Home Decisions

Decision 156/2018

Decision 156/2018: Israel and Palestine Learning and Teaching Resource

Public authority: Glasgow City Council
Reference No: 201800679

Summary

The Council was asked for information regarding the Israel and Palestine Learning and Teaching Resource. It disclosed some information but it withheld some personal data.

During the investigation, the Council acknowledged that it should have disclosed some of the information it had withheld, and it disclosed a password. The Council also indicated that it was willing to disclose several other pieces of information that it had wrongly withheld under section 38(1)(b) of FOISA.

The Commissioner found that the Council had correctly withheld the remainder of the information under section 38(1)(b) of FOISA and that no further information was held by the Council. The Commissioner requires the Council to disclose the information that it wrongly withheld.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2)(a)(i), (2)(b) and (5) (definitions of "data protection principles", "data subject" and "personal information") (Personal information)

Data Protection Act 1998 (the DPA 1998) sections 1(1) (Basic interpretative provision) (definition of personal data); Schedules 1 (The data protection principles, Part 1 - the principles) (the first data protection principle); 2 (Conditions relevant for purposes of the first principle: processing of any personal data (conditions 1 and 6))

Data Protection Act 2018 (the DPA 2018) Schedule 20 (Transitional provision etc - paragraph 56)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 12 November 2017, X made the following request for information to Glasgow City Council (the Council):

"In relation to the Israel-Palestine Learning & Teaching Resource and any involvement of Glasgow City Council and the City Council's education department with organisations and individuals external to the City Council, the following information is requested:

(i) Details of all meetings on or after 11 February 2017 to the present day. This should include dates, names of individuals, and organisations represented, and any actions undertaken arising from decisions taken at the meetings.

(ii) Copies of all correspondence/emails from April 2017 to the present day.

(iii) Copies of all correspondence/emails to [a named person] to the present day.

In relation to the progress of the Israel-Palestine Learning & Teaching Resource details of all meetings involving Councillors and officers of the Council is requested. This should include dates, names and designations of those present and include any actions undertaken arising from the meetings."

2. The Council responded on 11 December 2017. It provided X with some information, but it withheld other information under section 38(1)(b) of FOISA, as it comprised the personal data of third parties.

3. On 4 January 2018, X wrote to the Council requesting a review of its decision on the basis that it had failed to respond to part (iii) of their information request and that information was also missing from the response to parts (i) and (ii) of their request.

4. The Council notified X of the outcome of its review on 24 January 2018. It explained that additional searches had been carried out and no further information was identified. The Council upheld the decision to withhold some information under section 38(1)(b) of FOISA..

5. On 15 April 2018, X applied to the Commissioner for a decision in terms of section 47(1) of FOISA. X were dissatisfied with the outcome of the Council's review because they believed that the information supplied was incomplete and that part (iii) of their request had been ignored. X later asked the Commissioner to challenge the Council's reliance on section 38(1)(b) of FOISA to withhold information.

Investigation

6. The application was accepted as valid. The Commissioner confirmed that X made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

7. On 14 May 2018, the Council was notified in writing that X had made a valid application. The Council was asked to send the Commissioner the information withheld from X. The Council provided the information and the case was allocated to an investigating officer.

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Council was invited to comment on this application and answer specific questions including justifying its reliance on any provisions of FOISA it considered applicable to the information requested.

Commissioner's analysis and findings

9. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both X and the Council. He is satisfied that no matter of relevance has been overlooked.

The withheld information

10. The Council withheld information under section 38(1)(b) of FOISA, on the grounds that it was personal data of third parties or members of staff below Grade 9, and disclosure would breach the data protection principles in Schedule 1 to the DPA 1998. The Council withheld the names, job titles and contact details of individuals. A password also appeared to have been withheld under this exemption, along with a generic job title and some comments in document 7.

11. During the investigation, the Commissioner questioned why the Council was withholding all of this information under section 38(1)(b) of FOISA. Some of the individuals held quite senior posts; one of the withheld the job titles was generic (and did not appear to identify a living individual); the comments on document 7 appeared to be innocuous; and he queried whether the password was personal data should have been withheld under section 38(1)(b) of FOISA.

12. In response, the Council agreed to withdraw its reliance on section 38(1)(b) of FOISA to withhold the information relating to senior individuals, as well as the generic job title and the comments made in document 7.

13. The Council subsequently argued that the password was exempt under section 30(b) of FOISA (Prejudice to effective conduct of public affairs). The Commissioner contacted the applicant to advise X of this change of exemption and X provided the Commissioner with evidence that they had already obtained the password from another Scottish public authority, prior to making this information request. The Council was notified of this fact and it decided to withdraw its reliance on section 30(b) of FOISA; it disclosed the password to X.

14. The Commissioner finds that the Council wrongly applied section 38(1)(b) to the information described in paragraph 10, specifically the names, job titles and contact details of individuals, along with a password, a generic job title and some comments in document 7. He requires it to disclose the names of two senior individuals, the generic job title, and the limited comments in document 7 to X (noting that the Council has now withdrawn its reliance on section 38(1)(b) to withhold this information). Given that the Council has disclosed the password to X, he does not require it to take any action in relation to this information.

Information held by the Council

15. In their application to the Commissioner, X expressed dissatisfaction with the information provided to them by the Council. In particular, the X argued that the information was incomplete and that the Council had not responded to part (iii) of their information request.

16. The Council submitted that it had responded to all parts of the X's request for information, including part (iii), but that it had redacted the name and contact details of the person named in part (iii) under section 38(1)(b) of FOISA. The Council submitted that the named person had not given consent for his personal data to be disclosed and disclosure would have breached the privacy rights of the named individual. The Council recognised that it had not explicitly referred to part (iii) of the request in its responses to the X.

17. The Council explained that two Council officers were consulted in relation to the request: the Executive Director of Education (the Director) and the International Officer (the Officer). Both of these employees conducted searches for correspondence relating to this request. The Officer had not had any contact with the person named in part (iii) of the information request and so she had not conducted any searches for that person's name. The Director had had contact with the named individual, and so she had carried out searches. The results of those searches were disclosed to the X (with personal data redactions).

18. The Council noted that the Director had conducted searches of her Outlook Calendar as well as all of her Outlook mailboxes for relevant search terms, and the Council provided a list of the search terms used. The Commissioner reviewed the search terms used by the Director and, while he considered that the terms were reasonable, he felt that there were other search terms that might also locate relevant information. The Council was asked to conduct additional searches, using the search terms suggested by the Commissioner.

19. In response, the Council explained why it had used the specific search terms it had identified and why it was satisfied that these terms would have retrieved all relevant information. The Council then went on to conduct the searches suggested by the Commissioner and confirmed that no additional information was identified as a result of these searches. The Council provided the Commissioner with copies of emails which evidenced its submission that no further information was located.

20. The Commissioner has considered all of the submissions provided by the Council and the X. He is satisfied that the Council did provide X with information falling within the scope of part (iii) of their request. He acknowledges that this was not made clear to X for data protection reasons. The Commissioner understands why the Council did not indicate which particular documents were provided in response to part (iii) of X's information request, but he considers that its actions were responsible for X's belief that this part of their request had not been addressed. It would have been helpful to X if the Council had explained the approach it was taking, in relation to part (iii) of the request.

21. Having reviewed all of the unredacted documents, the Commissioner is satisfied that the Council responded to all parts of the X's request for information.

22. The Commissioner has also considered the searches that have been undertaken by the Council, those that were carried out in response to the original request and request for review and those that were carried out at his instigation. He considers the searches to be thorough and he accepts that, on the balance of probabilities, the Council does not hold any further information that falls within the scope of X's request for information.

23. The Commissioner will now go on to consider the information that has been withheld from X under section 38(1)(b) of FOISA.

Section 38(1)(b) of FOISA (Personal information)

24. The Council withheld names, job titles and contact details under section 38(1)(b) of FOISA.

Data Protection Act 2018 (Transitional provisions)

25. On 25 May 2018, the DPA 1998 was repealed by the DPA 2018. The DPA 2018 amended section 38 of FOISA and also introduced a set of transitional provisions which set out what should happen where a public authority dealt with an information request before FOISA was amended on 25 May 2018, but where the matter is being considered by the Commissioner after that date.

26. In line with paragraph 56 of Schedule 20 to the DPA 2018 (see Appendix 1), if an information request was dealt with before 25 May 2018 (as is the case here - the review response was issued on 24 January 2018), the Commissioner must consider the law as it was before 25 May 2018 when determining whether the authority dealt with the request in accordance with Part 1 of FOISA.

27. Paragraph 56 of Schedule 20 goes on to say that, if the Commissioner concludes that the request was not dealt with in accordance with Part 1 of FOISA (as it stood before 25 May 2018), he cannot require the authority to take steps which it would not be required to take in order to comply with Part 1 of FOISA on or after 25 May 2018.

28. The Commissioner will therefore consider whether the Council was entitled to apply the exemption in section 38(1)(b) of FOISA under the old law. If he finds that the Council was not entitled to withhold the information under the old law, he will only order the Council to disclose the information if disclosure would not now be contrary to the new law.

The exemption

29. Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or, as appropriate, section 38(2)(b), exempts information from disclosure if it is "personal data" (as defined in section 1(1) of the DPA 1998) and its disclosure would contravene one or more of the data protection principles set out in Schedule 1 to the DPA 1998.

30. The exemption in section 38(1)(b) of FOISA is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

31. In order to rely on this exemption, the Council must show that the information being withheld is personal data for the purposes of the DPA 1998 and that its disclosure into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles to be found in Schedule 1 to the DPA 1998. The Council argued that disclosure of the information would breach the first data protection principle.

Is the withheld information personal data?

32. "Personal data" are defined in section 1(1) of the DPA 1998 as "data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller" (the full definition is set out in Appendix 1).

33. The Council submitted that disclosure of the withheld information would identify a living individual as it consisted of the names, contact details and job titles of living individuals.

34. Having considered the submissions received from the Council and the withheld information, the Commissioner accepts the arguments put forward by the Council, and is satisfied that the withheld information contains the personal data of identifiable living individuals. Consequently, the Commissioner accepts that the information is personal data, as defined by section 1(1) of the DPA 1998.

Would disclosure of the personal data contravene the first data protection principle?

35. In its submissions, the Council argued that disclosure of the withheld personal data would contravene the first data protection principle, which requires that personal data are processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 to the DPA 1998 is met.

36. It appears to the Commissioner that conditions 1 and 6 in Schedule 2 are the only ones which might permit disclosure of the personal data to X. In any event, neither X nor the Council have suggested that any other condition would be relevant.

37. Condition 1 allows personal data to be processed if the data subject has given their consent to the processing. In this particular case, the Council has not asked all of the data subjects for consent as they number in excess of 50 individuals. The Council did ask the individual named in part (iii) of the request if they would consent to their information being disclosed in response to X's information request. The Commissioner notes that the named person has not given consent, which means that condition 1 of Schedule 2 cannot be met, in relation to any of the withheld personal data.

38. Condition 6 allows personal data to be processed if that processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

39. There are a number of different tests which must be satisfied before condition 6 can be met. These are:

(i) Does X have a legitimate interest or interests in obtaining the personal data?

(ii) If so, is the disclosure necessary to achieve those legitimate interests? In other words, is the processing proportionate as a means and fairly balanced as to ends, or could these interests be achieved by means which interfere less with the privacy of the data subjects?

(iii) Even if the processing is necessary for X's legitimate interests, would the disclosure nevertheless cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects?

40. There is no presumption in favour of disclosure of personal data under the general obligation laid down by section 1(1) of FOISA. The legitimate interests of X must outweigh the rights and freedoms or legitimate interests of the data subjects before condition 6 will permit the personal data to be disclosed. If the two are evenly balanced, the Commissioner must find that the Council was correct to refuse to disclose the personal data to X.

Does X have a legitimate interest in obtaining the personal data?

41. There is no definition in the DPA of what constitutes a "legitimate interest." The Commissioner takes the view that the term indicates that matters in which an individual properly has an interest should be distinguished from matters about which he or she is simply inquisitive. The Commissioner's guidance on section 38 of FOISA[1] states:

In some cases, the legitimate interest might be personal to the applicant - e.g. he or she might want the information in order to bring legal proceedings. With most requests, however, there are likely to be wider legitimate interests, such as the scrutiny of the actions of public bodies or public safety.

42. X argued that the withheld information should be disclosed as the correspondence they are seeking is between the Director and representatives, officials, or spokespersons of political lobby groups and/or community groups adopting the role of political lobbyists. X argued that while it may seem that the Director was corresponding with third parties whose data is eligible for redacting, the reality is that she was corresponding with groups which sought to influence her professional decisions. X argued that these groups have no entitlement to the exemption being cited.The Council acknowledged that X may have a legitimate interest in obtaining information about the Israel Palestine Teaching and Learning Resource, but it argued that condition 6 of Schedule 2 to the DPA was not met, in relation to the information withheld under section 38(1)(b) of FOISA.

43. The Commissioner has considered the views of both parties and he is satisfied that X have a legitimate interest in information which would enable them to understand the discussions that the Council have had with third party groups regarding the Israel and Palestine Learning and Teaching Resource.

Is the processing necessary for the purposes of these interests?

44. In reaching a decision on this, the Commissioner must consider whether X's legitimate interests might reasonably be met by any alternative means.

45. The Council argued that X's legitimate interest in obtaining information about the Israel Palestine Teaching and Learning Resource had already been satisfied by the information provided in its original response, in which only limited redactions (of personal data) were made. The Council contended that disclosure of the withheld names, job titles and contact details was not necessary to achieve X's legitimate interests.

46. Having considered all relevant arguments carefully, the Commissioner accepts that the information provided to X in the Council's response to their request goes some way to fulfil their legitimate interests. However, the Commissioner is satisfied that the withheld personal data would give X a clearer understanding of the parties who have had contact with the Council regarding the Israel Palestine Teaching and Learning Resource and what views had been expressed. The Commissioner notes that the content of the emails and other documents have been disclosed to X, but that does not permit them to know which parties voiced which views to specific Council employees.

47. The Commissioner finds that, in the circumstances of this case, X's legitimate interests could not reasonably be met by alternative means. He is satisfied that disclosure of the personal data is necessary to meet X's legitimate interests.

Would disclosure cause unwarranted prejudice to the legitimate interest of the data subjects?

48. As the Commissioner is satisfied that disclosure of the withheld personal data would be necessary to fulfil X's legitimate interests, he is now required to consider whether that disclosure would nevertheless cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects. As noted above, this involves a balancing exercise between the legitimate interests of X and those of the data subjects. Only if the legitimate interests of X outweigh those of the data subjects can the information be disclosed without breaching the first data protection principle.

49. The Commissioner must approach this balancing exercise on the basis that disclosure under FOISA is disclosure to the world at large and not simply to X.

50. As noted above, there were over 50 individuals whose personal details have been withheld from X. The Council submitted that some of the individuals are employees of the Council or are members of external organisations. The Council noted that X appears to be specifically concerned with correspondence involving the named person in part (iii) of their request for information.

51. The Council noted that the named person has explicitly advised that they do not consent to their personal data being disclosed in response to this request. In particular, the named individual has raised security concerns if this information was released into the public domain. The Council provided the Commissioner with an email from the named person in which they set out their concerns and their opposition to disclosure.

52. The Council argued that disclosure of the information would be unwarranted by reason of prejudice to the rights and freedoms of all the individuals concerned. It reiterated its view that disclosure is not necessary to meet X's legitimate interests and argued that X's legitimate interests do not outweigh those of the data subjects. The Council noted that it is not withholding all of the personal data contained in the documents.

53. The Commissioner accepts that the person named in part (iii) of the request has made it clear to the Council that they do not want their personal data disclosed in response to a FOI request, and provided the Council with these views after being asked if they would consent to their details being disclosed. In the circumstances, the Commissioner considers that the named person has a reasonable expectation that the Council will protect their personal data. After giving weight to the arguments about potential harm to the rights and privacy of the data subject, and having balanced the legitimate interests of the data subject against those of X, the Commissioner is satisfied that any legitimate interests served by disclosure of the personal data would not outweigh the unwarranted prejudice to the rights and freedoms or legitimate interests of the data subject.

54. Having accepted that disclosure of the withheld personal data would lead to unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects, as described above, the Commissioner must also conclude that its disclosure would be unfair. As none of the conditions in Schedule 2 to the DPA 1998 can be met in relation to the personal data of the named person, the Commissioner has concluded that disclosure would be unlawful. He has concluded that this information was correctly withheld under section 38(1)(b) of FOISA.

55. In relation to the personal data of the other data subjects, the Commissioner notes that the other individuals are relatively junior Council employees or belong to third party organisations, groups or individuals. In all cases, the Commission has balanced the legitimate interests of the data subjects against those of X, and he finds that any legitimate interests served by disclosure of the withheld personal data would not outweigh the unwarranted prejudice that would result in this case to the rights and freedoms or legitimate interests of the individuals in question. Again, having accepted that disclosure of the withheld personal data would lead to unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects, as described above, the Commissioner must also conclude that its disclosure would be unfair.

56. In the circumstances of this particular case, the Commissioner concludes that condition 6 in Schedule 2 to the DPA cannot be met in relation to the remaining withheld personal data, and that the information was correctly withheld under section 38(1)(b) of FOISA.

57. The Commissioner notes that the Council has also argued that some of the personal data it was withholding is sensitive personal data. As the Commissioner has determined that there is no condition in Schedule 2 to the DPA to permit disclosure of any of the personal data, he is not required to consider whether there is any condition in Schedule 3 to the DPA that would permit disclosure of the sensitive personal data.

58. As noted above, the Council has accepted that some personal data was wrongly withheld under section 38(1)(b). The Commissioner now requires disclosure of that information.

Decision

The Commissioner finds that Glasgow City Council (the Council) partially complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by X.

The Commissioner finds that the Council was entitled to withhold some personal data under section 38(1)(b) of FOISA.

However, by wrongly withholding other information under section 38(1)(b) of FOISA, the Council failed to comply with section 1(1) of FOISA.

The Commissioner therefore requires the Council to provide X with the information described in paragraph 10, by 23 November 2018.

Appeal

Should either X or Glasgow City Council wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Enforcement

If the Council fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that the Council has failed to comply. The Court has the right to inquire into the matter and may deal with the Council as if it had committed a contempt of court.

Margaret Keyse
Head of Enforcement

9 October 2018

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

Data Protection Act 1998

Basic interpretative provisions

In this Act, unless the context otherwise requires -

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

Schedule 1 - The data protection principles

Part I - The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

Schedule 2 - Conditions relevant for purposes of the first principle: processing of any personal data

1 The data subject has given his consent to the processing.

6. (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

Data Protection Act 2018

Schedule 2 - Transitional provision etc

56 Freedom of Information (Scotland) Act 2002

(1) This paragraph applies where a request for information was made to a Scottish public authority under the Freedom of Information (Scotland) Act 2002 ("the 2002 Act") before the relevant time.

(2) To the extent that the request is dealt with after the relevant time, the amendments of the 2002 Act in Schedule 19 to this Act have effect for the purposes of determining whether the authority deals with the request in accordance with Part 1 of the 2002 Act.

(3) To the extent that the request was dealt with before the relevant time -

(a) the amendments of the 2002 Act in Schedule 19 to this Act do not have effect for the purposes of determining whether the authority deals with the request in accordance with Part 1 of the 2002 Act as amended by Schedule 19 to this Act, but

(b) the powers of the Scottish Information Commissioner and the Court of Session, on an application or appeal under the 2002 Act, do not include power to require the authority to take steps which it would not be required to take in order to comply with Part 1 of the 2002 Act as amended by Schedule 19 to this Act.

(4) In this paragraph -

"Scottish public authority" has the same meaning as in the 2002 Act;

"the relevant time" means the time when the amendments of the 2002 Act in Schedule 19 to this Act come into force.

[1] http://www.itspublicknowledge.info/Law/FOISA-EIRsGuidance/section38/Section38.aspx