Decision 220/2011 Mr D and the City of Edinburgh Council
Processing of a letter
Reference No: 201101333
Decision Date: 8 November 2011
Summary
Mr D requested from the City of Edinburgh Council (the Council) certain details relating to the processing of a letter from one of his tenants.The Council initially responded by withholding the information under section 38 of the Freedom of Information (Scotland) Act 2002 (FOISA), on the basis that it was third party data. Following a review, at the end of which the Council advised Mr D that it did not in fact hold the information he had requested, Mr D applied to the Commissioner for a decision.
Following an investigation, the Commissioner found that the Council did hold information falling within the scope of Mr D's request, but that it was entitled to withhold that information on the basis that it was personal data, the disclosure of which would breach the first data protection principle.The information the Council held was therefore exempt from disclosure under section 38(1)(b) of FOISA.
Relevant statutory provisions and other sources
Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 17(1) (Notice that information is not held) and 38(1)(b), (2)(a)(i) and (b), and (5) (definitions of "the data protection principles", "data subject" and "personal data") (Personal information)
Data Protection Act 1998 (the DPA) section 1(1) (Basic interpretative provisions) (definition of "personal data"); Schedules 1 (The data protection principles) (the first data protection principle) and 2 (Conditions relevant for purposes of the first principle: processing of any personal data) (condition 6)
The full text of each of the statutory provisions cited above is reproduced in the Appendix to this decision.The Appendix forms part of this decision.
Background
1.It may be helpful to explain, by way of background, that in November 2005, Mr D delivered a letter to the Council in person, which was signed by one of his tenants.Mr D was given a receipt by the Council upon delivery of the letter.His request relates to processing of this letter.
2.On 13 May 2011, Mr D wrote to the Council describing the letter he handed in to the Council in 2005 and its delivery.He requested from the Council a "fully detailed account of the complete administrative process which was followed by local authority staff in dealing with this externally hand delivered document", after its initial handover to reception staff, including:
a.details of the individual stages of processing
b.details of all the specific actions and the procedures followed by all staff members in processing and administering the letter, including who had scanned the document and which individuals it had been allocated to within a specified section, with the names and job titles of the relevant staff members
c.all associated electronic data, including computer held dates, scanned dates, file dates, file access dates, timestamps and all audit logs, with the names and job titles of all staff members processing or viewing/accessing the documents on the Council's systems.
3.The Council responded on 10 June 2011 by withholding the information requested under section 38 of FOISA, explaining that it did not consider Mr D to be the data subject in respect of the information and that it believed its disclosure would contravene the data protection principles.
4.On 13 June 2011, Mr D wrote to the Council requesting a review of its decision.He commented that his request did not relate to the content of the letter (i.e. his tenant's personal data) but to details of the administration process applied to the letter after he had handed it in.
5.The Council notified Mr D of the outcome of its review on 12 July 2011, noting that his request was for a detailed account of the complete administrative process followed by the Council's staff in dealing with and administering his letter.It indicated that it did not hold such detailed information (in effect, an audit of the handling of the letter) for the handling of individual items of correspondence.
6.On 13 June 2011, Mr D wrote to the Commissioner, stating that he was dissatisfied with the outcome of the Council's review and applying to the Commissioner for a decision in terms of section 47(1) of FOISA.
7.The application was validated by establishing that Mr D had made a request for information to a Scottish public authority and had applied to the Commissioner for a decision only after asking the authority to review its response to that request.The case was then allocated to an investigating officer.
Investigation
8.On 4 August 2011, the Council was notified in writing that an application had been received from Mr D, giving it an opportunity to provide comments on the application (as required by section 49(3)(a) of FOISA) and asking it to respond to specific questions.In particular, the Council was asked to provide details of the steps it had taken to establish whether it held any relevant information, and also of any relevant protocols, guidance and recording systems.It was also asked to clarify whether it still wished to apply section 38 of FOISA in respect of any such information.
9.The Council provided detailed submissions (dated 1 September 2011) explaining that it had not carried out any searches when dealing with Mr D's information request or his request for review, noting that it had taken the view that any relevant information would be exempt under section 38 of FOISA.In addition, it had been in the process of implementing a document management system at the time and no document audit trail existed for any documents not recorded on the system.It had, however, carried out further searches during the investigation, which identified some information relevant to Mr D's request.The Council wished to withhold the information it held under section 38(1)(b) of FOISA.It also described its processes for handling and tracking incoming mail.
Commissioner's analysis and findings
10.In coming to a decision on this matter, the Commissioner has considered all of the withheld information and the submissions made to him by both Mr D and the Council and is satisfied that no matter of relevance has been overlooked.
Information held by the Council
11.The Commissioner has considered the Council's submissions and is satisfied, on balance, that it held information falling within the scope of Mr D's request at the time that request was received.In claiming otherwise in response to Mr D's request for review, therefore, it breached section 1(1) of FOISA.The Council has also argued, however (as it did initially in response to Mr D's information request), that it was entitled to withhold any information it held under section 38(1)(b) of FOISA.
Section 38(1)(b) ? personal information
12.The Council withheld details of the process applied to the letter, including details of employees carrying out the processing, on the grounds that disclosure of these details would reveal the overall outcome of the Council's assessment of a third party's circumstances, thus disclosing that third party's personal data.It considered that Mr D was not entitled to be informed how the Council had assessed his tenant, nor did it consider that it should disclose the names of its staff or their job titles, explaining what effects disclosure would have on the staff concerned. The Council applied the exemption under section 38(1)(b) of FOISA to all the withheld information.
13.Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or (as appropriate) section 38(2)(b), exempts information if it is personal data and if its disclosure to a member of the public otherwise than under FOISA would breach any of the data protection principles set out in Schedule 1 to the DPA.
14.The exemption in section 38(1)(b) is an absolute exemption, not subject to the public interest test laid down by section 2(1)(b) of FOISA.
Is the information personal data?
15.Personal data is defined in section 1(1) of the DPA as data which relate to a living individual who can be identified a) from those data, or b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller (the full definition is set out in the Appendix).
16.The Commissioner accepts that the names of the employees involved in the processing is personal data as defined in section 1(1) of the DPA, as it relates to living individuals who can be identified from that information.He also accepts that information relating to assessment of the tenant's personal circumstances (e.g. finances, home address etc) is personal data as it too relates to a living individual, in this case the tenant, and to their personal circumstances.For this reason, the Commissioner is satisfied that details of the processing of the letter referred to in Mr D's request, given its content and marking, constitutes the personal data of the tenant. The Commissioner will go on to consider whether this information is exempt from disclosure under section 38(1)(b) of FOISA.
Would disclosure breach the first data protection principle?
17.The Council argued that disclosure of the information requested by Mr D would breach the first data protection principle, which requires that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met and, in the case of sensitive personal data, at least one of the conditions in Schedule 3 to the DPA is also met.
18.The Commissioner does not consider any of the personal data withheld in this case to be sensitive personal data, as defined in section 2 of the DPA.He will therefore only consider whether any of the conditions in Schedule 2 to the DPA would permit disclosure of the information.
Can any of the conditions in Schedule 2 to the DPA be met?
19.When considering the conditions in Schedule 2, the Commissioner notes Lord Hope's comment in Common Services Agency v Scottish Information Commissioner [2008] UKHL 47[1] that the conditions require careful treatment in the context of a request for information under FOISA, given that they were not designed to facilitate the release of information, but rather to protect personal data from being processed in a way that might prejudice the rights and freedoms or legitimate interests of the data subject.
20.The Commissioner considers that condition 6 of Schedule 2 of the DPA would appear to be the only condition which might permit disclosure of the personal data requested by Mr D. Condition 6 allows personal data to be processed if the processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
21.There are a number of different tests which must therefore be satisfied before condition 6 can be met.These are:
Does Mr D have a legitimate interest in obtaining the personal data?
If he does, is the disclosure necessary to achieve these legitimate aims?In other words, is the disclosure proportionate as a means and fairly balanced as to ends, or could these legitimate aims be achieved by means which interfere less with the privacy of the data subjects?(In this case, the data subjects are the Council employees covered by the terms of Mr D's request and also the tenant.)
Even if the processing is necessary for Mr D's legitimate purposes, would the disclosure nevertheless cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects?
22.There is no presumption in favour of the release of personal data under the general obligation laid down by FOISA.Accordingly, the legitimate interests of Mr D must outweigh the rights and freedoms or legitimate interests of the data subjects before condition 6 will permit the personal data to be disclosed.If the two are evenly balanced, the Commissioner must find that the Council was correct to refuse to disclose the personal data to Mr D.
Does Mr D have a legitimate interest?
23.Mr D explained that he wished to know the names and job titles of the individual staff who had processed the correspondence, together with their sections, to verify that the letter had been processed as per the marking he had given it and in accordance with his expectations. He also confirmed his understanding that correspondence marked in this way could be expected to be processed by a particular section in the Council (and by inference with a particular outcome).He explained that his focus was not the tenant (whose letter was handed in by Mr D) but, rather, scrutiny of the actual processing involved.In particular, because Mr D handed the letter in and signed the receipt, he considered he was entitled to know how it had been processed, particularly as he had marked it in a particular way and wanted to be certain it reached the appropriate section with the expected outcome.
24.Having considered Mr D's submissions, the Commissioner accepts that he has a legitimate interest in the matters he has described.
Is disclosure necessary to achieve these legitimate aims?
25.The Council commented that Mr D had essentially requested a detailed audit trail, in respect of a particular piece of correspondence, knowledge of which, it claimed, would confirm the outcome of any assessment the Council made of another person (i.e. the tenant) by virtue of confirming which of the teams/job titles carried out the processing.
26.Having considered the points above, the Commissioner is not sufficiently satisfied that Mr D requires the names of individual staff (or their job titles) to confirm which section of the Council undertook processing.It would be sufficient to know which section processed the letter, without knowing which employees were involved or their job titles.Consequently, the Commissioner does not accept that disclosure of the names and job titles of the Council employees, or any other personal data indicating their participation in the processing of the letter, is necessary to meet Mr D's legitimate interests.He therefore finds that condition 6 of Schedule 2 to the DPA cannot be met in relation to these data.In the absence of a condition permitting disclosure, disclosure would be unlawful.Disclosure of these data would therefore contravene the first data protection principle, which means that such information is exempt from disclosure under section 38(1)(b) of FOISA.
27.The Commissioner must also consider the remaining information with a view to determining whether disclosure is necessary to achieve Mr D's legitimate aims.Having considered these aims, the nature of the information requested and all other circumstances of this case, he would conclude that (for certain purposes at least) there would be no other way of doing this.Consequently, he cannot identify a means of meeting Mr D's legitimate interests which would be less intrusive than disclosure of the remaining information (e.g. the details of the processing of the letter including confirmation of which team undertook the processing).
28.As the Commissioner is satisfied that disclosure of the withheld information would be necessary to achieve Mr D's legitimate interests, at least in part, he is required to go on to consider whether it would nevertheless cause unwarranted prejudice to the rights, freedoms or legitimate interests of the data subject (i.e. the tenant) whose data comprise that withheld information.
Would disclosure cause unwarranted prejudice to the rights and freedoms or legitimate interests of the tenant who is the subject of the processing?
29.The Council explained its systems for processing incoming mail.Its concern was that to divulge the detail of the processing to Mr D (i.e. how it was categorised and therefore which team undertook the processing) would in effect be disclosing to him how his tenant was assessed and, by implication, would place into the public domain the nature of the tenant's financial and home circumstances.
30.Having reviewed the supporting documentation supplied by the Council, the Commissioner is satisfied that disclosure would have the effect of releasing into the public domain information pertaining to the tenant's personal and financial circumstances and on this basis he considers that disclosure would constitute an unwarranted intrusion into the private life of the data subject (the tenant).
31.On balance, therefore, the Commissioner finds that any legitimate interests served by disclosure of the withheld information to Mr D would not outweigh the unwarranted prejudice that would be caused to the rights, freedoms or legitimate interests of the data subject.The Commissioner is therefore satisfied that condition 6 in Schedule 2 to the DPA is not met in this case.
32.Having accepted that disclosure of the withheld information would lead to unwarranted prejudice to the rights, freedoms and legitimate interest of the data subject (the tenant), as described above, the Commissioner must also conclude that disclosure would be unfair.As condition 6 is not met, he would also regard disclosure as unlawful.In all the circumstances, therefore, the Commissioner's conclusion is that the first data protection principle would be breached by disclosure and therefore that the personal data were properly withheld under section 38(1)(b) of FOISA.
DECISION
The Commissioner finds that the Council partially failed to comply with Part 1 (and in particular section 1(1)) of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by Mr D.He finds that the Council held information falling within the scope of Mr D's request.He accepts, however, that the Council was entitled to withhold this information under section 38(1)(b) of FOISA and, in the circumstances, does not require the Council to take any action.
Appeal
Should either Mr D or the Council wish to appeal against this decision, there is an appeal to the Court of Session on a point of law only.Any such appeal must be made within 42 days after the date of intimation of this decision.
Margaret Keyse
Head of Enforcement
8 November 2011
Appendix
Relevant statutory provisions
Freedom of Information (Scotland) Act 2002
1 General entitlement
(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.
?
(6) This section is subject to sections 2, 9, 12 and 14.
2 Effect of exemptions
(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that ?
(a) the provision does not confer absolute exemption; and
?
(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption ?
?
(e) in subsection (1) of section 38 ?
?
(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.
17 Notice that information is not held
(1) Where-
(a) a Scottish public authority receives a request which would require it either-
(i) to comply with section 1(1); or
(ii) to determine any question arising by virtue of paragraph (a) or (b) of section 2(1),
if it held the information to which the request relates; but
(b) the authority does not hold that information,
it must, within the time allowed by or by virtue of section 10 for complying with the request, give the applicant notice in writing that it does not hold it.
...
38 Personal information
(1) Information is exempt information if it constitutes-
?
(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;
...
(2) The first condition is-
(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-
(i) any of the data protection principles; or
...
(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.
?
(5) In this section-
"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;
"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;
?
Data Protection Act 1998
1Basic interpretative provisions
(1)In this Act, unless the context otherwise requires ?
?
"personal data" means data which relate to a living individual who can be identified ?
(a)from those data, or
(b)from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;
?
Schedule 1 ? The data protection principles
Part I ? The principles
1.Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless ?
(a)at least one of the conditions in Schedule 2 is met, and
?
Schedule 2 ? Conditions relevant for purposes of the first principle: processing of any personal data
...
6(1)The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
?
[1] http://www.publications.parliament.uk/pa/ld200708/ldjudgmt/jd080709/comm-1.htm
