The Scottish Information Commissioner - It's Public Knowledge
Tweet this page:
Text Size Icon

- Text Size Up | Down

Decision 056/2018: Mr N and Scottish Criminal Cases Review Commission

Written Paper and Risk Registers

Reference No: 201701008  
Decision Date: 23 April 2018

Summary

The SCCRC was asked for a copy of a paper ("Applicants with Learning Difficulties") and for risk registers dating back to 2014. The SCCRC refused to disclose any of the information.

During the investigation, the SCCRC disclosed a redacted version of the paper, but continued to refuse to disclose the risk registers because it considered disclosure would prejudice the effective conduct of public affairs.

Following an investigation, the Commissioner found that the SCCRC should have disclosed a redacted paper. He also found that parts of the risk registers were not exempt from disclosure and should also have been disclosed.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(b) (Effect of exemptions); 30(b) and (c) (Prejudice to the effective conduct of public affairs)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 2 March 2017, Mr N made two requests for information to the Scottish Criminal Cases Review Commission (the SCCRC). The information Mr N asked for (amongst other requests, which are not the subject of this decision) was:

(i) a copy of a paper on "Applicants with Learning Difficulties"

(ii) the SCCRC's corporate risk registers from 1 May 2014

2. The SCCRC responded on 30 March 2017. It relied on section 30 of FOISA (Prejudice to effective conduct of public affairs) to withhold the information.

3. On 20 April 2017, Mr N wrote to the SCCRC requesting a review of its decision. He argued that the paper "Applicants with Learning Difficulties" was an internal document and any deliberation had presumably been completed. He noted that some of the information in the risk registers had been published in the Annual Accounts and argued that disclosure would not prevent the effective conduct of public affairs.

4. The SCCRC notified Mr N of the outcome of its review on 23 May 2017. It upheld its previous decision without amendment.

5. On 1 June 2017, Mr N applied to the Commissioner for a decision in terms of section 47(1) of FOISA. He referred to the reasons for dissatisfaction within his request for review and to the Commissioner's guidance on the exemptions under which information had been withheld.

Investigation

6. The application was accepted as valid. The Commissioner confirmed that Mr N made requests for information to a Scottish public authority and asked the authority to review its responses to those requests before applying to him for a decision.

7. On 21 June 2017, the SCCRC was notified in writing that Mr N had made a valid application. The SCCRC was asked to send the Commissioner the information withheld from Mr N. The SCCRC provided the information and the case was allocated to an investigating officer.

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The SCCRC was invited to comment on this application and answer specific questions. These questions focused on its reasons for relying on the exemptions in section 30.

9. The SCCRC responded on 4 August 2017, providing submissions to support its decision to withhold the risk registers under section 30(c). At the same time, the SCCRC disclosed a redacted version of the "Applicants with Learning Difficulties" paper to Mr N, withholding some personal data under section 38(1)(b) (Personal information) of FOISA.

10. On 25 September 2017, the SCCRC was asked for submissions on its decision to withhold personal data from the "Applicants with Learning Difficulties" paper. The SCCRC provided submissions.

11. On 21 November 2017, the SCCRC was invited to explain in more detail why it considered information about each of the risks identified in the risk registers was exempt from disclosure. The SCCRC responded on 6 December 2017.

Commissioner's analysis and findings

12. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both Mr N and the SCCRC. He is satisfied that no matter of relevance has been overlooked.

Applicants with Learning Disabilities Paper

13. In its review response, the SCCRC withheld this paper under section 30(b) of FOISA, arguing that deliberations on this "ongoing area for discussion and consideration" were not complete, as Mr N had assumed. Section 30(b) of FOISA is set out in full in Appendix 1. The SCCRC withdrew its reliance on section 30(b) during the investigation and disclosed the paper to Mr N after redacting some personal data. The SCCRC accepted that it had been incorrect to withhold the paper under section 30(b) when it had responded to Mr N's request for review. In the circumstances, the Commissioner has concluded that the exemption was wrongly applied.

14. The SCCRC withheld some personal data from the version of the paper it disclosed to Mr N, under section 38(1)(b) of FOISA.

15. Mr N was unhappy that the author's name had been withheld from the redacted paper. He commented that this name had been published in the accompanying minutes. However, he was content for other third party personal data to be withheld. Consequently, the Commissioner has not considered further the decision to withhold these names.

16. The SCCRC was asked why it had withheld the name of the report author, given that the name had appeared in published minutes. The SCCRC stated that it was unaware that the name had been published but, given that this had happened, it no longer considered that the name was exempt from disclosure under section 38(1)(b) of FOISA.

17. As the name of the author of the report is publicly available, the Commissioner does not require the SCCRC to provide this information to Mr N.

Risk registers

18. The SCCRC withheld seven risk registers under section 30(c) of FOISA. During the investigation, it confirmed that the "principal risks" considered in the registers are identified in the SCCRC's recent Annual Reports. The SCCRC informed Mr N of this on 15 September 2017.

19. Section 30(c) of FOISA exempts information if its disclosure "would otherwise prejudice substantially, or be likely to prejudice substantially, the effective conduct of public affairs". The use of the word "otherwise" distinguishes the harm required from that envisaged by the exemptions in sections 30(a) and (b). This is a broad exemption and the Commissioner expects any public authority citing it to show what specific harm would (or would be likely to) be caused to the conduct of public affairs by disclosure of the information, and how that harm would be expected to follow from disclosure.

20. Section 30(c) applies where the harm caused, or likely to be caused, by disclosure is at the level of substantial prejudice. "Substantial prejudice" is not defined in FOISA, but the Commissioner considers the harm in question must be of real and demonstrable significance. The authority must be able to satisfy the Commissioner that the harm would, or would be likely to, occur and therefore needs to establish a real risk or likelihood of actual harm occurring as a consequence of disclosure at some point in the near (certainly foreseeable) future, not simply that the harm is a remote possibility. Each request should be considered on a case-by-case basis, taking into consideration the content of the information and all other relevant circumstances (which may include the timing of the request).

21. This exemption is subject to the public interest test in section 2(1)(b) of FOISA.

The SCCRC's submissions

22. The SCCRC stated that its risk registers contain details of identified risks and mitigating actions, to help it manage risk. It commented that the information in the risk registers is more detailed than the "headline risks" identified and disclosed in its Annual Accounts. The registers show the SCCRC's evaluation of identified risks, including the likelihood of the risks materialising and the impact that would have on the Commission. The SCCRC submitted that the risk registers contain sensitive information.

23. The SCCRC explained in detail why it considered that information about three of the identified risks would result in harm, if disclosed. The Commissioner cannot discuss the reasons given by the SCCRC, as to do so would reveal withheld information.

24. As the SCCRC's submissions focussed on only three of the identified risks, the Commissioner asked it to explain why the risk registers should be withheld in their entirety.

25. The SCCRC reiterated that the risk registers disclose the rating of the principal risks it faced, both in terms of likelihood and the impact on the SCCRC's effective operation. In addition, the risk registers contain details of the existing internal controls which the SCCRC employs to minimise those risks and further control actions. Disclosure would publicise which risks are the biggest risks to the SCCRC's effective operation, and how the SCCRC tries to control those risks. Disclosure would be likely to weaken the SCCRC's control of, or protection against, the risks to its effective operation.

26. The SCCRC provided the Commissioner with an example of the way in which information from the risk register could harm its effective operation.

27. The SCCRC considered the possibility that a redacted version of the risk registers could be disclosed. However, it considered that disclosure of a redacted version would give a partial and skewed picture of the SCCRC's risk management strategies.

28. Mr N has asked for risk registers dating back to 2014. The SCCRC submitted that risk registers which pre-date the current version contain the same or similar information, so disclosure of older risk registers would raise the same issues concerning the SCCRC's risk management strategies.

29. The SCCRC submitted that it had applied a "content-based" approach when applying the exemption in section 30(c) of FOISA, as advocated in previous decisions by the Commissioner and as endorsed by the Court of Session[1]. However, it declined the invitation to provide detailed submissions explaining why the information in each part of the risk registers would, if disclosed, be capable of causing substantial prejudice to the effective operation of the SCCRC.

Mr N's submissions

30. Mr N stated that the information in the risk registers is published in part in the SCCRC's Annual Accounts under the heading "Principal Risks". He did not accept that the exemption in section 30(c) of FOISA had been correctly applied.

31. He also argued that the SCCRC had not taken account of the Scottish Ministers' guidance on the types of information that Scottish public authorities should publish proactively. Mr N referred to the 2010 version of the Scottish Ministers' Code of Practice on the discharge of functions by Scottish Public Authorities under FOISA and the EIRs (the Section 60 Code): this version is now superseded. The current version of the Section 60 Code[2] contains similar guidance in paragraph 3.2.1. It says:

"Authorities are free to publish as much information, of whatever type, they wish to publish. As a minimum, to meet the requirements of section 23 of FOISA, this should include information about:

· their functions, how they operate (including their decision-making processes), and their performance; and

· their finances, including funding allocation, procurement and the awarding of contracts."

The Commissioner's findings

32. The Commissioner recognises that risk registers are important and valuable tools that enable an organisation to identify potential risks and to evaluate its approach to those risks, highlighting areas where further action may be required to mitigate identified risks.

33. It is clear that such analysis contributes significantly to the effective conduct of public affairs, by making public authorities better able to avoid situations which would disrupt or harm their operations. The Commissioner acknowledges that, for risk registers to be effective, they must be based on an honest assessment of the challenges faced by an organisation and how they can be overcome. It is the Commissioner's view that any disclosure which had the effect of undermining the effective operation of the SCCRC (including the consideration of risks) would also be likely to prejudice substantially the effective conduct of public affairs for the purposes of section 30(c).

34. In relation to Mr N's suggestion that the Section 60 Code (see paragraph 31 ) places an obligation on Scottish public authorities to publish their risk registers, compliance with section 23 of FOISA is not a matter which the Commissioner has the power to consider when determining an application for decision made under section 47 of FOISA.

35. The Commissioner notes that each of the SCCRC's risk registers are set out in a standardised format, with a summary, overview and analysis of each risk, including its likelihood of occurring, and any mitigating measures.

36. As noted above, the SCCRC provided detailed submissions relating to three of the risks in its risk registers, and the harm that would, or would be likely to follow from disclosure. The Commissioner accepts that disclosure of the information relating to these three risks would, or would be likely to, cause substantial prejudice to the effective conduct of public affairs, for the reasons identified and explained in the SCCRC's submissions. He therefore accepts that this information was correctly withheld under section 30(c) of FOISA. (The Commissioner is unable to discuss his reasons for accepting the SCCRC's submissions without revealing withheld information.)

37. The SCCRC was invited to provide similar detailed submissions with respect to the other risks identified in the risk registers. It chose not to do so, instead referring to its previous submissions. It argued that, if the Commissioner accepted that information relating to three of the risks should be withheld, disclosure of the remaining information would give a partial and skewed picture of its risk management strategies.

38. As the SCCRC has not provided detailed reasons for withholding information about the other identified risks under the exemption in 30(c), the Commissioner has had to make his own assessment of the likely effects of releasing the risk registers, based on the content and nature of the registers and the general submissions provided by the SCCRC.

39. The Commissioner has considered each of the remaining withheld parts of the risk registers in detail. He accepts that disclosing the information would make it clear which risks are the biggest risks to the effective operation of the SCCRC and would show how the SCCRC tries to control those risks. He has considered carefully whether disclosure of this information would, or would be likely to cause substantial prejudice to the SCCRC's ability to perform its functions, looking at each part of the risk register in turn.

40. The Commissioner has concluded that information which simply describes the SCCRC's standard organisational practices and its general approach to risk is not exempt from disclosure under section 30(c) of FOISA. Such information does not provide any insight into the SCCRC's assessment and evaluation of risks, controls or mitigation measures, and the Commissioner does not accept that disclosure would harm the SCCRC's ability to assess and manage risk. He does not accept that disclosure of this information would give a skewed picture of the SCCRC's risk management strategy: while the information would be limited in detail, he cannot accept that it would give a misleading view of the risk-management approach taken by the SCCRC.

41. The Commissioner has found that some information about certain of the risks identified in the register will not cause, or be likely to cause, substantial harm to the SCCRC, if disclosed. The information is of a factual nature, and the SCCRC has not shown why disclosure would, or would be likely to, prejudice substantially the effective conduct of public affairs (i.e. why it would be capable of disrupting the effective operation of the SCCRC). For this reason, the Commissioner does not accept that this information falls within the exemption in section 30(c) of FOISA.

42. The Commissioner will provide the SCCRC with a marked up version of the risk registers, showing the information to which the exemption in section 30(c) of FOISA was wrongly applied and which should now be disclosed.

43. The Commissioner is satisfied that disclosure of the remaining information withheld under section 30(c) of FOISA would cause or be likely to cause substantial harm to the SCCRC if disclosed and therefore would, or would be likely to, prejudice substantially the effective conduct of public affairs.

Public Interest test - section 30(c)

44. The exemption in section 30(c) is subject to the public interest test in section 2(1)(b) of FOISA. The Commissioner must therefore go on to consider whether, in all the circumstances of the case, the public interest in disclosing the information is outweighed by that in maintaining the exemption.

The SCCRC's submissions

45. In its submissions, the SCCRC referred to the Commissioner's briefing on the public interest[3] and the factors that should be taken into account, when reaching a decision on whether the public interest favours disclosure or not. The SCCRC submitted that the following factors were relevant:

· the general public interest that information is accessible - i.e., whether disclosure would enhance scrutiny of decision-making processes and thereby improve accountability and participation;

· whether disclosure would contribute to the administration of justice etc.;

· whether disclosure would contribute to ensuring effective oversight of expenditure of public funds and that the public obtain general value for money; and

· whether disclosure would contribute to ensuring that any public authority with regulatory responsibilities is adequately discharging its functions.

46. The SCCRC considered that disclosure would contribute, to some extent, to ensuring that it was adequately discharging its statutory functions.

47. However, the SCCRC argued that disclosure of the withheld information would have a deleterious effect on its ability to discharge its primary function of deciding whether there may have been a miscarriage of justice in the cases it reviews, and this "could be viewed only as being contrary to contributing to the administration of justice".

48. The SCCRC did not consider that disclosure of the withheld information would be in the public interest in terms of enhancing scrutiny of decision-making processes or contribute to ensuring effective oversight of public spending.

49. Therefore, after carrying out the balancing exercise to determine where the public interest lies in this case, and noting that there is a clearly a strong public interest in protecting the effective conduct of public affairs, the SCCRC was of the view that the balance of public interest was in favour of withholding the information in question.

The Commissioner's conclusion

50. The Commissioner acknowledges the general public interest in transparency and accountability, particularly where this might contribute to understanding the risks faced by Scottish public authorities and in being assured that the authorities have identified ways of mitigating such risks.

51. The Commissioner acknowledges that the withheld information might cast some light on these matters, and to that extent, disclosure would be in the public interest. However, he considers that disclosure of the information that was wrongly withheld will go some way towards satisfying that public interest.

52. The Commissioner has already accepted that disclosure would or would be likely to cause substantial prejudice to the effective conduct of public affairs in this case. The SCCRC's main function is deciding whether there has been a miscarriage of justice. It is in the public interest to ensure that this process is not hindered by disclosing information which could be used to disrupt or otherwise harm the work done by the SCCRC. Disclosure of the remaining information in the risk registers would, in the Commissioner's view, make such disruption more likely.

53. Taking all of the submissions into consideration, on balance, the Commissioner accepts that greater weight should be attached to the arguments which would favour withholding the information in the public interest. Having reached this conclusion, the Commissioner finds that the public interest in disclosing the remaining information is outweighed by that in maintaining the exemption in section 30(c) of FOISA. Therefore, the SCCRC was entitled to withhold some information in the risk registers under that exemption.

 Decision

The Commissioner finds that the Scottish Criminal Cases Review Commission (the SCCRC) partially complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by Mr N.

The Commissioner finds that the SCCRC was entitled to withhold some of the information in the risk registers under section 30(c) of FOISA.

However, the SCCRC:

i. incorrectly withheld information under section 30(b) of FOISA (information disclosed during the investigation);

ii. wrongly relied upon section 30(c) of FOISA to withhold some information.

The Commissioner requires the SCCRC to provide Mr N with the information in the risk registers which was wrongly withheld, 7 June 2018.

To aid compliance with his decision, the Commissioner will provide the SCCRC with redacted copies of the risk registers.

Appeal

Should either Mr N or the SCCRC wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Enforcement

If the SCCRC fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that the SCCRC has failed to comply. The Court has the right to inquire into the matter and may deal with the SCCRC as if it had committed a contempt of court.

Daren Fitzhenry
Scottish Information Commissioner

23 April 2018

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(b) in all the circumstances of the case, the public interest in disclosing the information is not outweighed by that in maintaining the exemption.

30 Prejudice to effective conduct of public affairs

Information is exempt information if its disclosure under this Act-

b) would, or would be likely to, inhibit substantially-

(i) the free and frank provision of advice; or

(ii) the free and frank exchange of views for the purposes of deliberation; or

(c) would otherwise prejudice substantially, or be likely to prejudice substantially, the effective conduct of public affairs.


[1] http://www.scotcourts.gov.uk/search-judgments/judgment?id=a94886a6-8980-69d2-b500-ff0000d74aa7

[2] https://beta.gov.scot/publications/foi-eir-section-60-code-of-practice/FOI%20-%20section%2060%20code%20of%20practice.pdf?inline=true

PDF IconLink to PDF file of decision 056/2018 (196 kb)

Back to Top