The Scottish Information Commissioner - It's Public Knowledge
Tweet this page:
Text Size Icon

- Text Size Up | Down

Decision 097/2014 Mr Paul Hutcheon and Dundee City Council

Payments made

Reference No: 201400258
Decision Date: 5 May 2014

Summary

On 19 November 2013, Mr Hutcheon asked Dundee City Council (the Council) for information relating to Dundee Schools Music Theatre. The Council responded by providing some information, withholding the rest on the basis that it was personal data and disclosure would breach the data protection principles.

Following an investigation, during which further information was disclosed, the Commissioner found that the Council was entitled to withhold the remaining information as disclosure would breach the first data protection principle.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2)(a)(i), (2)(b) and (5) (definitions of "data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA) sections 1(1) (Basic interpretative provisions) (definition of "personal data"); Schedule 1 (The data protection principles, Part I: the principles) (the first data protection principle) and Schedule 2 (Conditions relevant for purposes of the first principle: processing of any personal data) (condition 6)

The full text of each of the statutory provisions cited above is reproduced in the Appendix to this decision. The Appendix forms part of this decision.

Background

1. On 19 November 2013, Mr Hutcheon wrote to the Council requesting information about the Dundee Schools Music Theatre (DSMT), including the following:

(a) Broken down by financial years 2010/11, 11/12, 12/13 and 13/14, did [named persons] receive any i) salary ii) fees iii) expenses for their work with DSMT? If so, how much?

(b) Broken down by financial years 2010/11, 11/12, 12/13 and 13/14, how much did DSMT pay to consultants/contractors and any other external organisations? Please state the names of all consultants/contractors/external organisations.

2. The Council responded on 31 December 2013. In relation to the above requests, it stated that the information was personal data and withheld it under section 38(1)(b) of FOISA.

3. On 4 January 2014, Mr Hutcheon wrote to the Council requesting a review of its decision. He believed it was standard practice for public bodies to release the name of consultants/contractors/external bodies in receipt of public funds. Also, given their status, he considered it reasonable for payments to the named individuals to be made public.

4. The Council notified Mr Hutcheon of the outcome of its review on 30 January 2014. The Council confirmed that one of the named persons had been consulted and was happy for the Council to confirm that it held no information relative to that person. With that exception, the Council upheld its original decision that the information was properly withheld in terms of section 38(1)(b) of FOISA.

5. On 3 February 2014, Mr Hutcheon wrote to the Commissioner, stating that he was dissatisfied with the outcome of the Council's review and applying to the Commissioner for a decision in terms of section 47(1) of FOISA.

6. The application was validated by establishing that Mr Hutcheon made requests for information to a Scottish public authority and applied to the Commissioner for a decision only after asking the authority to review its response to that those requests.

Investigation

7. On 12 February 2014, the Council was notified in writing that an application had been received from Mr Hutcheon and was asked to provide the Commissioner with the information withheld from him. The Council provided the information and the case was then allocated to an investigating officer.

8. The investigating officer subsequently contacted the Council, giving it an opportunity to provide comments on the application (as required by section 49(3)(a) of FOISA) and asking it to respond to specific questions. The investigating officer's questions focused on the Council's application of section 38(1)(b) of FOISA: the Council responded with full submissions on these points.

9. The Council confirmed it had disclosed to Mr Hutcheon information falling within the scope of part (a) of his request, together with payments made to a further staff member. It maintained that, with the exception of the information disclosed, the information requested at part (b) was exempt in terms of section 38(1)(b) of FOISA.

10. Mr Hutcheon confirmed receipt of the information disclosed during the investigation and required a decision on the information that remained withheld.

Commissioner's analysis and findings

11. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to her by both Mr Hutcheon and the Council. She is satisfied that no matter of relevance has been overlooked.

Section 38(1)(b) - Personal Information

12. Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or (2)(b) (as appropriate) exempts personal data if its disclosure to a member of the public, otherwise than under FOISA, would contravene any of the data protection principles.

13. The Council submitted that the withheld information was personal data for the purposes of the DPA and that its disclosure would contravene the first data protection principle. Therefore, it argued that the information was exempt under section 38(1)(b) of FOISA.

14. In considering the application of this exemption, the Commissioner will first consider whether the information in question is personal data as defined in section 1(1) of the DPA. If it is, she will go on to consider whether disclosure of the information would breach the first data protection principle as claimed.

15. This is an absolute exemption, which means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

Is the information under consideration personal data?

16. "Personal data" are defined in section 1(1) of the DPA as "data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller" (the full definition is set out in the Appendix).

17. The Commissioner has considered the submissions received from the Council on this point, along with the withheld information. She is satisfied that living individuals could be identified from the information, either by itself or with other information reasonably likely to be accessible to Mr Hutcheon (and others). Given the nature of the information, the Commissioner finds that it relates to the individuals concerned. Consequently, the Commissioner accepts that the information would be those individuals' personal data, as defined by section 1(1) of the DPA.

The first data protection principle

18. The first data protection principle states that personal data shall be processed fairly and lawfully. The processing in this case would be disclosure of the information into the public domain in response to Mr Hutcheon's request. The first principle also states that personal data shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met. In the case of sensitive personal data, as defined in section 2 of the DPA, at least one of the conditions in schedule 3 to the DPA must also be met: having considered the information, the Commissioner does not consider it to fall into any of the categories of sensitive personal data in section 2 of the DPA.

19. The Commissioner will now consider whether there are any conditions in Schedule 2 which would permit the withheld personal data to be disclosed. If any of these conditions can be met, she must then consider whether the disclosure of the personal data would be fair and lawful.

20. There are three separate aspects to the first data protection principle: (i) fairness, (ii) lawfulness and (iii) the conditions in the schedules. These three aspects are interlinked. For example, if there is a specific condition in Schedule 2 which permits the personal data to be disclosed, it is likely that the disclosure will also be fair and lawful.

Can any of the conditions in Schedule 2 be met?

21. In the circumstances, it appears to the Commissioner that condition 6 in Schedule 2 is the only one which might permit disclosure to Mr Hutcheon. In any event, neither Mr Hutcheon nor the Council has argued that any other condition would be relevant. Condition 6 allows personal data to be processed if the processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject (the individual(s) to whom the data relate).

22. There are, therefore, a number of different tests which must be satisfied before condition 6 can be met. These are:

a. Is Mr Hutcheon pursuing a legitimate interest or interests?

b. If yes, is the processing involved necessary for the purposes of those interests? In other words, is the processing proportionate as a means and fairly balanced as to ends, or could these interests be achieved by means which interfere less with the privacy of the data subject?

c. Even if the processing is necessary for Mr Hutcheon's legitimate interests, is that processing nevertheless unwarranted in this case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject?

23. There is no presumption in favour of the disclosure of personal data under the general obligation laid down by section 1(1) of FOISA. Accordingly, the legitimate interests of Mr Hutcheon must outweigh the rights and freedoms or legitimate interests of the data subjects before condition 6 will permit the personal data to be disclosed. If the two are evenly balanced, the Commissioner must find that the Council was correct to refuse to disclose the personal data to Mr Hutcheon.

Is the applicant pursuing a legitimate interest or interests?

24. The Council did not consider Mr Hutcheon to be pursuing a legitimate interest in relation to the information withheld beyond the payments made to staff members (which were disclosed during the investigation).

25. Mr Hutcheon submitted that, as a journalist, he had a legitimate interest as disclosure was in the public interest. He submitted that there were precedents where such information was disclosed and drew comparison to previous decisions by the Commissioner, in particular Decision 219/2010 Mr Paul Hutcheon of the Sunday Herald and the Water Industry Commission for Scotland[1], where the Commissioner ordered disclosure of information.

26. Having considered all relevant submissions he has received on this point, together with the nature of the information, the Commissioner accepts that Mr Hutcheon, as a journalist, has a legitimate interest in the withheld information, and that this interest extends to the wider public.

Is disclosure necessary for the purposes of these interests?

27. The Commissioner must now consider whether disclosure of the requested information is necessary for achieving the legitimate interests she has identified, and in doing so she must consider whether these interests might reasonably be met by any alternative means. The Council submitted that disclosure was not necessary for the purposes of any legitimate interest. Mr Hutcheon, on the other hand, could not identify any alternative means of meeting his legitimate interest.

28. Having considered the actual information withheld, the Commissioner concludes that Mr Hutcheon's legitimate interests could not be met in any way, other than by the release of the information under consideration. In the circumstances, she concludes that disclosure is necessary to meet those legitimate interests.

Would disclosure cause unwarranted prejudice to the legitimate interests of the data subjects?

29. The Commissioner must now consider whether disclosure would nevertheless cause unwarranted prejudice to the rights and freedoms or legitimate interests of the individuals to whom payments were made. As noted above, this involves a balancing exercise between the legitimate interests of Mr Hutcheon and those of the data subject(s). Only if the legitimate interests of Mr Hutcheon outweigh those of the data subject(s) concerned can the information be disclosed without breaching the first data protection principle.

30. The Commissioner's guidance on the exemptions in section 38[2] identifies a number of factors which should be taken into account in carrying out this balancing exercise. These include:

a. whether the information relates to the individual's public life (i.e. their work as a public official or employee) or their private life (i.e. their home, family, social life or finances);

b. the potential harm or distress that might be caused by the disclosure;

c. whether the individual has objected to the disclosure;

d. the reasonable expectations of the individual as to whether the information would be disclosed.

31. Mr Hutcheon submitted that disclosure of the requested information would not cause unwarranted prejudice, arguing that if a contractor/consultant received money from the taxpayer, he/she should have an expectation that details would be published, if asked for.

32. The Council argued that it had given no prior notification to the data subjects that such data would be disclosed. They would have no reasonable expectation that such personal information would be disclosed.

33. The Council explained that the payments made to the individuals concerned were not payments made in relation to work as a public official or employee. The payments were made for a variety of purposes, for example, providing music tuition, playing in a band or performing at an amateur production.

34. The Council also referred to the Commissioner's Guidance on the exemption in section 38, as mentioned above and in particular to the case of Common Services Agency v Scottish Information Commissioner [2008] UKHL 47[3]. There, Lord Hope states (at paragraph 7) "… there is no presumption in favour of the release of personal data under the general obligation that FOISA lays down. The reference which FOISA makes to the provisions of [the Data Protection Act] 1998 must be understood in the light of the legislative purpose of that Act, which was to implement Council Directive 95/46/EC. The guiding principle is the protection of fundamental rights and freedoms of persons and in particular their right to privacy with the respect to the processing of personal data…"

35. Taking account of this, the Council submitted that a person's financial affairs were their own personal data and, in a free society, they should not be put in the public domain unless there was an extremely good reason so to do.

36. The Council further submitted that, given the size of these payments and the fact that none of the individuals concerned would have expected this information would be made public when the payments were made, there was no overwhelming public interest that would justify the publication of the information requested. Consequently, disclosure would be unlawful.

37. The Commissioner acknowledges that the remaining withheld information does not constitute earnings as a result of the individuals being employed directly by the Council, but rather in performing the various independent roles described in paragraph 33 above. The question, however, is whether it would be reasonable for the Commissioner to conclude that unwarranted prejudice to the data subjects' rights and freedoms or legitimate interests would follow from disclosure of that information.

38. Whilst noting Mr Hutcheon's reference to precedent and to Decision 219/2010, the Commissioner emphasises that each case has to be considered on its own merits. This previous decision referred to by Mr Hutcheon related to monies paid to a "sole trader" business over a substantial period of time: the same cannot be said to apply here. In this case, the Commissioner accepts that the data subjects would have no reasonable expectation that information regarding their payments would be made known in response to a request for information under FOISA.

39. The Commissioner accepts that the disclosure of the information requested by Mr Hutcheon would be a significant intrusion into the private lives of the individuals concerned. She considers that this is particularly so where the amounts paid can be as little as £40.00 or less over the period of a year.

40. Overall, the Commissioner accepts that there is weight to Mr Hutcheon's arguments regarding the public interest, since disclosure would allow fuller scrutiny of expenditure on the DSMT. However she considers that public interest to be met sufficiently by the disclosure of payments made to employees of the Council. Having conducted the required balancing exercise, she has concluded that, in relation to the information which continues to be withheld, the legitimate interests identified by Mr Hutcheon are outweighed by the rights and freedoms or legitimate interests of the data subject(s) in this case. She must therefore conclude that condition 6 is not met.

41. Since no condition within schedule 2 of the DPA has been, or can be, met in this case, the Commissioner's conclusion is that the first data protection principle would be breached by disclosure and so the information under consideration was properly withheld by the Council under section 38(1)(b) of FOISA.

DECISION

The Commissioner finds that, in respect of the information remaining withheld at the close of the investigation, Dundee City Council complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by Mr Hutcheon.

Appeal

Should either Mr Hutcheon or Dundee City Council wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement
5 May 2014

Appendix

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

...

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;


Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

Schedule 1 - The data protection principles

Part I: the principles

1 Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

Schedule 2 - Conditions relevant for purposes of the first principle: processing of any personal data

...

6(1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

[1] http://www.itspublicknowledge.info/ApplicationsandDecisions/Decisions/2010/201001231.aspx

[2] http://www.itspublicknowledge.info/Law/FOISA-EIRsGuidance/section38/Section38.asp

[3] http://www.publications.parliament.uk/pa/ld200708/ldjudgmt/jd080709/comm-1.htm

PDF IconLink to PDF file of decision 097/2014 (95 kb)

Back to Top