Home Decisions

Decision 135/2018

Decision 135/2018: Mr K and the Scottish Prison Service

Critical incident review

Reference No: 201800890
Decision Date: 28 August 2018

 Summary

The SPS was asked for the critical incident review regarding a named prisoner.

The SPS disclosed the first part of the review report, but withheld the second part in full, on the basis that disclosure would be contrary to the Data Protection Act.

The Commissioner agreed that the SPS was correct to take this approach.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (4) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2)(a)(i), (2)(b) and (5) (definitions of "data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA 1998) sections 1(1) (Basic interpretative provision) (definition of personal data); Schedules 1 (The data protection principles, Part 1 - the principles) (the first data protection principle); 3 (Conditions relevant for purposes of the first principle: processing of sensitive personal data (conditions 1 and 5))

Data Protection Act 2018 (the DPA 2018) Schedule 20 (Transitional provision etc - paragraph 56)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 23 February 2018, Mr K made a request for information to the Scottish Prison Service (the SPS). He asked for the critical incident review regarding a named prisoner.

2. The SPS responded on 26 March 2018. It notified Mr K that it was withholding the information under section 38(1)(b) (Personal information) and section 30 (Prejudice to effective conduct of public affairs) of FOISA. It argued that disclosure of the report might prejudice any ongoing investigations being undertaken by MAPPA (multi-agency protection arrangements).

3. On 28 March 2018, Mr K wrote to the SPS requesting a review of its decision. He argued that, because the SPS had already shared the report with MAPPA, disclosure could not prejudice their decision-making, as they already knew its content. He argued that disclosure of the report was clearly in the public interest.

4. The SPS notified Mr K of the outcome of its review on 22 May 2018. It explained that the report was written in two sections and it provided him with the first section of the report. However, the SPS continued to withhold the second section of the report under the same exemptions it had previously relied upon, arguing that the information was biographical and concerned the management of the named prisoner. The SPS also maintained that disclosure into the public domain, at that time, would undermine and prejudice the conduct of the significant case review, which would involve a number of agencies.

5. On 25 May 2018, Mr K applied to the Commissioner for a decision in terms of section 47(1) of FOISA. Mr K was dissatisfied with the outcome of the SPS's review because he did not accept that the entirety of section two of the report could be biographical, and he argued that the report could be disclosed with redactions.

Investigation

6. The application was accepted as valid. The Commissioner confirmed that Mr K made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

7. On 1 June 2018, the SPS was notified in writing that Mr K had made a valid application. The SPS was asked to send the Commissioner the information withheld from Mr K. The SPS provided the information and the case was allocated to an investigating officer.

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The SPS was invited to comment on this application and answer specific questions including justifying its reliance on any provisions of FOISA it considered applicable to the information requested.

Commissioner's analysis and findings

9. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both Mr K and the SPS. He is satisfied that no matter of relevance has been overlooked.

Withheld information

10. The withheld information in this case comprises the majority of section two of the critical incident review, along with Annex 1 to the report. Paragraphs 39, 40 and 43 of the report and Annex 2 contain publicly accessible information and Mr K has excluded this information from the Commissioner's considerations. As a result, the Commissioner will not consider it any further in this Decision Notice.

Section 38(1)(b) of FOISA (Personal information)

11. The SPS withheld section two of the report on the basis that it was exempt from disclosure under section 38(1)(b) of FOISA.

Data Protection Act 2018 (Transitional provisions)

12. On 25 May 2018, the DPA 1998 was repealed by the DPA 2018. The DPA 2018 amended section 38 of FOISA and also introduced a set of transitional provisions which set out what should happen where a public authority dealt with an information request before FOISA was amended on 25 May 2018, but where the matter is being considered by the Commissioner after that date.

13. In line with paragraph 56 of Schedule 20 to the DPA 2018 (see Appendix 1), if an information request was dealt with before 25 May 2018 (as is the case here - the review response was issued on 22 May 2018), the Commissioner must consider the law as it was before 25 May 2018 when determining whether the authority dealt with the request in accordance with Part 1 of FOISA.

14. Paragraph 56 of Schedule 20 goes on to say that, if the Commissioner concludes that the request was not dealt with in accordance with Part 1 of FOISA (as it stood before 25 May 2018), he cannot require the authority to take steps which it would not be required to take in order to comply with Part 1 of FOISA on or after 25 May 2018.

15. The Commissioner will therefore consider whether the SPS was entitled to apply the exemption in section 38(1)(b) of FOISA under the old law. If he finds that the SPS was not entitled to withhold the information under the old law, he will only order the SPS to disclose the information if disclosure would not now be contrary to the new law.

The exemption

16. Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or, as appropriate, section 38(2)(b), exempts information from disclosure if it is "personal data" (as defined in section 1(1) of the DPA 1998) and its disclosure would contravene one or more of the data protection principles set out in Schedule 1 to the DPA 1998.

17. The exemption in section 38(1)(b) of FOISA is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

18. In order to rely on this exemption, the SPS must show that the information being withheld is personal data for the purposes of the DPA 1998 and that its disclosure into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles to be found in Schedule 1 to the DPA 1998. The SPS considered disclosure of the information would breach the first data protection principle.

Is the withheld information personal data?

19. "Personal data" are defined in section 1(1) of the DPA 1998 as "data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller" (the full definition is set out in Appendix 1).

20. The SPS submitted that disclosure of the withheld information would identify a living individual by virtue of the purpose and focus of the report. It notes that section two of the report is biographical and concerns the management of the named prisoner by the SPS whilst in custody.

21. Having considered the submissions received from the SPS and the withheld information, the Commissioner accepts the arguments put forward by the SPS, and is satisfied that section two of the report contains the personal data of an identifiable living individual. He notes that the withheld information clearly relates to the named prisoner. Consequently, the Commissioner accepts that the information is personal data, as defined by section 1(1) of the DPA 1998.

Is the information under consideration sensitive personal data?

22. The SPS submitted that the withheld information constituted sensitive personal data. The SPS argued that the information is sensitive personal data as it concerns the named prisoner's criminal offence and conviction, as well as his mental and physical health.

23. In this case, the Commissioner is satisfied that all of the withheld personal data falls into the categories of sensitive personal data listed in section 2(e), (f) and (g) of the DPA 1998 (see Appendix 1).

Would disclosure of the personal data contravene the first data protection principle?

24. In its submissions, the SPS argued that disclosure of the withheld personal data would contravene the first data protection principle, which requires that personal data are processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 to the DPA 1998 is met. In the case of sensitive personal data, at least one of the conditions in Schedule 3 to the DPA 1998 must also be met. The processing in this case would comprise making the information publicly available in response to Mr K's request.

25. Given the additional restrictions surrounding the disclosure of sensitive personal data, it is necessary in this case to consider whether there are any conditions in Schedule 3 which would permit the data to be disclosed, before considering the Schedule 2 conditions.

26. The conditions listed in Schedule 3 to the DPA 1998 have been considered by the Commissioner, as have additional conditions for processing sensitive personal data contained in legislation such as the Data Protection (Processing of Sensitive Personal Data) Order 2000. The Commissioner has not identified any of these additional conditions as potentially applicable in this case.

27. The Commissioner's guidance on section 38(1)(b)[1] of FOISA notes that the conditions in Schedule 3 are very restrictive in nature and that, generally, only the first and fifth conditions are likely to be relevant when considering a request for sensitive personal data under FOISA.

28. Condition 1 allows processing where the data subject has given explicit (and fully informed) consent to the processing (which in this case would be disclosure into the public domain in response to Mr K's request). Condition 5 allows processing where information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.

29. The Commissioner has concluded that it would not be reasonable or appropriate to seek consent from the data subject for disclosure of the personal data, and that condition 1 could not be met in this case. He is also satisfied that the information under consideration has been made public as a result of steps deliberately taken by the data subject, and so condition 5 could not be met in this case.

30. Having reached these conclusions, and also having concluded that no other condition in Schedule 3 (or any other legislation) applies in the circumstances of this case, the Commissioner finds that there are no conditions which would allow the sensitive personal data to be disclosed.

31. In the absence of a condition in Schedule 3 permitting the sensitive personal data to be disclosed, the Commissioner must find that disclosure would be unfair. In the absence of such a condition, disclosure would also be unlawful. Consequently, disclosure of the sensitive personal data would contravene the first data protection principle. The Commissioner therefore finds that the SPS was correct to withhold the information requested by Mr K, as it was exempt from disclosure under section 38(1)(b) of FOISA.

32. The Commissioner notes Mr K's views that it should be possible to provide a redacted version of the report with personal data withheld, but he does not agree. Mr K has specifically asked for information about the prisoner identified in his request. Given the content of the information and the context of the request it is impossible for the Commissioner to identify any information from the second part of the report which does not comprise the named prisoner's personal data. The focus of the requested information is the named prisoner. Any information regarding the decision-making processes of SPS staff or other individuals in relation to the named prisoner, or their engagement with the named prisoner, is necessarily the personal data of the named prisoner and must be treated as such.

33. As the Commissioner has found all of the withheld information to be exempt under section 38(1)(b) of FOISA, he is not required to consider the application of any other exemptions in FOISA to the same information.

Transitional provisions

34. Given that the Commissioner has found that the SPS complied with Part 1 of FOISA (as it stood before 25 May 2018) in responding to the request by Mr K, insofar as it concerns the personal data of the named prisoner, he is not required to go on to consider whether disclosure of the personal data would breach Part 1 of FOISA as it currently stands.

Section 30 of FOISA (Prejudice to effective conduct of public affairs)

35. Given that the Commissioner has concluded that the information is exempt from disclosure, he is not required to go on to consider the exemptions in section 30 of FOISA.

Decision

The Commissioner finds that the Scottish Prison Service complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by Mr K.

Appeal

Should either Mr K or the Scottish Prison Service wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse 
Head of Enforcement

28 August 2018

 

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

 

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(4) The information to be given by the authority is that held by it at the time the request is received, except that, subject to subsection (5), any amendment or deletion which would have been made, regardless of the receipt of the request, between that time and the time it gives the information may be made before the information is given.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

2 Sensitive personal data

In this Act "sensitive personal data" means personal data consisting of information as to-

(e) [the data subject's] physical or mental health or condition,

(g) the commission or alleged commission by him of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Schedule 1 - The data protection principles

Part I - The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

5. The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.

Schedule 3 - Conditions relevant for purposes of the first principle: processing of sensitive personal data

1. The data subject has given his explicit consent to the processing of the personal data.

Data Protection Act 2018

Schedule 2 - Transitional provision etc

56 Freedom of Information (Scotland) Act 2002

(1) This paragraph applies where a request for information was made to a Scottish public authority under the Freedom of Information (Scotland) Act 2002 ("the 2002 Act") before the relevant time.

(2) To the extent that the request is dealt with after the relevant time, the amendments of the 2002 Act in Schedule 19 to this Act have effect for the purposes of determining whether the authority deals with the request in accordance with Part 1 of the 2002 Act.

(3) To the extent that the request was dealt with before the relevant time -

(a) the amendments of the 2002 Act in Schedule 19 to this Act do not have effect for the purposes of determining whether the authority deals with the request in accordance with Part 1 of the 2002 Act as amended by Schedule 19 to this Act, but

(b) the powers of the Scottish Information Commissioner and the Court of Session, on an application or appeal under the 2002 Act, do not include power to require the authority to take steps which it would not be required to take in order to comply with Part 1 of the 2002 Act as amended by Schedule 19 to this Act.

(4) In this paragraph -

"Scottish public authority" has the same meaning as in the 2002 Act;

"the relevant time" means the time when the amendments of the 2002 Act in Schedule 19 to this Act come into force.

[1] http://www.itspublicknowledge.info/Law/FOISA-EIRsGuidance/section38/section38briefing2018.aspx