|
Decision 162/2016: Mr S and City of Edinburgh Council
Pupil exclusions
Reference No: 201600498
Decision Date: 19 July 2016
Summary
On 6 November 2015, Mr S asked the City of Edinburgh Council (the Council) for information regarding pupil exclusions at a named school during a specified period.
The Council disclosed some information, but withheld statistical information under section 38(1)(b) of FOISA, on the basis that it was personal data and disclosure would breach the data protection principles. Following a review, Mr S remained dissatisfied and applied to the Commissioner for a decision.
The Commissioner investigated and found that the Council was entitled to withhold the information.
|
Relevant statutory provisions
Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2)(a)(i), (2)(b) and (5) (definition of "the data protection principles", "data subject" and "personal data") (Personal information)
Data Protection Act 1998 (the DPA) sections 1(1) (Basic interpretative provisions) (definition of "personal data"); Schedule 1 (The data protection principles, Part 1 - the principles) (the first data protection principle); Schedule 2 (Conditions relevant for purposes of the first principle: processing of any personal data) (conditions 1 and 6)
The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.
Background
1. On 6 November 2016, Mr S made a request for information to the Council. The information requested related to a named school during a specified period in 2014. Mr S asked for:
(i) The number of pupils excluded from school for offences in connection with drugs and alcohol.
(ii) The number of those pupils as stated in (i) who received a fixed-term exclusion.
(iii) The number of those pupils as stated in (i) who received permanent exclusion.
(iv) The number of those pupils as stated in (i) who received neither fixed-term or permanent exclusion, but did return to school.
(v) The number of those pupils as stated in (i) who received neither fixed-term or permanent exclusion, but did not return to school.
(vi) The number of pupils in the cohort in (i) who received a fixed-term exclusion and who had a formal record made in their personal school file for drugs and alcohol as being the reason for exclusion.
(vii) The number of pupils in the cohort in (i) who received permanent exclusion and who had a formal record made in their personal school file for drugs and alcohol as being the reason for exclusion.
(viii) The number of pupils in the cohort (i) who had no formal record made in their personal school file for drugs and alcohol offences.
(ix) A copy of the school's published policy on substance misuse in force at the time.
2. The Council responded on 25 November 2015. The Council provided Mr S with a copy of the school's policy on substance misuse, but it withheld all other information on the basis that it was personal data and was exempt from disclosure under section 38(1)(b) of FOISA.
3. On 3 December 2015, Mr S wrote to the Council requesting a review of its decision. He did not consider that disclosure of the information would breach any of the data protection principles in the Data Protection Act 1998 (the DPA). Mr S noted that he was only seeking numerical values and not the names of persons.
4. The Council notified Mr S of the outcome of its review on 12 January 2016. The Council upheld its initial response and maintained that the information was exempt from disclosure under section 38(1)(b) of FOISA.
5. On 17 March 2016, Mr S applied to the Commissioner for a decision in terms of section 47(1) of FOISA. He was dissatisfied with the outcome of the Council's review because it had not provided him with all of the information he had requested.
Investigation
6. The application was accepted as valid. The Commissioner confirmed that Mr S made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to her for a decision.
7. On 1 April 2016, the Council was notified in writing that Mr S had made a valid application. The Council was asked to send the Commissioner the information withheld from Mr S. The Council provided the information and the case was allocated to an investigating officer.
8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Council was invited to comment on this application and answer specific questions including justifying its reliance on any provisions of FOISA it considered applicable to the information requested.
Commissioner's analysis and findings
9. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to her by both Mr S and the Council. She is satisfied that no matter of relevance has been overlooked.
Section 38(1)(b) - Personal Data
10. The Council withheld information under section 38(1)(b) of FOISA.
11. Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) (or, as appropriate, section 38(2)(b)) exempts information from disclosure if it is "personal data", as defined in section 1(1) of the DPA, and its disclosure would contravene one or more of the data protection principles set out in Schedule 1 to the DPA.
12. In order to rely on this exemption, the Council must show, firstly, that any such information would be personal data for the purposes of the DPA and, secondly, that disclosure of that data would contravene one or more of the data protection principles to be found in Schedule 1. The Council argued that disclosure would breach the first and second data protection principles.
13. This exemption is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.
Is the statistical information under consideration personal data?
14. "Personal data" are defined in section 1(1) of the DPA as "data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual".
15. The Council submitted that the withheld information is personal data as it relates to living individual(s), in this case, a child or children identified, at a specific school, as being involved with drugs and alcohol within a 14 week timeframe. The Council submitted that, for reasons explained to the Commissioner but not included here, it considered it likely that such an incident would be known within the school community. Given this, the Council argued that disclosure of the number of children who were excluded during the specified timeframe would enable the individual(s) to be identified.
16. Given the restricted and relatively recent timeframe of the incident along with the relatively small number of pupils at the school, the Commissioner accepts it is likely that there will be many individuals at the school who would be able to identify living individual(s) from the numerical values withheld from Mr S. The Commissioner considers that the information (given the detail provided in Mr S' questions) relates to the individual(s) in a biographical sense and is their personal data.
Would disclosure contravene the first data protection principle?
17. Non-sensitive personal data can only be disclosed if one of the conditions in Schedule 2 to the DPA can be met.
18. The Council argued that disclosure would breach the first data protection principle. This states that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met, and, in the case of sensitive personal data, at least one of the conditions in Schedule 3 to the DPA is also met. "Processing" here means disclosing the personal data into the public domain in response to Mr S' information request.
Can any of the conditions in Schedule 2 of the DPA be met?
19. Guidance[1] issued by the Commissioner on section 38(1)(b) states that, generally, only the first and sixth conditions in Schedule 2 of the DPA are likely to be relevant when considering a request for personal data under FOISA.
20. The first condition allows personal data to be disclosed where the data subject(s) has or have given consent to the processing. The Council submitted that it has not sought permission from the data subject(s) to disclose the information. The Commissioner is satisfied that condition 1 cannot be met in this case.
21. Condition 6(1) allows personal data to be processed if that processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
22. The tests which must be met before condition 6(1) can apply are:
(i) Does Mr S have a legitimate interest in obtaining the personal data?
(ii) If so, is the disclosure necessary for the purposes of those interests? In other words, is disclosure proportionate as a means and fairly balanced as to ends, or could the interests be met by means which interfere less with the privacy of the data subject(s)?
(iii) Even if disclosure is necessary for those purposes, would it nevertheless be unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subject(s)? As noted by Lord Hope in the case of Common Services Agency v Scottish Information Commissioner [2008] UKHL 47[2], there is no presumption in favour of disclosure of personal data under the general obligation laid down in FOISA. The legitimate interests of Mr S must outweigh the rights and freedoms or legitimate interests of the data subject(s) before condition 6 permits personal data to be disclosed.
Does Mr S have a legitimate interest in obtaining the personal data?
23. The Council acknowledged that Mr S may have a legitimate interest to the information.
24. Mr S provided the Commissioner with a detailed explanation of why he had a legitimate interest in obtaining the personal data. The Commissioner will not repeat that explanation in this decision, but, in the circumstances, she is satisfied that Mr S does have a legitimate interest in obtaining the personal data.
Is disclosure of the information necessary for the purposes of these legitimate interests?
25. The Commissioner must now consider whether disclosure of the personal data is necessary for Mr S' legitimate interests. In doing so, she must consider whether these interests might reasonably be met by any alternative means.
26. The decision by the Supreme Court in the case of South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55[3] stated (at paragraph 27 of the judgment):
"? A measure which interferes with a right protected by Community law must be the least restrictive for the achievement of a legitimate aim. Indeed, in ordinary language we would understand that a measure would not be necessary if the legitimate aim could be achieved by something less."
27. Disclosure of the withheld information would allow Mr S to know how many individuals were excluded in connection with drug and alcohol offences and it would also enable him to see whether the punishment varied between individuals. This would provide transparency in relation to school's actions and decisions. The Commissioner has accepted that disclosure is necessary to meet his legitimate interests: Mr S could not acquire knowledge of the punishments handed out, other than through disclosure of the personal data.
Would disclosure be unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subject(s)?
28. The Commissioner must consider whether disclosure would be unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subject(s). This involves a balancing exercise between the legitimate interests of Mr S and those of the data subject(s). Only if the legitimate interests of Mr S outweigh those of data subject(s) can the information be disclosed without breaching the first data protection principle.
29. The Council argued that disclosure is unwarranted as it would clearly prejudice the rights and freedoms of the data subject(s). Disclosure would lead to the identification of the data subject(s), who would have a reasonable expectation that their personal data would not be disclosed. The Council submitted that Mr S' legitimate interests do not outweigh those of the data subject(s). It argued that while disclosure could increase transparency and public accountability, it also has the potential to cause significant distress to the data subject(s).
30. Mr S summarised what he understood about the withheld information and explained why he required access to it (his summary is not included in this decision notice).
31. In her briefing on section 38[4] of FOISA, the Commissioner notes a number of factors which should be taken into account in carrying out the balancing exercise relating to legitimate interests. These include:
(i) whether the information relates the individual's public life (i.e. their work as a public official or employee) or their private life (i.e. their home, family, social life or finances);
(ii) the potential harm or distress that may be caused to by the disclosure;
(iii) whether the individual has objected to the disclosure; and
(iv) the reasonable expectations of the individual as to whether the information would be disclosed.
32. The Commissioner is satisfied that disclosure of the information has the potential to cause considerable harm or distress to the data subject(s), who would have a reasonable expectation of privacy in relation to their personal data. The Commissioner considers that the data subject(s) would expect the information be kept confidential, and not to be disclosed into the public domain in response to a request under FOISA.
33. The Commissioner accepts that Mr S has strong personal reasons for requiring disclosure of the personal information. However, having considered the competing interests in this particular case, she finds that his legitimate interests are outweighed by the prejudice to the rights and freedoms of the data subject(s) that would result from disclosure. While disclosure would increase transparency about the punishments given to pupil(s) and would reveal how many individual(s) received a punishment as well as the nature of the punishment, it would also enable the public to identify the child or children who received a punishment and possibly to identify what their punishment was.
34. While Mr S has made it clear he is not seeking the names or identities of the pupil(s) who received punishments, the Commissioner considers that disclosing the information he requested would lead to the identification of the pupil(s). If the pupil(s) were to be identified, she considers that this would constitute an unfair intrusion into their privacy, as data subject(s). On balance, the Commissioner finds that the requirements of condition 6 of Schedule 2 of the DPA cannot be met here.
35. Given this conclusion, the Commissioner finds that there is no condition in Schedule 2 of the DPA which would permit disclosure of the information. In the absence of a condition permitting disclosure, that disclosure would be unlawful. Consequently the Commissioner finds that disclosure of the information would breach the first data protection principle and that the information is therefore exempt from disclosure and was properly withheld under section 38(1)(b) of FOISA.
36. In the circumstances, the Commissioner is not required to, and will not go on to, consider whether disclosure would also breach the second data protection principle.
|
Decision
The Commissioner finds that City of Edinburgh Council complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by Mr S.
|
Appeal
Should either Mr S or City of Edinburgh Council wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.
Margaret Keyse
Head of Enforcement
19 July 2016
Appendix 1: Relevant statutory provisions
Freedom of Information (Scotland) Act 2002
1 General entitlement
(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.
?
(6) This section is subject to sections 2, 9, 12 and 14.
2 Effect of exemptions
(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -
(a) the provision does not confer absolute exemption; and
?
(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -
?
(e) in subsection (1) of section 38 -
?
(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.
38 Personal information
(1) Information is exempt information if it constitutes-
?
(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;
?
(2) The first condition is-
(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-
(i) any of the data protection principles; or
?
(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.
?
(5) In this section-
"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;
"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;
?
Data Protection Act 1998
1 Basic interpretative provisions
(1) In this Act, unless the context otherwise requires -
?
"personal data" means data which relate to a living individual who can be identified -
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;
?
Schedule 1 - The data protection principles
Part I - The principles
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
?.
Schedule 2 - Conditions relevant for purposes of the first principle: processing of any personal data
1. The data subject has given his consent to the processing.
...
6. (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
