Home Decisions

Decision 218/2011

Decision 218/2011 Mr Ralph Lucas and Glasgow Caledonian University

Information relating to graduating students

Reference No: 201001405
Decision Date: 4 November 2011

Summary

Mr Ralph Lucas requested from Glasgow Caledonian University (the University) statistical data relating to certain students who had graduated from the University in the academic years 2006/7 to 2008/9 inclusive. The University responded by advising Mr Lucas that it considered the information to be exempt from disclosure in terms of section 38(1)(b) of the Freedom of Information (Scotland) Act 2002 (FOISA), on the basis that the disclosure of the information would identify individual graduates and disclosure would be unlawful under Data Protection Act 1998 (the DPA).Following a review, Mr Lucas remained dissatisfied and applied to the Commissioner for a decision.

Following an investigation, the Commissioner found that the exemption did not apply to the statistical data. While he accepted that it was possible that disclosure would identify individuals (and he therefore agreed that the statistical data requested by Mr Lucas comprised personal data), he did not consider that disclosure would breach the DPA. He therefore required the University to provide Mr Lucas with the requested information.

Relevant statutory provisions and other sources

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 12(1) (Excessive cost of compliance) and 38(1)(b), (2)(a)(i) and (b) and (5) (definitions of "data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA) sections 1(1) (Basic interpretative provisions ? definition of "personal data") and 2(a), (c) and (e) (Sensitive personal data) and Schedules 1 (The data protection principles ? the first and second principles) and 2 (Conditions relevant for purposes of the first principle: processing of any personal data) (condition 6)

The Freedom of Information (Fees for Required Disclosure) (Scotland) Regulations 2004 (the Fees Regulations) regulations 3 (Projected costs) and 5 (Excessive cost ? prescribed amount)

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data: Recital 26 and Article 8.1

The full text of each of the statutory provisions cited above is reproduced in the Appendix to this decision. The Appendix forms part of this decision.

Common Services Agency v Scottish Information Commissioner [2008] UKHL 47 www.publications.parliament.uk/pa/ld200708/ldjudgmt/jd080709/comm-1.htm

Department of Health v Information Commissioner [2011] EWHC 1430 (Admin) http://www.bailii.org/ew/cases/EWHC/Admin/2011/1430.html

Craigdale Housing Association and others v Scottish Information Commissioner [2010] CSIH 43 http://www.scotcourts.gov.uk/opinions/2010CSIH43.html

Campbell v Mirror Group Newspapers [2002] EWHC 299

Background

1.On 5 January 2010, Mr Lucas emailed the University requesting the following information:

a)For each student graduating from an undergraduate course in the academic years 2006/7 to 2008/9 inclusive who has consented to having their data published:

Gender

School (where known, as whatever variant or combination of the five digit school code, the seven digit school code, the school name and postcode come most easily to hand)

Faculty

wherever students of a given gender graduating from a faculty came from at least 10 different schools; and

b)For each student graduating from an undergraduate course in the academic years 2006/7 to 2008/9 inclusive who has consented to having their data published but whose data has not been disclosed above:

Gender

School (where known, as whatever variant or combination of the five digit school code, the seven digit school code, the school name and postcode come most easily to hand).

2.The University responded on 5 February 2010. The University explained that it was in the process of migrating the data which it held regarding its students to a new system. However, as the information sought by Mr Lucas was still contained within an older in-house system, it considered the cost of complying with the request would exceed the ?600 limit set out in the Freedom of Information (Fees for Required Disclosure) (Scotland) Regulations 2004 (the Fees Regulations) and, therefore, that it was not obliged to comply with the request.

3.Also on 5 February 2010, Mr Lucas emailed the University explaining that, if the process of migrating the data was to be completed within a reasonable timescale, he was content to wait for that process to be completed in order that the University could provide a response to his request at a lower cost.

4.On 13 May 2010, the University provided Mr Lucas with a further response to his request of 5 January 2010. This time, the University did not rely on cost grounds for withholding the information, but advised Mr Lucas that it considered the information that he had requested to be personal data and that its disclosure would breach the first data protection principle in the DPA. Accordingly, the University considered the information to be exempt from disclosure in terms of section 38(1)(b) of FOISA. However, the University did provide Mr Lucas with the requested information relating to those schools which had five or more students of the same gender graduating from the same faculty, during the period detailed in the request. Where the numbers were less than five, the University provided the gender, but not the actual number.

5.Also on 13 May 2010, Mr Lucas emailed the University requesting a review of its decision. In particular, Mr Lucas contended that the information that he had requested did not comprise personal data on the basis that there was no reasonable possibility of any person being identified from it.

6.The University notified Mr Lucas of the outcome of its review on 3 June 2010, upholding its previous decision without modification.

7.On 12 July 2010, Mr Lucas wrote to the Commissioner, stating that he was dissatisfied with the outcome of the University's review and applying to the Commissioner for a decision in terms of section 47(1) of FOISA.

8.The application was validated by establishing that Mr Lucas had made a request for information to a Scottish public authority and had applied to the Commissioner for a decision only after asking the authority to review its response to that request.

Investigation

9.On 14 July 2010, the University was notified in writing that an application had been received from Mr Lucas and was asked to provide the Commissioner with any information withheld from him. The University responded with the information requested and the case was then allocated to an investigating officer.

10.The investigating officer subsequently contacted the University on 27 August 2010, giving it an opportunity to provide comments on the application (as required by section 49(3)(a) of FOISA) and asking it to respond to specific questions.

11.The University responded on 15 September 2010, providing submissions on its application of the exemption in section 38(1)(b) of FOISA to the information requested by Mr Lucas.

12.The investigating officer subsequently sought (and received) additional submissions from the University concerning the application of section 38(1)(b) and examples of how individuals could be identified through the disclosure of the requested information.

13.The investigating officer also contacted Mr Lucas during the investigation, seeking his submissions on the matters to be considered in the case. The submissions received from both Mr Lucas and the University are summarised and considered (where relevant) in the Commissioner's analysis and findings section below.

Commissioner's analysis and findings

14.In coming to a decision on this matter, the Commissioner has considered all of the withheld information and the submissions made to him by both Mr Lucas and the University and is satisfied that no matter of relevance has been overlooked.

Section 38(1)(b) of FOISA ? Personal information

15.Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) (or, where appropriate, 38(2)(b)), exempts information from disclosure if it is "personal data" as defined by section 1(1) of the DPA, and its disclosure would contravene one or more of the data protection principles set out in Schedule 1 to the DPA. This exemption is absolute in that it is not subject to the public interest test laid down by section 2(1)(b) of FOISA.

16.The University argued that the information comprised personal data and, in some cases, sensitive personal data. It submitted that disclosure of this information would breach the first and second data protection principles of the DPA.

Are the statistics personal data?

17.The Commissioner will first consider whether the information withheld is personal data."Personal data" is defined in section 1(1) of the DPA as data which relate to a living individual who can be identified a) from those data, or b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller (the full definition is set out in the Appendix).The DPA gives effect to Directive 95/46/EC on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data (the Directive) and so the DPA should, if possible, be interpreted in a manner which is consistent with the Directive.

18.In considering the definition of "personal data", the Commissioner has also taken account of the opinions delivered by the House of Lords in Common Services Agency v Scottish Information Commissioner, by the High Court of England and Wales in Department of Health v Information Commissioner and by the Court of Session in Craigdale Housing Association and others v Scottish Information Commissioner.

19.In its submissions, the University argued that the information comprised personal data as it could be used to identify individual graduates from other information held by the University (as data controller).

20.In the Commissioner's view, this argument suggests that, if a data controller holds underlying identification data, information will always be personal data, regardless of the size of the statistic. (The Commissioner notes that the University chose to disclose data relating to those schools which had five or more students of the same gender graduating from the same faculty during the period detailed in Mr Lucas's request. If it were the case that the statistics were personal data simply because the University held the identifying information, then the figures which were disclosed would also have been personal data.)

21.This approach to the definition of personal data has not been followed by the courts. In the Common Services Agency case, which involved a request for statistics relating to childhood leukaemia statistics in Dumfries and Galloway, the House of Lords concluded that the definition of "personal data" in the DPA must, in terms of recital 26 of the Directive, be taken to permit the disclosure of information which had been rendered fully anonymous in such a way that individuals were no longer identifiable from it, without having to apply the data protection principles.

22.Lord Hope's view (which attracted majority support in the Common Services Agency case) was that the definition of personal data under section 1(1) of the DPA provides for two means of identification: identification will either be from the data itself (which would not apply in the case of anonymous statistics) or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller.

23.Lord Hope's approach is to ask whether the "other information" (if provided to a hypothetical member of the public) add anything to the statistics which would enable them to identify the underlying individuals.If the answer is no, the statistics are not personal data.The words in italics are important: if identification can be achieved from the "other information" in isolation (i.e. rather than when added to the statistics) then the statistics themselves are truly anonymous, and are not personal data.

24.This approach was considered by the High Court of England and Wales in the Department of Health case.That case involved a request for abortion statistics held by the Department of Health.As the University originally did here, the Department of Health argued that, because it held the data which would identify individual patients, the numbers of abortions which had been carried out were, given definition (b), personal data.However, this approach was rejected by the High Court by Cranston J, who commented:

"If that were the case, any publication would amount to the processing of ? personal data ?Thus, the statistic that 100,000 women had an abortion ? would constitute personal data about each of these women, provided that the body that publishes this statistic has access to information which would enable it to identify each one of them.That is not a sensible result and would seriously inhibit the ability of healthcare organisations and other bodies to publish medical statistics."

25.It is therefore clear that the fact that a data controller holds the identifying information lying behind statistics does not automatically mean that the statistics are personal data.(In providing submissions to the Commissioner, the University also argued that, given the small numbers of students (i.e. less than five) involved, it would be possible to triangulate data already available in the public domain to identify those students.Those arguments are considered in more detail below.)However, in deciding whether the disclosure of apparently anonymous statistics could identify an individual, what matters should be considered?

26.The Commissioner has noted the approach taken by the Court of Session in the Craigdale Housing Association case.The Court of Session referred to Recital 26 of the Directive, which states that, when determining whether a person is identifiable, account should be taken of all the means likely reasonably to be used to identify the data subject.As noted by the Court of Session, the test is therefore whether disclosure of the information would lead to the identification of an individual or whether there is other information in the public domain which, when taken with the information, would reasonably allow for such identification.

27.Guidance entitled "Determining what is personal data[1]" which has been issued by the (UK) Information Commissioner (who is responsible for enforcing the DPA throughout the UK) states that, in considering whether a person can be identified, it should be assumed that it is not just the means reasonably likely to be used by the ordinary man in the street to identify a person, but also the means which are likely to be used by a determined person with a particular reason to want to identify the individual.

28.The Commissioner therefore considered whether the numbers requested by Mr Lucas, together with other information already in the public domain (or as a result of action likely to be taken by a determined person to identify the individuals if the numbers were to be disclosed) would reasonably allow individual graduates to be identified.If disclosure of the numbers would reasonably allow for identification, then the numbers comprise personal data and cannot be disclosed unless there is a condition in Schedule 1 to the DPA which would permit the numbers to be disclosed.If disclosure of the numbers would not reasonably allow for identification, then the numbers do not comprise personal data and the exemption in section 38(1)(b) would not apply.

29.In its submissions to the Commissioner, the University contended that the disclosure of the information could, when triangulated with other information disclosed to Mr Lucas in respect of previous information requests and other information already in the public domain, identify individuals.

30.As an illustration, the University explained how the information sought by Mr Lucas, when used in tandem with information already in the public domain including (for example) from the Scottish Schools Online website, the Higher Education Statistics Agency (HESA), information released by other universities, information on social networking sites and the electoral register, could be used to identify individuals within the statistical data sought by Mr Lucas.

31.The Commissioner has considered the information which would be provided by disclosure of the statistics. This would comprise, in each academic year requested by Mr Lucas, the name of a school, the name of a faculty and the number of male and female students who had attended that school and who had graduated from each faculty.

32.If this information is viewed in isolation, it appears to be anonymous, in that it does not permit the identification of any individual graduate represented by the statistics. However, the Commissioner must examine whether there are other factors or information which, considered alongside the statistics, would "unlock" the figures and permit identification of any of the individuals represented within the statistical data.

33.The Commissioner has considered the range of information that might potentially be available to the public about the individuals represented by the statistics.In this case, the statistical information under consideration only relates to graduates who have consented to their names and qualification results being published in "The Herald" newspaper (this is the reference to "consent" in the wording of Mr Lucas's request).

34.The Commissioner accepts that, where a person already knows that an individual is a graduate of the University, disclosure of the statistics in question may permit that person to identify the individual graduate as one of the statistical cohort. However, this in itself does not make the statistical information personal data; it is not the disclosure of the statistics which would identify the individual.The Commissioner must be able to satisfy himself that disclosure of the statistics would be the decisive factor leading to the identification of a specific graduate or would make identification possible where it was previously impossible.

35.As noted above, the University has provided examples of how it considers individual graduates can be identified by the triangulation of the data sought by Mr Lucas, the information published in the Herald newspaper and other publicly available information. The Commissioner has considered the examples supplied by the University and accepts that it is possible to identify an individual graduate through a combination of these information sources, albeit through a complex route.

36.The Commissioner is therefore satisfied that the statistical data sought by Mr Lucas does clearly relate to the individuals in question and comprise personal data as defined in section 1(1) of the DPA.

37.He will therefore go on to consider whether disclosure would breach the first and second data protection principles, as the University has argued.Given that compliance with the "lawfulness" aspect of the first data protection principle relies on there being no breach of the second data protection principle, he will consider the second data protection principle first.

Would disclosure breach the second data protection principle?

38.The second data protection principle provides that personal data shall be obtained only for one or more specified and lawful purposes, and shall not be processed in any manner incompatible with that purpose or those purposes.

39.The sections on the interpretation of the Second Principle (in Part II of schedule 2 of the DPA) further provide that, in deciding whether any disclosure of personal data is compatible with the purpose or purposes for which the data were obtained, consideration will be given to the purpose or purposes for which the personal data are intended to be processed by any person to whom they are disclosed.

40.The University has submitted that it does not notify its students that their personal data may be processed for the purposes of providing it to the general public or commercial organisations. It therefore contended that, by releasing the requested personal information to Mr Lucas, it would be in breach of the second data protection principle.

41.The Commissioner has considered the University's submissions along with comments made in decisions from the Information Commissioner (responsible for the enforcement of both the DPA and the Freedom of Information Act 2000 (FOIA)) that address the interpretation of the second data protection principle in the context of requests made under freedom of information law.

42.In Decision FS50087443 (Maldon District Council), the Information Commissioner briefly considered whether the second data protection principle would be breached by release of certain personal data in response to a request under FOIA.Maldon District Council had argued that, because disclosure of information in response to freedom of information requests had not been specified in a fair collection notice issued to the data subjects concerned, disclosure of the information gathered in response to a request under FOIA would breach the second data protection principle.The Information Commissioner commented on this argument as follows:

The [Information] Commissioner considers that this is not a correct interpretation of the Data Protection Act.If [Maldon District] Council were correct in its interpretation, no disclosures of third party data would be permitted in response to FOI requests except where data subjects had been given prior notice.This would include cases where requests for information identified individuals acting in a public or official capacity in addition to information relating to their private lives.

The [Information] Commissioner considers that the correct interpretation of Principle 2 in this context is that the disclosure of third party data in response to a request submitted in accordance with other statutory rights is not inherently incompatible with any other lawful purpose for which information may be obtained.Principle 2 may, however, restrict the purposes for which a third party to whom personal data are disclosed may subsequently process those data.

The [Information] Commissioner considers that the central issue in considering whether or not the FOI Act requires the disclosure of personal data is not the second data protection principle but rather the first principle.

43.The Commissioner considers this reasoning to be relevant also in this case. He does not consider the processing of data in response to requests under FOISA to be incompatible with the other purposes for which the data was gathered by the University. The Commissioner also notes that the University has already disclosed relevant data in relation to figures of five or greater (in the circumstances notes at paragraph 4 above) in response to Mr Lucas's request. It is not clear to him why the disclosure that the University has already made to Mr Lucas would not breach the second principle, but the disclosure of a figure below five would.

44.Having considered the University's submissions, the Commissioner is unable to accept that disclosure of the information sought by Mr Lucas would breach the second data protection principle.

Would disclosure breach the first data protection principle?

45.The first data protection principle states that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met and, in the case of sensitive personal data, at least one of the conditions in Schedule 3 to the DPA is also met.

46.In its submissions, the University has also argued that some of the information comprises sensitive personal data on the basis that some of its graduates had attended denominational schools. It argued that some Roman Catholic schools could be easily identified by their names and that disclosure of the information would, particularly in the West of Scotland, where the University is based, identify a student's religious affiliation.

47.The University also submitted that students with disabilities could be identified from knowledge of the school that they had attended. However, the University did not provide the Commissioner with the names of any such schools contained within the data sought by Mr Lucas, nor did the University confirm whether any of the graduates whose data was included within the statistics sought by Mr Lucas had a disability or had special educational requirements.

48.The Commissioner has considered the definition of sensitive personal data set out in section 2 of the DPA, and he is not satisfied that the disclosure of personal data in this case can be said to comprise the processing of sensitive personal data.In coming to this conclusion, he has noted the wording of Article 8 of the Directive, which prohibits Member States from processing personal data revealing (emphasis added) a person's religious or philosophical beliefs.

49.He has also noted the (UK) Information Commissioner's guidance "Key definitions of the Data Protection Act[2]". In the section headed "What is personal data?", the guidance states:

"Religion or ethnicity, or both, can often be inferred with varying degrees of certainty from dress or name. For example, many surnames are associated with a particular ethnicity or religion, or both, and may indicate the ethnicity and religion of the individuals concerned. However, it would be absurd to treat all such names as "sensitive personal data", which would mean that to hold such names on customer databases you had to satisfy a condition for processing sensitive personal data.Nevertheless, if you processed such names specifically because they indicated ethnicity or religion, for example to send marketing materials for products and services targeted at individuals of that ethnicity or religion, then you would be processing sensitive personal data.In any event, you must take care when making assumptions about individuals as you would be collecting inaccurate personal data."

50.Finally, the Commissioner took account of the view of the (English and Welsh) High Court in the case of Naomi Campbell v Mirror Group Newspapers[3] which confirmed the view of the Information Commissioner: photographs of Ms Campbell did indeed disclose sensitive personal data concerning her racial origin, but that was incidental to the purpose for the publication of the photographs.

51.The Commissioner therefore takes the view that whether disclosure of the information requested by Mr Lucas amounts to the processing of sensitive personal data will depend on the purpose of the processing and that, in any event, for processing to amount to processing of sensitive personal data, the processing should reveal sensitive personal data.

52.In this case, Mr Lucas is not seeking the numbers of children of any specified religion or faith, who have gone on to attend and later graduate from the University.He is simply interested in finding out which subjects children chose to study from which schools.There is no targeting of a specific religion or faith.If the disclosure of this information would reveal a person's religious beliefs (which the Commissioner does not believe to be the case ? see below), then that would be incidental to the purpose for which the information is being processed.In the words of the Information Commissioner, it would be "absurd" to treat such information as sensitive personal data.

53.The Commissioner does not consider that disclosing the information would reveal a person's religious beliefs. Whilst it may be more likely that individuals attending a denominational school or originating from an area where the population largely comprises one particular religious faith will be a member of that particular faith, the disclosure of the numbers sought by Mr Lucas will not by themselves reveal an individual's faith.

54.Denominational or faith schools cannot refuse to accept prospective pupils on the basis that they are of a different faith (although the faith of the child may be relevant if the school is oversubscribed).There are a number of reasons why parents with no religious beliefs or with different religious beliefs place their children in a particular denominational or faith school (or, indeed, a non-denominational school), e.g. proximity to the home, the belief that the school will provide a better education for their child or the fact that a relative also attends that school.In any event, the Commissioner does not consider that the fact of attendance at a denominational school some years before graduating (in some of the figures Mr Lucas has asked for, three years will have passed since graduation) can be construed as information as to a person's religious beliefs.

55.Having concluded that he cannot accept that any of the information under consideration comprises sensitive personal data, it is therefore not necessary for the Commissioner to consider the conditions in Schedule 3 of the DPA in this case.

Can any of the conditions in Schedule 2 to the DPA be met?

56.When considering the conditions in Schedule 2 to the DPA, the Commissioner has noted Lord Hope's comment in the case of the Common Services Agency v Scottish Information Commissioner[4] (the Collie judgement) that the conditions require careful treatment in the context of a request for information under FOISA, given that they were not designed to facilitate the release of information but rather to protect personal data from being processed in a way that might prejudice the rights, freedoms or legitimate interests of the data subject.

57.The Commissioner considers condition 6 to be the only condition in Schedule 2 which might permit disclosure in this case. Condition 6 permits personal data to be processed if the processing (which in this case would be by disclosure in response to Mr Lucas's information request) is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights, freedoms or legitimate interests of the data subject (the individual(s) to whom the withheld information relates). It is clear from the wording of this condition that each case will turn on its own facts and circumstances.

58.There are, therefore, a number of different tests which must be considered before condition 6 can be met. These are:

a.Does Mr Lucas have a legitimate interest in obtaining the withheld personal data?

b.If yes, is the disclosure necessary to achieve these legitimate aims?In other words, is the disclosure proportionate as a means and fairly balanced as to ends, or could these legitimate aims be achieved by means which interfere less with the privacy of the individual in question?

c.Even if the processing is necessary for Mr Lucas's legitimate purpose, would the disclosure nevertheless cause unwarranted prejudice to the rights and freedoms or legitimate interests of the individual?As noted by Lord Hope in the Collie judgement there is no presumption in favour the release of personal data under the general obligation laid down in FOISA. Accordingly, the legitimate interests of Mr Lucas must outweigh the rights, freedoms or legitimate interests of the data subject before condition 6(1) will permit the personal data to be disclosed. If the two are evenly balanced, the Commissioner must find that the University was correct to refuse to disclose the personal data to Mr Lucas.

Does Mr Lucas have a legitimate interest?

59.In his submissions to the Commissioner, Mr Lucas argued that the information would help parents understand the qualities of schools that they are considering sending their children to (it should be noted that Mr Lucas is the author of "The Good Schools Guide", which provides information and advice about schools throughout the United Kingdom). He considered that the best way to judge an educational institution was by its pupils and, although exam results were one part of this picture, more was revealed by the pattern of university courses that pupils chose. He considered this showed something of the pupils' ambitions, expectations and mindsets as well as their achievements.

60.Mr Lucas also submitted that the data would be used, in his view, to provide an insight into a specific school that was not available elsewhere and provided a base from which to enquire into the ambitions, capabilities and spirit which the school had inculcated into its pupils. He explained that he intended making the information about schools which was produced as a result of obtaining information from the University available on the Good Schools Guide website.

61.In its submissions, the University stated that Mr Lucas had not informed it of the reason for his request. Hence, the University did not consider it could judge whether or not he had a legitimate interest in obtaining the requested information.

62.Having considered the submissions of both parties, the Commissioner accepts that Mr Lucas's role as author of the Good School Guide leads to him obtaining and publishing information which affects, and is of interest to, the wider public. In the circumstances, the Commissioner accepts that Mr Lucas has a legitimate interest (as do the wider public) in obtaining the requested information.

Is disclosure of the information necessary to achieve those legitimate interests?

63.The Commissioner must now consider whether disclosure is necessary for those legitimate interests and in doing so he must consider whether these interests might reasonably be met by any alternative means.

64.In its submissions, the University argued that any member of the public can obtain information relating to a school's performance from HESA, Scottish Schools Online or individual schools and disclosure of the information requested by Mr Lucas was therefore not necessary for the purposes of Mr Lucas's legitimate interests.

65.The Commissioner has considered the information that is available through the organisations suggested by the University, but has concluded that the exact information sought by Mr Lucas is not available to him from these organisations.

66.In this case, the Commissioner can identify no viable means of meeting Mr Lucas's legitimate interests which would interfere less with the privacy of the relevant data subjects other than by obtaining the information requested.

Would disclosure cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects?

67.As the Commissioner is satisfied that disclosure of the personal data would be necessary to fulfil Mr Lucas's legitimate interests, the Commissioner is now required to consider whether that disclosure would nevertheless cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subject. As noted above, this involves a balancing exercise between the legitimate interests of Mr Lucas and the data subjects in question. Only if the legitimate interests of Mr Lucas outweigh those of the data subjects in question can the information be disclosed without breaching the first data protection principle.

68.In the Commissioner's briefing on section 38 of FOISA[5], he notes a number of factors which should be taken into account in carrying out this balancing exercise. These include:

a)whether the information relates to the individual's public life (i.e. their work as a public official or employee) or their private life (i.e. their home, family, social life or finances);

b)the potential harm or distress that might be caused by disclosure;

c)whether the individual has objected to the disclosure;

d)the reasonable expectations of the individuals as to whether the information would be disclosed.

69.Mr Lucas submitted that his request merely asked for the last school that a graduate had attended and that all the other data was already a matter of public record in published graduation lists. He stated that he had not requested any information on an individual's present location. He also submitted that the school that an individual had attended is data that is widely and publicly available in that it will be known to all who were at the same school at the same time, to most who were in the same community at that time and, in most cases, to that person's friends and relatives.

70.Mr Lucas also argued that the likelihood of an individual being identified from the information being sought was very small, given the additional information that would need to be known in order to narrow down the list of possible schools that an individual had attended.

71.In its submissions, the University argued that its students expect the University to process their personal information in line with the DPA and that none would expect the University to disclose their personal information to a commercial company or the general public. The University contended that some of its students are estranged from their parents, some are pretending to continue at University when they have failed, some are being harassed by previous partners and some are being stalked. Accordingly, the University submitted that it is aware of that the release of personal information would prejudice the right to privacy of students in these situations. On that basis, the University considered that the rights, freedoms and legitimate interests of the data subjects outweighed those of Mr Lucas.

72.The Commissioner recognises that the individuals whose data is under consideration have not given specific consent for the information sought by Mr Lucas to be released. The Commissioner is also aware that there may often be publicity surrounding successful graduates, for example through a local newspaper.

73.In this case, the University has argued that identification of an individual graduate may result from disclosure of the sought information and that a dedicated individual may use the information to try and trace an individual graduate. However, the Commissioner is not persuaded that the disclosure of the information would represent an unwarranted interference given that disclosure would only, in extremely limited circumstances, allow an individual to be identified through an elaborate process which, in any case, would require a considerable element of personal knowledge of a data subject's personal life.He also considers that the level of harm which is likely to come about would be low and there is nothing in the information supplied to the Commissioner by the University which would lead him to conclude that harm would arise as a result of the withheld information being disclosed.

74.The Commissioner has balanced the legitimate interests of the data subject against the legitimate interests identified by Mr Lucas. Having done so, the Commissioner finds that the legitimate interests served by disclosure to Mr Lucas (and the wider public) outweigh the unwarranted prejudice that would be caused to the rights, freedoms or legitimate interests of the data subjects. The Commissioner is therefore satisfied that condition 6 of schedule 2 of the DPA can be met in this case.

75.Having reached this conclusion, the Commissioner has gone on to consider whether (as required by the first data protection principle) disclosure of the information concerning the data subject would be fair and lawful.

76.In its submissions, the University has argued that disclosure would be unfair as its students had not been advised that their personal data would be disclosed to the general public or commercial companies and it would not be within their reasonable expectations that their personal data would be released for purposes for which they had not consented.

77.However, the Commissioner considers that disclosure would be fair, for the reasons already outlined in relation to condition 6 above. Whilst the University has not provided any separate submissions to argue that disclosure would be unlawful (other than that disclosure would breach the second data protection principle, which the Commissioner does not agree with), the Commissioner, in any case, is unable to identify (having also concluded that condition 6 of schedule 2 to the DPA can be met) any specific law forbidding disclosure.

78.Having found disclosure of the information sought by Mr Lucas to be both fair and lawful, and in accordance with condition 6(1), the Commissioner therefore concludes that disclosure of this information would not breach the first data protection principle.

79.As the Commissioner has found that disclosure would not breach the first or second data protection principles, he therefore concludes that the exemption in section 38(1)(b) has been wrongly applied by the University to the withheld information in this case and so it breached section 1(1) of FOISA by withholding the information under this exemption.

Section 12 ? Excessive cost of compliance

80.As noted above, in its initial response to Mr Lucas on 5 February 2010, the University stated that the cost of complying with the request would exceed the ?600 limit set out in the Fees Regulations and, therefore, that it was not obliged to comply with the request.

81.The University subsequently provided Mr Lucas with some of the information that he had requested but made no mention of the cost of complying with the request. Similarly, the University made no mention of the cost of complying with the request in its response of 3 June 2010 to Mr Lucas's requirement for review or in its initial submissions to the Commissioner.

82.However, given that public authorities are not required to comply with a request where the cost of complying exceeds ?600, during the investigation, the Commissioner asked the University to provide details of the cost of complying with the request in the event that the Commissioner were to require the information to be supplied to Mr Lucas without the inclusion of any sensitive personal data.

83.In its submissions on this point, the University's calculations indicated that the estimated cost of removing any sensitive personal data and providing the remainder of the requested information to Mr Lucas would exceed ?600. However, as noted above, the Commissioner has concluded that none of the information under consideration in this case comprises sensitive personal data and it is not therefore necessary to include these additional costs within the overall calculation.

84.Once these additional costs have been discounted, the estimates provided to the Commissioner by the University indicated that the cost of complying with requests a) and b) would not exceed ?600. It should be noted that the University's original estimate provided to Mr Lucas on 5 February 2010 included an element which took account of the time and cost of anonymising the data where the requested figures were less than five. However, as the Commissioner has concluded in this case that the disclosure of the information requested by Mr Lucas would not breach any of the data protection principles, it would also not be necessary for this anonymising activity to take place.

85.Having taken into account the submissions that have been made by the University, together with the terms of the Fees Regulations, the Commissioner is satisfied that the request is not one which the University would not have been obliged to comply with on the basis of section 12(1) of FOISA.

DECISION

The Commissioner finds that Glasgow Caledonian University (the University) failed to comply with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by Mr Lucas. The Commissioner finds that by incorrectly applying the exemption in section 38(1)(b) to Mr Lucas's information requests, the University breached the requirements of Part 1 and, in particular, section 1(1) of FOISA.

The Commissioner therefore requires the University to provide Mr Lucas with the information sought in requests a) and b) by 20 December 2011.

Appeal

Should either Mr Lucas or the University wish to appeal against this decision, there is an appeal to the Court of Session on a point of law only.Any such appeal must be made within 42 days after the date of intimation of this decision notice.

Kevin Dunion
Scottish Information Commissioner
4 November 2011

Appendix

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

?

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that ?

(a) the provision does not confer absolute exemption; and

?

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption ?

?

(e) in subsection (1) of section 38 ?

?

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

12 Excessive cost of compliance

(1) Section 1(1) does not oblige a Scottish public authority to comply with a request for information if the authority estimates that the cost of complying with the request would exceed such amount as may be prescribed in regulations made by the Scottish Ministers; and different amounts may be so prescribed in relation to different cases.

?

38 Personal information

(1) Information is exempt information if it constitutes-

?

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

?

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

?

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

?

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

?

Data Protection Act 1998

1 Basic interpretative provisions

(1)In this Act, unless the context otherwise requires ?

?

"personal data" means data which relate to a living individual who can be identified ?

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

?

2 Sensitive personal data

In this Act "sensitive personal data" means personal data consisting of information as to-

(a)the racial or ethnic origin of the data subject,

?

(c)[the data subject's] religious beliefs or other beliefs of a similar nature,

?

(e)[the data subject's] physical or mental health or condition.

?

Schedule 1 ? The data protection principles

Part I ? The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless ?

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

...

Schedule 2 ? Conditions relevant for purposes of the first principle: processing of any personal data

...

6. (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

?

Freedom of Information (Fees for Required Disclosure) (Scotland) Regulations 2004

3 Projected costs

(1) In these Regulations, "projected costs" in relation to a request for information means the total costs, whether direct or indirect, which a Scottish public authority reasonably estimates in accordance with this regulation that it is likely to incur in locating, retrieving and providing such information in accordance with the Act.

(2) In estimating projected costs ?

(a) no account shall be taken of costs incurred in determining ?

(i) whether the authority holds the information specified in the request; or

(ii) whether the person seeking the information is entitled to receive the requested information or, if not so entitled, should nevertheless be provided with it or should be refused it; and

(b) any estimate of the cost of staff time in locating, retrieving or providing the information shall not exceed ?15 per hour per member of staff.

5 Excessive cost - prescribed amount

The amount prescribed for the purposes of section 12(1) of the Act (excessive cost of compliance) is ?600.

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

Recital 26

Whereas the principles of protection must apply to any information concerning an identified or identifiable person; whereas, to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person; whereas the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable?.

Article 8: The processing of special categories of information

1.Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.


[1] http://www.ico.gov.uk/~/media/documents/library/Data_Protection/Detailed_specialist_guides/PERSONAL_DATA_FLOWCHART_V1_WITH_PREFACE001.ashx

[2] http://www.ico.gov.uk/for_organisations/data_protection/the_guide/key_definitions.aspx

[3] [2002] EWHC 499 (QB)

[4] http://www.publications.parliament.uk/pa/ld200708/ldjudgmt/jd080709/comm-1.htm

[5] http://www.itspublicknowledge.info/nmsruntime/saveasdialog.aspx?lID=3085&sID=133