Decision 184/2016 | Scottish Information Commissioner

Home Decisions

Decision 184/2016

Decision 184/2016: Mr A and the Scottish Prison Service

Parole Handbook / Governors and Managers Action Notice

Reference No: 201600802
Decision Date: 26 August 2016

Summary

On 16 February 2016, Mr A asked the Scottish Prison Service (the SPS) for the latest version of its Parole Handbook and a specified Governors and Managers Action Notice (GMA).

The SPS cited section 25(1) of FOISA, informing Mr A that all the information he sought was already accessible in the prison library. A review confirmed this, but Mr A could not locate the information and he appealed to the Commissioner.

During the investigation, the SPS acknowledged it had misdirected Mr A to the library and disclosed all the information he requested, except for five pages of computer screen shots. It continued to withhold these from Mr A under section 35(1)(f) of FOISA (Law enforcement). The SPS explained this was to prevent computer attacks.

The Commissioner found that the SPS was wrong to tell Mr A the information was in the library when it was not (while recognising that the SPS took appropriate steps to rectify matters and disclose information) by the end of her investigation. She was also satisfied that the SPS was entitled to withhold the computer screen shots under section 35(1)(f) of FOISA.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1) and (2)(a) (Effect of exemptions); 25(1) (Information otherwise accessible); 35(1)(f)(Law enforcement)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 16 February 2016, Mr A made a request for information to the SPS. The information requested was the latest version of its Parole Handbook and a particular GMA.

2. The SPS responded on 14 March 2016, stating that the information was already reasonably accessible to Mr A via the Prisoner Resource Library. It therefore applied section 25(1) of FOISA.

3. On 18 March 2016, Mr A wrote to the SPS, requesting a review of its decision on the basis that the information was not stocked in the library and so was not reasonably accessible.

4. The SPS notified Mr A of the outcome of its review on 5 April 2016, confirming its original decision without modifications. The reviewer indicated that he had confirmed with staff in the library that all the information requested was accessible there.

5. On 28 April 2016, Mr A wrote to the Commissioner. He applied to the Commissioner for a decision in terms of section 47(1) of FOISA. Mr A stated he was dissatisfied with the outcome of the SPS's review because he still could not locate the information in the library.

Investigation

6. The application was accepted as valid. The Commissioner confirmed that Mr A made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to her for a decision.

7. On 6 June 2016, the SPS was notified in writing that Mr A had made a valid application. The case was allocated to an investigating officer.

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The SPS was invited to comment on this application and answer specific questions, with particular reference to the availability of the information in the library.

Commissioner's analysis and findings

9. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to her by both Mr A and the SPS. She is satisfied that no matter of relevance has been overlooked.

Section 25(1) of FOISA - Information otherwise accessible

10. Under section 25(1) of FOISA, information which a requester can reasonably obtain, otherwise than by requesting it under section 1(1) of FOISA, is exempt information. The exemption in section 25 is absolute, in that it is not subject to the public interest test in section 2(1)(b) of FOISA.

11. In its response and review outcome, the SPS informed Mr A that all the information he requested was already accessible to him in the Prisoner Resource Library.

12. In his application, Mr A complained this was simply not the case. He explained that he visited the library and been told that the information was not held and was not registered for use by prisoners on the library database.

13. During the investigation, the SPS acknowledged that it was wrong to inform Mr A that the information in question was in the library. Consequently, it recognised that section 25(1) was incorrectly applied.

14. The Commissioner finds that the SPS was not entitled to apply section 25(1) to the information requested by Mr A and that, in doing so, it failed to deal with the request in accordance with section 1(1) of FOISA.

15. The SPS acknowledged that those tasked with responding to this request did not fully understand the correct application of the exemption. It commented that it provided training in April 2016 to address this. The Commissioner welcomes this step in rectifying matters, but must comment further on this issue.

16. It is essential that public authorities understand the requirements of any exemption before applying it. In relation to section 25(1), in particular, public authorities must check that the information is where they say it is and that it is actually reasonably obtainable by the person making the request, before applying the exemption. They should note that the requester's particular circumstances may have a bearing on any assessment of what is reasonably obtainable, and that guidance on retrieval may also be necessary. Confirming the location of the information is a basic step when handling any information request, whether section 25(1) applies or not.

Section 35(1)(f) - Law enforcement

17. During the investigation, the SPS disclosed all the information covered by Mr A's request, except for five pages of the Parole Handbook. These pages are computer screen shots of the fields in the SPS Prisoner Records Database. The SPS argued that they gave insight into the structure and layout of the database. It was acknowledged, however, that none of these pages contained actual data held in the system. The SPS continued to withhold these screen shots under section 35(1)(f) of FOISA.

18. Mr A submitted that the computer screen shots were capable of being disclosed to him under FOISA. He commented that the SPS must, by law, have the appropriate technical and organisational security measures in place to prevent unauthorised or unlawful access of its database. He submitted that he had other screen shots already provided by the SPS to him and argued there was no reason to withhold these screen shots as he did not believe their disclosure would compromise computer security.

19. If a Scottish public authority applies the exemption in section 35(1)(f) of FOISA, it must be able to show that disclosure would affect both the maintenance of security in prisons and good order there. It must be able to show that the risk of harm arising from disclosure of the information is real or very likely, not merely hypothetical. It must be able to show that the harm caused (or likely to be caused) by disclosure would be significant, not marginal, occurring (or likely to occur) in the near foreseeable future and not in some distant time.

20. The Commissioner cannot provide full details of the arguments put forward by the SPS, as this would be likely to disclose some of the information which has been withheld. However, the Commissioner can provide an overview of the key points from the SPS's submission.

21. The SPS explained why it believed the computer screen shots, if made known to the public at large (which they would be under FOISA), would divulge key aspects of its prisoner record system. It highlighted that it would allow an understanding of the database's structure and where to target attempts to access, manipulate, disrupt or delete data. This, in turn, would prejudice its ability to manage prisoners, potentially extending to premature release. The SPS emphasised that it had a number of practitioners of serious and organised crime in prisons, for whom the deletion of such information would be very attractive.

22. The SPS concluded that the integrity of this database was fundamental to the management of prisoners, the security or prisons and the safety of prison staff, prisoners and the public.

23. The Commissioner has considered the withheld information here, together with the arguments presented by the SPS and Mr A. Clearly this is a highly specialised system, created for the management of particularly sensitive data. The Commissioner acknowledges that its inappropriate manipulation could have very serious consequences for the maintenance of good order and security in prisons and, by extension, for the safety of the public.

24. In general terms, the Commissioner understands the risk computer hackers pose when they become aware of how a computer system is configured and structured. This is a means by which vulnerabilities, if they exist, can be identified by hackers. It is also the basis on which hackers can formulate techniques for targeted attacks. Minimising such risks is clearly a key element of computer security and, by extension (with reference to this particular database), of maintaining good order and security in prisons.

25. The Commissioner has considered carefully whether, and how, a potentially successful attack would be likely to happen here, if these particular screen shots were disclosed. Mr A submitted that security measures would (or ought to) exist already. This is not something the SPS disputes. The issue is whether these measures would, or would be likely to, be undermined by disclosure.

26. The SPS has not given specific examples to suggest this system has been hacked before, or has been at immediate risk of being hacked. However, it does not follow that a successful attack is not a real possibility. The SPS has explained why these areas would be at risk of being targeted.

27. Having considered all relevant submissions carefully, the Commissioner accepts that access to these screen shots would facilitate a more targeted attack than would otherwise be possible. The Commissioner is satisfied that the risk of a targeted attack is real, and would be likely to occur if this withheld information were disclosed under FOISA.

28. The Commissioner therefore finds that the SPS correctly applied the exemption in section 35(1)(f) of FOISA to the computer screen shots withheld here.

29. As the Commissioner has found that the exemption in section 35(1)(f) was correctly applied to the withheld information, she has gone on to consider the public interest test in section 2(1)(b) of FOISA. This requires consideration of whether, in all the circumstances of the case, the public interest in disclosing the withheld information is outweighed by the public interest in maintaining the exemption in section 35(1)(f).

Public Interest Test

30. During the investigation, on 19 July 2016, the SPS wrote to Mr A in relation to the withheld information. It argued that that whilst there might be a public interest in understanding the information held by the SPS in relation to individuals, it considered that the public interest was better served by minimising the risk of harm to the database and to the maintenance of security in prisons.

31. Mr A confirmed receipt of this letter and provided submissions on the withheld information, summarised above. He did not explain why he considered disclosure of this particular information to be in the public interest.

32. In considering the public interest in favour of disclosure, the Commissioner recognises the general public interest in disclosing information held by Scottish public authorities, for reasons of transparency and accountability.

33. In this case, the Commissioner finds that there is only a limited public interest in disclosure of the withheld screen shots. It may be interesting to some, but that does not (in itself) create a significant public interest.

34. On the other hand, having accepted the harm identified by the SPS in relation to disclosure, the Commissioner must find that there is a strong public interest in not disclosing the information. That it is of interest to those intent on compromising the system, and thus threatening good order and security in prisons and the safety of the wider public, is a clear factor supporting the public interest in maintaining the exemption.

35. On balance, the Commissioner is satisfied that, in all the circumstances of this particular case, the public interest in disclosing the withheld information is outweighed by that in maintaining the exemption in section 35(1)(f) of FOISA.

Decision

The Commissioner finds that the Scottish Prison Service (the SPS) partially complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by Mr A.

The Commissioner accepts that the SPS was entitled to withhold computer screen shots under section 35(1)(f) of FOISA.

However, she also finds that the SPS was not entitled to apply section 25(1) of FOISA to the information described by Mr A his request. As the SPS failed to disclose information covered by the request, in response to Mr A's information request and his requirement for review, it failed to comply with section 1(1) of FOISA.

Given that the SPS disclosed the information Mr A sought during the investigation, with the exception of the screen shots, the Commissioner does not require the SPS take any action in respect of this failure in response to Mr A's application.

Appeal

Should either Mr A or the SPS wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement

26 August 2016

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(b) in all the circumstances of the case, the public interest in disclosing the information is not outweighed by that in maintaining the exemption.

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(a) section 25;

25 Information otherwise accessible

(1) Information which the applicant can reasonably obtain other than by requesting it under section 1(1) is exempt information.

35 Law enforcement

(1) Information is exempt information if its disclosure under this Act would, or would be likely to, prejudice substantially-

(f) the maintenance of security and good order in prisons or in other institutions where persons are lawfully detained;