Decision 160/2008 Alistair Alford and Culture and Sport Glasgow

Experience and qualifications of an employee

Reference No: 200800555
Decision Date: 19 December 2008

Summary

Mr Alford requested details of a named employee's experience and qualifications from Culture and Sport Glasgow (CSG). CSG responded by informing Mr Alford that any information it held was exempt in terms of section 38(1)(b) of the Freedom of Information (Scotland) Act 2002, given that the information was personal data and that it would breach the data protection principles to disclose the information.

Following an investigation, the Commissioner found that the information should be released.Given the role played by the employee, the Commissioner found that the disclosure of the information was justified and that the disclosure would not breach the data protection principles.

Relevant statutory provisions and other sources

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) (General entitlement); 2(1), (2)(e) (Effect of exemptions) and 38(1)(b), (2)(a)(i) and (b) (Personal information)

Data Protection Act 1998 (DPA): section 1(1) (Basic interpretative provisions) (definition of "personal data"); Schedule 1 The data protection principles, Part I The principles (the first, second and sixth data protection principles) and Part II (Interpretation of the principles in Part I) (paragraphs 5, 6, and 8) and Schedule 2 (Conditions relevant for purposes of the first principle: processing of any personal data) (condition 6(1))

The full text of each of the statutory provisions cited above is reproduced in the Appendix to this decision. The Appendix forms part of this decision.

Background

1.On 21 February 2008, Mr Alford wrote to CSG requesting that he be notified of a named employee's experience with regard to previous positions and qualifications gained in this and other countries.

2.CSG responded on 27 February 2008, indicating that the information it held was exempt from disclosure in terms of section 38(1)(b) as the information was personal data and release would breach the data protection principles contained in the DPA.

3.On 2 March 2008, Mr Alford wrote to CSG requesting a review of its decision.

4.CSG notified Mr Alford of the outcome of its review on 20 March 2008 and upheld its decision to withhold the information in terms of section 38(1)(b) of FOISA.

5.On 16 April 2008, Mr Alford wrote to the Commissioner, stating that he was dissatisfied with the outcome of CSG's review and applying to him for a decision in terms of section 47(1) of FOISA.

6.The application was validated by establishing that Mr Alford had made a request for information to a Scottish public authority (i.e. CSG) and had applied to the Commissioner for a decision only after asking that authority to review its response to his request.

Investigation

7.On 5 May 2008, CSG was notified in writing that an application had been received from Mr Alford and was asked to provide the Commissioner with the information which it had withheld from Mr Alford. CSG responded with the information requested and the case was then allocated to an investigating officer.

8.CSG provided the information withheld from Mr Alford to the Commissioner, not all of which fell within the scope of Mr Alford's request.The Commissioner is satisfied that only part of this information falls within the scope of the request and it is this information that he will focus on in this Decision Notice.

9.Along with the documents which had been withheld from Mr Alford, CSG provided reasons as to why the information had been withheld.

10.The investigating officer subsequently contacted CSG, providing it with a further opportunity to provide comments on the application and asking it to respond to specific questions. In particular, CSG was asked to provide further reasoning as to why it considered that the first data protection principle would be breached by the disclosure of the information and, in particular, why it did not consider that the processing of the information would be allowed by virtue of condition 6 of schedule 2 to the DPA.CSG were also given the opportunity to comment as to why it considered that release of the information would also breach the second and sixth data protection principles.

Commissioner's analysis and findings

11.In coming to a decision on this matter, the Commissioner has considered all of the information and the submissions that have been presented to him by both Mr Alford and the CSG and is satisfied that no matter of relevance has been overlooked.

Submissions by CSG

12.CSG stated that the requested information is personal data as defined by the DPA.It is held within the employee's personnel file. CSG argued that release would breach the first, second and sixth data protection principles (which respectively require personal data to be processed fairly and lawfully, be obtained only for a specific and lawful purpose and be processed in accordance with the rights of the data subject) and as such was exempt in terms of section 38(1)(b) of FOISA.

13.In its response, CSG acknowledged that in the interests of openness, transparency and accountability, senior managers are, on occasion, obliged to make information of a personal nature publicly available due to the public profile which their post carries. CSG, however, argue that this particular employee's position is considered to be junior to middle management within the CSG and there is therefore no requirement to release the information requested to the general public.

14.CSG advised that it had taken account of one of the Commissioner's previous decisions, Decision 049/2008 Mr Jim Roberts and East Ayrshire Council, in which he held that a local authority had been correct to withhold the type of information sought by Mr Alford as disclosure would breach the first data protection principle.CSG also argued that information included in an application form submitted to a specific organisation in response to a job advertisement, such as qualifications obtained, is supplied in the expectation that it will be seen by only those involved in the recruitment process and that applicants would not normally expect this information to appear subsequently in the public domain. CSG states that it adheres to a recognised recruitment and selection process and, as such, will have taken the employee's previous experience and qualifications into account during the appointment process.

15.CSG indicated that it had also taken into account the employee's view that the information should not be released.

Submissions by Mr Alford

16.During the investigation, Mr Alford was asked by to provide specific submissions on the first data protection principle.His submissions are referred to below.

Application of the 38(1)(b) exemption

17.Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or (2)(b) (as appropriate) exempts personal data from release if its disclosure to a member of the public otherwise than under FOISA would contravene any of the data protection principles.As noted above, CSG believe that disclosure of the information would breach the first, second and sixth data protection principles.

18.In considering the application of this exemption, the Commissioner will therefore first consider whether the information in question is personal data as defined in section 1(1) of the DPA and, if it is, whether he is satisfied that disclosure of the information would breach the first, second and sixth data protection principles.The Commissioner will also consider whether any of the information is sensitive personal data as defined in section 2 of the DPA and, if it is, the implications of its status as sensitive personal data for the application of the first data protection principle.

19.It must be borne in mind that this particular exemption (i.e. section 38(1)(b) read in conjunction with section 38(2)(a)(i) or (b)) is an absolute exemption.This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

Is the information under consideration personal data?

20."Personal data" is defined in section 1(1) of the DPA as "data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual."

21.The Commissioner is satisfied that details of an identifiable, living individual's professional qualifications and experience fall within the definition of personal data.The information is biographical in relation to the individual in question, in that it describes the qualifications and experience of an individual prior to their appointment in a particular role (some or all of which may have contributed to that appointment).It is clear in this case that the employee is the focus of the information.

22.The Commissioner has considered whether any of the personal data in question is sensitive personal data as defined by section 2 of FOISA, given its relevance to the first data protection principle. He is satisfied that none of the personal data is sensitive personal data.

23.The Commissioner will therefore go on to consider whether he is satisfied that disclosure of the information would breach the first, second or sixth data protection principles.

The first data protection principle

24.The first data protection principle states that personal data shall be processed fairly and lawfully.It also states that it shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met and, in the case of sensitive personal data, at least one of the conditions in Schedule 3 of the DPA is also met.As noted above, the Commissioner is satisfied that the information is not sensitive personal data and so he is not required to consider whether any of the conditions in Schedule 3 to the DPA can be met.

25.The Commissioner considers that only condition 6(1) of Schedule 2 of the DPA might be considered to apply in this case.Condition 6(1) allows personal data to be processed (in this case, disclosed in response to Mr Alford's information request made under section 1(1) of FOISA) if the disclosure of the data is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case (which emphasises the need to treat each case on its own facts and circumstances) by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

26.There are, therefore, a number of tests which must be met before condition 6(1) can apply. These are:

Does Mr Alford have a legitimate interest in having this personal data?

If so, is the disclosure necessary to achieve those legitimate aims?(In other words, is disclosure proportionate as a means and fairly balanced as to ends or could these legitimate aims be achieved by means which interfere less with the privacy of the data subject?

Even if disclosure is necessary for the legitimate purposes of the applicant, would disclosure nevertheless cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subject?This will involve a balancing exercise between the legitimate interests of Mr Alford and those of the data subject.Only if the legitimate interests of Mr Alford outweigh those of the data subject can the personal data be disclosed.

27.Mr Alford was asked by the Commissioner to specify why he considered that he had a legitimate interest in knowing the qualifications, etc. of the employee in question.He commented with reference to the specific role played by the employee, and to the fact that parents have a legitimate interest in satisfying themselves in relation to the role of that employee, who may occasionally have to act in loco parentis.Given the responsibility placed on this specific employee, he did not see his request as being unreasonable in the circumstances.

28.The Commissioner accepts that Mr Alford has a legitimate interest in knowing the qualifications and experience of the employee in question for these reasons and to ensure that the employee has sufficient experience and relevant qualifications.

29.However, the Commissioner also notes that there were certain other issues raised by Mr Alford which he does not consider necessarily give him a legitimate interest to the information (and so will not be repeated here).However, the Commissioner remains satisfied, in the round, that Mr Alford does have a legitimate interest to the information and therefore the first test is met.

30.The second test is whether disclosure is necessary for those legitimate interests. In this case the Commissioner, in taking account of the specific information requested by Mr Alford, is satisfied that disclosure is proportionate and that the aims of Mr Alford cannot be achieved by any other mean which would interfere less with the privacy of the employee in question.

31.The Commissioner must now consider whether disclosure would nevertheless cause unwarranted prejudice to the rights, freedoms and legitimate interests of the employee in relation to the information withheld.As noted above, this will involve a balancing exercise between the legitimate interests of Mr Alford and those of the employee.Only if the legitimate interests of Mr Alford outweigh those of the employee can information relating to the employee's qualifications and experience be disclosed without breaching the first data protection principle.

32.The (UK) Information Commissioner considers the question of fairness in his Freedom of Information Act Awareness Guidance No 1 ? Personal Data(http://www.ico.gov.uk/upload/documents/library/freedom_of_information/detailed_specialist_guides/awareness_guidance%20_1_%20personal_information_v2.pdf).Examples given in this guidance of the types of questions which should be asked when assessing whether the disclosure of personal data (which would be a form of processing) would be fair are set out below.They are useful tools in considering the rights, freedoms and legitimate interests of the employee in question.

1. Would disclosure cause unnecessary or unjustified distress or damage to the person who the information is about?
2. Would the third party expect that his or her information might be disclosed to others? Is disclosure incompatible with the purposes for which it was obtained?
3. Has the person been led to believe that his or her information would be kept secret?
4. Has the third party expressly refused consent to disclosure of the information?

e.Does the legitimate interest of a member of the public seeking information about a public authority, including personal information, outweigh the rights, freedoms and legitimate interests of the data subject?

33.The guidance distinguishes between information relating to an individual's private and public lives, suggesting that information about an individual acting in an official or work capacity is less likely to deserve protection.Potential damage or distress to the individual in a personal or private capacity should be taken into account, although the section 38(1)(b) exemption should not be used simply to spare officials embarrassment in their working lives.The guidance accepts that there will be information relating to a public authority's employees which it would be unfair to disclose, while also acknowledging that the strong public interest in the expenditure of public funds may mean that it is not unfair to disclose certain information about staff. In all of this, an important consideration will be the seniority of the staff concerned, it being less likely that disclosure will be unfair the more senior the official is.

34.The guidance referred to above is supplemented by Data Protection Technical Guidance: Freedom of Information ? Access to information about public authorities' employees. In considering the expectations of the employees concerned regarding disclosure, this document states that more senior staff and those carrying out public functions should expect more information about them to be disclosed. While asking authorities to consider whether the information requested can be edited to remove personally identifiable information, it concedes that this will not be feasible where (as in this case) the information is specifically about the qualifications and experience of a named employee.

35.Employees will normally have a reasonable expectation that information which is supplied as to a prospective employer during the recruitment process will not be disclosed to anyone outside the recruitment process.In this case, the Commissioner also noted that the employee has refused to permit CSG to disclose their qualifications and experience to Mr Alford.

36.CSG has argued that release of the data would be harmful to CSG, its employees, the relationship between CSG and their employees and would lead to difficulties in future recruitment, if data provided in confidence were to be released under FOISA.CSG also argued that it can only be in the public interest for a publicly-funded body to be able to demonstrate adhering to legislation, and it is not in the public interest for staff employed by public bodies to have their personal information compromised.

37.In considering theguidance referred to at paragraph 34 above, the Commissioner notes that this guidance not only considers that the seniority of staff is relevant when considering such staff's legitimate interests, but also that the nature of the organisation and role of the employees who are the subject of the information is relevant. In this case, whilst the Commissioner accepts that the employee in question may not occupy what is classed as a 'senior' position, the nature of the organisation and the role of the employee are relevant.

38.Whilst the Commissioner acknowledges the parallels with Decision 049/2008 Mr Jim Roberts and East Ayrshire Council, as mentioned at paragraph 14 above, each case has to be considered on its own merits.In Decision 049/2008 one of the deciding factors was that the employee in question did not hold a unique position as claimed by the applicant. The Commissioner, however, considers that in this case, regardless of the seniority of the employee within the organisation as a whole, the position and the role of that position are unique within the CSG organisation.

39.This was made clear by the Commissioner in an earlier case, Decision 055/2007 Professor Ronald MacDonald and Highland Council.In paragraph 44 of that decision, the Commissioner recognised that information included on an application form submitted in response to a job application, such as qualifications obtained, is normally supplied in the expectation that it will be seen only by those involved in the recruitment process.However, in paragraph 55, the Commissioner stated that the "cut-off point" between public and private information is highly dependant on the relevance of the qualification to the individual's position within a public authority.In Decision 055/2007, the Commissioner noted that the specialist nature of an employee's role within an organisation must also be considered and that while the level of an employee's post may not be of sufficient seniority to ensure that disclosure of qualifications, etc. would normally be expected, the specific nature and responsibilities of the post in question may well give rise to expectations of transparency and accountability.

40.Although the employee in question in this case has objected to the information being disclosed, that in itself is not conclusive in the circumstances.

41.In this case the Commissioner has come to the conclusion that given the nature of the position held by the employee, in terms of specialism, uniqueness and proficiency required in relationship to that individual's role with children, then the Commissioner considers that it would not be unreasonable for that individual to expect the personal data in question may be released as a consequence of an application under FOISA.Indeed, some of the information which would be disclosed as a result of this information request is already in the public domain, as reference to his appointment by the Glasgow City Council and Leisure Department (the precursor to CSG) has been circulated by the Council.

42.After balancing the legitimate interests of Mr Alford against the rights, freedoms or legitimate interests of the employee, the Commissioner is satisfied that the processing of the data would not be unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the employee.

43.The Commissioner, being satisfied that the three tests as set out at paragraph 26 above are fulfilled, therefore finds that the processing is permitted by condition 6(1) of Schedule 2 to the DPA is met.

44.He must, in addition, consider whether the disclosure is otherwise unfair or unlawful.The Commissioner is satisfied, for the same reasons he has found that condition 6(1) permits the data to be processed that the disclosure of the information would not be unfair.Given that CSG did not put forward any arguments as to why the disclosure of the information would be unlawful (other than in terms of a breach of the data protection principles), the Commissioner is satisfied that the disclosure of the data under FOISA would not breach the first data protection principle.

The second data protection principle

45.The second data protection principle states that 'Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.'

46.In Part II of the DPA 'Interpretation of the principles in Part I' (see appendix) it states that in determining whether any disclosure of personal data is compatible with the purpose or purposes for which the data were obtained, regard is to be had to the purpose or purposes for which the personal data are intended to be processed by any person to whom they are disclosed.

47.CSG consider that disclosure of the personal data would breach the second data protection principle, and have commented that when candidates complete and submit an application form they are informed that if successful CSG will 'use the information provided for personnel administration, learning, discipline, absence management, career development, statistical and payroll purposes'.

48.Culture and Sport Glasgow argues that it is on the above understanding between employer and employee that this information was obtained which clearly outlined the purpose for which the information will be held. The employee has provided the information on the understanding that it will be used for the above purposes and if processed for any other purpose would breach the second principle.

49.Whilst release under a request under FOISA, is not listed as one of the purposes for which data is collected and processed, the Commissioner's view is that the processing of data, in respect of a request for information under FOISA is for a lawful purpose.Release therefore would not be incompatible with the purposes for which the data were obtained, given the purpose for which the information has been requested. As such the Commissioner is of the opinion that the second principle would not be breached by the release of the information.

The sixth data protection principle

50.The sixth data protection principle states that 'Personal data shall be processed in accordance with the rights of data subjects under this Act.'Paragraph 8 of Part II of Schedule 1 to the DPA sets out the contraventions of the DPA which are to be regarded as contravening the sixth principle, i.e. contraventions of section 7 (Right of access to personal data), 10 (Right to prevent processing likely to cause damage or distress), 11 (Right to prevent processing for purposes of direct marketing), 12 (Rights in relation to automatic decision-taking) and 12A (Rights of data subjects in relation to exempt manual data) of the DPA.

51.In relation to the sixth principle, CSG drew attention to the fact that the employee had been approached and refused consent for the release of the information, which it considered to be reasonable.Furthermore CSG has not been able to identify any other condition in schedule 2 which would justify disclosure in the absence of consent.

52.As outlined above, the Commissioner is satisfied that condition 6(1) of schedule 2 can be met and, as stated above, the employee's stated objection to the information being disclosed, however that in itself is not conclusive in the circumstances.

53.While the Commissioner is aware that the employee has stated that he does not want the information to be disclosed, the CSG has not advised the Commissioner of any formal notice being served on it by the employee in terms of either section 10 or 12A of the DPA (and of no action taken by CSG in response to such a notice) and the Commissioner does not consider, particularly in the light of a lack of evidence from the CSG, that disclosure would contravene sections 7, 11 or 12 of the DPA.

54.As such, the Commissioner is unable to find that the disclosure of the data would breach the sixth data protection principle.

55.Having found that disclosure would not breach either the first, second or sixth data protection principles and that condition 6(1) of Schedule 2 of the DPA can be met, the Commissioner does not accept that this information requested is exempt under section 38(1)(b) of FOISA.

56.Having considered the format in which the information is held, some of which is in the handwriting of the employee, the Commissioner requires that in order to satisfy Mr Alford's request for information, and to comply with the requirements of FOISA, that CSG write a letter to Mr Alford providing him with the known details which he requested as outlined at paragraph 1 above, namely, 'a named employee's experience with regard to previous positions and qualifications gained in this and other countries'.

57.Instructions as to the content of that letter will be given to CSG along with this Decision Notice. Whilst that instruction cannot be repeated within this decision, it forms the basis upon which the Commissioner's decision has to be complied with.

DECISION

The Commissioner finds that Culture and Sport Glasgow (CSG) failed to comply with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by Mr Alford by applying section 38(1)(b) to the information requested.

The Commissioner therefore requires CSG to provide Mr Alford with details of qualifications and experience of the employee in question by 02 February 2009.

Appeal

Should either Mr Alford or Culture and Sport Glasgow wish to appeal against this decision, there is an appeal to the Court of Session on a point of law only.Any such appeal must be made within 42 days after the date of intimation of this decision notice.

Kevin Dunion
Scottish Information Commissioner
19 December 2008

Appendix

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1General entitlement

(1)A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

2Effect of exemptions

(1)To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that ?

(a)the provision does not confer absolute exemption; and

(b)in all the circumstances of the case, the public interest in disclosing the information is not outweighed by that in maintaining the exemption.

(2)For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption ?

?

(e)in subsection (1) of section 38 ?

?

(ii)paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

38Personal information

(1) Information is exempt information if it constitutes-

?

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

?

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

?

(b)in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

Data Protection Act 1998

1Basic interpretative provisions

(1)In this Act, unless the context otherwise requires ?

?

"personal data" means data which relate to a living individual who can be identified ?

(a)from those data, or

(b)from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

?

Schedule 1 ? The data protection principles

Part I ? The principles

1Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless ?

(a)at least one of the conditions in Schedule 2 is met, and

(b)in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

?

2 Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

?.

6 Personal data shall be processed in accordance with the rights of data subjects under this Act.

Part IIInterpretation of the principles in Part I

The second principle

5 The purpose or purposes for which personal data are obtained may in particular be specified?

(a)in a notice given for the purposes of paragraph 2 by the data controller to the data subject, or

(b)in a notification given to the Commissioner under Part III of this Act.

6In determining whether any disclosure of personal data is compatible with the purpose or purposes for which the data were obtained, regard is to be had to the purpose or purposes for which the personal data are intended to be processed by any person to whom they are disclosed.

?.

The sixth principle

8A person is to be regarded as contravening the sixth principle if, but only if?

(a)he contravenes section 7 by failing to supply information in accordance with that section,

(b)he contravenes section 10 by failing to comply with a notice given under subsection (1) of that section to the extent that the notice is justified or by failing to give a notice under subsection (3) of that section,

(c)he contravenes section 11 by failing to comply with a notice given under subsection (1) of that section, or

(d)he contravenes section 12 by failing to comply with a notice given under subsection (1) or (2)(b) of that section or by failing to give a notification under subsection (2)(a) of that section or a notice under subsection (3) of that section.

Schedule 2 ? Conditions relevant for purposes of the first principle: processing of any personal data

...

6(1)The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.