Home Decisions

Decision 193/2021

Decision 193/2021: Names of history graduates

Public authority: University of Aberdeen
Case Ref: 202100807

Summary

The University was asked for the names of individuals who had graduated in history in 2007. The University withheld the information as it considered this to be third party personal data and, in this case, exempt from disclosure. The Commissioner investigated and found that the University was entitled to withhold the information.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions), 38(1)(b), (2A), (5) (definitions of "the data protection principles", "data subject", "personal data" and "processing", "the UK GDPR") and (5A) (Personal information)

United Kingdom General Data Protection Regulation (the UK GDPR) articles 4(1) (definition of "personal data") (Definitions); 5(1)(a) (Principles relating to processing of personal data); 6(1) (Lawfulness of processing)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (10) and (14) (Terms relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 20 May 2021, the Applicant made a request for information to the University of Aberdeen (the University). He asked for a list of graduates in history for 2007.

2. On 21 May 2021, there followed an exchange of correspondence between the University and the Applicant:

  • The University asked the Applicant why he wanted these third party personal data and what he intended to do with them, to allow it to weigh this against the graduates' privacy rights and reach an informed judgement on disclosure.
  • The Applicant stated he had a general interest in Arts graduates from that year and could have been less specific about the year. He noted the University had previously disclosed similar information to another individual in response to a request dated 25 July 2012. The Applicant further argued that the information was already in the public domain in the Press and Journal (amongst other newspapers) but was not readily obtainable, whereas the University had typed lists produced for graduations.
  • The Applicant subsequently commented that a person making an information request did not have to give a reason for wanting the information, and that all requests (except vexatious requests) must be treated equally.
  • The University agreed with the Applicant's point about providing reasons, but explained it had to balance a requester's legitimate interest with the data subjects' right to privacy, to comply with data protection legislation: while it was good practice for authorities to ask, requesters were not obliged to provide such reasons. The University invited him to elaborate on his reasons further if he wished to do so.
  • The Applicant provided no further explanation.

3. The University responded on 10 June 2021. It refused to provide the information requested under section 38(1)(b) and (2A)(a) (Personal information) of FOISA, on the basis that the Applicant's interest in disclosure of the personal data did not outweigh the privacy interests of the graduates. Disclosure would therefore breach the first data protection principle and would be unlawful.

4. The University explained it had taken into account information published in the press at the time of graduation, and its response to the earlier information request referred to by the Applicant, but it did not consider either tipped the balance in favour of disclosure in this case. Further, as only some of the information had been published, the publication was of limited extent, and the law recognised that individuals had an expectation of privacy that grew with the passage of time.

5. On 11 June 2021, the Applicant wrote to the University, requesting a review of its decision as he disagreed with the application of the exemption. The Applicant argued that the information was already in the public domain, although it was difficult to obtain, especially during the COVID?19 pandemic when access to microfiche facilities was limited.

6. On 20 June 2021, the Applicant again wrote to the University, stating he had obtained the information requested which was in the public domain. The Applicant provided a weblink to where he had posted this information online on a social media site.

7. The University notified the Applicant of the outcome of its review on 29 June 2021, fully upholding its original decision. In doing so, it explained that:

  • The full list of names requested had not been published - only the names of those who indicated they would attend a graduation ceremony had been published.
  • The list in the Press and Journal was not in the public domain. The University stated that, in line with guidance issued by the UK Information Commissioner (the ICO), the information had to be realistically accessible at the time of the request without using specialised knowledge. This was not the case, as indicated in both the Applicant's request and request for review.
  • Publication of some of the information in 2007 did not tip the balance in favour of disclosure. Graduates had a reasonable expectation that the University would respect their privacy after graduation, as reflected in its commitment not to disclose personal information other than in exceptional circumstances. The University considered that the Applicant's stated "general interest" did not justify disclosure on the basis of "exceptional circumstances".

8. On 3 July 2021, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. The Applicant stated he was dissatisfied with the outcome of the University's review because he disagreed with its statement that the information was not in the public domain. He argued that the information was clearly in the public domain as, following the relaxation of COVID?19 restrictions, he had been able to obtain the information from Aberdeen Central Library on 16 June 2021. He also commented on the University's request for him to provide reasons for wanting the information, submitting there was no provision for this in FOISA and therefore it had no legal standing. He did not, in his view, have to give a reason.

Investigation

9. The application was accepted as valid. The Commissioner confirmed that the Applicant had made a request for information to a Scottish public authority and had asked the authority to review its response to that request before applying to him for a decision.

10. On 12 July 2021, the University was notified in writing that the Applicant had made a valid application and the case was subsequently allocated to an investigating officer.

11. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The University was invited to comment on this application and to answer specific questions. These focused on its justification for withholding the information requested under the exemption in section 38(1)(b) of FOISA.

12. The Applicant was also invited to comment on why he believed accessing this information was important to him or of value to the public.

13. Both parties provided submissions to the Commissioner.

Commissioner's analysis and findings

14. In coming to a decision on this matter, the Commissioner has considered all of the relevant submissions, or parts of submissions, made to him by both the Applicant and the University. He is satisfied that no matter of relevance has been overlooked.

Section 38(1)(b) - Personal information

15. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is "personal data" (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR or (where relevant) in the DPA 2018.

16. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

17. To rely on this exemption, the University must show that the information withheld is personal data for the purposes of the DPA 2018 and that disclosure of the information into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles to be found in Article 5(1) of the UK GDPR.

18. In his request, the Applicant sought a list of the University's history graduates for 2007.

19. The University explained that the information in question comprised the names of individuals who were awarded a degree in history from the University in 2007. It included those recorded as having attended a summer or autumn graduation ceremony in person, those who had graduated "in absentia" when there was a summer or autumn graduation ceremony, and those who had graduated on a date when there was no graduation ceremony.

20. The University submitted that disclosure would contravene the first data protection principle.

21. The Commissioner must decide whether the University was correct to withhold the information requested under section 38(1)(b).

Is the withheld information personal data?

22. The first question that the Commissioner must address is whether the withheld information is personal data for the purposes of section 3(2) of the DPA 2018, i.e. any information relating to an identified or identifiable individual. "Identifiable living individual" is defined in section 3(3) of the DPA 2018 ? see Appendix 1. (This definition reflects the definition of personal data in Article 4(1) of the UK GDPR, also set out in in Appendix 1.)

23. Information which could identify individuals will only be personal data if it relates to those individuals. Information will "relate to" a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them or has them as its main focus.

24. In its submissions to the Commissioner, the University stated that the information was personal data as it was information about the educational background of identified individuals, assumed to be living, where the individual's name was the identifier. The University submitted that individuals who graduated 14 years ago, many of whom were now likely to be between 35?40 years of age, might be assumed to be living, based on the accepted sectoral practice that a lifespan equals 100 years where the date of death is not known (as rehearsed in paragraph 70 of the National Archives Guide to Archiving Personal Data[1]).

25. Having considered the information withheld in this case (i.e. the names of the 2007 history graduates), the Commissioner accepts that it "relates to" identifiable individuals who may be assumed to be living. The Commissioner therefore concludes that the information withheld is personal data, for the purposes of section 3(2) of the DPA 2018.

Which of the data protection principles would be contravened by disclosure?

26. The University stated that disclosure of this personal data would contravene the first data protection principle (Article 5(1)(a) of the UK GDPR). Article 5(1)(a) states that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

27. In terms of section 3(4) of the DPA 2018, disclosure is a form of processing. In the case of FOISA, personal data is processed when it is disclosed in response to a request for information.

28. The University considered that disclosure would be both unfair to the data subjects concerned and unlawful, as there was no lawful basis for processing the data.

29. The Commissioner must now consider if disclosure of the personal data would be lawful (Article 5(1)(a)). In considering lawfulness, he must consider whether any of the conditions in Article 6 of the UK GDPR would allow the data to be disclosed. The Commissioner considers condition (f) in Article 6(1) to be the only one which could potentially apply in the circumstances of this case.

Condition (f): legitimate interests

30. Condition (f) states that the processing will be lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data (in particular where the data subject is a child).

31. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.

32. The tests which must be met before Article 6(1)(f) can be met are as follows:

(i) Does the Applicant have a legitimate interest in obtaining the personal data?

(ii) If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?

(iii) Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subjects?

Does the Applicant have a legitimate interest in obtaining the personal data?

33. In his application to the Commissioner, the Applicant explained he had told the University he had a "general interest" in the information. Acknowledging it was "good practice" for authorities to ask requesters their reasons for wanting the information, he commented there was no provision for this in FOISA, so it had no legal standing and he did not have to give a reason. (Guidance issued by the Commissioner[2] makes it clear that, when assessing whether a requester has a legitimate interest, it is good practice to public authorities to ask the requester why they want the information, unless it is already clear from the information request or from previous correspondence with the requester. However, requesters are not required to explain why the information if they do not wish to do so.)

34. During the investigation, the Applicant made further submissions. In these, he explained he wanted to check the qualifications of a politician (a major figure in the Scottish Parliament) who claimed to have an MA degree in history from the University. He believed this to be of public interest, as claiming qualifications not held was a serious matter in any employment, let alone the Scottish Parliament. The Applicant submitted there could be no risk of damage to the individual as, if they held the degree as claimed, there was no issue: if they did not hold it, then they would be claiming qualifications they did not possess, which would be a disciplinary matter.

35. In the interests of natural justice, the Investigating Officer provided the University with a copy of the Applicant's further submissions on his legitimate interest. This was to allow the University to make fully informed submissions to the Commissioner on any legitimate interest the Applicant might have in obtaining the information, which the University might not have been aware of already.

36. The University submitted, and provided supporting evidence to show, that it had asked the Applicant twice, in the initial stages of the request, to explain why he wanted the personal information. In response, the Applicant stated he had a "general interest" in the personal information but that he would not elaborate further.

37. The University considered the Applicant had a further opportunity to articulate his interest when making his requirement for review, given that the University had made clear, in its initial response, that his interest in the personal data was material to its decision. However, the Applicant did not comment on this in his requirement for review.

38. In responding to the Applicant's initial request and requirement for review, the University submitted that it had concluded his "general interest" could constitute only a general legitimate interest in transparency, exercising his freedom of information rights via an online website in order to publish information held by the University. In the absence of any further explanation from the Applicant at that stage, the University could not identify any other interest sufficient to consider it "legitimate".

39. Turning to the Applicant's more specific interest in the information (i.e. that disclosed by the Applicant during the investigation, which the Investigating Officer made University aware of), the University commented that it was clearly unaware of that interest when responding to the Applicant's initial request and requirement for review.

40. The University submitted it now understood that the Applicant's interest related to a graduate who now serves as a politician, and the purpose of his request was to verify claims made about that politician's academic qualifications. The University commented that, had the request been framed in those terms, its purpose would have been recognised as a specific legitimate interest, and balancing that with the data subject's interests might well have led to a different response being issued.

41. Having fully considered the submissions from both parties on this point, the Commissioner accepts that disclosure of the information requested, pertaining to the individual referenced in the Applicant's submissions (i.e. the politician), would facilitate transparency and accountability to the Applicant (and the wider public) regarding whether or not this individual did hold the qualification claimed. Given the public profile of such an individual, there is clearly a legitimate interest in the public being aware of such matters, particularly with regard to the expectations of the public surrounding the honesty and integrity of such individuals in public office. Consequently, the Commissioner accepts that the Applicant has a legitimate interest in disclosure of these personal data pertaining to the individual in question.

42. However, as regards the remaining information (i.e. the names of the other individuals who graduated in history from the University in 2007), the Commissioner is not satisfied that the Applicant has demonstrated any legitimate interest in obtaining this information. While the Commissioner recognises that there may be a wider public interest in being satisfied, more generally, that individuals have the qualifications they claim to have, he does not believe that the "general interest" in this information, put forward by the Applicant, amounts to that. Rather, it appears to be more of a broad expression of curiosity, in relation to individuals who may or may not make claims about the qualifications they hold. In the Commissioner's view, disclosure of the remaining information would not advance, to any other degree, the legitimate interest identified above in relation to that one individual.

43. In the circumstances, therefore, the Commissioner finds that the Applicant does not have a legitimate interest in obtaining the remaining personal information requested.

Is disclosure of the personal data necessary?

44. The Commissioner will now consider whether disclosure of the personal data requested is necessary for the Applicant's identified legitimate interest. In doing so, he must consider whether these interests might reasonably be met by any alternative means.

45. The Commissioner has considered this carefully in light of the decision by the Supreme Court in South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55[3]. In this case, the Supreme Court stated (at paragraph 27):

A measure which interferes with a right protected by Community law must be the least restrictive for the achievement of a legitimate aim. Indeed, in ordinary language we would understand that a measure would not be necessary if the legitimate aim could be achieved by something less.

46. "Necessary" means "reasonably" rather than "absolutely" or "strictly" necessary. When considering whether disclosure would be necessary, public authorities should consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the requester's legitimate interests can be met by means which interfere less with the privacy of the data subject(s).

47. In both his application and further submissions to the Commissioner, the Applicant disagreed with the University's view that the information was not in the public domain, submitting that it had been published in the columns of Scottish newspapers at the time of graduation. However, due to COVID?19 restrictions, public libraries that held this information on microfiche had been closed and, in his view, it was much easier for the University to provide the information.

48. The Applicant confirmed that, following the relaxation of COVID?19 restrictions, he had been able to obtain the information via a personal appointment at Aberdeen Central Library on 16 June 2021, and this confirmed that the individual did have the degree claimed.

49. In its submissions to the Commissioner, the University explained that the information requested by the Applicant was wider than that published in the press. A number of individuals had not attended a graduation ceremony in person, and so their names were not included in the list of graduates who attended the summer graduation ceremonies, as published in the press at the time.

50. In addition, having compared the information held by University with that published in the press at the time (which the Applicant provided to the University on 20 June 2021), the University submitted that this set of information was not synonymous with that held by the University: it identified discrepancies.

51. Furthermore, the University submitted that it did not consider the information published by the media to be in the public domain, on the basis that it was not readily obtainable by the Applicant. In support of its position on this, the University referred to the Applicant's statements to this effect in his initial request and requirement for review, and his comment that the information was very difficult to obtain, especially during a pandemic. In the University's view, this indicated that the COVID-19 pandemic had exacerbated rather than caused that difficulty.

52. The University offered a number of arguments in support of its view that the information sought and obtained by the Applicant did not meet the test of being "reasonably accessible to the general public". These included -

  • The information was not published online by the University, and Aberdeen Journals Ltd did not publish, or make available through the British Newspaper Archive, back copies of newspapers online - therefore, the information was not readily available via an internet search.
  • Neither the University's Guide to Information nor descriptions of the content of newspapers (such as that produced by Aberdeen Central Libraries) gave an indication of where information about graduates might be published in media publications held elsewhere.
  • Information in back copies of newspapers held at Aberdeen Central Library was only available via a visit to the library in person, where the individual had to be prepared to scroll manually through records to determine whether reports on graduation ceremonies were published in editions of newspapers preserved (noting the number of different geographical editions of the Press and Journal published before June 2011). To have a reasonable chance of locating the information during such a time-limited research visit, the individual would need to have obtained prior knowledge of when the graduation ceremonies had taken place, as any speculative search would likely encounter difficulty in locating the information.

53. For these reasons, the University agreed with the Applicant's analysis that the information was not reasonably accessible to the general public.

54. Turning to the Applicant's specific legitimate interest in the personal data of the politician referenced in his submissions, the University did not accept that this explanation justified disclosure of the information requested. In the University's view, compliance with the request would require it to unlawfully disclose the personal information of the other 98 graduates. The University did not consider such a disclosure was necessary to meet the Applicant's specific legitimate interest, and submitted that there was no justification for the University to process the personal data in this way.

55. The University submitted that the only way this could be avoided would be for the Applicant to limit his request to information about the individual he was investigating.

56. Further, the University did not believe it was possible to disclose the information requested in a way that would not lead to the identification of individuals, given that the request specifically sought the identities of the 2007 history graduates.

57. In this case, the Commissioner must consider the information requested against the legitimate interest he has identified (in relation to the identified politician), and whether disclosure of that information is necessary to achieve the Applicant's identified legitimate interest.

58. While the Commissioner notes certain information regarding graduates is publicly available, as published in the Press and Journal around the time of the summer 2007 graduations, he accepts the University's position that this published information does not accurately reflect all those who graduated in 2007, for the reasons stated.

59. The Commissioner also acknowledges the Applicant's arguments in relation to the information in the public domain, published in newspapers of the time, and the difficulties he experienced in accessing this published information at the material time due to COVID?19 restrictions. The Commissioner would comment that, in more normal circumstances, he would be unlikely to accept the contention that information published in what is effectively a newspaper of record, for a large part of the country, would be so unlikely to be accessible to the general public. He considers it would be relatively easy to access such information held on record in a public library for the relevant area, simply with knowledge of the graduation dates themselves (which could easily be obtained from the University). It would be unlikely to require a great deal of educated guesswork to identify the appropriate local edition.

60. However, notwithstanding the publication of this certain information, the Commissioner does not consider that it was necessary for the University to disclose the names of all the history graduates in 2007, in order to satisfy the Applicant's identified legitimate interest for one individual. He can see no requirement for the University to fulfil the general information request made by the Applicant at the outset, which was the only one the University could address, given the Applicant had not identified, to the University, the individual in whom his main interest lay. In any event, at no point did the Applicant attempt to narrow the scope of his request in any way.

61. As the Commissioner is satisfied that full disclosure of the information requested is not necessary for the purposes of the identified legitimate interest of the Applicant, he finds that that the University properly withheld the information requested under section 38(1)(b) of FOISA. In any case, he notes that the Applicant has now obtained the information he actually requires.

Decision

The Commissioner finds that the University of Aberdeen complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by the Applicant.

Appeal

Should either the Applicant or the University wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement
13 December 2021

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in -

(a) Article 5(1) of the UK GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

"personal data" and "processing" have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act);

"the UK GDPR" has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act).

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

UK General Data Protection Regulation

Article 4 Definitions

For the purpose of this Regulation:

1 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Article 5 Principles relating to processing of personal data

1 Personal data shall be:

a. processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency")

Article 6 Lawfulness of processing

1 Processing shall be lawful only if and to the extent that at least one of the following applies:

f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

Data Protection Act 2018

3 Terms relating to the processing of personal data

(2) "Personal data" means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

(3) "Identifiable living individual" means a living individual who can be identified, directly or indirectly, in particular by reference to -

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

(4) "Processing", in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as -

(d) disclosure by transmission, dissemination or otherwise making available,

(10) "The UK GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).

(14) In Parts 5 to 7, except where otherwise provided -

(a) references to the UK GDPR are to the UK GDPR read with Part 2;

(c) references to personal data, and the processing of personal data, are to personal data and processing to which Part 2, Part 3 or Part 4 applies;

(d) references to a controller or processor are to a controller or processor in relation to the processing of personal data to which Part 2, Part 3 or Part 4 applies.