The Scottish Information Commissioner - It's Public Knowledge
Tweet this page:
Text Size Icon

- Text Size Up | Down

 Decision 232/2014: Mr John Mauger and the Scottish Police Authority

 Assistant Chief Constables' qualifications

Reference No: 201400348
Decision Date: 5 November 2014

Summary

On 28 December 2013, Mr Mauger asked the Scottish Police Authority (the SPA) for information about Assistant Chief Constables' qualifications. The SPA told Mr Mauger that it did not hold the information and directed him to another Scottish public authority. Following a review, Mr Mauger remained dissatisfied and applied to the Commissioner for a decision.

During an investigation, the Commissioner found that the SPA held some information that fell within Mr Mauger's requests. The Commissioner did not accept that this information was exempt from disclosure, and required the SPA to disclose it to Mr Mauger.

 Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (4) and (6) (General entitlement); 2(1) and (2)(e)(ii) (Effect of exemptions); 17(1) (Notice that information is not held); 38(1)(b), (2)(a)(i) and (b) and (5) (definitions of "data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA) sections Data Protection Act 1998 (the DPA) sections 1(1) (Basic interpretative provisions) (definition of "personal data"); Schedule 1, Parts I (The data protection principles) (the first and second data protection principles) and II (Interpretation of the principles in Part I; the second principle); Schedule 2 (Conditions relevant for purposes of the first principle: processing of any personal data) (condition 6)

The full text of each of the statutory provisions cited above is reproduced in the Appendix to this decision. The Appendix forms part of this decision.

 Background

1. On 28 December 2013, Mr Mauger made a request for information to the SPA[1]. Mr Mauger quoted from an application form for the post of Assistant Chief Constable (ACC), which stated:

"Individuals who are attending this year's Senior Police National Assessment Centre (PNAC) are eligible to apply. If they are unsuccessful in passing PNAC their application will not be considered further. If they are successful at PNAC, any appointment to an ACC post in the Police Service of Scotland would be subject to successfully completing the Strategic Command Course."[2]

2. Mr Mauger asked for the following information:

"…For each of the six ACCs [Assistant Chief Constables] listed below can you set out:

1. The date they passed PNAC [Police National Assessment Centre]. Please show the syndicate, month they attended and year they were successful in passing PNAC.

2. The date they completed the Strategic command course. This being the Command course run by Bramshill. Please detail the date they started the course, they (sic) year that was in and the year they actually completed the course if there is a spread over two different years. I am only interested in this course.

3. The date those listed officially started in the service of PSOS (the Police Service of Scotland)

4. Please provide a simple yes or no to the question - how (sic) they passed PNAC or not.

The six ACC's I require the information on are: Assistant Chief Constable Malcolm Graham;
Assistant Chief Constable Bernard Higgins; Assistant Chief Constable Ruaraidh Nicolson QPM; Assistant Chief Constable Derek Penman; Assistant Chief Constable Mike McCormick; and Assistant Chief Constable Wayne Mawson."

3. On 29 January 2014, the SPA told Mr Mauger that the information was held in an unstructured format, and that it might take the SPA longer than expected to search the relevant files. The SPA asked for an extension until 5 February 2014, to which Mr Mauger agreed.

4. The SPA responded on 6 February 2014, notifying Mr Mauger, in terms of section 17 of FOISA, that it did not hold the information he had requested. The SPA provided Mr Mauger with a link to the Police Service of Scotland's (Police Scotland's) website and stated that Police Scotland would hold the information he had requested.

5. On 6 February 2014, Mr Mauger wrote to the SPA requesting a review of its decision. Mr Mauger asked the SPA why, as the body that oversees Police Scotland, it did not assist him in obtaining the information from it. Mr Mauger stated: "I simply do not accept that the SPA does not hold this information or can't get hold of this information and provide it." He commented:

"… the SPA stated in its recruitment process that those they selected must pass PNAC. It is inconceivable that the SPA does not hold this information as officers would have needed to record this on the application forms. Therefore you must have had it. The SPA ran the recruitment process and the applications will be on files held by the SPA."

6. The SPA notified Mr Mauger of the outcome of its review on 7 February 2014. It upheld its initial response, and advised Mr Mauger that it was not required by FOISA to create or obtain information for him. The SPA explained that there had been no section on the application form which required candidates to provide information in respect of their attendance at the courses specified. The SPA advised that Her Majesty's Inspectorate of Constabulary (HMIC) had been asked to confirm verbally at each interview that the officer had attended and successfully completed the relevant courses.

7. On 17 February 2014, Mr Mauger wrote to the Commissioner, stating that he was dissatisfied with the outcome of the SPA's review and applying to the Commissioner for a decision in terms of section 47(1) of FOISA. Mr Mauger stated he was dissatisfied with the outcome of the SPA's review because he did not accept that the SPA did not hold the information he had requested.

 Investigation

8. The application was accepted as valid. The Commissioner confirmed that Mr Mauger made requests for information to a Scottish public authority and asked the authority to review its response to those requests before applying to her for a decision.

9. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The SPA was invited to comment on this application and to answer specific questions including justifying its reliance on any provisions of FOISA it considered applicable to the information requested.

10. The SPA responded on 3 March 2014. It maintained that it did not hold the information requested by Mr Mauger. However, the SPA explained that the Scottish Government had transferred some files to it "subsequent to a separate, unrelated, information request", on a memory stick; this information included the ACC candidates' application forms. Having reviewed the files, the SPA confirmed that some candidates' application forms did provide details of their training, but (in SPA's view) the information did not provide the level of detail that Mr Mauger sought.

11. The SPA submitted that, as this information was the respective candidates' self-declaration, and not an official training record verified by SPA, the SPA did not believe it would be appropriate to provide this information. Furthermore, the SPA commented that Mr Mauger had not requested information from job applications and it was the SPA's interpretation - given the level of detail that he sought - that Mr Mauger was looking for training records.

12. The investigating officer asked the SPA to provide the Commissioner with the memory stick. The SPA did this, and confirmed that it had held the information when it received Mr Mauger's request.

13. Having viewed the information on the memory stick, the investigating officer was satisfied that some of it fell within the scope of Mr Mauger's requests. The SPA was asked if it agreed and, if not, to explain why.

14. On 25 June 2014, the SPA responded that, having reviewed the files, it accepted that it held some information that might fall within the terms of the request about the Strategic Command Course (SCC). The SPA submitted that it now wished to rely on section 38(1)(b) of FOISA to withhold some information. The SPA maintained that it did not hold some of the information covered by Mr Mauger's requests.

15. Mr Mauger was informed that the SPA held some information, but considered it exempt from disclosure. Mr Mauger provided additional comments.

 Commissioner's analysis and findings

16. In coming to a decision on this matter, the Commissioner considered all the relevant submissions, or parts of submissions, made to her by both Mr Mauger and the SPA. She is satisfied that no matter of relevance has been overlooked.

Requests 1, 2 and 4 - whether information held

17. In terms of section 1(4) of FOISA, the information to be provided in response to a request under section 1(1) is that falling within the scope of the request and held by the authority at the time the request is received, subject to certain qualifications which are not applicable in this case. Under section 17(1) of FOISA, where an authority receives a request for information it does not hold, it must give an applicant notice in writing to that effect.

18. As noted above, the SPA initially told Mr Mauger that it did not hold any of the information he had asked for: application forms were "weeded out" after six months, and Mr Mauger's request was received more than six months after the advertised posts had been filled.

19. The SPA submitted that Mr Mauger had made it clear that his request related to an allegation that one of the appointed officers did not hold what Mr Mauger termed "mandated qualifications". The SPA had formed the opinion that Mr Mauger sought information that had been verified and recorded, as opposed to information recorded on an application form which might not be accurate, complete or might have changed between the date the form was filled out and the date of appointment. As such, it was with the best of intentions, the SPA said, that Mr Mauger was directed to seek the information he required from Police Scotland.

20. The SPA commented that Mr Mauger's request did not ask for information from job applications. Given the level of detail that he sought, the SPS interpreted Mr Mauger's request as being for training records.

21. The SPA also commented that the guidance in the ACC recruitment pack stated that individuals may apply for a post whilst not holding a relevant qualification, but would not be appointed unless a qualification had been gained. Therefore, information on an application form may not have been up to date by the time it came to interview/appointment (as a candidate may have achieved the qualification in the intervening period). Given that Mr Mauger wanted to uncover whether all the ACCs had the required qualification at the time of appointment [the SPA's emphasis], the SPA's position remained that it was Police Scotland who held this information in an accurate and validated format on a training database and Mr Mauger's efforts to seek disclosure of this information should be concentrated on this area.

22. The SPA said that its efforts were not designed to obstruct Mr Mauger, but were to make sure that he got the information that he actually wanted. The SPA understood that Mr Mauger wanted to know whether, on the day they were appointed, the six ACCs held the required qualifications; this (the SPA submitted) was information that could not be validated via a job application, due to the time gap between completion of the form and the appointment.

23. In interpreting information requests, the Commissioner believes that the words used in the request should generally be given their plain, ordinary meaning. Similarly, the Commissioner expects requests to be interpreted in an objective manner, rather than with reference to what a public authority considers a requester may have intended. If there is any doubt over the information that an applicant wishes to obtain when making a request, the public authority should seek clarification from the applicant without delay.

24. When making his requests, Mr Mauger did not refer to a training record. His requirement for review of 6 February 2014 refers to information he believed would be recorded on the candidates' application forms.

25. The Commissioner accepts that, because request 3 asked for the date of appointment, this may have suggested to the SPA that Mr Mauger was seeking information about the qualifications each candidate held at the date of their appointment as ACC. The Commissioner acknowledges that it may be reasonable to distinguish between information from a training record held by an individual's employer (with dates, or completion certificates, commendations etc.) and information that is supplied by a person in an application form, although the hope would be that the content of the two (application and formal record) would correspond in terms of objective facts. However, as noted above, Mr Mauger made a direct reference to information on the candidates' application forms when he made his request for review. It was therefore unreasonable to exclude such information when interpreting Mr Mauger's request. If the SPA required clarification of Mr Mauger's request before responding, it should have taken steps to obtain this.

26. The SPA said that police officers may use other terms for the PNAC and SCC courses that SPA staff may not be familiar with: the terms were colloquial names used for these courses. The SPA stated: "It may well be that Mr Mauger knows the course as PNAC, but that's not its proper name. Thus, the correct response would be Section 17 - 'information not held', which is the response Mr Mauger was given."

27. The Commissioner cannot accept this argument from the SPA: the terms PNAC and SCC are found in the person specification and application form for the post of ACC, to which Mr Mauger provided a link in his request.[3]

28. In the light of the above, the Commissioner cannot accept the SPA's position that, on its interpretation of Mr Mauger's requests, it was correct to state that it held no information falling within the requests. On a reasonable, plain language interpretation of the requests, the Commissioner cannot accept that the requests were restricted to information held in a formal training record and would exclude information within an application form or other information relating to the recruitment process.

29. Having viewed the information held on the memory stick provided by the SPA, the Commissioner is of the view that the information held by the SPA (which includes completed application forms and other information) contains information that falls within the terms of requests 1, 2 and 4. As noted previously, the SPA acknowledged this during the investigation.

30. The Commissioner accepts that the SPA believed that the information it held did not fall within the request as it was not part of a formal training record (although she does not find this to be a reasonable interpretation of Mr Mauger's request). She also accepts that there was no attempt by the SPA to conceal any information or to obstruct Mr Mauger (the SPA's earliest submissions to the Commissioner of 3 March 2014 refers to the memory stick with recruitment information), and that the SPA believed that Mr Mauger was more likely to obtain the information he required by making a request to Police Scotland.

31. Having viewed the memory stick, the Commissioner is satisfied that the information held by the SPA does not include all the information covered by requests 1, 2 and 4; in this respect, the SPA was correct to give Mr Mauger notice in terms of section 17(1) of FOISA that it did not hold the information. However, the Commissioner finds that the SPA was wrong to give notice that it did not hold any information covered by these requests.

32. The Commissioner will now go on to consider whether the information held by the SPA was exempt from disclosure under section 38(1)(b) of FOISA or whether it should have been provided to Mr Mauger.

Section 38(1)(b) - Personal information

33. During the investigation, the SPA submitted that the information it held, if it fell within the terms of the request, would be exempt from disclosure under section 38(1)(b) of FOISA. Section 38(1)(b), read in conjunction with section 38(2)(a)(i) or (b) (as appropriate), exempts personal data from disclosure if its disclosure to a member of the public otherwise than under FOISA would contravene any of the data protection principles. The SPA argued that disclosure would breach the first and second data protection principles.

34. In considering the application of this exemption, the Commissioner will first consider whether the information in question is personal data as defined in section 1(1) of the DPA. If it is, she will go on to consider whether its disclosure would breach either the first or second data protection principles.

Is the information under consideration personal data?

35. "Personal data" are defined in section 1(1) of the DPA as "data which relate to a living individual who can be identified from those data, or from those data and other information which is the possession of, or is likely to come into the possession of, the data controller" (the full definition is in the Appendix).

36. Mr Mauger argued that information showing whether a chief officer has passed a selection process to be a chief officer is not personal data.

37. The Commissioner disagrees with Mr Mauger on this point. "Personal data" is a term defined in the DPA. The information is about individuals' experience and qualifications and appears on application forms the individuals have completed for particular posts. In each case, the information identifies, and clearly relates to, a living individual. The Commissioner is therefore satisfied that the information comprises personal data for the purposes of the DPA.

The first data protection principle

38. The first data protection principle requires personal data to be processed fairly and lawfully. "Processing" here would entail disclosing the information into the public domain in response to Mr Mauger's request. The principle also states that personal data shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met and, in the case of sensitive personal data, at least one of the conditions in Schedule 3 to the DPA is also met. (The Commissioner is satisfied that none of the withheld information constitutes sensitive personal data: therefore, she is not required to consider whether any of the conditions in Schedule 3 can be met.)

39. The SPA submitted that there was no indication in the ACC recruitment packs that information from application forms might be disclosed - accordingly, the SPA considered that disclosure in response to Mr Mauger's request might breach the first data protection principle, as the individuals concerned would have no expectation that their personal data might be made public. The application form stated that all information provided would be treated in strict confidence.

Can any of the conditions in Schedule 2 be met?

40. When considering the conditions in Schedule 2, the Commissioner has noted Lord Hope's comment in the case of Common Services Agency v Scottish Information Commissioner[4], (the CSA case) that the conditions require careful treatment in the context of a request for information under FOISA, given that they were not designed to facilitate the release of information, but rather to protect personal data from being processed in a way that might prejudice the rights, freedoms or legitimate interests of the data subject (i.e. the six ACCs named in Mr Mauger's request).

41. Of the conditions in Schedule 2 to the DPA which would allow the information to be disclosed, the Commissioner is of the view that only condition 6 is likely to apply in this case. Condition 6 allows personal data to be processed if that processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

42. There are, therefore, a number of tests which must be met before condition 6(1) can apply. These are:

· Does Mr Mauger have a legitimate interest in obtaining the personal data?

· If so, is the disclosure necessary for the purposes of that interest or those interests? In other words, is disclosure proportionate as a means and fairly balanced as to ends, or could the interests be met by means which interfered less with the privacy of the data subjects

· Even if disclosure is necessary for those purposes, would it nevertheless be unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subject(s)? As noted by Lord Hope in the CSA case, there is no presumption in favour of disclosure of personal data under the general obligation laid down in FOISA. The legitimate interests of Mr Mauger must outweigh the rights and freedoms or legitimate interests of the named ACCs before condition 6 will permit the personal data to be disclosed.

Does Mr Mauger have a legitimate interest in obtaining the personal data?

43. There is no definition in the DPA of what constitutes a "legitimate interest." The Commissioner takes the view that the term indicates that matters in which an individual properly has an interest should be distinguished from matters about which he or she is simply inquisitive. The Commissioner's guidance on section 38[5] of FOISA states:

In some cases, the legitimate interest might be personal to the applicant - e.g. he or she might want the information in order to bring legal proceedings. With most requests, however, there are likely to be wider legitimate interests, such as the scrutiny of the actions of public bodies or public safety.

44. Mr Mauger, himself an ACC, has alleged that certain procedures were not complied with during the ACC recruitment process referred to in his information request. In particular, he believes that candidates were appointed without having the necessary qualifications. Mr Mauger has made a number of information requests - some of them high profile - on this and on related matters. Given the seniority of the posts, and the seriousness of the allegations made, the Commissioner is satisfied that Mr Mauger has a legitimate interest in obtaining the personal data. The Commissioner is also satisfied that there is a wider legitimate interest in this information being made disclosed; the general public is also likely be interested in knowing whether the recruitment of senior police officers was carried out in accordance with the specified recruitment process.

Is disclosure necessary for the purposes of these interests?

45. The Commissioner must now consider whether disclosure of the personal data is necessary for the legitimate interest she has identified. In doing, so she must consider whether these interests might reasonably be met by any alternative means.

46. The SPA considered that it would be better for Mr Mauger to make his requests to Police Scotland, as being more likely to hold information that had been verified and was up to date. The Commissioner acknowledges that it is likely that Police Scotland would hold information which falls within Mr Mauger's request[6]. However, this does not necessarily mean that the information would be provided under FOISA. The Commissioner is aware that Mr Mauger has also made a similar request[7] to another Scottish public authority and received some information, but not all the information he is seeking. Therefore, Mr Mauger cannot rely on these means in order to obtain the information.

47. The Commissioner is aware that there is some information already in the public domain which may show whether certain individuals have passed PNAC or the SCC course. However, the Commissioner is unaware of any published information which would answer all of Mr Mauger's questions about all of the candidates named in his request.

48. The Commissioner is therefore not aware of any other means by which Mr Mauger's legitimate interest in obtaining the information could have been met, at the time of his request. The Commissioner therefore accepts that disclosure of the information held by the SPA is necessary to meet his legitimate interest. Without it, Mr Mauger could not acquire a full understanding of whether the candidates appointed to the rank of ACC had satisfied the requirement that they held certain mandatory qualifications.

49. Having accepted this, the Commissioner must, therefore, go on to consider the interests of the data subjects.

Would disclosure be unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subjects?

50. The Commissioner must consider whether disclosure would be unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subjects. As noted above, this involves a balancing exercise between the legitimate interests of Mr Mauger and those of the data subjects. Only if the legitimate interests of Mr Mauger outweigh those of the data subjects can the information be disclosed without breaching the first data protection principle.

51. In the Commissioner's briefing on section 38 of FOISA[8], the Commissioner notes a number of factors which should be taken into account in carrying out this balancing exercise. These include:

· whether the information relates the individual's public life (i.e. their work as a public official or employee) or their private life (i.e. their home, family, social life or finances);

· the potential harm or distress that may be caused by the disclosure;

· whether the data subjects have objected to the disclosure; and

· the reasonable expectations of the individual as to whether the information would be disclosed.

52. Firstly, the Commissioner is of the view that the information pertains more to the data subjects' public lives than their private lives. Completion of the courses specified by Mr Mauger is regarded as a requirement for senior police rank.

53. The SPA did not make any specific submissions about the distress which disclosure might cause the data subjects, but pointed out that the data subjects would not expect the withheld information to be made available to the general public in this way.

54. The Commissioner is not persuaded that disclosure of this information would cause significant distress or harm to the data subjects. Mr Mauger indicated that a pass in such courses is sometimes publicised, albeit with the consent of the data subject, and commented that such information is often found in the public domain, for example, on police force web pages, news articles etc. The Commissioner accepts that this is so (see examples[9] [10] [11]).

55. The Commissioner does not accept that any significant distress would be caused to the individuals named in Mr Mauger's request should the information be disclosed. The information in question is the date of a professional qualification that was required for their appointment as senior officers. Nor, in this instance, can the Commissioner see how disclosure of the information could or would put any of the data subjects at risk of professional and personal embarrassment. As noted elsewhere, information about such qualifications, including the date they were obtained, is often found in the public domain.

56. The SPA has not indicated whether the data subjects were asked if they would consent to disclosure, and if so, whether consent was given or objections raised.

57. The Commissioner accepts as a general principle that employees will normally have a reasonable expectation that information which is supplied to a prospective employer during the recruitment process will not be disclosed to anyone outside the recruitment process. The Commissioner accepts that even persons applying for senior positions will, for the most part, have a reasonable expectation that information provided in this context will not be publicly disclosed.

58. Nonetheless, the Commissioner is of the view that it does not necessarily follow that it is reasonable to expect that all information provided in an application form or other information from the recruitment process should be exempt from disclosure, in all circumstances.

59. Mr Mauger said that the "further up the organisation the less likely that right of privacy extends" and commented that the public have a right to know they have chief police officers qualified to do their job.

60. The Commissioner accepts that it is reasonable to expect a public authority to disclose more information relating to senior officers than to junior ones. In this instance, the data subjects were all appointed to the post of ACC, and are very senior police officers. The Commissioner finds that, in the interests of transparency and accountability relating to these senior appointments, it is reasonable to expect information to be made available which would show whether the appointed individuals hold the qualifications which (according to the guidance accompanying the ACC application form) were essential for appointment to this senior position.

61. The Commissioner concludes that, given the seniority of the officers involved, the nature of the information and the desirability of making the recruitment process for senior police officers as transparent as possible, it was reasonable for the officers in question to expect that information about whether they had obtained the relevant qualification would be made available.

62. On balance, the Commissioner accepts that disclosure of the withheld information would be necessary to fulfill Mr Mauger's legitimate interests, and takes the view that, in this instance, Mr Mauger's legitimate interests outweigh the prejudice that would be caused by disclosure to the data subjects' rights and freedoms or legitimate interests. Consequently, she finds that such prejudice would not be unwarranted. The Commissioner is therefore satisfied that condition 6 of Schedule 2 is met in this case.

63. The SPA did not put forward any arguments as to why disclosure of the information would otherwise be unfair. The Commissioner has found (for the same reasons for finding that disclosure would not breach condition 6), that disclosure would be fair.

64. She notes the comment from the SPA (see paragraph 39) that the application form stated that all information provided would be treated in strict confidence. This is not enough to allow the Commissioner to find that disclosure would be an actionable breach of confidence (and, therefore, unlawful). However, the SPA has argued that disclosure would breach the second data protection principle. If disclosure would breach the second data protection principle, disclosure would clearly be unlawful. The Commissioner will therefore consider the second data protection principle before making a determination on whether disclosure would breach the first data protection principle.

65. The Commissioner, being satisfied that the three tests as set out above are fulfilled, finds that the processing is permitted by condition 6(1) of Schedule 2 to the DPA is met.

66. Having concluded that disclosure of the withheld information would not lead to unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects, the Commissioner must also conclude that disclosure would not be unfair. In the presence of a condition permitting disclosure, she does not regard disclosure as unlawful. In all the circumstances, therefore, she finds that disclosure would not breach the first data protection principle.

Would disclosure breach the second data protection principle?

67. The second data protection principle provides that personal data shall be obtained only for one or more specified and lawful purposes, and shall not be processed in any manner incompatible with that purpose or those purposes.

68. Part II of Schedule 1 to the DPA (see the Appendix) provides that, in deciding whether any disclosure of personal data is compatible with the purpose or purposes for which the data were obtained, consideration will be given to the purpose or purposes for which the personal data are intended to be processed by any person to whom they are disclosed

69. The second data protection principle aims to ensure that organisations are open about their reasons for obtaining personal data, and that what they do with the information is in line with the reasonable expectations of the individuals concerned.

70. The Commissioner's guidance on section 38 (see paragraph 51 above) refers to guidance published by the (UK) Information Commissioner, who is responsible for enforcing the Data Protection Act 1998 throughout the UK. He is satisfied that a disclosure under freedom of information legislation which complies with the DPA in other respects will not breach the second principle. The ICO expanded on this in a 2014 decision, Cornwall Council FS50513655[12]). The decision says:

"… a disclosure under FOIA that complies with the DPA in other respects will not breach the second principle. The 'specified and lawful purposes' referred to in the second principle are the public authority's business purposes, i.e. the purposes for which it obtains and processes data. Disclosure under FOIA is not a business purpose. A public authority does not have to specify, either when it obtains personal data or in its notification as a data controller to the Commissioner under the DPA, that the personal data may be disclosed under FOIA. Furthermore, the aim of FOIA is to promote transparency and confidence in public authorities. So, if disclosure would be fair and lawful under the first principle, and the information is not exempt under another FOIA exemption, then that disclosure cannot be incompatible with the public authority's business purposes."

71. In decision FS50087443 (Maldon District Council), the ICO also considered whether the second data protection principle would be breached by release of certain personal data in response to a request under FOIA. Maldon District Council had argued that, because disclosure of information in response to freedom of information requests had not been specified in a fair collection notice issued to the data subjects concerned, disclosure of the information gathered in response to a request under FOIA would breach the second data protection principle. The ICO commented on this argument as follows:

"… this is not a correct interpretation of the Data Protection Act. If the Council were correct in its interpretation, no disclosures of third party data would be permitted in response to FOI requests except where data subjects had been given prior notice. This would include cases where requests for information identified individuals acting in a public or official capacity in addition to information relating to their private lives.

The [Information] Commissioner considers that the correct interpretation of Principle 2 in this context is that the disclosure of third party data in response to a request submitted in accordance with other statutory rights is not inherently incompatible with any other lawful purpose for which information may be obtained. Principle 2 may, however, restrict the purposes for which a third party to whom personal data are disclosed may subsequently process those data.

The [Information] Commissioner considers that the central issue in considering whether or not the FOI Act requires the disclosure of personal data is not the second data protection principle but rather the first principle."

72. Having considered the submissions from the SPA in the light of these decisions from the ICO, the Commissioner has concluded that disclosing the personal data would not be incompatible with the purpose or purposes for which the data was gathered by the SPA. The Commissioner is therefore unable to accept that disclosure of the information sought by Mr Mauger would breach the second data protection principle.

73. Having concluded that disclosure of the information would not breach the second data protection principle, the Commissioner is satisfied that disclosure would not be unlawful and that disclosure would not breach the first data protection principle. The Commissioner therefore finds that the information was wrongly withheld under the exemption in section 38(1)(b) of FOISA.

Action

74. Having considered the format in which the information is held, the Commissioner requires the SPA to extract the factual information that Mr Mauger asked for in requests 1, 2 and 4 from the information that it holds and provide this to him. The Commissioner will provide the SPA with a table showing which information she requires to be disclosed to Mr Mauger.

Request 3 - whether information held

75. The SPA gave Mr Mauger notice, in terms of section 17 of FOISA, that it did not hold information about the dates on which the named officers had started in the service of Police Scotland. The SPA commented that it had conducted a search of the Police Scotland website and found that the website showed the month when each officer in question was appointed. As such, the SPA said, it could be argued that the information in respect of request 3 was already in the public domain. However, as the SPA itself did not publish this information, it did not believe it was required to search the internet on behalf of the applicant.

76. The Commissioner accepts that the SPA was not required, under FOISA, to seek out and provide information which it did not hold. The Commissioner accepts that the SPA did not hold information covered by request 3, and finds that the SPA was correct to rely on section 17 in respect of this request.

77. The Commissioner notes that the information covered by request 3 has been disclosed to Mr Mauger by another authority in response to a similar request[13].

 Decision

 The Commissioner finds that the Scottish Police Authority (the SPA) generally failed to comply with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by Mr Mauger. In particular, the Commissioner finds that the SPA:

· does not hold information covered by request 3;

· was wrong to give notice, in terms of section 17(1) of FOISA, that it did not hold information covered by requests 1, 2 and 4; and

· was not entitled to apply the exemption in section 38(1)(b) to the information falling within requests 1, 2 and 4. In applying this exemption, the SPA failed to comply with section 1(1) of FOISA.

The Commissioner therefore requires the SPA to provide Mr Mauger with the information it holds by 22 December 2014.

 Appeal

Should either Mr Mauger or the SPA wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

 Enforcement

If the SPA fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that the SPA has failed to comply. The Court has the right to inquire into the matter and may deal with the SPA as if it had committed a contempt of court.

Margaret Keyse
Head of Enforcement

5 November 2014

 Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(4) The information to be given by the authority is that held by it at the time the request is received, except that, subject to subsection (5), any amendment or deletion which would have been made, regardless of the receipt of the request, between that time and the time it gives the information may be made before the information is given.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(b) in all the circumstances of the case, the public interest in disclosing the information is not outweighed by that in maintaining the exemption.

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

17 Notice that information is not held

(1) Where-

(a) a Scottish public authority receives a request which would require it either-

(i) to comply with section 1(1); or

(ii) to determine any question arising by virtue of paragraph (a) or (b) of section 2(1),

if it held the information to which the request relates; but

(b) the authority does not hold that information,

it must, within the time allowed by or by virtue of section 10 for complying with the request, give the applicant notice in writing that it does not hold it.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

Schedule 1 - The data protection principles

Part I - The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

Part II - Interpretation of the principles in Part I

The second principle

5. The purpose or purposes for which personal data are obtained may in particular be specified -

(a) in a notice given for the purposes of paragraph 2 by the data controller to the data subject, or

(b) in a notification given to the Commissioner under Part III of this Act.

6. In determining whether any disclosure of personal data is compatible with the purpose or purposes for which the data were obtained, regard is to be had to the purpose or purposes for which the personal data are intended to be processed by any person to whom they are disclosed.


 

Schedule 2 - Conditions relevant for purposes of the first principle: processing of any personal data

...

6. (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.


[1] https://www.whatdotheyknow.com/request/appointed_accs_who_have_passed_p#incoming-483314

[2] http://www.scotland.gov.uk/Topics/archive/law-order/Police/ConsultationFuturePolicin/keyappointments/chiefconstable/DeputyChiefConstablesApplicationForm

[3] http://www.scotland.gov.uk/Topics/archive/law-order/Police/ConsultationFuturePolicin/keyappointments/chiefconstable

[4] 2008 UKHL 47: http://www.publications.parliament.uk/pa/ld200708/ldjudgmt/jd080709/comm-1.htm

[5] http://www.itspublicknowledge.info/Law/FOISA-EIRsGuidance/section38/Section38.asp

[6] https://www.whatdotheyknow.com/request/pnac_qualified_senior_officers#incoming-499741

[7] https://www.whatdotheyknow.com/request/pnac_qualified_accs_in_scotland#incoming-501457

[8] http://www.itspublicknowledge.info/Law/FOISA-EIRsGuidance/section38/Section38.asp

[9] http://www.hmics.org/about-us/who-we-are

[10] http://62.128.131.116/files/Information/Publications/EPG/24_September_2010_EPG_%20minutes.pdf

[11] http://www.polfed.org/documents/Biogs_for_ICC_conference_2014.pdf

[12] http://ico.org.uk/~/media/documents/decisionnotices/2014/fs_50513655.ashx

[13] https://www.whatdotheyknow.com/request/pnac_qualified_senior_officers#incoming-499741

PDF IconLink to PDF file of decision 232/2014 (146 kb)

Back to Top