The Scottish Information Commissioner - It's Public Knowledge
Tweet this page:
Text Size Icon

- Text Size Up | Down

              

Mr M is David Gilroy. Mr Gilroy appealed this decision to the Court of Session.  On 17 February 2016, the Court of Session dismissed Mr Gilroy’s appeal.

The Court’s Opinion can be read here.

Decision 005/2015: Mr M and the Chief Constable of the Police Service of Scotland

List of CCTV recovered during a criminal investigation

Reference No: 201402408
Decision Date: 8 January 2015

Summary

On 20 May 2014, Mr M asked the Chief Constable of the Police Service of Scotland (Police Scotland) for a comprehensive list of CCTV recovered by Police Scotland during their investigation into his case.

Police Scotland responded by informing him that the list requested had previously been supplied to his legal representative and he should be able to obtain it via that route. On review, they confirmed that the information was exempt under section 38(1)(a) of FOISA, as Mr M's own personal data.

The Commissioner investigated and found that Police Scotland were entitled to withhold the requested information as Mr M's personal data.

  Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(i) (Effect of exemptions); 38(1)(a) (Personal information)

Data Protection Act 1998 (the DPA) sections 1(1) (Basic interpretative provisions) (definition of "personal data")

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

  Background

1. On 20 May 2015, Mr M made a request for information to Police Scotland. The information requested was a comprehensive list and specific details relating to CCTV recovered by Police Scotland as part their investigation into his case.

2. Police Scotland responded on 5 June 2014. Police Scotland stated the information requested had previously been provided to Mr M's legal representative and he should be able to obtain the list from that source.

3. On 28 June 2014, Mr M wrote to Police Scotland, requesting a review of their decision. He also complained that the response of 5 June 2014 had not informed him of his rights to request a review or subsequently make an application to the Commissioner.

4. On 30 July 2014, Mr M wrote to the Commissioner, applying for a decision on the basis that he was dissatisfied with Police Scotland's failure to respond to his requirement for review. Following the issue of a response (see below), this resulted in the Commissioner issuing Decision 205/2014.

5. Police Scotland notified Mr M of the outcome of their review on 15 August 2014. They acknowledged that they had not, in their initial response to his request, provided him with a formal refusal notice under FOISA. They confirmed that they considered the information Mr M sought to be his own personal data, and consequently applied section 38(1)(a) of FOISA. They also applied the exemption in section 34(1)(c) of FOISA (Investigations by Scottish public authorities and proceedings arising out of such investigation).

6. On 10 October 2014, Mr M wrote to the Commissioner. He applied to the Commissioner for a decision in terms of section 47(1) of FOISA. Mr M stated he was dissatisfied with the outcome of Police Scotland's review.

  Investigation

7. The application was accepted as valid. The Commissioner confirmed that Mr M made a request for information to a Scottish public authority and asked the authority to review their response to that request before applying to her for a decision. The case was allocated to an investigating officer.

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. Police Scotland were notified in writing that Mr M had made a valid application and were invited to comment on the application. They were asked to justify their decision to withhold the information, with specific reference to the exemptions applied in the review outcome.

9. During the investigation, submissions were received from both Police Scotland and Mr M.

  Commissioner's analysis and findings

10. In coming to a decision on this matter, the Commissioner considered all of the relevant submissions, or parts of submissions, made to her by both Mr M and Police Scotland. She is satisfied that no matter of relevance has been overlooked.

11. The Commissioner must make it clear that her remit is limited to Police Scotland's handling of Mr M's request under FOISA. Mr M has raised queries regarding the handling of the request under the DPA, but these cannot be considered here.

Section 38(1)(a) of FOISA

12. Section 38(1)(a) of FOISA contains an absolute exemption in relation to personal data of which the applicant is the data subject. The fact that it is absolute means that it is not subject to the public interest test set out in section 2(1) of FOISA.

13. This exemption exists under FOISA because individuals have a separate right to make a request for their own personal data (commonly known as a "subject access request") under section 7 of the DPA. The DPA will therefore usually determine whether a person has a right to their own personal data, and govern the exercise of that right. Crucially, it provides for access by the data subject (the person to whom the data relate) alone, rather than (as under FOISA) to the world at large. Section 38(1)(a) of FOISA does not deny individuals a right to access to information about themselves, but ensures that the right is exercised under the DPA and not under FOISA.

14. Personal data are defined in section 1(1) of the DPA as data which relate to a living individual who can be identified: a) from those data, or b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller (the full definition is set out in the Appendix).

15. In their review outcome and in their submissions to the Commissioner, Police Scotland submitted that the information requested was Mr M's own personal data, given its biographical significance to him. They drew reference to the UK Information Commissioner's Guidance, "Determining what is personal data[1]", identifying the two main elements of personal data as being that the:

· information must relate to a living person, and

· person must be identifiable.

16. Police Scotland went on to submit that information would "relate to" a person when it:

· was about them

· was linked to them

· had some biographical significance in relation to them

· was used to inform decisions affecting them, or

· impacted on them in any way.

17. In this case, they believed the request for CCTV information related significantly to the applicant as it formed part of the criminal case against him. It was pivotal evidence in that case and Police Scotland considered it highly likely that he would be identified from the information, even though it might appear innocuous in isolation.

18. In his submissions to the Commissioner, Mr M submitted at length that disclosure of the withheld information could not lead to him being identified and so it could not be considered to be his own personal data.

19. The Commissioner has to consider the request in the context in which it was made. Mr M asked for a list of CCTV recovered by Police Scotland "as part of their investigations into my case". In that context, the Commissioner is satisfied that it would be quite straightforward for anyone with the withheld information and a reasonable awareness of Mr M's case (which was widely reported) to conclude that this was information gathered for the purposes of investigating his activities. In other words, he could be readily identified from the information, taken with other information in the public domain: the second limb of the section 1(1) definition would be met in relation to identifiability.

20. Additionally, in the context in which it was requested, the Commissioner is satisfied that this could only reasonably be described as information about Mr M's activities, alleged or otherwise. As such, it was information relating to Mr M. In all the circumstances, therefore, the Commissioner accepts that Mr M asked for his own personal data. Police Scotland were therefore entitled to withhold the information under section 38(1)(a) of FOISA.

21. As the Commissioner has determined that Police Scotland were correct to withhold the information under section 38(1)(a) of FOISA, she is not required to consider the application of section 34(c) of FOISA (which was also applied to this information by Police Scotland).

Handling of request and content of refusal notice

22. Section 16(1) of FOISA provides that, subject to the provisions of section 18 of FOISA (which are not applicable in this case), when claiming that information is exempt a Scottish public authority must issue a notice (in writing) to the applicant, which:

· discloses that it holds the information;

· states that it so claims;

· specifies the exemption in question; and

· states (if not otherwise apparent) why the exemption applies.

23. Section 16 also imports the requirements of section 19 of FOISA, so the refusal notice must include details of the applicant's rights to seek a review and thereafter apply to the Commissioner.

24. All of these requirements were met in the review outcome provided by Police Scotland and the Commissioner does not, in the circumstances, consider it necessary to make any formal finding in relation to the procedural aspects of this case. She does, however, consider it appropriate to comment on this aspect of the review outcome, if only to clarify the difference between the requirements of FOISA and good practice.

25. In responding to Mr M's requirement for review, Police Scotland accepted that Mr M's had made a request for information under FOISA. However, it believed it had been taking a "pragmatic approach" in handling his request as a subject access request, under the DPA. They referred to the Commissioner's guidance on the application of section 38(1)(a) of FOISA[2], which states:

There is no specific provision in FOISA for automatically going on to treat such requests as "subject access" requests under the DPA. However, under section 15 of FOISA (duty to provide advice and assistance), it will be good practice to consider FOISA requests for an individual's own personal data as a "subject access" request, and the authority should therefore also consider proceeding to process it under the DPA in the normal way. In such circumstances, it will also be good practice for the formal refusal notice issued under section 16 of FOISA to inform the requester that their request is separately being processed under the DPA.

26. Police Scotland went on to acknowledge that it had not issued a refusal notice to Mr M under section 16, which it accepted was "best practice".

27. The Commissioner finds this aspect of Police Scotland's handling of the review to be somewhat confused. The paragraph of guidance cited above sets out what the Commissioner believes to be good practice, by way of advice and assistance, in relation to dealing with requests for the applicant's own personal data under the DPA and informing the applicant accordingly. In particular, it suggests that it would be good practice for the refusal notice to inform the applicant that the request is being processed separately under the DPA.

28. The guidance does not suggest that requests for the applicant's own personal data need not be refused under FOISA. While it accepts (as it must) that the public authority is not obliged to apply section 38(1)(a), or any other exemption, to such a request, it presumes a refusal notice will be issued under section 16 if an exemption is being applied: where information has been requested under FOISA, the issue of such a notice is a strict requirement before that information can be withheld under any exemption. That it is good practice to inform the applicant of how the request is being handled under an alternative appropriate regime (the DPA) is another matter entirely.

 Decision

 The Commissioner finds that the Chief Constable of the Police Service of Scotland complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by Mr M.

The Commissioner finds that Police Scotland is entitled to withhold the information in terms of section 38(1)(a) of FOISA and by doing so complied with Part 1.

  Appeal

Should either Mr M or the Chief Constable of the Police Service of Scotland wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement

8 January 2015

 

  Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(i) paragraphs (a), (c) and (d); and

38 Personal information

(1) Information is exempt information if it constitutes-

(a) personal data of which the applicant is the data subject;

Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;



[1] http://ico.org.uk/~/media/documents/library/Data_Protection/Detailed_specialist_guides/PERSONAL_DATA_FLOWCHART_V1_WITH_PREFACE001.ashx

[2] http://www.itspublicknowledge.info/Law/FOISA-EIRsGuidance/section38/Section38.aspx

PDF IconLink to PDF file of decision 005/2015 (295 kb)

Back to Top