The Scottish Information Commissioner - It's Public Knowledge
Share this Page
Tweet this page:
Text Size Icon

- Text Size Up | Down

Decision 182/2018: Mr K and Aberdeenshire Council

Claims relating to a road

Reference No: 201800621
Decision Date: 13 November 2018

Summary

The Council was asked for a wide range of information relating to a section of road at Foveran Church.

The Council disclosed some information, but withheld details of the number of successful and unsuccessful claims for a specific time period, on the basis that disclosure would be contrary to the Data Protection Act.

The Commissioner did not accept that the information was personal data and required the Council to disclose it.  

Relevant statutory provisions

The Environmental Information (Scotland) Regulations 2004 (the EIRs) regulations 2(1) (definition (a) and (c) of "environmental information") and (3); 5(1) and 2(b) (Duty to make available environmental information on request); 10(3) (Exceptions from duty to make environmental information available); 11(2), (3)(a)(i) and (3)(b) (Personal data)

Data Protection Act 1998 (the DPA 1998) sections 1(1) (Basic interpretative provision) (definition of "personal data")

Data Protection Act 2018 (the DPA 2018) Schedule 20 (Transitional provisions etc. - paragraph 61)

General Data Protection Regulation (the GDPR) Article 4 (Definitions) (definition of "personal data")

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendices form part of this decision.

Background

1. On 5 January 2018, Mr K made a request for information to Aberdeenshire Council (the Council). Mr K requested information relating to a particular section of road including: the number of complaints/claims made relating to this section of road, details of these claims (upheld or refused); investigation reports, details of risk assessments, traffic flow monitoring, safety inspections, details of carriageway defects, intervention criteria, services standards and costs. Mr K's requests are set out in full in Appendix 2.

2. The Council responded on 29 January 2018. The Council responded by providing some information and explanations, stating that other information was not held and, in response to elements of request two, stating that information could not be provided due to "data protection". In relation to request three, the Council confirmed that no claims were made between July and September 2017 and less than five were made between October and December.

3. On 31 January 2018, Mr K wrote to the Council, requesting a review of its decision on the basis that he was dissatisfied with the response to request three, clarifying that he sought the exact number of claims that were accepted. He also asked for the reasons why claims were accepted and others rejected, a new request for information.

4. The Council notified Mr K of the outcome of its review on 19 March 2018. The Council stated that, due to the low number of claims, all that could be stated was that for the period October to December, liability was accepted in one or more cases. The Council stated that this was due to "data protection reasons".

5. On 7 April 2018, Mr K wrote to the Commissioner. He applied to the Commissioner for a decision in terms of section 47(1) of the Freedom of Information (Scotland) Act 2002 (FOISA). By virtue of regulation 17 of the EIRs, Part 4 of FOISA applies to the enforcement of the EIRs as it applies to the enforcement of FOISA, subject to specified modifications. Mr K stated he was dissatisfied with the outcome of the Council's review because he believed the information he requested should not be withheld.

Investigation

6. The application was accepted as valid. The Commissioner confirmed that Mr K made requests for information to a Scottish public authority and asked the authority to review its response to parts of those requests before applying to him for a decision.

7. On 14 May 2018, the Council was notified in writing that Mr K had made a valid application. The Council was asked to send the Commissioner the information withheld from Mr K. The Council provided the information and the case was allocated to an investigating officer.

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Council was invited to comment on this application and answer specific questions, focusing on the application of data protection legislation to the withheld information.

Commissioner's analysis and findings

9. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both Mr K and the Council. He is satisfied that no matter of relevance has been overlooked.

FOISA or EIRs?

10. The Council responded to Mr K's request in terms of FOISA. During the investigation, the Council submitted that, should the Commissioner determine the information fell within the definition of environmental information, it would rely on regulation 11(2) of the EIRs to withhold the information.

11. Having considered the nature of the withheld information, the Commissioner is satisfied that it comprises environmental information as defined within regulation 2(1) of the EIRs. As the requested information concerns the condition of roads (including responsibility for their repair and maintenance), it relates to measures (the Council's policy in relation to handling compensation claims) and activities affecting or likely to affect the elements referred to in part (a) of the definition of environmental information, in particular land and landscape. As such, the Commissioner is satisfied that the information in question is environmental information as defined in part (c) of the definition.

12. As the Council failed to recognise and respond to the request as a request for environmental information, the Commissioner must find that in this regard it failed to respond in accordance with regulation 5(1) of the EIRs. In what follows, given the Council's application of regulation 11(2), the Commissioner will consider the withheld information solely in terms of the EIRs.

Regulation 11(2) of the EIRs (Personal information)

13. The Council withheld the exact number of successful/unsuccessful claims made against it on the basis that it was personal information.

Data Protection Act 2018 (Transitional provisions)

14. On 25 May 2018, the DPA 1998 was repealed by the DPA 2018. The DPA 2018 amended regulation 11(2) of the EIRs and also introduced a set of transitional provisions, which set out what should happen where a public authority dealt with an information request before the EIRs were amended on 25 May 2018 but where the matter is being considered by the Commissioner after that date.

15. In line with paragraph 56 of Schedule 20 of the DPA 2018 (see Appendix 1), if an information request was dealt with before 25 May 2018 (as is the case here - the review outcome was issued on 19 March 2018), the Commissioner must consider the law as it was before 25 May 2018 when determining whether the authority dealt with the request in accordance with the EIRs.

16. Paragraph 56 of Schedule 20 goes on to say that, if the Commissioner concludes that the request was not dealt with in accordance with the EIRs (as they stood before 25 May 2018), he cannot require the authority to take steps it would not be required to take in order to comply with the EIRs on or after 25 May 2018.

17. The Commissioner will therefore consider whether the Council was entitled to apply the exception in regulation 11(2) of the EIRs under the old law. If he finds that the Council was not entitled to withhold the information under the old law, he will only order the Council to disclose the information if disclosure would not now be contrary to the new law.

18. Regulation 10(3) of the EIRs provides that a Scottish public authority can only make personal data in environmental information available in accordance with regulation 11. Regulation 11(2) provides that personal data shall not be made available where the applicant is not the data subject and other specified conditions apply. These included where disclosure would contravene any of the data protection principles in Schedule 1 to the DPA 1998 (regulation 11(3)(a)(i)). The Council argued that the disclosure of the information would breach the first data protection principle.

Is the information under consideration personal data?

19. The relevant definition of "personal data" is contained in section 1(1) of the DPA 1998 and is set out below in Appendix 1.

20. The Council submitted that it considered confirmation of the number of claims would potentially lead to the identification of the claimants, due to the small number of claims and the likelihood of local discussion.

21. The Council was asked to provide further submissions on the issue of identifiability. The Council responded, stating that because of:

(i) the low number of claims (particularly if successful) and

(ii) the unique amounts paid out for each claim,

if anybody were to discuss the topic openly it could lead to identification of an individual.

22. The two main elements of personal data are that the information must "relate to" a living person, and that person must be identifiable. Information will "relate to" a person if it is about them, linked to them, has some biographical significance for them, is used to inform decisions affecting them, has them as its main focus or impacts them in any way.

23. An individual is "identified" or "identifiable" if it is possible to distinguish them from other individuals. There may be a slight hypothetical possibility that someone might be able to reconstruct the data in such a way that identifies the individual, but this is not necessarily sufficient to make the individual identifiable.

24. In the case of Breyer v Bundesrepublik Deutschland[1] the Court of Justice of the European Union looked at the question of identification. The Court took the view that the correct test to consider is whether there is realistic prospect of someone being identified. When making that determination, account can be taken of information in the hands of a third party. However, there must be a realistic causal chain - if the risk of identification is insignificant, the information will not be personal data.

25. The Commissioner has considered the Council's submissions. The Commissioner is not satisfied that he has been provided compelling arguments to come to the conclusion that disclosure would result in the identification of individuals. The Council argues that "local discussion" and the "amounts paid" could result in identification, but there is nothing from the Council's submissions to suggest that the claimants are within the same locality or indeed natural persons. Furthermore, Mr K's request did not seek any further details (e.g. amounts paid) than the number of claims made.

26. The Commissioner has not been provided with adequate submissions to conclude that individuals could be identified from the disclosure of the information in question. Taking account of the limited arguments presented by the Council, the Commissioner is of the view that the risk of identification is insignificant and consequently the information is not personal data.

27. The Commissioner cannot, therefore, conclude that the information withheld (the number of successful and unsuccessful claims made between October and December 2017) is personal data for the purposes of the DPA 1998.

28. As the Commissioner is not satisfied that this information is personal data, the Commissioner must find that the Council was not entitled to withhold the information under regulation 11(2) of the EIRs.

Transitional provisions

29. Given that the Commissioner has concluded that the Council was not entitled to withhold information on the basis of regulation 11(2) of the EIRs (as it stood before 25 May 2018), he must now go on to consider whether disclosure would breach the EIRs as they currently stand.

30. On this occasion, the first question the Commissioner must consider is whether the information is personal data for the purpose of Article 4 of the GDPR. The definition is set out in full in Appendix 1 and is the definition applicable from 25 May 2018 for the purposes of the EIRs.

31. The investigating officer contacted the Council to explain that the Commissioner was unlikely to find that the information it was withholding under regulation 11(2) of the EIRs was personal data. The Council was given an opportunity to comment on whether disclosure would be contrary to regulation 11(2) as amended.

32. The Council opted not to provide any further submissions.

33. The Commissioner has set out his reason for concluding that the information in question is not personal data for the purposes of the DPA 1998. The Council has not provided any additional arguments as to why the information is personal data for the purposes of the GDPR. The Commissioner has considered the GDPR definition and concluded, in the absence of any additional submissions from the Council, that the information in question is not personal data. Consequently, regulation 11(2) of the EIRs, as amended from 25 May 2018, could not apply.

34. The Commissioner requires the Council to disclose the information to Mr K.

Decision

The Commissioner finds that Aberdeenshire Council (the Council) failed to comply with the Environmental Information (Scotland) Regulations 2004 (the EIRs) (specifically regulation 5(1)) in responding to the information request made by Mr K. The Council failed to recognise this request as a request for environmental information and wrongly withheld information on the basis that it was personal information.

The Commissioner therefore requires the Council to provide Mr K with the information withheld by 28 December 2018.

Appeal

Should either Mr K or Aberdeenshire Council wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Enforcement

If Council fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that the Council has failed to comply. The Court has the right to inquire into the matter and may deal with the Council as if it had committed a contempt of court.

Margaret Keyse
Head of Enforcement

13 November 2018

Appendix 1: Relevant statutory provisions

The Environmental Information (Scotland) Regulations 2004

2 Interpretation

(1) In these Regulations -

"environmental information" has the same meaning as in Article 2(1) of the Directive, namely any information in written, visual, aural, electronic or any other material form on -

(a) the state of the elements of the environment, such as air and atmosphere, water, soil, land, landscape and natural sites including wetlands, coastal and marine areas, biological diversity and its components, including genetically modified organisms, and the interaction among these elements;

(c) measures (including administrative measures), such as policies, legislation, plans, programmes, environmental agreements, and activities affecting or likely to affect the elements and factors referred to in paragraphs (a) and (b) as well as measures or activities designed to protect those elements;

(3) The following expressions have the same meaning in these Regulations as they have in the Data Protection Act 1998, namely-

(a) "data", except that for the purposes of regulation 10(3) and 11, a public authority referred to in paragraph (e) of the definition of data in section 1(1) of that Act means a Scottish public authority within the meaning of these Regulations;

(b) "the data protection principles";

(c) "data subject"; and

(d) "personal data".

5 Duty to make available environmental information on request

(1) Subject to paragraph (2), a Scottish public authority that holds environmental information shall make it available when requested to do so by any applicant.

(2) The duty under paragraph (1)-

(b) is subject to regulations 6 to 12.

 

 

 

10 Exceptions from duty to make environmental information available

(3) Where the environmental information requested includes personal data, the authority shall not make those personal data available otherwise than in accordance with regulation 11.

 

11 Personal data

(2) To the extent that environmental information requested includes personal data of which the applicant is not the data subject and in relation to which either the first or second condition set out in paragraphs (3) and (4) is satisfied, a Scottish public authority shall not make the personal data available.

(3) The first condition is-

(a) in a case where the information falls within paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998[6] that making the information available otherwise than under these Regulations would contravene-

(i) any of the data protection principles; or

(b) in any other case, that making the information available otherwise than under these Regulations would contravene any of the data protection principles if the exemptions in section 33A(1) of the Data Protection Act 1998 (which relate to manual data held by public authorities) were disregarded.

 

 

Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

Data Protection Act 2018

Schedule 2 - Transitional provision etc

61 Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520)

(1) This paragraph applies where a request for information was made to a Scottish public authority under the Environmental Information (Scotland) Regulations 2004 ("the 2004 Regulations") before the relevant time.

(2) To the extent that the request is dealt with after the relevant time, the amendments of the 2004 Regulations in Schedule 19 to this Act have effect for the purposes of determining whether the authority deals with the request in accordance with those Regulations.

(3) To the extent that the request was dealt with before the relevant time -

(a) the amendments of the 2004 Regulations in Schedule 19 to this Act do not have effect for the purposes of determining whether the authority dealt with the request in accordance with those Regulations, but

(b) the powers of the Scottish Information Commissioner and the Court of Session, on an application or appeal under the 2002 Act (as applied by the 2004 Regulations), do not include power to require the authority to take steps which it would not be required to take in order to comply with those Regulations as amended by Schedule 19 to this Act.

(4) In this paragraph -

"Scottish public authority" has the same meaning as in the 2004 Regulations;

"the relevant time" means the time when the amendments of the 2004 Regulations in Schedule 19 to this Act come into force.

 

General Data Protection Regulation

4 Definitions

For the purposes of this Regulation:

(1) "personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Appendix 2: Mr K's request

1. The location code from the single track road between the turn-off from the A975 at Foveran Church to its junction with the 'old' A90 as shown on the embedded map. It is referred to as C11C Foveran Church in your letter of 7 December.

2. The number, type and dates of complaints and claims for damage and associated cost for vehicles and separately to and (include access roads to houses and farms) as submitted to Aberdeenshire Council on this single track in 2017, (a) for the 3 months, July-September before it was used as a signed diversion to enter and leave the 'old' A90 road near Foveran village and (b) in the period October- December when it was signed as a diversion to and from the 'old' A90 near Foveran village.

3. Based on the above, the number of claims for damages that have been upheld or refused on this section of single track road for the period July-September 2017 prior to the closure of the 'old' A90 into and out of Foveran village and surrounding areas and the equivalent figures for the period October- December when it was used as the signed diversion and principal entry and exit to and from Foveran village.

4. The investigation report in to the circumstances surrounding our incident and damage incurred with the pothole on 23 October 2017.

5. Details of risk assessments undertaken by the Council and/or AWPR/Aberdeen Roads prior to and during the implementation of the signed diversion onto the single track road from the A975 and 'old' A90 beside Foveran village.

6. Details of traffic flow monitoring, including the number and type of motor vehicles travelling on the road at different times of the day before any after it was signed as a diversion for traffic to and from the 'old' A90 near Foveran village and at the junction of the A975 at Foveran church.

7. Dates of all safety inspections and investigations undertaken on the carriageway in the 2 years prior to and in the months following our incident on 23 October 2017.

8. Details of all carriageway defects identified during safety inspections in the 2 years preceding our incident on 23 October 2018 (sic) and in the months following up to its closure for major repair in December 2017.

9. Details of how carriageway safety inspections are undertaken, including whether walked or driven, the speed of the inspection vehicle and the number of persons in the vehicle.

10. The defect intervention criteria adopted in relation to the identification of all categories of carriageway potholes.

11. The time period(s) adopted between identification and repair (temporary and permanent) of all categories of carriageway defects on this road in the period January- September 2017 and October-December 2017.

12. Details on the Council's service standards of completing repairs after these have been identified and whether these have been met on this section of road for the time period identified in 11.

13. Information on the estimated cost of the major repair to the single track road to be undertaken following its temporary closure in December 2017.

14. Information on allocation of costs for this major repair, including contributions from Aberdeenshire Council, the AWPR, Aberdeen Roads and Transport Scotland.


PDF IconLink to PDF file of decision 182/2018 (193 kb)

Back to Top