The Scottish Information Commissioner - It's Public Knowledge
Tweet this page:
Text Size Icon

- Text Size Up | Down

Decision 065/2016: Mr X and the Scottish Public Services Ombudsman

Information from SPSO Decision

Reference No: 201501442
Decision Date: 18 March 2016

Summary

On 8 July 2015, Mr X asked the Scottish Public Services Ombudsman (SPSO) for information contained in one of its decisions. The SPSO withheld the information. Following a review, Mr X remained dissatisfied and applied to the Commissioner for a decision.

The Commissioner investigated and found that the information in the decision was exempt from disclosure under section 38(1)(b) (Personal information) of FOISA: the information was personal data and disclosure would breach the first data protection principle.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(b) and (e) (Effect of exemptions); 38(1)(b), (2)(a)(i) and (b) and (5) (definition of "the data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA) sections 1(1) (Basic interpretative provisions) (definition of personal data) and 2 (Sensitive personal data); Schedules 1 (The data protection principles) (the first data protection principle); 2 (Conditions relevant for purposes of the first principle: processing of any personal data) (conditions 1 and 6); 3 (Conditions relevant for the purposes of the first principle: processing of sensitive personal data) (conditions 1 and 5)

Scottish Public Services Ombudsman Act 2002 (the SPSO Act) section 19 (Confidentiality of information)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 8 July 2015, Mr X made a request for information to the SPSO. He asked for the information contained within a specified decision of the Ombudsman. The decision had been reported in the media.

2. The SPSO responded on 14 July 2015. It told Mr X that, under section 12 of the SPSO Act, an investigation by the Ombudsman must be conducted in private. The information was therefore exempt from disclosure under section 26(a) of FOISA, which exempts information if its disclosure is prohibited by or under another enactment.

3. On 20 July 2015, Mr X wrote to the SPSO requesting a review of its decision. He did not accept that the SPSO was correct to withhold information from him. Mr X argued that full transparency and disclosure of the SPSO's decisions was of paramount importance, given its important functions.

4. The SPSO notified Mr X of the outcome of its review on 27 July 2015. It confirmed its previous decision (which was to withhold the information). It referred to section 19(1) of the SPSO Act as specifically prohibiting the Ombudsman from disclosing information in connection with a complaint, except in certain circumstances.

5. The SPSO also told Mr X that section 19 of the SPSO Act was designed to protect personal information which is exempt from disclosure under section 38 of FOISA.

6. On 30 July 2015, Mr X wrote to the Commissioner and applied for a decision in terms of section 47(1) of FOISA. Mr X did not consider that the SPSO was correct to withhold the information.

Investigation

7. The application was accepted as valid. The Commissioner confirmed that Mr X made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to her for a decision.

8. On 28 August 2015, the SPSO was notified in writing that Mr X had made a valid application. The SPSO was asked to send the Commissioner the information withheld from him. The SPSO provided the information and the case was allocated to an investigating officer.

9. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The SPSO was invited to comment on this application and answer specific questions, including justifying its reliance on any provisions of FOISA it considered applicable to the information requested.

Commissioner's analysis and findings

10. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to her by both Mr X and the SPSO. She is satisfied that no matter of relevance has been overlooked.

Information covered by the request

11. The normal practice of the SPSO is to publish an anonymised summary of its decision notices on the complaints it has investigated. This is not the decision itself. The SPSO explained that a "decision" of the SPSO means the decision contained in the complaint file held by the SPSO. The Commissioner accepts that this is different from the anonymised summary, and that the SPSO was correct to interpret Mr X's request as a request for the decision held in the complaint file, not the published summary.

Section 38(1)(b) - Personal information

12. The Ombudsman applied a number of different exemptions to the decision. The Commissioner will first consider the exemption in section 38(1)(b).

13. The SPSO explained that, in order to protect the privacy of the complainer and the rights protected by the data protection principles under the DPA, it does not usually confirm the identity of any complainer. In the case, however, the identity of the child to whom the complaint related had been publicly disclosed by the mother. The SPSO commented that, had there not been information in the media about the decision, it would have responded to the request in terms of section 18(1) of FOISA - that is, by neither confirming nor denying whether it held any information covered by the request.

14. The SPSO applied the exemption in section 38(1)(b), read in conjunction with section 38(2)(a)(i) of FOISA, to the withheld information.

15. Section 38(1)(b) of FOISA exempts information from disclosure if it is "personal data" as defined in section 1(1) of the DPA, and disclosure would contravene one or more of the data protection principles set out in Schedule 1 to the DPA.

16. To rely on this exemption, the SPSO must show that the information being withheld is personal data for the purposes of the DPA, and that disclosure of the information into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles.

Is the withheld information personal data?

17. Personal data is defined in section 1(1) of the DPA as data which relate to a living individual who can be identified a) from those data, or b) from those data and other information which is in the possession of, or likely to come into the possession of, the data controller (the full definition is set out in Appendix 1).

18. The withheld information contains information about named persons, primarily the person who made the complaint to the SPSO and their child (on whose behalf the complaint was made), but also about other third parties.

19. The Commissioner is satisfied that the whole of the decision comprises personal data: it is clearly possible to identify individuals from the data itself, and the information has biographical significance for the child (who is the subject of the decision) and for the mother (who made the complaint to the SPSO).

Is the withheld information sensitive personal data?

20. In its submissions, the SPSO submitted that the information included sensitive personal data. The definition of sensitive personal data is contained in section 2 of the DPA (see Appendix 1).

21. The Commissioner is satisfied that the majority of the information in the decision comprises sensitive personal data. The Commissioner does not wish to confirm which type of sensitive personal data it is, as to do so would increase the likelihood of identification.

Would disclosure contravene the first data protection principle?

22. The SPSO argued that disclosing the personal data would contravene the first data protection principle. This states that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met and, in the case of sensitive personal data, at least one of the conditions in Schedule 3 to the DPA is also met. "Processing" here means disclosing the personal data into the public domain in response to Mr X's information request.

23. The Commissioner notes Lord Hope's comment in the case of Common Services Agency v Scottish Information Commissioner [2008] UKHL 472[1] (the CSA case) that the conditions require careful treatment in the context of a request for information under FOISA, given that they were not designed to facilitate the release of information, but rather to protect personal data from being processed in a way that might prejudice the rights, freedoms or legitimate interests of the data subject.

First data protection principle: sensitive personal data

24. Given the additional restrictions surrounding the disclosure of sensitive personal data, it is sensible to consider whether there are any conditions in Schedule 3 which would permit those data to be disclosed before considering the Schedule 2 conditions. The Commissioner has considered the conditions in Schedule 3 to the DPA as well as the additional conditions for processing sensitive personal data contained in legislation such as the Data Protection (Processing of Sensitive Personal Data) Order 2000.

25. Guidance[2] issued by the Commissioner regarding section 38(1)(b) notes that, generally, only the first and fifth conditions in Schedule 3 of the DPA are likely to be relevant when considering a request for sensitive personal data under FOISA. Condition 1 would allow personal data to be disclosed where the data subject has given explicit consent to their release. Condition 5 would allow personal data to be disclosed if the information contained in the data has been made public as a result of steps deliberately taken by the data subject.

26. The SPSO informed the Commissioner that it had not considered it reasonable to ask the data subjects if they would consent to their personal data being disclosed, as this could cause distress. The Commissioner agrees that, in the circumstances, it would be inappropriate and unreasonable for the SPSO to ask the data subjects for consent. As the SPSO does not have the data subjects' consent to disclose the requested information, the Commissioner is satisfied that condition 1 cannot be met in this case.

27. As noted above, some information about the case was publicised by one of the data subjects. However, the information at issue (which is the decision notice of the Ombudsman) has not been made public as a result of steps deliberately taken by the data subjects, and so condition 5 cannot be met in this case.

28. Having concluded that no there is no lawful basis for disclosing the sensitive personal data, the Commissioner finds that its disclosure would breach the first principle of the DPA. The sensitive personal data in the decision is therefore exempt from disclosure under section 38(1)(b) of FOISA.

29. The Commissioner will now go on to consider the non-sensitive personal data.

First data protection principle: non-sensitive personal data

30. Non-sensitive personal data can only be disclosed if one of the conditions in Schedule 2 to the DPA to be met.

31. Guidance issued by the Commissioner regarding section 38(1)(b) notes that, generally, only the first and sixth conditions in Schedule 2 of the DPA are likely to be relevant when considering a request for non-sensitive personal data under FOISA.

32. Condition 1 would allow personal data to be disclosed where the data subject has given consent to the processing. The SPSO does not have the data subjects' consent to disclose their personal data, so condition 1 cannot be met in this case.

33. Condition 6(1) allows personal data to be processed if that processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

34. The tests which must be met before condition 6(1) can apply are:

(i) Does Mr X have a legitimate interest in obtaining the personal data?

(ii) If so, is the disclosure necessary for the purposes of those interests? In other words, is disclosure proportionate as a means and fairly balanced as to ends, or could the interests be met by means which interfere less with the privacy of the data subject?

(iii) Even if disclosure is necessary for those purposes, would it nevertheless be unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subjects? As noted by Lord Hope in the CSA case, there is no presumption in favour of disclosure of personal data under the general obligation laid down in FOISA. The legitimate interests of Mr X must outweigh the rights and freedoms or legitimate interests of the data subjects before condition 6 will permit the personal data to be disclosed.

Does Mr X have a legitimate interest in obtaining the personal data?

35. Mr X views the information as relevant to his own concerns (his initial request referred to his view that there was "a strong correlation" with his current concern). The Commissioner will not set out what these "concerns" are in this decision as to do so would increase the likelihood of identification of the data subjects.

36. In his requirement for review, he also referred to the benefits of increased transparency in relation to the SPSO's decision-making process.

37. Given his concerns, the Commissioner is satisfied that Mr X has a legitimate interest in the personal data under consideration. As a member of the public, he also has a legitimate interest in information which would increase transparency in relation to the decision-making process of the SPSO.

Is disclosure of the information necessary for the purposes of these legitimate interests?

38. The Commissioner must now consider whether disclosure of the personal data is necessary for the legitimate interests identified above. In doing so, she must consider whether these interests might reasonably be met by any alternative means.

39. The decision by the Supreme Court in the case of South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55[3] stated (at paragraph 27 of the judgment):

"… A measure which interferes with a right protected by Community law must be the least restrictive for the achievement of a legitimate aim. Indeed, in ordinary language we would understand that a measure would not be necessary if the legitimate aim could be achieved by something less."

40. Disclosure of the withheld information would allow additional scrutiny and understanding of the Ombudsman's decision and could be relevant to Mr X's own concerns. The Commissioner accepts that disclosing the decision would be necessary to meet his legitimate interests: he could not acquire a full understanding of the decision other than through disclosure of the withheld information. The summary of the decision and the press article would not be sufficient.

Would disclosure be unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subjects?

41. The SPSO stated in the strongest terms what it regarded as the interests of the data subjects: privacy and confidence, security and safety. The SPSO believed such interests, and their protection, outweighed the interests of Mr X in disclosure of the information.

42. The Commissioner must consider whether disclosure would be unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subjects. This involves a balancing exercise between the legitimate interests of Mr X and those of the data subjects. Only if the legitimate interests of Mr X outweigh those of data subjects can the information be disclosed without breaching the first data protection principle.

43. In her briefing on section 38[4] of FOISA, the Commissioner notes a number of factors which should be taken into account in carrying out this balancing exercise. These include:

· whether the information relates the individual's public life (i.e. their work as a public official or employee) or their private life (i.e. their home, family, social life or finances);

· the potential harm or distress that may be caused to by the disclosure;

· whether the individual has objected to the disclosure; and

· the reasonable expectations of the individual as to whether the information would be disclosed.

44. The Commissioner is satisfied that the information in question pertains wholly to the data subjects' private lives. Similarly, the Commissioner accepts that disclosure of the personal data in the detail in which it is covered in the decision would be likely to cause distress to the data subjects, who would have a reasonable expectation of privacy in relation to their personal data.

45. The Commissioner has considered whether the data subjects would have a general expectation that some or all of the information from the decision would be made public. She has taken into account the nature of the information, the SPSO's usual practice in publishing only an anonymised summary of its decisions, and the provisions in the SPSO Act prohibiting disclosure of information. Although one of the data subjects has made some of the information public, the Commissioner is satisfied that the data subjects would not have any reasonable expectation that their personal data would be publicly disclosed by the SPSO in the context of Mr X's information request.

46. In this instance, the Commissioner accepts that there is considerably more weight to be attributed to the rights and freedoms or legitimate interests of the data subjects than to Mr X's legitimate interests.

47. Having concluded that disclosure of the withheld information would lead to unwarranted prejudice to the rights and freedoms or legitimate interests of the data subjects, the Commissioner must also conclude that disclosure would be unfair. In the absence of a condition permitting disclosure, she would also regard disclosure as unlawful. In all the circumstances, therefore, she finds that disclosure would breach the first data protection principle and that the information was properly withheld under section 38(1)(b) of FOISA.

48. The Commissioner is therefore satisfied that the all of the information contained in the Ombudsman's decision is exempt from disclosure under section 38(1)(b) of FOISA.

Other exemptions

49. The Ombudsman applied a number of other exemptions to the information in the decision. Given that the Commissioner has found that the information is exempt in its entirety under section 38(1)(b), she is not required to (and will not) go on to consider the other exemptions.

Decision

The Commissioner finds that the Scottish Public Services Ombudsman complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by Mr X.

Appeal

Should either Mr X or the Scottish Public Services Ombudsman wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement

18 March 2016

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.
 

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(b) section 26;

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

2 Sensitive personal data

In this Act "sensitive personal data" means personal data consisting of information as to-

(a) the racial or ethnic origin of the data subject,

(b) his political opinions,

(c) his religious beliefs or other beliefs of a similar nature,

(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),

(e) his physical or mental health or condition,

(f) his sexual life,

(g) the commission or alleged commission by him of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Schedule 1 - The data protection principles

Part I - The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

Schedule 2 - Conditions relevant for purposes of the first principle: processing of any personal data

1. The data subject has given his consent to the processing.

...

6. (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

Schedule 3 - Conditions relevant for the purposes of the first principle: processing of sensitive personal data

1. The data subject has given his explicit consent to the processing of the personal data.

5. The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.

 

Scottish Public Services Ombudsman Act 2002

19 Confidentiality of information

(1) Information obtained by the Ombudsman or any of the Ombudsman's advisers in connection with any matter in respect of which a complaint or a request has been made must not be disclosed except for any of the purposes specified in subsection (2) or as permitted by subsection (3).

(2) Those purposes are-

(a) for the purposes of-

(i) any consideration of the complaint or request (including any statement under section 11),

(ii) any investigation of the matter (including any report of such an investigation),

(b) the purposes of any proceedings for-

(i) an offence under the Official Secrets Acts 1911 to 1989 alleged to have been committed in respect of information obtained by the Ombudsman,

(ii) an offence of perjury alleged to have been committed in the course of any investigation of the matter,

(c) the purposes of an inquiry with a view to the taking of any of the proceedings mentioned in paragraph (b),

(d) the purposes of any proceedings under section 14.

(3) Where information referred to in subsection (1) is to the effect that any person is likely to constitute a threat to the health or safety of individuals (in particular or in general), the Ombudsman may disclose the information to any person to whom the Ombudsman thinks it should be disclosed in the interests of the health or safety of the particular individuals or, as the case may be, individuals in general.

(4) In relation to information disclosed under subsection (3), the Ombudsman must-

(a) where the Ombudsman knows the identity of the person to whom the information relates, inform that person of the disclosure of the information and of the identity of the person to whom it has been disclosed, and

(b) inform the person from whom the information was obtained of the disclosure.

(4A) The duty under subsection (4)(a) to inform a person about the identity of a person to whom information has been disclosed does not apply where informing the former person is likely to constitute a threat to the health or safety of the latter person.

(5) It is not competent to call upon the Ombudsman or the Ombudsman's advisers to give evidence in any proceedings (other than proceedings referred to in subsection (2)) of matters coming to the knowledge of the Ombudsman or advisers in connection with any matter in respect of which a complaint or request has been made.

(6) A member of the Scottish Executive may give notice in writing to the Ombudsman with respect to-

(a) any document or information specified in the notice, or

(b) any class of document or information so specified,

that, in the opinion of the member of the Scottish Executive, the disclosure of the document or information, or of documents or information of that class, would be contrary to the public interest.

(7) Where such a notice is given nothing in this Act is to be construed as authorising or requiring the Ombudsman or any of the Ombudsman's advisers to communicate to any person or for any purpose any document or information specified in the notice, or any document or information of a class so specified.

(8) Information obtained from -

(a) the Information Commissioner by virtue of section 76 of the Freedom of Information Act 2000 (c.36)

(b) the Scottish Information Commissioner by virtue of section 63 of the Freedom of Information (Scotland) Act 2002 (asp 13),

is to be treated for the purposes of subsection (1) as obtained in connection with any matter in respect of which a complaint or request has been made.

(9) In relation to such information, subsection (2)(a) has effect as if-

(a) the reference in sub-paragraph (i) to the complaint or request were a reference to any complaint or request, and

(b) the reference in sub-paragraph (ii) to the matter were a reference to any matter.

(10) In this section and section 20 references to the Ombudsman's advisers are to persons from whom the Ombudsman obtains advice under paragraph 10 of schedule 1.


[1] http://www.bailii.org/uk/cases/UKHL/2008/47.html

[2] http://www.itspublicknowledge.info/Law/FOISA-EIRsGuidance/section38/Section38.aspx

[3] http://www.bailii.org/uk/cases/UKSC/2013/55.html

[4] http://www.itspublicknowledge.info/Law/FOISA-EIRsGuidance/section38/Section38.aspx

PDF IconLink to PDF file of decision 065/2016 (222 kb)

Back to Top