Decision 159/2019

Decision 159/2019: Investigation carried out under Grievance Procedures

Public authority: Fife Council
Reference No: 201900540

Summary

The Council was asked about an investigation and fact finding exercises carried out following a complaint. The Council refused to disclose the information under a number of exemptions in FOISA.

Following investigation, the Commissioner was satisfied that the Council had complied with FOISA. The information was personal data which, in this case, was exempt from disclosure.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(b) (Effect of exemptions); 38(1)(a) and (b), (2A)(a), (5) (definitions of "the data protection principles", "data subject", "the GDPR", "personal data" and "processing") and (5A) (Personal information)

General Data Protection Regulation (the GDPR) Articles 4(1) and (11) (Definitions); 5(1)(a) (Principles relating to processing of personal data); 6(1)(a) and (f) (Lawfulness of processing); 10 (Processing of personal data relating to criminal convictions and offences); 15(1) (Right of access by the data subject)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5) and (10) (Terms relating to the processing of personal data); 10(4) and (5) (Special categories of personal data and criminal convictions etc data); 11(2)(a) (Special categories of personal data etc: supplementary)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 10 December 2018, the Applicants made a request for information to Fife Council (the Council). The information requested was:

All documents (including witness statements) of the recent investigation carried out by [named Council staff] relating to a [specific incident].

All documents relating to the two "fact finding exercises" carried out by [named Council staff] following the initial report of the [specific incident] mentioned in point 1.

2. The Council responded on 19 December 2018. It advised the Applicants that it was withholding the information under sections 36(2) (Confidentiality), 38(1)(b) (Personal information) and 34(1) (Investigations by Scottish public authorities and proceedings arising out of such investigations) of FOISA.

3. On 17 January 2019, the Applicants wrote to the Council requesting a review of its decision, submitting that personal data could be redacted from the information held and that the exemptions in sections 36(2) and 34(1) of FOISA did not apply in the circumstances.

4. The Council notified the Applicants of the outcome of its review on 13 February 2019. It upheld the original decision. It advised that section 38(1)(b) of FOISA was engaged as disclosure would breach the data protection principles in Article 5(1) of the GDPR, noting that a summary of the outcome of the enquiry had been provided to them at the time. It provided further explanation as to why it considered sections 34(1) and 36(2) of FOISA also applied.

5. On 20 March 2019, the Applicants wrote to the Commissioner. The Applicants applied to the Commissioner for a decision in terms of section 47(1) of FOISA. They stated that they were dissatisfied with the outcome of the Council's review because they disagreed with the exemptions applied by the Council and believed the public interest favoured disclosure of the information.

Investigation

6. The application was accepted as valid. The Commissioner confirmed that the Applicants made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

7. On 7 May 2019, the Council was notified in writing that the Applicants had made a valid application. The Council was asked to send the Commissioner the information withheld from the Applicants. The Council provided the information and the case was allocated to an investigating officer.

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Council was invited to comment on this application and answer specific questions, with a view to explaining its reliance on any provisions of FOISA it considered applicable to the information requested.

9. In response to questions from the Commissioner, the Council submitted that all the information withheld was personal data and withheld under section 38(1)(b) of FOISA. It confirmed that it also considered the information to be exempt from disclosure under sections 34(1) and 36(2) of FOISA, providing reasons why it considered each exemption to be applicable.

Commissioner's analysis and findings

10. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both the Applicants and the Council. He is satisfied that no matter of relevance has been overlooked.

11. The Council explained that the withheld information related to specific individuals who were the subject of a complaint and subsequent investigation and also, in part, to other individuals. As such, it considered the information to be the personal data of the individuals concerned, which were (in the circumstances) exempt under section 38(1)(b) of FOISA. To the extent that it related to the Applicants, the information was also exempt under section 38(1)(a) of FOISA.

12. The Commissioner will first of all consider whether the information can properly be withheld under section 38(1)(a) and (b) of FOISA. Only where he finds that the information does not fall to be exempt under section 38 will he go on to consider the other exemptions claimed by the Council.

Section 38(1)(a) - Personal information

13. Section 38(1)(a) of FOISA contains an absolute exemption in relation to personal data of which the applicant is the data subject. (The fact that it is absolute means that it is not subject to the public interest test set out in section 2(1) of FOISA.)

14. This exemption exists under FOISA because individuals have a separate right to make a request for their own personal data under the GDPR/DPA 2018. This route is more appropriate for individuals accessing their personal data as it ensures the information is disclosed only to the individual. As submitted by the Council, disclosure under FOISA is considered disclosure into the public domain.

15. Section 38(1)(a) of FOISA does not deny individuals a right of access to information about themselves, but ensures that the right is exercised under the correct legislation (the GDPR/DPA 2018) and not under FOISA.

Is the information withheld personal data?

16. Personal data are defined in section 3(2) of the DPA 2018 which, read with section 3(3), incorporates the definition of personal data in Article 4(1) of the GDPR:

" … any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"

The definition of personal data is set out in full in Appendix 1.

17. The Commissioner has considered the information that falls within the scope of the Applicants' request and the submissions received. While the Commissioner cannot give full reasoning, as to do so would involve referencing the information that has been withheld, it is apparent that some of the information held is the personal data of the Applicants and therefore would be their own personal data as defined in section 3(2) of the DPA 2018.

18. In the circumstances, the Commissioner is satisfied that the Council was entitled to withhold that information under section 38(1)(a) of FOISA.

Section 38(1)(b) - Personal information

19. The Council submitted that the remaining information withheld related to the individuals subject to investigation or providing information for it. The Council submitted that disclosure would immediately identify, both directly and indirectly, the individuals concerned, with the result that the information constituted their personal data. It was applying section 38(1)(b) of FOISA to this information.

20. Section 38(1)(b), read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is "personal data" and its disclosure would contravene any of the data protection principles in the GDPR or in the DPA 2018.

21. The Council submitted that disclosure of the personal data would breach the first data protection principle, which requires the processing of personal data to be lawful and fair, and to be carried out in a transparent manner (Article 5(1)(a) of the GDPR).

22. The Council explained that it had a duty to conduct the required investigations in compliance with its Grievance Procedure and the information gathered for the purposes of the investigation was considered personal and confidential throughout the process. It considered that the information should not be publicly shared outwith its internal processes and release into the public domain would likely cause significant harm and distress to the individuals named within the document. The Council provided a copy of its Grievance Procedure, which clearly states that "All investigations will be carried out with sensitivity, discretion and confidentiality".

Is the information personal data?

23. The definition of personal data is set out at paragraph 16 above and, while the Commissioner cannot give full reasoning without alluding to the information that has been withheld, he accepts that the information withheld is personal data: it relates to identifiable living individuals. Given the subject matter of the request, which names individuals and makes clear their connection to the Council and the investigation in question, the withheld information would clearly relate to identifiable individuals. The Commissioner therefore accepts that the information is personal data as defined in section 3(2) of the DPA 2018.

Would disclosure contravene one of the data protection principles?

24. Article 5(1)(a) of the GDPR requires personal data to be processed "lawfully, fairly and in a transparent manner in relation to the data subject." The definition of "processing" is wide and includes (section 3(4)(d) of the DPA 2018) "disclosure by transmission, dissemination or otherwise making available". In the case of FOISA, personal data are processed when disclosed in response to a request. Personal data can only be disclosed if disclosure would be both lawful (i.e. if it would meet one of the conditions of lawful processing listed in Article 6(1) of the GDPR) and fair.

25. The Council submitted that the information held relating to the individuals subject to investigation related to allegations of a criminal nature.

Criminal offence data

26. Information relating to criminal convictions and offences is given special status in the GDPR: Article 10 makes it clear that the processing of this type of personal data can be carried out only under the control of official authority or when the processing is authorised by EU or Member State law providing for appropriate safeguards for the rights and freedoms of the data subjects. Relevant provision is to be found in section 10 of the DPA, supplemented by section 11.

27. Section 11(2)(a) of the DPA 2018 makes it clear that references to criminal convictions and offences, for the purposes of section 10 and Article 10, include personal data relating to the alleged commission of offences by the data subject.

28. Having considered the withheld information, the Commissioner accepts that some of the information withheld relates to an allegation of a criminal offence. He considers this information to be personal data covered by Article 10 of the GDPR and section 10 of the DPA ("criminal offence data").

29. Criminal offence data can only be processed if one of the stringent conditions in Parts 1 to 3 of Schedule 1 to the DPA 2018 can be met (section 10(5) of the DPA 2018).

30. The Commissioner has considered each of these conditions and whether any of them could be relied on to disclose the criminal offence data. Having done so, and having taken into account the restrictive nature of the conditions, he has concluded that they could not.

31. As noted above, the Council argued that disclosure would breach the first data protection principle (Article 5(1)(a) of the GDPR) which requires that personal data shall be processed lawfully and fairly. As none of the conditions required for processing criminal offence data are satisfied, there can be no legal basis for its disclosure. Consequently, information held by the Council relating to the criminal offence allegation is exempt from disclosure under section 38(1)(b) of FOISA.

32. The Commissioner will now consider whether the disclosure of remaining information, which is not criminal offence data, would contravene Article 5(1)(a) of the GDPR. As mentioned above, personal data can only be disclosed if disclosure would be both lawful (i.e. if it would meet one of the conditions for lawful processing listed in Article 6(1) of the GDPR) and fair.

Lawful processing: Articles 6(1)(a) and (f) of the GDPR

33. Among other questions, therefore, the Commissioner must consider if disclosure of the personal data would be lawful. In considering lawfulness, he must consider whether any of the conditions in Article 6 of the GDPR would allow the personal data to be disclosed. The Council took the view that no conditions in Article 6 applied in the circumstances of this case. The Commissioner considers conditions (a) and (f) of Article 6(1) of the GDPR to be the only conditions which could possibly apply in this case.

Condition (a): consent

34. Condition (a) states that processing will be lawful if the data subject has given consent to the processing of the data for one or more specific purposes. "Consent" is defined in Article 4 of the GDPR as:

"… any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her".

35. The Council confirmed during the investigation it did not think it appropriate to ask data subjects for their consent in such circumstances.

36. The Commissioner is satisfied that there was no requirement on the Council to seek consent to disclosure. In the absence of consent, condition (a) could not be met.

Condition (f): legitimate interest

37. Condition (f) states that processing will be lawful if it "…is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child".

38. Although Article 6 states that this condition cannot apply to processing carried out by public authorities in the performance of their tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.

39. The tests which must be met before Article 6(1)(f) can be met are as follows:

a) Do the Applicants have a legitimate interest in obtaining the personal data?

b) If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?

c) Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subjects?

40. There is no presumption in favour of the disclosure of personal data under the general obligation laid down by section 1(1) of FOISA. Accordingly, the legitimate interests of the Applicants must outweigh the rights and freedoms or legitimate interests of the data subjects before condition (f) will permit the personal data to be disclosed. If the two are evenly balanced, the Commissioner must find that the Council was correct to refuse to disclose the personal data to the Applicants.

Does the person making this request have a legitimate interest in obtaining the personal data?

41. In their application to the Commissioner, the Applicants submitted that they were unaware of the outcome of the fact finding exercises and unaware of the conclusions of the investigation. They submitted that it was in the public interest to know how Council management and its Human Resource team handled the investigation and the outcome thereof.

42. The Council submitted that it was clear from the Applicants' communication to the Council when making requests for information that they had a legitimate interest in obtaining feedback in relation to their part of the investigation. They explained that the Applicants originated the complaint and believed they should now be provided with full details of the investigation. The Council advised that the report showed their legitimate interest was considered and that information relevant to them was provided to them at that time. The Council provided details of the correspondence they provided to the Applicants at the time.

43. The Council also submitted that the information relating to the other parties was not considered to meet the interest of the Applicants, or the public interest.

44. Having considered all relevant submissions he has received on this point, along with the withheld personal data, the Commissioner accepts that the Applicants, as individuals connected to the allegations and subsequent investigation, have an interest in the investigative process and whether, in any given case, that process has been conducted fairly. In this regard, the Commissioner notes that the Council provided the Applicants, as individuals who were involved in the investigation, with a brief summary of the investigation and its outcome. He considers this explanation goes some way to satisfying any legitimate interest the Applicants might have.

45. However, the Commissioner does not accept that any legitimate interest that the Applicants have in the allegations and their investigation would extend to the personal data under consideration in this case. While he cannot comment on the specific content of the information, he does not consider information at that level of detail to be relevant to fulfilling the legitimate interest he has identified.

46. In the circumstances of this particular case, therefore, in the absence of a relevant legitimate interest, the Commissioner concludes that condition (f) in Article 6(1) of the GDPR cannot be met in relation to the withheld personal data. Disclosure would therefore be unlawful.

Fairness and transparency

47. Given the Commissioner's finding that processing would be unlawful, he is not required to go on to consider separately whether disclosure of the personal data would otherwise be fair or transparent in relation to the data subjects.

48. The Commissioner therefore finds no condition in Article 6(1) of the GDPR can be met and disclosure of the information requested would contravene Article 5(1)(a) of the GDPR. The information was therefore properly withheld under section 38(1)(b) of FOISA.

49. Given that the Commissioner has concluded that all of the information was properly withheld under section 38(1)(a) and 38(1)(b) of FOISA, he is not required to consider whether any of the withheld information was also exempt under sections 34(1) or 36(2) of FOISA.

Decision

The Commissioner finds that the Council complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by the Applicants.

Appeal

Should either the Applicants or the Council wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement

30 October 2019

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(b) in all the circumstances of the case, the public interest in disclosing the information is not outweighed by that in maintaining the exemption.

38 Personal information

(1) Information is exempt information if it constitutes-

(a) personal data of which the Applicant is the data subject;

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A));

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(5) In this section-

"the data protection principles" means the principles set out in -

(a) Article 5(1) of the GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

"the GDPR", "personal data", "processing" and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4), (10), (11) and (14) of that Act);

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

General Data Protection Regulation

Article 4 Definitions

For the purposes of this Regulation:

(1) 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

(11) 'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Article 5 Principles relating to processing of personal data

1 Personal data shall be:

a. processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency")

Article 6 Lawfulness of processing

1 Processing shall be lawful only if and to the extent that at least one of the following applies:

a. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

Article 10 Processing of personal data relating to criminal convictions and offences

Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.

Article 15 Right of access by the data subject

1 The data subject shall have the right to obtain from the controller information as to whether or not personal data concerning him or her are being processed, and where that is the case, access to the personal data and the following information:

(a) the purposes of the processing;

(b) the categories of personal data concerned;

(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

(f) the right to lodge a complaint with a supervisory authority;

(g) where the personal data are not collected from the data subject, any available information as to their source;

(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing to the data subject.

Data Protection Act 2018

3 Terms relating to the processing of personal data

(2) "Personal data" means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

(3) "Identifiable living individual" means a living individual who can be identified, directly or indirectly, in particular by reference to -

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

(4) "Processing", in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as -

(d) disclosure by transmission, dissemination or otherwise making available.

(5) "Data subject" means the identified or identifiable living individual to whom personal data relates.

(10) "The GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

10 Special categories of personal data and criminal convictions etc data

(4) Subsection (5) makes provision about the processing of personal data relating to criminal convictions and offences or related security measures that is not carried out under the control of official authority.

(5) The processing meets the requirement in Article 10 of the GDPR for authorisation by the law of the United Kingdom or a part of the United Kingdom only if it meets a condition in Part 1, 2 or 3 of Schedule 1.

11 Special categories of personal data etc: supplementary

(2) In Article 10 of the GDPR and section 10, references to personal data relating to criminal convictions and offences or related security measures include personal data relating to -

(a) the alleged commission of offences by the data subject, or