Home Decisions

Decision 115/2007

As noted in the text of the decision, this decision replaces an earlier version of the decision. If you would like a copy of the earlier version, please contact enquiries@itspublicknowledge.info.

Decision 115/2007 Mr Joseph Millbank and Dundee City Council

Criminal convictions of staff in the Council's Criminal Justice Social Services Department

Reference No: 200700092
Decision Date: 10 November 2009

Summary

Mr Joseph Millbank requested information from Dundee City Council (the Council) relating to criminal convictions of employees in its Criminal Justice Social Services department. The Council refused to supply the information requested on the basis that it was personal data, disclosure of which would breach the first data protection principle.As such, the Council maintained that it was exempt under the terms of section 38(1)(b) of FOISA.Having considered this case, the Commissioner issued a decision on 18 July 2007, in which he concluded that the information requested by Mr Millbank was not personal data, and so it was not exempt in terms of section 38(1)(b) of FOISA.The Commissioner required the Council to supply the withheld information to Mr Millbank.

The Council appealed that decision to the Court of Session, on the grounds that the Commissioner was wrong to find that the information requested by Mr Millbank was not personal data.On review, the Commissioner considered that he had not applied the correct tests to determine whether the information was in fact personal data and he conceded the appeal.The Court subsequently granted a motion seeking to have the appeal allowed, the decision quashed, and the decision remitted for reconsideration by the Commissioner.

Following further investigation, the Commissioner found that the information requested by Mr Millbank was personal data and, since it related to offences committed by the individuals concerned, that it was also sensitive personal data.He found that disclosure of this sensitive personal data would breach the first data protection principle, and so it was exempt from disclosure in terms of section 38(1)(b) of FOISA.He therefore concluded that the Council had acted in accordance with Part 1 of FOISA when responding to Mr Millbank's information request.

Relevant statutory provisions and other sources

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1) and (2)(e)(ii) (Effect of exemptions) and 38(1)(b), (2)(a)(i) and (b) (Personal information)

Data Protection Act 1998 (DPA): sections 1(1) (Basic interpretative provisions) (definition of personal data) and 2(g) (Sensitive personal data); Schedule 1 (The data protection principles) (the first condition) and Schedule 3 (Conditions relevant for purposes of the first principle: processing of sensitive personal data) (conditions 1 and 5)

The full text of each of the statutory provisions cited above is reproduced in the Appendix to this decision. The Appendix forms part of this decision.

Background

1.On 24 September 2006, Mr Millbank wrote to the Council requesting information relating to criminal convictions of those employed in the Criminal Justice Social Work Services. Mr Millbank specifically requested: offences committed; the numbers involved and the range of positions held.He went onto specify that this should include the numbers having had a driving license endorsed under the Road Traffic Act 1998 as a result of paying a fixed penalty, or had paid a fixed penalty under the Vehicle Excise and Registration Act 1994.

2.The Council responded on 23 October 2006.The Council refused to supply Mr Millbank with the information on the basis that the information was exempt under section 38(1)(b) of FOISA (as read in conjunction with section 38(2)(a)(i)).

3.On 26 November 2006, Mr Millbank wrote to the Council requesting a review of its decision. In particular.

4.On 4 January 2007, the Council notified Mr Millbank of the outcome of its review. The Council informed Mr Millbank that it was upholding its original decision without modification.

5.On 16 January 2007, Mr Millbank wrote to the Commissioner, stating that he was dissatisfied with the outcome of the Council's review and applying for a decision in terms of section 47(1) of FOISA.

6.The application was validated by establishing that Mr Millbank had made a request for information to a Scottish public authority and had applied to the Commissioner for a decision only after asking the authority to review its response to that request.

Investigation, decision and appeal

7.On 25 January 2007, the Council was notified in writing that an application had been received from Mr Millbank and asked to provide the Commissioner with any information withheld from him. The Council responded with the information requested and the case was then allocated to an investigating officer.

8.The investigating officer subsequently contacted the Council, giving it an opportunity to provide comments on the application (as required by section 49(3)(a) of FOISA) and asking it to respond to specific questions.

9.Following this investigation, the Commissioner found that the Council had failed to act in accordance with Part 1 of FOISA, on the basis that the information requested by Mr Millbank was not personal data, and as such it could not be exempt from disclosure in terms of section 38(1)(b).That decision (issued on 18 July 2007) required the Council to disclose the information under consideration to Mr Millbank.

10.The Council subsequently appealed this decision to the Council of Session on the basis that the Commissioner had erred in law by concluding that the information requested by Mr Millbank was not personal data.

11.The Commissioner sought legal advice and reconsidered his decision in the light of this appeal, and he conceded that the decision was based on the incorrect application of the definition of personal data. He agreed that the Court should be asked to quash his decision and remit it back to him for further consideration of the case.As a result, this decision now replaces the decision previously issued on 18 July 2007.

Commissioner's analysis and findings

12.In coming to a decision on this matter, the Commissioner has considered all of the withheld information and the submissions made to him by both Mr Millbank and the Council and is satisfied that no matter of relevance has been overlooked.

13.The Council withheld the information requested by Mr Millbank in terms of section 38(1)(b) of FOISA.This section, read in conjunction with section 38(2)(a)(i) or (b), exempts personal data from disclosure if the disclosure of the data to a member of the public, otherwise than under FOISA, would contravene any of the data protection principles contained in the DPA.

14.In this case, the Council argued that the disclosure of the information would breach the first data protection principle, which requires that personal data shall be processed fairly and lawfully and, in particular, that personal data shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met and, in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

15.The exemption in section 38(1)(b) of FOISA, as read with section 38(2)(a)(i), is an absolute exemption in terms of section 2(e)(ii) of FOISA.This means that it is not subject to the public interest test set out in section 2(1)(b) of FOISA.

16.The following matters must now be considered before the Commissioner can determine whetherthe information requested by Mr Millbank is exempt under section 38(1)(b) of FOISA:

is the information personal data?

if so, is it sensitive personal data?

would disclosure of the information breach the first data protection principle?

17."Personal data" is defined in section 1(1) of the DPA as data which relate to a living individual who can be identified (a) from those data or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller (the full definition is set out in the Appendix).

18.The Commissioner originally took the view that the information requested by Mr Millbank was not personal data, on the basis that the individuals involved could not be identified.The Commissioner noted that Mr Millbank requested details of the offences committed, the numbers involved and the range of the positions held. He did not request that information correlate to a specific individual or a specific post.Given the number of employees who work for the relevant department, the Commissioner concluded that this would not allow the identification of any specific individual.

19.However, in reaching this view, the Commissioner did not take into consideration other information which is in the possession of the Council as data controller.The Commissioner accepts that the Council is able to identify the individuals concerned from the information requested by Mr Millbank along with other information in its possession as the data controller and employer of those individuals.

20.Having re-considered the definition of personal data and the information requested by Mr Millbank, the Commissioner is satisfied that the information relates to living individuals (by confirming that they were convicted of a criminal offence) and that those individuals can be identified from that information along with other information in the possession of the data controller.He is therefore satisfied that the information is personal data as defined by section 1(1) of the DPA.

Is the information sensitive personal data?

21.The Council have submitted that the information under consideration is sensitive personal data for the purposes of section 2 of the DPA.This is an important distinction to make, given that, as the Commissioner has noted in his briefing on the exemption in section 38 of FOISA[1], the processing of sensitive personal data is subject to much tighter restrictions than non-sensitive personal data and, unless the data subject has given explicit consent to the disclosure of the information, or the information has been made public as a result of steps taken by the data subject, it is unlikely that it will be lawful to disclose sensitive personal data under FOISA.

22.In this case, the Commissioner is satisfied that the information requested by Mr Millbank amounts to sensitive personal data in terms of section 2(g) of the DPA, given that the personal data relates to the commission of offences by the individuals concerned.

Would disclosure breach the first data protection principle?

23.As noted above, the Council has argued that disclosure of the information requested by Mr Millbank would breach the first data protection principle.This requires that personal data shall be processed (in this case, disclosed into the public domain as a result of Mr Millbank's information request) fairly and lawfully and that they shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met and, in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.Given that the Commissioner has already determined that the information constitutes sensitive personal data, he will firstly consider whether there are any conditions in Schedule 3 which would permit the sensitive personal data to be processed.

24.The Commissioner has considered all of the conditions in Schedule 3, including those in the Data Protection (Processing of Sensitive Personal Data) Order 2000 (the 2000 Order) made by the Secretary of State for the purposes of condition 10 of Schedule 3.

25.The Commissioner has noted that neither condition 1 of Schedule 3 (explicit consent to the processing of the personal data by the data subject), nor condition 5 of Schedule 3 (information made public as a result of steps deliberately taken by the data subject) apply here.Having considered all of the other conditions, the Commissioner found none to be relevant in the circumstances of this case.

26.The Commissioner has therefore concluded that there are no conditions in Schedule 3 to the DPA which would permit the sensitive personal data requested by Mr Millbank to be disclosed to him.As a result, he has not found it necessary to go on to consider whether there are any conditions in Schedule 2 which would permit the sensitive personal data to be disclosed to Mr Millbank or whether the disclosure of the information is otherwise fair and lawful.As a result of finding that there are no conditions in Schedule 3 which can be fulfilled, he must find that the disclosure of the information would breach the first data protection principle and, consequently, that the information sought by Mr Millbank is exempt from disclosure in terms of section 38(1)(b) of FOISA, as read with section 38(2)(a)(i) or (b).

DECISION

The Commissioner finds that Dundee City Council complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by Mr Millbank.

Appeal

Should either Mr Millbank or the Council wish to appeal against this decision, there is an appeal to the Court of Session on a point of law only.Any such appeal must be made within 42 days after the date of intimation of this decision notice.

Kevin Dunion
Scottish Information Commissioner
10 November 2009

 

Appendix

 

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

?

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that ?

(a) the provision does not confer absolute exemption; and

(b) in all the circumstances of the case, the public interest in disclosing the information is not outweighed by that in maintaining the exemption.

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption ?

(e) in subsection (1) of section 38 ?

?

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

38 Personal information

(1) Information is exempt information if it constitutes-

?

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

?

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

?

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

 

Data Protection Act 1998

1 Basic interpretative provisions

(1)In this Act, unless the context otherwise requires ?

?

"personal data" means data which relate to a living individual who can be identified ?

(a) from those data, or

(b)from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

?

2 Sensitive personal data

In this Act "sensitive personal data" means personal data consisting of information as to-

?

(g)the commission or alleged commission by [the data subject] of any offence, or

?

 

Schedule 1 ? The data protection principles

Part I ? The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless ?

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

Schedule 3 ? Conditions relevant for purposes of the first principle: processing of sensitive personal data

1. The data subject has given his explicit consent to the processing of the personal data.

?

5. The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.

?