Decision 258/2024: Pastoral notes in SEEMiS (creation, altering and deletion of, including metadata)
Authority: East Dunbartonshire Council
Case Ref: 202200008
Summary
The Applicant asked the Authority for information related to the creation, altering of existing and deletion of pastoral notes in SEEMiS, including information on what etadata this generates. The Authority informed the Applicant that it did not hold some of the information and withheld some information on the basis that it was confidential. The Commissioner investigated and found that the Authority had partially breached FOISA in responding to the request. Although some of the information had been correctly withheld by the Authority, he found that it was not entitled to withhold other information and that it had wrongly informed the Applicant that it did not hold some of the information.
Relevant statutory provisions
Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 17(1) (Notice that information is not held); 36(2) (Confidentiality); 47(1) and (2) (Application for decision by Commissioner)
Background
1. On 29 October 2021, the Applicant made a request for information to the Authority. He asked for all information held in relation to the creation, altering of existing and the deletion of pastoral notes in SEEMiS. To include but not limited to:
(i) User manuals and training materials
(ii) All guidance provided to staff (any user including management and those with SEEMiS administration rights)
(iii) The options to back date pastoral notes in SEEMiS to make them look like they were recorded at the time of an event rather than a later date. To include the creation
and any subsequent changes to a pastoral note.
(iv) The creation of pastoral notes in SEEMiS on behalf of another user
(v) What metadata is collected and retained following the creation, altering or deletion of a pastoral note in SEEMiS
2. The Authority responded on 29 November 2021. It apologised for the delay in its response and confirmed that in relation to parts (i) to (iv) of his request it held the SEEMiS manuals, training material and guidance, but stated that it was withholding the information under section 36(2) (Confidentiality) of FOISA. In relation to part (v) of the request, the Authority responded in terms of section 17(1) of FOISA informing the Applicant that it did not hold the information.
3. On 29 November 2021, the Applicant wrote to the Authority requesting a review of its decision. The Applicant stated that he was dissatisfied with the decision because he did not consider the Authority was entitled to apply section 36(2). He also considered that further information such as internal Authority documents would be covered by the request and should be held. The Applicant argued that section 17(1) had been wrongly applied as he had not asked if metadata was held by the Authority but
rather what metadata was created and retained by the SEEMiS system.
4. The Authority notified the Applicant of the outcome of its review on 22 December 2021. It upheld its original decision and directed the Applicant to make a request for the information covered by all parts of his request to SEEMiS.
5. On 23 December 2021, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. The Applicant stated he was dissatisfied with the outcome of the Authority’s review because he did not agree the Authority was correct to rely in section 17(1) or section 36(2) of FOISA in its response to him.
Investigation
6. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.
7. On 24 January 2022, the Authority was notified in writing that the Applicant had made a valid application. The Authority was asked to send the Commissioner the information withheld from the Applicant. The Authority provided the information, and the case was allocated to an investigating officer.
8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Authority was invited to comment on this application and to answer specific questions. These related to the reasons for its reliance on sections 17(1) and 36(2) of FOISA in its response to the Applicant’s request.
9. Further submissions were sought and received from the Authority during the course of the investigation.
Commissioner’s analysis and findings
10. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority.
Background information – what is SEEMiS?
11. The request concerns information relating to SEEMiS (Scottish Education Management Information System). SEEMiS group is an Education Management Information System (MIS) provider. The SEEMiS software system is the standard MIS within Scottish Education that is used to process and manage all local student data. SEEMiS group is owned by its members who are made up of the 32 Scottish local authorities.
Withheld information
12. The information falling within the scope of the Applicant’s request identified by the Authority and withheld under section 36(2) of FOISA comprised of three SEEMiS
documents:
- Document 1 – Training booklet
- Document 2 – Guidance Note
- Document 3 – Guidance Note 2
Section 36(2) - Confidentiality
13. Section 36(2) of FOISA provides that information is exempt from disclosure if it was obtained by a Scottish public authority from another person (including another authority) and its disclosure by the authority obtaining it, to the public (otherwise than under FOISA) would constitute a breach of confidence actionable by that person or any person. Section 36(2) is an absolute exemption and is not, therefore subject to the public interest test in section 2(1)(b) of FOISA. However, it is generally accepted in common law that an obligation of confidence will not be enforced to restrain disclosure of information which is necessary in the public interest.
Information obtained from another person
14. Section 36(2) contains a two-stage test, both parts of which must be fulfilled before the exemption can be relied upon. The first is that the information must have been obtained by a Scottish public authority from another person. “Person” is defined widely and means another individual, another Scottish public authority or any other legal entity, such as a company or partnership.
15. The Authority, in its submissions, explained that it did not produce its own manuals for the use of the SEEMiS system, but that the manuals were produced by SEEMiS. It explained that controlled access was provided to relevant employees within its schools and the wider education service, and that to access the manuals employees use their own approved credentials and login to the SEEMiS system.
16. The Commissioner has viewed the information being withheld which the Authority argued was only available to relevant staff via the SEEMiS system (who require to have an active user name and password) and some of which is branded with the SEEMiS logo. The Commissioner is therefore satisfied that this was obtained by the Authority from another person and that the first part of the section 36(2) test has therefore been fulfilled.
Actionable breach of confidence
17. The second part of the test is that disclosure of the information by a public authority must constitute a breach of confidence actionable, either by the person who gave the information to the public authority or by any other person. The Commissioner takes the view that "actionable" means that the basic requirements for a successful action must appear to be fulfilled.
18. There are three main requirements which must be met before a claim for breach of confidence can be established to satisfy the second element to this test. These are:
(i) The information must have the necessary quality of confidence;
(ii) The public authority must have received the information in circumstances which imposed an obligation on it to maintain confidentiality; and
(iii) Unauthorised disclosure must be to the detriment of the person who communicated the information.
Necessary quality of confidence
19. The Commissioner’s briefing on section 36 of FOISA provides more detail on what will need to be considered when deciding whether information has the necessary quality of confidence:
(i) The information must not be common knowledge; a member of the public would have to apply skills and labour to produce the information;
(ii) The passage of time will be relevant, particularly for contractual information relating to pricing, which often loses relevance (and any element of confidentiality) with the passage of time; (not relevant in this case)
(iii) Where the information can be ascertained from other information, which is in the public domain with relative ease, the necessary quality of confidence may not exist, even if the information was, at one point, confidential.
20. The withheld information comprises of training notes and guidance notes on the use of pastoral notes function within the SEEMiS system produced by the owners of the system.
21. The Applicant submitted that he did not believe the information had the necessary quality of confidence. He argued that he had been able to find similar information online, published by others, and that if it was so confidential this would not have been allowed to happen.
22. The Applicant suggested that some of the withheld information had been published by other authorities and individuals. In his submissions the Applicant provided the Commissioner with a copy of an email he had sent to SEEMiS dated February 2022 with two out of the three withheld documents attached (documents 2 and 3) that he had found by searching on the internet.
23. The Authority submitted that the contents of the withheld information was likely the intellectual property of SEEMiS.
24. With regard to some of the information already being publicly available the Authority acknowledged that if the information was already in the public domain, then the Confidentiality Agreement allowed for disclosure. However, it argued that it was not aware that these were the same documents that the Applicant had requested and that the Authority had access to.
25. The Authority further submitted that it had approached SEEMiS on this point, and it had advised the Authority that it was unaware that such information had been published, and that it would not have been done with its permission. The Authority noted that the information was no longer available through the link that the Applicant had provided.
26. During the investigation, at various points, the investigating officer searched the internet for similar information and at different times, as recently as 4 October 2024, was able to find either Documents 2 and 3, or rather, the more up to date version of them.
27. The Commissioner cannot find that the information in documents 2 and 3 has the necessary quality of confidence if it has been and continues to be in the public domain and therefore could be seen to be common knowledge. He has considered the argument by the Authority that this has been done without the permission of SEEMiS, the owner of the information. However, the Commissioner’s view is that if the information was of such importance, and the harm would be of such consequence that it was imperative that this information was not in the public domain, then he would have expected there to have been robust measures in place to prevent this. It is clear from the correspondence provided to the Commissioner during the investigation that the owner of the information was aware that the information had been in the public domain, as the Applicant emailed it to them in February 2022. The information (or rather its updated version) is still accessible via a simple online search as of 4 October 2024.
28. With regard to document 1, there has been no evidence provided by the Applicant, or found by the investigating officer to indicate that the information contained within this document has been in the public domain, and therefore common knowledge.
29. Having found that the information in documents 2 and 3 do not have the necessary quality of confidence for the exemption in section 36(2) to be engaged, the Commissioner is not required to go on to consider the remaining tests. However, as the information in document 1 does have the necessary quality of confidence, the Commissioner will consider the remaining tests with regard to this information only.
Obligation to maintain confidentiality
30. The Applicant submitted that he did not believe that there was a confidentiality agreement stopping the Authority from sharing the information sought. He argued that in his correspondence with SEEMiS, it had been willing to answer his questions relating to pastoral notes, and that it was unlikely to do this if the information was as such a confidential nature.
31. The Authority explained that within the Service Agreement between itself and SEEMiS was a confidentiality clause that stated that confidential information disclosed under the agreement should not be disclosed by either party. The Agreement provided a definition of what constituted confidential information which included “information and materials concerning the process, training, procedures, systems and manuals”.
32. The Authority submitted that in responding to the Applicant’s information request it had approached SEEMiS for its view in relation to the release of the manuals in question. In response SEEMiS had advised the Authority that this material should not be released by it, as these materials belonged to SEEMiS.
33. The Authority’s view was that it was not its place to comment on the actions taken by other third parties in relation to the information, but that it was clear that its contractual obligations were to honour the Confidentiality Agreement that it had entered into with SEEMiS, who had expressly denied its permission to disclose the
information.
34. The Commissioner has seen a copy of the agreement entered into by the Authority with the owner of the information. He notes that part of that agreement does allow either party to disclose the confidential information of the other if such confidential information is already in the public domain.
35. Given the existence of a Confidentiality Agreement between the Authority and the owner of the information in document 1, the Commissioner finds that there was an express obligation of confidentiality with respect to this information.
Unauthorised disclosure would cause detriment
36. The third requirement is that unauthorised disclosure of the information must be to the detriment of the person who communicated it. The damage need not be substantial and indeed could follow from the mere fact of unauthorised use or disclosure in breach of confidence.
37. In that respect, the test of detriment is different to establishing whether, for example, disclosure would prejudice substantially the commercial interests of any person when considering the exemption in section 33(1)(b) of FOISA.
38. The Authority submitted that it was concerned that if it disclosed this information having been expressly asked not to by SEEMiS that it would have an impact on its relationship with SEEMiS. It was concerned that SEEMiS would be more reticent about sharing other, perhaps more controversial, or less formal information with the Authority in future. The Authority also submitted that it was concerned that a disclosure would be a breach of its terms of agreement with an external partner, that would have
significant risks, not just with that partner, but more widely as being seen to freely break agreements would reputationally damage the Authority.
39. The Authority also noted that SEEMiS has a commercial interest in these manuals and an inherent value exists in these manuals should they become available to an organisation which has or has the capability to develop a similar system.
40. The Applicant’s submissions with respect to detriment focused on the nature of the information itself and the fact that he did not consider there would be any commercial detriment from disclosure of the material. He submitted that SEEMiS had responded to his questions about pastoral notes in SEEMiS which he did not consider it would have done if the information was commercially confidential.
41. The Commissioner has considered the submissions from both the Authority and the Applicant. The Commissioner must consider whether there would be detriment to the party who communicated the information, in this case that would be SEEMiS. The test for detriment in this exemption does not require the Authority to demonstrate that any harm would be likely or substantial, just that it is possible. The Commissioner notes that the Authority’s arguments focused on the detriment that would be caused to its relationship with SEEMiS, as well as the detriment that would be caused to SEEMiS by disclosure of the information. The Commissioner accepts the Authority’s argument that if it were to disclose information that is covered by a confidentiality agreement without the permission of the information owner, it may harm SEEMiS and any intellectual rights they hold to the information.
42. The Commissioner is therefore satisfied that, for the information in document 1, the tests for an actionable breach of confidence are met in this case.
43. Having found that all of the tests for the exemption in section 36(2) of FOISA have been met, in relation to the information in document 1, and the exemption is properly engaged, the Commissioner must now go on to consider where the balance of public interest lies in disclosure of the information.
Public interest defence – section 36(2)
44. As noted above, the exemption in section 36(2) of FOISA is an absolute exemption in terms of section 2(2) of FOISA and not subject to the public interest test in section 2(1)(b). However, the law of confidence recognises that, in certain circumstances, the strong public interest in maintaining confidences may be outweighed by the public interest in disclosure of the information. In deciding whether to enforce an obligation of confidentiality, the courts are required to balance these competing interests, but there is no presumption in favour of disclosure. This is generally known as the public interest defence.
45. The courts have identified a relevant public interest defence in cases where withholding information would cover up serious wrongdoing, and where it would lead to the public being misled on or would unjustifiably inhibit public scrutiny of a matter of genuine public concern.
46. The Authority’s submissions when asked about the public interest defence focused on the reasons why the material should not be disclosed, concentrating on the impact on its relationship with partner organisations if it were to be seen to disclose confidential information.
47. The Applicant’s submitted that his concerns related to the functionality of the SEEMiS system with respect to pastoral notes, and whether this allowed for information to not be recorded contemporaneously. He has argued that there is a public interest in knowing whether records can be tampered with. The Applicant believes that the SEEMiS application is putting children at risk, as he believes it is open to abuse.
48. The Commissioner has carefully considered the submissions from both the Applicant and the Authority, as well as the information in document 1. Whilst the Commissioner appreciates the seriousness of the issues the Applicant has raised, he does not consider that the information document 1 would add to the public scrutiny that the Applicant would wish. Therefore, the Commissioner finds that there are no compelling reasons for the withheld information in document to be disclosed into the public
domain, in the face of the obligation of confidentiality identified above.
49. In conclusion, the Commissioner find that the Authority was correct to withhold document 1 under section 36(2) of FOISA but that it had breached section 1(1) by wrongly withholding documents 2 and 3 under section 36(2) as they did not have the necessary quality of confidence. As the Applicant already has these documents in his possession, the Commissioner does not require the Authority to take any action.
Section 17(1) – Notice that information is not held by the Authority
50. Section 1(1) of FOISA provides that a person who requests information from a Scottish public authority which holds it is entitled to be given that information by the authority, subject to qualifications which, by virtue of section 1(6) of FOISA, allows Scottish public authorities to withhold information or charge a fee for it. The qualifications contained in section 1(6) are not applicable here.
51. The information to be given is that held by the authority at the time the request is received, as defined in section 1(4). This is not necessarily to be equated with information an applicant believes an authority should hold. If no such information is held by the authority, section 17(1) of FOISA requires it to give the applicant notice in writing to this effect.
52. The standard of proof to determine whether a Scottish public authority holds information is the civil standard of the balance of probabilities. In determining where the balance of probabilities lies, the Commissioner considers the scope, quality, thoroughness and results of the searches carried out by the public authority.
53. The Commissioner also considers, where appropriate, any reason offered by the public authority to explain why it does not hold the information. While it may be relevant as part of this exercise to explore the expectation about what the authority should hold, ultimately the Commissioner’s role is to determine what relevant recorded information is (or was, at the time the request was received) actually held.
54. The Applicant’s information request in this case is set out in full in paragraph 1 above but included guidance and training material on the creation, alteration or deletion of pastoral notes, as well as information on what metadata is collected and retained following the creation altering or deletion of a pastoral note in SEEMiS.
Part (v) of Applicant’s request
The Authority’s submissions
55. The Authority explained its understanding of the Applicant’s request was for metadata it held for the entry of records. In other words, the pastoral note will be a record entered into the system (SEEMiS) by a user, for example, the narrative of an incident. The Authority understood that the Applicant was seeking the data that sits behind this record, i.e. when it was created, if it was altered or deleted.
56. The Authority submitted that, at the time of the request, it understood that this information was not held by it. Its view was that if SEEMiS held this information, then this information was owned by SEEMiS and not held on behalf of the Authority. Its position was that it had not requested metadata be held, and prior to this request had never had any use for any metadata, accordingly it was the Authority’s view that this information was not held on behalf of it.
57. During the investigation, the Authority became aware that there was some audit information on the SEEMiS system that it had access to that recorded the date on which an entry was first created, which user created the entry, the date of any changes to the entry, and the user making the change. The Authority also discovered that SEEMiS holds additional audit information which provided a precise timestamp of when an entry was created and a timestamp of any changes.
58. The Authority was asked about the steps it had taken on receipt of the Applicant’s request to find out about the metadata. It submitted that the officers who had responded to the request and requirement for review were familiar with the SEEMiS system and were not aware that this function was available to Authority staff who were users of SEEMiS. Its view at that time was that any metadata collected by SEEMiS was not of interest to the Authority and accordingly no steps were taken to establish with SEEMiS
what metadata was collected.
59. The Authority submitted that following further interaction with the Applicant and SEEMiS it became apparent that the History tab did exist and was available for users within the Authority to access and that the back-end data was collected by SEEMiS.
60. The Authority submitted that the officers responding to the Applicant’s request and request for review did not realise either of these functions were available and as such the responses provided were their belief at that time.
The Applicant’s submissions
61. The Applicant explained that he had requested information on the metadata in order to find out if functionality was available to backdate/alter pastoral notes. The Applicant had discovered through correspondence with SEEMiS and from the information in document 3 that users within the Authority were able to easily access this type of information that showed who had created the record, when and if it had been altered and by whom.
62. The Applicant also found out from SEEMiS that as well as this metadata that front end users within the Authority can easily see, there is also metadata that was referred to as back-end data. SEEMiS explained to the Applicant that this back-end data contained similar information to that in the front-end history who created or changed data and on what date, and also the time of the change.
The Commissioner’s view
63. The Commissioner has considered the submissions from both the Applicant and the Authority. With regard to the metadata that is easily accessible to the users of SEEMiS within the Authority, and that is described within document 3 of the withheld information, that is used to instruct staff on how to use SEEMiS, it is impossible for the Commissioner to find that this information was not held by the Authority at the time of the request. Those responding to the request and requirement for review have been
described as knowing SEEMiS well, however, a simple reading of the guidance provided to staff would have informed them of the existence of this function. The Commissioner is disappointed that even at the review stage, no extra steps, such as asking SEEMiS, were taken to establish that the position adopted in the initial response was correct.
64. As far as the back-end data that is collected by the SEEMiS system and accessible to SEEMiS is concerned, the Commissioner’s view is that when the request was made, and definitely by the review stage, it was incumbent on the Authority to take reasonable steps to determine if this information existed and was held. The Applicant appears to have established this by simply asking SEEMiS, and it is not clear why the Authority could not have done the same. The data collected at the back end would not exist if
it were not for the actions of the Authority’s staff at the front end, and the Commissioner can see there being occasions, for example as the result of a complaint or dispute, when the Authority could approach SEEMiS to access this data.
65. The Commissioner is not satisfied that adequate steps were taken by the Authority at the time of the request, or requirement for review to establish what information was held. As such, he finds that the Authority was not entitled to rely on section 17(1) of FOISA when responding to the request. As the Applicant has established the situation with regard to metadata at both the front end and back end of the system during the course of this investigation, the Commissioner does not require the Authority to
take any action.
Information falling within the scope of the request other than that produced by SEEMiS
66. The Authority identified the three SEEMiS documents that have been discussed earlier in this decision. However, both parts (i) and (ii) of the Applicant’s request would encompass any other material that may have been produced by the Authority itself, such as material relating to the management of bullying or pupil wellbeing, that might be expected to address the creation and use of pastoral notes.
67. During the course of the investigation, the Applicant provided the Commissioner with the Authority’s document, Anti-Bullying Policy and Guidance dated as having been amended in September 2022 where the creation and use of pastoral notes is mentioned.
68. The Applicant also raised correspondence he had received as part of the Authority’s complaints process that had suggested, following the investigation of a complaint in 2019 relating to pastoral notes and record keeping, that improvements had been made to record keeping. The Applicant considered that there should be a written record of steps taken to ensure these improvements.
69. The Authority submitted that the SEEMiS documents identified and withheld were the only materials held by the Authority. It stated that other than ascertaining what SEEMiS guidance was held, no further searches were carried out.
70. In relation to improvements in record keeping, the Authority informed the Commissioner that after further checks, there was no written record of these actions but rather advice had been provided verbally to relevant staff.
The Commissioner’s view
71. In considering whether a Scottish public authority holds the requested information in any given case, the Commissioner must be satisfied that the authority has carried out adequate, proportionate searches in the circumstances, taking account of the terms of the request and all other relevant circumstances. He will consider the scope, quality, thoroughness and results of those searches, applying the civil standard of proof (the balance of probabilities). Where appropriate, he will also consider any reasons offered by the public authority to explain why it does not, or could not reasonably be expected to, hold the information.
72. In all cases, it falls to the public authority to persuade the Commissioner, with reference to adequate, relevant descriptions and evidence, that it does not hold the information (or holds no more information than it has identified and located in response to the request). In this case, having considered the Authority’s submissions, the Commissioner is not satisfied that the Authority has achieved this.
73. The Commissioner has considered all of the submissions from both the Applicant and the Authority.
74. With regard to the document provided to the Commissioner by the Applicant during the investigation, this document postdates the Applicant’s request and so does not itself fall within the scope of his request. However, it is not clear whether any previous versions of this document also mentioned pastoral notes, or if there is any other similar mention in any other guidance for staff.
75. The Commissioner understands the Authority’s position that those responding to the request were best placed to be aware of guidance available for staff. However, it is also his view that it would have been reasonable to carry out some simple searches to establish whether pastoral notes were mentioned in any other Authority documentation, if not at the review stage, then during the Commissioner’s investigation.
76. Given the lack of searches carried out by the Authority in this case the Commissioner is not satisfied that the Authority has demonstrated, on the balance of probability, that it does not hold the information requested by the Applicant. He must, therefore, conclude that the Authority was not entitled to give the Applicant notice, under section 17(1) of FOISA, that the information was not held.
77. He requires the Authority to carry out fresh searches for the information requested by the Applicant.
Decision
The Commissioner finds that the Authority partially complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant.
The Commissioner finds that by withholding some information (document 1) under section 36(2) of FOISA, the Authority complied with Part 1.
However, by applying the exemption in section 36(2) of FOISA to certain information (documents 2 and 3), and by informing the Applicant, in line with section 17 of FOISA that no relevant recorded information was held to fulfil parts (ii) and (v) of his request the Authority failed to comply with Part 1.
Given that the Applicant already has documents 2 and 3, albeit from another source, the Commissioner does not require the Authority to take any action in respect of the failure relating to section 36(2) of FOISA. As the Applicant has the information which would fulfil part (v) of his request, the Commissioner does not require the Authority to take any action in relation to its failure in respect of its application of section 17.
However, the Commissioner requires the Authority to carry out adequate, proportionate searches for information other than that produced by SEEMiS falling within the scope of the Applicant’s request, and to issue a new review outcome to the Applicant, by 6 January 2025.
Appeal
Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.
Enforcement
If the Authority fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that the Authority has failed to comply. The Court has the right to inquire into the matter and may deal with the Authority as if it had committed a contempt of court.
David Hamilton
Scottish Information Commissioner
12 November 2024
