|
Decision 166/2012 Mr H and the Scottish Prison Service
Incident at HMP Peterhead
Reference No: 201201422
Decision Date: 10 October 2012 |
Summary
Mr H asked the Scottish Prison Service (the SPS) for information relating to a specific incident at HMP Peterhead.The SPS responded by informing Mr H that any information it held was personal data, the disclosure of which would breach the data protection principles set out in the Data Protection Act 1998.Following an investigation, the Commissioner accepted this.
Relevant statutory provisions
Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2)(a)(i), (2)(b) and (5) (definitions of "the data protection principles", "data subject" and "personal data") (Personal information)
Data Protection Act 1998 (the DPA) section 1(1) (Basic interpretative provisions) (definition of "personal data") and2(h) (Sensitive personal data); Schedules 1 (The data protection principles, Part I ? the principles) (the first data protection principle); and 3 (Conditions relevant for purposes of the first principle: processing of sensitive personal data) (conditions 1 and 5)
The full text of each of the statutory provisions cited above is reproduced in the Appendix to this decision.The Appendix forms part of this decision.
Background
1.On 30 April 2012, Mr H wrote to the SPS and, in relation to a specified incident at HMP Peterhead, requested the following information:
i)confirmation whether any prisoner or member of SPS staff was charged with a breach of discipline/conduct or a criminal offence due to the event, and if so;
ii)whether any prisoner or member of SPS staff was found guilty of an offence, and if so, to specify the breach or act for which he or she was found responsible;
iii)details of any punishment imposed; and
iv)confirmation whether any person was harmed as a result of a crime or a breach of discipline/conduct, and if so, whether it was a prisoner or a member of SPS staff.
Mr H advised that he was not seeking "any personal information pertaining to any individual, only the information detailed above".
2.The SPS responded on 22 May 2012.It informed Mr H that all the information it held and which fell within the scope of his request was exempt from disclosure in terms of section 38(1)(b) of FOISA, in that it was the personal data of a third party and disclosing it would breach the data protection principles.
3.On 28 May 2012, Mr H wrote to the SPS requesting a review of its decision. In particular, Mr H informed the SPS that it had not stipulated in its response which data protection principle would be breached by disclosure and submitted that there was a public interest in disclosure.
4.The SPS notified Mr H of the outcome of its review on 11 July 2012.The SPS upheld its original decision that all the information held was exempt in terms of section 38(1)(b) of FOISA.It explained that once personal data was excluded from that information, no further information would be held.
5.On 19 July 2012, Mr H wrote to the Commissioner, stating that he was dissatisfied with the outcome of the SPS's review and applying to the Commissioner for a decision in terms of section 47(1) of FOISA.
6.The application was validated by establishing that Mr H had made a request for information to a Scottish public authority and had applied to the Commissioner for a decision only after asking the authority to review its response to that request.
Investigation
7.The SPS is an agency of the Scottish Ministers (the Ministers) and, on 9 August 2012, in line with agreed procedures, the Ministers were notified in writing that an application had been received from Mr H and were asked to provide the Commissioner with any information withheld from him.The Ministers responded with the information requested and the case was then allocated to an investigating officer.Subsequent references to contact with or submissions from the SPS are therefore references to contact with or submissions made by the Ministers on behalf of the SPS.
8.The investigating officer subsequently contacted the SPS, giving it an opportunity to provide comments on the application (as required by section 49(3)(a) of FOISA) and asking it to respond to specific questions.
9.The relevant submissions received from both the SPS and Mr H will be considered fully in the Commissioner's analysis and findings below.
Commissioner's analysis and findings
10.In coming to a decision on this matter, the Commissioner has considered all of the withheld information and the submissions made to her by both Mr H and the SPS and is satisfied that no matter of relevance has been overlooked.
Section 38(1)(b) ? personal data
11.The SPS submitted that the information held was personal data for the purposes of the DPA and that its disclosure would contravene the first, second and sixth data protection principles.Consequently, it argued that the information was exempt under section 38(1)(b) of FOISA.
12.Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or (2)(b) (as appropriate), exempts information from disclosure where that information is personal data and its disclosure to a member of the public otherwise than under FOISA would contravene any of the data protection principles in Schedule 1 to the DPA.
13.In considering the application of this exemption, the Commissioner must first determine whether the information in question is personal data as defined in section 1(1) of the DPA and then, if it is, whether any of it is sensitive personal data as defined in section 2 of the DPA.If she is satisfied that the information is personal data, she will go on to consider whether its disclosure would breach any of the data protection principles, considering the implications of its status as sensitive personal data as and where appropriate.
14.It must be borne in mind that this particular exemption is an absolute exemption.This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.
Is the information under consideration personal data?
15.The Commissioner has considered whether the information withheld is personal data for the purposes of section 1(1) of the DPA; that is, data which relate to a living individual who can be identified a) from those data, or b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller (the definition is set out in full in the Appendix).
16.The Commissioner has considered the submissions received from the SPS on this point.In the circumstances, she is satisfied that any information held and falling within the scope of Mr H's request relates to living individuals (i.e. the individuals involved in the incident) who could be identified from those data.She therefore accepts that the information would be those individuals' personal data, as defined by section 1(1) of the DPA.
17.Disclosure under FOISA is, to all intents and purposes, disclosure into the public domain.Having considered the withheld information, the Commissioner does not believe it would be possible to disclose any of that information without a strong risk of identification (by others, if not by Mr H) remaining.In all the circumstances, therefore, the Commissioner accepts the SPS's contention (as communicated to Mr H in the review outcome) that to exclude personal data from the information would be to exclude all of the relevant information held by the SPS: as it advised Mr H, no information would be held.The Commissioner has, however, gone on to consider whether the withheld information could be disclosed without breaching any of the data protection principles.
Sensitive personal data
18.The SPS submitted that the information sought was also sensitive personal data, in terms of section 2(h) of the DPA, because it related to charges and sentencing.
19.Section 2 of the DPA provides that certain types of personal data are to be considered as sensitive personal data, which is afforded additional protection under the DPA.This includes, at section 2(h), personal data consisting of information as to any proceedings for any offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings.The Commissioner is satisfied that the information under consideration here clearly relates to these matters and is therefore sensitive personal data.
20.The Commissioner will now consider whether disclosure of the information would breach the data protection principles as submitted by the SPS.
Consideration of the first data protection principle
21.The first data protection principle states that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met and, in the case of sensitive personal data, at least one of the conditions in Schedule 3 to the DPA is also met.The processing in this case would be disclosure in response to Mr H's information request.
22.The Commissioner will first of all consider whether any of the conditions in Schedule 3 can be met, to allow the processing of the personal sensitive data.If none of these conditions can be met, there will be no requirement to go on to consider the application of the conditions in Schedule 2.
Can any of the conditions in Schedule 3 to the DPA be met?
23.There are 10 conditions listed in Schedule 3 to the DPA.One of these, condition 10, allows sensitive personal data to be processed in circumstances specified in an order made by the Secretary of State, and the Commissioner has therefore considered the additional conditions for processing sensitive personal data as contained in secondary legislation such as the Data Protection (Processing of Sensitive Personal Data) Order 2000.None of these are applicable in this case.
24.The Commissioner's guidance[1] on the section 38 exemption concludes that (in practical terms) there are only two conditions in Schedule 3 which would allow sensitive personal data to be processed in the context of a request for information under FOISA, namely:
Condition 1 ? the data subject has given explicit consent to the release of the information; or,
Condition 5 ? the information contained in the personal data has been made public as a result of steps taken deliberately by the data subject.
25.In relation to the withheld information, the Commissioner accepts that the data subjects have not given explicit consent to the release of the information and she would not expect the SPS to attempt to obtain such consent.Consequently, she is satisfied that condition 1 in Schedule 3 cannot be met.
26.Similarly, from the information available to her, the Commissioner is unable to conclude that condition 5 in Schedule 3 can be met in this case.
27.Having also considered the other conditions in Schedule 3, and (as indicated above) the additional conditions contained in secondary legislation, the Commissioner has come to the conclusion that there is no condition which would permit disclosure of the sensitive personal data under consideration here.In the absence of a condition permitting disclosure, that disclosure would be unlawful.Consequently, the Commissioner finds that disclosure would breach the first data protection principle and that the information is therefore exempt from disclosure (and properly withheld) under section 38(1)(b) of FOISA.
28.In the circumstances, the Commissioner is not required to go on to consider whether disclosure would breach either the second or the sixth data protection principle.
DECISION
The Commissioner finds that the SPS complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by Mr H.
Appeal
Should either Mr H or the Scottish Prison Service wish to appeal against this decision, there is an appeal to the Court of Session on a point of law only.Any such appeal must be made within 42 days after the date of intimation of this decision notice.
Margaret Keyse
Head of Enforcement
10 October 2012
Appendix
Relevant statutory provisions
Freedom of Information (Scotland) Act 2002
1 General entitlement
(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.
?
2 Effect of exemptions
(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that ?
(a) the provision does not confer absolute exemption; and
...
(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption ?
?
(e) in subsection (1) of section 38 ?
?
(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.
38Personal information
(1) Information is exempt information if it constitutes-
?
(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;
?
(2) The first condition is-
(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-
(i) any of the data protection principles; or
?
(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.
?
(5) In this section-
"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;
"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;
?
Data Protection Act 1998
1Basic interpretative provisions
(1)In this Act, unless the context otherwise requires ?
?
"personal data" means data which relate to a living individual who can be identified ?
(a)from those data, or
(b)from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;
?
2 Sensitive personal data
In this Act "sensitive personal data" means personal data consisting of information as to-
?
(h)any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
Schedule 1 ? The data protection principles
Part I ? The principles
1.Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless ?
(a)at least one of the conditions in Schedule 2 is met, and
(b)in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
?
Schedule 3 ? Conditions relevant for purposes of the first principle: processing of sensitive
personal data
1. The data subject has given his explicit consent to the processing of the personal data.
?
5.The information contained in the personal data has been made public as a result of steps
deliberately taken by the data subject.
?
[1] http://www.itspublicknowledge.info/Law/FOISA-EIRsGuidance/section38/Section38.aspx
