Decision 126/2013 | Scottish Information Commissioner

Home Decisions

Decision 126/2013

Decision 126/2013 Ms Nicola Frail and the University of Aberdeen

Itemised breakdown of expenses

Reference No: 201300782
Decision Date: 28 June 2013

Summary

On 21 December 2012, Ms Frail asked the University of Aberdeen (the University) for an itemised breakdown of specific expenses claimed by named former members of staff. The University provided Ms Frail with the total amounts paid. Following a review, the University informed Ms Frail that the itemised breakdown of expenses was personal data, the disclosure of which was exempt under section 38(1)(b) of FOISA. The Commissioner agreed.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2)(a)(i), (2) (b) and (5) (definitions of "the data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA) section 1(1) (definition of "personal data") (Basic interpretative provisions); Schedules 1 (The data protection principles, Part I - the principles) (the first data protection principle) and 2 (Conditions relevant for purposes of the first principle: processing of any personal data) (condition 6)

The full text of each of the statutory provisions cited above is reproduced in the Appendix to this decision. The Appendix forms part of this decision.

Background

1. On 21 December 2012, Ms Frail wrote to the University and requested information which included the following:

an itemised breakdown (showing details of the origin, destination, cost and date of all travel together with hotels/meals etc.) of all approved expense claims made by the following members of staff while employed by the University

Ms Frail then listed five former members of staff who had been employed within a specific University department.

2. The University responded on 1 February 2013. It provided Ms Frail with the total amount paid against each claim by the relevant former members of staff.

3. On 7 February 2013, Ms Frail wrote to the University requesting a review of its decision. She did not consider the University to have provided what she requested by way of an itemised breakdown.

4. The University notified Ms Frail of the outcome of its review on 8 March 2013. It explained that the information was personal data and exempt from disclosure in terms of section 38(2)(a)(ii) of FOISA.

5. On 24 March 2013, Ms Frail wrote to the Commissioner. She stated that she was dissatisfied with the outcome of the University's review and applied to the Commissioner for a decision in terms of section 47(1) of FOISA.

6. The application was validated by establishing that Ms Frail made a request for information to a Scottish public authority and applied to the Commissioner for a decision only after asking the authority to review its response to that request.

Investigation

7. On 9 April 2013, the University was notified in writing that an application had been received from Ms Frail. It was asked to provide the Commissioner with the information withheld from her. The University responded with the information requested and the case was allocated to an investigating officer.

8. On 20 May 2013, the investigating officer contacted the University, giving it an opportunity to provide comments on the application (as required by section 49(3)(a) of FOISA) and asking it to respond to specific questions. The University was asked to justify its reliance on any provisions of FOISA it considered applicable to the information requested.

9. The University confirmed that it was withholding the information under section 38(1)(b) of FOISA, on the basis that disclosure would breach the first data protection principle.

10. Ms Frail also provided submissions to the effect that, in her view, disclosure of the information requested would not breach the data protection principles.

Commissioner's analysis and findings

11. In coming to a decision on this matter, the Commissioner has considered all of the withheld information and the submissions made to her by both Ms Frail and the University. She is satisfied that no matter of relevance has been overlooked.

Section 38(1)(b) - personal data

12. Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or (2)(b) (as appropriate), exempts personal data from release if its disclosure to a member of the public, otherwise than under FOISA, would contravene any of the data protection principles. As noted above, the University believes that disclosure of the information would breach the first data protection principle.

13. In considering the application of this exemption, the Commissioner will therefore first consider whether the information in question is personal data as defined in section 1(1) of the DPA. If it is, she will go on to consider whether disclosure of the information would breach the first data protection principle. The Commissioner will also consider whether any of the information is sensitive personal data as defined in section 2 of the DPA: if it is, she will consider the implications of that status for the application of the first data protection principle.

14. It must be borne in mind that this particular exemption is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

Is the information under consideration personal data?

15. "Personal data" are defined in section 1(1) of the DPA as:

data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

16. The Commissioner is satisfied that the itemised breakdown of specific expenses paid to named individuals falls within the definition of those individuals' personal data. The information clearly relates to those individuals, who are identifiable from it.

17. The Commissioner has considered whether any of the personal data in question are sensitive personal data as defined by section 2 of FOISA. Despite submissions to the contrary by the University, the Commissioner is satisfied that none of the personal data fall within any of the categories of sensitive personal data listed in section 2.

18. The Commissioner will therefore go on to consider whether disclosure of the personal data would breach the first data protection principle.

The first data protection principle

19. The first data protection principle states that personal data shall be processed fairly and lawfully. (The processing in this case would be disclosure of the information into the public domain in response to Ms Frail's request.) The first principle also states that personal data shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met. In the case of sensitive personal data, at least one of the conditions in Schedule 3 of the DPA must also be met. As noted above, the Commissioner is satisfied that the information is not sensitive personal data, so she is not required to consider the application of any of the conditions in Schedule 3.

20. Condition 6 would appear to be the only condition in Schedule 2 which might allow disclosure of the information to Ms Frail in the circumstances of this case. Condition 6 allows personal data to be processed if that processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject. In this case, there are two data subjects, the two individuals named in Ms Frail's request.

21. There are, therefore, a number of tests which must be met before condition 6 can apply. These are:

Does Ms Frail have a legitimate interest in having these personal data?

If so, is the disclosure necessary to achieve these legitimate aims? In other words, is disclosure proportionate as a means and fairly balanced as to ends, or could these aims be achieved by means which interfere less with the privacy of the data subjects?

Even if disclosure is necessary for the legitimate purposes of the applicant, would it still cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects? This will involve a balancing exercise between the legitimate interests of Ms Frail and those of the data subjects. Only if the legitimate interests of Ms Frail outweigh those of the data subjects can the personal data be disclosed.

Does the applicant have a legitimate interest?

22. Ms Frail was asked by the Commissioner to explain why she believed she had a legitimate interest in obtaining the information. Ms Frail stated that as a former graduate of the department in question and as a member of the public, she was concerned regarding the significant amount of expenses reimbursed to the individuals and questioned whether the payments were appropriate. She believed this was of particular importance given the severe financial constraints at the time.

23. Ms Frail also raised a number of issues regarding the management of, and communication within, the University. She believed the circumstances to be exceptional.

24. Responding to the Commissioner on this point, the University stated that, in the circumstances, it did not believe that any interest Ms Frail might have in the information amounted to legitimate interest for the purposes of condition 6. It explained that it considered that any legitimate public interest in the expenses claimed by and paid to the individuals had been satisfied by the release of the total for each claim in its initial response.

25. Having considered all relevant submissions she has received on this point, the Commissioner does not accept that Ms Frail could be said to have a legitimate interest in the withheld personal data (i.e. an itemised breakdown of the approved expenses for each individual). The Commissioner acknowledges that Ms Frail may have concerns (justified or otherwise) about aspects of the management of the University, but she fails to see how these could extend to a legitimate interest in the personal data under consideration here for the purposes of condition 6.

26. Given this conclusion, the Commissioner finds that there is no condition in Schedule 2 which would permit disclosure of the personal data under consideration. In the absence of a condition permitting disclosure, that disclosure would be unlawful. Consequently, the Commissioner finds that disclosure would breach the first data protection principle and that the information is therefore exempt from disclosure (and properly withheld) under section 38(1)(b) of FOISA.

DECISION

The Commissioner finds that the University of Aberdeen complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by Ms Frail.

Appeal

Should either Ms Frail or the University of Aberdeen wish to appeal against this decision, there is an appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision notice.

Margaret Keyse
Head of Enforcement
28 June 2013

Appendix

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

...

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

Schedule 1 - The data protection principles

Part I - The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

Schedule 2 - Conditions relevant for purposes of the first principle: processing of any personal data

6 (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.