Decision 199/2010 | Scottish Information Commissioner

Home Decisions

Decision 199/2010

Decision 199/2010 Scottish Rural Schools Network and Angus Council

Consultation on Arbroath Schools Project

Reference No: 201001460
Decision Date: 2 December 2010

Summary

Scottish Rural Schools Network (SRSN) requested from Angus Council (the Council) information relative to the consultation on the Arbroath Schools Project.The Council responded by stating that the information was personal data and that release would breach the Data Protection Act 1998. Following a review, SRSN remained dissatisfied and applied to the Commissioner for a decision.

Following an investigation, while accepting that the Council did not hold certain of the requested information, the Commissioner found that the Council had partially failed to deal with SRSN's request for information in accordance with Part 1 of FOISA; the Commissioner was not satisfied that the information in question was personal data and he therefore found that it was not exempt from disclosure under section 38(1)(b) of FOISA.He required the Council to provide SRSN with the information withheld.

Relevant statutory provisions and other sources

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 17(1) (Information not held); 38(1)(b), (2)(a)(i) and (b) and (5) (definitions of "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA) section 1(1) (Basic interpretative provisions) (definition of "personal data")

The full text of each of the statutory provisions cited above is reproduced in the Appendix to this decision.The Appendix forms part of this decision.

Background

1.On 22 March 2010, SRSN wrote to the Council requesting the following:

(a)all information contained in each of the response forms to the recent consultation on the Arbroath Schools Project

(b)information contained in every response which does not include a name or address

(c)information contained in all communications between officials in the Education Department of Angus Council regarding the current consultation process, and also information in all communications between elected members and education officials on the same subject matter.

2.On 27 March 2010, SRSN again wrote to the Council modifying request (b) above to include a summary of the number of unique IP (Internet Protocol) addresses.

3.The Council acknowledged the modified request on 30 March 2010 and on 19 April 2010 responded to SRSN's request.In relation to the first request, the Council provided a copy of comments received for each of the surveys with the redaction of personal data about individual respondents.In relation to the second request, it provided a list showing the number of unique IP addresses for each survey area.This list indicated that for Inverbrock, Hayshead and Warddykes schools there were a total of 30 unique IP addresses.The Council also provided a copy of all correspondence held in relation to the third request.

4.On 20 April 2010, SRSN wrote again to the Council with two further requests.The first asked for the numbers of paper and electronic returns for each area and how many of each of these were anonymous, while the second asked whether any of the unique IP addresses had more than six survey responses attributed to them.

5.On 17 May 2010, the Council responded and, in relation to the first request of 20 April indicated, that only one electronic return had been received for Inverbrock, Hayshead and Warddykes schools: this contradicted the earlier response stating a total of 30 unique IP addresses were recorded against these schools.Responding to the second request of 20 April, the Council provided a table which showed that a total of 10 unique IP addresses had more than six survey responses attributed to them: the table also set out the number of responses attributable to each address.

6.On 24 May 2010, SRSN again wrote to the Council, asking it to explain the discrepancy in the figures provided and also requesting the following information:

Given that there is a chance that the multiple responding IP addresses are "fixed" I would like the full IP address of all those listed in the table headed "Enquiry 2" in your recent response. I would also like the dates, times and comments listed against these multiple responses in order that we can determine if an automated response system has been employed.

7.The Council responded on 17 June 2010 and, in relation to the discrepancies in the figures, explained that the data supplied in the response of 19 April 2010 was the number of IP addresses which accessed the Council webpage on which each of the surveys were hosted: it explained that there was no way of monitoring which visits to the webpage actually resulted in responses to the surveys.This, it believed, explained the perceived anomaly between the number of visits and the number of online responses.

8.In relation to the request for information as outlined at paragraph 6 above, the Council withheld the information and informed SRSN that, since the IP addresses constituted personal information, any release would be contrary to the DPA.

9.On 17 June 2010, SRSN wrote to the Council, requesting a review of its decision.Specifically, SRSN asked the Council to review its response of 17 June 2010 and also the earlier response of 19 April 2010.

10.The Council notified SRSN of the outcome of its review on 14 July 2010.Whilst the Council referred to SRSN's request for review of 17 June 2010, the response only mentioned the decision relative to the IP addresses and upheld the decision that the release would breach the DPA, citing section 38 of FOISA.The Council made no reference to the request for review regarding the earlier response of 19 April 2010.

11.On 22 July 2010, SRSN wrote to the Commissioner, stating that they were dissatisfied with the outcome of the Council's review and applying to the Commissioner for a decision in terms of section 47(1) of FOISA.

12.The application was validated by establishing that SRSN had made a request for information to a Scottish public authority and had applied to the Commissioner for a decision only after asking the authority to review its response to that request.

Investigation

13.On 17 August 2010, the Council was notified in writing that an application had been received from SRSN and was asked to provide the Commissioner with any information withheld from SRSN.The Council responded with the information requested and the case was then allocated to an investigating officer.In providing the withheld information, the Council explained that since the surveys submitted could not be linked to an actual visit to the website by a particular IP address, it did not hold the information requested at paragraph 6 above.

14.The investigating officer subsequently contacted the Council, giving it an opportunity to provide comments on the application (as required by section 49(3)(a) of FOISA) and asking it to respond to specific questions.In particular, the Council was asked to justify its reliance on any provisions of FOISA it considered applicable to the information requested, and specifically to clarify and justify its application of section 38 of FOISA to the withheld information.

15.The Council was also asked to comment on whether it considered it had responded fully to SRSN's request for review.It was suggested to the Council that since the table provided on 17 May 2010 was compiled using IP addresses which visited the website, the IP addresses held did in fact fall within the scope of the request.

16.The Council responded to the investigating officer's questions.Insofar as relevant, its comments will be considered fully in the Commissioner's analysis and findings below.

17.The Council intimated that any application to the Commissioner in relation to SRSN's request for information dated 22 March 2010 (as subsequently modified on 27 March 2010) was not valid in terms of section 47 of FOISA.In subsequent correspondence, it clarified that it did not consider the request for review of 17 June 2010 to relate to the earlier response of 19 April 2010 and therefore a review was not carried out.It confirmed that, even if it had been, the request for review would have been time-barred in terms of section 20(5) of FOISA.

18.Whilst the Commissioner is satisfied that the request for review of 17 June 2010 included a request for review relative to the response of 19 April 2010, he accepts that (as the response in question was provided by the Council on 19 April 2010 and, in terms of section 20(5) of FOISA, a requirement for review must be made by not later than the fortieth working day after receipt of the authority's response) SRSN had until 16 June 2010 to request a review.

19.As outlined above, SRSN did not submit a request for review until 17 June 2010.Whilst section 20(6) provides that a Scottish public authority may comply with a requirement for review after the expiry of the 40 working days, the Council does not appear to have done so, and consequently the request for review cannot be considered valid in terms of section 20(5) of FOISA.Given that a review was not carried out, the Commissioner cannot consider any application to him insofar as it relates to the request of 22 March 2010.It is perhaps unfortunate, however, that the Council did not advise SRSN that this request for review was considered invalid.

20.This investigation and subsequent decision by the Commissioner will therefore consider whether the Council complied with Part 1 of FOISA in dealing with SRSN's request of 24 May 2010, as outlined at paragraph 6 above.

Commissioner's analysis and findings

21.In coming to a decision on this matter, the Commissioner has considered all of the withheld information and the submissions made to him by both SRSN and the Council and is satisfied that no matter of relevance has been overlooked.

Scope of the request

22.In its initial response to the Commissioner, the Council explained that since the surveys submitted could not be linked to an actual visit to the website by an IP address, it did not hold the information requested in the request described at paragraph 6 above.This was reiterated during the investigation, where the Council confirmed that any relevant information it held related to IP addresses recorded for any visit to its consultation webpage, and not IP addresses relating to submitted responses (as it considered had been requested by SRSN).

23.The Commissioner notes that the Council provided SRSN with a table of results on 17 May 2010, in response to a request of 20 April 2010.The request of 24 May 2010 asks for the information held in relation to the figures contained in that table.It does not ask for IP addresses related to "submitted responses", as suggested by the Council in correspondence with the Commissioner.

24.The request of 24 May 2010, can be broken down into two parts:

a)Given that there is a chance that the multiple responding IP addresses are "fixed" I would like the full IP address of all those listed in the table headed "Enquiry 2" in your recent response.

b) I would also like the dates, times and comments listed against these multiple responses in order that we can determine if an automated response system has been employed.

25.The request set out at 24 a) above is for the full IP address "of all those listed in the table headed "Enquiry 2" in your recent response".The Council has provided the Commissioner with a list of the IP addresses which were used to produce the table headed "Enquiry 2" and therefore the Commissioner is satisfied that the Council holds information which falls within the scope of the request and therefore falls to be considered in this investigation.

Section 17 of FOISA ? information not held

26.In relation to the second part of SRSN's request as outlined at paragraph 24 b) above, the Council stated that the multiple visits to the webpage could not be linked to survey responses it had received.From the submissions received from the Council on this point, the Commissioner accepts that the number of visits to the website by these IP addresses cannot be linked to the dates, times and comments of specific responses to the surveys.Therefore, he is satisfied that the information requested as outlined at 24 b) is not held by the Council, and was not held by it at the time it received the request.

27.The Commissioner also notes, however, that while it might be understood from the Council's responses to the SRSN that this information was not held, this point could have been made clearer.

Section 38(1)(b) ? Personal information

28.The Council stated that the IP addresses it held constituted personal data and that their release would be contrary to the DPA, referring to section 38 of FOISA.

29.Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or (2)(b) (as appropriate), exempts information from disclosure where that information is personal data and its disclosure to a member of the public otherwise than under FOISA would contravene any of the data protection principles in Schedule 1 to the DPA.As noted above, on the assumption that the exemption in section 38(1)(b) was considered relevant, the Council was asked to explainwhy it considered the list of IP addresses to constitute personal data for the purposes of section 1(1) of the DPA and which of the data protection principles would be breached by the release of the data.

30.In considering the application of this exemption, the Commissioner will first consider whether the information in question is personal data as defined in section 1(1) of the DPA and, if it is, whether any of it is sensitive personal data as defined in section 2 of the DPA.If he is satisfied that the information is personal data, he will go on to consider whether its disclosure would breach any of the data protection principles, considering the implications of its status as sensitive personal data if and where appropriate.

31.It must be borne in mind that this particular exemption (i.e. section 38(1)(b) read in conjunction with section 38(2)(a)(i) or (b)) is an absolute exemption.This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

Is the information under consideration personal data?

32."Personal data" is defined in section 1(1) of the DPA as "data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual."

33.The Council submitted that an IP address contains various items of information including hostname (absolutely and uniquely identifying a computer), geographic location information, telephone area code and a location specific map.For illustration purposes, the Council drew the Commissioner's attention to a specific website.This website offers a specific service which employs "user-entered" location data from sites that ask web visitors to provide their geographic location. The Council provided no evidence to suggest that it used such a service asking the visitors to the survey webpage to provide this "user-entered" location data.The Council made no submissions that it held further information relative to the IP addresses which would lead to the identification of a living individual.

34.The Council also submitted that, where a person has been allocated a Static IP address, the IP address information could be used to identify an individual more easily, as Static IP addresses were easier to track, for example by using data mining companies.

35.In relation to the IP addresses, the Council stated that it did not know whether the addresses were "static" or otherwise.The Information Commissioner, who has responsibility for the DPA throughout the UK, has issued a Data Protection Good Practice Note[1] relative to collecting personal data using websites. This good practice note states that:

Many IP addresses, particularly those allocated to individuals, are "dynamic".This means that each time a user connects to their internet service provider (ISP), they are given an IP address, and this will be different each time. So if it is only the ISP who can link the IP address to an individual it is difficult to see how the [DPA} can cover collecting dynamic IP addresses without any other identifying or distinguishing information.

Some IP addresses are "static", and these are different.Like some cookies, they can be linked to a particular computer which may then be linked to an individual user. Where a link is established and profiles are created based on static IP addresses, the addresses and the profiles would be personal information and covered by the [DPA]. However, it is not easy to distinguish between dynamic and static IP addresses, so there is limited scope for using them for personalised profiling.

36.The Council stated that it had no way of knowing whether the IP addresses logged during visits to its website were static or otherwise and, as mentioned above, provided no submissions as to any other information it held relative to the individuals who had accessed the webpage via the IP addresses in question.The investigating officer also carried out a series of checks with data mining companies in an effort to identify individuals with the specific IP addresses provided by the Council, with no success.

37.The Council submitted (as the Commissioner has accepted) that the list of IP addresses which visited the survey webpage could not be linked to any of the surveys submitted.Consequently, whilst it holds the IP addresses, whether static or otherwise, it has not provided any evidence which would indicate that a living individual can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller (taken for these purposes to be the Council itself).

38.Based on the submissions by the Council, and in the absence of any further evidence to the contrary, the Commissioner is not satisfied that the IP addresses under consideration in this case constitute personal data for the purposes of section 1(1) of the DPA.

39.The Commissioner therefore concludes that the Council incorrectly applied section 38(1)(b) of FOISA to the list of IP addresses requested by SRSN and requires the Council to provide SRSN with the IP addresses listed in the table headed "Enquiry 2".

DECISION

The Commissioner finds that Angus Council (the Council) partially complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Scottish Rural Schools Network.

The Commissioner finds that, by indicating that it did not hold certain information, the Council complied with Part 1.

However, by incorrectly applying section 38(1)(b) to the IP addresses, the Council failed to comply with Part 1, and in particular section 1(1), of FOISA.The Commissioner therefore requires the Council to provide SRSN with the list of the IP addresses referred to in the table headed "Enquiry 2" in its response of 17 May 2010, by 18 January 2011.

Appeal

Should either Scottish Rural Schools Network or Angus Council wish to appeal against this decision, there is an appeal to the Court of Session on a point of law only.Any such appeal must be made within 42 days after the date of intimation of this decision notice.

Margaret Keyse
Head of Enforcement
2 December 2010

Appendix

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that ?

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption ?

(e) in subsection (1) of section 38 ?

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

17 Notice that information is not held

(1) Where-

(a) a Scottish public authority receives a request which would require it either-

(i) to comply with section 1(1); or

(ii) to determine any question arising by virtue of paragraph (a) or (b) of section 2(1),

if it held the information to which the request relates; but

(b) the authority does not hold that information,

it must, within the time allowed by or by virtue of section 10 for complying with the request, give the applicant notice in writing that it does not hold it.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

...

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

(5) In this section-

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

Data Protection Act 1998

1 Basic interpretative provisions

In this Act, unless the context otherwise requires ?

"personal data" means data which relate to a living individual who can be identified ?

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

[1] http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/collecting_personal_information_from_websites_v1.0.pdf