The Scottish Information Commissioner - It's Public Knowledge
Tweet this page:
Text Size Icon

- Text Size Up | Down

 Decision 116/2019: Mr N and Fife College

 Complaint about a named person

Reference No: 201900468
Decision Date: 6 August 2019

 Summary

The College was asked for information about "a complaint made against one of your students" (named). The College refused to confirm or deny whether it held the information. The Commissioner investigated and found that College was entitled to refuse to confirm or deny whether it held the information.

 Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 18(1) (Further provision as respects responses to request); 38(1)(b), (2A), (5) (definitions of "the data protection principles", "data subject", "the GDPR", "personal data" and "processing") and (5A) (Personal information)

General Data Protection Regulation (the GDPR) Articles 5(1)(a) (Principles relating to processing of personal data); 6(1)(f) (Lawfulness of processing)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), and (5) (Terms relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

 Background

1. On 13 January 2019, Mr N made a request for information to Fife College (the College). He referred to "a complaint made against one of your students" (whom Mr N named) and requested all documents - including, but not limited to, email, meeting minutes and internal memos - created/sent regarding the complaint between 19 October 2018 and 13 January 2019. Mr N specified that this should include:

 · related correspondence among three named persons (between the quoted dates)

 · related correspondence/documents from/to senior staff and admin, etc. (between the quoted dates)

 · details of any investigation or disciplinary action regarding the named student (between the quoted dates) including the status of any current investigation stage 1, stage 2, escalated, etc.

 · any other complaints regarding the named student prior to 19 October 2018, with detail dates, a high level description, and outcome of the complaint, i.e. upheld/dismissed.

 2. On 31 January 2019, the College notified Mr N that it was unable to confirm or deny whether it held any information falling within his request. The College cited section 18(1) of FOISA and said that, if it held the information, the exemptions in sections 30(b)(ii), 30(c) and 38(1)(b) of FOISA would apply. For section 38(1)(b), the College said the requested information would constitute the personal data of living individuals, and disclosure would contravene the first data protection principle in Article 5 of GDPR, as disclosure under FOISA would be unfair and unlawful.

 3. The College added, in the context of section 18(1), that whilst there may be a public interest in ensuring that information is properly recorded, the public interest favoured neither confirming nor denying the existence of the information requested.

 4. On 4 February 2019, Mr N wrote to the College requesting a review of its decision. He disagreed with the application of section 18(1) and put forward what he considered to be additional public interest arguments supporting his position.

 5. The College notified Mr N of the outcome of its review on 4 March 2019. The College upheld its previous response that section 18(1) of FOISA applied, for the same reasons as given initially and with the same exemptions (sections 30(b)(ii), 30(c) and 38(1)(b) of FOISA).

 6. On 12 March 2019, Mr N applied to the Commissioner for a decision in terms of section 47(1) of FOISA. Mr N was dissatisfied with the outcome of the College's review. He explained in detail, expanding on points he had made in his request for review, why he believed the College was incorrect to rely on section 18 of FOISA to refuse to confirm or deny whether it held any information falling within his request.

 Investigation

7. The application was accepted as valid. The Commissioner confirmed that Mr N made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The College was invited to comment on this application and to answer specific questions, focusing on the requirements of section 18(1) (as applied with the exemptions referred to by the College).

9. Mr N, too, provided information and arguments to support his position that the College was not entitled to apply section 18(1) in this case.

 Commissioner's analysis and findings

10. In coming to a decision on this matter, the Commissioner considered all the relevant submissions, or parts of submissions, made to him by Mr N and the College. He is satisfied that no matter of relevance has been overlooked.

Section 18(1) of FOISA - "neither confirm nor deny"

11. Section 18(1) of FOISA allows public authorities to refuse to confirm or deny whether they hold information in the following limited circumstances:

· a request has been made to the authority for information which may or may not be held by it;

· if the information existed and was held by the authority (and it need not be), it could give a refusal notice under section 16(1) of FOISA, on the basis that the information was exempt information by virtue of any of the exemptions in sections 28 to 35, 38, 39(1) or 41 of FOISA; and

· the authority considers that to reveal whether the information exists or is held by it would be contrary to the public interest.

12. Where a public authority has chosen to rely on section 18(1), the Commissioner must establish whether the authority is justified in stating that to reveal whether the information exists or is held would be contrary to the public interest. He must also establish whether, if the information existed and was held by the public authority, the authority would be justified in refusing to disclose the information by virtue of any of the exemptions listed in section 18(1) and cited by the authority.

13. Where section 18(1) is under consideration, the Commissioner must ensure that his decision notice does not confirm one way or the other whether the information requested actually exists or is held by the authority. This means that he is unable to comment in any detail on the College's reliance on any of the exemptions referred to, or on other matters which could have the effect of indicating whether the information existed or was held by the College.

14. Also, this decision notice summarises the arguments put forward by Mr N. He believes the College holds information falling within the scope of his request, and his submissions reflect that position. It should not be taken from his submissions that he is necessarily correct in that view.

15. During the investigation, the College confirmed that it still wished to rely on section 18 of FOISA, read in conjunction with sections 30(b)(ii), 30(c) and 38(1)(b), as outlined in its correspondence to Mr N.

16. Mr N provided arguments. His requirement for review and his application said that the identity of the student "has already been revealed in the media". He also said he had "already received an FOI response from Abertay University - Fife College's parent organisation - confirming a complaint about the student was made and that it was to be referred to Fife." (Abertay University is not the parent organisation of Fife College: Abertay University is the awarding body for the degree programme which Fife College runs as part of its portfolio of courses. These degree students are enrolled both at Fife College and Abertay University.)

17. Mr N supplied the Commissioner with the information supplied to him on 8 February 2019 by Abertay University for this request. The request to Abertay University was almost identical to the request at issue here (to Fife College). Mr N received some information from Abertay University, but other information was withheld as personal data or under section 30(c) of FOISA. There is nothing in this information to confirm whether or not a complaint on the same matter was made to the College, or relating to any action which may, or may not, have been taken by the College in relation to such a complaint.

Section 38(1)(b) - Personal information

18. Section 38(1)(b), read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is "personal data", as defined in section 3(2) of the DPA 2018 and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the GDPR.

19. The College submitted that to provide any personal data falling within the scope of the request would breach the requirement to process data fairly, as laid down by the first data principle in Article 5(1)(a) of the GDPR. It would constitute unfair, and therefore unlawful, processing of personal data of identified or identifiable individuals in terms of the GDPR and the DPA 2018.

Would the information be personal data?

20. "Personal data" is defined in section 3(2) of the DPA 2018 as "any information relating to an identified or identifiable living individual". Section 3(3) of the DPA 2018 defines "identifiable living individual" as "a living individual who can be identified, directly or indirectly, in particular by reference to -

a. an identifier such as a name, an identification number, location data or an online identifier, or

b. one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual."

21. Information will "relate to" a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them, or has them as its main focus.

22. Mr N named the individual in his request and sought all information "created/sent regarding this complaint between 19 October 2018 and 13 January 2019". Mr N specified that his request should include related correspondence, details of any investigation or disciplinary action regarding the named student, and any other complaints regarding the named student prior to 19 October 2018.

23. Each part of the request is framed by reference to a named living individual. Given that, and the subject matter of the request (any complaint or investigation, etc.), if it were held and if it existed, any information captured by this request would clearly relate to that named individual. The Commissioner therefore accepts that, if it existed and were held, the information would be personal data as defined in section 3(2) of the DPA 2018. He also accepts that such information (if held) would likely include the personal data of third parties.

24. Mr N's requirement for review suggested that the College redact the student's name to ensure no personal data were released. The College responded that, as any relevant information would still obviously relate to the named person, redacting the name would not be sufficient to comply with data protection requirements: the information provided would still be about the named student.

25. The Commissioner agrees with the College: to redact the student's name, whilst disclosing other information about that named student (which it would be, if it existed and were held, given the terms of the request), would not make the disclosed information cease to be personal data.

Would disclosure contravene one of the data protection principles?

26. The College argued that disclosing the personal data, if they existed and were held, would contravene Article 5(1)(a) of the GDPR. This requires personal data to be processed "lawfully, fairly and in a transparent manner in relation to the data subject."

27. The definition of "processing" is wide and includes (section 3(4)(d) of the DPA 2018), "disclosure by transmission, dissemination or otherwise making available". In the case of FOISA, personal data are processed when disclosed in response to a request. This means that the personal data could only be disclosed if disclosure would be both lawful (i.e. if it would meet one of the conditions of lawful processing listed in Article 6(1) of the GDPR) and fair.

Lawful processing: Articles 6(1)(f) of the GDPR

28. In considering lawfulness, the Commissioner must consider whether any of the conditions in Article 6(1) of the GDPR would allow the personal data to be disclosed. The College took the view that no conditions in Article 6 apply in the circumstances of this case.

29. In the Commissioner's view, if the personal data existed and were held, the only condition in Article 6(1) which could potentially apply is condition (f). This states that processing shall be lawful if it is "necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."

30. Although Article 6(1) states that this condition cannot apply to processing carried out by a public authority in the performance of its tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.

31. The tests which must be met before Article 6(1)(f) can be met are as follows:

(i) Would Mr N have a legitimate interest in obtaining the personal data, if held?

(ii) If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?

(iii) Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental right and freedoms of the data subject/s?

Would Mr N have a legitimate interest in obtaining the personal data, if held?

32. The College's review acknowledged that Mr N's might have a legitimate interest in disclosure of the information (if it existed and were held).

33. Mr N's submitted that he was trying to ascertain whether the College had taken a complaint he believed to have been made seriously and whether it had met its duty of care to its students. The Commissioner is satisfied that these are matters of legitimate interest, to Mr N and the wider public.

Would disclosure be necessary?

34. The next question is whether disclosure of the personal data (if held) would be necessary to achieve that legitimate interest. "Necessary" means "reasonably" rather than "absolutely" or "strictly" necessary. When considering whether disclosure would be necessary, public authorities should consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the requester's legitimate interests can reasonably be met by means which interfere less with the privacy of the data subject.

35. The College did not argue that disclosure of the personal data (if they existed and were held) would be other than necessary to achieve the legitimate interest identified above: based upon the facts of this case, the Commissioner accepts that disclosure of the personal data, if in existence and held, would be necessary to achieve Mr N's legitimate interest.

36. Mr N wishes to assess how the College dealt with a complaint he understands was made to it about the named student. The only way for Mr N to do so is to view the information he has requested (assuming it exists and is held). Only then would he be able to scrutinise and assess any actions of the College. The Commissioner notes that no procedure has been brought to his attention by Mr N or the College that might offer another way for Mr N to effect such scrutiny. The Commissioner therefore accepts that disclosure of any information held would be necessary for Mr N's legitimate interests.

Balancing legitimate interests and the data subject's interests or fundamental rights and freedoms

37. The Commissioner has concluded that the disclosure of the information (if existing and held) would be necessary to achieve Mr N's legitimate interests. However, this must be balanced against the fundamental rights and freedoms of the data subject/s (the person named by Mr N as being subject to a complaint and any other person identifiable within any information held). Only if the legitimate interests of Mr N outweighed those of the data subject/s could personal data be disclosed without breaching the first data protection principle.

38. The Commissioner has considered the submissions from both parties carefully, in the light of the decision by the Supreme Court in South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 555[1].

39. The College's review asserted that the balance would favour the fundamental rights and freedoms of the data subject/s. Information relating to a disciplinary investigation or complaint would, by definition, be confidential and there would be an expectation that such information would not be released publicly.

40. Recital (47) of the GDPR notes that, in carrying out the balancing exercise, much will depend on the reasonable expectations of the data subject/s. The Commissioner's guidance[2] on section 38 of FOISA notes factors that should be taken into account in balancing the interests of parties. These factors include:

(i) whether the information relates to the individual's public life (i.e. their work as a public official or employee) or their private life (i.e. their home, family, social life or finances)

(ii) the potential harm or distress that may be caused by the disclosure

(iii) whether the individual objected to the disclosure

41. The Commissioner agrees with the College that the information (if it existed and were held) would be information a person would generally expect to be kept confidential (i.e. as relating to a complaint or investigation).

42. The Commissioner has also considered the potential harm or distress that could be caused by disclosure. Disclosure under FOISA is a public disclosure. He has taken into account that, in this case, disclosure of the information, if it existed and were held, would publicly link the data subject/s to a complaint, whether as a person who made a complaint or as a subject of a complaint. At the most general level, disclosing or alleging that a complaint has been brought is likely to cause some reputational damage, and to have an impact on public perceptions of a person, unless there are mitigating circumstances (which may be private) that are also made known. Disclosing whether an individual has made a complaint may also, depending on the situation, cause that person distress.

43. Any information held would relate to the individual's private life. While subject to the disciplinary processes of a Scottish public authority, the individual concerned has no public role to perform.

44. The Commissioner has given weight to Mr N's legitimate interest as set out in paragraph 33.

45. After carefully balancing the legitimate interests of Mr N against the interests or fundamental rights or freedoms of the data subject, the Commissioner finds that the legitimate interests served by disclosure of any information held would be outweighed by the unwarranted prejudice that would result to the rights and freedoms or legitimate interests of the individual/s in question in this case.

46. In the circumstances of this particular case, the Commissioner concludes that condition (f) in Article 6(1) of the GDPR could not be met in relation to the withheld personal data.

Fairness

47. Given that the Commissioner has concluded that the processing of the personal data, if existing and held, would be unlawful, he is not required to go on to consider separately whether disclosure of such personal data would otherwise be fair and transparent in relation to the data subject.

Conclusion on the data protection principles

48. For the reasons set out above, the Commissioner is satisfied that disclosure of any personal data, if held, would breach the data protection principle in Article 5(1)(a) of the GDPR. Consequently, he is satisfied that such personal data would be exempt from disclosure under section 38(1)(b) of FOISA and that the College could give a refusal notice under section 16(1) of FOISA, on the basis that the information would be exempt information by virtue of section 38(1)(b) of FOISA.

Section 18(1) - The public interest

49. The Commissioner must now consider whether the College was entitled to conclude that it would be contrary to the public interest to reveal whether the information exists or is held.

50. The College submitted that it was contrary to the public interest to reveal whether the information existed or was held as there was a public interest in ensuring that it protected confidential processes and complied with data protection legislation. It provided more detailed submissions on aspects of the case, which cannot be repeated here without tending to indicate whether information exists or is held.

51. Mr N's requirement for review and his application suggested factors relevant to the public interest. Mr N said the identity of the student "has already been revealed in the media". Mr N referred to media interest around this case and the claimed impact of the case on others, submitting that it was in the public interest to know whether the College took the complaint seriously and met its duty of care to its students. In his application, he also referred to the information request to Abertay University - see above.

52. The test the Commissioner must consider is whether (having already concluded that the information, if in existence and held, would be exempt from disclosure) it would be contrary to the public interest to reveal whether the information existed or was held.

53. Disclosure under FOISA is not simply disclosure to the person requesting the information, but rather is a public disclosure. This must always be borne in mind when considering the effects of disclosure: a disclosure of this kind to one individual cannot, therefore, be considered in isolation. The Commissioner accepts that there is a strong public interest in the College not breaching the data protection legislation and maintaining expectations of confidentiality in relation to processes such as this. On the other hand, there is a public interest in scrutiny of processes such as these, to ensure they are carried out fairly and expeditiously.

54. The Commissioner has considered all relevant submissions and supporting information carefully. On balance, for the reasons outlined above, the Commissioner accepts that it would be contrary to the public interest for the College to reveal whether it held the requested information, or whether the information existed. Consequently, the Commissioner is satisfied that the College was entitled to refuse to confirm or deny, whether the information requested by Mr N existed or was held, in accordance with section 18(1) of FOISA.

55. Having reached this conclusion, the Commissioner does not consider it necessary in this case to consider the potential application of the exemptions in section 30 of FOISA, also identified by the College in conjunction with section 18(1).

Decision

The Commissioner finds that Fife College complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by Mr N. 

Appeal

Should either Mr N or the College wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse

Head of Enforcement

6 August 2019

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

18 Further provision as respects responses to request

(1) Where, if information existed and was held by a Scottish public authority, the authority could give a refusal notice under section 16(1) on the basis that the information was exempt information by virtue of any of sections 28 to 35, 38, 39(1) or 41 but the authority considers that to reveal whether the information exists or is so held would be contrary to the public interest, it may (whether or not the information does exist and is held by it) give the applicant a refusal notice by virtue of this section.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A));

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in -

(a) Article 5(1) of the GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

"the GDPR", "personal data", "processing" and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4), (10), (11) and 14 of that Act);

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

General Data Protection Regulation

Article 5 Principles relating to processing of personal data

1 Personal data shall be:

a. processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency")

Article 6 Lawfulness of processing

1 Processing shall be lawful only if and to the extent that at least one of the following applies:

f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

Data Protection Act 2018

3 Terms relating to the processing of personal data

(2) "Personal data" means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

(3) "Identifiable living individual" means a living individual who can be identified, directly or indirectly, in particular by reference to-

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

(4) "Processing", in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as-

(d) disclosure by transmission, dissemination or otherwise making available,

(5) "Data subject" means the identified or identifiable living individual to whom personal data relates.


PDF IconLink to PDF file of decision 116/2019 (421 kb)

Back to Top