Home Decisions

Decision 169/2018

Decision 169/2018: Employee misconduct proceedings

Public authority: Stirling Council
Reference No: 201800993

Summary

Stirling Council was asked for details of misconduct proceedings relating to two identified employees.

The Council refused to confirm or deny whether it held relevant recorded information, or whether such information existed. Following an investigation, the Commissioner found that the Council was entitled to do this.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 18(1) (Further provisions as respects responses to request); 38(1)(b), (2)(a)(i), (2)(b) and (5) (definitions of "the data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA 1998) sections 1(1) (Basic interpretative provisions) (definition of personal data); 2(g) (Sensitive personal data); Schedules 1 (The data protection principles, Part 1 - the principles) (the first data protection principle); 3 (Conditions relevant for purposes of the first principle: processing of sensitive personal data (conditions 1 and 5))

Data Protection Act 2018 (the DPA 2018) Schedule 20 (Transitional provision etc - paragraph 56)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. Mr Y had been in correspondence with Stirling Council (the Council), regarding the treatment of two identified employees.

2. On 13 April 2018, Mr Y made a request for information to the Council. Mr Y asked the Council to confirm that neither of these two individuals were involved in any criminal behaviour, theft or otherwise, whilst employed by the Council, that resulted in them receiving a written warning for their behaviour from the Council.

3. The Council responded on 19 April 2018. The Council refused to confirm or deny whether it held the information requested or whether it existed, relying on section 18(1) of FOISA. The Council informed Mr Y that it was applying section 18(1) in conjunction with section 38(1)(b) of FOISA (Personal information).

4. On 20 April 2018, Mr Y wrote to the Council requesting a review of its decision. He believed that the information should be disclosed, as he considered the way in which the two employees were treated was different from the treatment of another employee, which he described as discriminatory. He believed it was in the public interest for the information to be disclosed.

5. The Council notified Mr Y of the outcome of its review on 16 May 2018, upholding its original decision without modification.

6. On 12 June 2018, Mr Y applied to the Commissioner for a decision in terms of section 47(1) of FOISA. Mr Y submitted that the Council was trying to cover up its failure to comply with its own Financial Regulations[1]; specifically, the regulation relating to "Prevention and Detection of Fraud and Corruption". He considered that there was a public interest in disclosing the information as he considered that the Council were actively practicing a discriminatory policy in dealing with employees, and this should be made public so matters could be put right.

Investigation

7. The application was accepted as valid. The Commissioner confirmed that Mr Y made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

8. On 31 July 2018, the Council was notified in writing that Mr Y had made a valid application. The case was allocated to an investigating officer.

9. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Council was invited to comment on this application and answer specific questions, focusing on the provisions of FOISA cited in its responses to Mr Y.

10. The Council confirmed that it considered any information covered by Mr Y's request, if it existed and was held, would be exempt from disclosure in terms of section 38(1)(b) of FOISA.

11. During the investigation, Mr Y provided further submissions to the Commissioner in support of his application, focusing on the public interest in disclosure of the information.

Commissioner's analysis and findings

12. In coming to a decision on this matter, the Commissioner considered all of the relevant submissions, or parts of submissions, made to him by both Mr Y and the Council. He is satisfied that no matter of relevance has been overlooked.

Section 18(1) of FOISA - "neither confirm nor deny"

13. The Council relied on section 18 of FOISA, refusing to confirm or deny whether it held any information falling within the scope of Mr Y's request, or whether that information existed. Section 18(1) allows public authorities to refuse to confirm or deny whether they hold information in the following limited circumstances:

(i) a request has been made to the authority for information which may or may not be held by it; and

(ii) if the information were held by the authority (and it need not be), it could give a refusal notice under section 16(1) of FOISA, on the basis that the information was exempt information by virtue of any of the exemptions in sections 28 to 35, 38, 39(1) or 41 of FOISA; and

(iii) the authority considers that to reveal whether the information exists or is held by it would be contrary to the public interest.

14. Section 18(1) makes it clear that the authority must be able to give a refusal notice under section 16(1), on the basis that any relevant information it held would be exempt information under one or more of the listed exemptions. It is not sufficient for the public authority to simply claim that one or more of the relevant exemptions applies.

15. Where a public authority has chosen to rely on section 18(1) of FOISA, the Commissioner must first establish whether, if the information existed and was held by the public authority, the authority would be justified in refusing to disclose the information by virtue of any of the exemptions provided for by sections 28 to 35, 38, 39(1) or 41 of FOISA (including any relevant public interest test). If so, he must then go on to establish whether the authority is justified in stating that to reveal whether the information exists or is held would be contrary to the public interest.

16. While doing this, the Commissioner must ensure that his decision notice does not confirm one way or the other whether the information requested actually exists or is held by the authority. This means that he is unable to comment in any depth on the reliance by the public authority on any of the exemptions listed in section 18(1), or on other matters which could have the effect of indicating whether the information existed or was held by the authority.

17. In this case, the Council submitted that if it did hold any information falling within the scope of Mr Y's request, it could be withheld under section 38(1)(b) of FOISA.

18. The Commissioner must first consider whether, in relation to section 38(1)(b), the Council could have given a refusal notice under section 16(1) of FOISA if the information existed and was held.

Data Protection Act 2018 (Transitional provisions)

19. On 25 May 2018, the DPA 1998 was repealed by the DPA 2018. The DPA 2018 amended section 38 of FOISA. It also introduced a set of transitional provisions which set out what should happen where a public authority dealt with an information request before FOISA was amended on 25 May 2018, but where the matter is being considered by the Commissioner after that date.

20. In line with paragraph 56 of Schedule 20 to the DPA 2018 (see Appendix 1), if an information request was dealt with before 25 May 2018 (as is the case here), the Commissioner must consider the law as it was before 25 May 2018 when determining whether the authority dealt with the request in accordance with Part 1 of FOISA.

21. Paragraph 56 of Schedule 20 goes on to say that, if the Commissioner concludes that the request was not dealt with in accordance with Part 1 of FOISA (as it stood before 25 May 2018), he cannot require the authority to take steps which it would not be required to take in order to comply with Part 1 of FOISA on or after 25 May 2018.

22. The Commissioner will therefore consider whether the Council was entitled to apply the exemption in section 38(1)(b) of FOISA under the old law to the requested information, if held or not. If he finds that the Council would not be entitled to withhold the information (if held) under the old law, he will only order the Council to confirm whether the information is held if disclosure would not now be contrary to the new law.

Section 38(1)(b) - personal data

23. Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or, as appropriate, section 38(2)(b), exempts information from disclosure if it is "personal data" (as defined in section 1(1) of the DPA 1998) and its disclosure would contravene one or more of the data protection principles set out in Schedule 1 to the DPA 1998.

24. The exemption in section 38(1)(b) of FOISA is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

25. In order to rely on this exemption, the Council must show that if the information was held, it is the personal data for the purposes of the DPA 1998 and that its disclosure into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles to be found in Schedule 1 to the DPA 1998. The Council considered disclosure of the information, if held would breach the first data protection principle.

Is the information personal data?

26. "Personal data" are defined in section 1(1) of the DPA 1998 as "data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller" (the full definition is set out in Appendix 1).

27. The Council submitted that disclosure of the withheld information (if held) would identify living individuals.

28. Having considered the circumstances of this case, including the fact that the Council's correspondence with Mr Y identified the two individuals, the Commissioner is satisfied that living individuals could, if the information is held, be identified from the information, on its own or together with other information likely to be accessible to Mr Y (and others). The requested information clearly relates to living individuals. Consequently, the Commissioner accepts that the information is personal data, as defined by section 1(1) of the DPA 1998.

Is the information under consideration sensitive personal data?

29. The Council submitted that the withheld information, if held, constituted sensitive personal data. The Council provided reasons, and referred to the definition of sensitive personal data within section 2 of the DPA 1998.

30. In this case, the Commissioner is satisfied that all of the withheld personal data, if held, falls into the category of sensitive personal data listed in section 2(g) of the DPA 1998 (see Appendix 1).

Would disclosure of the personal data contravene the first data protection principle?

31. In its submissions, the Council argued that disclosure of the withheld personal data would contravene the first data protection principle, which requires that personal data are processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 to the DPA 1998 is met. In the case of sensitive personal data, at least one of the conditions in Schedule 3 to the DPA 1998 must also be met. The processing in this case would comprise making the information, if held, publicly available in response to Mr Y's request.

32. Given the additional restrictions surrounding the disclosure of sensitive personal data, it is necessary in this case to consider whether there are any conditions in Schedule 3 which would permit the data to be disclosed, before considering the Schedule 2 conditions.

33. The conditions listed in Schedule 3 to the DPA 1998 have been considered by the Commissioner, as have additional conditions for processing sensitive personal data contained in legislation such as the Data Protection (Processing of Sensitive Personal Data) Order 2000. The Commissioner has not identified any of these additional conditions as potentially applicable in this case.

34. The Commissioner's guidance on section 38(1)(b) of FOISA (the guidance in force when the Council issued its review response) notes that the conditions in Schedule 3 are very restrictive in nature and that, generally, only the first and fifth conditions are likely to be relevant when considering a request for sensitive personal data under FOISA.

35. Condition 1 allows processing where the data subject has given explicit (and fully informed) consent to the processing (which in this case would be disclosure into the public domain in response to Mr Y's request). Condition 5 allows processing where information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.

36. The Commissioner has concluded that it would not be reasonable or appropriate to seek consent from the data subjects for disclosure of the personal data, if held, and that condition 1 could not be met in this case. He is also satisfied that none of the information under consideration (if held) has been made public as a result of steps deliberately taken by the data subjects, and so condition 5 could not be met in this case.

37. Having reached these conclusions, and also having concluded that no other condition in Schedule 3 (or any other legislation) applies in the circumstances of this case, the Commissioner finds that there are no conditions which would allow the sensitive personal data to be disclosed, if held.

38. In the absence of a condition in Schedule 3 permitting the sensitive personal data to be disclosed, the Commissioner must find that disclosure would be unfair. In the absence of such a condition, disclosure would also be unlawful. Consequently, disclosure of the sensitive personal data, if held, would contravene the first data protection principle. The Commissioner therefore finds that the Council would have been entitled to withhold the information requested by Mr Y, as it was exempt from disclosure under section 38(1)(b) of FOISA, if it existed and was held.

Transitional provisions

39. Given that the Commissioner has found that the Council complied with Part 1 of FOISA as it stood before 25 May 2018 in responding to the request by Mr Y, in relation to its decision to withhold personal data (if it exists and is held) under section 38(1)(b), he is not required to go on to consider whether disclosure would breach Part 1 of FOISA as it currently stands.

Section 18(1) - the public interest

40. Having accepted that the Council could have given a refusal notice under section 16(1) of FOISA on the basis that any relevant information, if it existed and was held, would be exempt information by virtue of section 38(1)(b) of FOISA, the Commissioner must go on to consider the Council's application of the remaining element of section 18. He is required by section 18(1) to consider whether the Council was entitled to conclude that it would be contrary to the public interest to reveal whether the information existed or was held.

41. The Council explained why it had concluded that, on balance, it would not be in the public interest to reveal whether it held the information, or whether the information existed. Its reasons were in line with its submissions regarding the application of section 38(1)(b) of FOISA: i.e. if it confirmed whether it held the information requested by Mr Y, it would be disclosing information about criminal matters relating to two identifiable individuals.

42. Mr Y provided detailed reasons why the requested information should be disclosed. He considered that the Council was not adhering to its own policy and was actively discriminating against employees in reporting some to the police and sacking them for criminal behaviour, and only issuing written warnings to others. He considered that this "illegal practice" and "discriminatory treatment" of employees should be brought into the public domain.

43. In reaching a conclusion in this case, the Commissioner has taken into account the restrictions around the disclosure of sensitive personal data. He is aware that if the Council was to confirm that it held the requested information, this would amount to a disclosure of sensitive personal data relating to the two identifiable individuals even if the Council refused to disclose the information it held. By simply confirming that it held information covered by Mr Y's request, the Council would reveal sensitive personal data.

44. Mr Y has provided cogent public interest arguments. However, given the legal protection afforded to sensitive personal data, even if disclosure would offer the insight into the Council's practices which Mr Y expects, the Commissioner considers that there would be a greater public interest in ensuring that sensitive personal data is not disclosed contrary to data protection laws; either directly by providing the requested information (if it was held), or indirectly by confirming that it exists and is held by the Council.

45. Having considered the submissions of both parties, the Commissioner is satisfied, in all the circumstances of this case, it would have been contrary to the public interest for the Council to reveal whether the information requested by Mr Y exists or was held by the Council.

46. As a result, the Commissioner is satisfied that, in line with section 18(1) of FOISA, the Council was entitled to refuse to confirm or deny whether it held the information requested by Mr Y, or whether such information existed.

Decision

The Commissioner finds that Stirling Council complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by Mr Y.

Appeal

Should either Mr Y or the Council wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement

29 October 2018

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

18 Further provision as respects responses to request

(1) Where, if information existed and was held by a Scottish public authority, the authority could give a refusal notice under section 16(1) on the basis that the information was exempt information by virtue of any of sections 28 to 35, 39(1) or 41 but the authority considers that to reveal whether the information exists or is so held would be contrary to the public interest, it may (whether or not the information does exist and is held by it) give the applicant a refusal notice by virtue of this section.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

2 Sensitive personal data

In this Act "sensitive personal data" means personal data consisting of information as to-

(g) the commission or alleged commission by [the data subject] of any offence, or

Schedule 1 - The data protection principles

Part I - The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

Schedule 3 - Conditions relevant for purposes of the first principle: processing of sensitive personal data

1. The data subject has given his explicit consent to the processing of the personal data.

5. The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.

 

Data Protection Act 2018

Schedule 2 - Transitional provision etc

56 Freedom of Information (Scotland) Act 2002

(1) This paragraph applies where a request for information was made to a Scottish public authority under the Freedom of Information (Scotland) Act 2002 ("the 2002 Act") before the relevant time.

(2) To the extent that the request is dealt with after the relevant time, the amendments of the 2002 Act in Schedule 10 to this Act have effect for the purposes of determining whether the authority deals with the request in accordance with Part 1 of the 2002 Act.

(3) To the extent that the request was dealt with before the relevant time -

(a) the amendments of the 2002 Act in Schedule 19 to this Act do not have effect for the purposes of determining whether the authority deals with the request in accordance with Part 1 of the 2002 Act as amended by Schedule 19 to this Act, but

(b) the powers of the Scottish Information Commissioner and the Court of Session, on an application or appeal under the 2002 Act, do not include power to require the authority to take steps which it would not be required to take in order to comply with Part 1 of the 2002 Act as amended by Schedule 19 to this Act.

(4) In this paragraph -

"Scottish public authority" has the same meaning as in the 2002 Act;

"the relevant time" means the time when the amendments of the 2002 Act in Schedule 19 to this Act come into force.

[1] https://www.stirling.gov.uk/__documents/democracy/governance/financialregulationsoctober2018.pdf