Home Decisions

Decision 156/2019

Decision 156/2019: Comments on an investigation

Public Authority: The University of Dundee
Case Ref: 201900624

Summary

The University was asked, in the context of a specified investigation, to provide a copy of communications between committee members in arriving at the conclusions. The University refused to disclose the information under FOISA on the basis that as it was the Applicant's own personal data and therefore exempt from disclosure. The University also relied on other exemptions.

The Commissioner investigated and found that the University was entitled to withhold the information in terms of FOISA, as the Applicant's personal data. 

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(i) (Effect of exemptions); 38(1)(a) and (5) (definitions of "the GDPR", "data subject", "personal data" and "processing") (Personal information)

Data Protection Act 2018 (the DPA 2018) section 3(2), (3) and (5) (Terms relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 28 January 2019, the Applicant made a request for information to the University of Dundee (the University). The information requested was (in the context of a specified investigation) "the communication between committee members in arriving at the conclusions." In particular, the Applicant wanted any comments on the conclusions by two named persons.

2. The University responded on 20 February 2019 and withheld information under sections 30(b), 30(c), 35(1)(g), 36(2), 38(1)(a) and 38(1)(b) of FOISA.

3. On 28 February 2019, the Applicant wrote to the University requesting a review of its decision on the basis that he wished to know the opinions of external panel members on the outcome of the investigation.

4. The University notified the Applicant of the outcome of its review on 28 March 2019. The University upheld its original decision and continued to withhold the information under the same sections of FOISA.

5. On 11 April 2019, the Applicant applied to the Commissioner for a decision in terms of section 47(1) of FOISA. The Applicant was dissatisfied with the outcome of the University's review because the investigation concerned him and he believed he had a right to know who said what in a crucial decision.

Investigation

6. The application was accepted as valid. The Commissioner confirmed that the Applicant made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

7. On 23 May 2019, the University was notified in writing that the Applicant had made a valid application. The University was asked to send the Commissioner the information withheld from the Applicant. The University provided the information and the case was allocated to an investigating officer.

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The University was invited to comment on this application and to answer specific questions.

Commissioner's analysis and findings

9. In coming to a decision on this matter, the Commissioner considered all the withheld information and the relevant submissions, or parts of submissions, made to him by both the Applicant and the University. He is satisfied that no matter of relevance has been overlooked.

Section 38 - Personal information

10. Section 38(1)(a) of FOISA contains an absolute exemption in relation to personal data of which an applicant is the data subject. The fact that it is absolute means that it is not subject to the public interest test set out in section 2(1) of FOISA.

11. This exemption exists under FOISA because individuals have a separate right to make a request for their own personal data under the General Data Protection Regulation (the GDPR). This route is more appropriate for individuals accessing their personal data, as it ensures that it is disclosed only to the individual. As stated by the University in its correspondence with the Applicant, information disclosed under FOISA is considered to be disclosed into the public domain. Section 38(1)(a) does not deny individuals a right to access information about themselves, but ensures that the right is exercised under the correct legislation (the GDPR) and not under FOISA.

12. Personal data are defined in section 3(2) of the DPA 2018 which, read with section 3(3), incorporates the definition of personal data in Article 4(1) of the GDPR:

"… any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"

13. The definition of personal data is also set out in full in Appendix 1.

Is the information the Applicant's personal data?

14. The University submitted that that the correspondence could comprise the Applicant's personal data. The University explained that the Applicant was the focus of the investigation and that the investigation concerned a matter with potentially significant outcomes for the Applicant. Therefore, the information was exempt under section 38(1)(a) as the Applicant's own personal data.

15. The University noted that it had considered the request as a subject access request under Article 15 of the GDPR.

16. The Commissioner has carefully considered the information that falls within the scope of the Applicant's request and the submissions received. It is apparent that the information in question relates to an investigation concerning the Applicant directly. It is also apparent that the Applicant can be identified from the information and, in the circumstances, the Commissioner is satisfied that the information is entirely the Applicant's own personal data. That being the case, the Commissioner finds that the University was entitled to withhold the information under section 38(1)(a) of FOISA.

17. As the Commissioner has upheld the application of section 38(1)(a) of FOISA, he is not required to go on to consider the other exemptions applied by the University.

18. As stated in previous decisions, the Commissioner's remit extends only to the consideration of whether a Scottish public authority has complied with Part 1 of FOISA in responding to a request. The Commissioner cannot comment on whether a Scottish public authority should provide information to an applicant under any other rights or legislation. The Applicant has been advised that it is the UK Information Commissioner's Office (the ICO) which is responsible for the DPA and, should it be necessary, that he can make contact with the ICO in order to seek advice in relation to access to his personal data.

Decision

The Commissioner finds that the University of Dundee complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by the Applicant.

Appeal

Should either the Applicant or the University wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Daren Fitzhenry
Scottish Information Commissioner
28 October 2019

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(i) paragraphs (a), (c) and (d); and

38 Personal information

(1) Information is exempt information if it constitutes-

(a) personal data of which the applicant is the data subject;

(5) In this section-

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

"the GDPR", "personal data", "processing" and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4), (10), (11) and (14) of that Act);

Data Protection Act 2018

3 Terms relating to the processing of personal data

(2) "Personal data" means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

(3) "Identifiable living individual" means a living individual who can be identified, directly or indirectly, in particular by reference to -

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

(5) "Data subject" means the identified or identifiable living individual to whom personal data relates.