The Scottish Information Commissioner - It's Public Knowledge
Tweet this page:
Text Size Icon

- Text Size Up | Down

Decision 208/2014: Mr Michael Roulston and Her Majesty's Inspectors of Constabulary

Copy of interim report

Reference No: 201400274
Decision Date: 26 September 2014

Summary

On 16 October 2013, Mr Roulston asked Her Majesty's Inspectors of Constabulary (HMICS) for a copy of a report about an investigation by HMICS into governance arrangements made by the former Central Scotland Joint Police Board (CSJPB) for the post of Assistant Chief Constable.

HMICS withheld the information on the basis that it comprised personal data and was exempt from disclosure in terms of section 38 of FOISA.

The Commissioner investigated and found that HMICS had partially failed to respond to Mr Roulston's request for information in accordance with Part 1 of FOISA. The Commissioner found that some of the withheld information did not comprise personal data and required HMICS to disclose it to Mr Roulston. In respect of the information that did comprise personal data, the Commissioner did not accept that any of it comprised Mr Roulston's personal data or was exempt from disclosure under section 38(1)(a) of FOISA. The Commissioner accepted that HMICS was entitled to withhold some third party personal data under section 38(1)(b) of FOISA, but ordered disclosure of other personal data wrongly withheld under that exemption.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1) and (2)(e)(ii) (Effect of exemptions); 38(1)(a), (b), (2)(a)(i) and (b) and (5) (definitions of "the data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA) sections 1(1) (Basic interpretative provisions) (definition of personal data); 2 (Sensitive personal data); Schedule 1 (The data protection principles, Part 1 - the principles) (the first data protection principle); Schedule 2 (Conditions relevant for the purposes of the first principle: processing of any personal data: conditions 1 and 6(1)); Schedule 3 (Conditions relevant for purposes of the first principle: processing of sensitive personal data (conditions 1 and 5))

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 16 October 2013, Mr Roulston emailed HMICS via the whatdotheyknow website[1], making reference to an investigation by HMICS into the former CSJPB's governance arrangements for the post of Assistant Chief Constable. He asked for copy of the report and other information that is not the subject of this decision.

2. HMICS responded on 19 November 2013. HMICS informed Mr Roulston that, as conduct proceedings were still ongoing, it was not appropriate to publish the report. HMICS did not cite any exemption in FOISA explaining why the report was being withheld.

3. On 29 November 2013, Mr Roulston emailed HMICS requesting a review of their decision. Mr Roulston noted that HMICS's initial response had not cited any exemptions in FOISA to justify withholding the information. He also submitted that most of the misconduct charges to which HMICS had referred had now been dropped. In his view, this provided some scope for a redacted copy of the report to be disclosed.

4. HMICS notified Mr Roulston of the outcome of their review on 17 December 2013. HMICS informed Mr Roulston that they considered the report contained personal data and was exempt from disclosure in terms of section 38 of FOISA.

5. On 9 February 2014, Mr Roulston applied to the Commissioner for a decision in terms of section 47(1) of FOISA. Mr Roulston stated he was dissatisfied with the outcome of HMICS's review and he believed HMICS could disclose a redacted copy of the report.

Investigation

6. The application was accepted as valid. The Commissioner confirmed that Mr Roulston made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to her for a decision.

7. On 13 March 2014, HMICS were notified in writing that Mr Roulston had made a valid application. HMICS were asked to send the Commissioner the information withheld from him. HMICS provided the information and the case was allocated to an investigating officer. HMICS indicated that they were withholding the information under the exemption in section 38(1)(a) of FOISA (personal data of which the applicant is the data subject).

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. HMICS were invited to comment on Mr Roulston's application including justifying their reliance on any provisions of FOISA they considered applicable to the information requested.

9. At this stage, the investigating officer informed HMICS that some of the information being withheld under section 38 of FOISA did not appear to comprise personal data. The investigating officer asked HMICS for their views on this and whether they considered that some of this information could now be disclosed to Mr Roulston. Additionally, the investigating officer asked HMICS to provide the Commissioner with a marked up copy of the withheld information indicating the parts which they considered to be personal data.

10. The investigating officer also asked HMICS to clarify whether they were withholding the information under section 38(1)(a) or 38(1)(b) of FOISA. The investigating officer pointed out that none of the withheld information comprised Mr Roulston's own personal data. The investigating officer also noted that HMICS had redacted the header from the withheld information and asked HMICS to clarify whether they still wished to withhold this specific information. If so, HMICS were asked to provide submissions on any exemption(s) they considered applicable to this information.

11. In response, HMICS agreed that some of the information did not comprise personal data. They provided the investigating officer with a marked up copy of the withheld information identifying such information, and indicated that they would be prepared to disclose this information to Mr Roulston.

12. HMICS confirmed that they considered some of the information to be exempt from disclosure in terms of section 38(1)(a) of FOISA. Additionally, they provided submissions explaining that they also considered the information to be exempt from disclosure in terms of section 38(1)(b). HMICS did not cite any exemptions in relation to the header on the withheld information.

Commissioner's analysis and findings

13. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to her by both Mr Roulston and HMICS. She is satisfied that no matter of relevance has been overlooked.

Section 38(1)(a) of FOISA - the applicant's own personal data.

14. Section 38(1)(a) of FOISA contains an absolute exemption in relation to personal data of which the applicant is the data subject. The fact that the exemption is absolute means that it is not subject to the public interest test in section 2(1) of FOISA.

15. This exemption exists under FOISA because individuals have a separate right to make a request for their own personal data (commonly known as a "subject access request") under section 7 of the DPA. The DPA will therefore usually determine whether a person has a right to their own personal data. Section 38(1)(a) of FOISA does not deny individuals a right to access to information about themselves, but ensures that the right is exercised under the DPA and not under FOISA.

16. Personal data are defined in section 1(1) of the DPA as data which relate to a living individual who can be identified: a) from those data, or b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller. (The full definition is set out in the Appendix).

17. HMICS submitted that Mr Roulston was acting on behalf of an individual whose personal data comprised the majority of the withheld personal data. HMICS provided background information to support this assertion. In HMICS's view, this meant that the information was exempt from disclosure in terms of section 38(1)(a).

18. The Commissioner disagrees with HMICS's position that Mr Roulston was acting on behalf of another person when making this request. There is nothing within the request to suggest that Mr Roulston was acting on behalf of a third party. Additionally, the Commissioner notes that HMICS did not ask Mr Roulston whether he was acting on behalf of another person. In the Commissioner's view, if HMICS had any suspicion that Mr Roulston was acting on behalf of another person, they ought to have tried to clarify whether this was indeed the case. In the absence of any such clarification, the Commissioner must conclude that HMICS were content - and correct - to treat Mr Roulston as the "true applicant" in this case.

19. On the basis that none of the withheld information comprises Mr Roulston's own personal data, the Commissioner finds that HMICS was not entitled to withhold information under the exemption in section 38(1)(a) of FOISA.

Section 38(1)(b) of FOISA - third party personal data

20. In their submissions to the Commissioner, HMICS stated that, should the Commissioner disagree with their view that the information was exempt under section 38(1)(a) of FOISA, they wished to apply the exemption in section 38(1)(b).

21. HMICS applied this exemption to information which they considered comprised the personal data of individuals who were named and referenced within the interim report. HMICS considered that the disclosure of this information would breach the first data protection principle of the DPA, as disclosure would be unfair to the data subjects and would fail to satisfy a condition in Schedule 2 to the DPA.

22. Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or, as appropriate, section 38(2)(b), exempts information from disclosure if it is "personal data" (as defined in section 1(1) of the DPA) and its disclosure would contravene one or more of the data protection principles set out in Schedule 1 to the DPA.

23. In order to rely on this exemption, HMICS must show that the information being withheld is personal data for the purposes of the DPA and that its disclosure into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles to be found in Schedule 1 to the DPA.

Is the information under consideration personal data?

24. As noted at paragraph 16 above, the definition of personal data is set out in the Appendix below.

25. The Commissioner is satisfied that the majority of the information is personal data, in line with the definition in part a) of section 1(1) of the DPA. Living individuals, i.e. those individuals who are the subject of the information, can be identified from this information. Given its nature (the name of the individuals and their job titles), the Commissioner is satisfied that the information clearly relates to them.

26. However, the Commissioner is not satisfied that some of the information to which this exemption has been applied actually comprises personal data. In the Commissioner's view, some of the information is not capable of identifying living individuals. As such, the Commissioner is not satisfied that this information is exempt from disclosure in terms of section 38(1)(b) of FOISA and finds that it was incorrectly withheld by HMICS. The Commissioner now requires HMICS to disclose this information to Mr Roulston.

Is the information under consideration sensitive personal data?

27. The Commissioner has considered the definition of sensitive personal data set out in section 2 of the DPA (see Appendix to this decision). This provides that some types of information are "sensitive personal data" and affords additional protection to such data.

28. The Commissioner is satisfied that some of the withheld information comprises sensitive personal data for the purposes of section 2. The Commissioner is unable to confirm the specific types of sensitive personal data which are included as to do so would risk revealing the data itself.

29. The Commissioner will now consider whether disclosure of the personal data would breach the first data protection principle, as HMICS have argued.

Would disclosure of the personal data contravene the first data protection principle?

30. As noted above, HMICS argued that making this information available would breach the first data protection principle. This states that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met. In the case of sensitive personal data, at least one of the conditions in Schedule 3 to the DPA must also be met. The processing in this case would comprise making the information publicly available in response to Mr Roulston's request.

31. There are three separate aspects to the first data protection principle: (i) fairness, (ii) lawfulness and (iii) the conditions in the schedules. However, these three aspects are interlinked. For example, if there is a specific condition which permits the personal data to be disclosed, it is likely that disclosure would also be fair and lawful.

32. The Commissioner has considered this in respect of both sensitive and non-sensitive personal data.

Withheld sensitive personal data

33. The Commissioner will first consider whether there are any conditions in Schedule 3 to the DPA which would allow the data to be disclosed.

34. The conditions listed in Schedule 3 to the DPA have been considered by the Commissioner, as have the additional conditions for processing sensitive personal data contained in legislation such as the Data Protection (Processing of Sensitive Personal Data) Order 2000.

35. The Commissioner's guidance on section 38(1)(b)[2] notes that the conditions in Schedule 3 are very restrictive in nature and that, generally, only the first and fifth conditions are likely to be relevant when considering a request for sensitive personal data under FOISA.

36. Condition 1 allows sensitive personal data to be processed where the data subject has given explicit consent to the processing.

37. In his submissions, Mr Roulston stated he was aware that one of the data subjects had no objection to the disclosure of their personal data.

38. For condition 1 of Schedule 3 to apply, consent must be explicit. According to guidance issued by the (UK) Information Commissioner who regulates the DPA throughout the UK, consent must be freely given, specific and informed.[3] The guidance goes on to say that, when dealing with sensitive personal data, the individual's consent should be absolutely clear and should cover the specific processing details, the type of information (or even the specific information), the purposes of the processing and any special aspects that may affect the individual.

39. In this case, the Commissioner does not consider that a data subject's apparent lack of objection to disclosure is sufficient to represent "explicit" consent in terms of condition 1 of Schedule 3 to the DPA. The Commissioner does not consider that the data subject is fully aware of all of the personal data held about them. As such, they would not be in a position to give explicit consent to their personal data being disclosed into the public domain.

40. Given that no explicit consent exists, the Commissioner has concluded that condition 1 of Schedule 3 cannot be met.

41. Condition 5 allows sensitive personal data to be processed where information contained in the personal data has been made public as a result of steps deliberately taken by the data subject. In this case, the data subject would need to have taken steps to make the specific information public. As noted above, the data subject is not fully aware of all of the personal data that is held about them. Therefore, they could not have made the information public and condition 5 cannot apply.

42. Having reached these conclusions, and also having concluded that no other condition in Schedule 3 (or any other legislation) applies in the circumstances of this case, the Commissioner finds that there are no conditions which would allow the sensitive personal data to be disclosed.

43. In the absence of a condition in Schedule 3 permitting the sensitive personal data to be disclosed, the Commissioner must find that disclosure would be unfair. In the absence of such a condition, disclosure would also be unlawful. Consequently, disclosure of the sensitive personal data contained within the withheld information would contravene the first data protection principle. The information is therefore exempt from disclosure under section 38(1)(b) of FOISA.

Withheld non-sensitive personal data

44. The Commissioner will now consider whether there are any conditions in Schedule 2 to the DPA which would permit the withheld non-sensitive personal data to be disclosed. Where a Schedule 2 condition can be met, she will then go on to consider whether disclosure of the personal data would otherwise be fair and lawful.

45. When considering the conditions in Schedule 2, the Commissioner has noted Lord Hope's comment in the case of Common Services Agency v Scottish Information Commissioner [2008] UKHL 47[4] (the CSA case) that the conditions require careful treatment in the context of a request for information under FOISA, given that they were not designed to facilitate the release of information, but rather to protect personal data from being processed in a way that might prejudice the rights, freedoms or legitimate interests of the data subject.

Can any schedule 2 conditions be met?

46. The Commissioner considers that the only conditions in Schedule 2 to the DPA which might apply in this case are conditions 1 and 6.

47. Condition 1 permits personal data to be processed if the data subject consents to the data being processed. As noted above, Mr Roulston stated that one of the data subjects had no objections to the disclosure of their personal data.

48. For the same reasons contained above in relation to condition 1 of Schedule 3, the Commissioner is not satisfied that consent has been given by the data subject to the disclosure of their personal data. Therefore condition 1 of Schedule 2 cannot be met in this case.

49. Condition 6 allows personal data to be processed if that processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subjects.

50. In line with the view of Lady Hale in the case of South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55 (paragraph 14)[5], there are three tests which have to be satisfied before condition 6 can be met. These are:

i. Does Mr Roulston have a legitimate interest in obtaining the personal data?

ii. If yes, is the processing (in this case, the disclosure of the information) necessary to achieve those legitimate aims and fairly balanced as to ends, or could these legitimate aims be achieved by means which interfere less with the privacy of the data subject?

iii. Even if the processing is necessary for Mr Roulston's legitimate purposes, would the disclosure nevertheless cause unwarranted prejudiced to the rights and freedoms or legitimate interests of the data subject? As noted by Lord Hope in the CSA case, given that there is no presumption in favour of the release of personal data, the legitimate interests of Mr Roulston must outweigh the rights, freedoms or legitimate interests of the data subjects before condition 6 will permit the personal data to be disclosed. If the two are evenly balanced, the Commissioner must find that HMICS were correct to refuse to disclose the personal data to Mr Roulston.

Is Mr Roulston pursuing a legitimate interest in obtaining the personal data?

51. There is no definition within the DPA of what constitutes a "legitimate interest", but the Commissioner takes the view that the term indicates that matters in which an individual properly has an interest should be distinguished from matters about which he or she is simply inquisitive. The Commissioner's guidance on section 38 of FOISA states:

"In some cases, the legitimate interest might be personal to the applicant - e.g. he or she might want the information in order to bring legal proceedings. With most requests, however, there are likely to be wider legitimate interests, such as the scrutiny of the actions of public bodies or public safety."

52. HMICS stated that it could be supposed that Mr Roulston's interest might be the scrutiny of the actions of a public body. They also submitted that matters in which an individual has interest should be distinguished from matters about which he or she is simply inquisitive. HMICS submitted that neither Mr Roulston nor the wider public had a legitimate interest in the interim report.

53. Mr Roulston submitted that the matters addressed within the report were of public interest, especially taking into account the considerable public expenditure involved and the press attention surrounding the case. Mr Roulston also submitted that the analysis of the efficiency and effectiveness of the disciplinary system relating to police officers was clearly a matter of public interest. Additionally, he submitted that allegations made by, and against, senior police officers were clearly matters of public interest.

54. In the Commissioner's view, Mr Roulston has a legitimate interest (which would be shared by the general public) in the information. Given the seriousness of the matters addressed in the report, the Commissioner considers there is a legitimate interest in understanding why and how those matters arose and the way in which they were addressed both by CSJPB and within the report itself.

Is the processing necessary to achieve those legitimate aims?

55. Having concluded that Mr Roulston has a legitimate interest in obtaining the personal data under consideration, the Commissioner must now consider whether disclosure of the personal data is necessary to achieve those legitimate aims and fairly balanced as to ends, or whether these legitimate aims be achieved by means which interfere less with the privacy of the data subject. In doing so, she must consider whether these interests might reasonably be met by any alternative means.

56. HMICS submitted that alternative means of obtaining the information were available, such as awaiting the final report.

57. Having considered the information that has been withheld, the Commissioner considers that it would be necessary for the withheld personal data to be disclosed to Mr Roulston in order to satisfy the identified legitimate interests. The Commissioner is not aware of any other viable means of meeting Mr Roulston's interests which would interfere less with the privacy of the data subjects than providing the withheld personal data. Although HMICS has indicated that it intends publishing a final report, the Commissioner is aware that the final report will not contain all of the information included in the interim report. For this reason, the Commissioner is satisfied that disclosure of the information is necessary for the purposes of Mr Roulston's legitimate interests.

Would disclosure cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects?

58. The Commissioner is satisfied that disclosure of the withheld personal data would be necessary to fulfil Mr Roulston's legitimate interests, but must now consider whether that disclosure would cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects. As noted above, this involves a balancing exercise between the legitimate interests of Mr Roulston and the data subjects in question. Only if the legitimate interests of Mr Roulston outweigh those of the data subjects can the information be disclosed without breaching the first data protection principle.

59. In the Commissioner's briefing on the personal information exemption, she notes a number of factors which should be taken into account in carrying out the balancing exercise. These include:

· whether the information relates to the individual's public life (i.e. their work as a public official or employee) or their private life (i.e. their home, family, social life or finances)

· the potential harm or distress that may be caused by disclosure

· whether the individual objected to the disclosure

· the reasonable expectations of the individual as to whether the information should be disclosed

60. HMICS argued that the data subjects would have no expectation that their personal data would be disclosed. They submitted that Mr Roulston's legitimate interests did not outweigh the rights and freedoms and legitimate interests of the data subjects.

61. As noted above, Mr Roulston argued that there was a significant public interest in the matters under investigation in view of the costs incurred and the seriousness of the allegations.

62. The Commissioner has considered all of the submissions made by both Mr Roulston and HMICS when balancing the legitimate interests in this case.

63. The Commissioner considers that senior officials and senior police officers should have some expectation that information relating to their public life might be disclosed into the public domain. In the circumstances of this case - an investigation into a high-profile case involving allegations of misconduct by senior police officers - the Commissioner believes that those officials and police officers could not reasonably have expected that their involvement in the investigation would not be disclosed into the public domain. Similarly, the Commissioner considers that the independent solicitor appointed by CSJPB could not reasonably have expected that their involvement in the investigation would not be disclosed into the public domain.

64. In the Commissioner's view, where officials, senior police officers and the independent solicitor are referenced in passing within the report or have been mentioned purely in relation to their administrative involvement in the investigation, the disclosure of the information would not carry any significant risk of harm or distress. The report does not mention the views or statements of these individuals. As a result, the Commissioner has determined that disclosure would not be unwarranted in such circumstances.

65. Having drawn these conclusions, the Commissioner finds that condition 6 in Schedule 2 (to the DPA) can be met in this case in relation to disclosure of this category of withheld personal data.

66. As the Commissioner has not accepted that disclosure of the personal data would lead to unwarranted prejudice to the rights, freedoms or legitimate interests of the data subjects, the Commissioner also concludes, for the same reasons, that disclosure of the withheld information would not be unfair.

67. In the absence of any other reason for finding disclosure to be unlawful, and given that she is satisfied that condition 6 can be met, the Commissioner must find that disclosure would be lawful. The Commissioner therefore finds that disclosure of this category of withheld information would not breach the first data protection principle, and so this information was not properly withheld under the exemption in section 38(1)(b) of FOISA. She now requires HMICS to disclose this information to Mr Roulston.

68. The Commissioner has reached a different conclusion where the report relates to allegations of misconduct by or against individuals. In such circumstances, the Commissioner considers there would be no expectation on the part of the data subjects that their personal data would be disclosed into the public domain as a consequence of Mr Roulston's information request. She accepts that the information relates to the individuals' public lives, but also, given the nature of that information, to their private lives as well.

69. On balance, while the Commissioner accepts that the disclosure of such information would be necessary to fulfil Mr Roulston's legitimate interests, she does not agree that this outweighs the prejudice that would be caused to these data subjects' rights, freedoms and legitimate interests. She considers that such prejudice would be unwarranted in relation to these individuals. Consequently, the Commissioner is satisfied that condition 6 of Schedule 2 is not met in this case in relation to these individuals in relation to this type of information.

70. Having concluded that disclosure of the withheld information would lead to unwarranted prejudice to the rights, freedoms and legitimate interests of these data subjects, the Commissioner must also conclude that disclosure would be unfair. As condition 6 cannot be met, she would also regard disclosure as unlawful. In all the circumstances, therefore, she finds that disclosure would breach the first data protection principle and that this information was properly withheld under section 38(1)(b) of FOISA.

Other withheld information

71. As noted above, HMICS withheld the header on the report. Also as noted above, HMICS did not cite any exemption(s) in relation to this specific information.

72. In the absence of any submissions from HMICS explaining why this information should be withheld, the Commissioner now requires HMICS to disclose it to Mr Roulston.

Conclusion

73. The Commissioner requires HMICS to disclose the information that does not comprise the personal data of any individual (see paragraph 26 above).

74. The Commissioner requires HMICS to disclose the personal data of officials, police officers and the independent solicitor referenced within the report, as outlined at paragraph 67 above.

75. The Commissioner accepts that HMICS was entitled to withhold the personal data of individuals where the information concerns allegations of misconduct (see paragraph 70 above).

76. The Commissioner requires HMICS to disclose the header on the report (see paragraph 72 above).

77. With this decision, the Commissioner will provide HMICS with a marked up copy of the report, indicating the information that should be redacted and the information that should be provided.

 

 Decision 

The Commissioner finds that Her Majesty's Inspectors of Constabulary (HMICS) partially failed to comply with Mr Roulston's request for information in accordance with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA). The Commissioner finds that:

· by failing to disclose information that did not comprise personal data, HMICS failed to comply with section 1(1) of FOISA

· HMICS was not entitled to withhold information under the exemption in section 38(1)(a) of FOISA

· HMICS incorrectly applied the exemption in section 38(1)(b) of FOISA to some of the withheld information

· HMICS was entitled to withhold some of the personal data under the exemption in section 38(1)(b)

The Commissioner therefore requires HMICS to disclose to Mr Roulston the information specified in paragraphs 26, 67 and 72 above by 10 November 2014.

 Appeal

Should either Mr Roulston or Her Majesty's Inspectors of Constabulary wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Enforcement

If Her Majesty's Inspectors of Constabulary fail to comply with this decision, the Commissioner has the right to certify to the Court of Session that HMICS have failed to comply. The Court has the right to inquire into the matter and may deal with HMICS as if they had committed a contempt of court.

Margaret Keyse
Head of Enforcement
26 September 2014 

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(b) in all the circumstances of the case, the public interest in disclosing the information is not outweighed by that in maintaining the exemption.

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

...

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.
 

38 Personal information

(1) Information is exempt information if it constitutes-

(a) personal data of which the applicant is the data subject;

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

..

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

… 
 
Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

2 Sensitive personal data

In this Act "sensitive personal data" means personal data consisting of information as to-

(a) the racial or ethnic origin of the data subject,

(b) his political opinions,

(c) his religious beliefs or other beliefs of a similar nature,

(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),

(e) his physical or mental health or condition,

(f) his sexual life,

(g) the commission or alleged commission by him of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Schedule 1 - The data protection principles

Part I - The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

Schedule 2 - Conditions relevant for purposes of the first principle: processing of any personal data

1. The data subject has given his consent to the processing.

6..(1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

Schedule 3 - Conditions relevant for purposes of the first principle: processing of sensitive personal data

1. The data subject has given his explicit consent to the processing of the personal data.

5. The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.

 
 [1] www.whatdotheyknow.com

[2] http://www.itspublicknowledge.info/Law/FOISA-EIRsGuidance/section38/Section38.aspx

[3] http://ico.org.uk/for_organisations/data_protection/the_guide/conditions_for_processing#consent

[4] http://www.publications.parliament.uk/pa/ld200708/ldjudgmt/jd080709/comm-1.htm

[5] http://www.bailii.org/uk/cases/UKSC/2013/55.html

PDF IconLink to PDF file of decision 208/2014 (214 kb)

Back to Top