The Scottish Information Commissioner - It's Public Knowledge
Tweet this page:
Text Size Icon

- Text Size Up | Down

Decision 130/2016: Mr A and the Scottish Prison Service

Suspension of IT facilities

Reference No: 201600121
Decision Date: 23 June 2016

Summary

On 26 October 2015, Mr A asked the Scottish Prison Service (the SPS) for all information relating to its request to Fife College to withdraw access to IT facilities from the Learning Centre at HMP Edinburgh in July 2015.

The SPS provided Mr A with some information but told him that it did not hold other information. Following a review, Mr A remained dissatisfied and applied to the Commissioner for a decision.

The Commissioner investigated and found that the SPS had partially failed to respond to Mr A's request for information in accordance with Part 1 of FOISA. The SPS failed to comply with the timescales set out in section 10(1) of FOISA when responding to the request. It initially failed to identify all relevant information falling within the scope of Mr A's request. In addition, once relevant information had been identified, the SPS wrongly withheld some information under section 35(1)(f) and section 38(1)(b) of FOISA. The Commissioner found that the SPS had correctly withheld other information under section 35(1)(f) and 38(1)(b) of FOISA.

The Commissioner required the SPS to disclose to Mr A the information which was wrongly withheld.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1) and (2)(e)(ii) (Effect of exemptions); 10(1)(a) (Time for compliance); 35(1)(f) (Law enforcement); 38(1)(b), (2)(a)(i), (2)(b) and (5) (definitions of "data protection principles", "data subject" and "personal information") (Personal information)

Data Protection Act 1998 (the DPA) sections 1(1) (Basic interpretative provision) (definition of personal data) and (2)(g) and (h) (Sensitive personal data); Schedule 1 (The data protection principles, Part 1 - the principles) (the first data protection principle) and Schedule 2 (Conditions relevant for purposes of the first principle: processing of any personal data) (condition 6)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 26 October 2015, Mr A made a request for information to the SPS. The information requested was:

All and any information held by the SPS which concerns its request to Fife College to withdraw from access by prisoners and/or College staff IT facilities within the Learning Centre at HMP Edinburgh since 1 July 2015, to include information about the numbers of students attending each weekly session designated in terms of subject (e.g. Art, etc.) from Monday 6 July 2015 to Friday 23 October 2015, and information regarding any current plans to restore educational IT facilities.

2. The SPS responded on 25 November 2015. In its response, the SPS stated that it had not made any written request to Fife College (to remove its IT facilities). It provided Mr A with some information regarding the number of students enrolled in Art and IT classes.

3. On 2 December 2015, Mr A wrote to the SPS requesting a review of its decision as he considered that it was withholding information that fell within the scope of his request.

4. The SPS notified Mr A of the outcome of its review on 31 December 2015. The SPS modified its initial response by clarifying some of the information it had provided on the numbers of prisoners undertaking classes at the Learning Centre. It also provided Mr A with two emails that fell within the scope of his request.

5. On 15 January 2016, Mr A applied to the Commissioner for a decision in terms of section 47(1) of FOISA. He was dissatisfied with the outcome of the SPS's review because he considered that it was still withholding information that fell within the scope of his request. In this letter, Mr A confirmed that he was satisfied with the information he had received pertaining to the number of prisoners enrolled in classes at the Learning Centre.

Investigation

6. The application was accepted as valid. The Commissioner confirmed that Mr A made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to her for a decision.

7. On 9 February 2016, the SPS was notified in writing that Mr A had made a valid application. The case was allocated to an investigating officer.

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The SPS was invited to comment on this application and answer specific questions including justifying its reliance on any provisions of FOISA it considered applicable to the information requested. The SPS was also asked to conduct thorough searches of its information.

Commissioner's analysis and findings

9. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to her by both Mr A and the SPS. She is satisfied that no matter of relevance has been overlooked.

Withheld Information

10. During the investigation, the SPS identified further information that fell within the scope of Mr A's request and provided some of it to Mr A. Twelve documents were ultimately identified as containing information covered by Mr A's request. Five have now been provided in their entirety; the others have been wholly or partially withheld.

Section 35(1)(f) - Law enforcement

11. The SPS withheld some information in documents 4 and 5 under section 35(1)(f) of FOISA. This exemption applies to information if its disclosure would, or would be likely to, prejudice substantially the maintenance of security and good order in prisons or in other institutions where persons are lawfully detained.

12. If a Scottish public authority applies this exemption, it must be able to show that disclosure would affect both the maintenance of security in prisons and good order in prisons. It must be able to show that the risk of harm arising from disclosure of the information is real or very likely, not merely hypothetical. It must be able to show that the harm caused (or likely to be caused) by disclosure would be significant, not marginal, occurring (or likely to occur) in the near foreseeable future and not in some distant time.

13. The Commissioner cannot provide full details of the arguments put forward by the SPS, as this would be likely to disclose some of the information which has been withheld. However, the Commissioner can provide an overview of the key points from the SPS's submission. In essence, it believed that disclosure of the withheld information could enable prisoners to plan and coordinate disruptive incidents. The SPS argued that while there may be a low likelihood of such an occurrence happening, the impact of one such occurrence could have very serious consequences.

14. Mr A argued that "there is no genuine issue relative to the maintenance of security and good order in prisons in relation to the exemption claimed by the authority". Mr A referred to the information redacted from documents 4 and 5 and he argued that disclosure of this "low grade" information would not threaten security and good order in prisons.

15. The Commissioner has considered the information being withheld in document 5, and she is not satisfied that its disclosure would cause the harm cited by the SPS. The information redacted in document 5 refers to technical standards of encryption used by the SPS. The Commissioner acknowledges that the SPS may not want prisoners, or the wider world, to know the specific technology it is using, but she does not consider that the SPS has showed how disclosure of this information would, or would be likely to prejudice substantially the maintenance of good order and security in prisons. The Commissioner finds that this information is not exempt in terms of section 35(1)(f) of FOISA and she requires the SPS to disclose it to Mr A.

16. The Commissioner has also considered the information withheld in document 4. She is satisfied that disclosure of this information would, or would be likely to, prejudice substantially the maintenance of good order and security in prisons. The Commissioner accepts that if prisoners become aware of any techniques or resources that facilitate covert planning then it is possible, or even likely, that some prisoners would take advantage of such facilities and this would, or would be likely to, threaten the security and maintenance of good order in prisons. The Commissioner finds that the SPS correctly applied the exemption in section 35(1)(f) of FOISA to the information redacted from document 4.

Public interest test

17. As the Commissioner has found that the exemption in section 35(1)(f) was correctly applied to the withheld information in document 4, she has gone on to consider the public interest test in section 2(1)(b) of FOISA. This requires consideration of whether, in all the circumstances of the case, the public interest in disclosing the withheld information is outweighed by the public interest in maintaining the exemption in section 35(1)(f) of FOISA.

SPS's submissions on the public interest test

18. The SPS acknowledged that there is some limited public interest in disclosure of the details of an allegation of misconduct following the introduction of inappropriate material on to Fife College PCs in use at HMP Edinburgh. The SPS submitted that this interest would be met by disclosing that the allegation had been the subject of a "sound audit and investigation".

19. However, the SPS argued that disclosure of the details of its investigation could provide information which would assist future attempts to introduce inappropriate software into the prison. The SPS argued that the public interest is best served by ensuring that appropriate investigations are carried out when required without disclosing the details. The SPS maintained that it is in the public interest that only approved material is uploaded to PCs used by prisoners and that the prison environment is kept secure and safe.

Mr A's submissions on the public interest test

20. Mr A argued that since none of the withheld information appears to be particularly sensitive in terms of its impact on security or good order, there is a clear public interest in the SPS explaining the actions which it has taken to address the IT security breaches identified so that the public can be confident that prisoners can be provided with IT facilities without seriously risking security or good order.

The Commissioner's conclusions

21. In considering the public interest in favour of disclosure, the Commissioner recognises the general public interest in disclosing information held by Scottish public authorities.

22. Overall, however, the Commissioner finds that there is only limited public interest in the disclosure of the information requested by Mr A, which discusses techniques and resources that could be used by prisoners to conduct covert planning whilst incarcerated. The Commissioner acknowledges that prisoners themselves may well have a strong interest in obtaining such information, but she does not accept that disclosure of this information is in the public interest.

23. The Commissioner notes Mr A's arguments and concerns, but she considers that the SPS has already disclosed a large amount of information which describes the actions it has taken in response to the IT security breach.

24. The Commissioner considers that the disclosure of information which could facilitate private communication between prisoners would be likely to threaten the maintenance of order and security in prisons and she finds that this would not be in the public interest. .

25. In conclusion, the Commissioner is satisfied that, on balance, the public interest in this case favours maintaining the exemption, as the public interest in disclosure is outweighed by the public interest in avoiding substantial prejudice to the maintenance of good order and security in prisons.

26. The Commissioner therefore finds that the SPS was correct to withhold information in document 4 under section 35(1)(f) of FOISA.

Section 38(1)(b) - Personal data

27. The SPS withheld some information contained in documents 2, 3, 7 and 9 under section 38(1)(b) of FOISA.

28. Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) (or, as appropriate, section 38(2)(b)) exempts information from disclosure if it is "personal data", as defined in section 1(1) of the DPA, and its disclosure would contravene one or more of the data protection principles set out in Schedule 1 to the DPA.

29. In order to rely on this exemption, the SPS must show, firstly, that any such information would be personal data for the purposes of the DPA and, secondly, that disclosure of that data would contravene one or more of the data protection principles to be found in Schedule 1.

30. This exemption is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

Is the information under consideration personal data?

31. "Personal data" are defined in section 1(1) of the DPA as "data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual".

32. The SPS submitted that the only information it has withheld under this exemption relates to a specific individual. The SPS argued that the information relates to the individual in a personal sense, and is not just an impersonal reference to their position or employment role.

33. The Commissioner has considered the information withheld in documents 2, 3, 7 and 9. She is satisfied that a living individual could be identified from information contained in documents 2, 3 and 9, and that the information relates to the individual in a biographical sense and is their personal data.

34. However, the Commissioner does not accept that the information withheld in document 7 is personal data. The SPS has argued that, given the date of the email and the physical location referred to in the email, it would be possible to identify the specific individual to whom the data relate. This is not evident to the Commissioner and she has not been provided with any evidence or explanation which demonstrates how disclosure of this information would identify the individual. In the circumstances, the Commissioner has concluded that the information withheld in document 7 is not personal data as defined in section 1(1) of the DPA. As no other exemption has been applied to this information, she requires the SPS to disclose it to Mr A.

Is the withheld information sensitive personal data?

35. In its submissions, the SPs argued that all of the information being withheld under section 38(1)(b) of FOISA is the sensitive personal information of a specific individual The SPS submitted that the information falls under the definition of sensitive personal data in section 2(g) and (h) of the DPA.

36. The Commissioner has reviewed the withheld information and she is not satisfied that it is sensitive personal data. The withheld information does not relate to the commission of an offence, nor does it relate to proceedings dealing with the commission of an offence. In light of this, the Commissioner is satisfied that all of the information redacted from documents 2, 3 and 9 is non-sensitive personal data.

Would disclosure contravene the first data protection principle?

37. Non-sensitive personal data can only be disclosed if one of the conditions in Schedule 2 to the DPA to be met.

38. The SPS argued that disclosure would breach the first data protection principle. This states that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met. "Processing" here means disclosing the personal data into the public domain in response to Mr A's information request.

39. Guidance[1] issued by the Commissioner regarding section 38(1)(b) notes that, generally, only the first and sixth conditions in Schedule 2 of the DPA are likely to be relevant when considering a request for personal data under FOISA.

40. Condition 1 would allow personal data to be disclosed where the data subject has given consent to the processing. The SPS submitted that the data subject is unwilling to allow disclosure of their personal data. As the SPS does not have the data subject's consent to disclose their personal data, condition 1 cannot be met in this case.

41. Condition 6(1) allows personal data to be processed if that processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

42. The tests which must be met before condition 6(1) can apply are:

(i) Does Mr A have a legitimate interest in obtaining the personal data?

(ii) If so, is the disclosure necessary for the purposes of those interests? In other words, is disclosure proportionate as a means and fairly balanced as to ends, or could the interests be met by means which interfere less with the privacy of the data subject?

(iii) Even if disclosure is necessary for those purposes, would it nevertheless be unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subject? As noted by Lord Hope in the case of Common Services Agency v Scottish Information Commissioner [2008] UKHL 47[2], there is no presumption in favour of disclosure of personal data under the general obligation laid down in FOISA. The legitimate interests of Mr A must outweigh the rights and freedoms or legitimate interests of the data subject before condition 6 permits personal data to be disclosed.

Does Mr A have a legitimate interest in obtaining the personal data?

43. Mr A submitted that IT facilities were withdrawn at the request of local SPS management, and he indicated that he had a legitimate interest in understanding the reasons behind the suspension of IT facilities that he used. Mr A argued that he was directly affected by the withdrawal of prisoner IT facilities at HMP Edinburgh as he has been unable to participate in "open learning" classes using these facilities since August 2015, and consequently he has been prevented from completing a "Microsoft Academy" vocational training course.

44. In the circumstances, the Commissioner is satisfied that Mr A does have a legitimate interest in obtaining the personal data.

Is disclosure of the information necessary for the purposes of these legitimate interests?

45. The Commissioner must now consider whether disclosure of the personal data is necessary for the legitimate interests identified above. In doing so, she must consider whether these interests might reasonably be met by any alternative means.

46. The decision by the Supreme Court in the case of South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55[3] stated (at paragraph 27 of the judgment):

"… A measure which interferes with a right protected by Community law must be the least restrictive for the achievement of a legitimate aim. Indeed, in ordinary language we would understand that a measure would not be necessary if the legitimate aim could be achieved by something less."

47. Disclosure of the withheld information would allow additional understanding of the SPS's decision to suspend IT facilities at HMP Edinburgh and could be relevant to Mr A' own concerns. Mr A argued that disclosure is required to counter SPS/Scottish Ministers assertions about the availability of educational IT facilities and the circumstances of their withdrawal. The Commissioner has accepted that disclosure is necessary to meet his legitimate interests: Mr A could not acquire a full understanding of the circumstances surrounding the withdrawal of IT facilities other than through disclosure of the personal information.

Would disclosure be unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subjects?

48. The Commissioner must consider whether disclosure would be unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subjects. This involves a balancing exercise between the legitimate interests of Mr A and those of the data subject. Only if the legitimate interests of Mr A outweigh those of data subject can the information be disclosed without breaching the first data protection principle.

49. The SPS argued that unfounded allegations against an individual should not be disclosed and that, under the DPA, data subjects have the right not to have misleading information about them disclosed. The SPS noted that, as the allegation was not upheld, it would be inappropriate to disclose what are essentially "hearsay" allegations only held on internal emails.

50. Mr A summarised what he understood about the withheld information (his summary is not included in this decision notice). He argued that neither the data subject nor any prisoners involved in the incident has the right to expect the whole of the information concerned to be withheld from the public.

51. In her briefing on section 38[4] of FOISA, the Commissioner notes a number of factors which should be taken into account in carrying out this balancing exercise. These include:

(i) whether the information relates the individual's public life (i.e. their work as a public official or employee) or their private life (i.e. their home, family, social life or finances);

(ii) the potential harm or distress that may be caused to by the disclosure;

(iii) whether the individual has objected to the disclosure; and

(iv) the reasonable expectations of the individual as to whether the information would be disclosed.

52. The Commissioner is satisfied that disclosure of the information has the potential to cause considerable harm or distress to the data subject, who would have a reasonable expectation of privacy in relation to their personal data.

53. The Commissioner notes that the data subject has objected to the disclosure and she considers it reasonable that the data subject would expect such information be kept confidential, and not to be disclosed into the public domain in response to a request under FOISA.

54. Having considered the competing interests in this particular case, the Commissioner finds that Mr A's legitimate interests are outweighed by the prejudice to the rights and freedoms of the data subject that would result from disclosure. While disclosure would increase transparency surrounding the withdrawal of IT facilities at HMP Edinburgh, the SPS has already disclosed sufficient information for Mr A to understand why the IT facilities were suspended. Knowing the identity of the data subject does not reveal anything further about the decision-making processes of the SPS and it would constitute an unfair intrusion into the privacy of the data subject, particularly given that the allegations made against the data subject were investigated and were not upheld.) On balance, the Commissioner finds that the requirements of condition 6 cannot be met here.

55. Given this conclusion, the Commissioner finds that there is no condition in Schedule 2 of the DPA which would permit disclosure of the information. In the absence of a condition permitting disclosure, that disclosure would be unlawful. Consequently the Commissioner finds that disclosure of the information would breach the first data protection principle and that the information is therefore exempt from disclosure (and properly withheld) by the SPS under section 38(1)(b) of FOISA.

Out of scope information

56. Document 1 comprises minutes of a meeting with Fife College. The SPS disclosed parts of the minutes which discussed computing facilities at HMP Edinburgh, but it withheld the rest of the substantive information on the basis that it was outwith the scope of Mr A's information request.

57. The Commissioner has reviewed the content of document 1 and she is satisfied that the only information that was redacted by the SPS was information which did not fall within the scope of Mr A's information request.

Timescales

58. Section 10(1) of FOISA gives Scottish public authorities a maximum of 20 working days following the date of receipt of the request to comply with a request for information. This is subject to qualifications which are not relevant in this case.

59. The SPS responded to Mr A's request on 25 November 2015. In its response, the SPS apologised for the delay in responding. It stated that Mr A' information request was dated 20 October 2015 and was received on 21 October 2015.

60. In his request for review, Mr A noted that he had handed the information request to a residential officer on Monday 26 October 2015 and not 20 October 2015. Mr A argued that the date of receipt is the day on which it is received by the authority and not the date upon which it is received by the SPS' Business Support Unit. Mr A also submitted that the SPS should have responded to his request on 23 November 2015.

61. Mr A asked the Commissioner for a decision that considered whether the SPS correctly calculated the time to respond to the request and whether it also failed to rectify its error on review.

62. During the investigation, the SPS submitted that the request from Mr A was logged and received on 26 October 2015. The SPS acknowledged that its response to Mr A (on 25 November 2015) was a day late and noted that it had apologised for this delay in its response to his request. The SPS noted that its response had contained several typing errors whereby the request was recorded as having been dated 20 October 2015 and received on 21 October 2015, when in fact it was dated and received on 26 October 2015. The SPS maintained that the request was logged correctly and the timescales were also calculated correctly.

63. The Commissioner has reviewed the correspondence by both parties and she is satisfied that the SPS correctly logged and calculated the time for responding to Mr A's request. The Commissioner is satisfied that the SPS received Mr A's request on 26 October 2015 and that it was required to respond to that request by 24 November 2015 (23 November 2015 was a statutory bank holiday and so is excluded from timescale calculations). As the SPS did not respond to Mr A's request until 25 November 2015, it failed to respond to the request within the 20 working days specified by section 10(1) of FOISA.

64. The Commissioner notes that the SPS apologised for this delay in its response to Mr A. In the circumstances, the Commissioner does not require the SPS to take any further action in relation to its failure to comply with the statutory timescale for responding to Mr A's request.

Decision

The Commissioner finds that the SPS partially complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by Mr A.

In responding, the SPS failed to disclose information covered by the request which was later provided to Mr A, and therefore failed to comply with regulation 1(1) of FOISA.

The SPS also failed to comply with the time limit for response in regulation 10(1) of FOISA.

The Commissioner accepts that the SPS correctly withheld information in document 4 under section 35(1)(f) of FOISA and it correctly withheld information in documents 2, 3 and 9 under the section 38(1)(b) of FOISA. However, the SPS wrongly withheld information from document 5 under section 35(1)(f) of FOISA and it wrongly withheld information from document 7 under section 38(1)(b) of FOISA.

The Commissioner therefore requires the SPS to provide Mr A with the information wrongly withheld from documents 5 and 7 by 8 August 2016.

Appeal

Should either Mr A or the Scottish Prison Service wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Enforcement

If the SPS fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that has failed to comply. The Court has the right to inquire into the matter and may deal with SPS as if it had committed a contempt of court.

Margaret Keyse
Head of Enforcement

23 June 2016

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(b) in all the circumstances of the case, the public interest in disclosing the information is not outweighed by that in maintaining the exemption.

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

10 Time for compliance

(1) Subject to subsections (2) and (3), a Scottish public authority receiving a request which requires it to comply with section 1(1) must comply promptly; and in any event by not later than the twentieth working day after-

(a) in a case other than that mentioned in paragraph (b), the receipt by the authority of the request; or

35 Law enforcement

(1) Information is exempt information if its disclosure under this Act would, or would be likely to, prejudice substantially-

(f) the maintenance of security and good order in prisons or in other institutions where persons are lawfully detained;

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

2 Sensitive personal data

In this Act "sensitive personal data" means personal data consisting of information as to -

(g) the commission or alleged commission by [the data subject] of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by [the data subject], the disposal of such proceedings or the sentence of any court in such proceedings.

Schedule 1 - The data protection principles

Part I - The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

….

Schedule 2 - Conditions relevant for purposes of the first principle: processing of any personal data

1 The data subject has given his consent to the processing.

6 (1)The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.


PDF IconLink to PDF file of decision 130/2016 (221 kb)

Back to Top