Decision 277/2013

Decision 277/2013 Mr Brian Shannan and Scottish Environment Protection Agency

Named individual and conflict of interest

Reference No: 201301565
Decision Date: 6 December 2013

Summary

On 16 and 19 May 2013, Mr Shannan asked the Scottish Environment Protection Agency (SEPA) for confirmation that a named individual was an employee of SEPA and for information relating to how the authority handled conflicts of interest. SEPA provided information on its procedures with regard to conflicts of interest, but refused to reveal whether it held information relating to the named individual, on the grounds that providing such confirmation would breach the first data protection principle.

Following an investigation, the Commissioner found that SEPA had dealt with Mr Shannan's request for information in accordance with the EIRs. She concluded that revealing whether the information existed or was held would breach the first data protection principle.

Relevant statutory provisions

The Environmental Information (Scotland) Regulations 2004 (the EIRs) regulations 2(3) (Interpretation); 5(1) and (2)(b) (Duty to make environmental information available on request); 11(2), (3)(a)(i), (3)(b) and (6) (Personal data)

Data Protection Act 1998 (the DPA) sections 1(1) (Basic interpretative provisions: definition of "personal data"); Schedule 1 (The data protection principles, Part I: the principles (the first data protection principle)) and Schedule 2 (Conditions relevant for purposes of the first principle: processing of any personal data) (condition 6)

The full text of each of the statutory provisions cited above is reproduced in the Appendix to this decision. The Appendix forms part of this decision.

Background

1. On 16 and 19 May 2013, Mr Shannan wrote to SEPA requesting confirmation that a named individual, residing at a particular location, and who was named in a planning application, was the same named individual as was identified as an employee of SEPA on its website. Mr Shannan also sought information relating to SEPA's procedures for handling conflicts of interest concerning employees and planning applications.

2. SEPA responded on 29 May 2013, stating that it was processing this request under the terms of the EIRs. It responded to that part of the request relating to conflicts of interest. Mr Shannan did not take issue with this response and this aspect of his request will not be considered further.

3. In response to the remaining part of the request, relating to the named individual, SEPA stated that it was relying on regulation 11(6) of the EIRs, neither confirming nor denying whether it held any relevant information.

4. On 30 May 2013, Mr Shannan wrote to SEPA seeking a review of its decision, arguing that it was in the public interest for the confirmation he sought to be provided.

5. SEPA notified Mr Shannan of the outcome of its review on 27 June 2013. SEPA confirmed its original response to Mr Shannan's request and maintained its reliance on regulation 11(6) of the EIRs.

6. On 8 July 2013, Mr Shannan wrote to the Commissioner's office, stating that he was dissatisfied with the outcome of SEPA's review and applying to the Commissioner for a decision in terms of section 47(1) of FOISA. By virtue of regulation 17 of the EIRs, Part 4 of FOISA applies to the enforcement of the EIRs as it applies to the enforcement of FOISA, subject to certain specified modifications. Mr Shannan did not challenge SEPA's decision to deal with his request under the EIRs.

7. The application was validated by establishing that Mr Shannan made a request for information to a Scottish public authority and applied to the Commissioner for a decision only after asking the authority to review its response to those requests.

Investigation

8. On 19 July 2013, the investigating officer contacted SEPA, giving it the opportunity to provide comments on the application (as required by section 49(3)(a) of FOISA) and asking it to respond to specific questions. In particular, SEPA was asked to justify its reliance on any provisions of the EIRs it considered applicable to the information requested, with specific reference to its application of regulation 11(6).

Commissioner's analysis and findings

9. In coming to a decision on this matter, the Commissioner considered all of the relevant submissions, or parts of submissions, made to her by both Mr Shannan and SEPA. She is satisfied that no matter of relevance has been overlooked.

Regulation 11(6) of the EIRs

10. Regulation 11 of the EIRs relates to personal data. Regulation 11(6) allows a Scottish public authority to respond to a request for information by not revealing whether the requested information exists or is held by it (whether or not it actually holds that information), if giving such confirmation would involve making information available in contravention of regulation 11.

11. Regulation 11(2), read in conjunction with regulation 11(3)(a)(i) (or regulation 11(3)(b), as appropriate) provides that, to the extent that the environmental information requested includes personal data (as defined in section 1(1) of the DPA) of which the applicant is not the data subject, the data does not have to be made available if disclosure would breach any of the data protection principles contained in Schedule 1 to the DPA.

12. Where regulation 11(6) is applied in conjunction with these provisions, the Commissioner must consider two separate matters:

a. would revealing whether the requested information exists or is held make available any personal data of a third party?

b. would that disclosure (i.e. revealing whether the information exists or is held) breach any of the data protection principles?

Would revealing whether the information exists or is held make available personal data?

13. Personal data is defined in section 1(1) of the DPA as data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller. The definition is set out in full in the Appendix.

14. In this instance, Mr Shannan sought confirmation as to whether an individual was employed by SEPA. In making his request, Mr Shannan made reference to the location of the individual's home address and a planning application associated with the individual. SEPA argued that confirming whether the information was held, together with the information contained in Mr Shannan's request, would amount to the individual's personal data.

15. The Commissioner, although accepting that names will not always be personal data, is satisfied that the combination of the information in Mr Shannan's request and the information he sought in relation to that individual amounts to that individual's personal data. She accepts that the individual would be identifiable from this combination.

16. The Commissioner also accepts that either confirming or denying that the requested information exists or is held by SEPA would reveal information about that individual and their potential involvement or otherwise in a particular planning application, in a private capacity. That would relate to the individual.

Would revealing whether the information exists or is held breach any of the data protection principles?

17. SEPA argued that providing the requested confirmation would breach the first data protection principle.

18. The first data protection principle requires that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 (to the DPA) is met and, in the case of sensitive personal data, at least one of the conditions in Schedule 3 (again, to the DPA) is also met.

19. There are therefore three separate aspects to the first data protection principle: (i) fairness, (ii) lawfulness and (iii) the conditions in the Schedules. However, these three aspects are interlinked. If there is a specific condition which permits the personal data to be disclosed, it is likely that the disclosure will also be fair and lawful.

20. The Commissioner has considered the definition of sensitive personal data set out in section 2 of the DPA and is satisfied that revealing whether or not the information requested by Mr Shannan exists or is held would not make available personal data falling into any of the relevant categories. It is therefore not necessary in this case to consider the conditions in Schedule 3 to the DPA.

21. The Commissioner will now go on to consider whether there are any conditions in Schedule 2 to the DPA which would permit the personal data to be disclosed. If any of these conditions can be met, she must then consider whether the disclosure of this personal data would be fair and lawful.

Can any of the conditions in Schedule 2 of the DPA be met?

22. SEPA argued that none of the conditions in Schedule 2 were met. In all the circumstances of the case, the Commissioner is of the view that it is only condition 6 which might potentially apply.

23. Condition 6 allows personal data to be processed (in this case, revealing - publicly, as is the effect of making information available under the EIRs - whether or not the information requested by Mr Shannan existed or was held by SEPA) if the processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject (i.e. the person to whom the data relate, assuming there to be such a person).

24. There are, therefore, a number of different tests which must be satisfied before condition 6 can be met. These are:

a. Is Mr Shannan pursuing a legitimate interest or interests?

b. If yes, is the confirmation in question necessary for the purposes of these legitimate interests? In other words, is that confirmation proportionate as a means and fairly balanced as to ends, or could the legitimate interests be achieved by means which interfere less with the privacy of the data subject?

c. Even if the confirmation is necessary, would it nevertheless be unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subject? This will involve a balancing exercise between the legitimate interests of Mr Shannan and those of the data subject. Only if (or to the extent that) the legitimate interests of Mr Shannan outweigh those of the data subject can the personal data be disclosed.

Is Mr Shannan pursuing a legitimate interest or interests?

25. Mr Shannan argued that there was a significant interest in making the information he sought available. His request related to a planning application and the confirmation that he sought would highlight any potential conflict of interests in the handling of the planning application, given SEPA's involvement in this particular application. He argued that all of those concerned in the handling of the application should be made aware of any potential conflict, bearing in mind the Nolan Principles and the inherent requirement for transparency in the planning process.

26. SEPA accepted that Mr Shannan was pursuing a legitimate interest. In the circumstances, having considered the submissions received from both parties, the Commissioner accepts this.

Is the confirmation necessary for the purposes of these legitimate interests?

27. SEPA argued that confirming whether the information existed or was held was not necessary, as Mr Shannan's legitimate interest could be met by other means that would interfere less with the privacy of the data subject (assuming there to be one).

28. SEPA stated that the alternative means of obtaining this information would be through its customer complaints procedure. SEPA made reference to the judgement of the Supreme Court in South Lanarkshire Council v. The Scottish Information Commissioner[1], which stated at para 27:

"... in ordinary language we would understand that a measure would not be necessary if the legitimate aim could be achieved by something less."

SEPA considered making the information available through the customer complaints procedure (which would not involve disclosure to the world at large) to involve a lesser degree of disclosure.

29. The Commissioner is satisfied, having taken into account all the relevant submissions, made by both Mr Shannan and SEPA, that Mr Shannan's legitimate interests could be served by providing the relevant confirmation using another method, which would interfere less with the privacy of the data subject (assuming there to be one).

30. Consequently, the Commissioner does not accept that revealing whether the requested information existed or was held would be necessary for the purposes of the legitimate interest pursued by Mr Shannan.

31. Given this conclusion, the Commissioner finds there is no condition in Schedule 2 which would permit SEPA to reveal whether the requested information existed or was held. In the absence of such a condition, making that information available would be unlawful. Consequently, the Commissioner finds that revealing whether the information existed or was held would breach the first data protection principle.

32. The Commissioner is therefore satisfied that revealing whether the requested information existed or was held would involve making information available in contravention of regulation 11(2) of the EIRs, and therefore that SEPA was entitled to refuse to do so in terms of regulation 11(6) of the EIRs.

DECISION

The Commissioner finds that, in the respects stipulated in Mr Shannan's application, the Scottish Environment Protection Agency complied with the Environmental Information (Scotland) Regulations 2004 in responding to the information request made by Mr Shannan.

Appeal

Should either Mr Shannan or the Scottish Environment Protection Agency wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement
6 December 2013

Appendix

Relevant statutory provisions

The Environmental Information (Scotland) Regulations 2004

2 Interpretation

...

(3) The following expressions have the same meaning in these Regulations as they have in the Data Protection Act 1998, namely-

(a) "data", except that for the purposes of regulation 10(3) and 11, a public authority referred to in paragraph (e) of the definition of data in section 1(1) of that Act means a Scottish public authority within the meaning of these Regulations;

(b) "the data protection principles";

(c) "data subject"; and

(d) "personal data".

...

5 Duty to make available environmental information on request

(1) Subject to paragraph (2), a Scottish public authority that holds environmental information shall make it available when requested to do so by any applicant.

(2) The duty under paragraph (1)-

...

(b) is subject to regulations 6 to 12.

...

11 Personal data

...

(2) To the extent that environmental information requested includes personal data of which the applicant is not the data subject and in relation to which either the first or second condition set out in paragraphs (3) and (4) is satisfied, a Scottish public authority shall not make the personal data available.

(3) The first condition is-

(a) in a case where the information falls within paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 that making the information available otherwise than under these Regulations would contravene-

(i) any of the data protection principles; or

...

(b) in any other case, that making the information available otherwise than under these Regulations would contravene any of the data protection principles if the exemptions in section 33A(1) of the Data Protection Act 1998 (which relate to manual data held by public authorities) were disregarded.

...

(6) For the purposes of this regulation, a Scottish public authority may respond to a request by not revealing whether information exists or is held by it, whether or not it holds such information, if to do so would involve making information available in contravention of this regulation.

Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

...

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

...

Schedule 1 - The data protection principles

Part I - The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

...

Schedule 2 - Conditions relevant for purposes of the first principle: processing of any personal data

...

6. (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

[1] [2013] UKSC 55