Home Decisions

Decision 127/2017

Decision 127/2017: Mr Mark Howarth and Glasgow City Council

Information relating to two Initial Case Reviews

Reference No: 201700644
Decision Date: 2 August 2017

Summary

The Council was asked for information relating to two Initial Case Reviews (ICR) to which reference was made in the Multi Agency Public Protection Arrangements (MAPPA) annual report of the Glasgow Community Justice Authority.

The Council withheld the information, which it considered to be sensitive personal data and exempt from disclosure.

After investigation, the Commissioner accepted that disclosure of the information could lead to the identification of the subjects of the ICRs. She accepted that the sensitive personal data was correctly withheld.

  Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2)(a)(i), (2)(b) and (5) (definition of "the data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA) sections 1(1) (Basic interpretative provisions) (definition of personal data); 2(g) and (h) (Sensitive personal data); Schedules 1 (The data protection principles) (the first data protection principle); 3 (Conditions relevant for the purposes of the first principle: processing of sensitive personal data) (conditions 1 and 5)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

All references in this decision to "the Commissioner" are to Margaret Keyse, who has been appointed by the Scottish Parliamentary Corporate Body to discharge the functions of the Commissioner under section 42(8) of FOISA.

  Background

1. On 13 February 2017, Mr Howarth made a request for information to Glasgow City Council (the Council). He referred to a statement within the 2015-16 MAPPA Annual Report of Glasgow Community Justice Authority[1], which said: ""within the reporting period Glasgow received two Initial Case Reviews (ICR) when a MAPPA offender was charged with a further serious crime". Mr Howarth asked the Council to provide "the charges involved and an indication as to whether these charges were subsequently successfully prosecuted".

2. The Council responded on 28 February 2017. It withheld the requested information under section 38(1)(b) of FOISA (Personal information). It considered the information to be personal data, disclosure of which would breach the Data Protection Principles in Schedule 1 to the DPA. The Council explained that the information related to living individuals who could be identified from the data or from the data in combination with other information likely to be publicly available. The Council also explained why it considered the information to be "sensitive personal data".

3. On the same day, 28 February 2017, Mr Howarth wrote to the Council requesting a review of its decision. He challenged its view that an individual could be identified from information comprising only a type of crime and an indication of whether or not that crime was successfully prosecuted.

4. The Council notified Mr Howarth of the outcome of its review on 28 March 2017. The Council upheld its decision that the information should be withheld under section 38(1)(b) of FOISA. It confirmed its view that, given the low numbers involved and the information already publicly available, disclosure could lead to the identification of those involved. The Council stated that this, in turn, "would allow linkage of the individuals committing those offences to the fact that they previously have been managed under MAPPA arrangements."

5. On 4 April 2017, Mr Howarth applied to the Commissioner for a decision in terms of section 47(1) of FOISA. He did not accept that an individual could be identified from the information he had asked for. He also challenged the Council's view that disclosure would reveal that these individuals had previously been managed under MAPPA. He pointed out that it is already known that ICRs are only carried out where the offender is subject to MAPPA arrangements.

  Investigation

6. The application was accepted as valid. The Commissioner confirmed that Mr Howarth made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to her for a decision.

7. On 20 April 2016, the Council was notified in writing that Mr Howarth had made a valid application and was asked to send the Commissioner the information withheld from him. The Council provided the information and the case was allocated to an investigating officer.

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Council was invited to comment on this application and answer specific questions including justifying its reliance on any provisions of FOISA it considered applicable to the information requested by Mr Howarth.

  Commissioner's analysis and findings

9. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to her by both Mr Howarth and the Council. She is satisfied that no matter of relevance has been overlooked.

Section 38(1)(b) - Personal information

10. The Council withheld information about the charges against the two individuals who were the ICR subjects and information showing whether those charges were prosecuted successfully. The Council believed this information to be exempt from disclosure under section 38(1)(b) of FOISA (read in conjunction with section 38(2)(a)(i)). Section 38(1)(b) of FOISA exempts personal data if disclosure to a member of the public, otherwise than under FOISA, would contravene any of the data protection principles.

Is the information personal data?

11. "Personal data" are defined in section 1(1) of the DPA as "data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller" (the full definition is set out in Appendix 1).

12. Mr Howarth did not accept that an individual could be identified from the information he had requested.

13. The Council was asked to explain how disclosure of the information would make identification possible.

14. The Council stated that both cases had been reported in the media. It provided the Commissioner with a search strategy which would return the names of a few individuals, and submitted that further searching on these names would reveal whether those individuals had been charged with similar serious crimes before; if so, they were likely to be subject to MAPPA arrangements and to be one of the two individuals referred to in the MAPPA annual report.

15. The Commissioner has reviewed the search strategy provided by the Council. She has taken account of the guidance from the (UK) Information Commissioner (the ICO), who regulates the DPA throughout the UK. The ICO has issued the following guidance on determining what is personal data[2]:

"When considering identifiability it should be assumed that you are not looking just at the means reasonably likely to be used by the ordinary man in the street, but also the means that are likely to be used by a determined person with a particular reason to want to identify individuals."

16. The Commissioner accepts that there is likely to be local knowledge about the crimes and who was charged. The Council has confirmed that both cases were reported in the media. On the balance of probabilities, the Commissioner accepts that there is a reasonable possibility that a determined individual in possession of the information withheld by the Council, and in combination with information which is already publicly available, could identify one or both of the individuals in question. She is therefore satisfied that the information is the personal data of those individuals.

17. Mr Howarth asked whether the charges were successfully prosecuted. The Commissioner considered whether this information on its own would be personal data (i.e. if disclosed without details of the crime). She concluded that, when combined with details in media reports, identification would become likely even from this limited information. (The Council provided reasons to support this view, specific to the two cases. The Commissioner cannot discuss these reasons in this decision, but has taken them into account in reaching her decision.)

18. Having concluded that the withheld information is personal data, the Commissioner is satisfied that all of the personal data withheld in this case falls into the categories of sensitive personal data listed in section 2(g) and (h) of the DPA (see Appendix 1).

Would disclosure contravene the first data protection principle?

19. In its submissions, the Council argued that disclosure of the withheld personal data would contravene the first data protection principle. This principle requires that personal data are processed fairly and lawfully and, in particular, are not processed unless at least one of the conditions in Schedule 2 to the DPA is met. For sensitive personal data, at least one of the conditions in Schedule 3 to the DPA must also be met.

20. Given the additional restrictions surrounding the disclosure of sensitive personal data, it is necessary in this case to consider whether there are any conditions in Schedule 3 which would permit the data to be disclosed, before considering the Schedule 2 conditions. The conditions listed in Schedule 3 have been considered by the Commissioner, as have the additional conditions for processing sensitive personal data contained in secondary legislation, such as the Data Protection (Processing of Sensitive Personal Data) Order 2000. The Commissioner has not identified any of these additional conditions as potentially applicable in this case.

21. Guidance[3] issued by the Commissioner regarding the exemption in section 38(1)(b) notes that, in most cases, only the first and fifth conditions listed in Schedule 3 are likely to be relevant when considering a request for sensitive personal data under FOISA. Condition 1 would allow personal data to be disclosed where the data subject has given explicit (i.e. fully informed and freely given) consent to their disclosure. Condition 5 would allow the personal data to be disclosed if the data had been made public as a result of steps deliberately taken by the data subject.

22. The Council submitted that neither condition 1 nor condition 5 applies. The data subjects have not consented to the release of personal data and have not taken steps to place this information into the public domain. The Commissioner accepts that conditions 1 and 5 were not met in this case.

23. Having reached this conclusion and finding that no other condition in Schedule 3 applies in this case, the Commissioner accepts that disclosure of the sensitive personal data would breach the first data protection principle. She therefore finds that the Council was correct to withhold the information requested by Mr Howarth, as it was exempt from disclosure under section 38(1)(b) of FOISA.

Decision

The Commissioner finds that Glasgow City Council complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by Mr Howarth.

Appeal

Should either Mr Howarth or the Council wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Acting Scottish Information Commissioner

2 August 2017

  Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

 

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

2 Sensitive personal data

In this Act "sensitive personal data" means personal data consisting of information as to-

(g) the commission or alleged commission by him of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Schedule 1 - The data protection principles

Part I - The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

 

Schedule 3 - Conditions relevant for the purposes of the first principle: processing of sensitive personal data

1. The data subject has given his explicit consent to the processing of the personal data.

5. The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.



[1] https://www.glasgowcja.org.uk/CHttpHandler.ashx?id=36195&p=0

[2] https://ico.org.uk/media/for-organisations/documents/1554/determining-what-is-personal-data.pdf

[3] http://www.itspublicknowledge.info/Law/FOISA-EIRsGuidance/section38/Section38.aspx