The Scottish Information Commissioner - It's Public Knowledge
Tweet this page:
Text Size Icon

- Text Size Up | Down

Correspondence sent to four named individuals

Applicant: The Applicant

Public authority: Scottish Borders Council

Case Ref: 201901168

Summary

The Council was asked for correspondence regarding four named individuals. The Council refused to confirm or deny whether it held the information. The Commissioner investigated and found that Council was entitled to refuse to confirm or deny whether it held the information.

 Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 18(1) (Further provision as respects responses to request); 38(1)(b), (2A), (5) (definitions of "the data protection principles", "data subject", "the GDPR", "personal data" and "processing") and (5A) (Personal information)

General Data Protection Regulation (the GDPR) articles 5(1)(a) (Principles relating to processing of personal data); 6(1)(f) (Lawfulness of processing)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5) and (10) (Terms relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 24 June 2019, the Applicant made a request for information to Scottish Borders Council (the Council). He asked for copies of all Council and SB Cares correspondence, both email and letters, regarding:

(i) the employment status and availability of four named SB Cares staff, over the last six months and

(ii) the behaviour of the four named SB Cares staff, over the last six months.

2. The Council responded on 28 June 2019. It notified the Applicant that it was unable to confirm or deny whether it held any information falling within the scope of his request. The Council cited section 18(1) of FOISA and said that, if it held the information, the exemption in section 38(1)(b) of FOISA (third party personal data) would apply.

3. On the same date, the Applicant wrote to the Council requesting a review of its decision. He argued it was unfair to neither confirm nor deny that emails have been sent to staff regarding the behaviour and availability of these staff members, because it has already been reported in the press.

4. The Council notified the Applicant of the outcome of their review on 9 July 2019. It confirmed its previous decision.

5. On the same date, the Applicant wrote to the Commissioner. The Applicant applied to the Commissioner for a decision in terms of section 47(1) of FOISA. The Applicant stated he was dissatisfied with the outcome of the Council's review because the information has already been reported in the press and the public interest outweighs concerns of confidentiality.

Investigation

6. The application was accepted as valid. The Commissioner confirmed that the Applicant made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

7. On 6 August 2019, the Council was notified in writing that the Applicant had made a valid application.

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Council was invited to comment on this application and to answer specific questions. These related to its reasons for neither confirming nor denying whether it held the information.

Commissioner's analysis and findings

9. In coming to a decision on this matter, the Commissioner considered all of the relevant submissions, or parts of submissions, made to him by both the Applicant and the Council. He is satisfied that no matter of relevance has been overlooked.

10. During the investigation, the Council confirmed that it still wished to rely on section 18 of FOISA, read in conjunction with section 38(1)(b), as outlined in its correspondence to the Applicant.

Section 18(1) - "neither confirm nor deny"

11. Section 18(1) of FOISA allows public authorities to refuse to confirm or deny whether they hold information in the following limited circumstances:

· a request has been made to the authority for information which may or may not be held by it; and

· if the information existed and was held by the authority (and it need not be), it could give a refusal notice under section 16(1) of FOISA, on the basis that the information was exempt information by virtue of any of the exemptions in sections 28 to 35, 38, 39(1) or 41 of FOISA; and

· the authority considers that to reveal whether the information exists or is held by it would be contrary to the public interest.

12. Where a public authority has chosen to rely on section 18(1), the Commissioner must establish whether the authority is justified in stating that to reveal whether the information exists or is held would be contrary to the public interest. He must also establish whether, if the information existed and was held by the public authority, the authority would be justified in refusing to disclose the information by virtue of any of the exemptions listed in section 18(1) and cited by the authority.

13. Where section 18(1) is under consideration, the Commissioner must ensure that his decision notice does not confirm one way or the other whether the information requested actually exists or is held by the authority. This means that he is unable to comment in any detail on the Council's reliance on any of the exemptions referred to, or on other matters which could have the effect of indicating whether the information existed or was held by the Council.

14. Also, this decision notice summarises the arguments put forward by the Applicant. He believes the Council holds information falling within the scope of his request, and his submissions reflect that position. It should not be taken from his submissions that he is necessarily correct in that view.

15. In his application, the Applicant submitted that the names of the four individuals he named in his request had "…already been named in the local press" and argued that the public interest in allegations of bullying in a care setting outweigh the confidentially that the Council wishes to protect. The Applicant subsequently provided the Commissioner with a copy of a news article published two days after he made his request for information which names one of the four individuals, and which also states that four staff have been suspended while an investigation into allegations is carried out.

16. The Commissioner acknowledges that the name of one of the four individuals was publicly linked with workplace allegations two days after the Applicant made his information request. However, he notes that the Council, at that time, had not issued any public statement regarding the identity of the four individuals, and that essentially all the article demonstrates is speculation in the media. Furthermore, as the newspaper article was published two days after the information request was made, it was not in the public domain at the time of the request.

Section 38(1)(b) - Personal information

17. Section 38(1)(b), read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is "personal data", as defined in section 3(2) of the DPA 2018 and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the GDPR.

18. The Council submitted that, given the wording of the Applicant's information request, any documents falling within the scope of that request consists of material which would, if it existed and was held, be the personal data of the individuals involved.

Would the information be personal data?

19. "Personal data" is defined in section 3(2) of the DPA 2018 as "any information relating to an identified or identifiable living individual". Section 3(3) of the DPA 2018 defines "identifiable living individual" as "a living individual who can be identified, directly or indirectly, in particular by reference to -

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual."

20. Information will "relate to" a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them, or has them as its main focus.

21. The Applicant named the four individuals in his request and sought all Council and SB Cares correspondence relating to their behaviour or employment status and availability in the preceding six months.

22. Each part of the request is framed by reference to a named living individual. Given that, and the subject matter of the request (their behaviour or employment status, etc.), if it were held and if it existed, any information captured by this request would clearly relate to that named individual. The Commissioner therefore accepts that, if it existed and were held, the information would be personal data as defined in section 3(2) of the DPA 2018.

Would disclosure convene one of the data protection principles?

23. The Council argued that disclosing the personal data, if it existed and were held, would breach the first data protection principle. This requires personal data to be processed "lawfully, fairly and in a transparent manner in relation to the data subject" (Article 5(1)(a) of the GDPR).

24. The definition of "processing" is wide and includes (section 3(4)(d) of the DPA 2018), "disclosure by transmission, dissemination or otherwise making available". In the case of FOISA, personal data are processed when disclosed in response to a request. This means that the personal data could only be disclosed if disclosure would be both lawful (i.e. if it would meet one of the conditions of lawful processing listed in Article 6(1) of the GDPR) and fair.

Lawful processing: Articles 6(1)(f) of the GDPR

25. In considering lawfulness, the Commissioner must consider whether any of the conditions in Article 6(1) of the GDPR would allow the personal data to be disclosed.

26. The Council has argued that the only possible viable basis for lawfully processing the information under Article 6, would be condition (f).

27. In the Commissioner's view, if the personal data existed and were held, the only condition in Article 6(1) which could potentially apply is condition (f). This states that processing shall be lawful if it is "necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."

28. Although Article 6(1) states that this condition cannot apply to processing carried out by a public authority in the performance of its tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.

29. The tests which must be met before Article 6(1)(f) can be met are as follows:

(i) Would the Applicant have a legitimate interest in obtaining the personal data, if held?

(ii) If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?

(iii) Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental right and freedoms of the data subjects?

Would the Applicant have a legitimate interest in obtaining the personal data, if held?

30. The Council has acknowledged that the Applicant does have a legitimate interest in disclosure of the information (if it existed and was held), as would relate to allegations of bullying in a care setting which is a matter of public concern.

31. In the circumstances, the Commissioner is satisfied that these are matters of legitimate interest, both to the Applicant and to the wider public and is satisfied that the Applicant does have a legitimate interest in obtaining the personal data.

Would disclosure be necessary?

32. The next question is whether disclosure of the personal data (if held) would be necessary to achieve that legitimate interest. "Necessary" means "reasonably" rather than "absolutely" or "strictly" necessary. When considering whether disclosure would be necessary, public authorities should consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the Applicant's legitimate interests can reasonably be met by means which interfere less with the privacy of the data subject.

33. The Commissioner has considered the scope of the Applicant's request and he accepts that disclosure of the personal data, if in existence and held, would be necessary to achieve the Applicant's legitimate interest.

34. The Applicant wishes to obtain correspondence that relates to four named individuals and which, if held, would reveal the circumstances surrounding their suspension from SB Cares. The only way for the Applicant to do so is to view the information he has requested (assuming it exists and is held). Only then would he be able to scrutinise and assess any actions of the Council. The Commissioner notes that no procedure has been brought to his attention by the Applicant or the Council that might offer another way for the Applicant to effect such scrutiny. The Commissioner therefore accepts that disclosure of any information held would be necessary for the Applicant's legitimate interests.

Balancing legitimate interests and the data subject's interests or fundamental rights and freedoms

35. The Commissioner has concluded that the disclosure of the information (if existing and held) would be necessary to achieve the Applicant's legitimate interests. However, this must be balanced against the fundamental rights and freedoms of the data subjects (the individuals named by the Applicant as being subject to allegations). Only if the legitimate interests of the Applicant outweighed those of the data subjects could personal data be disclosed without breaching the first data protection principle.

36. The Commissioner has considered the submissions from both parties carefully, in the light of the decision by the Supreme Court in South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 555[1]. He is unable to set out, in detail, the arguments put forward by the Council.

37. Recital (47) of the GDPR notes that, in carrying out the balancing exercise, much will depend on the reasonable expectations of the data subjects. The Commissioner's guidance[2] on section 38 of FOISA notes factors that should be taken into account in balancing the interests of parties. These factors include:

(i) whether the information relates to the individual's public life (i.e. their work as a public official or employee) or their private life (i.e. their home, family, social life or finances)

(ii) the potential harm or distress that may be caused by the disclosure

(iii) whether the individual objected to the disclosure

38. The Commissioner agrees with the Council that the information (if it existed and were held) would be information a person would generally expect to be kept confidential.

39. The Commissioner has also considered the potential harm or distress that could be caused by disclosure of the information (if it existed and were held). Disclosure under FOISA is a public disclosure. He has taken into account that, in this case, disclosure of the information, if it existed and were held, would publicly link the data subjects to work place allegations. At the most general level, disclosing or alleging that some work place impropriety has taken place is likely to cause some reputational damage to the four named individuals, and to have an impact on public perceptions of them.

40. Any information held would relate to an employment disciplinary issue and the named individuals would have no expectation that such information would ever be made public, particularly as, at the time of the request, the investigations into the allegations were still ongoing and no fault had been established.

41. After carefully balancing the legitimate interests of the Applicant against the interests or fundamental rights or freedoms of the data subjects, the Commissioner finds that the legitimate interests served by disclosure of any information held would be outweighed by the unwarranted prejudice that would result to the rights and freedoms or legitimate interests of the individuals in question in this case.

42. In the circumstances of this particular case, the Commissioner concludes that condition (f) in Article 6(1) of the GDPR could not be met in relation to the withheld personal data.

Fairness

43. Given that the Commissioner has concluded that the processing of the personal data, if existing and held, would be unlawful, he is not required to go on to consider separately whether disclosure of such personal data would otherwise be fair and transparent in relation to the data subject.

Conclusion on the data protection principles

44. For the reasons set out above, the Commissioner is satisfied that disclosure of any personal data, if held, would breach the data protection principle in Article 5(1)(a) of the GDPR. Consequently, he is satisfied that such personal data would be exempt from disclosure under section 38(1)(b) of FOISA and that the Council could give a refusal notice under section 16(1) of FOISA, on the basis that the information would be exempt information by virtue of section 38(1)(b) of FOISA.

Section 18(1) - The public interest

45. The Commissioner must now consider whether the Council was entitled to conclude that it would be contrary to the public interest to reveal whether the information exists or is held.

46. The Council submitted that it was contrary to the public interest to reveal whether the information existed or was held as there was a public interest in ensuring that it protected confidential processes and complied with data protection legislation. It provided more detailed submissions on aspects of the case, which cannot be repeated here without tending to indicate whether information exists or is held.

47. The Applicant argued that the public have a right to know how their money is managed and that the public have a right to know the details of any mismanagement in order to make an informed decision about their care or the care of a loved one. The Applicant noted that SB Cares is a major employer in the Scottish Borders, and prospective employees have a right to know what sort of organisation is trying to hire them, especially when there are allegations of bulling and harassment.

48. The Commissioner has given serious consideration to the arguments made by the Applicant, but he would note that, while prospective employees may wish to know the details of any allegation of workplace bullying, they would also want reassurance that their personal data would be properly protected in the light of any allegation they themselves may receive in the workplace.

49. The test the Commissioner must consider is whether (having already concluded that the information, if it existed and were held, would be exempt from disclosure) it would be contrary to the public interest to reveal whether the information existed or was held.

50. Disclosure under FOISA is not simply disclosure to the person requesting the information, but rather is a public disclosure. In this case, the Commissioner is satisfied that disclosing the information, if it were held and existed, would breach the first data protection principle.

51. While the Commissioner has a deal of sympathy with the public interest arguments put forward by the Applicant, he is aware that the action of confirming or denying whether the information exists or is held would have the effect of confirming whether the allegations made are accurate. This would, of itself, lead to the Council breaching its duties as data controller under data protection legislation. In the circumstances, the Commissioner must find that it would be contrary to the public interest for the Council to reveal whether it held the requested information, or whether the information existed.

52. Consequently, the Commissioner is satisfied that the Council was entitled to refuse to confirm or deny, whether the information requested by the Applicant existed or was held, in accordance with section 18(1) of FOISA.

 Decision

The Commissioner finds that Scottish Borders Council (the Council) complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by the Applicant.

 Appeal

Should either the Applicant or the Council wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement

11 March 2020

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption - ..

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

18 Further provision as respects responses to request

(1) Where, if information existed and was held by a Scottish public authority, the authority could give a refusal notice under section 16(1) on the basis that the information was exempt information by virtue of any of sections 28 to 35, 38, 39(1) or 41 but the authority considers that to reveal whether the information exists or is so held would be contrary to the public interest, it may (whether or not the information does exist and is held by it) give the applicant a refusal notice by virtue of this section.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in -

(a) Article 5(1) of the GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

"the GDPR", "personal data", "processing" and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4), (10), (11) and (14) of that Act);

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

General Data Protection Regulation

Article 5 Principles relating to processing of personal data

1 Personal data shall be:

a. processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency")

Article 6 Lawfulness of processing

1 Processing shall be lawful only if and to the extent that at least one of the following applies:

f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

Data Protection Act 2018

3 Terms relating to the processing of personal data

(2) "Personal data" means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

(3) "Identifiable living individual" means a living individual who can be identified, directly or indirectly, in particular by reference to -

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

(4) "Processing", in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as -

(d) disclosure by transmission, dissemination or otherwise making available.

(5) "Data subject" means the identified or identifiable living individual to whom the personal data relates

(10) "The GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).


PDF IconLink to PDF file of decision 047/2020 (400 kb)

Back to Top