Decision 141/2014 | Scottish Information Commissioner

Home Decisions

Decision 141/2014

Decision 141/2014 Mr James Gill and Audit Scotland

Auditors' report

Reference No: 201401034
Decision Date: 25 June 2014

Summary

On 5 August 2013, Mr Gill asked Audit Scotland for a copy of the external auditors' report on the handling of a complaint by Scottish Borders Council (the Council). Audit Scotland provided some information, withholding the rest on the basis that it was personal data and disclosure would breach the first data protection principle.

Following an investigation, the Commissioner found that Audit Scotland dealt with Mr Gill's request for information in accordance with Part 1 of FOISA.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2)(a)(i), (2)(b) and (5) (definitions of "data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA) sections 1(1) (Basic interpretative provisions) (definition of "personal data"); Schedule 1 (The data protection principles, Part I: the principles) (the first data protection principle) and Schedule 2 (Conditions relevant for purposes of the first principle: processing of any personal data) (condition 6)

The full text of each of the statutory provisions cited above is reproduced in the Appendix to this decision. The Appendix forms part of this decision.

Background

1. On 5 August 2013, Mr Gill wrote to Audit Scotland. He asked for the full report of the Council's external auditors on the Council's handling of a complaint. He had received a summary of the report already.

2. Audit Scotland responded on 11 October 2013. It informed Mr Gill that the report requested was not yet in its final state. Having considered the public interest test, it concluded that the report should be withheld in terms of section 40(b) of FOISA. Audit Scotland further informed Mr Gill that, once the report had been finalised, it intended to consider his request again, without the need for him to submit a new information request.

3. On 13 March 2014, Audit Scotland provided Mr Gill with a further response to his request. It provided Mr Gill with the information requested, redacted in terms of section 38(1)(b) of FOISA. In Audit Scotland's view, disclosure of the redacted information would breach the first data protection principle.

4. On 10 April 2014, Mr Gill wrote to Audit Scotland, requesting a review of its decision. He believed it was critical to answering his complaint for the information to be disclosed.

5. Audit Scotland notified Mr Gill of the outcome of its review on 29 April 2014. It upheld its decision that the information was properly withheld in terms of section 38(1)(b) of FOISA.

6. On 12 May 2014, Mr Gill wrote to the Commissioner, stating that he was dissatisfied with the outcome of Audit Scotland's review and applying to the Commissioner for a decision in terms of section 47(1) of FOISA.

7. The application was validated by establishing that Mr Gill made a request for information to a Scottish public authority and applied to the Commissioner for a decision only after asking the authority to review its response to that request.

Investigation

8. On 27 May 2014, Audit Scotland was notified in writing that an application had been received from Mr Gill and was asked to provide the Commissioner with any information withheld from him. Audit Scotland provided the information and the case was then allocated to an investigating officer.

9. The investigating officer subsequently contacted Audit Scotland, giving it an opportunity to provide comments on the application (as required by section 49(3)(a) of FOISA) and asking it to respond to specific questions. The investigating officer's questions focused on Audit Scotland's application of section 38(1)(b) of FOISA: Audit Scotland responded with full submissions on these points.

10. Mr Gill also provided submissions to the Commissioner.

Commissioner's analysis and findings

11. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to her by both Mr Gill and Audit Scotland. She is satisfied that no matter of relevance has been overlooked.

Section 38(1)(b) - Personal Information

12. Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or (2)(b) (as appropriate) exempts personal data if its disclosure to a member of the public, otherwise than under FOISA, would contravene any of the data protection principles.

13. Audit Scotland submitted that the withheld information was personal data for the purposes of the DPA and that its disclosure would contravene the first data protection principle. Therefore, it argued that the information was exempt under section 38(1)(b) of FOISA.

14. In considering the application of this exemption, the Commissioner will first consider whether the information in question is personal data as defined in section 1(1) of the DPA. If it is, she will go on to consider whether disclosure of the information would breach the first data protection principle as claimed.

15. This is an absolute exemption, which means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

Is the information under consideration personal data?

16. "Personal data" are defined in section 1(1) of the DPA as "data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller" (the full definition is set out in the Appendix).

17. The Commissioner has considered the submissions received from Audit Scotland on this point, along with the withheld information. She is satisfied that living individuals could be identified from the information, either by itself or with other information reasonably likely to be accessible to Mr Gill (and others). Given the nature of the information (the handling of a complaint raised by Mr Gill against a named individual), the Commissioner finds that it relates to the individual concerned. Consequently, the Commissioner accepts that the information would be that individual's personal data, as defined by section 1(1) of the DPA.

The first data protection principle

18. The first data protection principle states that personal data shall be processed fairly and lawfully. The processing in this case would be disclosure of the information into the public domain in response to Mr Gill's request. The first principle also states that personal data shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met and, in the case of sensitive personal data, as defined in section 2 of the DPA, at least one of the conditions in schedule 3 to the DPA is also met.

19. The Commissioner will first consider whether there are any conditions in Schedule 2 which would permit the withheld personal data to be disclosed. If any of these conditions can be met, she must then consider whether the disclosure of the personal data would be fair and lawful.

20. There are three separate aspects to the first data protection principle: (i) fairness, (ii) lawfulness and (iii) the conditions in the schedules. These three aspects are interlinked. For example, if there is a specific condition in Schedule 2 which permits the personal data to be disclosed, it is likely that the disclosure will also be fair and lawful.

Can any of the conditions in Schedule 2 be met?

21. In the circumstances, it appears to the Commissioner that condition 6 in Schedule 2 is the only one which might permit disclosure to Mr Gill. In any event, neither Mr Gill nor Audit Scotland has argued that any other condition would be relevant. Condition 6 allows personal data to be processed if the processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject (the individual(s) to whom the data relate).

22. There are, therefore, a number of different tests which must be satisfied before condition 6 can be met. These are:

a. Is Mr Gill pursuing a legitimate interest or interests?

b. If yes, is the processing involved necessary for the purposes of those interests? In other words, is the processing proportionate as a means and fairly balanced as to ends, or could these interests be achieved by means which interfere less with the privacy of the data subject?

c. Even if the processing is necessary for Mr Gill's legitimate interests, is that processing nevertheless unwarranted in this case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject?

23. There is no presumption in favour of the disclosure of personal data under the general obligation laid down by section 1(1) of FOISA. Accordingly, the legitimate interests of Mr Gill must outweigh the rights and freedoms or legitimate interests of the data subjects before condition 6 will permit the personal data to be disclosed. If the two are evenly balanced, the Commissioner must find that the Audit Scotland was correct to refuse to disclose the personal data to Mr Gill.

Is the applicant pursuing a legitimate interest or interests?

24. Audit Scotland accepted that Mr Gill was pursuing a legitimate interest in the withheld information, given his direct involvement in the subject matter of the report. It also acknowledged a wider public interest in knowing that the Council had adopted and followed correct internal procedures.

25. Mr Gill submitted that he had a legitimate interest in the auditors' findings, specifically on the Council's handling of the matter as a corporate body.

26. Having considered all relevant submissions she has received on this point, together with the withheld information, the Commissioner accepts that Mr Gill, as the complainant, has a legitimate interest in the matters considered by the auditors in their report. Given that the report relates to the handling of a complaint under the Council's whistleblowing policy, the Commissioner also accepts there is a wider public interest in its content.

Is disclosure necessary for the purposes of these interests?

27. The Commissioner must now consider whether disclosure of the requested information is necessary for achieving the legitimate interests she has identified, and in doing so she must consider whether these interests might reasonably be met by any alternative means.

28. Audit Scotland submitted that disclosure was not necessary for the purposes of any legitimate interest. It submitted that any legitimate interest Mr Gill had in knowing how his complaint was handled had been met by him being given the information it had disclosed already. This included a summary of the auditors' report, in addition to the redacted version provided on review.

29. On the other hand, Mr Gill submitted that he had not received full answers to the complaints he had raised. He could identify no means of obtaining this information, other than in a full response to this information request.

30. Having considered the report and the summary released to Mr Gill, along with the submissions she has received, the Commissioner does not consider disclosure of the redacted personal data to be necessary to meet Mr Gill's legitimate interests. It is possible to understand the auditors' investigation and its outcome adequately without having the withheld data. These data may provide some additional evidential background to the auditors' conclusions, but the Commissioner does not believe they add materially to understanding of those conclusions, the way in which they were reached or the underlying reasons. Considering the remaining information available to Mr Gill, neither does she believe what has been redacted would add materially to understanding of what the Council did in dealing with Mr Gill's original complaint.

31. In all the circumstances, the Commissioner concludes that disclosure of the withheld personal data would not be necessary to meet the legitimate interests identified above.

32. The Commissioner must therefore conclude that condition 6 cannot be met in this case. In the absence of a condition permitting disclosure, she must also conclude that disclosure would be unlawful. The Commissioner therefore finds that the first data protection principle would be breached by disclosure, and so the information under consideration was properly withheld by Audit Scotland under section 38(1)(b) of FOISA.

Decision

The Commissioner finds that Audit Scotland complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by Mr Gill.

Appeal

Should either Mr Gill or Audit Scotland wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement
25 June 2014

Appendix

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

Schedule 1 - The data protection principles

Part I - The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

Schedule 2 - Conditions relevant for purposes of the first principle: processing of any personal data

...

6. (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.