Decision 138/2013

Decision 138/2013 Mr X and Scottish Borders Council

Contract with Citizens Advice Bureau

Reference No: 201300731
Decision Date: 12 July 2013

Summary

On 14 November 2012, Mr X asked Scottish Borders Council (the Council) for a copy of the current contract between it and Central Borders Citizens Advice Bureau (the CAB). The Council disclosed the information to Mr X, but redacted certain signatures on the contract.

Following an investigation, the Commissioner agreed with the Council that the signatures were personal data, the disclosure of which was exempt under section 38(1)(b) of FOISA. The Commissioner also found that the Council failed to deal with Mr X's requirement for review within the relevant statutory timescale.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 21(1) (Review by Scottish public authority); 38(1)(b), (2)(a)(i), (2)(b) and (5) (definitions of "the data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA) section 1(1) (definition of "personal data") (Basic interpretative provisions); Schedules 1 (The data protection principles, Part I - the principles) (the first data protection principle) and 2 (Conditions relevant for purposes of the first principle: processing of any personal data) (condition 6)

The full text of each of the statutory provisions cited above is reproduced in the Appendix to this decision. The Appendix forms part of this decision.

Scottish Ministers' Code of Practice on the Discharge of Functions by Scottish Public Authorities under the Freedom of Information (Scotland) Act 2002 and the Environmental Information (Scotland) Regulations 2004 (the Section 60 Code)

Background

1. On 14 November 2012, Mr X emailed the Council via the Whatdotheyknow website[1]. Mr X requested a copy of the current contract between the Council and the CAB.

2. The Council responded on 10 December 2012. The Council disclosed the majority of the contract to Mr X. The Council withheld the Pricing Schedule on the basis that it was considered exempt from disclosure under section 33(1)(b) of FOISA. The Council also redacted certain signatures from the contract, but gave no indication of why this had been done.

3. On 12 December 2012, Mr X emailed the Council requesting a review of its decision. Mr X considered the Pricing Schedule should be disclosed on the basis that it concerned the use of public money. Mr X also considered the signatures that had been redacted by the Council should be disclosed.

4. The Council did not respond to Mr X's requirement for review. Following an application to the Commissioner, the Council carried out a review and notified Mr X of the outcome on 13 March 2013. Following consultation with the CAB, the Council disclosed the Pricing Schedule to Mr X. The Council also informed Mr X that it considered the signatures on the contract to be exempt from disclosure in terms of section 38(1)(b) of FOISA.

5. On 20 March 2013, Mr X wrote to the Commissioner, stating that he was dissatisfied with the outcome of the Council's review and applying to the Commissioner for a decision in terms of section 47(1) of FOISA.

6. The application was validated by establishing that Mr X had made a request for information to a Scottish public authority and had applied to the Commissioner for a decision only after asking the authority to review its response to that request. The case was then allocated to an investigating officer.

Investigation

7. The investigating officer subsequently contacted the Council, giving it an opportunity to provide comments on the application (as required by section 49(3)(a) of FOISA) and asking it to respond to specific questions. The Council was asked to justify its reliance on any provisions of FOISA it considered applicable to the information requested.

8. The Council responded on 1 July 2013.

9. The relevant submissions received from both the Council and Mr X will be considered fully in the Commissioner's analysis and findings below.

Commissioner's analysis and findings

10. In coming to a decision on this matter, the Commissioner has considered all of the submissions made to her by both Mr X and the Council. She is satisfied that no matter of relevance has been overlooked.

Section 38(1)(b) - Personal information

11. Section 38(1)(b), read in conjunction with section 38(2)(a)(i) or, as appropriate, section 38(2)(b), exempts information from disclosure if it is "personal data" as defined in section 1(1) of the DPA, and its disclosure would contravene one or more of the data protection principles set out in Schedule 1 to the DPA.

12. In order to rely on this exemption, therefore, the Council must show firstly that the information being withheld is personal data for the purposes of the DPA, and secondly that disclosure of the information into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles to be found in Schedule 1 to the DPA.

Is the information personal data?

13. Personal data is defined in section 1(1) of the DPA as data which relate to a living individual who can be identified a) from those data, or b) from those data and other information which is in the possession of, or likely to come into the possession of, the data controller (the full definition is set out in the Appendix).

14. The Council has applied the exemption in section 38(1)(b) to the signatures on the basis that they comprise the personal data of the signatories.

15. The Commissioner is satisfied that the information under consideration is the personal data of the individuals concerned as they can be identified from it and it relates to them. She will go on to consider whether this information is exempt from disclosure under section 38(1)(b) of FOISA.

Would disclosure of the personal data contravene the first data protection principle?

16. The Council argued that disclosure of the personal data would breach the first data protection principle. This requires that personal data be processed fairly and lawfully and, in particular, that it shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met. The processing under consideration in this case is disclosure of the personal data into the public domain in response to Mr X's information request.

17. There are three separate aspects to the first data protection principle: (i) fairness, (ii) lawfulness and (iii) the conditions in the schedules. However, these three aspects are interlinked. For example, if there is a specific condition in the schedules which permits the personal data to be disclosed, it is likely that the disclosure will also be fair and lawful.

18. The Commissioner will now go on to consider whether there are any conditions in Schedule 2 to the DPA which would permit the personal data to be disclosed.

Can any of the conditions in Schedule 2 to the DPA be met?

19. When considering the conditions in Schedule 2, the Commissioner notes Lord Hope's comment in Common Services Agency v Scottish Information Commissioner [2008] UKHL 47[2] that the conditions require careful treatment in the context of a request for information under FOISA, given that they were not designed to facilitate the release of information, but rather to protect personal data from being processed in a way that might prejudice the rights and freedoms or legitimate interests of the data subject.

20. Having considered all the conditions in Schedule 2, the Commissioner finds that only condition 6 might be applicable in the circumstances of this case.

21. Condition 6 allows personal data to be processed if the processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject(s) (i.e. the individual(s) to whom the data relate).

22. There are a number of different tests which must therefore be satisfied before condition 6 can be met. These are:

does Mr X have a legitimate interest in obtaining the personal data?

if yes, is disclosure necessary to achieve these legitimate interests? In other words, is the disclosure proportionate as a means and fairly balanced as to its ends, or could these legitimate interests be achieved by means which interfere less with the privacy of the data subjects?

even if processing is necessary for Mr X's legitimate interests, would the disclosure nevertheless cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects?

23. There is no presumption in favour of the release of personal data under the general obligation laid down in FOISA. Accordingly, the legitimate interests of Mr X must outweigh the rights and freedoms or legitimate interests of the data subjects before condition 6 will permit the personal data to be disclosed. If the two are evenly balanced, the Commissioner must find that the Council was correct to refuse to disclose the personal data to Mr X.

Does Mr X have a legitimate interest?

24. There is no definition within the DPA of what constitutes a "legitimate interest", but the Commissioner takes the view that the term indicates that matters in which an individual properly has an interest should be distinguished from matters about which he or she is simply inquisitive. The Commissioner's published guidance on section 38 of FOISA[3] states:

"In some cases, the legitimate interest might be personal to the applicant - e.g. he or she might want the information in order to bring legal proceedings. With most requests, however, there are likely to be wider legitimate interests, such as the scrutiny of the actions of public bodies or public safety."

25. In this case, Mr X submitted that the signatures on the contract were made as evidence of certification to the public. He submitted that the public should be allowed to see these signatures, especially given that these signatures were inscribed by those in public office. In Mr X's view, the signatures should be disclosed on the basis that the names of the people who had signed the documents had already been disclosed.

26. The Council submitted that it was necessary to redact the signatures of individuals in order to avoid the possibility of identity theft. The Council stated that this was best practice, based on advice from the (UK) Information Commissioner's Office. The (UK) Information Commissioner is responsible for the enforcement of the DPA throughout the UK.

27. Having considered all relevant submissions she has received on this point, the Commissioner does not accept that Mr X could be said to have a legitimate interest in the withheld personal data (i.e. the signatures of certain individuals). The Commissioner acknowledges that Mr X believes these signatures should be in the public domain, but she fails to see how this could extend to a legitimate interest in the personal data under consideration here for the purposes of condition 6.

28. The Commissioner considers that, to the extent there is a legitimate public interest in scrutinising the contract or knowing the identities of the signatories, this could be achieved from the information already made available to Mr X without the need to disclose the signatures of the individuals involved.

29. As the Commissioner considers that Mr X does not have a legitimate interest in obtaining the information withheld by the Council, she is satisfied that Condition 6 of Schedule 2 is not met in this case. Consequently, the Commissioner finds that disclosure would breach the first data protection principle and that the information is therefore exempt from disclosure (and properly withheld) under section 38(1)(b) of FOISA.

Timescales for compliance

30. In his application to the Commissioner, Mr X expressed dissatisfaction with the Council's failure to respond timeously to his requirement for review.

31. Section 21(1) of FOISA gives Scottish public authorities a maximum of 20 working days following the date of receipt of the requirement to comply with a requirement for review, subject to certain exceptions which are not relevant in this case.

32. In its submissions to the Commissioner, the Council apologised for its mishandling, on two separate occasions, of Mr X's requirement for review. The Council explained that, due to an oversight, a meeting of the Council's FOI Advice Group (which conducts reviews within the Council) had not been organised on receipt of Mr X's requirement for review.

33. Since the Council did not provide a response to Mr X's requirement for review within 20 working days, the Commissioner finds that it failed to comply with section 21(1) of FOISA.

34. Given that the Council has now responded to Mr X's requirement for review, the Commissioner does not require it to take any further action in this case, in response to Mr X's application.

Additional matter raised in Mr X's application

35. In his application, Mr X expressed concern at the fact that the Council had consulted with the CAB when responding to his requirement for review. In Mr X's view, it was unethical for the Council to allow the CAB to regulate how much information the public was allowed to see.

36. The Commissioner has considered the guidance on consulting with third parties contained within the Section 60 Code[4]. Section 3 of Part 2 of the Code provides guidance, and suggests best practice, when dealing with requests for information where another person or body may be affected by the disclosure of the requested information.

37. The Code states that, in some cases, good practice suggests that the views of third parties should be sought on the possible sensitivities of the information requested, such as potentially confidential information or personal data.

38. The Code recommends consultation (with third parties) where the views of the third party may help an authority determine whether an exemption applies to the information requested and where the public interest lies in disclosure.

39. In this case, the Commissioner finds nothing untoward in the Council choosing to consult with the CAB regarding the requested information. Indeed, she considers this demonstrates that the Council has followed good practice in dealing with the request.

DECISION

The Commissioner finds that, in respect of the matters specified in the application, Scottish Borders Council (the Council) generally complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by Mr X.

The Commissioner finds that the Council correctly withheld information under section 38(1)(b) of FOISA.

However, the Council failed to comply with the requirements of section 21(1) of FOISA in responding to Mr X's requirement for review and, in doing so, failed to comply with Part 1 of FOISA. The Commissioner does not require the Council to take any steps in relation to this failure in response to Mr X's application.

Appeal

Should either Mr X or Scottish Borders Council wish to appeal against this decision, there is an appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement
12 July 2013

Appendix

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

…

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

…

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

…

(e) in subsection (1) of section 38 -

…

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

21 Review by Scottish public authority

(1) Subject to subsection (2), a Scottish public authority receiving a requirement for review must (unless that requirement is withdrawn or is as mentioned in subsection (8)) comply promptly; and in any event by not later than the twentieth working day after receipt by it of the requirement.

…

38 Personal information

(1) Information is exempt information if it constitutes-

…

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

…

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

…

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

…

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

…

Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

…

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

…

Schedule 1 - The data protection principles

Part I - The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a) at least one of the conditions in Schedule 2 is met, and

…

Schedule 2 - Conditions relevant for purposes of the first principle: processing of any personal data

6 (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

…

[1] https://www.whatdotheyknow.com/request/sbc_and_centeral_borders_cab_con#outgoing-260288

[2] http://www.publications.parliament.uk/pa/ld200708/ldjudgmt/jd080709/comm-1.htm

[3] http://www.itspublicknowledge.info/nmsruntime/saveasdialog.asp?lID=661&sID=133

[4] http://www.scotland.gov.uk/Resource/Doc/933/0109425.pdf