Decision 249/2011 Mr Ralph Lucas and the University of Strathclyde

Information relating to graduating students

Reference No: 201000920
Decision Date: 16 December 2011

Summary

Mr Ralph Lucas requested from the University of Strathclyde (the University) statistical data relating to certain students who had graduated from the University in the academic years 2006/7 to 2008/9 inclusive. The University responded by advising Mr Lucas that it considered the information to be exempt from disclosure in terms of section 38(1)(b) of the Freedom of Information (Scotland) Act 2002 (FOISA), on the basis that the disclosure of the information would identify individual graduates and disclosure would be unlawful under the Data Protection Act 1998 (the DPA). Following a review, Mr Lucas remained dissatisfied and applied to the Commissioner for a decision.

Following an investigation, the Commissioner found that the exemption did not apply to the statistical data. While he accepted that it was possible that disclosure would identify individuals (and he therefore agreed that the statistical data requested by Mr Lucas comprised personal data), he did not consider that disclosure would breach the DPA. He therefore required the University to provide Mr Lucas with the requested information.

Relevant statutory provisions and other sources

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions) and 38(1)(b), (2)(a)(i) and (b) and (5) (definitions of "data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA) sections 1(1) (Basic interpretative provisions – definition of "personal data"); 2(a), (c) and (e) (Sensitive personal data) and Schedules 1 (The data protection principles – the first and second principles) and 2 (Conditions relevant for purposes of the first principle: processing of any personal data) (condition 6)

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data: Recital 26 and Article 8.1

The full text of each of the statutory provisions cited above is reproduced in the Appendix to this decision. The Appendix forms part of this decision.

Common Services Agency v Scottish Information Commissioner [2008] UKHL 47 www.publications.parliament.uk/pa/ld200708/ldjudgmt/jd080709/comm-1.htm

Department of Health v Information Commissioner [2011] EWHC 1430 (Admin) http://www.bailii.org/ew/cases/EWHC/Admin/2011/1430.html

Craigdale Housing Association and others v Scottish Information Commissioner [2010] CSIH 43 http://www.scotcourts.gov.uk/opinions/2010CSIH43.html

Campbell v Mirror Group Newspapers [2002] EWHC 299

Background

1. On 5 January 2010, Mr Lucas emailed the University requesting the following information:

a) For each student graduating from an undergraduate course in the academic years 2006/7 to 2008/9 inclusive who has consented to having their data published:

Gender

School (where known, as whatever variant or combination of the five digit school code, the seven digit school code, the school name and postcode come most easily to hand)

Faculty

wherever students of a given gender graduating from a faculty came from at least 10 different schools; and

b) For each student graduating from an undergraduate course in the academic years 2006/7 to 2008/9 inclusive who has consented to having their data published but whose data has not been disclosed above:

Gender

School (where known, as whatever variant or combination of the five digit school code, the seven digit school code, the school name and postcode come most easily to hand).

2. The University responded on 15 February 2010. In relation to request a), the University provided Mr Lucas with data relating to those schools where there were five or more graduates of the same gender from the same school graduating from the same faculty. In relation to request b), the University provided Mr Lucas with the requested data, except that where there were less than five graduates of the same gender from the same school, the number was replaced with the symbol "<5". The University explained that the information that had been redacted and anonymised comprised personal data which it considered to be exempt from disclosure in terms of section 38(1)(b) of FOISA on the basis that its disclosure would breach the first and second data protection principles in the DPA.

3. On 26 February 2010, Mr Lucas emailed the University requesting a review of its decision. In particular, Mr Lucas argued that the information that he had requested did not comprise personal data.

4. The University notified Mr Lucas of the outcome of its review on 26 March 2010 upholding its previous decision without modification.

5. On 29 April 2010, Mr Lucas wrote to the Commissioner, stating that he was dissatisfied with the outcome of the University's review and applying to the Commissioner for a decision in terms of section 47(1) of FOISA.

6. The application was validated by establishing that Mr Lucas had made a request for information to a Scottish public authority and had applied to the Commissioner for a decision only after asking the authority to review its response to that request.

Investigation

7. On 4 May 2010, the University was notified in writing that an application had been received from Mr Lucas and was asked to provide the Commissioner with any information withheld from him. The University responded with the information requested and the case was then allocated to an investigating officer.

8. The investigating officer subsequently contacted the University, giving it an opportunity to provide comments on the application (as required by section 49(3)(a) of FOISA) and asking it to respond to specific questions.

9. The University responded on 25 June 2010, providing submissions on its application of the exemption in section 38(1)(b) of FOISA to the information requested by Mr Lucas.

10. The investigating officer subsequently sought (and received) additional submissions from the University concerning the application of section 38(1)(b) and examples of how individuals could be identified through the disclosure of the requested information.

11. The investigating officer also contacted Mr Lucas during the investigation, seeking his submissions on the matters to be considered in the case. The submissions received from both Mr Lucas and the University are summarised and considered (where relevant) in the Commissioner's analysis and findings section below.

Commissioner's analysis and findings

12. In coming to a decision on this matter, the Commissioner has considered all of the withheld information and the submissions made to him by both Mr Lucas and the University and is satisfied that no matter of relevance has been overlooked.

Section 38(1)(b) of FOISA – Personal information

13. Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) (or, where appropriate, 38(2)(b)), exempts information from disclosure if it is "personal data" as defined by section 1(1) of the DPA, and its disclosure would contravene one or more of the data protection principles set out in Schedule 1 to the DPA. This exemption is absolute in that it is not subject to the public interest test laid down by section 2(1)(b) of FOISA.

14. The University has argued that the information sought by Mr Lucas comprised personal data and, in some instances, sensitive personal data. It submitted that the disclosure of this information would breach the first and second data protection principles of the DPA.

Are the statistics personal data?

15. The Commissioner will first consider whether the information withheld is personal data. "Personal data" is defined in section 1(1) of the DPA as data which relate to a living individual who can be identified a) from those data, or b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller (the full definition is set out in the Appendix). The DPA gives effect to Directive 95/46/EC on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data (the Directive) and so the DPA should, if possible, be interpreted in a manner which is consistent with the Directive.

16. In considering the definition of "personal data", the Commissioner has also taken account of the opinions delivered by the House of Lords in Common Services Agency v Scottish Information Commissioner, by the High Court of England and Wales in Department of Health v Information Commissioner and by the Court of Session in Craigdale Housing Association and others v Scottish Information Commissioner.

17. In its submissions, the University argued that the information comprised personal data as it could be matched by the University itself as data controller to the original datasets or other information held by the University.

18. In the Commissioner's view, this argument suggests that, if a data controller holds underlying identification data, information will always be personal data, regardless of the size of the statistic. (The Commissioner notes that the University chose to disclose data relating to those schools which had five or more students of the same gender graduating from the same faculty during the period detailed in Mr Lucas's request. If it were the case that the statistics were personal data simply because the University held the identifying information, then the figures which were disclosed would also have been personal data.)

19. This approach to the definition of personal data has not been followed by the courts. In the Common Services Agency case, which involved a request for statistics relating to childhood leukaemia in Dumfries and Galloway, the House of Lords concluded that the definition of "personal data" in the DPA must, in terms of recital 26 of the Directive, be taken to permit the disclosure of information which had been rendered fully anonymous in such a way that individuals were no longer identifiable from it, without having to apply the data protection principles.

20. Lord Hope's view (which attracted majority support in the Common Services Agency case) was that the definition of personal data under section 1(1) of the DPA provides for two means of identification: identification will either be from the data itself (which would not apply in the case of anonymous statistics) or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller.

21. Lord Hope's approach is to ask whether the "other information" (if provided to a hypothetical member of the public) adds anything to the statistics which would enable them to identify the underlying individuals. If the answer is no, the statistics are not personal data. The words in italics are important: if identification can be achieved from the "other information" in isolation (i.e. rather than when added to the statistics) then the statistics themselves are truly anonymous, and are not personal data.

22. This approach was considered by the High Court of England and Wales in the Department of Health case. That case involved a request for abortion statistics held by the Department of Health. As the University did here, the Department of Health argued that, because it held the data which would identify individual patients, the numbers of abortions which had been carried out were, given definition (b), personal data. However, this approach was rejected in the High Court by Cranston J, who commented:

"If that were the case, any publication would amount to the processing of … personal data … Thus, the statistic that 100,000 women had an abortion … would constitute personal data about each of these women, provided that the body that publishes this statistic has access to information which would enable it to identify each one of them. That is not a sensible result and would seriously inhibit the ability of healthcare organisations and other bodies to publish medical statistics."

23. It is therefore clear that the fact that a data controller holds the identifying information lying behind statistics does not automatically mean that the statistics are personal data. (In providing submissions to the Commissioner, the University also argued that, given the small numbers of students (i.e. less than five) involved, it would be possible to triangulate the data already available in the public domain to identify those students. Those arguments are considered in more detail below.) However, in deciding whether the disclosure of apparently anonymous statistics could identify an individual, what matters should be considered?

24. The Commissioner has noted the approach taken by the Court of Session in the Craigdale Housing Association case. The Court of Session referred to Recital 26 of the Directive, which states that, when determining whether a person is identifiable, account should be taken of all the means likely reasonably to be used to identify the data subject. As noted by the Court of Session, the test is therefore whether disclosure of the information would lead to the identification of an individual or whether there is other information in the public domain which, when taken with the information, would reasonably allow for such identification.

25. Guidance entitled "Determining what is personal data[1]" which has been issued by the (UK) Information Commissioner (who is responsible for enforcing the DPA throughout the UK) states that, in considering whether a person can be identified, it should be assumed that it is not just the means reasonably likely to be used by the ordinary man in the street to identify a person, but also the means which are likely to be used by a determined person with a particular reason to want to identify the individual.

26. The Commissioner therefore considered whether the numbers requested by Mr Lucas, together with other information already in the public domain (or as a result of action likely to be taken by a determined person to identify the individuals if the numbers were to be disclosed) would reasonably allow individual graduates to be identified. If disclosure of the numbers would reasonably allow for identification, then the numbers comprise personal data and cannot be disclosed unless there is a condition in Schedule 1 to the DPA which would permit the numbers to be disclosed. If disclosure of the numbers would not reasonably allow for identification, then the numbers do not comprise personal data and the exemption in section 38(1)(b) would not apply.

27. In its submissions to the Commissioner, the University argued that the disclosure of the statistics requested by Mr Lucas in certain cases could, taken in combination with other information already in the public domain, identify a graduate of the University. The University also provided examples showing how it considered that individual graduates could be identified from the information requested by Mr Lucas, when used in conjunction with other information.

28. As an illustration, the University explained how it believed the information sought by Mr Lucas, when used in tandem with information already in the public domain (e.g. through the Scottish Schools Online website, the websites of individual schools, social networking sites or data previously provided to Mr Lucas), could result in the identity of a graduate being disclosed. The University contended that, when combined with other information available in the public domain, triangulation could lead to an individual being identifiable within the statistical data sought by Mr Lucas.

29. The Commissioner has considered the information which would be provided by disclosure of the statistics. This would comprise, in each academic year requested by Mr Lucas, the name of a school, the name of a faculty and the number of male and female students who had attended that school and who had graduated from each faculty.

30. If this information is viewed in isolation, it appears to be anonymous, in that it does not permit the identification of any individual graduate represented by the statistics. However, the Commissioner must examine whether there are other factors or information which, considered alongside the statistics, would "unlock" the figures and permit identification of any of the individuals represented within the statistical data.

31. The Commissioner has considered the range of information that might potentially be available to the public about the individuals represented by the statistics. In this case, the statistical information under consideration only relates to graduates who have consented to their names and qualification results being published in "The Herald" newspaper (this is the reference to "consent" in the wording of Mr Lucas's request).

32. The Commissioner accepts that, where a person already knows that an individual is a graduate of the University, disclosure of the statistics in question may permit that person to identify the individual graduate as one of the statistical cohort. However, this in itself does not make the statistical information personal data; it is not the disclosure of the statistics which would identify the individual. The Commissioner must be able to satisfy himself that disclosure of the statistics would be the decisive factor leading to the identification of a specific graduate or would make identification possible where it was previously impossible.

33. As noted above, the University has provided examples of how it considers individual graduates can be identified by the triangulation of the data sought by Mr Lucas, the information published in the Herald newspaper and other publicly available information. The Commissioner has considered the examples supplied by the University and accepts that it is possible to identify an individual graduate through a combination of these information sources, albeit through a complex route.

34. The Commissioner is therefore satisfied that the statistical data sought by Mr Lucas does clearly relate to the individuals in question and comprise personal data as defined in section 1(1) of the DPA.

Would disclosure breach the second data protection principle?

35. The second data protection principle provides that personal data shall be obtained only for one or more specified and lawful purposes, and shall not be processed in any manner incompatible with that purpose or those purposes.

36. The sections on the interpretation of the Second Principle (in Part II of schedule 2 of the DPA) further provide that in deciding whether any disclosure of personal data is compatible with the purpose or purposes for which the data were obtained, consideration will be given to the purpose or purposes for which the personal data are intended to be processed by any person to whom they are disclosed.

37. The University submitted that the purposes which Mr Lucas has stated do not conform to the purposes for which the Universities and Colleges Admissions Service and the University itself obtained the personal data in question. The University argued that existing data cannot be used for new purposes without renewed consent and the University does not have consent for such processing. It considered that the disclosure of personal data for re-use for commercial purposes would breach the second data protection principle.

38. The Commissioner has considered the University's submissions along with comments made in decisions from the Information Commissioner (responsible for the enforcement of both the DPA and the Freedom of Information Act 2000 (FOIA)) that address the interpretation of the second data protection principle in the context of requests made under freedom of information law.

39. In decision FS50087443 (Maldon District Council), the Information Commissioner briefly considered whether the second data protection principle would be breached by release of certain personal data in response to a request under FOIA. Maldon District Council had argued that, because disclosure of information in response to freedom of information requests had not been specified in a fair collection notice issued to the data subjects concerned, disclosure of the information gathered in response to a request under FOIA would breach the second data protection principle. The Information Commissioner commented on this argument as follows:

The [Information] Commissioner considers that this is not a correct interpretation of the Data Protection Act. If [Maldon District] Council were correct in its interpretation, no disclosures of third party data would be permitted in response to FOI requests except where data subjects had been given prior notice. This would include cases where requests for information identified individuals acting in a public or official capacity in addition to information relating to their private lives.

The [Information] Commissioner considers that the correct interpretation of Principle 2 in this context is that the disclosure of third party data in response to a request submitted in accordance with other statutory rights is not inherently incompatible with any other lawful purpose for which information may be obtained. Principle 2 may, however, restrict the purposes for which a third party to whom personal data are disclosed may subsequently process those data.

The [Information] Commissioner considers that the central issue in considering whether or not the FOI Act requires the disclosure of personal data is not the second data protection principle but rather the first principle.

40. The Commissioner considers this reasoning to be relevant also in this case. He does not consider the processing of data in response to requests under FOISA to be incompatible with the other purposes for which the data was gathered by the University. The Commissioner also notes that the University has already disclosed relevant data in relation to figures of five or greater (in the circumstances noted at paragraph 2 above) in response to Mr Lucas's request. It is not clear to him why the disclosure that the University has already made to Mr Lucas would not breach the second principle, but the disclosure of a figure below five would.

41. Having considered the University's submissions, the Commissioner is unable to accept that disclosure of the information sought by Mr Lucas would breach the second data protection principle.

Would disclosure breach the first data protection principle?

42. The first data protection principle states that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met and, in the case of sensitive personal data, at least one of the conditions in Schedule 3 to the DPA is also met.

43. In its submissions, the University has also argued that some of the information sought by Mr Lucas comprised sensitive personal data, for example, linking the name of a school with an individual could identify that individual's religious affiliation. The University considered that this could be an emotive issue, particularly in the West of Scotland.

44. The University also submitted that students with disabilities could be identified from knowledge of the school that they had attended. The University explained that it had checked a small sample of secondary schools from the requested information and had identified one school with a special Autism unit and one school with specialist teaching methods, although the University did not confirm whether any of the graduates whose data was being sought by Mr Lucas had attended these schools as a result of a disability or special educational requirement.

45. Additionally, the University provided the Commissioner with a list of special schools which it had obtained from the internet. The University did not provide the Commissioner with any specific examples of graduates who had attended any of these schools. However, in previous submissions (in relation to a different application from Mr Lucas on a related subject), the University had indicated that its Student Support Services staff had provided an assurance that there were students attending the University who had previously attended special schools. The Commissioner notes that it is possible that some of those students will be included within the data being sought by Mr Lucas in his current request.

46. The Commissioner has considered the definition of sensitive personal data set out in section 2 of the DPA, and he is not satisfied that the disclosure of personal data in this case can be said to comprise the processing of sensitive personal data. In coming to this conclusion, he has noted the wording of Article 8 of the Directive, which prohibits Member States from processing personal data revealing (emphasis added) a person's religious or philosophical beliefs.

47. He has also noted the (UK) Information Commissioner's guidance "Key definitions of the Data Protection Act[2]". In the section headed "What is personal data?", the guidance states:

"Religion or ethnicity, or both, can often be inferred with varying degrees of certainty from dress or name. For example, many surnames are associated with a particular ethnicity or religion, or both, and may indicate the ethnicity and religion of the individuals concerned. However, it would be absurd to treat all such names as "sensitive personal data", which would mean that to hold such names on customer databases you had to satisfy a condition for processing sensitive personal data. Nevertheless, if you processed such names specifically because they indicated ethnicity or religion, for example to send marketing materials for products and services targeted at individuals of that ethnicity or religion, then you would be processing sensitive personal data. In any event, you must take care when making assumptions about individuals as you would be collecting inaccurate personal data."

48. Finally, the Commissioner took account of the view of the (English and Welsh) High Court in the case of Naomi Campbell v Mirror Group Newspapers[3] which confirmed the view of the Information Commissioner: photographs of Ms Campbell did indeed disclose sensitive personal data concerning her racial origin, but that was incidental to the purpose for the publication of the photographs.

49. The Commissioner therefore takes the view that whether disclosure of the information requested by Mr Lucas amounts to the processing of sensitive personal data will depend on the purpose of the processing and that, in any event, for processing to amount to processing of sensitive personal data, the processing should reveal sensitive personal data.

50. In this case, Mr Lucas is not seeking the numbers of children of any specified religion or faith, who have gone on to attend and later graduate from the University. He is simply interested in finding out which subjects children chose to study from which schools. There is no targeting of a specific religion or faith. If the disclosure of this information would reveal a person's religious beliefs (which the Commissioner does not believe to be the case – see below), then that would be incidental to the purpose for which the information is being processed. In the words of the Information Commissioner, it would be "absurd" to treat such information as sensitive personal data.

51. The Commissioner does not consider that disclosing the information would reveal a person's religious beliefs. Whilst it may be more likely that individuals attending a denominational school or originating from an area where the population largely comprises one particular religious faith will be a member of that particular faith, the disclosure of the numbers sought by Mr Lucas will not by themselves reveal an individual's faith.

52. Denominational or faith schools cannot refuse to accept prospective pupils on the basis that they are of a different faith (although the faith of the child may be relevant if the school is oversubscribed). There are a number of reasons why parents with no religious beliefs or with different religious beliefs place their children in a particular denominational or faith school (or, indeed, a non-denominational school), e.g. proximity to the home, the belief that the school will provide a better education for their child or the fact that a relative also attends that school. In any event, the Commissioner does not consider that the fact of attendance at a denominational school some years before graduating (in some of the figures Mr Lucas has asked for, three years will have passed since graduation) can be construed as information as to a person's religious beliefs.

53. Additionally, although the University has indicated that some of its graduates may have attended special schools, it has not provided the Commissioner with the names of any such schools or any evidence that any of the graduates in question did attend such a school as a result of a disability or special educational requirement.

54. Accordingly, the Commissioner does not consider that the University has demonstrated that disclosing the information sought by Mr Lucas would reveal whether any individual graduate has a disability.

55. Having concluded that he cannot accept that any of the information under consideration comprises sensitive personal data, it is therefore not necessary for the Commissioner to consider the conditions in Schedule 3 of the DPA in this case.

Can any of the conditions in Schedule 2 to the DPA be met?

56. When considering the conditions in Schedule 2 to the DPA, the Commissioner has noted Lord Hope's comment in the case of the Common Services Agency v Scottish Information Commissioner[4] (the Collie judgement) that the conditions require careful treatment in the context of a request for information under FOISA, given that they were not designed to facilitate the release of information but rather to protect personal data from being processed in a way that might prejudice the rights, freedoms or legitimate interests of the data subject.

57. The Commissioner considers condition 6 to be the only condition in Schedule 2 which might permit disclosure in this case. Condition 6 permits personal data to be processed if the processing (which in this case would be by disclosure in response to Mr Lucas's information request) is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights, freedoms or legitimate interests of the data subject (the individual(s) to whom the withheld information relates). It is clear from the wording of this condition that each case will turn on its own facts and circumstances.

58. There are, therefore, a number of different tests which must be considered before condition 6 can be met. These are:

a. Does Mr Lucas have a legitimate interest in obtaining the withheld personal data?

b. If yes, is the disclosure necessary to achieve these legitimate aims? In other words, is the disclosure proportionate as a means and fairly balanced as to ends, or could these legitimate aims be achieved by means which interfere less with the privacy of the individual in question?

c. Even if the processing is necessary for Mr Lucas's legitimate purpose, would the disclosure nevertheless cause unwarranted prejudice to the rights and freedoms or legitimate interests of the individual? As noted by Lord Hope in the Collie judgement there is no presumption in favour of the release of personal data under the general obligation laid down in FOISA. Accordingly, the legitimate interests of Mr Lucas must outweigh the rights, freedoms or legitimate interests of the data subject before condition 6(1) will permit the personal data to be disclosed. If the two are evenly balanced, the Commissioner must find that the University was correct to refuse to disclose the personal data to Mr Lucas.

Does Mr Lucas have a legitimate interest?

59. In his submissions to the Commissioner, Mr Lucas argued that the information would help parents understand the qualities of schools that they are considering sending their children to (it should be noted that Mr Lucas is the author of "The Good Schools Guide", which provides information and advice about schools throughout the United Kingdom). He considered that the best way to judge an educational institution was by its pupils and, although exam results were one part of this picture, more was revealed by the pattern of university courses that pupils chose. He considered this showed something of the pupils' ambitions, expectations and mindsets as well as their achievements.

60. Mr Lucas also submitted that the data would be used, in his view, to provide an insight into a specific school that was not available elsewhere and provided a base from which to enquire into the ambitions, capabilities and spirit which the school had inculcated into its pupils. He explained that he intended making the information about schools which was produced as a result of obtaining information from the University available on the Good Schools Guide website.

61. In its submissions, the University pointed out that Mr Lucas had stated that he wishes to publish the data on the internet at the level of an individual student's data. The University also submitted that no general public interest or demand for this information had been evidenced.

62. Having considered the submissions of both parties, the Commissioner accepts that Mr Lucas's role as author of the Good Schools Guide leads to him obtaining and publishing information which affects, and is of interest to, the wider public. In the circumstances, the Commissioner accepts that Mr Lucas has a legitimate interest (as do the wider public) in obtaining the requested information.

Is disclosure of the information necessary to achieve those legitimate interests?

63. The Commissioner must now consider whether disclosure is necessary for those legitimate interests and in doing so he must consider whether these interests might reasonably be met by any alternative means.

64. In its submissions, the University argued that any general interest in such information is served by the Higher Education Statistics Agency (HESA) which provides fully anonymised statistics for all Universities.

65. The Commissioner has considered the information that is available through HESA, but has concluded that the exact information sought by Mr Lucas is not available to him from this organisation.

66. In this case, the Commissioner can identify no viable means of meeting Mr Lucas's legitimate interests which would interfere less with the privacy of the relevant data subjects other than by obtaining the information requested.

Would disclosure cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects?

67. As the Commissioner is satisfied that disclosure of the personal data would be necessary to fulfil Mr Lucas's legitimate interests, the Commissioner is now required to consider whether that disclosure would nevertheless cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subject. As noted above, this involves a balancing exercise between the legitimate interests of Mr Lucas and the data subjects in question. Only if the legitimate interests of Mr Lucas outweigh those of the data subjects in question can the information be disclosed without breaching the first data protection principle.

68. In the Commissioner's briefing on section 38 of FOISA[5], he notes a number of factors which should be taken into account in carrying out this balancing exercise. These include:

a) whether the information relates to the individual's public life (i.e. their work as a public official or employee) or their private life (i.e. their home, family, social life or finances);

b) the potential harm or distress that might be caused by disclosure;

c) whether the individual has objected to the disclosure;

d) the reasonable expectations of the individuals as to whether the information would be disclosed.

69. Mr Lucas submitted that his request merely asked for the last school that a graduate had attended and that all the other data was already a matter of public record in published graduation lists. He stated that he had not requested any information on an individual's present location. He also submitted that the school that an individual had attended is data that is widely and publicly available in that it will be known to all who were at the same school at the same time, to most who were in the same community at that time and, in most cases, to that person's friends and relatives.

70. Mr Lucas also argued that the likelihood of an individual being identified from the information being sought was very small, given the additional information that would need to be known in order to narrow down the list of possible schools that an individual had attended.

71. In its submissions, the University argued that its students expect the University to keep their data confidential and made reference to its Data Protection Statement for Students. The University submitted that the information sought by Mr Lucas had been provided to it as part of an application process and as part of a course of study, with no expectation that the information would be linked and published subsequently.

72. The University also considered that students and graduates would not envisage their personal data being transferred to a private company for commercial purposes and in a context that might reflect on both their academic progress and the reputation of the school they attended. The University also considered that to provide linked biographical information of the type requested with no control over its future use or publication could lead to the fraudulent use of the data.

73. The University also indicated that it had consulted with the University of Strathclyde Students' Association (the Students' Association) in relation to a previous request from Mr Lucas on a related matter. The Students' Association had stated that it had grave concerns regarding the disclosure of information that had the potential to identify individual students against their will and without their prior consent. The Students' Association considered that the disclosure of the information by the University would jeopardise the relationship of trust between students and the University.

74. The Commissioner recognises that the individuals whose data is under consideration have not given specific consent for the information sought by Mr Lucas to be released. The Commissioner is also aware that there may often be publicity surrounding successful graduates, for example through a local newspaper.

75. In this case, the University has argued that identification of an individual graduate may result from disclosure of the sought information and that a dedicated individual may use the information to try and trace an individual graduate. The University considered this would cause detriment and harm to students, particularly those with disabilities or who had attended denominational schools. The University also submitted that there may be some students who regard their personal data as particularly sensitive or regard their course as sensitive. Additionally, the University provided examples of some students who may not wish their data to be disclosed because (for example) they do not wish to be traced by estranged family members or stalkers; they may be asylum seekers wishing their identities to be kept private; they may have deferred progress directly to University or may not have proceeded on their course of study; they consider their data may reflect on their academic progress and on the reputation of their former school; or they fear their data may be used for fraudulent purposes.

76. However, the Commissioner is not persuaded that the disclosure of the information would represent an unwarranted interference given that disclosure would only, in extremely limited circumstances, allow an individual to be identified through an elaborate process which, in any case, would require a considerable element of personal knowledge of a data subject's personal life. He also considers that the level of harm which is likely to come about would be low and there is nothing in the information supplied to the Commissioner by the University which would lead him to conclude that harm would arise as a result of the withheld information being disclosed.

77. The Commissioner has balanced the legitimate interests of the data subject against the legitimate interests identified by Mr Lucas. Having done so, the Commissioner finds that the legitimate interests served by disclosure to Mr Lucas (and the wider public) outweigh the unwarranted prejudice that would be caused to the rights, freedoms or legitimate interests of the data subjects. The Commissioner is therefore satisfied that condition 6 of schedule 2 of the DPA can be met in this case.

78. Having reached this conclusion, the Commissioner has gone on to consider whether (as required by the first data protection principle) disclosure of the information concerning the data subject would be fair and lawful.

79. In its submissions, the University argued that, since students were not given any indication by the University that their data would be transferred to this type of third party and made publicly available, they have had no opportunity to object to its disclosure and such processing was unfair. In its view, as the University cannot guarantee that there will be no detriment to the rights, freedoms or legitimate interests of the data subjects, the processing would be unfair.

80. However, the Commissioner considers that disclosure would be fair, for the reasons already outlined in relation to condition 6 above. Whilst the University has not provided any separate submissions to argue that disclosure would be unlawful, the Commissioner, in any case, is unable to identify (having concluded that condition 6 of schedule 2 to the DPA can be met) any specific law forbidding disclosure.

81. Having found disclosure of the information sought by Mr Lucas to be both fair and lawful, and in accordance with condition 6(1), the Commissioner therefore concludes that disclosure of this information would not breach the first data protection principle.

82. As the Commissioner has found that disclosure would not breach the first or second data protection principle, he therefore concludes that the exemption in section 38(1)(b) has been wrongly applied by the University to the withheld information in this case and so it acted in breach of section 1(1) of FOISA by withholding this.

83. The Commissioner now requires the University to disclose to Mr Lucas the information sought in requests a) and b).

DECISION

The Commissioner finds that by incorrectly applying the exemption in section 38(1)(b) to Mr Lucas's information request, the University breached the requirements of Part 1 and in particular, section 1(1) of FOISA.

The Commissioner therefore requires the University to provide Mr Lucas with the information sought in requests a) and b) by 2 February 2012.

Appeal

Should either Mr Lucas or the University wish to appeal against this decision, there is an appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision notice.

Margaret Keyse
Head of Enforcement
16 December 2011

Appendix

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

...

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

...

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

...

(e) in subsection (1) of section 38 -

...

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

38 Personal information

(1) Information is exempt information if it constitutes -

...

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

...

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

...

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

...

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

...

Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

...

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

...

2 Sensitive personal data

In this Act "sensitive personal data" means personal data consisting of information as to -

(a) the racial or ethnic origin of the data subject,

...

(c) [the data subject's] religious beliefs or other beliefs of a similar nature,

...

(e) his physical or mental health or condition.

...

Schedule 1 - The data protection principles

Part I - The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

...

Schedule 2 - Conditions relevant for purposes of the first principle: processing of any personal data

...

6. (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

...

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

Recital 26

Whereas the principles of protection must apply to any information concerning an identified or identifiable person; whereas, to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person; whereas the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable ...

Article 8: The processing of special categories of information

1. Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.


[1] http://www.ico.gov.uk/~/media/documents/library/Data_Protection/Detailed_specialist_guides/PERSONAL_DATA_FLOWCHART_V1_WITH_PREFACE001.ashx

[2] http://www.ico.gov.uk/for_organisations/data_protection/the_guide/key_definitions.aspx

[3] [2002] EWHC 499 (QB)

[4] http://www.publications.parliament.uk/pa/ld200708/ldjudgmt/jd080709/comm-1.htm

[5] http://www.itspublicknowledge.info/nmsruntime/saveasdialog.aspx?lID=3085&sID=133