Decision Notice 290/2024: Audit and Inspection Reports

Authority:  Glasgow City Council
Case Ref:  202400301


Summary

The Applicant asked the Authority for audit and inspection reports relating to named publicly owned companies. The Authority disclosed some information but withheld other information on the basis that disclosure would substantially prejudice the carrying out of its statutory functions and other information because it was the personal data of a third party. The Commissioner investigated and was satisfied that all of the information withheld by the Authority was exempt from disclosure.


Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 35(1)(g) and 2(a), (b) and (d) (Law enforcement); 38(1)(b), (2A), (5) (definitions of “the data protection principles”, “data subject”, “personal data” and “processing”, “the UK GDPR”) and (5A) (Personal information); 47(1) and (2) (Application for decision by Commissioner)

United Kingdom General Data Protection Regulation (the UK GDPR) Articles 5(1)(a) (Principles relating to processing of personal data); 6(1)(f) (Lawfulness of processing)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5) and (10) and 14(a), (c) and (d) (Terms relating to the processing of personal data)


Background

1.    On 17 November 2023, the Applicant made a request for information to the Authority. He asked for:

  • all Reports produced by Audit and Inspection and provided to [the Authority] and, in the case of City Building (Glasgow) LLP (CBG), the Wheatley Group, during 2022 and 2023 relating to alleged financial irregularities in CBG and City Building Contracts LLP (CBC), and
  • all Reports produced by Audit and Inspection relating to alleged financial irregularities in CBG and CBC during the above period and provided to Grant Thornton UK LLP

2.    The Authority responded on 18 December 2023. The Authority applied section 25(1) of FOISA and advised the Applicant that some of the information he had asked for (papers from the Finance and Audit Scrutiny Committee) was available online. The Authority disclosed some documents to the Applicant, with information redacted under section 35(1)(a) and section 38(1)(b) of FOISA. It also withheld some documents in their entirety, withholding the information under sections 30(c), 33(1)(b), 35(1)(a), 36(1) and 38(1)(b) of FOISA.

3.    On 4 January 2024, the Applicant wrote to the Authority requesting a review of its decision. The Applicant stated that he was dissatisfied with its response because the Authority was withholding information falling within the scope of his request.

4.    The Authority notified the Applicant of the outcome of its review on 1 February 2024. The Authority upheld its reliance on section 25(1) of FOISA with respect to the online information that was publicly accessible. However, it acknowledged that the previous links it had provided were not functional and it provided the Applicant with new links to these online reports. The Authority also upheld its decision to withhold parts of some documents under section 35(1)(a) and section 38(1)(b). In terms of the information identified but withheld in full, the Authority withdrew its reliance on section 36(1) but upheld its decision to withhold this information under sections 30(c), 33(1)(b) and 38(1)(b) of FOISA.

5.    On 23 February, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. The Applicant stated he was dissatisfied with the outcome of the Authority’s review because he did not agree that the exemptions cited by the Authority applied, and he considered that the public interest favoured disclosure.


Investigation

6.    The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.

7.    On 18 March 2024, the Authority was notified in writing that the Applicant had made a valid application. The Authority was asked to send the Commissioner the information withheld from the Applicant. The Authority provided the information and the case was allocated to an investigating officer.

8.    Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Authority was invited to comment on this application and to answer specific questions about its reasons for withholding information.

9.    During the investigation the Authority changed its position and stated that it was also withholding some information under sections 35(1)(g) and 39(1) of FOISA.


Commissioner’s analysis and findings

10.    The Commissioner has considered all of the submissions made to him by the Applicant and the Authority.

11.    He has endeavoured to give as full an account of his reasoning as he can, but, as recognised by the Court of Session in Scottish Ministers v Scottish Information Commissioner [2006] CSIH 8, at paragraph [18]: "in giving reasons for his decision, [the Commissioner] is necessarily restrained by the need to avoid, deliberately or accidentally, disclosing information which ought not to be disclosed."

12.    In this case, the Commissioner is unable to set out the Authority’s (or his own) reasoning in full as doing so would reference the withheld information.

The withheld information

13.    The withheld information comprises:

  • Documents 6, 7 and 9 – reports by the Director of Assurance and the Authority’s Head of Audit and Inspection updating the Group Audit Committee of the Wheatley Group on Internal Audit Activity at the meetings of 8 February 2023, 3 May 2023 and 8 November 2023, respectively.
  • Documents 11 to 15 – Internal Audit Investigation Reports, Fact Finding Reports, Interview Notes and correspondence
  • Documents 16 to 54 – evidence gathered during the Internal Audit investigation.

14.    The Authority is withholding parts of paragraph 4.8 of document 6, sections 7 and 8 of document 9, and the entirety of documents 11 to 54 under section 35(1)(g), read together with section 35(2)(a) and (b) of FOISA. Some information in document 11 is also being withheld under section 35(1)(g), read together with section 35(2)(d), of FOISA.

15.    The Authority is withholding the entirety of documents 11 to 54 under section 39(1) of FOISA and the entirety of documents 14 to 54 under section 30(c) of FOISA.

16.    The Authority is withholding parts of documents 6, 11-12, 15-54 under section 38(1)(b) of FOISA, and it is also withholding the entirety of documents 13 and 14 under this exemption.

17.    The Authority is withholding information contained in documents 11, 13, 14 and 54 under section 33(1)(b) of FOISA.

18.    In document 7, the Authority is withholding parts of the table given at paragraph 5.18, along with paragraphs 5.22 and 5.27 under section 35(1)(a) of FOISA. During the investigation, the Applicant confirmed that he was not challenging the Authority’s reliance on this exemption.

19.    Given this, the Commissioner’s investigation will not consider document 7 and will solely focus on the information being withheld in documents 6, 9 and 11 to 54.

Section 35(1)(g) – Law enforcement

20.    As noted above, the Authority is withholding parts of documents 6 and 9, and the entirety of documents 11 to 54 under section 35(1)(g) of FOISA, read together with section 35(2)(a) and (b) of FOISA.

21.    Under section 35(1)(g) of FOISA, information is exempt information if its disclosure under FOISA would, or would be likely to, prejudice substantially the exercise by any public authority (as defined by the Freedom of Information Act 2000) or by any Scottish public authority (as defined by FOISA) of its functions for any of the purposes listed in section 35(2). (The Authority is a Scottish public authority for the purposes of FOISA.)

22.    The Authority argued that disclosure of the information would, or would be likely to, prejudice substantially the exercise of its functions for the purposes specified in section 35(2)(a) (to ascertain whether a person has failed to comply with the law) and section 35(2)(b) (to ascertain whether a person is responsible for conduct which is improper).

23.    The exemptions in section 35 are all qualified exemptions, in that they are subject to the public interest test in section 2(1)(b) of FOISA. In addition, the exemptions can only apply where substantial prejudice would, or would be likely to, occur as a result of the disclosure of the information. There is no definition in FOISA of what is deemed to be substantial prejudice, but the Commissioner's view is that the harm in question must be of real and demonstrable significance. An authority must also be able to satisfy the Commissioner that the harm would, or would be likely to, occur and therefore needs to establish a real risk or likelihood of actual harm occurring as a consequence of disclosure, at some time in the near (certainly the foreseeable) future, not simply that the harm is a remote possibility.

24.    The Commissioner must therefore consider three separate matters:

  • does the Authority have functions in relation to the purpose mentioned in section 35(2)(a) and (b)?
  • if it does, would disclosure of the information prejudice substantially, or be likely to prejudice substantially, the Authority's ability to exercise that function?
  • if such prejudice would, or would be likely to, occur, does the public interest in maintaining the exemption outweigh that in disclosure of the information?

Does the Authority have functions in relation to sections 35(2)(a) and (b)?

25.    The Authority submitted that disclosure of the information would substantially prejudice the ability of its Internal Audit team to carry out its statutory functions. It explained that its Internal Audit team is required to comply with the Public Sector Internal Audit Standards (PSIAS) which have been adopted by the Relevant Internal Audit Standard Setters (RIASS). The RIASS includes, among others, HM Treasury, the Scottish Government and the Chartered Institute of Public Finance and Accountancy (CIPFA). The Authority submitted that the prejudice would primarily be suffered by the Authority but also by those other bodies to which its Internal Audit team provides audit services.

26.    The Commissioner is satisfied that the Authority has statutory functions that are carried out by its Internal Audit team, and that these functions include those described in sections 35(2)(a) and (b) of FOISA.

Would disclosure prejudice the exercise of those functions?

The Authority’s submissions on the exemption

27.    The Authority provided the Commissioner with detailed submissions explaining why, in its view, disclosure of the information would substantially prejudice the exercising of its functions in relation to section 35(2)(a) and (b) of FOISA.

28.    While the Commissioner has considered these submissions in full, due to the nature of those submissions, he is unable to replicate, or discuss them, in this decision as to do so would reveal the information that has been withheld.

The Applicant's submissions on the exemption

29.    The Applicant submitted that he could not understand why some reports had been withheld in their entirety rather than redacted.

30.    The Applicant submitted that the lack of information given to him in his capacity as an elected member had meant that he found he was unable to judge the extent to which the disclosure of any further information concerning the allegations would give rise to the prejudice claimed by the Authority.

31.    Despite making it clear to the Authority that he was happy to accept anonymised information, the Applicant submitted that he had received very limited information from the Authority on the background to the investigation of CBG and CBC. The Applicant said he had concerns that the investigation was prolonged and that it did not appear to have found anything of significance.

32.    He submitted that his purpose throughout had been to try to be able to assess whether this major and highly expensive investigation was justifiable, based on the existence of clear evidence rather than hearsay or rumour.

The Commissioner's view on the exemption

33.    The Commissioner acknowledges the Applicant’s frustration at information being unavailable to him, especially in his capacity as an elected member seeking to hold the Authority to account and ensure that scarce resources are directed appropriately. However, the Commissioner notes that the Authority has disclosed a substantial amount of information falling within scope of the Applicant’s request.

34.    While the Commissioner cannot publish the Authority’s full submissions or his full reasoning, as to do so would involve referencing the information withheld, the Commissioner accepts that disclosure of the information would prejudice substantially the conduct of future internal audit investigations, which would in turn prejudice substantially the exercise of its auditing functions under the aforementioned statutory auditing standards.

35.    The Commissioner is satisfied that disclosure of the information would have prejudiced substantially, or would have been likely to prejudice substantially, the exercise of the Authority’s functions for the purposes mentioned in section 35(2)(a) and (b) of FOISA.

36.    He is therefore satisfied that the exemption in section 35(1)(g) applies.

Does the public interest in maintaining the exemption outweigh that in disclosure of the information?

37.    The exemption in section 35(1)(g) is subject to the public interest test set out in section 2(1)(b) of FOISA. This means that, even although the Commissioner is satisfied that the disclosure of the information falling within scope of the Applicant’s request would, or would be likely to, prejudice substantially the carrying out by the Authority of its relevant functions, the Commissioner must still order the report to be disclosed unless he is satisfied that, in all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosure of the information.

The Authority’s comments on the public interest

38.    The Authority acknowledged the significant public interest in openness and transparency, and it recognised that any request for information is potentially in the public interest.

39.    Specifically, in relation to the Applicant’s request, the Authority acknowledged that there was a public interest in any matters of concern relating to its governance or financial functions. The Authority accepted that the taxpayer and other stakeholders have a reasonable interest in any failings or concerns that could undermine or threaten service delivery or the best use of public money.

40.    The Authority explained that its ability to fully and freely investigate matters of concern was key to the maintenance of an effective and robust system of governance and internal control through its Internal Audit Function. The Authority argued that disclosure of the information captured by the Applicant’s request would significantly undermine this function, other assurance functions and other investigations carried out by the Authority.

41.    The Authority submitted that this, in turn, would impact on its ability to demonstrate strong systems of governance and control, and any deterioration in governance and control would very much not be in the public interest. It commented that it is required, by statute, to maintain a robust system of governance and internal control.

42.    The Authority argued that disclosure of the information would have specific consequences for the current investigation (the subject of the Applicant’s request), as well as any future investigations that it may carry out. Specifically, the Authority submitted that:

  • further investigation, under civil or criminal law, may be required into the matters contained in the information that has been withheld.
  • disclosure of the information could prejudice and/or hinder the progress of the current investigation.
  • any future, separate investigations may be undermined by wider public knowledge of how the Authority carries out its investigations, and witnesses may feel less able to be candid in their statements if they knew there was a risk that these could be disclosed to the public domain.
  • disclosure would risk the Internal Audit team (and potentially other public sector auditors) self-censoring in future to avoid the negative impacts of disclosure and such self-censorship would reduce the value of their reports. Reports would become much higher level and less detailed, which would be of detriment to the Authority but also the wider assurance framework across public authorities.

43.    For all of the reasons stated, the Authority submitted that the balance of public interest supported the continued withholding of the information.

The Applicant's comments on the public interest

44.    The Applicant submitted that, in his capacity as an elected member and Board member of City Building, he had received only very limited information concerning the investigation, and it was that limited information which gave rise to his concerns.

45.    The Applicant explained that he had raised his concerns with the then Chief Executive of the Authority and advised her that he felt he could not properly undertake his role as a member of that Board whilst he was being deprived of even basic information about the investigation. The Applicant submitted that despite this, he continued to receive very little information about the matter.

46.    The Applicant submitted that his concern was always to try to establish whether this investigation was justifiable based on evidence received. He argued that a huge amount of staff time and hundreds of thousands of pounds had been spent on an investigation which does not appear to have found anything of major significance, and he considered that it was legitimate, necessary and in the public interest for there to be an informed discussion about whether this was justified.

The Commissioner's view on the public interest

47.    The Commissioner has considered the submissions from both parties, together with the withheld information.

48.    The Commissioner recognises the definite public interest in ensuring good governance, openness and transparency in public authorities carrying out their statutory functions, especially when those functions relate to the financial governance of other publicly funded organisations.

49.    The Commissioner also acknowledges the Applicant’s concerns that a significant amount of public money has been spent by the Authority in performing these statutory functions, and it is clear that there is public interest in whether, or not, the carrying out of those functions gave value for money. He also notes the Applicant’s frustration at his inability to access information as an elected member and a Board member, but what he can access in these capacities (as opposed to under FOISA, where disclosure would be to the world at large and not to a more discrete group) is not something he can concern himself with.

50.    It is clear to the Commissioner that the information being withheld by the Authority relates to an investigation (or investigations) being carried out by it in performing its statutory functions.

51.    While there is a public interest in the Authority carrying out its statutory Internal Audit functions in a thorough and proper way, this must be balanced against the public interest in the Authority being able to conduct an audit in a thorough and professional manner, including carrying out appropriate investigations, gathering evidence and reaching conclusions, without fear that information relating to that audit would be disclosed before the process is complete.

52.    The Commissioner acknowledges that, in order to perform its functions, the Authority must have the ability to investigate matters confidentially, safe in the knowledge that information will not routinely be publicly disclosed, and where necessary, to allow matters to be referred to appropriate bodies for law enforcement purposes. He accepts that the public interest does not lie in disclosing information that would limit or prevent proper progress of any investigation that might be required to meet the Authority’s statutory role in performing these functions.

53.    The Commissioner is satisfied that there is a strong public interest in ensuring that Authorities are able to carry out audits in order to ascertain whether or not individuals have failed to comply with the law or are responsible for conduct which is improper. It is important, with a view to ensuring high standards of conduct are observed, that the Authority is able to perform these investigative functions effectively.

54.    Having considered all the circumstances of this case including the nature of the withheld information concerned, the Commissioner is satisfied that the public interest in maintaining the exemption outweighs that in disclosure. Consequently, he finds that the Authority was entitled to withhold the information in question under section 35(1)(g) of FOISA.

55.    As the Commissioner has found that the entirety of documents 11 to 54, and parts of documents 6 and 9 were correctly withheld under section 35(1)(g), read together with section 35(2)(a) and (b) of FOISA, he will not go on to consider the application of the other exemptions applied to this information.

Section 38(1)(b) – Personal data of a third party

56.    The Authority is withholding one sentence of paragraph 4.10 in document 6 under section 38(1)(b) of FOISA, on the grounds that it comprises the personal data of a third party. The Commissioner will now consider whether this information has been correctly withheld under this exemption.

57.    Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) (or (b)), exempts information from disclosure if it is “personal data” (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR.

58.    The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

59.    To rely on the exemption in section 38(1)(b), the Authority must show that the information is personal data for the purposes of the DPA 2018 and that disclosure of the information into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles in Article 5(1) of the UK GDPR.

60.    The Applicant noted that the Authority was withholding personal data of individuals including staff and former staff and he raised his concern that he did not know who these individuals were or why they were relevant to the investigation which took place. The Applicant submitted that this supported his claim that as much information as possible was released to determine whether, or not, the investigation was proportionate in scope to the available evidence.

61.    The Applicant specifically asked the Commissioner to rule on whether, or not, what is being withheld was personal data, whether the withholding was justifiable in the circumstances of this particular case and whether the legitimate interest in disclosure outweighed the privacy rights of the individuals.

Is the information personal data?

62.    The first question the Commissioner must address is whether the information is personal data for the purposes of section 3(2) of the DPA 2018, i.e. any information relating to an identified or identifiable individual. “Identified living individual” is defined in section 3(3) of the DPA 2018. (This definition reflects the definition of personal data in Article 4(1) of the UK GDPR.)

63.    Information will "relate to" a person if it is about them, is linked to them, has biographical significance for them, is used to inform decisions affecting them, or has them as its main focus.

64.    The Authority submitted that the information was personal data for the purposes of section 3(2) of the DPA 2018.

65.    The Commissioner has viewed the relevant information in paragraph 4.10 of document 6 and he is satisfied that it is personal data.

Would disclosure contravene one of the data protection principles?

66.    The Authority stated that disclosure would breach Article 5(1)(a) of the UK GDPR, which requires personal data to be processed “lawfully, fairly and in a transparent manner in relation to the data subject”. It submitted that these individuals would not expect their personal data to be released into the public domain in response to an information request. The Authority submitted that this would be unfair.

67.    The definition of “processing” is wide and includes (section 3(4)(d) of the DPA 2018) “disclosure by transmission, dissemination or otherwise making available”. In the case of FOISA, personal data are processed when disclosed in response to a request.

68.    This means that the personal data can only be disclosed if disclosure would be both lawful (i.e. it would meet one of the conditions for lawful processing listed in Article 6(1) of the GDPR) and fair.

69.    The Commissioner will first consider whether any of the conditions in Article 6(1) can be met. The Commissioner considers condition (f) in Article 6(1) to be the only condition which could potentially apply in the circumstances of the case.

Condition (f): legitimate interests

70.    Condition (f) states that processing will be lawful if it “…is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data…”

71.    Although Article 6 states that this condition cannot apply to processing carried out by public authorities in the performance of their tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests made under FOISA.

72.    The tests which must be met before Article 6(1)(f) can be met are as follows:

(i)      Is there a legitimate interest in obtaining the personal data?

(ii)     If so, would disclosure of the personal data be necessary to achieve the legitimate interest?

(iii)    Even if processing would be necessary to achieve the legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subject?

Is there a legitimate interest in obtaining the personal data?

73.    The Authority submitted that the Applicant was appointed as a Board Member of CBG and CBC, and as such had access to an enhanced level of information, including closed papers provided in private to help carry out scrutiny of CBG. The Authority commented that the Applicant had received reports and private briefings in relation to the investigation and its conclusions, and it submitted that this level of access was appropriate for the Applicant’s membership of the Board.

74.    The Authority acknowledged that Board Members have a legitimate interest in any investigation involving CBG, but the Authority did not consider that disclosure of the remaining, undisclosed personal data was necessary for the Board to carry out its functions. It considered this information to be operational, rather than necessary to the scrutiny process. The Authority submitted that the Applicant did not have a legitimate interest in disclosure of the information.

75.    The Applicant argued that there was a legitimate interest in disclosure of as much information as possible such that the value and proportionality of the investigation could be ascertained. He commented that he had received only very limited information concerning the investigation.

76.    The Commissioner has carefully considered the submissions from both parties. He recognises that if the information the Applicant has requested is disclosed in response to a FOISA request, it is, in effect, disclosed into the public domain.

77.    Although the Applicant has argued that there is legitimate interest in disclosure of as much information as possible, the Commissioner is not satisfied that disclosure of the personal data in this one sentence would add any value to the information already disclosed in document 6. He does not accept that the Applicant has any legitimate interest in this particular information.

78.    Given this, the Commissioner finds that the Applicant does not have a legitimate interest in obtaining the personal data of the third party, and he is satisfied that this information has been properly withheld under section 38(1)(b) of FOISA.


Decision

The Commissioner finds that the Authority complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant.


Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

 


Euan McCulloch 
Head of Enforcement


10 December 2024