Home Decisions

Decision 145/2019

Decision 145/2019: Police investigation

Public Authority: The Chief Constable of the Police Service of Scotland
Reference No: 201900629

Summary

Police Scotland were asked whether a named individual had faced prosecution or was due to face prosecution under section 112 of the Local Government Finance Act 1992. Police Scotland refused to provide any information, stating that information about an individual's offences or possible convictions was exempt from disclosure.

The Commissioner found that Police Scotland were correct to withhold the information.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2A)(a) and(5) (definitions of "the data protection principles", "data subject", "the GDPR", "personal data" and "processing") and (Personal information)

General Data Protection Regulation (the GDPR) Articles 5(1)(a) (Principles relating to processing of personal data); 10 (Processing of personal data relating to criminal convictions and offences)

Data Protection Act 2018 (the DPA 2018) section 3(2), (3), (4)(d) (Terms relating to the processing of personal data); 10(4) and (5) (Special categories of personal data and criminal convictions etc data); 11(2) (Special categories of personal data etc: supplementary)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 21 December 2018, the Applicant made a request for information to the Chief Constable of the Police Service of Scotland (Police Scotland). He asked for the following information:

  • whether a named ex-councillor faced prosecution or was due to face prosecution for the alleged criminal act under section 112 of the Local Government Finance Act 1992 (the 1992 Act)
  • if so, the outcome regarding this case, and
  • if they did not face prosecution, the reasons why.

2. Section 112 of the 1992 Act makes it an offence for a councillor in council tax arrears (with at least two months' arrears) to vote on financial matters relating to council tax at a meeting of the Council or one of its committees. It is also an offence, if any such councillor present, who is aware of the arrears, fails to disclose that they are in such arrears of council tax.

3. Police Scotland responded on 11 January 2019. Police Scotland refused to provide the information, citing the exemption in section 38(1)(b) of FOISA (Personal information). Police Scotland explained that the information requested would reveal information about an individual's offences and any possible criminal conviction. Police Scotland highlighted that, whilst not special category personal data, section 10 of the DPA 2018 made it clear that such information should be treated in a similar manner.

4. On 30 January 2019, the Applicant wrote to Police Scotland requesting a review of their decision. He stated that the councillor had been named in the media in respect of the alleged offences and the weekly local newspapers disclose the names of individuals prosecuted.

5. Police Scotland notified the Applicant of the outcome of their review on 18 March 2019. The review response upheld Police Scotland's reliance on section 38(1)(b), but also referred to section 18(1) of FOISA (which allows public authorities neither to confirm nor deny whether they hold information) and identities of police officers and staff.

6. On 10 April 2019, the Applicant applied to the Commissioner for a decision in terms of section 47(1) of FOISA. The Applicant was dissatisfied with the outcome of Police Scotland's review because he had not been provided with the information requested. He also questioned the fact that the review referred to withholding the identities of police officers and staff.

Investigation

7. The application was accepted as valid. The Commissioner confirmed that the Applicant made a request for information to a Scottish public authority and asked the authority to review its response to that request requests before applying to him for a decision.

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. Police Scotland were invited to comment on this application and to answer specific questions.

9. The Applicant also provided information and arguments to support his position that Police Scotland were not entitled to withhold the information he had requested.

10. During the investigation, Police Scotland acknowledged and apologised for the administrative error in their review which referred to section 18 and the identity of police officers and staff.

11. Police Scotland confirmed they wished to rely on section 38(1)(b) of FOISA to withhold the requested information on the basis that disclosure would reveal information about an individual's offences and any possible criminal convictions.

Commissioner's analysis and findings

12. In coming to a decision on this matter, the Commissioner considered all the withheld information and the relevant submissions, or parts of submissions, made to him by both the Applicant and Police Scotland. The Commissioner is satisfied that no matter of relevance has been overlooked.

Section 38(1)(b) - Personal information

13. Police Scotland withheld the information sought by the Applicant under section 38(1)(b) read with section 38(2A)(a). This exempts information from disclosure if it is "personal data" and its disclosure would contravene any of the data protection principles in the GDPR or in the DPA 2018.

Is the information personal data?

14. The first question the Commissioner must address is whether the information the Applicant requested is personal data.

15. Personal data is defined in section 3(2) of the DPA 2018 as "any information relating to an identified or identifiable living individual".

16. Section 3(3) of the DPA 2018 defines "identifiable living individual" as "a living individual who can be identified, directly or indirectly, in particular by reference to -

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual."

17. Information will "relate to" a person if it is about them, is linked to them, has biographical significance for them, is used to inform decisions affecting them, or has them as its main focus.

18. The Applicant named the individual in his request and sought information about that individual, in particular in respect of an alleged offence. Given that, and the subject matter of the request, information captured by this request would clearly relate to that named individual. The information clearly relates to a living person and is capable of identifying them directly. The Commissioner is therefore satisfied that the information is personal data as defined in section 3(2) of the DPA 2018.

Criminal offence data

19. Information relating to criminal convictions and offences is given special status in the GDPR: Article 10 makes it clear that the processing of this type of personal data can be carried out only under the control of official authority or when the processing is authorised by EU or Member State law providing for appropriate safeguards for the rights and freedoms of the data subjects.

20. Section 11(2) of the DPA 2018 makes it clear that proceedings for an offence committed by a data subject or the disposal of such proceedings, including sentencing, is criminal offence data. The Applicant's request relates to information about an alleged breach of section 112 of the 1992 Act, which is a section with a penalty for a criminal offence.

21. The Commissioner is satisfied that the personal data the Applicant has asked for clearly falls within the definition of criminal offence data.

22. Criminal offence data can only be processed if one of the stringent conditions in Part 1 to 3 of Schedule 1 to the DPA 2018 can be met (section 10(5) of the DPA 2018).

23. "Processing" of personal data is defined in section 3(4) of the DPA 2018. It includes (section 3(4)(d)) disclosure by transmission, dissemination or otherwise making available personal data. The definition therefore covers disclosing information into the public domain in response to a FOISA request.

24. Parts 1 to 3 of Schedule 1 to the DPA contain a wide range of conditions which allow personal data to be disclosed, but there are very limited conditions which would allow a public authority to disclose criminal offence data into the public domain in response to a FOI request.

25. In submissions, the Applicant highlighted the importance of transparency. In many previous decisions - including some related to Council tax arrears by elected representatives - the Commissioner has recognised the importance in the scrutiny of the performance and processes of public bodies. The scrutiny of the actions of elected members and the processes followed by public authorities in matters concerning alleged offences by elected representatives is a legitimate and important function. The subject of the Applicant's scrutiny (broadly, any actions in respect of an alleged offence in respect of voting on tax) is an important area of concern.

26. However, as stated above, criminal offence data can only be processed if one of the stringent conditions in Parts 1 to 3 of Schedule 1 to the DPA 2018 can be met. The Commissioner has considered each of these conditions and whether any of them could be relied on to disclose the criminal offence data in this case. Having done so, and having taken into account the restrictive nature of the conditions, he considers that they could not.

27. As noted above, Police Scotland argued that disclosure would breach the data protection principle (Article 5(1)(a) of the GDPR) which requires that personal data shall be processed lawfully and fairly. Police Scotland acknowledged that some information was in the public domain at the time of the request but as a Data Controller it has statutory obligations to abide by in respect of the DPA and the GDPR and disclosure in this case would contravene the first principle.

28. The Commissioner is satisfied that none of the conditions required for processing personal data of this nature are satisfied; consequently, there can be no legal basis for its disclosure and the information requested by the Applicant is exempt from disclosure under section 38(1)(b) of FOISA.

29. The Commissioner therefore finds that Police Scotland complied with Part 1 of FOISA by withholding the information.

30. The Commissioner notes that the review response contained administrative errors which Police Scotland acknowledged and apologised for.

Decision

The Commissioner finds that the Chief Constable of the Police Service of Scotland complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by the Applicant.

Appeal

Should either the Applicant or Police Scotland wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement
1 October 2019

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and the first, second or third condition is satisfied (see subsections

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(5) In this section-

"the data protection principles" means the principles set out in -

(a) Article 5(1) of the GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

"the GDPR", "personal data", "processing" and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4), (10), (11) and (14) of that Act);

General Data Protection Regulation

Article 5 Principles relating to processing of personal data

1 Personal data shall be:

a. processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency")

Article 10

Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried our only under the control of official authority of when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.

Data Protection Act 2018

3 Terms relating to the processing of personal data

(2) "Personal data" means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

(3) "Identifiable living individual" means a living individual who can be identified, directly or indirectly, in particular by reference to -

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

(4) "Processing", in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as -

(d) disclosure by transmission, dissemination or otherwise making available.

10 Special categories of personal data and criminal convictions etc data

(4) Subsection (5) makes provision about the processing of personal data relating to criminal convictions and offences or related security measures that is not carried out under the control of official authority.

(5) The processing meets the requirement in Article 10 of the GDPR for authorisation by the law of the United Kingdom or a part of the United Kingdom only if it meets a condition in Part 1, 2 or 3 of Schedule 1.

11 Special categories of personal data etc: supplementary

(3) In Article 10 of the GDPR and section 10, references to personal data relating to criminal convictions and offences or related security measures include personal data relating to -

(a) the alleged commission of offences by the data subject, or

(b) proceedings for an offence committed or alleged to have been committed by the data subject or the disposal of such proceedings, including sentencing.