Home Decisions

Decision 199/2021

Decision Notice 199/2021: Information Sharing Agreements: date of agreement

Public authority: City of Edinburgh Council
Case Ref: 202100494

Summary

The Council was asked for the dates when it entered into Information Sharing Agreements with Police Scotland. The Council responded, but confirmed that it did not held exact dates for all agreements.

The Commissioner investigated and found that the Council was entitled to notify the Applicant that it did not hold the information.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (4) (General entitlement); 17(1) (Notice that information is not held)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 23 January 2021, the Applicant made a request for information to the City of Edinburgh Council (the Council). The Applicant requested the date(s) on which the Council entered into Information Sharing Agreements (ISAs) with Police Scotland, with respect to sensitive information.

2. The Council asked for clarification of the request on 1 February 2021. It stated:

The Council does not have one data sharing agreement which will cover the sharing of special category data with the police in all scenarios. Data sharing agreements are normally entered into in relation to a specific activity, and will define individually, what personal data is required to be shared in order to support that activity. It would be helpful if you could provide more information in relation to which data sharing activity you wish to receive information on.

3. On 2 February 2021, the Applicant confirmed she was seeking details of the any ISA that related to the sharing of sensitive personal information and referred to a number of examples of multi-agency working that she expected to see the dates of the ISAs for.

4. On 5 March 2021, the Applicant wrote to the Council requesting a review on the basis that it had failed to respond to her request.

5. The Council notified the Applicant of the outcome of its review on 6 April 2021. The Council apologised for its delay in responding to the request. It provided the dates on which certain ISAs were entered into; provided approximate dates (years) when other ISAs were put into place, but where it was unable to provide exact dates and confirmed, with respect to some ISAs, that it did not hold the dates they were entered into.

6. On 18 April 2021, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. The Applicant stated she was dissatisfied with the outcome of the Council's review. The Applicant submitted that the Council should be able to provide exact dates when the ISAs were signed as they should, in her view, have been updated after 25 May 2018 which is when the General Data Protection Regulations (GDPR) became enshrined in UK law within the Data Protection Act 2018.

Investigation

7. The application was accepted as valid. The Commissioner confirmed that the Applicant made a request for information to a Scottish public authority and asked the authority to review its response to that request requests before applying to him for a decision.

8. On 4 May 2021, the Council was notified in writing that the Applicant had made a valid application, and the case was then allocated to an investigating officer.

9. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Council was invited to comment on this application and to answer specific questions. The questions raised with the Council related to the searches conducted, and why it was satisfied that it had disclosed the relevant information held.

10. The Council provided an explanatory response to the questions raised, and also provided similar response and associated documents to the Applicant on 6 October 2021.

11. The Applicant remained dissatisfied with the updated response issued by the Council. Her comments will be considered below.

Commissioner's analysis and findings

12. In coming to a decision on this matter, the Commissioner considered all of the relevant submissions, or parts of submissions, made to him by both the Applicant and the Council. He is satisfied that no matter of relevance has been overlooked.

13. Section 1(1) of FOISA provides that a person who requests information from a Scottish public authority which holds it is entitled to be given that information by the authority, subject to qualifications which, by virtue of section 1(6) of FOISA, allow Scottish public authorities to withhold information or charge a fee for it.

14. The information to be given is that held by the authority at the time the request is received, as defined in section 1(4). If no such information is held by the authority, section 17(1) of FOISA requires it to give the applicant notice in writing to that effect.

15. The standard of proof to determine whether a Scottish public authority holds information is the civil standard of the balance of probabilities. In determining where the balance lies, the Commissioner considers the scope, quality, thoroughness and results of the searches carried out by the public authority. He also considers, where appropriate, any reason offered by the public authority to explain why it does not hold the information. While it may be relevant as part of this exercise to explore expectations about what information the authority should hold, ultimately the Commissioner's role is to determine what relevant recorded information is (or was, at the time the request was received) actually held by the public authority.

The Council's submissions

16. Having considered all of the relevant information and in discussion with various colleagues the Council explained that there is not always a specific date in which an ISA was entered into as these were considered as ongoing collaborative relationships. Therefore, it was unable to provide any further exact dates for the agreements noted as these are not held by the Council. However, it was able to provide further explanatory responses as to the ISAs held. In summary:

Children's Services and Criminal Justice - in relation to Adult Protection, the legislation puts a "duty to co-operate" on the Council and Police Scotland as part of the Council's duty to make inquiries where there is a suspicion of risk of harm. A written agreement is not held.
Criminal Justice - the Council stated that it had discussed this with the Community Justice Senior Manager, who works directly to the Council's Chief Social Worker and Service Director for Children's Services & Criminal Justice. The Community Justice Senior Manager has responsibility for information sharing with the Police Scotland in this area and checked her own emails and electronic files to identify the current information sharing agreements. She has also approached the appropriate colleagues for additional information. She confirmed that she is the appropriate officer in relation to this matter and that all of the relevant information available has been captured.
Children's Services - the two managers (Manager of Through Care and After Care and Services for Young People and Children's Practice Teams Manager) who have responsibility for information sharing with the Police Scotland in this area checked their own emails and electronic files to identify the current information sharing agreements. They also approached appropriate colleagues for additional information. They confirmed that they are the appropriate officers in relation to this matter and that all of the relevant information available has been captured.

17. In addition to the review response dated 6 April 2021, the following information could be documented:

MAPPA, where criminal offending data and allegations of criminality of data subjects is shared, was entered into in 2007. The first MAPPA meeting was on 27th April 2007. The Council provided a copy of the first Memorandum of Understanding that was signed off in 2009.
The Council also entered into a multi-agency arrangement in 2013 with the MARAC (multi-agency risk assessment conference) pilot, following which MARAC was rolled out across the city. The pilot started on 18 April 2013. Roll-out began in October 2014. The Council provided a copy of the original Information Sharing Protocol, although it did not contain a date when it was signed off, and no relevant individual currently worked for the Council. It provided a copy of the most recent Terms of Relationship which was agreed by Chief Officers on 13 December 2018, and a copy of the Data Protection Impact Assessment for MARAC and the assessment report, but confirmed that the updated ISA remains outstanding. The COVID pandemic had impacted the completion of this work.
The Council stated that it had entered into a multi-agency arrangement in 2013/2014 and Disclosure Scheme for Domestic Abuse Scotland (Police Scotland led) in 2015. However, given that this was a Police Scotland initiative, the Council did not hold an exact date. It provided a copy of what has recently been drafted and remains in draft.
IRDs - the Council submitted that there may have been data sharing agreements for IRDs from years ago, but it does not hold exact dates of for these and they have since been replaced by national guidance. The Scottish Government has recently published new guidance in relation to Child Protection (including IRDs) which covers information sharing[1]. Prior to that, information sharing guidance was covered in the previous Lothian and Borders Child Protection procedures[2].

18. In response to the Applicant's view that ISAs should be dated after 25 May 2018, when GDPR and DPA 2018 came into force, the Council confirmed that the practice at that time was in line with guidance from the UK Information Commissioner and that information sharing which was lawful under the previous legislation would continue to be so when the

19. The Council provided a copy of its response above and the supporting documents to the Applicant on 6 October 2021.

The Applicant's submissions

20. The Applicant argued the DPA 2018/GDPR required Police Scotland and local authorities to record in detail any justification for data sharing and that the Council should have stopped what it was doing and bring the documentation into compliance with DPA 2018.

The Commissioner's conclusions

21. The Commissioner's decision is on the basis of the actual information requested. He has taken a reasonable interpretation of the request, allowing for the fact that the Applicant would have been unlikely to know exactly how information is recorded by the Council.

22. It is not the role of the Commissioner to comment on whether an authority's documents are in line with GDPR, or should have been updated since 18 May 2018 - rather, his role in a case such as this is to determine whether the authority holds recorded information, i.e. the dates on which ISAs were agreed.

23. Having considered the response provided to the Applicant by the Council and the submissions from both parties, the Commissioner is satisfied that the Council provided the Applicant with the information it holds and that, on the balance of probabilities, the Council does not hold the specific dates for every ISA it holds.

Decision

The Commissioner finds that the City of Edinburgh Council complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by the Applicant.

Appeal

Should either the Applicant or the Council wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement
13 December 2021

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

…

(4) The information to be given by the authority is that held by it at the time the request is received, except that, subject to subsection (5), any amendment or deletion which would have been made, regardless of the receipt of the request, between that time and the time it gives the information may be made before the information is given.

…

17 Notice that information is not held

(1) Where-

(a) a Scottish public authority receives a request which would require it either-

(i) to comply with section 1(1); or

(ii) to determine any question arising by virtue of paragraph (a) or (b) of section 2(1),

if it held the information to which the request relates; but

(b) the authority does not hold that information,

it must, within the time allowed by or by virtue of section 10 for complying with the request, give the applicant notice in writing that it does not hold it.

…

[1] National Guidance for Child Protection in Scotland 2021: Stakeholder Supportive Statements (www.gov.scot)

[2] child-protection-procedures (edinburgh.gov.uk)