The Scottish Information Commissioner - It's Public Knowledge
Tweet this page:
Text Size Icon

- Text Size Up | Down

 Decision 050/2015: Gordon MacDonald MSP and Chief Constable of the Police Service of Scotland

 Significant Case Review

 Reference No: 201402476
 Decision Date: 13 April 2015

Summary

On 2 July 2014, Mr MacDonald asked the Chief Constable of the Police Service of Scotland (Police Scotland) for information relating to a Significant Case Review (SCR) report.

In response, Police Scotland stated that a redacted version of the SCR report was already publicly accessible and that the redactions were made on the basis that the information was sensitive personal data. In relation to other aspects of the request, Police Scotland stated that the information was not held. Following a review, Mr MacDonald remained dissatisfied and applied to the Commissioner for a decision.

The Commissioner investigated and found that Police Scotland had responded to Mr MacDonald's request for information properly, in accordance with Part 1 of FOISA.

 Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2)(a)(i) and (2)(b) and (5) (definition of " the data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA) sections 1(1) (Basic interpretative provisions) (definition of personal data) and 2 (Sensitive personal data); Schedules 1 (The data protection principle) (the first data protection principle); 3 (Conditions relevant for the purposes of the first principle: processing of sensitive personal data) (conditions 1 and 5)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

 Background

1. On 2 July 2014, Mr MacDonald made a request for information to Police Scotland. The information requested was:

i. A full copy of the SCR report relating to Mr Kevin Rooney (request 1);

ii. Information relating to Mr Rooney's risk status (request 2);

iii. Information relating to Mr Rooney's medical status on a particular date (request 3);

iv. Information relating to an alleged incident on the same night of the murder (request 4).

2. Police Scotland responded on 29 July 2014.

3. In response to request 1, Police Scotland stated that a redacted version of the report had been published and was therefore otherwise accessible in terms of section 25 of FOISA. The remaining redactions were considered to be sensitive personal data and therefore exempt under section 38(1)(b) of FOISA.

4. In response to request 2, the Police referred Mr MacDonald to a section of the report which it believed conveyed this information.

5. In response to request 3, Police Scotland stated that the information was exempt of the basis that it was sensitive personal data and section 38(1)(b) of FOISA applied.

6. In response to request 4, Police Scotland stated that no information was held, applying section 17(1) of FOISA.

7. On 18 August 2014, Mr MacDonald wrote to Police Scotland, requesting a review of their decision. Mr MacDonald argued that there was information redacted from the SCR report which should be disclosed (request 1); he did not accept that: the information regarding the risk assessment had been conveyed (request 2); Police Scotland had not responded to his request relating to Mr Rooney's medical status on a particular date (request 3), and he did not accept that no information was held in relation to alleged incident on the same evening as the murder (request 4).

8. Police Scotland notified Mr MacDonald of the outcome of their review on 15 September 2014. Police Scotland confirmed their reliance on section 38(1)(b) in relation to the redactions made to the SCR report (request 1); confirmed the risk status of Mr Rooney, which they argued was conveyed in the SCR report (request 2); stated that they did not hold information relating to Mr Rooney's medical status (except insofar as redacted from the SCR report under section 38(1)(b) of FOISA) and directed Mr MacDonald to other authorities that might hold this information (request 3), and confirmed their reliance on section 17(1) of FOISA in relation to the alleged incident on the same evening of the murder (request 4).

9. On 21 October 2014, Mr MacDonald wrote to the Commissioner. He applied to the Commissioner for a decision in terms of section 47(1) of FOISA. Mr MacDonald stated he was dissatisfied with the outcome of Police Scotland's review as he wanted access to the full report (request 1) and did not accept that he had been provided with adequate information in relation to Mr Rooney's risk assessment (request 2).

 Investigation

10. The application was accepted as valid. The Commissioner confirmed that Mr MacDonald made requests for information to a Scottish public authority and asked the authority to review its response to those requests before applying to her for a decision.

11. On 29 October 2014, Police Scotland were notified in writing that Mr MacDonald had made a valid application. Police Scotland were asked to send the Commissioner the information withheld from him. Police Scotland provided the information and the case was allocated to an investigating officer.

12. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. Police Scotland were invited to comment on this application and answer specific questions, to establish whether they could justify their reliance on any provisions of FOISA they considered applicable to the information requested.

Commissioner's analysis and findings

13. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to her by both Mr MacDonald and Police Scotland. She is satisfied that no matter of relevance has been overlooked.

Background to request

14. A Significant Case Review (SCR) is undertaken, generally, in the following circumstances:

i. When an offender managed under Multi-Agency Public Protection Arrangements (MAPPA) is charged with murder, attempted murder or a crime of serious sexual harm;

ii. Significant concern has been raised in respect of the management of a MAPPA offender which gives rise to serious concerns about professional and/or service involvement;

iii. Where it appears that an offender managed under MAPPA is killed or is seriously injured as a direct result of his/her status as a sex offender becoming known

15. The overarching objectives of SCRs are to:

i. Establish whether there are lessons to be learnt about how better to protect the public from the risk of harm;

ii. Make recommendations from action ;

iii. Address accountability;

iv. Provide public reassurance in relation to the actions of the responsibilities in the specific circumstances; and

v. Identify good practice.

16. A SCR was commissioned by the Edinburgh Offender Management Committee at Edinburgh City Council, following the death of Rosina Sutherland on 30 October 2011. Kevin Rooney, a registered sex offender, was convicted of Mrs Sutherland's murder. A redacted version of the resulting SCR report and a timeline was published on 29 July 2014[1]. This redacted version provided the basis for, and the recommendations arising from, the review.

Redactions made to SCR report (Request 1)

17. Mr MacDonald, although recognising that some of this information was the personal data of Mr Rooney, did not accept that further information could not be provided that did not relate directly to Mr Rooney's medical history. He also argued that almost all of the information would have been admissible in court.

18. Police Scotland withheld complete sections of the SCR report and made smaller redactions in other areas on the basis that section 38(1)(b) (read in conjunction with (2)(a)(i)) of FOISA applied.

19. Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) (or (2)(b)), exempts personal data if its disclosure to a member of the public, otherwise than under FOISA, would contravene any of the data protection principles.

Is the information under consideration personal data?

20. "Personal data" are defined in section 1(1) of the DPA as "data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller" (the full definition is set out in the Appendix).

21. The Commissioner has considered the submissions received from Police Scotland on this point, along with the withheld information. The Commissioner is satisfied that the information is personal data: it is possible to identify individuals from the data itself, in line with the definition of personal data. The information is biographical in relation to Mr Rooney, and therefore can be said to relate to him.

Is the withheld information sensitive personal data?

22. In its submissions, Police Scotland submitted that the redacted information comprised sensitive personal data.

23. The definition of sensitive personal data is contained in section 2 of the DPA (see Appendix)

24. The Commissioner has carefully reviewed the withheld information in the SCR report, in order to establish how much of it is sensitive personal data. The Commissioner is satisfied that the personal data withheld falls into at least one of the categories in section 2 of the DPA and therefore represents the sensitive personal data of an individual. (The Commissioner is unable to confirm which of the categories of sensitive personal data are relevant here without, in effect, disclosing sensitive personal data.)

Would disclosure contravene the first data protection principle?

25. In their submissions, Police Scotland argued that disclosure of the personal data of the data subjects would contravene the first data protection principle.

26. The first data protection principle states that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met and, in the case of sensitive personal data, at least one of the conditions in Schedule 3 to the DPA is also met. The processing under consideration is disclosure of the personal data into the public domain, in response to Mr MacDonald's request.

First data protection principle: sensitive personal data

27. Given the additional restrictions surrounding the disclosure of sensitive personal data, it is necessary in this case to consider whether there are any conditions in Schedule 3 which would permit the data to be disclosed, before considering the Schedule 2 conditions. The conditions listed in Schedule 3 to the DPA have been considered by the Commissioner, as have the additional conditions for processing sensitive personal data contained in legislation, such as the Data Protection (Processing of Sensitive Personal Data) Order 2000.

28. Guidance issued by the Commissioner regarding the exemption in section 38(1)(b)[2] notes that, generally, only the first and fifth conditions are likely to be relevant when considering a request for sensitive personal data under FOISA. Condition 1 would allow personal data to be disclosed where the data subject has given explicit, and fully-informed, consent to their release. Condition 5 would allow the personal data to be disclosed if the data have been made public as a result of steps deliberately taken by the data subject.

29. Police Scotland informed the Commissioner that they had not considered it appropriate to ask the data subject, Mr Rooney, if he would consent to disclosure of his personal information. Police Scotland also submitted that, even if consent had been provided, it was unlikely that it could be relied upon as informed and freely provided, given Mr Rooney's current status. The Commissioner accepts these conclusions.

30. Police Scotland also submitted that they had no knowledge of Mr Rooney taking any steps to release any of his personal data into the public domain deliberately. The Commissioner is also satisfied that the information has not been made public as a result of steps deliberately taken by the data subject, and so condition 5 is not met in this case.

31. Having reached these conclusions, and having concluded that no other condition in Schedule 3 applies in this case, the Commissioner finds that disclosure of Mr Rooney's sensitive personal data would breach the first data protection principle. As a result, the information is exempt from disclosure under section 38(1)(b) of FOISA.

Risk assessment information (Request 2)

32. In his application to the Commissioner, Mr MacDonald clarified that he not only sought information contained within the SCR report, but also all relevant information relating to Mr Rooney's risk assessment. Specifically, Mr MacDonald stated that he wished to know why Mr Rooney's risk assessment had been upgraded just prior to the murder.

33. In their submissions, Police Scotland explained that Mr MacDonald was mistaken in his assertion that Mr Rooney was upgraded to "Very High" risk prior to the murder. They confirmed that the overall risk assessment was "High" and had remained so since 2008.

34. To explain, Police Scotland stated that there are a number of risk assessment tools that are used to assess people's risk. Each tool has a different function and could appear to contradict each other.

35. Police Scotland explained that the section within the SCR report to which they had referred Mr MacDonald provides the outcome of each acute risk assessment under the Stable and Acute 2007 risk assessment tool.

36. Police Scotland stated that Mr MacDonald's interpretation was inaccurate. Police Scotland provided the Commissioner with an explanation of how risk assessments are arrived at, using different tools, under the MAPPA process. Police Scotland confirmed that this had also been explained to Mr MacDonald. As such, Police Scotland submitted that there was nothing more they could add to this particular aspect of this request.

37. The Commissioner has considered the explanation provided by Police Scotland and she is satisfied that Police Scotland could not reasonably be expected to hold any further information on this point.

  Decision

The Commissioner finds that the Chief Constable of the Police Service of Scotland complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by Mr MacDonald.

 Appeal

Should either Mr MacDonald or the Chief Constable of the Police Service of Scotland wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement

13 April 2015

 

 Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

 

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

 

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;


Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

2 Sensitive personal data

In this Act "sensitive personal data" means personal data consisting of information as to-

(a) the racial or ethnic origin of the data subject,

(b) his political opinions,

(c) his religious beliefs or other beliefs of a similar nature,

(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),

(e) his physical or mental health or condition,

(f) his sexual life,

(g) the commission or alleged commission by him of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Schedule 1 - The data protection principles

Part I - The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

Schedule 3 - Conditions relevant for the purposes of the first principle: processing of sensitive personal data

1. The data subject has given his explicit consent to the processing of the personal data.

5. The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.



[1] http://www.cjalb.co.uk/index.php?mact=News,cntnt01,detail,0&cntnt01articleid=232&cntnt01pagelimit=5&cntnt01returnid=59

[2] http://www.itspublicknowledge.info/Law/FOISA-EIRsGuidance/section38/Section38.aspx

PDF IconLink to PDF file of decision 050/2015 (251 kb)

Back to Top