Decision 149/2019: Expenses claimed by Children's Panel Area Convenor (and others)

Public authority: Children's Hearings Scotland
Case Ref: 201900430

Summary

Children's Hearings Scotland (CHS) was asked for the expense claims of three officers of the Glasgow Children's Hearing Panel. CHS withheld the expense claims, as it considered them to be the personal data of the officers involved and exempt from disclosure.

The Commissioner investigated and agreed that the expense claims were exempt from disclosure.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2A), (5) (definitions of "the data protection principles", "data subject", "the GDPR", "personal data" and "processing") and (5A) (Personal information)

General Data Protection Regulation (the GDPR) Articles 4(1) and (11) (definition of "personal data" and "consent") (Definitions); 5(1)(a) (Principles relating to processing of personal data); 6(1)(a) and (f) (Lawfulness)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5) and 10 (Terms relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 6 July 2018, the Applicant asked Children's Hearings Scotland (CHS) for "Detailed (loss of employment income, travel, phone bills etc) expenses claim[s] of [the] Area Convenor, Deputy Area Convenor and Lead Panel Representative of the Glasgow Children's Hearing System (Children's Panel) from 1st April 2017 - 1st April 2018 financial year."

2. CHS responded on 31 July 2018, and stated that it did not hold the information.

3. Later the same day, the Applicant emailed CHS requesting a review of its decision. The Applicant stated that he had been advised by Glasgow City Council to contact CHS for this information.

4. On 1 March 2019, following issue of Decision 003/2019: Mr N and Children's Hearings Scotland[1], CHS responded and stated that it was relying on section 38(1)(b) of FOISA to withhold the information as it was the personal data of third parties and disclosure would breach multiple data protection principles.

5. On 6 March 2019, the Applicant applied to the Commissioner for a decision in terms of section 47(1) of FOISA. The Applicant stated he was dissatisfied with the outcome of CHS's review. He argued that the information could be disclosed while respecting the data protection principles.

Investigation

6. The application was accepted as valid. The Commissioner confirmed that the Applicant made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

7. On 8 May 2019, CHS was notified in writing that the Applicant had made a valid application. CHS was asked to send the Commissioner the information withheld from the Applicant. CHS provided the information and the case was allocated to an investigating officer.

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. CHS was invited to comment on this application and to answer specific questions.

9. CHS provided its submissions on 26 July 2019.

10. The Applicant was asked for, and provided comments as to his legitimate interests in the withheld information.

Commissioner's analysis and findings

11. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both the Applicant and CHS. He is satisfied that no matter of relevance has been overlooked.

12. As noted above, CHS withheld the information requested on the basis that section 38(1)(b) of FOISA applied.

Section 38(1)(b) - Personal information

13. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is "personal data" (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the GDPR or (where relevant) in the DPA 2018.

14. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

15. To rely on this exemption, CHS must show that the information withheld is personal data for the purposes of the DPA 2018 and that disclosure of the information into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles to be found in Article 5(1) of the GDPR.

16. The Applicant sought the expense claims for the Area Convenor, Deputy Area Convenor and Lead Panel Representative of the Glasgow Children's Hearing, all volunteer roles.

17. CHS submitted that disclosure would breach the data protection principles, which requires the processing of personal data to be lawful and fair (Article 5(1)(a) of the GDPR).

Is the information personal data?

18. The first question for the Commissioner is whether the withheld information is personal data for the purposes of section 3(2) of the DPA 2018, i.e. any information relating to an identified or identifiable living individual. "Identifiable living individual" is defined in section 3(3) of the DPA 2018 - see Appendix 1. (This definition reflects the definition of personal data in Article 4(1) of the GDPR, also set out in Appendix 1.)

19. CHS submitted that the roles identified in the request are undertaken by one individual per role within the Glasgow area; consequently, they are identifiable individuals by reference to that role. CHS also noted that the expenses claims contained names, contact information and location data.

20. Having considered the information being withheld, the Commissioner accepts that the information is personal data: the identified roles are clearly related to identifiable living individuals. The Commissioner therefore accepts that the information is personal data as defined in section 3(2) of the DPA 2018.

Would disclosure contravene one of the data protection principles?

21. In its submissions, CHS made reference to Article 5 of the GDPR. Amongst other data protection principles, it referred to that in Article 5(1)(a) of the GDPR. Article 5(1)(a) states that personal data shall be processed "lawfully, fairly and in a transparent manner in relation to the data subject."

22. In terms of section 3(4)(d) of the DPA 2018, disclosure is a form of processing. In the case of FOISA, personal data is processed when it is disclosed in response to a request.

23. The Commissioner must consider if disclosure of the personal data would be lawful. In considering lawfulness, he must consider whether any of the conditions in Article 6 of the GDPR would allow the data to be disclosed.

24. The Commissioner considers conditions (a) and (f) in Article 6(1) are the only conditions which could potentially apply in the circumstances of this case.

Condition (a): Consent

25. Condition (a) states that the processing will be lawful if the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

26. "Consent" is defined in Article 4 of the GDPR as-

"… any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her"

27. In terms of Article 7(1), the data controller (in this case, CHS) must be able to demonstrate that the required consent exists.

28. CHS confirmed that the individuals did not provide consent for disclosure. The Commissioner is satisfied that, in the absence of consent, condition (a) cannot be met.

Condition (f): legitimate interests

29. Condition (f) states that processing shall be lawful if it "…is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."

30. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.

31. The tests which must be met before Article 6(1)(f) can be met are as follows:

a. Does the Applicant have a legitimate interest in obtaining the personal data?

b. If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?

c. Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental right and freedoms of the data subjects?

Does the Applicant have a legitimate interest in obtaining the personal data?

32. The Applicant argued that the information related to public funds and that there was an expectation that claims of any person holding a public office should be disclosed and open to public scrutiny. The Applicant considered that, when individuals apply to become a member of the Hearing System, they should only do so to help vulnerable children and families; they should only submit legitimate expenses and not try to gain anything from being a member.

33. CHS did not have reason to believe that there was a legitimate reason to disclose the information. It stated that there was no established precedent for disclosing the expenses of individual volunteers. CHS considered what could be gained from disclosure of the requested information, and could not identify any reason that would outweigh the negative consequences of this course of action.

34. The Commissioner accepts that the Applicant has (and, indeed, the wider public would have) a legitimate interest in disclosure of the personal data. The information requested would allow the Applicant (and the wider public) to understand what expenses were being claimed and would create transparency and accountability in relation to the expenditure of public funds. The Commissioner also considers that the scrutiny of Scottish public authorities, including their finances and how monies are claimed and spent, is an important facet of FOISA.

Is disclosure of the personal data necessary?

35. Having accepted that the Applicant has a legitimate interest in the personal data, the Commissioner must consider whether disclosure of the personal data is necessary for the Applicant's legitimate interests. In doing so, he must consider whether these interests might reasonably be met by any alternative means. As CHS did not consider the Applicant had a legitimate interest in the withheld information, it follows that its view would be that disclosure of the personal data is not necessary.

36. The Commissioner has considered this carefully in the light of the decision by the Supreme Court in South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55[2]. In this case, the Supreme Court stated (at paragraph 27):

"… A measure which interferes with a right protected by Community law must be the least restrictive for the achievement of a legitimate aim. Indeed, in ordinary language we would understand that a measure would not be necessary if the legitimate aim could be achieved by something less."

"Necessary" means "reasonably" rather than "absolutely" or "strictly" necessary. When considering whether disclosure would be necessary, public authorities should consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the requester's legitimate interests can be met by means which interfere less with the privacy of the data subject.

37. CHS offered to disclose total expenses for each role for the time period specified so the Applicant could, to an extent, assess the monies being spent on expenses and weigh this against the funds available to CHS and consider whether such expenses are appropriate. The Applicant did not accept that such summaries would include the detail required.

38. The Commissioner has taken into account CHS's offer to supply the Applicant with the annual total of expenses claimed for each role. This goes some way towards satisfying the Applicant's legitimate interests but the Commissioner accepts that disclosure of the expenses claimed, in detail, would be required to meet the Applicant's legitimate interests.

The data subjects' interests or fundamental rights and freedoms

39. It is necessary to balance the legitimate interests in disclosure against the data subjects' interests or fundamental rights and freedoms. In doing so, it is necessary to consider the impact of disclosure. For example, if the data subjects would not reasonably expect that the information would be disclosed to the public under FOISA in response to the request, or if such disclosure would cause unjustified harm, their interests or rights are likely to override legitimate interests in disclosure. Only if the legitimate interests of the Applicant outweigh those of the data subjects can the information be disclosed without breaching the first data protection principle.

40. CHS explained that the roles identified were volunteers and as an organisation they only published the expenses of senior employees. CHS submitted that disclosure of the roles' expenses would be unfair as it related to three easily identifiable members of the volunteer community and their claims were made in good faith and in line with the CHS Volunteer Expense Policy.

41. The Commissioner's guidance[3] on section 38 of FOISA notes factors that should be taken into account in balancing the interests of parties. These factors include:

(i) whether the information relates to the individual's public life (i.e. their work as a public official or employee) or their private life (i.e. their home, family, social life or finances)

(ii) the potential harm or distress that may be caused by the disclosure

(iii) whether the individual objected to the disclosure

(iv) the reasonable expectations of the individual as to whether the information should be disclosed.

42. The Commissioner accepts that, to some degree, the personal data under consideration relates to the individuals' private lives, in that the individuals incurred the expenses by undertaking public service in a voluntary capacity. Although there are no absolute rules in this regard, generally it will be the case that where information relates to an individual's private life (i.e. their home, family, social life or finances) it will deserve greater protection than information about them acting in an official or work capacity (i.e. their public life). However, the Commissioner also accepts that, even though the identified roles are voluntary, they carry with it important public responsibilities. The personal data in question therefore cannot be regarded as relating solely to the individual's private life.

43. The Commissioner has considered the request for expenses carefully and is cognisant of the fact that authorities should be accountable for their expenditure, and demonstrate that checks and balances are in place to ensure such expenditure is valid and justifiable.

44. As part of its submissions, CHS explained that it has a robust expense claim process and policy, and monitor claims processing to ensure that the policy and guidance is being followed properly. CHS submitted that expense claims are processed by Local Authority Clerks who are provided with training and support to identify and query any claims that do not meet the CHS criteria for processing. CHS stated that, through the monitoring of these processes, it is confident that they are functioning appropriately.

45. In support of its submissions, CHS provided the Commissioner with a copy of its Volunteer Expense Policy which states that volunteers should never be left out of pocket for the time that they commit to the system. CHS highlighted that the vast majority of panel members choose not to claim expenses and that if it were to publish the requested claims, it believed that this would discourage other volunteers from claiming reimbursement where it was due. CHS stated that is committed to building a diverse community of volunteers that reflects all aspects of Scottish society. It argued that disclosure would unfairly impact on those volunteers who required reimbursement to enable their continued commitment to children and young people.

46. CHS highlighted that the Applicant had already been offered the total sum claimed by the volunteers and the combined total for the three volunteer roles, but this offer was rejected. CHS suggested that the request was intended to cause embarrassment or harm to the individuals concerned.

47. CHS also confirmed that it publishes some information relating to volunteer expenses in its board minutes [one example 19 June 2018[4]].

48. The Commissioner notes that there appears to be sufficient procedures in place to ensure adequate scrutiny of the expenses of the volunteers. He does not find that disclosure of the personal data in question would be required in order to be satisfied on this point.

49. The Commissioner has also considered the fact that the roles performed by the identified individuals are voluntary, and that, accordingly, the individuals may have had no expectation that their personal data would be disclosed. CHS submitted that at the point of collection, volunteers were not informed that their data may be shared with the public.

50. The Commissioner concludes that, in these circumstances, disclosure would have a detrimental effect on the data subject and on the organisation and could discourage other individuals from volunteering.

51. Having carefully balancing the legitimate interests of the individuals concerned against those of the Applicant, the Commissioner finds that the legitimate interests served by disclosure of the withheld personal data are outweighed by the unwarranted prejudice that would result to the rights and freedoms or legitimate interests of the data subjects. Condition (f) in Article 6(1) of the GDPR cannot, therefore, be met in relation to the withheld personal data.

52. In the absence of a condition in Article 6 of the GDPR allowing the personal data to be disclosed, the Commissioner has concluded that disclosing the information would be unlawful.

Fairness

53. Given that the Commissioner has concluded that the processing of the personal data would be unlawful, he is not required to go on to consider separately whether disclosure of such personal data would otherwise be fair and transparent in relation to the data subject.

Conclusion on the data protection principles

54. For the reasons set out above, the Commissioner is satisfied that disclosure of the personal data would breach the data protection principle in Article 5(1)(a) of the GDPR. Consequently, he is satisfied that the personal data are exempt from disclosure under section 38(1)(b) of FOISA.

Decision

The Commissioner finds that Children's Hearing Scotland complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by the Applicant.

Appeal

Should either the Applicant or CHS wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement
9 October 2019

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

…

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

…

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

…

(e) in subsection (1) of section 38 -

…

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

38 Personal information

(1) Information is exempt information if it constitutes-

…

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);

…

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

….

(5) In this section-

"the data protection principles" means the principles set out in -

(a) Article 5(1) of the GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

"the GDPR", "personal data", "processing" and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4), (10), (11) and (14) of that Act);

…

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

General Data Protection Regulation

Article 4 Definitions

For the purpose of this Regulation:

1 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

…

11 'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

…

Article 5 Principles relating to processing of personal data

1 Personal data shall be:

a. processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency")

…

Article 6 Lawfulness of processing

1 Processing shall be lawful only if and to the extent that at least one of the following applies:

a. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

…

f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

Data Protection Act 2018

3 Terms relating to the processing of personal data

…

(2) "Personal data" means any information relating to an identified or identifiable living individual (subject to section 14(c)).

(3) "Identifiable living individual" means a living individual who can be identified, directly or indirectly, in particular by reference to -

(a) an identifier, such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

(4) "Processing", in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as -

…

(d) disclosure by transmission, dissemination or otherwise making available,

…

(5) "Data subject" means the identified or identifiable living individual to whom personal data relates.

…

(10) "The GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

…

---