The Scottish Information Commissioner - It's Public Knowledge
Tweet this page:
Text Size Icon

- Text Size Up | Down

Decision 083/2015: Mrs Lilian Gordon and Scottish Criminal Cases Review Commission

Number of cases investigated by a named officer

Reference No: 201500649
Decision Date: 18 June 2015

Summary

On 10 March 2015, Mrs Gordon asked the Scottish Criminal Cases Review Commission (SCCRC) for the number of cases a named person was involved in whilst working for the SCCRC. The SCCRC withheld this information on the basis that it was personal data, exempt from disclosure under section 38(1)(b) of FOISA.

Following an investigation, the Commissioner found that the SCCRC was entitled to withhold the information under this exemption, but that its responses were not fully compliant with FOISA. The Commissioner did not require the SCCRC to take any action in respect of these failures.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 19 (Content of certain notices); 38(1)(b), (2)(a)(i), (2)(b) and (5) (definitions of "data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA) sections 1(1) (Basic interpretative provisions) (definition of "personal data"); Schedule 1 (The data protection principles, Part I: the principles) (the first data protection principle) and Schedule 2 (Conditions relevant for purposes of the first principle: processing of any personal data) (conditions 1 and 6)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 10 March 2015, Mrs Gordon made a request for information to the SCCRC Among other information not the subject of this decision, she asked for the number of cases a named individual was involved in whilst working for the SCCRC during a period of secondment from the Crown Office and Procurator Fiscal Service (COPFS).

2. The SCCRC responded on 11 March 2015. It stated that the requested information was third party personal data and exempt from disclosure under section 38(1)(b) of FOISA.

3. On 11 March 2015, Mrs Gordon emailed the SCCRC requesting a review of its decision on the basis that the exemption did not apply. She also noted the SCCRC's response did not provide a contact email address to use when requesting a review.

4. The SCCRC notified Mrs Gordon of the outcome of its review on 31 March 2015, upholding its previous response without amendment.

5. On 2 April 2015, Mrs Gordon emailed the Commissioner, applying for a decision in terms of section 47(1) of FOISA. Mrs Gordon stated that she was dissatisfied with the outcome of the SCCRC's review. She did not consider the requested information should be withheld and gave reasons why she took this view. She also considered that the SCCRC's responses did not provide the information about her rights to seek a review of the SCCRC's response and to apply for a decision from the Commissioner, as required by FOISA.

Investigation

6. The application was accepted as valid. The Commissioner confirmed that Mrs Gordon made a request to a Scottish public authority and asked the authority to review its response to that request before applying to her for a decision.

7. On 21 April 2015, the SCCRC was notified in writing that Mrs Gordon had made a valid application. The SCCRC was asked to send the Commissioner the information withheld from her. The SCCRC provided the information and the case was allocated to an investigating officer.

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The SCCRC was invited to comment on this application and to answer specific questions, including justifying its reliance on any provisions of FOISA it considered applicable to the information requested. It was asked to comment on whether its responses to Mrs Gordon complied with section 19 of FOISA, in relation to her rights of review.

9. Mrs Gordon was invited to provide her views as to why the withheld personal information should be disclosed, and did so.

Commissioner's analysis and findings

10. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to her by both Mrs Gordon and the SCCRC. She is satisfied that no matter of relevance has been overlooked.

Section 38(1)(b) of FOISA

11. The SCCRC withheld the information covered by Mrs Gordon's request (the number of cases the named individual had been involved in) under section 38(1)(b) of FOISA, on the basis that it was the personal data of the named individual, the disclosure of which would breach the first data protection principle.

12. Section 38(1)(b), read in conjunction with section 38(2)(a)(i) or (2)(b) (as appropriate), exempts personal data if its disclosure to a member of the public otherwise than under FOISA would contravene any of the data protection principles.

Is the information under consideration personal data?

13. "Personal data" are defined in section 1(1) of the DPA as:

"data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual."

14. In its submissions, the SCCRC stated that the withheld data relates to the named individual, who is identifiable from the data. The SCCRC considered that the withheld data is about the named individual, has them as its main focus and has some biographical significance for them, in that it discloses information about the amount of work they undertook whilst working for the SCCRC.

15. The Commissioner has considered whether the withheld data should be considered to be the personal information of the named individual. The Commissioner is satisfied that the withheld data falls within the definition of personal data. The individual has been named in the request which makes reference to their work for the SCCRC. The Commissioner is satisfied that the withheld information relates to the actions of an identifiable individual and it is that person's personal data.

16. Having concluded that the withheld information is personal data as defined in section 1(1) of the DPA, the Commissioner must now go on to consider whether disclosure of this information would contravene any of the data protection principles in the DPA.

Would disclosure of the information breach the first data protection principle?

17. The SCCRC argued that disclosure of the information would breach the first data protection principle. The first data protection principle requires that personal data be processed fairly and lawfully and, in particular, shall not be processed (in this case, disclosed into the public domain in response to Mrs Gordon's request) unless at least one of the conditions in Schedule 2 to the DPA is met and, in the case of sensitive personal data (as defined by section 2 of the DPA), at least one of the conditions in Schedule 3 to the DPA is also met.

18. When considering the conditions, the Commissioner has noted Lord Hope's comment in the case of Common Services Agency v Scottish Information Commissioner [2008] UKHL 47[1] (the CSA case) that the conditions require careful treatment in the context of a request for information under FOISA, given that they were not designed to facilitate the release of information, but rather to protect personal data from being processed in a way that might prejudice the rights, freedoms or legitimate interests of the data subject.

19. Condition 1 of Schedule 2 of the DPA permits personal data to be processed if the data subject has consented to the data processing. The SCCRC provided evidence that the named individual had refused to give consent for disclosure of the withheld data. The Commissioner has therefore concluded that condition 1 in Schedule 2 cannot be met in this case.

20. The Commissioner considers that the only other condition in Schedule 2 to the DPA which might apply in this case is condition 6. Condition 6 allows personal data to be processed if that processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

21. There are, therefore, a number of tests which must be met before condition 6(1) can apply. These are:

· Does Mrs Gordon have a legitimate interest in obtaining the personal data?

· If so, is the disclosure necessary to achieve those legitimate interests? In other words, is disclosure proportionate as a means and fairly balanced as to ends, or could these legitimate interests be achieved by means which interfere less with the privacy of the data subject (i.e. the individual to whom the data relate)?

· Even if making the information available is necessary for the legitimate purposes of Mrs Gordon, would it nevertheless cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subject? This will involve a balancing exercise between the legitimate interests of Mrs Gordon and those of the data subject. Only if (or to the extent that) the legitimate interests of Mrs Gordon outweigh those of the data subject can the personal data be made available.

Does Mrs Gordon have a legitimate interest?

22. There is no definition within the DPA of what constitutes a "legitimate interest", but the Commissioner takes the view that the term indicates that matters in which an individual properly has an interest should be distinguished from matters about which he or she is simply inquisitive. In the published guidance on section 38 of FOISA[2] , the Commissioner states:

"In some cases, the legitimate interest might be personal to the applicant - e.g. he or she might want the information in order to bring legal proceedings. With most requests, however, there are likely to be wider legitimate interests, such as the scrutiny of the actions of public bodies or public safety."

23. In her application to the Commissioner, Mrs Gordon referred to her general interest in the withheld data, and the fact that the named individual has a public profile and investigated the cases while on secondment to the SCCRC from COPFS. Mrs Gordon took the view that this was unlawful and had compromised the independence of the SCCRC in carrying out its role, free of undue influence from other public bodies. She also believed that it could affect public confidence in the independence of the SCCRC.

24. The SCCRC understood that one of the reasons Mrs Gordon required the information is that she believed it connects in some way to the SCCRC's review of the case she is interested in, the decisions following those reviews and the litigation that has flowed from those decisions. The SCCRC understood that Mrs Gordon believed there is some sort of divergence between the SCCRC's stated position that it operates independently from the legislature, the government, the Crown and the defence, and the fact that the named individual was temporarily working for the SCCRC: she and the public at large have a right to know the 'true' position.

25. It is clear to the Commissioner that Mrs Gordon has concerns about whether the secondment of an officer from COPFS may have compromised the independence and impartiality of the SCCRC. However, Mrs Gordon has not explained to the Commissioner why she has a legitimate interest in information revealing the number of cases in which the seconded officer was involved. The Commissioner can identify no reason why it would benefit either Mrs Gordon or the public to know how many cases this officer worked on while at the SCCRC. It is not a secret that the secondment took place. Mrs Gordon is already aware that the seconded officer was involved with the case in which she is particularly interested. The Commissioner has been unable to make any link between the number of cases the named individual was involved in and Mrs Gordon's interests.

26. In the absence of clear reasons from Mrs Gordon for requiring this information, and taking account of the comments made by Lord Hope (see paragraph 18), the Commissioner does not accept that Mrs Gordon has a legitimate interest in the disclosure of this personal data.

27. The Commissioner must therefore conclude that condition 6 of Schedule 2 of the DPA is not met in this case. As none of the conditions in Schedule 2 have been found to be met, disclosure would breach the first data protection principle in the DPA. The Commissioner therefore accepts that the information is exempt under section 38(1)(b) of FOISA.

Information about rights of appeal

28. Section 19 of FOISA requires that a refusal notice under section 16(1) of FOISA must contain particulars-

a. of the procedure provided by the authority for dealing with complaints about the handling by it of requests for information; and

b. about the rights of application to the authority and the Commissioner conferred by sections 20(1) and 47(1).

29. The Commissioner notes that the SCCRC's initial response of 11 March 2015 informed Mrs Gordon that she was entitled to request a review, if she was dissatisfied. It provided Mrs Gordon with the name of the person who would carry out the review, but did not provide her with contact details for that person.

30. Section 19 of FOISA does not stipulate that such contact details must be provided, but it would be reasonable to expect that such details would be included in the "particulars" of the procedure for dealing with complaints about the way in which an information request was handled. This is confirmed in paragraph 9.11.2 of the Scottish Ministers' Code of Practice on the Discharge of Functions by Scottish Public Authorities under FOISA and the EIRs[3], which states: "The authority must also provide contact details for submitting the request for review". Therefore, the Commissioner has concluded that the SCCRC failed to comply with section 19(a) of FOISA in responding to Mrs Gordon's request.

31. The Commissioner also notes that the SCCRC's review response of 31 March 2015 did not provide Mrs Gordon with any details of her right to apply to the Commissioner for a decision. Therefore, the Commissioner has concluded that the SCCRC failed to comply with section 19(b) of FOISA in responding to Mrs Gordon's request.

32. The Commissioner notes that these failures did not hinder Mrs Gordon from submitting a request for review to the SCCRC, or appealing to the Commissioner for a decision. She notes that the SCCRC's initial response informed Mrs Gordon of her right to apply for a decision from the Commissioner.

33. The SCCRC has noted these failures and has stated that it has put in place measures to ensure that such omissions do not occur in future. The Commissioner does not require the SCCRC to take further action.

Other matters

34. In her application and correspondence with the Commissioner, Mrs Gordon expressed dissatisfaction with the SCCRC's review response and, in particular, with the statement that "only the [SCCRC's] Board can take a final decision in respect of any case under review". She considered that, as the SCCRC had omitted details of her appeal rights to the Commissioner in its review response, she was effectively informed that her case was not appealable (to the Commissioner).

35. The Commissioner's remit is to decide whether the SCCRC complied with FOISA in responding to Mrs Gordon's request. The Commissioner notes that the SCCRC had already informed Mrs Gordon of her right to apply to her for a decision, in its letter of 11 March 2015. As noted above, the SCCRC regrettably failed to repeat this in its review response, as it was required to do by section 19 of FOISA. However, although the SCCRC's review response may have given Mrs Gordon the misleading impression that it considered she was not entitled to apply to the Commissioner, the Commissioner does not find that any breach of FOISA has occurred, beyond that already discussed in relation to section 19. She does not accept that the inclusion of the above statement in the SCCRC's review response was intended, deliberately or otherwise, to encourage Mrs Gordon to believe that she could not apply to the Commissioner for a decision on whether the SCCRC had complied with FOISA in responding to her request.

36. The Commissioner notes that her remit in carrying out this investigation extends to the consideration as to whether the SCCRC was entitled to withhold the requested information and whether its responses complied with FOISA. Both of these matters have been considered above. In this instance, the Commissioner cannot comment on whether the SCCRC's investigation of Mrs Gordon's request or the case she is interested in were "truly independent", as this falls outwith her remit.

Decision

The Commissioner finds that the Scottish Criminal Cases Review Commission (the SCCRC) partially complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by Mrs Lilian Gordon.

The Commissioner finds that information which was personal data was correctly withheld under section 38(1)(b) of FOISA.

However, the Commissioner finds that the SCCRC's responses did not fully comply with section 19 of FOISA.

The Commissioner does not require the SCCRC to take any action in respect of these failures in response to Mrs Gordon's application.

Appeal

Should either Mrs Gordon or the SCCRC wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement

18 June 2015

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

19 Content of certain notices

A notice under section 9(1) or 16(1), (4) or (5) (including a refusal notice given by virtue of section 18(1)) or 17(1) must contain particulars-

(a) of the procedure provided by the authority for dealing with complaints about the handling by it of requests for information; and

(b) about the rights of application to the authority and the Commissioner conferred by sections 20(1) and 47(1).

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

Schedule 1 - The data protection principles

Part I - The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

Schedule 2 - Conditions relevant for purposes of the first principle: processing of any personal data

 

1. The data subject has given his consent to the processing.

...

6. (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.



[1] http://www.publications.parliament.uk/pa/ld200708/ldjudgmt/jd080709/comm-1.htm

[2] http://www.itspublicknowledge.info/Law/FOISA-EIRsGuidance/section38/Section38.aspx

[3] http://www.gov.scot/Resource/0046/00465757.pdf

PDF IconLink to PDF file of decision 083/2015 (261 kb)

Back to Top