The Scottish Information Commissioner - It's Public Knowledge
Tweet this page:
Text Size Icon

- Text Size Up | Down

Decision 222/2014: Sidlaw Executive Travel (Scotland) Ltd and Dundee City Council

Correspondence regarding the reallocation of transport for a named individual

Reference No: 201401252
Decision Date: 15 October 2014

Summary

On 2 April 2014, Sidlaw Executive Travel (Scotland) Ltd (SETS) asked Dundee City Council (the Council) for correspondence regarding the reallocation of transport for a named child. The Council withheld the correspondence on the basis that it was personal data and disclosure would breach the data protection principles.

Following an investigation, the Commissioner found that the Council was entitled to withhold the correspondence as it was exempt from disclosure under FOISA.

 Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2)(a)(i), (2)(b) and (5) (definitions of "data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA) sections 1(1) (Basic interpretative provisions) (definition of "personal data"); Schedule 1 (The data protection principles, Part I: the principles) (the first data protection principle) and Schedule 2 (Conditions relevant for purposes of the first principle: processing of any personal data) (condition 6)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

 Background

1. On 2 April 2014, SETS asked the Council for:

"All correspondence emails etc between Education department and transport department regarding the reallocation of transport for [a named child], or any correspondence with the name [of the child] included within the dates 1 August 2009 and 30 September 2009. Any correspondence or notes or faxes or emails concerning the employment of [named person] in the capacity of attendant at about the same time. Any correspondence Faxes, emails or notes between [named individuals] or the education department concerning any of the above."

2. The Council responded on 29 April 2014. It stated that the requested information was the personal data of a third party and was exempt from disclosure under section 38(1)(b) of FOISA.

3. On 8 May 2014, SETS emailed the Council requesting a review of its decision on the basis that not all of the information concerned third parties. It stated that personal information regarding any third party could be redacted. SETS explained it was looking for information in connection with a contract that it had been awarded. SETS considered that the information related to Council employees who used Council equipment to communicate the information that SETS had requested, during publicly-funded time at work.

4. The Council notified SETS of the outcome of its review on 5 June 2014. It upheld its previous decision without amendment. It explained that the definition of personal data extended to information about Council employees as well as the named child. It stated that it would not be possible to redact this information.

5. On 6 June 2014, SETS emailed the Commissioner. SETS applied to the Commissioner for a decision in terms of section 47(1) of FOISA. SETS stated it was dissatisfied with the outcome of the Council's review because it considered that if any Council correspondence could be withheld under this exemption, no information would ever be disclosed.

 Investigation

6. The application was accepted as valid. The Commissioner confirmed that SETS made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to her for a decision.

7. On 24 June 2014, the Council was notified in writing that SETS had made a valid application. The Council was asked to send the Commissioner the information withheld from it. The Council provided the information and the case was allocated to an investigating officer.

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Council was invited to comment on this application and answer specific questions including justifying its reliance on any provisions of FOISA it considered applicable to the information requested.

9. During the investigation, the Council provided additional information to substantiate its position that the withheld information was personal data and exempt from disclosure under FOISA. SETS was also asked for further comments on its interests in obtaining the information.

 Commissioner's analysis and findings

10. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to her by both SETS and the Council. She is satisfied that no matter of relevance has been overlooked.

Section 38(1)(b) - personal data

11. The Council applied the exemption in section 38(1)(b) to the withheld information, arguing that disclosure of the information would breach the first data protection principle.

12. Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or (b) (as appropriate), exempts personal data from release if its disclosure to a member of the public, otherwise than under FOISA, would contravene any of the data protection principles.

13. The Commissioner will therefore first consider whether the information in question is personal data as defined in section 1(1) of the DPA. If it is, she will go on to consider whether disclosure of the information would breach the first data protection principle.

14. The exemption in section 38(1)(b) of FOISA is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

Is the information personal data?

15. Personal data is defined in section 1(1) of the DPA as data which relate to a living individual who can be identified a) from those data, or b) from those data and other information which is in the possession of, or likely to come into the possession of, the data controller (the full definition is set out in the Appendix).

16. The Council applied the exemption in section 38(1)(b) to the withheld correspondence in its entirety.

17. The Commissioner is satisfied that the withheld correspondence largely comprises the personal data of the named child. The focus of the withheld correspondence is the named child; in particular, the transport arrangements for the named child. The child has been named in the correspondence which includes details of the child's transportation needs. The Commissioner is satisfied that the withheld information relates to an identifiable individual and it is that person's personal data.

18. SETS submitted that it was only interested in Council employee correspondence, rather than personal information relating to the child.

19. The Commissioner considered whether it would be possible to separate the child's personal data from information about the Council's actions and decisions in this matter, preserving the child's anonymity and enabling the information about the Council's actions to be considered separately and not as part of the child's personal data. However, she has found that this would not be possible. The child is named in the request from SETS and if information was to be disclosed into the public domain (which is the effect of providing information under FOISA), it would be known (by SETS, and by anyone with whom SETS shared the information) that information disclosed in response to this request relates to this particular child.

20. The Commissioner notes that personal data relating to other identifiable individuals, including Council employees, is also included within the correspondence. However, as she is satisfied that the correspondence, as a whole, represents the personal data of the named child, she will first consider whether the named child's personal data is exempt from disclosure under section 38(1)(b) of FOISA.

21. Having concluded that the withheld information cannot be anonymised and must all be treated as personal data, as defined in section 1(1) of the DPA, the Commissioner must now go on to consider whether disclosure of this information would contravene any of the data protection principles cited by the Council.

Would disclosure of the information breach the first data protection principle?

22. As noted above, the Council argued that disclosure of the information would breach the first data protection principle. The first data protection principle requires that personal data shall be processed fairly and lawfully and, in particular, shall not be processed (in this case, disclosed into the public domain in response to SETS's request) unless at least one of the conditions in Schedule 2 to the DPA is met and, in the case of sensitive personal data (as defined by section 2 of the DPA), at least one of the conditions in Schedule 3 to the DPA is also met.

23. The Council submitted that the withheld information about the named child included sensitive personal data and provided submissions to support this point.

24. When considering the conditions in Schedule 2 to the DPA which must be met before personal data can be disclosed, the Commissioner has noted Lord Hope's comment in the case of Common Services Agency v Scottish Information Commissioner [2008] UKHL 47[1] (the CSA case) that the conditions require careful treatment in the context of a request for information under FOISA, given that they were not designed to facilitate the release of information, but rather to protect personal data from being processed in a way that might prejudice the rights, freedoms or legitimate interests of the data subject (i.e. the named individual to which the data relates).

25. Condition 1 of Schedule 2 permits personal data to be processed if the data subject consents to the data being processed. The Council considered that it would be wholly inappropriate to seek the consent of the named child's parents to disclosure of the requested information, and their comments have not been sought. The Commissioner agrees that it would have been inappropriate to seek consent. She has concluded that condition 1 cannot be met in this case.

26. The Commissioner considers that the only other condition in Schedule 2 which might apply in this case is condition 6. Condition 6 allows personal data to be processed if that processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

27. There are, therefore, a number of tests which must be met before condition 6(1) can apply. These are:

· Does SETS have a legitimate interest in obtaining the personal data?

· If so, is the disclosure necessary to achieve those legitimate interests? In other words, is disclosure proportionate as a means and fairly balanced as to ends, or could these legitimate interests be achieved by means which interfere less with the privacy of the data subject?

· Even if disclosure is necessary for those purposes, would it nevertheless be unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subject? As noted by Lord Hope in the above judgment, there is no presumption in favour of disclosure of personal data under the general obligation laid down in FOISA. The legitimate interests of SETS must outweigh the rights and freedoms or legitimate interests of the data subject before condition 6 will permit the personal data to be disclosed.

Does SETS have a legitimate interest in obtaining the personal data?

28. SETS argued that it was seeking memos, correspondence and inter-departmental emails about the reallocation of transport of the named child from the contract which SETS had with the Council. SETS considered that if the correspondence contained the names of council employees, and the Council considered that correspondence containing such personal information could not be disclosed, then this would mean that no information could ever be disclosed under FOISA.

29. The Council stated that it did not consider that SETS had a legitimate interest in the information, believing that the information request related to matters raised previously in a court action, and which could not be raised again in any other legal action. The Council did not consider that anything could be gained from SETS being in possession of the information; there was no conceivable public interest in disclosure of the information, only a personal interest to the company itself.

30. The Commissioner notes the Council's comment that the opportunity for court action has now passed, but nonetheless, she considers that SETS has a legitimate interest in information which would help it understand why the transportation of the child (for which SETS had the contract) was re-allocated.

Is disclosure of the information necessary to achieve those legitimate interests?

31. The Commissioner must now consider whether disclosure is necessary for those legitimate interests, and in doing so she must consider whether these interests might reasonably be met by any alternative means.

32. The Council stated that even if SETS was deemed to have a legitimate interest in obtaining the personal data, disclosure was unnecessary to achieve those interests: even if further legal proceedings could be brought, this information would be of no assistance to SETS.

33. As noted above, the Commissioner finds that SETS has a legitimate interest in obtaining the personal data which is not directly related to any potential legal action, but to understanding a decision taken by the Council which affected SETS. In relation to the legitimate interest identified by the Commissioner, she has concluded that there is no alternative means by which SETS could obtain the information necessary to meet this interest.

Would disclosure cause unwarranted prejudice to the legitimate interests of the data subjects?

34. The Commissioner must now consider whether disclosure of the personal data requested by SETS would nevertheless cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subject. As noted above, this involves a balancing exercise between the legitimate interests of SETS and those of the data subject. Only if the legitimate interests of SETS outweigh those of the data subject can the information be disclosed without breaching the first data protection principle.

35. In the Commissioner's briefing on section 38 of FOISA[2], she considers that a number of factors should be taken into account in carrying out the balancing exercise. These include:

· whether the information relates to the individual's public life (i.e. their work as a public official or employee) or their private life (i.e. their home, family, social life or finances)

· the potential harm or distress that may be caused by disclosure

· whether the individual objected to the disclosure

· the reasonable expectations of the individuals as to whether the information should be disclosed.

36. The Council submitted that the requested information relates solely to an individual's private life and it therefore deserves greater protection than that afforded to information relating to an individual in his/her public or official capacity. The Council did not consider that the requested information was of the type that the named child or its parents would reasonably expect to be disclosed. The requested information contains details about the named child, and it is not in the public, or SETS's interest, for this information to be disclosed.

37. The Council did not accept that SETS's legitimate interests outweighed the legitimate interests, rights and freedoms of the named child. The Council made reference to Decision 061/2014 Mr Peter Burke and Angus Council[3], which dealt with a request for information concerning the care needs of vulnerable adults. The Council considered that disclosure of personal data in this case would not only lead to unwarranted prejudice to the rights, freedoms and legitimate interests of the named child but would in fact represent a significant intrusion into the child's rights, as well as the rights, freedoms and legitimate interests of the child's family and carers. Disclosure would both be unwarranted and unfair in this case, and furthermore, in the absence of a condition permitting disclosure, would also be unlawful.

38. The Commissioner accepts that, that in this instance, the personal data under consideration relates to the named child's private life. She also accepts that information about the transport arrangements for the child is information which the child and its parents would not reasonably expect to be put into the public domain.

39. The Commissioner has balanced the legitimate interest of SETS against the rights, freedoms and legitimate interests of the named child. Although SETS has a legitimate interest in disclosure of the information, the Commissioner considers that to disclose information about the named child into the public domain would be a significant intrusion, causing unwarranted prejudice to the rights, freedoms and legitimate interests of the child.

40. The Commissioner has therefore concluded that condition 6 in Schedule 2 to the DPA is not met in this case. Consequently, she is not required to go on to consider whether any of the information comprises sensitive personal data, or whether there is a condition in Schedule 3 which would allow it to be disclosed.

41. Having accepted that disclosure of the personal data would lead to unwarranted prejudice as described above, the Commissioner concludes, for the same reasons, that disclosure of the withheld information would also be unfair.

42. As disclosure of the personal data would be unfair and no schedule 2 conditions can be met, the personal data cannot be disclosed without contravening the first data protection principle. Consequently, disclosure would also be unlawful.

43. The Commissioner therefore concludes that disclosure of the withheld information would breach the first data protection principle, and, accordingly, this information was properly withheld under the exemption in section 38(1)(b) of FOISA.

 Decision

 The Commissioner finds that Dundee City Council complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by Sidlaw Executive Travel (Scotland) Ltd.

 

Appeal

Should either Sidlaw Executive Travel (Scotland) Ltd. or Dundee City Council wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement

15 October 2014

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

Schedule 1 - The data protection principles

Part I - The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

Schedule 2 - Conditions relevant for purposes of the first principle: processing of any personal data

...

6. (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.


[1] http://www.publications.parliament.uk/pa/ld200708/ldjudgmt/jd080709/comm-1.htm

[2] http://www.itspublicknowledge.info/Law/FOISA-EIRsGuidance/section38/Section38.aspx

[3] http://www.itspublicknowledge.info/ApplicationsandDecisions/Decisions/2014/201301554.aspx

PDF IconLink to PDF file of decision 222/2014 (261 kb)

Back to Top