Decision 140/2015: Mr Ian W Baxter and Aberdeenshire Council

Alleged Blue Badge misuse

Reference No: 201500684
Decision Date: 1 September 2015

Summary

On 10 September and 9 October 2014, Mr Baxter asked Aberdeenshire Council (the Council) for information relating to the possible misuse of a Blue Badge.

The Council refused to provide the information, considering it to be personal data, disclosure of which would breach the data protection principles. Following a review, the Council provided some information. Mr Baxter remained dissatisfied and applied to the Commissioner for a decision.

The Commissioner investigated and found that the Council had generally responded to Mr Baxter's requests for information in accordance with Part 1 of FOISA, although it should not have notified Mr Baxter that it held no information in relation to his request of 9 October.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (4) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 17(1) (Notice that information is not held); 38(1)(b), (2)(a)(i), (2)(b) and (5) (definition of "the data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA) sections 1(1) (Basic interpretative provisions) (definition of "personal data"); 2 (Sensitive personal data); Schedules 1 (The data protection principles) (the first data protection principle); 3 (Conditions relevant for the purposes of the first principle: processing of sensitive personal data) (conditions 1 and 5)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

Request 1

1. On 10 September 2014, Mr Baxter made a request for information to the Council. He referred to a complaint, previously submitted to the Council, alleging possible misuse of a Blue Badge. Mr Baxter stated he wished to receive information regarding any resulting enquiry conducted and stressed, with regard to data protection, he was not interested in learning the identity of any persons involved. The information requested was:

(i) Was an enquiry conducted into the allegation contained in my letter of 14 May 2014?

(ii) If not, then why not?

(iii) If an enquiry was so conducted then was it concluded that the misuse of a Blue Badge had occurred?

(iv) If not, then why not?

(v) If it was so concluded, what action, if any, was taken regarding the person(s) identified or presumed to be responsible?

(vi) Was the person who I observed the holder of the Blue Badge?

(vii) Did this action as at question number 5 involve a Blue Badge being confiscated or cancelled or revoked or similar?

(viii) If it was concluded that no misuse of a Blue Badge had occurred, then what is the explanation for an apparently able-bodied person who is capable of walking several hundred metres without manifest difficulty being allowed to use a Blue Badge?

2. The Council responded on 23 September 2014, confirming that it held the information requested. The Council refused to provide this information as it considered it to be personal data relating to third parties, which it considered to be exempt from disclosure under section 38(1)(b) (Personal information) of FOISA.

3. On 1 October 2014, Mr Baxter wrote to the Council, requesting a review as he was dissatisfied with the Council's refusal. He believed a response could be provided without the disclosure of personal data.

4. The Council notified Mr Baxter of the outcome of its review on 30 October 2014, upholding its original decision. It provided a response to parts (i) and (ii) of Mr Baxter's request and, for parts (iii) to (viii), upheld its original decision to withhold the information under section 38(1)(b) of FOISA. The Council did not consider Mr Baxter had any legitimate interest in having this information disclosed to him.

Request 2

5. On 9 October 2014, Mr Baxter made a further request for information to the Council. He referred to the same complaint and requested a copy of the report relating to the resulting enquiry, which, he presumed, the Council had conducted. Mr Baxter again stated, with regard to data protection, he had no interest in the identities of the persons involved.

6. The Council responded on 22 October 2014, confirming that it did not hold the information requested.

7. On 24 October 2014, Mr Baxter wrote to the Council, requesting a review of its decision. He did not believe the information did not exist, and referred to the Council's response to Request 1 which appeared to contradict this.

8. The Council notified Mr Baxter of the outcome of its review on 26 November 2014, upholding its original decision in full.

Application to Commissioner

9. On 10 April 2015, Mr Baxter wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. Mr Baxter stated he was dissatisfied with the Council's review outcomes because the Council had:

(i) provided a contradictory review outcome for Request 1.

(ii) conjoined the terms "legitimate interest" and "personal data", using this as an excuse for its refusal to provide the information for Request 1. Mr Baxter stressed he had no legitimate interest in obtaining personal data - his legitimate interest was in holding the Council to account with regard to its investigation following the complaint of alleged Blue Badge misuse.

(iii) informed him that it did not hold a report which could meet Request 2: he could not believe this was the case.

10. The Commissioner notes point (i) above. She acknowledges that the review outcome in respect of Request 1 purports to uphold the original decision (applying section 38(1)(b) of FOISA to the request in its entirety), while providing Mr Baxter with some information. On the other hand, the outcome of the review is clear enough from the notice given to Mr Baxter on 30 October 2014, read as a whole. She does not consider there to be a breach of Part 1 of FOISA for her to investigate in this connection.

11. Mr Baxter also made suggestions as to how the Commissioner might conduct her investigation. The Commissioner has noted these, but the manner in which any investigation is conducted is a matter for her, following the requirements of FOISA and the procedures she has developed for that purpose.

Investigation

12. The application was accepted as valid. The Commissioner confirmed that Mr Baxter made requests for information to a Scottish public authority and asked the authority to review its responses to those requests before applying to her for a decision.

13. On 30 April 2015, the Council was notified in writing that Mr Baxter had made a valid application. The Council was asked to send the Commissioner the information withheld from Mr Baxter. The Council provided the information and the case was allocated to an investigating officer.

14. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Council was invited to comment on this application and answer specific questions. Broadly, these related to its application of section 38(1)(b) of FOISA and the searches carried out to identify and locate any information falling within the scope of Mr Baxter's requests.

15. As the Council was withholding some information under the exemption in section 38(1)(b) of FOISA, Mr Baxter was also invited to comment on his legitimate interest in obtaining this information.

16. Mr Baxter wrote to the Commissioner on 17 June 2015. He confirmed he had no interest, legitimate or otherwise, in the personal information of the data subject. His interest, he emphasised, was in holding the Council to account with regard to the enquiry it had undertaken. Mr Baxter again raised his dissatisfaction that "legitimate interest" had been conjoined with "personal data".

17. The Commissioner notes that Mr Baxter is aggrieved that "legitimate interest" has been linked to "personal information". A key element of this case, however, is the Council's application of section 38(1)(b) of FOISA. That exemption applies only if the information concerned is third party personal data, so the Commissioner must consider whether it is in this case. Assuming it is, whether it should be disclosed may depend on whether the requester has a legitimate interest in it: for the purposes of FOISA, the term "legitimate interest" has no relevance except in the context of considering whether personal data should be disclosed.

18. The Council provided its submissions to the Commissioner on 26 June 2015, including background information regarding qualification for a Blue Badge.

Commissioner's analysis and findings

19. In coming to a decision on this matter, the Commissioner has considered all of the withheld information and the relevant submissions, or parts of submissions, made to her by both Mr Baxter and the Council. She is satisfied that no matter of relevance has been overlooked.

Whether information held

20. In terms of section 1(4) of FOISA, the information to be provided in response to a request under section 1(1) is that falling within the scope of the request and held by the authority at the time the request is received.

21. Under section 17(1) of FOISA, where an authority receives a request for information it does not hold, it must give an applicant notice in writing to that effect. In this case, the Council issued Mr Baxter with such a notice.

22. The standard of proof to determine whether a Scottish public authority holds information is the civil standard of the balance of probabilities. In determining this, the Commissioner considers the scope, quality, thoroughness and results of the searches carried out by the public authority. She also considers, where appropriate, any reason offered by the public authority to explain why the information is not held. While it may be relevant as part of this exercise to explore what information should be held, ultimately, the Commissioner's role is to determine what relevant information is (or was, at the time the request was received) held by the public authority.

Request 2 - Investigation Report

23. As noted above, the Council confirmed to Mr Baxter that it held information falling within the scope of Request 1 and, in its notice of the review outcome, confirmed that an enquiry had been carried out. In responding to Request 2, the Council informed Mr Baxter that it did not hold a report of the enquiry.

24. Mr Baxter did not believe that no report existed, given the Council's response to Request 1.

25. In its submissions to the Commissioner, the Council explained the steps it had taken when conducting its enquiry, following receipt of the complaint of alleged misuse of the Blue Badge. It maintained that no actual investigation report was held and explained the searches carried out in reaching this conclusion.

26. In relation to these searches, the Council explained that the relevant Council staff who deal with Blue Badge misuse were asked for, and provided, all information held, namely copies of emails and letters. The Council confirmed that this was the information withheld in relation to Request 1. The Council submitted it was not considered necessary to conduct further searches, given the information was identifiable by the staff who knew all the facts, and whether any relevant information would be held.

27. The Council submitted that, in this case, it was clear what Mr Baxter was requesting in Request 2. No investigation report was held and the Council considered there was no requirement to give any advice and assistance to Mr Baxter about any other information which might have fallen within the scope of this request.

Commissioner's views - whether information was held

28. The Commissioner notes the explanations provided by the Council.

29. Having considered all the relevant submissions and the terms of Mr Baxter's requests, the Commissioner is satisfied that the Council took adequate, proportionate steps to establish what information it held, and which fell within the scope of these requests. She accepts, on balance, that any information relevant to the requests was capable of being identified using the searches described by the Council. She is therefore satisfied that the Council does not (and did not, on receiving the request), hold any further information falling within the scope of Mr Baxter's requests.

30. However, the Commissioner has considered the Council's interpretation of Request 2 carefully. Although the Council maintained it did not hold information in the format of a stand-alone report, the Commissioner considers it would have been reasonable to approach Request 2 as a request for recorded information conveying the results of the investigation: she considers that to be an ordinary interpretation of the request, and not as outlandish as the Council appears to think. It would be all too easy to avoid requests of this kind if authorities confined themselves to formal descriptions or titles, rather than the actual content of the information concerned.

31. Having examined the information withheld in relation to Request 1, the Commissioner is satisfied that it conforms, at least in part, to the broader definition of a report she has outlined in the previous paragraph. In her view, it should have been identified and addressed as such, and so the Council was incorrect to notify Mr Baxter that it held no information falling within the scope of Request 2. In doing so, it misapplied section 17(1) of FOISA and failed to deal with Request 2 in accordance with Part 1 of FOISA.

32. Given that the Commissioner has concluded that the same information falls within the scope of both requests, the Commissioner will now go on to consider the application of section 38(1)(b) of FOISA to all of the withheld information.

Section 38(1)(b) - Personal information

33. Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) (or, as appropriate, (2)(b)) exempts information from disclosure if it is "personal data", as defined in section 1(1) of the DPA, and its disclosure would contravene one or more of the data protection principles set out in Schedule 1 to the DPA.

34. In order to rely on this exemption, the Council must show, firstly, that any such information would be personal data for the purposes of the DPA and, secondly, that disclosure of that data would contravene one or more of the data protection principles to be found in Schedule 1.

Is the information under consideration personal data?

35. "Personal data" are defined in section 1(1) of the DPA as "data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller" (the full definition is set out in Appendix 1).

36. The Commissioner has considered the submissions received from the Council on this point, along with the withheld information. She is satisfied that the information withheld is personal data: it is possible to identify a living individual from the information itself, in line with the definition of personal data. In this case, the information is being used to inform decisions affecting the data subject, and therefore can be said to relate to him or her. In the circumstances, the Commissioner does not consider it would be possible to disclose any of the withheld information without a real risk remaining that the data subject could be identified: consequently, it would remain his or her personal data even following any redaction.

Is the withheld information sensitive personal data?

37. During the investigation, the Council submitted that the information comprised sensitive personal data.

38. The definition of sensitive personal data is contained in section 2 of the DPA (see Appendix 1).

39. The Commissioner has reviewed the information withheld. The Commissioner is satisfied that all of the personal data withheld in this case falls into at least one of the categories in section 2 of the DPA and therefore should be considered to be the sensitive personal data of the data subject. (The Commissioner is unable to confirm which of the categories of sensitive personal data are relevant here, without, in effect, disclosing sensitive personal data.)

Would disclosure contravene the first data protection principle?

40. In its submissions, the Council argued that the disclosure of the withheld personal data would contravene the first data protection principle. This requires that personal data are processed fairly and lawfully and, in particular, are not processed unless at least one of the conditions in Schedule 2 to the DPA is met. For sensitive personal data, at least one of the conditions in Schedule 3 to the DPA must also be met. The processing in this case would be disclosure in response to Mr Baxter's information requests.

The first data protection principle: sensitive personal data

41. Given the additional restrictions surrounding the disclosure of sensitive personal data, it is appropriate in this case to consider whether there are any conditions in Schedule 3 which would permit the data to be disclosed, before considering the Schedule 2 conditions. The conditions listed in Schedule 3 have been considered by the Commissioner, as have the additional conditions for processing sensitive personal data contained in secondary legislation, such as the Data Protection (Processing of Sensitive Personal Data) Order 2000.

42. Guidance issued by the Commissioner regarding the exemption in section 38(1)(b)[1], notes that, generally, only the first and fifth conditions are likely to be relevant when considering a request for sensitive personal data under FOISA. Condition 1 would allow personal data to be disclosed where the data subject has given explicit (i.e. specific, fully informed and freely given) consent to their release. Condition 5 would allow the personal data to be disclosed if the data had been made public as a result of steps deliberately taken by the data subject.

43. The Council informed the Commissioner that it had not considered it appropriate in the circumstances to ask the data subject if he or she consented to the disclosure of the personal data. In the circumstances, the Commissioner does not consider the requirements for explicit consent to be capable of being fulfilled. She is also satisfied that the data subject has not taken steps to place this information into the public domain, with the result that neither of conditions 1 and 5 could be met in this case.

Commissioner's conclusions - Section 38(1)(b)

44. Having reached this conclusion, and having concluded that no other condition in Schedule 3 applies in this case, the Commissioner finds that the disclosure of the data subject's sensitive personal data would breach the first data protection principle. She therefore finds that the Council was correct to withhold the information requested by Mr Baxter under section 38(1)(b) of FOISA.

Decision

The Commissioner finds that Aberdeenshire Council (the Council) generally complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information requests made by Mr Baxter. However, the Council was not entitled to notify Mr Baxter, in terms of section 17(1) of FOISA, that it did not hold any information falling within the scope of his second request.

Appeal

Should either Mr Baxter or Aberdeenshire Council wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement

1 September 2015

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

...

(4) The information to be given by the authority is that held by it at the time the request is received, except that, subject to subsection (5), any amendment or deletion which would have been made, regardless of the receipt of the request, between that time and the time it gives the information may be made before the information is given.

...

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

...

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

...

(e) in subsection (1) of section 38 -

...

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

...

17 Notice that information is not held

(1) Where-

(a) a Scottish public authority receives a request which would require it either-

(i) to comply with section 1(1); or

(ii) to determine any question arising by virtue of paragraph (a) or (b) of section 2(1),

if it held the information to which the request relates; but

(b) the authority does not hold that information,

it must, within the time allowed by or by virtue of section 10 for complying with the request, give the applicant notice in writing that it does not hold it.

...

38 Personal information

(1) Information is exempt information if it constitutes-

...

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

...

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

...

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

...

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

...

Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

...

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

...

2 Sensitive personal data

In this Act "sensitive personal data" means personal data consisting of information as to-

(a) the racial or ethnic origin of the data subject,

(b) his political opinions,

(c) his religious beliefs or other beliefs of a similar nature,

(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),

(e) his physical or mental health or condition,

(f) his sexual life,

(g) the commission or alleged commission by him of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Schedule 1 - The data protection principles

Part I - The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

...

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

...

Schedule 3 - Conditions relevant for purposes of the first principle: processing of sensitive personal data

1. The data subject has given his explicit consent to the processing of the personal data.

...

5. The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.

...


[1]