Decision 263/2014: Mr Y and South Lanarkshire Council Name of a dog owner Reference No: 201402395 Decision Date: 19 December 2014 Summary On 3 July 2014, Mr Y asked South Lanarkshire Council (the Council) for the name of the legal owner of a specific dog. The Council withheld this information. Following a review, Mr Y remained dissatisfied and applied to the Commissioner for a decision. The Commissioner investigated and accepted that the Council was entitled to withhold the name of the owner on the basis that disclosure would breach the Data Protection Act 1998.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2)(a)(i) and (b) and (5) (definitions of "the data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA) sections 1(1) (Basic interpretative provisions) (definition of "personal data"); Schedules 1 (The data protection principles, Part I: the principles) (the first data protection principle) and 2 (Conditions relevant for purposes of the first principle: processing of any personal data) (conditions 1 and 6)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 3 July 2014, Mr Y made a request for information to the Council. He explained that he wished to petition the court to have a neighbour's dog banned from entering his garden, and to do so had to know the identity of the dog's owner. He asked for information about the legal owner of the dog.

2. The Council responded on 10 July 2014. It withheld the information Mr Y had requested in terms of section 38(1)(b) of FOISA, considering it to be personal data, the disclosure of which would breach the data protection principles.

3. On 12 July 2014, Mr Y wrote to the Council requesting a review of its decision on the basis that he needed the information in order to petition the court to have the dog legally banned from his garden, as he feared attack from the dog. He suggested that the Council could forward the forms on his behalf to the court. He stated that he wished to appeal the decision of the Council not to confirm that [named person] owned a specified breed of dog at the specified address.

4. The Council notified Mr Y of the outcome of its review on 12 August 2014. The Council upheld its original decision to withhold the information. The Council stated that it had received no complaints about the dog in question, or evidence from Mr Y of any threat from the dog. Its officers had investigated Mr Y's concerns and found no basis on which the Council could, or should, take action. The Council did not believe it would be appropriate to give out personal data relating to the dog owner in these circumstances.

5. On 10 October 2014, Mr Y applied to the Commissioner for a decision in terms of section 47(1) of FOISA. Mr Y stated he was dissatisfied with the outcome of the Council's review because he required the name of the owner of the dog so he could petition the court to have the dog prevented from accessing his property.

Investigation

6. The application was accepted as valid. The Commissioner confirmed that Mr Y made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to her for a decision.

7. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Council was invited to comment on this application and answer specific questions including justifying its reliance on any provisions of FOISA it considered applicable to the information requested.

Commissioner's analysis and findings

8. In coming to a decision on this matter, the Commissioner considered all the relevant submissions, or parts of submissions, made to her by both Mr Y and the Council. She is satisfied that no matter of relevance has been overlooked.

Consideration of section 38(1)(b)

9. Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or (2)(b) (as appropriate), exempts personal data where disclosure to a member of the public, otherwise than under FOISA, would contravene any of the data protection principles.

10. The Council withheld information in terms of section 38(1)(b) on the basis that the name of the dog owner was the personal data of an individual ("the data subject"), disclosure of which would breach the first data protection principle. In considering the application of this exemption, the Commissioner will consider firstly whether the information in question is personal data as defined in section 1(1) of the DPA and then, if it is, whether disclosure would breach the first data protection principle. The Council did not seek to rely upon any other exemption in FOISA.

Is the information under consideration personal data?

11. Personal data is defined in section 1(1) of the DPA as data which relate to a living individual who can be identified a) from those data, or b) from those data and other information which is in the possession of, or likely to come into the possession of, the data controller (the full definition is set out in the Appendix). The information is the data held by the Council and is the name of the legal owner of the dog described in Mr Y's request.

12. Mr Y's request was for the identity of legal owner of a dog at a specific address. In his requirement for review he quoted a name and expressed dissatisfaction that the Council would not confirm whether the person he named was the legal owner of the dog.

13. The Council submitted that details of the ownership of the dog amounted to the personal data of the data subject as disclosure of the name would involve releasing information which relates to a living person identifiable to the Council as data controller. The Council also referred to the Court of Appeal decision in respect of the equivalent section in the Freedom of Information Act 2000 in Efifiom Edem and the Information Commissioner and the Financial Services Authority [2014] EWCA Civ 92[1] at paragraph 20 where it was stated:

"A name is personal data unless it is so common that without further information such as its use in a work context, a person would remain unidentifiable despite its disclosure."

14. The Council submitted that it was the added context that moved a name into being personal data, and suggested that in this case it was the ownership of the dog in question that provided the context.

15. The Commissioner is satisfied that the withheld information is personal data. The name, together with the contextual information of ownership of a specified breed of dog at a specified address, would allow identification of a person (the data subject).

The first data protection principle

16. The first data protection principle states that personal data shall be processed fairly and lawfully. It also states that personal data shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met and, in the case of sensitive personal data, at least one of the conditions in Schedule 3 of the DPA is also met.

17. The Commissioner is of the view that the requested information is not sensitive personal data as defined by section 2 of the DPA, and it is therefore not necessary to consider whether any of the conditions in Schedule 3 could be met.

18. When considering the conditions in Schedule 2, the Commissioner has noted Lord Hope's comment in the case of Common Services Agency v Scottish Information Commissioner [2008] UKHL 47^[2] that the conditions require careful treatment in the context of a request for information under FOISA, given that they were not designed to facilitate the release of information, but rather to protect personal data from being processed in a way that might prejudice the rights, freedoms or legitimate interests of the data subject.

19. Condition 1 applies when the data subject (i.e. the individual to whom the data relate) has consented to the release of the information. The Council explained that Condition 1 was discounted because the Council had not sought to obtain the dog owner's consent for their name to be disclosed.

20. The Commissioner accepts that consent has not been given by the data subject in this case, and that condition 1 in Schedule 2 therefore cannot be met here.

21. The Council submitted that disclosure of the personal data to the public would neither be fair nor lawful (in so far as the Council would be unable to meet a condition set down in Schedule 2 of the DPA). The Council commented that the DPA does not define "fairness" but one of the considerations is whether the individual has been deceived or misled about the
purposes to which the Council would use the information, including making the information available to the public. (Information disclosed under FOISA is considered to be disclosed into the public domain and accessible to everyone.) The Council stated that it had to consider whether the individual would know that the Council could or would give out their personal information to the public, or should reasonably expect that to be the case.

22. The Council explained that the information in question (the dog owner's name) was received by the Council when investigating a complaint made by Mr Y. The Council was of the view that an individual voluntarily providing information to the Council through an investigation would not expect the Council to subsequently disclose that information to the public. Therefore, under those circumstances, the Council submitted it would not be fair to disclose the personal data to the public.

23. The Commissioner is of the view that only condition 6 in Schedule 2 to the DPA might be considered to apply in this case. Condition 6 allows personal data to be processed (in this case, disclosed into the public domain in response to Mr Y's information request) if that processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

24. There are a number of tests which must be met before condition 6(1) can apply. These are:

? Is Mr Y pursuing a legitimate interest?

? If so, is the disclosure necessary to achieve those legitimate interests? In other words, is disclosure proportionate as a means and fairly balanced as to ends, or could these legitimate aims be achieved by means which interfere less with the privacy of the data subject?

? Even if disclosure is necessary for the legitimate purposes of the applicant, would disclosure nevertheless cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subject?

25. As noted by Lord Hope (above), there is no presumption in favour of the release of personal data under the general obligation laid down in FOISA. Accordingly, the legitimate interests of Mr Y must outweigh the rights and freedoms or legitimate interests of the data subject before condition 6 will permit the personal data to be disclosed. If the two are evenly balanced, the Commissioner must find that the Council was correct to refuse to disclose the personal data to Mr Y.

Is Mr Y pursuing a legitimate interest?

26. There is no definition within the DPA of what constitutes a "legitimate interest", but the Commissioner takes the view that the term indicates that matters in which an individual properly has a legitimate interest should be distinguished from matters about which he or she is simply inquisitive. In her published guidance^[3] on section 38 of FOISA, the Commissioner states:

"In some cases, the legitimate interest might be personal to the applicant - e.g. he or she might want the information in order to bring legal proceedings. With most requests, however, there are likely to be wider legitimate interests, such as the scrutiny of the actions of public bodies or public safety."

27. Mr Y has stated that his interest was to know the name of the legal owner of the dog so he could petition the court to have the dog banned from entering his garden. He referred in his request to section 49 of the Civic Government (Scotland) Act 1982 and stated that any breach of a court order he would obtain could result in a criminal prosecution.

28. The Council's review stated that, whilst Mr Y has a personal interest in knowing the identity of the owner of the dog, this does not fulfil the test of being a "legitimate" interest. The Council said that, in terms of the Control of Dogs (Scotland) Act 2010 (the 2010 Act), it is the responsibility and function of the Council to take action in respect of a dog which is out of control and causing alarm to any individual, but only if the individual's alarm is, in all the circumstances, reasonable. Council Officers had investigated Mr Y's concerns and found no basis on which the Council could, or should, take action and the Council did not consider it would be appropriate to give out the personal data of the dog owner in these circumstances.

29. In its submission of 19 November 2014 to the Commissioner, the Council accepted that Mr Y did have a legitimate personal interest in obtaining the information requested, for the reasons he had given. Again, the Council questioned whether there was any public interest in releasing the information, but acknowledged this may be a moot point as it had accepted Mr Y's personal interest in obtaining the information.

30. The Commissioner accepts that the information sought by Mr Y is not information about which he is merely curious or inquisitive. Rather, he wishes to take action by way of a court process which he believes is necessary to ensure his safety and private life, and he understands that this cannot be done without obtaining the name of the dog's legal owner. Given the seriousness of Mr Y's concern, the Commissioner is satisfied that Mr Y is pursuing a legitimate interest.

Is disclosure of the information necessary for the purposes of this legitimate interest?

31. The Commissioner must now consider whether disclosure of the name of the dog owner is necessary in terms of the legitimate interest identified above. In doing so, she must consider whether that legitimate interest might reasonably be met by any alternative means. Is disclosure of the name an action which is proportionate as a means and fairly balanced as to ends, or could the legitimate aim be achieved by means which interfere less with the privacy of the data subject?

32. The Council's view was that the test is whether the disclosure of the information is necessary to advance Mr Y's legitimate interests regardless of whether the disclosure is through FOI or other means. The Council noted this differed from the Commissioner's view (as indicated by the questions put to the Council).

33. The Council accepted that Mr Y would need the name of the dog owner to begin a court action. It could not see any other way that Mr Y could obtain the information in a less obtrusive manner, and therefore accepted that disclosure of the information to Mr Y would be necessary to meet his legitimate interest. The Council, however, argued that disclosure would cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subject.

34. Mr Y stated that obtaining the information under FOISA was necessary as he had "no other legal means of finding out the name of the person" who owned the dog. He commented that the Council had refused to issue a dog control notice (which could be issued without Mr Y knowing the dog owner's name). Mr Y's application to the Commissioner also referred to his preference not to go to court, and indicated that he would rather the Council removed permission for the dog to be kept by the owner. Mr Y's correspondence indicates that he has considered actions other than having the personal data disclosed to him in terms of FOISA, and that is seeking to obtain a name to commence a court case only as a last resort.

35. Having considered all relevant submissions, the Commissioner accepts that disclosure of the personal data Mr Y has requested is necessary for the purposes of his legitimate interest (which is as stated above).

Would disclosure be unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subject?

36. Having decided that that disclosure of the specific information requested by Mr Y is necessary to achieve his legitimate interests, the Commissioner must go on to decide whether disclosure would cause unwarranted prejudice to the rights, freedoms and legitimate interests of the data subject. This involves a balancing exercise between the legitimate interests of Mr Y and those of the data subject. Only if the legitimate interests of Mr Y outweigh the interests of the data subject can the information be disclosed without breaching the first data protection principle.

37. In the Commissioner's briefing on section 38 of FOISA, the Commissioner notes a number of factors which should be taken into account in carrying out this balancing exercise. These include:

? whether the information relates the individual's public life (i.e. their work as a public official or employee) or their private life (i.e. their home, family, social life or finances);

? the potential harm or distress that may be caused to by the disclosure;

? whether the individual has objected to the disclosure; and

? the reasonable expectations of the individual as to whether the information would be disclosed.

38. The Commissioner is satisfied that the information in question pertains wholly to the data subject's private life: i.e. their ownership of a dog.

39. The Council did not make any submission on whether disclosure of the data subject's name would cause the owner harm or distress. It focused on the question of whether disclosure would be "fair processing"; in other words, whether the data subject would know or reasonably expect that the Council could or would give out their personal data in response to an information request.

40. The Council explained that the name of the dog owner was received by the Council during its investigation of Mr Y's complaint. The Council confirmed that it does not provide any information to people involved in such investigations either to say to whom information would or would not be disclosed. However, the Council was of the view that an individual providing information to the Council through an investigation of a complaint would not expect that the Council would subsequently disclose that information to the public. Therefore, under those circumstances, the Council submitted it would not be fair to disclose the personal data to the public.

41. The Commissioner accepts that in terms of disclosure through FOISA - which is disclosure into the public domain - a person about whom a complaint has been made would not expect information obtained about them as a result of an investigation into a complaint, to be disclosed, unless it had previously been made clear that this was a possibility. In this context, the Commissioner accepts that the data subject would have a reasonable expectation that their identity would not be disclosed, or confirmed or denied, to the complainant or to any other member of the public.

42. In the circumstances, the Commissioner accepts that disclosure would have the potential to cause distress and would be unwarranted.

43. Having concluded that disclosure of the withheld information would lead to unwarranted prejudice to the rights and freedoms or legitimate interests of the data subject, the Commissioner must also conclude that disclosure would be unfair. In the absence of a condition permitting disclosure, she would also regard disclosure as unlawful. In all the circumstances, therefore, she finds that disclosure would breach the first data protection principle and that the information was properly withheld under section 38(1)(b) of FOISA.

Decision The Commissioner finds that South Lanarkshire Council (the Council) complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by Mr Y. The Commissioner does not require the Council to take any action.

Appeal

Should either Mr Y or the Council wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement
19 December 2014

 

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

?

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

?

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

?

(e) in subsection (1) of section 38 -

?

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

38 Personal information

(1) Information is exempt information if it constitutes-

?

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

?

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

?

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

?.

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

.

Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

?

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

Schedule 1 - The data protection principles

Part I - The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a) at least one of the conditions in Schedule 2 is met, and

?

Schedule 2 - Conditions relevant for purposes of the first principle: processing of any personal data

1. The data subject has given his consent to the processing.

...

6. (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

[1] http://www.bailii.org/ew/cases/EWCA/Civ/2014/92.html

[2]

[3]