The Scottish Information Commissioner - It's Public Knowledge
Tweet this page:
Text Size Icon

- Text Size Up | Down

 Decision Notice 035/2020

 Firefighter recruitment

 Applicant: The Applicant

 Public authority: Scottish Fire and Rescue Service

 Case Ref: 201900331

 Summary

Scottish Fire and Rescue Service (SFRS) was asked for numbers of firefighters who passed/failed the training period and how many of these were of BME origin.

SFRS withheld the information on the basis that it was personal data which, in this case, was exempt from disclosure.

Following an investigation, the Commissioner required SFRS to provide the overall number of successful (and by default unsuccessful) recruits to the Applicant, but found that SFRS were correct to withhold BME data.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(e)(ii) (Effect of exemptions); 38(1)(b), (2A), (5) (definitions of the "data protection principles", "data subject", "the GDPR", "personal data" and "processing") and (5A) (Personal information)

General Data Protection Regulation (the GDPR) Articles 4(11) (Definitions); 6(1)(a) and (f) (Lawfulness of processing); 9(2)(a) and (e) (Special category data)

Data Protection Act 2018 (the DPA 2018) section 3(2), (3), (4)(d), (5) and (10) (Terms relating to the processing of personal data); 10(1)(c) (Special categories of personal data and criminal convictions etc data); 11(1)(a) (Special categories of personal data etc: supplementary); schedule 2, part 4, section 19(a) and (b) (Exemptions etc from the GDPR)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 29 July 2018, the Applicant made a request for information to Scottish Fire and Rescue Service (SFRS). The Applicant requested:

Part A - Total number of new firefighters recruited in Scotland for the periods 2015/2016, 2016/2017, 2017/2018 and how many:

· Successfully completed their probationary period

· Did not successfully complete their probationary period

Part B - Of those in Part A please also state how many in each category were of Black and Minority Ethnic (BME) origin.

2. SFRS did not respond to the request.

3. On 29 August 2018, the Applicant wrote to SFRS requesting a review of its failure to respond.

4. SFRS notified the Applicant of the outcome of its review on 11 September 2018. SFRS provided total recruitment figures for 2015, 2016, 2017 and 2018 and provided an explanation that there was no "probationary" period, but a 14 week training course and three years' service before competency. The SFRS also stated that ethnicity reporting is at employees' discretion so it could not provide accurate reports for this detail. SFRS provided a link to the SFRS published statistics on ethnicity.

5. Later that day, the Applicant wrote to SFRS stating her dissatisfaction with its response to her request. She was dissatisfied with the format in which she was provided with the figures as they were not labelled. She was also dissatisfied by SFRS's failure to seek clarification of her request and confirmed that it was the 14 week training period at the beginning of a fire fighters' training that she was referring to by stating "probationary period". She explained that the intention behind her request was to obtain information about the number of BME trainee firefighters who successfully completed the training as a proportion of the total.

6. SFRS provided a response on 4 October 2018, SFRS provided further explanations of figures previously provided and the reasons for any variance, and stated, with respect to the information relating to the probationary period, that it was satisfied that it had provided the information as requested.

7. Following an application to the Commissioner, the SFRS provided a revised review response to the applicant on 8 February 2019. In this response, SFRS provided clarification of the recruitment figures provided and expanded evidence of firefighter training process. SFRS stated that information regarding those not completing the probationary period could not be released as there were so few that individuals could be identified and therefore section 38(2)(a) of FOISA applied. The SFRS stated that ethnicity data was supplied voluntarily by the firefighters and therefore it did not hold an accurate figure. It indicated that it could check the records of the unsuccessful trainees but as the resulting figure is so low that it would identify individuals.

8. On 22 February 2019, the Applicant wrote to the Commissioner. The Applicant applied to the Commissioner for a decision in terms of section 47(1) of FOISA. The Applicant stated she was dissatisfied with the outcome of SFRS's review because:

(i) she had only been provided with one of the figures requested (the overall number of firefighters recruited) and had not been told how many had successfully completed the training period;

(ii) it was not clear whether SFRS were relying on section 38(2)(a) in conjunction with section 38(1)(b)

(iii) she did not accept that it would be possible for her or a third party to identify an individual who had been unsuccessful - in her view, firefighters are likely to already be aware who has been successful or unsuccessful

(iv) it was unclear whether individual had been asked to consent to the information being disclosed and

(v) the SFRS had not considered whether the information could have been provided as a percentage.

Investigation

9. The application was accepted as valid. The Commissioner confirmed that the Applicant made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

10. On 3 April 2019, SFRS was notified in writing that the Applicant had made a valid application and the case was allocated to an investigating officer.

11. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. SFRS was invited to comment on this application and to answer specific questions. These related to whether SFRS could provide a calculation of those successfully completing the training period, if SFRS considered that section 38(1)(b) of FOISA applied to the information in conjunction with section 38(2)(a) and if so, to provide submissions regarding why the information was considered personal data.

Commissioner's analysis and findings

12. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both the Applicant and SFRS. He is satisfied that no matter of relevance has been overlooked.

13. The Applicant's request falls into four parts:

(i) total number of new recruits over a four year period;

(ii) number that successfully completed their probationary period (the initial 14 week training period as confirmed by the Applicant)

(iii) number that did not successfully complete their probationary period

(iv) how many candidates were of BME of origin falling within the scope of parts (ii) and (iii)

14. The Applicant appealed to the Commissioner on the basis that she had not been provided with information in response to parts (ii), (ii) and (iv) of her request.

15. In response to parts (ii) and (iii), SFRS submitted that it was unable to disclose the information. SFRS indicated that, as it had already disclosed the total number of recruits (428), disclosing the number of recruits who had successfully completed the "probationary" period would, by default, disclose the number who were unsuccessful. SFRS stated that this number was so low that section 38(1)(b) of FOISA applied, even if the information was provided as a proportion of the total.

16. With respect to those falling within the BME category, SFRS explained that it has a duty to collect equality and diversity information. It collects this information through an Employee Self Service system which is strictly voluntary. Consequently, SFRS did not hold an accurate figure for equality and diversity data. The Commissioner is satisfied, in light of the explanations provided, that SFRS did not hold the number of candidates who were of BME origin that successfully completed their "probationary" period. However, SFRS confirmed that it held the data relating to the candidates that were unsuccessful. SFRS stated that this information was exempt on the basis that section 38(1)(b) of FOISA applied.

Section 38 (1)(b) - personal information

17. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is "personal data" (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the GDPR.

18. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

19. In order to rely on this exemption, SFRS must show that the information being withheld is personal data for the purposes of the DPA 2018 and that its disclosure into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles to be found in Article 5(1) of the GDPR.

20. In her application to the Commissioner, the Applicant believed that it was in the public interest to disclose the information as she argued that SFRS is making little headway in increasing the proportion of BME firefighters. Release of this data would improve transparency, allow scrutiny of progress and ensure ethnicity is given equal focus in the recruitment and retention of trainee firefighters and the reporting of it.

21. The Applicant disputed the ability of a third party to identify individuals from the release of these figures. She argued that, given the nature of the training as described by SFRS, it is unlikely that others are not already aware of who amongst them has been successful or unsuccessful.

Is the withheld information personal data?

22. The first question the Commissioner must address is whether the information is personal data for the purposes of section 3(2) of the DPA 2018. (The definition is set out in full in Appendix 1.)

23. The two main elements of personal data are that:

(i) the information must "relate to" a living person; and

(ii) the living individual must be identifiable.

24. Information will "relate to" a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them or has them as its main focus.

25. An "identifiable living individual" is one who can be identified, directly or indirectly, by reference to an identifier (such as a name) or one or more factors specific to the individual (see section 3(3) of the DPA 2018 in Appendix 1).

26. The information remaining withheld by SFRS comprises: the number of firefighters successfully completing (and by default the number failing to complete) the "probationary" period and how many of those failing to complete were of BME origin.

Number of successful/unsuccessful recruits

27. SFRS submitted that section 38(1)(b) was applied as only a very small proportion of the 428 recruits could be considered as not completing the course. SFRS accepted that the Applicant may not be able to identify the individuals. However, if the information was to be disclosed under FOISA it would not have any control over the use or availability of the information once put into the public domain.

28. SFRS explained that, in the time period covered by this request, there were seven Firefighter Foundation Programmes (FFFP). 428 trainees were recruited with only a small number not completing the programme. SFRS submitted that the FFFP course is unique in terms of length of course as is, consequently, the level to which trainees become known over the course. SFRS submitted that due to the timeline (a copy of which was provided to the Commissioner) and the low numbers of unsuccessful trainees there is a significant risk that the individuals concerned would be identified.

29. The Court of Justice of the European Union looked at the question of identification in Breyer v Bundesrepublik Deutschland[1]. The Court said that the correct test to consider is whether there is a realistic prospect of someone being identified. In deciding whether there is a realistic prospect of identification, account can be taken of information in the hands of a third party. However, there must be a realistic causal chain - if the risk of identification is "insignificant", the information will not be personal data.

30. Public authorities responding to requests for numbers will therefore have to determine whether members of the public would be able (realistically) to identify individuals from the numbers, if they are disclosed.

31. The Commissioner has considered SFRS's submissions. He is not satisfied that he has been provided with sufficiently compelling arguments to conclude that disclosure would lead to identification of individuals.

32. SFRS argued that disclosure of low numbers could result in identification, referencing the unique nature of the course to support it position. However, the Commissioner remains unclear as to how disclosure would lead directly to the identification of the individuals concerned. Where an individual (for example, a colleague on the course) knows that an individual has failed to pass the "probationary" period, disclosure of this number would permit that individual to identify the individual as one of the larger number. However, this in itself would not make this information personal data; it is not the disclosure of the number which would identify the individual.

33. The Commissioner has taken account of the time period of this request Individuals may be able to confirm that they fell within this category, or those that were close to them, but they will know that anyway: disclosure of the withheld information will not contribute to identifying the individuals concerned.

34. In this case, therefore, taking account of all the circumstance, the Commissioner is not persuaded that there is a realistic prospect of individuals being identified from disclosure of the information in question. Having taken account of the arguments, he is of the view that the risk of identification is insignificant. Consequently, the number of successful recruits (and, by default, the number of unsuccessful recruits) is not personal data.

BME unsuccessful recruits

35. SFRS submitted that release of this information would identify the ethnic origin of those recruits to other members of the courses, employees and the wider public if combined with other information publicly available. The Commissioner notes that this is a discreet subset of the information detailed above. Although SFRS explained that it does not hold the data relating to the tranche as a whole (i.e. for the successful recruits), due to the voluntary nature in which it is provided, it confirmed that it did hold this information for this subset of those who were unsuccessful in completing the "probationary period".

36. The Commissioner has considered SFRS's submissions. Due to the reduction in population size (i.e. unsuccessful applicants who provided information about their ethnic minority and who fall within the category of BME), he is satisfied that the prospect of identifiability is increased to the extent that identification would, in this case, be possible. Although colleagues on the course may be able to identify those that failed within their group, they would not know how those individuals categorised themselves to SFRS.

37. Given that the information would clearly relate to those identifiable individuals, the Commissioner is satisfied that the information captured by this part of the Applicant's request is, by definition, personal data for the purposes of section 3(2) of the DPA 2018.

Would disclosure contravene on of the data protection principles?

38. Article 5(1)(a) of the GDPR requires personal data to be processed "lawfully, fairly and in a transparent manner in relation to the data subject."

39. The definition of "processing" is wide and includes (section 3(4)(d) of the DPA 2018) "disclosure by transmission, dissemination or otherwise making available". For the purposes of FOISA, personal data are processed when disclosed in response to a request.

Lawful processing

40. In their submissions to the Commissioner, SFRS stated that the data was considered special category data as defined by Article 9 as the Applicant was looking specifically for information which would identify individuals' ethnic origin. This information was provided on a strictly voluntary basis for monitoring purposes only and the individuals would have no expectation that this information would be disclosed as it is personal to them.

41. As noted above, the information requested relates to those who were unsuccessful in completing the probationary period and the fact that they recognised themselves as BME. Information about a data subject ethnicity is "special category data" for the purposes of Article 9 of the GDPR. The Commissioner is satisfied that the information falls within he definition of special category data. Special category data is afforded more protection by the GDPR.

42. The Commissioner considers that the only situations where it is likely to be lawful to disclose special category data in response to an information request under FOISA are where, in line with Article 9 of the GDPR:

· The data subject has explicitly consented to their personal data being disclosed in response to the information request (condition 2(a)) or

· The personal data has manifestly been made public by the data subject (condition 2(e)).

Condition (a): explicit consent

43. "Consent" is defined in Article 4 of the GDPR as-

"…any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her".

44. In terms of Article 7(1), the data controller (in this case SFRS) must be able to demonstrate that the required consent exists.

45. SFRS stated that the individuals concerned provided their data voluntarily as part of their training process and were provided with a Privacy Notice which provided that they would have no expectation that their data would be disclosed.

46. SFRS confirmed that individuals did not consent to the disclosure of their data.

47. As the request refers to numbers who failed to pass the probationary period, the Commissioner concludes that it would not be appropriate or reasonable for SFRS to contact those individuals to seek consent. As consent has not been freely and explicitly given for the personal data to be disclosed, condition (a) does not allow for the disclosure of the information.

Manifestly made public

48. Neither the SFRS nor the Applicant has suggested that the personal data has manifestly been made public by the data subjects.

49. In the circumstances, the Commissioner has concluded, in the absence of a condition in the GDPR allowing the special category data to be processed, that disclosing the information would be unlawful. As such, he is not required to go on to consider whether disclosure would otherwise be fair and must find that the information is exempt from disclosure under section 38(1)(b) of FOISA.

Decision

The Commissioner finds that Scottish Fire and Rescue Service (SFRS) partially complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant.

SFRS wrongly withheld the number of successful and unsuccessful recruits under section 38(1)(b) of FOISA on the basis that it was personal data.

However, the Commissioner found that SFRS was entitled to withhold the number of BME recruits falling within the unsuccessful category on the basis that it was the exempt from disclosure under section 38(1)(b) of FOISA.

The Commissioner requires SFRS to provide the Applicant with the overall number of successful/unsuccessful recruits by 04 April 2020

Appeal

Should either the Applicant or SFRS wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement

19 February 2020


Appendix 1: Relevant statutory provisions

 

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in -

(a) Article 5(1) of the GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

"the GDPR", "personal data", "processing" and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4), (10), (11) and (14) of that Act);

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

General Data Protection Regulation

Article 4 Definitions

 

For the purposes of this Regulation:

11 "consent" of the data subject means any freely given, specific, informed and

unambiguous indication of the data subject's wishes by which he or she, by a

statement or by a clear affirmative action, signifies agreement to the processing of

personal data relating to him or her.

Article 5 Principles relating to processing of personal data

1 Personal data shall be:

a. processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency")

Article 9 Processing of special categories of personal data

1 Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

2 Paragraph 1 shall not apply if one of the following applies:

a. the data subject has given explicit consent to the processing of those personal data for one or more specific purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

e. processing relates to personal data which are manifestly made public by the data subject;

Data Protection Act 2018

3 Terms relating to the processing of personal data

(2) "Personal data" means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

(3) "Identifiable living individual" means a living individual who can be identified, directly or indirectly, in particular by reference to -

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

(4) "Processing", in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as -

(d) disclosure by transmission, dissemination or otherwise making available.

(subject to subsection (14)(c) and sections 5(7), 29(2) and 82(3), which make

provision about references to processing in the different Parts of this Act).

(5) "Data subject" means the identified or identifiable living individual to whom personal

data relates.

(10) "The GDPR" means Regulation (EU) 2016/679 of the European Parliament and of

the Council of 27 April 2016 on the protection of natural persons with regard to the

processing of personal data and on the free movement of such data (General Data

Protection Regulation).


[1] http://curia.europa.eu/juris/document/document.jsf;jsessionid=9ea7d2dc30d5a43ad9a18e97498382489c6c7fea9de9.e34KaxiLc3qMb40Rch0SaxyKbhf0?text=&docid=184668&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=1077604

PDF IconLink to PDF file of decision 035/2020 (191 kb)

Back to Top