Decision 230/2011 | Scottish Information Commissioner

Home Decisions

Decision 230/2011

Decision 230/2011 Mr M Lillico and the University of Strathclyde

Qualification held by specified person

Reference No: 201100866
Decision Date: 15 November 2011

Summary

Mr Lillico requested from the University of Strathclyde (the University) confirmation as to whether a specified degree had been awarded to a specified individual.The University responded by withholding the information under section 38(1)(b) of FOISA, which relates to personal data, because it believed disclosure would breach certain of the data protection principles.Following a review, Mr Lillico remained dissatisfied and applied to the Commissioner for a decision.

Following an investigation, the Commissioner found that the University was correct to withhold the information under section 38(1)(b) of FOISA given the circumstances at the time it conducted its review.

Relevant statutory provisions and other sources

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions) and 38(1)(b), (2)(a)(i) and (b) and (5) (definitions of "the data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA) section 1(1) (Basic interpretative provisions) (definition of "personal data"); Schedules 1 (The data protection principles: Part 1 ? The principles) (the first data protection principles) and 2 (Conditions relevant for purposes of the first principle: processing of any personal data) (condition 6)

The full text of each of the statutory provisions cited above is reproduced in the Appendix to this decision.The Appendix forms part of this decision.

Background

1.It may be helpful to explain that, during an interview, which appeared on a media website, a holder of certain public offices in another state was reported as having commented on their educational background with reference to a specified qualification from the University.

2.On 15 March 2011, Mr Lillico wrote to the University requesting information as to "whether, and if so, when" it had ever awarded a specific qualification to a named individual (further details of whom he provided).

3.The University responded on 6 April 2011, stating that it could neither confirm nor deny whether any particular individual had graduated from the University, without first obtaining their signed consent.It considered that disclosure in the circumstances would breach the first and second data protection principles, and consequently that the information was exempt under section 38(1)(b) of FOISA.

4.On 6 April 2011, Mr Lillico wrote to the University requesting a review of its decision.He believed that information as to whether an individual had been awarded a degree would have been made public at the time of the award or graduation, and therefore was no longer entitled to protection as personal information.

5.The University notified Mr Lillico of the outcome of its review on 9 May 2011, explaining that, having considered the points raised by Mr Lillico, it was upholding its original decision as it could not identify grounds for disclosure.

6.On 12 May 2011, Mr Lillico wrote to the Commissioner, stating that he was dissatisfied with the outcome of the University's review and applying to the Commissioner for a decision in terms of section 47(1) of FOISA.

7.The application was validated by establishing that Mr Lillico had made a request for information to a Scottish public authority and had applied to the Commissioner for a decision only after asking the authority to review its response to that request.

Investigation

8.On 16 May 2011, the University was notified in writing that an application had been received from Mr Lillico and was asked to provide the Commissioner with any information withheld from him. The University responded with the information requested and the case was then allocated to an investigating officer.

9.The investigating officer subsequently contacted the University, giving it an opportunity to provide comments on the application (as required by section 49(3)(a) of FOISA) and asking it to respond to specific questions.These were focused on the requirements of section 38(1)(b) of FOISA.

10.On 24 June 2011, the University provided its submissions, confirming its reliance upon section 38(1)(b) of FOISA as read with section 38(2)(a)(i) or (b).It argued that the first and second data protection principles would be breached by disclosure.It also commented on its understanding of information already in the public domain.

11.Following his application, the investigating officer also invited Mr Lillico to comment further on his legitimate interest in obtaining the withheld personal data.Further submissions were received from him on this point.

12.The relevant submissions received from both the University and Mr Lillico will be considered further in the Commissioner's analysis and findings below.

Commissioner's analysis and findings

13.In coming to a decision on this matter, the Commissioner has considered all of the withheld information and the submissions made to him by both Mr Lillico and the University and is satisfied that no matter of relevance has been overlooked.

Section 38(1)(b) ? personal information

14.Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or (as appropriate) section 38(2)(b), exempts information if it is personal data and if its disclosure to a member of the public otherwise than under FOISA would breach any of the data protection principles set out in Schedule 1 to the DPA.

15.The exemption in section 38(1)(b) is an absolute exemption, not subject to the public interest test laid down by section 2(1)(b) of FOISA.

Is the information personal data?

16.Personal data is defined in section 1(1) of the DPA as data which relate to a living individual who can be identified a) from those data, or b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller (the full definition is set out in the Appendix).

17.The Commissioner accepts that the withheld information is personal data as defined in section 1(1) of the DPA, as it clearly relates to a living individual who can be identified from that information.The Commissioner will now go on to consider whether this information is exempt from disclosure under section 38(1)(b) of FOISA.

Would disclosure breach the first data protection principles?

18.The University argued that disclosure of the information requested by Mr Lillico would breach the first data protection principle, which requires that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met.In the case of sensitive personal data, at least one of the conditions in Schedule 3 to the DPA must also be met.The processing in this case would be disclosure of the information in response to Mr Lillico's request.

19.The Commissioner does not consider any of the personal data withheld in this case to be sensitive personal data as defined by section 2 of the DPA.He will therefore consider only whether any of the conditions in Schedule 2 to the DPA would permit disclosure of the information.

Can any of the conditions in Schedule 2 to the DPA be met?

20.The Commissioner considers that condition 6 in Schedule 2 of the DPA would appear to be the only condition which might permit disclosure of the personal data requested by Mr Lillico.The University's submissions also referred to condition 1, noting that this could not be met as it did not have the data subject's consent to disclosure.In the circumstances, the Commissioner accepts that the University could not reasonably have been expected to seek that consent (and that no consent had in fact been given) and therefore does not consider condition 1 to be relevant.

21.Condition 6 allows personal data to be processed if the processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

22.There are a number of different tests which must therefore be satisfied before condition 6 can be met.These are:

Does Mr Lillico have a legitimate interest in obtaining the personal data?

If he does, is the disclosure necessary to achieve these legitimate aims?In other words, is the disclosure proportionate as a means and fairly balanced as to ends, or could these legitimate aims be achieved by means which interfere less with the privacy of the data subject (the individual to whom the data relate)?

Even if the processing is necessary for Mr Lillico's legitimate purposes, would the disclosure nevertheless cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subject?

23.There is no presumption in favour of the release of personal data under the general obligation laid down by FOISA.Accordingly, the legitimate interests of Mr Lillico must outweigh the rights and freedoms or legitimate interests of the data subject before condition 6 will permit the personal data to be disclosed.If the two are evenly balanced, the Commissioner must find that the University was correct to refuse to disclose the personal data to Mr Lillico.

Does Mr Lillico have a legitimate interest?

24.In its response to Mr Lillico's request, the University acknowledged that Mr Lillico felt there was a public interest in verifying the claims of those standing for office, but submitted that there was nothing within the DPA which would permit it to assist Mr Lillico with such a verification process in this instance.In its submissions to the Commissioner, it contended that it was aware of no personal legitimate interest which the applicant had in disclosure, or of any wider public interest in that disclosure.

25.In his application, Mr Lillico advanced his view that it was a matter of substantial public interest that the claims of those seeking public office should be capable of being verified, noting that he considered the data subject to have claimed in a public document to have been awarded a certain qualification by the University.He also submitted that the awarding of a degree by a publicly funded University was a matter of public record and therefore did not qualify for protection as personal information.

26.The Commissioner has noted, however, that the data subject did not appear on their party's list of candidates standing in the most recent elections to the relevant authority.This was scheduled for publication on 26 April 2011 and Mr Lillico acknowledged that it had been published on or around that date.He also advised, however, that he did not become aware that the individual was not standing until the time of the elections (at the end of May): he indicated that he believed the data subject "fully expected" to stand in these elections, although no evidence was provided to substantiate this belief.In any event, it appears clear that the party lists (which did not provide backing for any such expectation) were in the public domain at the time the University carried out its review in respect of Mr Lillico's request.

27.The Commissioner has considered very carefully the sequence of events and the particular circumstances of this case with regard to the question of legitimate interest.While he is prepared to accept there may have been a legitimate interest in disclosure at the time Mr Lillico initially submitted his request, he must also find that that by the time the University communicated the outcome of its review to Mr Lillico the position had changed.It had become apparent that the data subject was no longer pursuing public office.

28.Mr Lillico has pointed out that the data subject continues to occupy a position in a local association for foreign residents, but the Commissioner cannot accept that this (voluntary) role gives rise to a legitimate interest in disclosure in the same way as the pursuit or holding of public elected office.While there may well be circumstances in which the public interest in relation to scrutiny and accountability in respect of the fitness and probity of public office holders gives rise to a legitimate interest in disclosure of information of this kind, the Commissioner cannot accept that this is such a case.In the circumstances outlined above, the Commissioner considers that any legitimate interest Mr Lillico may have had when he initially submitted his request no longer existed at the time the University was carrying out its review.

29.Having reached this conclusion, the Commissioner is not required to (and consequently will not) go on to consider the remaining tests set out in paragraph 22 above.In the absence of a legitimate interest in obtaining the information, he must conclude that condition 6 in Schedule 2 to the DPA could not have been met in the event that the withheld personal data had been disclosed in response to Mr Lillico's request for information.In the absence of a condition permitting disclosure, he would also find that disclosure to be unlawful.In all the circumstances, therefore, the Commissioner is satisfied that the University was entitled to withhold the requested information under the exemption in section 38(1)(b) of FOISA.

DECISION

The Commissioner finds that the University of Strathclyde complied with Part 1 (and in particular section 1(1)) of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by Mr Lillico.

Appeal

Should either Mr Lillico or the University of Strathclyde wish to appeal against this decision, there is an appeal to the Court of Session on a point of law only.Any such appeal must be made within 42 days after the date of intimation of this decision notice.

Margaret Keyse
Head of Enforcement
15 November 2011

Appendix

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that ?

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption ?

(e) in subsection (1) of section 38 ?

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

...

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

(b)in any other case, that such disclosure would contrive any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

Data Protection Act 1998

1 Basic interpretative provisions

(1)In this Act, unless the context otherwise requires ?

"personal data" means data which relate to a living individual who can be identified ?

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

Schedule 1 ? The data protection principles

Part I ? The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless ?

(a) at least one of the conditions in Schedule 2 is met, and

(b)in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

Schedule 2 ? Conditions relevant for purposes of the first principle: processing of any personal data

...

6. (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.