The Scottish Information Commissioner - It's Public Knowledge

Decision 124/2019: Mr K and South Ayrshire Council

Planning correspondence

Reference No: 201900089
Decision Date: 19 August 2019

Summary

The Council was asked for correspondence about property in Symington. It disclosed some information in response to the request. Additional information was disclosed during the investigation. Some personal data was withheld.

The Commissioner found that the Council had failed to identify all of the information in response to the request and had incorrectly withheld some information. (This information was disclosed during the investigation.)

He also found that the Council was entitled to withhold some personal data. By the end of the investigation, he was satisfied that the Council had carried out appropriate searches to identify the information falling within the scope of the request.

Relevant statutory provisions

The Environmental Information (Scotland) Regulations 2004 (the EIRs) regulations 2(1) (definitions of "the data protection principles", "the GDPR" and "personal data") and (3A) (Interpretation); 5(1) and (2)(b) (Duty to make environmental information available on request); 10(1), (2), (3) (Exceptions from duty to make environmental information available); 11(2), (3)(A)(a) and (7) (Personal data)

General Data Protection Regulation (the GDPR) Articles 4(1) and (11) (definition of "personal data" and "consent") (Definitions); 5(1)(a) (Principles relating to processing of personal data); 6(1)(a) and (f) (Lawfulness)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5) and 10 (Terms relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 12 May 2018, Mr K made a request for information to South Ayrshire Council (the Council). He requested all planning department emails, both external and internal relating to a named property and buildings on a plot at a specified address in Symington from 12 May 2014.

2. The Council responded on 12 June 2018, advising Mr K that it was handling his request in terms of the EIRs. It disclosed information to Mr K.

3. On 15 July 2018, Mr K wrote to the Council requesting a review of its response. He was not satisfied that he had been provided with all of the information falling within the scope of his request. Mr K stated that emails were missing and a number of attachments were not included.

4. The Council notified Mr K of the outcome of its review on 10 August 2018. The Council acknowledged that it had not identified and disclosed all of the information held. Following fresh record searches, the Council identified several attachments and an email, which were supplied to Mr K. The Council apologised to Mr K for this error. The Council redacted some personal data within the documents.

5. On 15 January 2019, Mr K applied to the Commissioner for a decision in terms of section 47(1) of the Freedom of Information (Scotland) Act (2002) (FOISA). By virtue of regulation 17 of the EIRs, Part 4 of FOISA applies to the enforcement of the EIRs as it applies to the enforcement of FOISA, subject to specified modifications. Mr K did not accept that he had been provided with all of the information falling within the scope of his request and argued that there had been an inappropriate level of redaction.

Investigation

6. The application was accepted as valid. The Commissioner confirmed that Mr K made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

7. On 6 February 2019, the Council was notified in writing that Mr K had made a valid application. The Council was asked to send the Commissioner the information withheld from Mr K. The Council provided the information and the case was allocated to an investigating officer.

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Council was invited to comment on this application and to answer specific questions. These related to the searches it had undertaken to identify the requested information and reasons for withholding personal information.

9. The Council responded on 11 March 2019. It provided a description of the searches it had conducted in locating information, together with a detailed explanation as to why it considered personal data to be exempt. The Council, on review of the redactions made, accepted that some of the redactions were made in error. Some of the information was already available through its planning portal and some information related to companies rather than individuals. This information was provided to Mr K during the course of the investigation.

10. During the investigation, Mr K confirmed that his own personal data could be excluded from consideration. The Council continued to withhold information related to employees below a certain seniority level (third tier).

11. During the investigation, the Council identified a further email which fell within the scope of Mr K's request. This was supplied to him subject to the redaction of personal data and information which fell outwith the scope of Mr K's request.

Commissioner's analysis and findings

12. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both Mr K and the Council. He is satisfied that no matter of relevance has been overlooked.

Information falling in scope

13. Regulation 5(1) of the EIRs requires a Scottish public authority which holds environmental information to make it available when requested to do so by any applicant. It is important to bear in mind that this obligation relates to information actually held by an authority when it receives the request, as opposed to information an applicant believes the authority should hold (but which it does not in fact hold).

14. Mr K was not satisfied that the Council had identified and disclosed all the information falling within scope of his request. Mr K referred to missing attachments from the information provided and submitted that information relating to a named site should have been provided to him.

The Council's submissions

15. The Council provided details of the searches undertaken to identify the information falling within scope of the request. It provided a copy of a search form used which included details of the key words used and the electronic files searched.

16. As part of the review process, copies of all documentation provided to Mr K in the initial response were provided to the Service Lead (Planning and Building Standards), who manually compared these documents against those searched for and retrieved, using specified key words taken from the request. The Council considered this to be the most efficient and systematic way to search for any records that may not have previously been disclosed to Mr K using search terms within his request.

17. The reviewer compared the documents issued against those held across email, shared drives and the Planning document management system. The Council considered that adopting this approach enabled it to ascertain that all information falling within scope had been provided to Mr K.

18. The Council acknowledged that it had not identified all relevant information when it responded to the initial request. In its review response, the Council explained to Mr K that information had not been identified as incorrect data parameters had been used and there had been documents incorrectly categorised/named within the Planning document management system.

Missing information

19. In his application, Mr K maintained that some information remained missing from the documents provided by the Council; specifically that attachments were missing from some emails and correspondence regarding a named site.

20. During the investigation, the Council was asked whether it held an email referred to within one of the emails disclosed to Mr K, which appeared to fall within the scope of his request. The Council confirmed that it held this email, but could not provide an explanation as to why it had not been identified earlier. This email was supplied to Mr K during the investigation, subject to the redaction of personal data and information falling outwith the scope of his request.

21. A further review of the data held and provided to Mr K was conducted, initially as part of the review and also in February 2019 in response to the Commissioner's investigation. This review identified all emails with attachments. The Council submitted that all attachments were provided to Mr K with the exception of a planning application form, which was attached to an email from Mr K. It was assumed by the Council that Mr K would have retained a copy of this form as part of his records.

22. With regard to information relating to the named site, the Council submitted that the named site was not directly connected to the planning applications Mr K had requested, but related to an ongoing process of developing the corporate planning approach for the whole Council area. The Council submitted that information relating to this site did not form part of Mr K's request.

23. The Council noted that the original request for information for the application to which this investigation relates did not make reference to Mr K seeking information that related to the named site, and at no point during the review process did Mr K indicate to the Council that he considered documents relating to the named site formed part of his request, or that the Council had failed to provide these.

24. The Council highlighted that Mr K has now made a request for information relating to the named site to the Council on 16th October 2018, which it has responded to.

The Commissioner's findings

25. The standard of proof to determine whether a Scottish public authority holds information is the civil standard of the balance of probabilities. In determining this, the Commissioner considers the scope, quality, thoroughness and results of the searches carried out by the public authority. He also considers, where appropriate, any reason offered by the public authority to explain why the information is not held, and any reason offered by the requester to explain why information is likely to be held.

26. The Commissioner has considered the Council's submissions, specifically the searches it conducted, explanations provided and the documents located during the investigation. He is satisfied that the Council's interpretation of Mr K's request was reasonable and that information relating to the named site fell outwith the scope of the request.

27. However, it is clear, given the information located during the investigation, that the Council failed to identify and provide all information falling within scope of Mr K's request when responding to his request and request for review. In this respect, the Commissioner finds that the Council failed to comply fully with regulation 5(1) of the EIRs when responding to Mr K's request.

28. The Commissioner is satisfied, by the end of this investigation, that the Council has identified and provided all relevant information falling within scope of the request.

Regulation 11(2) of the EIRs - personal data

29. The Council confirmed, during the investigation, that it had disclosed in response to the request all the personal data of senior employees, i.e. those at tier three and above and considered to be "decision-makers". However, it had withheld other third party personal data, namely that of junior employees of the Council. During the investigation, the Council noted that other third party personal data which had been withheld had been published on its planning portal (and so it no longer considered it exempt) and made Mr K aware of this fact. The information that remains withheld is the personal data of employees below a certain level of seniority (tier three and below).

Data Protection Act 2018 (Transitional provisions)

30. On 25 May 2018, the DPA 1998 was repealed by the DPA 2018. The DPA 2018 amended regulation 11(2) of the EIRs and also introduced a set of transitional provisions, which set out what should happen where a public authority dealt with an information request before the EIRs were amended on 25 May 2018 but where the matter is being considered by the Commissioner after that date.

31. Although Mr K's information request was made before 25 May 2019, the Council dealt with the request after that date. The Commissioner will therefore consider whether the Council was entitled to apply the exception in regulation 11(2) of the EIRs as amended by the DPA 2018.

32. Regulation 10(3) of the EIRs provides that a Scottish public authority can only make personal data in environmental information available in accordance with regulation 11.

33. Regulation 11(2) states that public authorities can only make third party personal data available if one of three conditions is satisfied. The first condition (regulation 11(3A)) is that disclosure would not contravene any of the data protection principles in Article 5(1) of the GDPR.

34. In this case, the Council argued that the information was personal data and that disclosure would breach the data protection principle in Article 5(1)(a) of the GDPR.

Is the withheld information personal data?

35. The first question for the Commissioner is whether the withheld information is personal data for the purposes of section 3(2) of the DPA 2018, i.e. any information relating to an identified or identifiable living individual. "Identifiable living individual" is defined in section 3(3) of the DPA 2018 - see Appendix 1.

36. The Council withheld the names and contact details of its staff, under regulation 11(2) of the EIRs. The Commissioner is satisfied that the individuals can be identified from the information and that it relates to them, specifically their employment.

37. Having considered the information being withheld, the Commissioner accepts that the information is personal data: it relates to identifiable living individuals.

Would disclosure contravene one of the data protection principles?

38. Article 5(1)(a) of the GDPR requires personal data to be processed "lawfully, fairly and in a transparent manner in relation to the data subject." The definition of "processing" is wide and includes (section 3(4)(d) of the DPA 2018) "disclosure by transmission, dissemination or otherwise making available". In the case of the EIRs, personal data are processed when disclosed in response to a request. Personal data can only be disclosed if disclosure would be both lawful (i.e. if it would meet one of the conditions of lawful processing listed in Article 6(1) of the GDPR) and fair.

Lawful processing: Articles 6(1)(a) and (f) of the GDPR

39. Among other questions, therefore, the Commissioner must consider if disclosure of the personal data would be lawful. In considering lawfulness, he must consider whether any of the conditions in Article 6 of the GDPR would allow the personal data to be disclosed. The Council took the view that conditions (a) and (f) of Article 6(1) of the GDPR were the only conditions which could apply in this case.

Condition (a): consent

40. Condition (a) would allow the Council to disclose personal data if a data subject has consented to the processing of his or her personal data for one or more specific purposes. "Consent" is defined in Article 4 of the GDPR as -

"… any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."

41. The Council confirmed that the employees in question did not provide their consent to have their names released in respect of this information request. The Commissioner is therefore satisfied that condition (a) does not apply to the information.

Condition (f): legitimate interests

42. Under condition (f), the disclosure of the personal data would be lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

43. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, regulation 11(7) of the EIRs (see Appendix 1) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under the EIRs.

44. The tests which must be met before Article 6(1)(f) can be met are as follows:

(a) Would Mr K have a legitimate interest in obtaining the personal data?

(b) If so, is the disclosure of the personal data necessary to achieve that legitimate interest?

(c) Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subject/s?

Does Mr K have a legitimate interest in obtaining the personal data?

45. In his correspondence, Mr K asserted that the Council officials are performing employment paid for by local residents; he considered that this "unwarranted" level of anonymity makes it very difficult for officers of the Council to be held accountable for what they are paid to do.

46. The Council stated that it had not specifically asked Mr K to define his legitimate interest in obtaining the names of the Council's employees. However, it acknowledged that there is a legitimate public interest in transparency of the planning activities carried out by the Council which impinges on the lives of individuals. The Council recognised that Mr K sought evidence of the decision making process by securing all information held by the Council relating to the matter to allow him to scrutinise the decision, the process and potentially challenge the decision made.

47. The Council argued that the planning process is open to scrutiny and decisions are in the public domain and open to appeal. Therefore, the Council considered that there are processes already in place that would satisfy Mr K's concerns about the planning process.

48. The Commissioner accepts that Mr K has a legitimate interest in the withheld personal data. He accepts that Mr K has a personal interest in the planning application in question and consequently has a personal legitimate interest in being aware of the actions and communication of employees of the Council in respect of that planning application. The Commissioner accepts that his legitimate interest would extend to other members of the public with an interest in planning matters in South Ayrshire.

Is disclosure of the personal data necessary?

49. Having accepted that there is a legitimate interest in the withheld personal data, the Commissioner must consider whether disclosure of the personal data is necessary for those legitimate interests. In doing so, he must consider whether these interests might reasonably be met by any alternative means.

50. The Commissioner has considered this carefully in the light of the decision by the Supreme Court in South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55[1]. In this case, the Supreme Court stated (at paragraph 27):

"… A measure which interferes with a right protected by Community law must be the least restrictive for the achievement of a legitimate aim. Indeed, in ordinary language we would understand that a measure would not be necessary if the legitimate aim could be achieved by something less."

51. "Necessary" means "reasonably" rather than "absolutely" or "strictly" necessary. When considering whether disclosure would be necessary, public authorities should consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the legitimate interests can be met by means which interfere less with the privacy of the data subject.

52. The Council submitted that withholding the names of planning staff who collate reports and information would not impede or thwart Mr K's (or any other's) right to have any improprieties in the process investigated. The Council considered that it is disproportionate in these circumstances to provide the names of staff who are not decision makers and if dissatisfied with the process there are already procedures in place to allow Mr K (and others) to raise concerns.

53. As such, the Council did not consider the disclosure of the personal data to be necessary.

54. The Commissioner notes that the Council has provided the job titles of the employees concerned. Sufficient information remained unredacted in documentation disclosed to Mr K to enable him to identify the department or sections concerned, allowing him to raise concerns.

55. The quote detailed above (paragraph 50) highlights the standard required: a measure which interferes with a right protected by Community law must be the least restrictive for the achievement of a legitimate aim. The Commissioner believes Mr K's (and others') legitimate interest can be met in a way which would interfere less with the privacy of these data subjects than providing the withheld information - that is, the least restrictive - and that is by the provision of the information in the redacted form as the Council has done. The Council highlighted a number of routes that could be used to pursue concerns about the process. The Commissioner therefore accepts that disclosure of the personal data is not necessary to satisfy the legitimate interests in this case.

56. As disclosure has not been found necessary, condition (f) in Article 6(1) of the GDPR cannot be met. As no condition in Article 6(1) can be met, disclosure of the personal data would be unlawful.

Fairness

57. Given that the Commissioner has concluded that the processing of the personal data would be unlawful, he is not required to go on to consider separately whether disclosure would otherwise be fair and transparent in relation to the data subjects.

58. For the reasons set out above, the Commissioner is satisfied that disclosure of the personal data would breach the data protection principle in Article 5(1)(a) of the GDPR. Consequently, he is satisfied that disclosure of the personal data is not permitted by regulation 11(2) of the EIRs.

Decision

The Commissioner finds that South Ayrshire Council (the Council) partially complied with the Environmental Information (Scotland) Regulations 2004 (the EIRs) in responding to the information request made by Mr K.

The Commissioner is satisfied that:

· by the end of the investigation, the Council had conducted adequate searches and had disclosed all (non-exempt) information; and

· the Council was entitled to withhold personal data of employees below third tier under regulation 11(2) of the EIRs.

However, the Commissioner finds that the Council failed to comply with the EIRs by:

· not identifying and disclosing all (non-exempt) information when it responded to the request; and

· withholding, under regulation 11(2), information which was not personal data and personal data which was not excepted under regulation 11(2).

The Commissioner does not require any action in respect of these failures as the information was disclosed during the investigation.

Appeal

Should either Mr K or the Council wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement

19 August 2019

 

Appendix 1: Relevant statutory provisions

The Environmental Information (Scotland) Regulations 2004

2 Interpretation

(1) In these Regulations -

"the data protection principles" means the principles set out in -

(a) Article 5(1) of the GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

"the GDPR" and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of the Act (see section 3(10), (11) and (14) of that Act);

"personal data" has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act);

(3A) In these Regulations, references to the Data Protection Act 2018 have effect as if in Chapter 3 of Part 2 of that Act (other general processing) -

(a) the references to an FOI public authority were references to a Scottish public authority as defined in these Regulations;

(b) the references to personal data held by such an authority were to be interpreted in accordance with paragraph (2) of this regulation.

5 Duty to make available environmental information on request

(1) Subject to paragraph (2), a Scottish public authority that holds environmental information shall make it available when requested to do so by any applicant.

(2) The duty under paragraph (1)-

(b) is subject to regulations 6 to 12.

10 Exceptions from duty to make environmental information available-

(1) A Scottish public authority may refuse a request to make environmental information available if-

(a) there is an exception to disclosure under paragraphs (4) or (5); and

(b) in all the circumstances, the public interest in making the information available is outweighed by that in maintaining the exception.

(2) In considering the application of the exceptions referred to in paragraphs (4) and (5), a Scottish public authority shall-

(a) interpret those paragraphs in a restrictive way; and

(b) apply a presumption in favour of disclosure.

(3) Where the environmental information requested includes personal data, the authority shall not make those personal data available otherwise than in accordance with regulation 11.

11 Personal data

(2) To the extent that environmental information requested includes personal data of which the applicant is not the data subject, a Scottish public authority must not make the personal data available if -

(a) the first condition set out in paragraph (3A) is satisfied, or

(b) the second or third condition set out in paragraph (3B) or (4A) is satisfied and, in all the circumstances of the case, the public interest in making the information available is outweighed by that in not doing so.

(3A) The first condition is that the disclosure of the information to a member of the public otherwise than under these Regulations -

(a) would contravene any of the data protection principles, or

(7) In determining, for the purposes of this regulation, whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

 

General Data Protection Regulation

Article 4 Definitions

For the purpose of this Regulation:

1 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

11 'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Article 5 Principles relating to processing of personal data

1 Personal data shall be:

a. processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency")

Article 6 Lawfulness of processing

1 Processing shall be lawful only if and to the extent that at least one of the following applies:

a. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

Data Protection Act 2018

3 Terms relating to the processing of personal data

(2) "Personal data" means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

(3) "Identifiable living individual" means a living individual who can be identified, directly or indirectly, in particular by reference to-

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

(4) "Processing", in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as

(d) disclosure by transmission, dissemination or otherwise making available,

(5) "Data subject" means the identified or identifiable living individual to whom personal data relates.

(10) "The GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).


[1] http://www.bailii.org/uk/cases/UKSC/2013/55.html
