

40.The Commissioner has therefore determined that condition 1 cannot be met in the circumstances of this case.

41.Condition 6 would appear to be the only condition which might permit disclosure to Mr Richardson in the circumstances of this case.Condition 6 allows personal data to be processed if the processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subjects (i.e. the individuals to whom the data relate).

42.There are, therefore, a number of different tests which must be satisfied before condition 6 can be met.These are:

Does Mr Richardson have a legitimate interest in obtaining the personal data?

If yes, is the disclosure necessary to achieve these legitimate interests?In other words, is the disclosure proportionate as a means and fairly balanced to its ends, or could these legitimate aims be achieved by means which interfere less with the privacy of the data subjects?

Even if the processing is necessary for Mr Richardson's legitimate interests, would the disclosure nevertheless cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects?

43.There is no presumption in favour of the release of personal data under the general obligation laid down by FOISA.Accordingly, the legitimate interests of Mr Richardson must outweigh the rights and freedoms or legitimate interests of the data subjects before condition 6 will permit the personal data to be disclosed. If the two are evenly balanced, the Commissioner must find that the Council was correct to refuse to disclose the personal data to Mr Richardson.

Does Mr Richardson have a legitimate interest?

44.Mr Richardson submitted that the case to which this appeal relates concerns an abuse of public office by "front line" public officials.Mr Richardson believes that, as a member of the local press, a key part of his role is to report on the workings of local government, ensuring that they are transparent and that public bodies are accountable.

45.It is Mr Richardson's view that the disclosure of the information sought is necessary to meet that aim and to serve the needs of the public, who have a legitimate interest in discovering exactly what happened in this case and how it was dealt with.Mr Richardson considers that it is only with such disclosure that public affairs can be effectively conducted as justice must not only be done, but must also be seen to be done.

46.Mr Richardson stated that the Council has admitted in this case that three employees were investigated, one was sacked and another resigned, and that the hearings were carried out in private, but at a cost to the public.

47.In his submission, Mr Richardson indicated that the Council has refused to state what sanction, if any, was taken against the third staff member.Mr Richardson has commented that no other information was released, leaving parties with a legitimate interest ? who may have been directly affected by the conduct of the officials involved ? in the dark.Mr Richardson considers that disclosure of the withheld personal data would ensure the protection of public office by making it transparent and accountable.

48.The Council advised that it had not asked Mr Richardson if he has a legitimate interest in obtaining the withheld information.However, the Council has noted that Mr Richardson is a journalist and from his articles and editorials it is clear that he wants to be able to publish details of the investigations and outcomes.The Council submits that it considers that, in this respect, the applicant does have a legitimate interest in obtaining the information.

49.The Commissioner considers that there is a general public interest, where complaints have been raised about the service and conduct of front line staff in a public authority to understand what action, if any, has been taken to address these complaints.This interest also ties in with the general public interest in ensuring that public authorities which receive and spend public money are both transparent and accountable.

50.The Commissioner also accepts that, as a journalist, Mr Richardson's role leads him to write about matters of local and national interest regarding the workings of public authorities, which affect the public.Part of this role includes ensuring that local government is transparent and accountable and that its staff act in compliance with relevant rules and regulations, which ties in with the wider public interest of ensuring that, where complaints have been raised about the service and conduct of front line staff, relevant actions are taken to investigate and address these fully.

51.Having considered all the comments from the Council and Mr Richardson, the Commissioner has concluded that Mr Richardson does have a legitimate interest in obtaining the information.

Is disclosure of the information necessary to achieve those legitimate interests?

52.The Commissioner must now consider whether disclosure is necessary for those legitimate interests, and in doing so he must consider whether these interests might reasonably be met by any alternative means.

53.Mr Richardson has commented that the Council has made it clear that there will be no other means to obtain the information sought, so requesting the information under FOISA is the only avenue available.

54.The Council has explained that it does not consider that disclosure of the withheld information is necessary for the purposes of condition 6 in Schedule 2 to the DPA.It submitted that each of the employees investigated were provided with complete copies of the investigation files into their case, and so it is possible that the information could be obtained by Mr Richardson from the employees.

55.The Commissioner has considered this point, but does not accept that this represents an alternative route for Mr Richardson to access the information.Although the Commissioner is aware that there has been coverage in the local press about the matter that gave rise to the investigation of the particular employees' conduct, and it is the case that the identity of the individuals is known to Mr Richardson, there is no evidence to suggest that the individuals concerned would provide this information to him.They would certainly be under no obligation to share the information available to them with any other person. The Commissioner therefore cannot accept that Mr Richardson's legitimate interests would be fulfilled by approaching the individual employees to obtain the withheld information.

56.In this case, the Commissioner can identify no viable means of meeting Mr Richardson's legitimate interest in understanding the circumstances surrounding the Council's investigation which would interfere less with the privacy of the data subjects other than by obtaining the information requested.Therefore, he is satisfied that disclosure of the information is necessary for the purposes of the legitimate interests identified by Mr Richardson.

Would disclosure cause unwarranted prejudice to the legitimate interests of the data subjects?

57.The Commissioner must now consider whether disclosure would nevertheless cause unwarranted prejudice to the rights, freedoms and legitimate interests of the data subjects.As noted above, this involves a balancing exercise between the legitimate interests of Mr Richardson and those of the data subjects.Only if the legitimate interests of Mr Richardson outweigh those of the data subjects can the information be disclosed without breaching the first data protection principle.

58.In considering the legitimate interests of the data subjects, the Commissioner must consider the legitimate interests of a range of individuals whose personal data is contained in the withheld information.This is principally the employees who were the subject of the investigations, but also includes individuals who were interviewed or gave statements as part of the investigations and individuals who were otherwise involved in the investigations or the events under investigation.

59.The Council has submitted that the data subjects have no expectation or understanding that this personal data will be released to the public.

60.It explained that its disciplinary process is conducted in confidence.Those persons interviewed as part of the process were asked if they consented to the disclosure of their statement for the purpose of a subject access request under the DPA, and were advised that a copy of their statement would be issued to the subject of the investigation if a disciplinary hearing was called.

61.The Commissioner has seen the text that was used to obtain witnesses' consent to disclosure and recognises that any consent given was limited to disclosure in terms of the DPA (i.e. to another data subject).Such consent (if given) would not extend to the public disclosure in response to a request under FOISA.

62.The Council has also noted that the withheld information relates primarily to the employees whose conduct was investigated as part of the Council's internal disciplinary procedures, and internal discipline is considered to be a private matter between the employer and the employee.

63.The Council submitted that it considers that disclosure of the information would represent a breach of the rights contained in Article 8 of the European Convention on Human Rights, which provides for the right to respect for private and family life.

64.As mentioned previously, the Council did not approach the data subjects to seek their consent to disclose the information in response to a FOISA request.The Council considered that, given the confidentiality associated with the disciplinary process, it was unreasonable in the circumstances to do so.

65.Mr Richardson has indicated that the individuals may not have expected their information to be released into the public domain but, as it relates, in Mr Richardson's view, to a "proven abuse of public position", he argues that the right of the public to know outweighs any right and/or expectation to keep the proceedings private.

66.The Commissioner has noted Mr Richardson's comments, and he recognises that the investigations into the conduct of certain staff raised matters of serious and genuine concern, relating to the conduct of Council employees. While he recognises, and has given weight to, Mr Richardson's wish to understand the steps taken to investigate and address these concerns, and the action taken by the Council, this interest must be balanced against the legitimate interests of the staff whose conduct was investigated, and the other parties involved in the investigations.

67.Turning first to the legitimate interests of the staff whose conduct was under investigation, the Commissioner recognises that disciplinary proceedings are internal processes between employer and employee and any investigation or hearing would normally be conducted in private.This would be the case whatever the outcome of that process.

68.The Commissioner acknowledges that it would not be within the reasonable expectation of the employees that the information forming the report following the investigation of their conduct would be made available to anyone other than themselves, their representatives and those persons conducting the disciplinary hearing. The Commissioner also recognises that the employees would expect that this information, to the extent that it is personal data, to be kept confidential in the event that it may be subject to any further proceedings raised by either themselves or by the Council.Indeed the Commissioner considers that the staff concerned would have a strong expectation that the disciplinary process, and the information gathered as part of that, would remain private.

69.The Commissioner considers that disclosure of the personal data would cause a significant intrusion into the privacy of these staff, revealing details of the allegations made against them and the evidence gathered by the Council in relation to these, and the conclusions reached by the Council.

70.In all the circumstances, having considered the arguments made by both Mr Richardson and the Council, and having weighed Mr Richardson's legitimate interests against the legitimate interests, rights and freedoms of the staff who were under investigation, the Commissioner has concluded that the legitimate interests of those staff outweigh those of Mr Richardson.As a result, he has determined that disclosure would be unwarranted in this case.

71.The Commissioner has also carried out a similar balancing exercise in relation to the information insofar as it is personal data of other third parties.Given the general expectations of confidentiality associated with the disciplinary process, the Commissioner recognises that the individuals who were interviewed or who provided information within the disciplinary process would expect that the information they provided would be taken into account in the disciplinary process, but they would not expect that information to be disclosed into the public domain as part of a response to a FOISA request.

72.The Commissioner also considers that those individuals whose personal data is present as a result of their indirect connection to the matters under investigation (for example, whose planning and/or building warrant applications, maps and plans form part of the investigation file) would not expect this information to be released into the public domain in response to a FOISA request seeking information relating to investigations into a Council employee's conduct.He notes that the context of such disclosure would be different from the routine publication of information relating to the planning and building warrant process.While the individuals concerned could only reasonably expect disclosure of their planning applications in that routine process, disclosure in response to Mr Richardson's information request would be different, and unexpected, since it would reveal which applications had been considered or found to be pertinent to the investigations of employee conduct.

73.Having balanced Mr Richardson's legitimate interests against the rights, freedoms or legitimate interests of these other data subjects, the Commissioner has again found that the legitimate interests served by release of the investigation reports to Mr Richardson would not outweigh the prejudice that would be caused to the rights, freedoms or legitimate interests of the data subjects, and so the disclosure would be unwarranted.

74.As noted in paragraph 26 above, there are two documents (documents 20 and 21, both emails), which the Commissioner considers do not contain personal data, except for the names of the sender and the recipients. The Commissioner has also carried out the balancing exercise in relation to these names and has concluded that disclosure of four out of the five names would not cause unwarranted prejudice to the rights, freedoms or legitimate interests of the data subjects.The Commissioner is aware that the sender and three of the recipients to the email hold senior positions within the Council, and as such he considers that it would be within the data subject's reasonable expectation that their name would be released in the context of their professional duties in response to a FOISA request.

75.The Commissioner does accept, however, that the other named recipient to the email communications is a junior member of staff who would not expect their identity to be disclosed in response to a FOI request.As such, the Commissioner has again found that the legitimate interests served by release of this information to Mr Richardson would not outweigh the prejudice that would be caused to the rights, freedoms or legitimate interests of that data subject, and so disclosure of their name would be unwarranted.

76.Having drawn these conclusions, the Commissioner has concluded that condition 6 in Schedule 2 (to the DPA) is not met in this case in relation to the majority of the personal data (i.e. all of the personal data except the names of the senior members of staff contained in documents 20 and 21) that has been withheld in this case..

77.Having accepted that disclosure of the majority of the withheld information would lead to unwarranted prejudice to the rights, freedoms and legitimate interest of the data subjects as described above, the Commissioner also concludes, for the same reasons, that disclosure of the majority of the withheld information would be unfair.

78.As disclosure of the majority of the withheld personal information would be unfair and no schedule 2 condition can be met, that personal data cannot be disclosed without contravening the first data protection principle.Consequently, disclosure would also be unlawful.The Commissioner therefore concludes that disclosure of the majority of the withheld personal data would breach the first data protection principle, and so this information was properly withheld on the grounds that the exemption in section 38(1)(b).

79.However, having concluded that condition 6 in Schedule 2 (to the DPA) has been met in relation to the personal data of the sender and three of the recipients of the emails in documents 20 and 21, the Commissioner went on to consider whether this information was sensitive personal data (as defined in section 2 of the DPA), but concluded that it was not.Having reached this conclusion, he is not required to consider whether any condition in Schedule 3 to the DPA can be met in this case.

80.The Commissioner next considered whether disclosure of this personal data would be fair.The Commissioner has found that disclosure of the names of the sender and three of the recipients to the emails in document 20 and 21 would not lead to unwarranted prejudice to the rights, freedom and legitimate interests of the data subjects as described above, and has concluded, for the same reasons, that disclosure of this information would not be unfair.

81.Section 4(4) of the DPA imposes a duty on data controllers to comply with the data protection principles and so a breach of the second principle would also lead to a breach of the first data protection principle, since the processing would be unlawful.Since the Council has claimed that disclosure in this case would also breach the second data protection principle, the Commissioner will consider this principle before reaching a final decision on the question of the lawfulness of the processing of the names of the sender and three of the recipients to the email communications in documents 20 and 21.

Second data protection principle ? Personal data shall be obtained for one or more specified and lawful purposes

82.The second data protection principle provides that personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

83.The paragraphs on the interpretation of the second data protection principle (in Part II of Schedule 2 of the DPA) further provide that, in deciding whether any disclosure of personal data is compatible with the purpose or purposes for which the data were obtained, consideration will be given to the purpose or purposes for which the personal data are intended to be processed by any person to whom they are disclosed.

84.The Council, in submissions made in relation to the withheld information considered as a whole (the Commissioner here is focusing on the names of the sender and of some of the recipients in the emails comprising documents 20 and 21), has argued that it conducts disciplinary investigations and hearings in confidence, and that anyone being interviewed as part of the investigation is told that it is in confidence for the purpose of the investigation, and that the information will be disclosed to the subject of the investigation if the case reaches a disciplinary hearing.The Council advised that any person being interviewed is also informed about possible disclosure of the information at an employment tribunal.As mentioned previously individuals are also asked about disclosure of the information provided by them under a subject access request, if a disciplinary hearing is not held.

85.The Council advised that from this it understands that it is clear to the individuals that the information is being collected solely for the purpose of the disciplinary process and any subsequent tribunal. Despite this purpose not being stated explicitly in writing to these individuals, the Council considers that they are fully aware of this.

86.The Council submitted that it does not consider that the information collected as part of the disciplinary process is collected for any other purpose, and as a consequence disclosure of the information to the public under FOISA would represent a breach of the second principle.

87.In considering these arguments, the Commissioner has first of all noted that the emails in documents 20 and 21 existed prior to the Council's investigations.They were sent to staff for purposes other than those investigations, but were later included within the investigations files having had some relevance to those investigations.The individuals whose data is currently under investigation were only indirectly involved in those investigations, and so the Council's arguments are not directly relevant to the consideration of whether their identities should be disclosed.

88.Nonetheless, the Commissioner has considered the Council's arguments alongside comments made in decisions from the UK Information Commissioner (who is responsible for the enforcement of both the DPA and the Freedom of Information Act 2000 (FOIA)), which address the interpretation of the second data protection principle in the context of requests made under freedom of information law.

89.In decision FS50087443 (Maldon District Council), the Information Commissioner briefly considered whether the second data protection principle would be breached by release of certain personal data in response to a request under FOIA.Maldon District Council had argued that, because disclosure of information in response to freedom of information requests had not been specified in a fair collection notice issued to the data subjects concerned, disclosure of the information gathered in response to a request under FOIA would breach the second data protection principle.The Information Commissioner commented on this argument as follows:

The [Information] Commissioner considers that this is not a correct interpretation of the Data Protection Act.If [Maldon District] Council were correct in its interpretation, no disclosures of third party data would be permitted in response to FOI requests except where data subjects had been given prior notice.This would include cases where requests for information identified individuals acting in a public or official capacity in addition to information relating to their private lives.

The [Information] Commissioner considers that the correct interpretation of Principle 2 in this context is that the disclosure of third party data in response to a request submitted in accordance with other statutory rights is not inherently incompatible with any other lawful purpose for which information may be obtained.Principle 2 may, however, restrict the purposes for which a third party to whom personal data are disclosed may subsequently process those data.

The [Information] Commissioner considers that the central issue in considering whether or not the FOI Act requires the disclosure of personal data is not the second data protection principle but rather the first principle.

90.The Commissioner is aware that the Council has not made any arguments in relation to a fair processing notice; however, it has indicated that it considers that those individuals whose information was collected as part of the investigation process were clear regarding how that information would be processed, and the circumstances under which it would be disclosed, and these were not in response to an FOI request.Therefore, the Council has argued that disclosure of the information would be inconsistent with the purpose for which the information was obtained.

91.The second data protection principle provides that data controllers must specify the purposes for which they are processing personal data.This can be achieved either through a fair processing notice provided directly to data subjects (as discussed above) or by including the purpose on its entry on the Register of Data Controllers, a public register available for inspection on the Information Commissioner's website.

92.The Commissioner recognises that public authorities need to collect personal data in order to pursue their business objectives.It is only these purposes which the public authority has to specify.Public authorities do not obtain personal data so that they can provide it in response to a request made under section 1 of FOISA.This is not one of their business purposes.It follows, therefore, that there is no requirement to specify that disclosure may be made under FOISA in either a fair processing notice or the Register of Data Controllers.

93.However, even although public authorities are not required to specify that they may disclose personal data under FOISA, the second principle still prohibits them from further processing personal data (including in response to information requests) in any manner which would be incompatible with the public authorities' business purposes.

94.The Commissioner considers that account needs to be taken of the ethos behind FOISA, which aims to promote the public's understanding of, and confidence in, the public authorities that serve them, which in turn will drive up standards in the public sector

95.On this basis, it is difficult to see how a disclosure of personal data, which would not breach any of the remaining data protection principles, and would not involve the disclosure of information which is covered by another exemption under FOISA, could be incompatible with the public authority's business purposes.In fact, such a disclosure should actually support the specified business purpose by promoting confidence, driving up standards etc.

96.Further support for this approach can be taken by consideration of the second data protection principle in the broader context of the DPA, i.e. the protection of the privacy of individuals.There may be an argument that the Commissioner should interpret the second data protection principle in a way which focuses on whether any further processing would be incompatible with the privacy rights of the data subjects rather than on the business purposes of the data controller, despite this straying away from a literal interpretation of the principle.Such an approach would mean that if, in all other respects, the disclosure is compatible with the remaining data protection principles then it would not contravene the second principle.

97.Whichever approach is taken, the Commissioner is satisfied that disclosure of the names of the sender and three of the recipients to the emails in documents 20 and 21 would not be incompatible with the purpose for which the information was originally obtained.

98.While the Commissioner notes that, where the email in each of these documents is contained in the investigation file for each of the three employees concerned, it would be incorrect, in the Commissioner's view, for the Council to argue that this information was obtained solely for the purpose of these investigations.It is coincidental that the information contained in documents 20 and 21 (including the identities of the sender and three of the recipients) is of relevance to the investigation and disciplinary proceedings that were undertaken.It is clear that this information was created for the purpose of those employees carrying out their professional duties in ensuring that key staff are aware of correct practice and procedure.For these reasons, the Commissioner cannot accept that those individuals would only reasonably have expected this information to be processed, and potentially disclosed, for the purpose of any subject access request or during an employment tribunal.As a result, he finds that the disclosure of the information would not breach the second data protection principle.

99.As he has found that disclosure would not breach the second data protection principle, it follows that, in the absence of any other submissions from the Council as to the legality of the disclosure of the information, disclosure would not be unlawful in terms of the first data protection principle.Consequently he must find that disclosure of the information would not breach the first data protection principle.

100.The Commissioner has therefore concluded that the Council has misapplied the exemption in section 38(1)(b) in relation to the names of the sender and three of the recipients of the emails comprising documents 20 and 21.

101.As noted above, the Commissioner finds, in relation to remaining information that he accepted to be personal data in this case, that it was properly withheld under section 38(1)(b) of FOISA.

102.Since the Commissioner did not accept that the information in the documents referred to in paragraphs 24 and 26 above is exempt in terms of section 38(1)(b) of FOISA, he has gone on to consider whether this information is exempt under section 30(c) of FOISA.

Section 30(c) ? Effective conduct of public affairs

103.Section 30(c) of FOISA exempts information if its disclosure "would otherwise prejudice substantially, or be likely to prejudice substantially, the effective conduct of public affairs".The use of the word "otherwise" distinguishes the harm required from that envisaged by the exemptions in section 30(a) and (b).This is a broad exemption and the Commissioner expects any public authority citing it to show what specific harm would (or would be likely to) be caused to the conduct of public affairs by release of the information, and how that harm would be expected to follow from release.

104.Section 30(c) applies where the harm caused, or likely to be caused, by disclosure is at the level of substantial prejudice.There is no definition in FOISA of what is deemed to be substantial prejudice, but the Commissioner considers the harm in question would require to be of real and demonstrable significance.The authority must also be able to satisfy the Commissioner that the harm would, or would be likely to, occur and therefore needs to establish a real risk or likelihood of actual harm occurring as a consequence of disclosure at some time in the near (certainly the foreseeable) future, not simply that the harm is a remote possibility.

105.In its submissions, the Council explained that, at the time of Mr Richardson's request, one of the employees was still going through aspects of the disciplinary process and to release the information whilst this process was ongoing (which it still was during the Commissioner's investigation) would have prevented the appropriate staff within the Council from giving the individual concerned a fair hearing.

106.The Council has also provided submissions in support of its contention that section 30(c) applies regarding other matters which are ongoing, which, if the information were released, would be likely to prejudice substantially the effective conduct of public affairs.The Council has explained that it considers that there is a significant probability that the harm it has identified will occur if the information was disclosed.

107.Mr Richardson has provided submissions as to why he considers that the withheld information is not exempt under section 30(c) of FOISA.In line with his comments on the exemption in section 38(1)(b), he acknowledgedthe need of an employer (in this case, the Council) to try and protect its individual employees by excluding the public from disciplinary proceedings (and relying on data protection provisions), but commented that he could see no reason why the mechanics of such investigations and hearings should be kept private.

108.Having considered the information outlined in paragraphs 24 and 26 above, the Commissioner does not accept that release of this information would, or would be likely to, prejudice substantially, the effective conduct of public affairs.In each case, the documents set out general protocols or guidance for Council staff or members of the public.Each provides no information specific to the Council's disciplinary investigations of the staff concerned.He would note the following in relation to the particular documents under consideration:

Document 8

This document contains general guidance on the building warrant process, and is readily available, in full, from the Council's own website.

Documents 20 and 21

These documents are email communications providing guidance to staff on the current protocol regarding the submission of planning applications and building warrants.They contain no information about the substance or process of the investigations into particular staff members' conduct.

Document 22

This document contains extracts from the Council's code of conduct for employees and a "protocol for relations between Councillors and employees in Scottish Councils".The latter is extracted from the "Councillors Code of Conduct" which was published by the Scottish Executive and is available in its entirety on the Scottish Government's website.

Document 63

This document contains guidance for Council staff on other employment.

109.Having considered each of these documents, and noted that (parts of) some contain information that is publicly accessible, while others contain general policy or guidance on how employees should conduct themselves, the Commissioner is unable to accept the Council's submissions with respect to the application of section 30(c) of FOISA.

110.None of these documents contain any information that would reveal details of the particular investigations undertaken in relation to staff conduct.In the circumstances, the Commissioner is not persuaded that disclosure would, or would be likely to, prejudice substantially the ability of the Council to undertake investigations and carry out disciplinary hearings where there may have been inappropriate behaviour by staff.

111.As the Commissioner has concluded that the exemption does not apply, he is not required to go on to consider the public interest test in section 2(1)(b) of FOISA.

DECISION

The Commissioner finds that Perth and Kinross Council (the Council) generally complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by Mr Richardson.

The Commissioner finds that all of the information withheld from Mr Richardson, except for (1) the information in documents 8, 22 and 63 and (2) excluding the name of one member of staff, the information in documents 20 and 21, is exempt from disclosure under section 38(1)(b).

The Commissioner went on to consider whether the information which he had found not to be exempt under section 38(1)(b) of FOISA was exempt under section 30(c) and found that it was not.He therefore finds that, in failing to disclose this information to Mr Richardson, the Council failed to comply with Part 1 and, in particular, section 1(1) of FOISA.

The Commissioner requires the Council to disclose the information in documents 8, 22 and 63 in their entirety and to disclose the information in documents 20 and 21 to Mr Richardson, subject to the redaction of the name of the member of staff appearing after the word "To" in the heading of each of the documents.

This information should be disclosed to Mr Richardson by Monday 25 July 2011.

Appeal

Should either Mr Richardson or the Council wish to appeal against this decision, there is an appeal to the Court of Session on a point of law only.Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement
8 June 2011

Appendix

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

?

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that ?

(a) the provision does not confer absolute exemption; and

(b) in all the circumstances of the case, the public interest in disclosing the information is not outweighed by that in maintaining the exemption.

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption ?

?

(e) in subsection (1) of section 38 ?

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

30 Prejudice to effective conduct of public affairs

Information is exempt information if its disclosure under this Act-

?

(c)would otherwise prejudice substantially, or be likely to prejudice substantially, the effective conduct of public affairs.

38 Personal information

(1) Information is exempt information if it constitutes-

?

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

?

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

?

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

?

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

?

Data Protection Act 1998

1 Basic interpretative provisions

(1)In this Act, unless the context otherwise requires ?

?

"personal data" means data which relate to a living individual who can be identified ?

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

?

Schedule 1 ? The data protection principles

Part I ? The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless ?

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

?

Schedule 2 ? Conditions relevant for purposes of the first principle: processing of any personal data

...

6. (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

?

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

Recital 26Whereas the principles of protection must apply to any information concerning an identified or identifiable person; whereas, to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person; whereas the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable?.


[1] [2008] UKHL 47: http://www.publications.parliament.uk/pa/ld200708/ldjudgmt/jd080709/comm-1.htm

[2] http://www.ico.gov.uk/.../PERSONAL_INFORMATION.ashx