Decision 182/2016

Decision 182/2016: Mr F and the Scottish Prison Service

Policy information

Reference No: 201600336
Decision Date: 24 August 2016

Summary

On 22 December 2016, Mr F asked the Scottish Prison Service (the SPS) for all information concerning policy and practice in relation to its obligations as data controller pursuant to the Seventh Data Protection Principle. The SPS provided some information to Mr F.

Following an investigation, the Commissioner found that the SPS had failed to provide Mr F with all of the information that it held.

Given that all of the information had since been provided to Mr F, the Commissioner did not require the SPS to take any action.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (4) (General entitlement)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 22 December 2015, Mr F made a request for information to the SPS. The information requested was all information held by the SPS concerning policy and practice in relation to its obligations as a data controller pursuant to the Seventh Data Protection Principle (Article 17 of the EU Data Protection Directive 95/46/EC), including both technical and organisational measures such as:

(a) monitoring of staff,

(b) controlling physical access to IT systems,

(c) restricting the use of portable electronic devices outwith the workplace,

(d) preventing or restricting the use of employees' personal devices from being used for work purposes, and

(e) adopting appropriate techniques for the destruction of electronically held personal data,

(f) restricting the use of personal data on a "need to know" basis within the organisation.

2. The SPS responded on 25 January 2016. It informed Mr F that it held no information falling within the scope of part (a) of his request. In response to the remaining parts, the SPS provided Mr F with extracts from Governors and Managers Action Notices (GMA).

3. On 29 January 2016, Mr F wrote to the SPS, requiring a review of its decision on the basis that surprisingly little information had been provided as to the measures actually implemented in accordance with the obligations imposed by the EU directive. Mr F also made reference to a previous request he had made in 2014, where information had been withheld in terms of sections 29 and 30 of FOISA. He asked whether some of the information previously withheld fell within the scope of this current request and whether the information could now be disclosed.

4. Mr F stated that the response gave him no assurance that personal data such as visitor address details or telephone contact lists were not accessible to any SPS employee with access to the relevant systems. He also asked whether there were procedures which allowed staff to request personal data not ordinarily accessible to them.

5. The SPS notified Mr F of the outcome of its review on 17 February 2016. It provided Mr F with copies of further GMAs, considered to fall within the scope of his earlier request. In relation to that request, it confirmed that section 30 of FOISA still applied to other information.

6. The SPS also provided further explanation regarding staff access to visitor address details and telephone numbers, confirming that there were no procedures to request information that a staff member would not ordinarily have access to.

7. On 17 February 2016, Mr F wrote to the Commissioner. He applied to the Commissioner for a decision in terms of section 47(1) of FOISA. Mr F stated he believed the SPS had failed to provide all the relevant information it held. He drew attention to the review outcome, which suggested to him that further information should be held.

Investigation

8. The application was accepted as valid. The Commissioner confirmed that Mr F made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to her for a decision.

9. On 10 March 2016, the SPS was notified in writing that Mr F had made a valid application. The SPS was asked to send the Commissioner the information withheld from Mr F. The SPS provided the information that had been withheld in relation to the previous request for information (as mentioned in Mr F's request for review) and the case was allocated to an investigating officer.

10. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The SPS was invited to comment on this application and to answer specific questions, in particular to explain the steps it had taken to identify and locate the information requested.

11. Mr F provided submissions as to why he believed that further information should be held by the SPS. This included a reference to the content of the SPS's "Internet Acceptable Use Policy", which he submitted fell within the scope of his request. The SPS was asked to provide the Commissioner with a copy of this Policy, with any comments it considered applicable.

12. The SPS provided submissions to the effect that the information previously withheld under section 30 of FOISA (in response to the earlier request of 2014) and the Internet Access Policy referred to above did not fall within the scope of Mr F's current request. Having considered the content of this information and the relevant submissions made by both Mr F and the SPS, the Commissioner accepts that neither category of information does fall within the scope of Mr F's current request (see below).

13. Following further correspondence with the investigating officer, the SPS conducted further searches and provided further information and explanations to Mr F. It provided Mr F with a document relating to access to its prisoner records and desktop intelligence systems, from which it redacted information. It explained to Mr F that the redacted information did not fall within the scope of his request.

14. Mr F acknowledged receipt of the further disclosure during the investigation, but disputed that the redacted information fell outwith the scope of his request. He continued to believe further information would be held by the SPS.

15. The Commissioner considered the information disclosed during the investigation and, in particular, the information that had been redacted. The Commissioner is satisfied that the redacted information did fall within the scope of the request, as it relates to accessing the prisoner records system. Following further communications, the SPS provided Mr F with the information that had previously been redacted. Mr F acknowledged receipt of the information.

16. The Commissioner notes that in providing further information to Mr F, the SPS explained to Mr F that it did not consider any information created as a result of any of the technical and organisational measures in place (to comply with the Seventh Principle) fell within the scope of the request. She will consider this further below.

Commissioner's analysis and findings

17. In coming to a decision on this matter, the Commissioner considered all of the relevant submissions, or parts of submissions, made to her by both Mr F and the SPS. She is satisfied that no matter of relevance has been overlooked.

Information held by the SPS

18. Section 1(1) of FOISA provides that a person who requests information from a Scottish public authority which holds it is entitled to be given that information by the authority, subject to qualifications which, by virtue of section 1(6) of FOISA, allow Scottish public authorities to withhold information or charge a fee for it. The qualifications contained in section 1(6) are not applicable in this case.

19. The information to be given is that held by the authority at the time the request is received, as defined in section 1(4). This is not necessarily to be equated with information an applicant believes the authority should hold. If no such information is held by the authority, section 17(1) of FOISA requires it to give the applicant notice in writing to that effect.

20. The Commissioner notes the submissions provided by Mr F, in which he provides reasons why he considers the SPS should hold further information falling within the scope of his request.

21. The seventh Data Protection Principle states that:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

22. The SPS referred to the ICO's website[1], which, in relation to the seventh data protection principle, states:

"In practice, it means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. In particular, you will need to:

• design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;

• be clear about who in your organisation is responsible for ensuring information security;

• make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and

• be ready to respond to any breach of security swiftly and effectively."

23. The SPS submitted that the Internet Acceptable Use Policy, referred to by Mr F, did not fall within the scope of the request as he suggested. It explained that this policy did not concern the security arrangements for access to the SPS's IT systems (to which the seventh principle relates) but "acceptable use" of the internet by staff, covering such matters as the time spent accessing the internet, inappropriate material and use impacting on network capacity. Having considered the content of this Policy and the submissions by both Mr F and the SPS, and while the Seventh Principle can properly be considered to cover the security of all personal data processed by a data controller and not just data in IT systems, the Commissioner accepts that this particular information did not fall within the scope of Mr F's request.

24. The Commissioner takes the same view in relation to the information withheld in response to the earlier request referred to by Mr F, which focuses on disaster recovery rather than the security of personal data. The SPS has also argued that reports and other information produced as a result of the measures taken in implementation of the Seventh Principle would not fall within the scope of Mr F's request. The Commissioner accepts this, too, as a reasonable interpretation of the request. Although Mr F appears to consider a wider interpretation reasonable, the Commissioner is satisfied that it is focused on information evidencing the existence of these measures, whether in policy or less formal practice, rather than information evidencing their implementation.

25. In its submissions to the Commissioner, the SPS explained the searches and enquiries it undertook during the investigation to ascertain whether it held any information falling within the scope of Mr F's request. It identified the resources searched and the search terms used. It confirmed that further information was identified, located and provided to Mr F during the investigation.

26. As mentioned above, during the investigation, the SPS provided Mr F with further information and this included a redacted copy of a document on the basis that the information redacted therefrom fell outwith the scope of the request. Having considered the redacted information, which relates to accessing the prisoner records system, the Commissioner accepts that this should be considered policy or practice to ensure compliance with the seventh principle. As such, the SPS was incorrect to say that it fell outwith the scope of Mr F's request.

27. Having considered all relevant submissions and the terms of Mr F's request, the Commissioner accepts that (by the close of the investigation) the SPS carried out adequate, proportionate steps to establish whether it held any further information falling within the scope of the request. She is satisfied that the additional information located has now been provided to Mr F.

28. However, it is evident that adequate searches were not carried out in dealing with Mr F's information request and requirement for review. It also appears to the Commissioner that the scope of the request was read unduly narrowly in relation to the information contained in the document eventually disclosed in full during the investigation. Adequate searches, on a reasonable interpretation, should have located this document earlier: the Commissioner is concerned that it was not.

29. Taking account of all of the circumstances, the Commissioner concludes that the SPS failed to comply fully with section 1(1) of FOISA, by failing (in dealing with Mr F's request and requirement for review) to identify, locate and provide all of the information it held and which fell within the scope of Mr F's request.

Decision

The Commissioner finds that the Scottish Prison Service failed to comply with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by Mr F.

Appeal

Should either Mr F or the Scottish Prison Service wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement

24 August 2016

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

…

(4) The information to be given by the authority is that held by it at the time the request is received, except that, subject to subsection (5), any amendment or deletion which would have been made, regardless of the receipt of the request, between that time and the time it gives the information may be made before the information is given.

…