Home Decisions

Decision 141/2021

Decision 141/2021: Complaints about land at Lennel, Coldstream

Public authority: Scottish Borders Council
Case Ref: 202001401

Summary

The Council was asked for the names of complainants. The Council disclosed the name of a Councillor, but withheld a private individual's name. The Commissioner found that the Council was entitled to withhold the individual's name in the circumstances.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2A)(a), (5) (definitions of "the data protection principles", "data subject", "personal data", "processing" and "the UK GDPR") and (5A) (Personal information)

United Kingdom General Data Protection Regulation (the UK GDPR) articles 4(1) (Definitions); 5(1)(a) (Principles relating to processing of personal data); 6(1)(f) (Lawfulness of processing)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5) and (10) (Terms relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 4 October 2020, the Applicant made a request for information to Scottish Borders Council (the Council) concerning land at Lennel, Coldstream. The Applicant asked who the complainant(s) were in "a complaint made to planning enforcement regarding alleged unauthorised works carried out at the property".

2. The Council responded on 16 October 2020, confirming it held the names of two complainants. It withheld both names under section 38(1)(b) of FOISA, explaining that disclosure would contravene the first data protection principle.

3. On 21 October 2020, the Applicant wrote to the Council requesting a review of its decision. The Applicant explained why he did not consider section 38(1)(b) to apply.

4. The Council notified the Applicant of the outcome of its review on 18 November 2020, modifying its original position by disclosing one of the names (a Councillor who was undertaking constituency work). The Council stated why it was continuing to withhold the other name under section 38(1)(b).

5. On 23 November 2020, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. The Applicant stated that he was dissatisfied with the outcome of the Council's review, explaining why he believed the withheld name was capable of disclosure under FOISA.

Investigation

6. The application was accepted as valid. The Commissioner confirmed that the Applicant made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

7. On 3 December 2020, the Council was notified in writing that the Applicant had made a valid application. The Council was asked to send the Commissioner the information withheld from the Applicant. The Council provided the information and the case was allocated to an investigating officer.

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Council was invited to comment on this application and to answer specific questions. These related to the application of section 38(1)(b), including any expectations of privacy or confidentiality on the complainant's part.

Commissioner's analysis and findings

9. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both the Applicant and the Council. He is satisfied that no matter of relevance has been overlooked.

10. The Council confirmed that it considered the information withheld to be the personal data of a complainant and exempt under section 38(1)(b).

Section 38(1)(b) - third party personal data

11. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A), exempts information from disclosure if it is "personal data" (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR or (where relevant) in the DPA 2018.

12. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

Is the withheld information personal data?

13. The first question that the Commissioner must address is whether the information withheld is personal data for the purposes of section 3(2) of the DPA 2018 - see the definition in Appendix 1.

14. At review, the Council disclosed to the Applicant the name of an elected representative (a Councillor) but continued to withhold the name of a private individual who had lodged a complaint with the Council about the specified property. Having considered the information still withheld from the Applicant under section 38(1)(b), the Commissioner is satisfied that it is personal data: it clearly (and inevitably) relates to an identified or identifiable individual.

Would disclosure contravene one of the data protection principles?

15. The Council submitted that disclosure of this data would breach Article 5(1)(a) of the UK GDPR, which requires personal data to be processed "lawfully, fairly and in a transparent manner in relation to the data subject". The definition of "processing" is wide and includes "disclosure by transmission, dissemination or otherwise making available" (section 3(4)(d) of the DPA 2018). In the case of FOISA, personal data are processed when disclosed in response to a request. Personal data can only be disclosed if disclosure would be both lawful (i.e. if it would meet one or more of the conditions of lawful processing listed in Article 6(1) of the UK GDPR) and fair.

16. The Commissioner will first consider whether any of the conditions in Article 6(1) can be met. Generally, when considering whether personal data can lawfully be disclosed under FOISA, only condition (f) (legitimate interests) is likely to be relevant.

Condition (f): legitimate interests

17. Condition (f) states that processing will be lawful if it "…is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data …"

18. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.

19. The tests which must be met before Article 6(1)(f) can be met are as follows:

  • Does the Applicant have a legitimate interest in obtaining the personal data?
  • If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?
  • Even if the processing would be necessary to achieve the legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subject?

20. There is no presumption in favour of the disclosure of personal data under the general obligation laid down by section 1(1) of FOISA. Accordingly, the legitimate interests of the Applicant must outweigh the rights and freedoms or legitimate interests of the data subject before condition (f) will permit the data to be disclosed. If the two are evenly balanced, the Commissioner must find that the Council was correct to refuse to disclose the personal data to the Applicant.

21. From reasons provided by the Applicant, specific to the site in question, the Council accepted that the Applicant was pursuing a legitimate interest in seeking the withheld personal data. Having considered all relevant submissions, the Commissioner agrees.

22. Having accepted that the Applicant has a legitimate interest, the Commissioner must consider whether disclosure of those personal data is necessary for the Applicant's legitimate interests. In doing so, he must consider whether these interests might be reasonably be met by any alternative means.

23. The Commissioner has considered this carefully in light of the decision by the Supreme Court in South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55[1]. In this case, the Supreme Court stated (at paragraph 27):

A measure which interferes with a right protected by Community law must be the least restrictive for the achievement of a legitimate aim. Indeed, in ordinary language we would understand that a measure would not be necessary if the legitimate aim could be achieved by something less.

24. As the Supreme Court also noted in the same paragraph, "necessary" means "reasonably" rather than "absolutely" or "strictly" necessary. When considering whether disclosure would be necessary, public authorities should consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the Applicant's legitimate interests can be met by means which interfere less with the privacy of the data subject.

25. The Commissioner notes that the Applicant's stated reason for obtaining the name is to allow the investigation of alleged acts of criminality in relation to the land. That would be a matter for Police Scotland (in the circumstances, the Commissioner can see no legitimate interest in the private investigation of such matters) and it is not clear why investigation of any of the Applicant's concerns should require the public disclosure (and that is the effect of disclosure under FOISA) of the name of the complainant. Indeed, such disclosure might well be counter-productive to the effective conclusion of any relevant investigation.

26. Consequently, the Commissioner does not consider it necessary for the withheld personal data (an individual's name) to be disclosed in order to satisfy the legitimate interests identified.

27. The Commissioner must therefore conclude that condition (f) in Article 6(1) of the UK GDPR cannot be met in relation to the withheld personal data. In the absence of any other conditions allowing disclosure, disclosure would therefore be unlawful.

Fairness and transparency

28. Given the Commissioner's finding that processing would be unlawful, he is not required to go on to consider separately whether disclosure of the personal data would otherwise be fair or transparent in relation to the data subjects.

29. The Commissioner finds that disclosure of the withheld personal data would contravene Article 5(1)(a) of the UK GDPR. The information is therefore exempt from disclosure under section 38(1)(b) of FOISA.

Decision

The Commissioner finds that Scottish Borders Council complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant.

Appeal

Should either the Applicant or the Council wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement
27 September 2021

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(5) In this section-

"the data protection principles" means the principles set out in -

(a) Article 5(1) of the UK GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

"personal data" and "processing" have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act);

"the UK GDPR" has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act).

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

UK General Data Protection Regulation

4 Definitions

For the purposes of this Regulation:

(1) 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

5 Principles relating to processing of personal data(1)

Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency")

6 Lawfulness of processing

(1) Processing shall be lawful only if and to the extent that at least one of the following applies:

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

Data Protection Act 2018

3 Terms relating to the processing of personal data

(2) "Personal data" means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

(3) "Identifiable living individual" means a living individual who can be identified, directly or indirectly, in particular by reference to -

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

(4) "Processing", in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as -

(d) disclosure by transmission, dissemination or otherwise making available,

(5) "Data subject" means the identified or identifiable living individual to whom personal data relates.

(10) "The UK GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).