Decision 154/2013 Mr John MacInnes and South Lanarkshire Council
Disability related expenditure
Reference No: 201300357
Decision Date: 30 July 2013
Summary
On 7 December 2012, Mr MacInnes requested from South Lanarkshire Council (the Council) a list of disability related expenditure accepted by the Council for the purposes of financial assessments over the previous 12 months. The Council withheld the information under the exemption in section 38(1)(b) of FOISA (personal data). Following an investigation, the Commissioner found that the Council had correctly applied the exemption in section 38(1)(b), being satisfied that the information comprised personal data the disclosure of which would breach the first data protection principle.
Relevant statutory provisions
Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2)(a)(i), (2)(b) and (5) (definitions of "the data protection principles", "data subject" and "personal data") (Personal information)
Data Protection Act 1998 (the DPA) section 1(1) (Basic interpretative provisions) (definition of "personal data"); 2(e) (Sensitive personal data); Schedules 1 (The data protection principles, Part 1: the principles) (the first data protection principle) and 3 (Conditions relevant for purposes of the first principle: processing of sensitive personal data) (conditions 1 and 5)
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data: Recital 26
The full text of each of the statutory provisions cited above is reproduced in the Appendix to this decision. The Appendix forms part of this decision.
Background
1. On 7 December 2012, Mr MacInnes emailed the Council seeking the following information:
"A full list of disability related expenditure accepted by the Council in relation to qualifying expenditure for the purposes of financial assessments over the past 12 month period. For the purposes of this request please note any personal information may be redacted in order to comply with the requirements of the Data Protection Act 1998 in order that no person may be identified from the information requested."
2. The Council responded on 21 December 2012, informing Mr MacInnes that it was withholding the information under section 38(1)(b) of FOISA (Personal information).
3. On 24 December 2012, Mr MacInnes wrote to the Council requesting a review of its decision. He did not believe the information he had requested would include personal data.
4. The Council notified Mr MacInnes of the outcome of its review on 24 January 2013. With further reasoning, the Council upheld its original decision.
5. On 24 January 2013, Mr MacInnes wrote to the Commissioner, stating that he was dissatisfied with the outcome of the Council's review and applying to the Commissioner for a decision in terms of section 47(1) of FOISA.
6. The application was validated by establishing that Mr MacInnes made a request for information to a Scottish public authority and applied to the Commissioner for a decision only after asking the authority to review its response to that request. The case was then allocated to an investigating officer.
Investigation
7. The investigating officer subsequently contacted the Council, giving it an opportunity to provide comments on the application (as required by section 49(3)(a) of FOISA) and asking it to respond to specific questions related to its application of section 38(1)(b) of FOISA. The Council was also asked to provide a sample of the withheld information.
8. The Council provided the withheld information to the investigating officer, with its submissions on section 38(1)(b).
9. Mr MacInnes also provided submissions to the investigating officer, in support of his argument that the information should be disclosed.
Commissioner's analysis and findings
10. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to her by both Mr MacInnes and the Council. She is satisfied that no matter of relevance has been overlooked.
Section 38(1)(b) - Personal data
11. Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or (as appropriate) section 38(2)(b), exempts information from disclosure if it is personal data and if its disclosure to a member of the public otherwise than under FOISA would breach any of the data protection principles set out in Schedule 1 to the DPA.
12. The exemption in section 38(1)(b) is an absolute exemption, not subject to the public interest test laid down by section 2(1)(b) of FOISA.
13. In this case, the Council provided further submissions on why it considered the withheld information to be personal data. It argued that disclosure of the information would contravene the first data protection principle. It also explained that it considered the information to be sensitive personal data.
Is the information (sensitive) personal data?
14. The Commissioner will first consider whether the withheld information comprises personal data and, if so, whether it comprises sensitive personal data. Personal data are defined in section 1(1) of the DPA as data which relate to a living individual who can be identified a) from those data, or b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller (the full definition is set out in the Appendix). The DPA gives effect to Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the Directive) and so the DPA should, where possible, be interpreted in a manner which is consistent with the Directive.
15. Section 2 of the DPA provides that certain types of personal data are to be considered sensitive personal data, which is afforded additional protection under the DPA. This includes, at section 2(e), information as to the data subject's physical or mental health or condition.
16. In considering the definition of personal data, the Commissioner has also taken account of the opinion delivered by the House of Lords in Common Services Agency v Scottish Information Commissioner[1].
17. The Commissioner notes that Mr MacInnes stated he did not require information identifying any individual. What he did require was a broader overview of types of qualifying expenditure already taken into account by the Council as acceptable. He provided the following examples, not intended to be exhaustive, of types of expenditure:
Transportation - broken down into taxis, private car expenses, public transport (bus and train)
Personal care - broken down into types, meals on wheels, tuck-in services, escort, buddy system, etc.
Hobbies and leisure pursuits - broken down by type allowed as an expense.
18. The Commissioner also notes the Council's view that, because of the relatively small number of cases involved, and because the expenditure in question related to the specific circumstances of each individual case, it would be possible to identify the individuals concerned even with their names omitted. The Council submitted that, even without their names, the information sought by Mr MacInnes would still be the personal data of those individuals. It considered it likely that disclosure of the information, combined with knowledge of people with disabilities in the area, would allow those individuals to be identified.
19. Recital 26 of the Directive states that, when determining whether a person is identifiable, account should be taken of all the means likely reasonably to be used to identify the data subject. Guidance entitled "Determining what is personal data [2]" which has been issued by the (UK) Information Commissioner (who is responsible for enforcing the DPA throughout the UK) states that, in considering whether a person can be identified, it should be assumed that it is not just the means reasonably likely to be used by the ordinary man in the street to identify a person, but also the means which are likely to be used by a determined person with a particular reason to want to identify the individual.
20. The Commissioner has considered the information withheld and acknowledges that it relates to a very small number of individuals and to very specific personal circumstances. In the circumstances, she accepts that information addressing Mr MacInnes's request adequately could not be provided without presenting a real risk of the individuals concerned being identified, applying the tests set out in the preceding paragraph.
21. In the specific circumstances present in this case, and taking account of all means likely reasonably to be used to identify the individuals concerned, the Commissioner is satisfied that the withheld information (taken with other information) would enable the identification of the individuals concerned. She is also satisfied, having considered the information, that it relates to those individuals, and therefore that it is their personal data.
22. As the personal data relate to the individuals' physical or mental health or condition, the Commissioner is satisfied that they are sensitive personal data as defined in section 2(e) of the DPA.
23. Having concluded that the information comprises sensitive personal data, the Commissioner has gone on to consider whether disclosure of the information would breach the first data protection principle.
Would disclosure breach the first data protection principle?
24. Personal data is not exempt from disclosure under FOISA simply because it is personal data. It will, however, be exempt from disclosure in line with section 38(1)(b) (as read with section 38(2)(a)(i) or (b)) if disclosure to a member of the public, otherwise than under FOISA, would contravene one or more of the data protection principles.
25. The Council argued that disclosure of the personal data would breach the first data protection principle. This principle states that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met and, in the case of sensitive personal data, at least one of the conditions in Schedule 3 to the DPA is also met. Given that the conditions in Schedule 3 are, intentionally, much more stringent than those in Schedule 2, the Commissioner considers it appropriate to look at these first.
26. The conditions listed in Schedule 3 to the DPA have been considered by the Commissioner, as have the additional conditions for processing sensitive personal data contained in legislation such as the Data Protection (Processing of Sensitive Personal Data) Order 2000[3].
27. In guidance issued by the Commissioner regarding the exemption in section 38(1)(b)[4], it is noted that the conditions in Schedule 3 are very restrictive in nature and, as a result, generally only the first and fifth conditions are likely to be relevant when considering a request for sensitive personal data under FOISA.
28. Condition 1 allows processing where the data subject has given explicit (and fully informed) consent to the processing (which in this case would be disclosure in response to Mr MacInnes's request). Condition 5 allows processing where information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.
29. Having considered these conditions, the Commissioner has concluded that it would not be reasonable or appropriate to seek consent from the data subjects for the release of the information. The Commissioner has therefore concluded that condition 1 could not be met in this case. She is also satisfied that none of the information under consideration has been made public as a result of steps deliberately taken by the data subjects, and so condition 5 could not be met in this case.
30. Having reached these conclusions, and also finding that no other condition in Schedule 3 is applicable in the circumstances of this case, the Commissioner finds that there are no conditions in Schedule 3 which would permit disclosure of the sensitive personal data under consideration here.
31. As the Commissioner is satisfied that there are no conditions in Schedule 3 to the DPA which would permit disclosure, she is not required to consider whether disclosure would be permitted by any of the conditions in Schedule 2 to the DPA.
32. In the absence of a condition permitting it, the Commissioner also finds that disclosure of the withheld sensitive personal data would be unfair. In the absence of such a condition, disclosure would also be unlawful. Disclosure would therefore contravene the first data protection principle, and consequently the Commissioner finds that the information is exempt from disclosure under section 38(1)(b) of FOISA.
33. The Commissioner therefore finds that the Council was entitled to withhold the information requested by Mr MacInnes under section 38(1)(b) of FOISA.
DECISION
The Commissioner finds that South Lanarkshire Council complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by Mr MacInnes.
Appeal
Should either Mr MacInnes or South Lanarkshire Council wish to appeal against this decision, there is an appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.
Margaret Keyse
Head of Enforcement
30 July 2013
Appendix
Relevant statutory provisions
Freedom of Information (Scotland) Act 2002
1 General entitlement
(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.
?
(6) This section is subject to sections 2, 9, 12 and 14.
2 Effect of exemptions
(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that-
(a) the provision does not confer absolute exemption; and
?
(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -
?
(e) in subsection (1) of section 38 -
?
(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.
38 Personal information
(1) Information is exempt information if it constitutes-
?
(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;
?
(2) The first condition is-
(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-
(i) any of the data protection principles; or
?
(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.
?
(5) In this section-
"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;
"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;
?
Data Protection Act 1998
1 Basic interpretative provisions
(1) In this Act, unless the context otherwise requires -
?
"personal data" means data which relate to a living individual who can be identified -
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;
?
2 Sensitive personal data
In this Act "sensitive personal data" means personal data consisting of information as to-
?
(e) [the data subject's] physical or mental health or condition.
?
Schedule 1 - The data protection principles
Part I - The principles
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
?
Schedule 3 - Conditions relevant for purposes of the first principle: processing of sensitive personal data
1. The data subject has given his explicit consent to the processing of the personal data.
?
5. The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.
?
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
Recital 26
Whereas the principles of protection must apply to any information concerning an identified or identifiable person; whereas, to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person; whereas the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable ?
[1] http://www.publications.parliament.uk/pa/ld200708/ldjudgmt/jd080709/comm-1.htm
[2] ttp://www.ico.gov.uk/~/media/documents/library/Data_Protection/Detailed_specialist_guides/
PERSONAL_DATA_FLOWCHART_V1_WITH_PREFACE001.ashx
[3] http://www.legislation.gov.uk/uksi/2000/417/pdfs/uksi_20000417_en.pdf
[4] Http://www.itspublicknowledge.info/Law/FOISA-EIRsGuidance/section38.aspx
