Decision 013/2021: Processing of FOI request

Public authority: University of Edinburgh
Case Ref: 201901929

Summary

The University was asked how the Applicant's earlier FOI requests had been processed. The University disclosed information, but withheld some personal data. The Commissioner found that the University was entitled to withhold the personal data.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1) and (2)(e) (Effect of exemptions); 38(1)(a) and (b), (2A)(a), (5) (definitions of "the data protection principles", "data subject", "personal data", "processing" and "the UK GDPR") and (5A) (Personal information)

United Kingdom General Data Protection Regulation (the UK GDPR) articles 4 (1) and (11) (Definitions); 5(1)(a) (Principles relating to processing of personal data); 6(1)(a) and (f) (Lawfulness of processing); 7(1) (Conditions for consent); 15(1) (Right of access by the data subject)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5) and (10) (Terms relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 5 March 2019, the Applicant made a request for information to the University of Edinburgh (the University). The Applicant sought information relating to the handling of previous information requests.

2. The University responded on 1 April 2019. It gave detailed explanations of the processes, etc. used. It provided the Applicant with copies of correspondence, with personal data redacted.

3. On 1 May 2019, the Applicant wrote to the University requesting a review of its decision. She believed her concerns had not been addressed as the correspondence had been heavily redacted.

4. The University notified the Applicant of the outcome of its review on 22 May 2019. It upheld the original response and provided further explanation of which staff were involved in the processing of requests and why. It also explained further why some information (including the Applicant's personal data and personal data of University staff) had been redacted. It provided further detail on who information was shared with and why in dealing with the request.

5. On 17 October 2019, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. The Applicant stated she was dissatisfied with the outcome of the University's review because she believed responses were too heavily redacted.

Investigation

6. The application was accepted as valid. The Commissioner confirmed that the Applicant made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

7. On 6 November 2019, the University was notified in writing that the Applicant had made a valid application. The University was asked to send the Commissioner the information withheld from the Applicant. The University provided the information and the case was allocated to an investigating officer.

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The University was invited to comment on this application and to answer specific questions in relation to the exemptions it had relied on to withhold information from the Applicant.

Commissioner's analysis and findings

9. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both the Applicant and the University. He is satisfied that no matter of relevance has been overlooked.

10. The University confirmed that it considered the information withheld to be:

(i) the personal data of the Applicant and exempt under section 38(1)(a)

(ii) personal data of third parties (the subjects of the requests and junior members of staff below management level) and exempt under section 38(1)(b).

Section 38(1)(a) - the Applicant's personal data

11. Section 38(1)(a) of FOISA contains an absolute exemption in relation to personal data of which the applicant is the data subject. (The fact that it is absolute means that it is not subject to the personal interest test set out in section 2(1) of FOISA.)

12. This exemption exists under FOISA because individuals have a separate right to make a request for their own personal data under the UK GDPR/DPA 2018. This route is more appropriate for individuals accessing their personal data as it ensures the information is disclosed only to the individual. Disclosure under FOISA is considered disclosure into the public domain.

13. Therefore, section 38(1)(a) of FOISA does not deny individuals a right to access information about themselves, but ensures that the right is exercised under the correct legislation (the UK GDPR/DPA 2018) and not under FOISA.

Is the information withheld personal data?

14. Personal data are defined in section 3(2) of the DPA 2018 which, read with section 3(3) incorporates the definition of personal data in Article 4(1) of the UK GDPR:

"…any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"

The definition of personal data is set out in full in Appendix 1.

15. Information which could identify individuals will only be personal data if it relates to those individuals. Information will "relate to" a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them or has them as its main focus.

16. The Commissioner has considered the information that falls within the scope of the Applicant's request and the submissions received. The Commissioner accepts that the information withheld by the University under this exemption is the personal data of the Applicant: the Applicant can be identified from the information and the information clearly relates to her.

17. In the circumstances, the Commissioner is satisfied that the University was entitled to withhold the personal data under section 38(1)(a) of FOISA.

Section 38(1)(b) - third party personal data

18. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A), exempts information from disclosure if it is "personal data" (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR or (where relevant) in the DPA 2018.

19. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

Is the information withheld personal data?

20. The first question that the Commissioner must address is whether the information withheld is personal data for the purposes of section 3(2) of the DPA 2018 - see the definition in Appendix 1.

21. The University has withheld the names and email addresses of the individuals involved in processing the Applicant's requests and other information about the subjects of her requests. Having considered the information withheld from the Applicant under section 38(1)(b), the Commissioner is satisfied that it is personal data: it relates to identified or identifiable individuals.

Would disclosure contravene one of the data protection principles?

22. The University has argued that disclosure of this data would breach Article 5(1)(a) of the UK GDPR, which requires personal data to be processed "lawfully, fairly and in a transparent manner in relation to the data subject". The definition of "processing" is wide and includes "disclosure by transmission, dissemination or otherwise making available" (section 3(4)(d) of the DPA 2018). In the case of FOISA, personal data are processed when disclosed in response to a request. Personal data can only be disclosed if disclosure would be both lawful (i.e. if it would meet one or more of the conditions of lawful processing listed in Article 6(1) of the UK GDPR) and fair.

23. The Commissioner will first consider whether any of the conditions in Article 6(1) can be met. Generally, when considering whether personal data can lawfully be disclosed under FOISA, only conditions (a) (consent) and (f) (legitimate interests) are likely to be relevant. Both are considered below.

Condition (a): consent

24. Condition (a) states that processing will be lawful if the data subject has given consent to the processing of the data for one or more specific purposes. "Consent" is defined in Article 4(11) of the UK GDPR as:

"…any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her".

25. In terms of Article 7(1), the data controller (in this case, the University) must be able to demonstrate that the required consent exists.

26. The University advised the Commissioner that it did not have consent to disclose the information and that it did not consider that it appropriate to ask the data subjects for their consent.

27. The Commissioner is satisfied that there was no requirement on the University to seek consent for disclosure.

28. In all the circumstances, the Commissioner is satisfied that the University does not have consent to disclose the personal data, with the result that condition (a) cannot be met.

Condition (f): legitimate interests

29. Condition (f) states that processing will be lawful if it "…is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data …"

30. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.

31. The tests which must be met before Article 6(1)(f) can be met are as follows:

  • Does the Applicant have a legitimate interest in obtaining the personal data?
  • If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?
  • Even if the processing would be necessary to achieve the legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subjects?

32. There is no presumption in favour of the disclosure of personal data under the general obligation laid down by section 1(1) of FOISA. Accordingly, the legitimate interests of the Applicant must outweigh the rights and freedoms or legitimate interests of the data subjects before condition (f) will permit the data to be disclosed. If the two are evenly balanced, the Commissioner must find that the University was correct to refuse to disclose the personal data to the Applicant.

33. The University submitted that it did not consider that the Applicant has a legitimate interest in the disclosure of the third parties' personal data. It provided details of its employee privacy notice which states with whom and why the University may share employees' details with third parties. This includes the following statement:

Individuals who exercise their legal right to access recorded information held by the University under information legislation, particularly the Freedom of Information (Scotland) Act 2002 and data protection law (General Data Protection Regulation (GDPR) and Data Protection Act 2018). The University will normally only disclose work-related or professional information about its members of staff and will inform or consult any members of staff concerned where disclosure would not reasonably be expected.

The University explained that staff members below the grade of manager would not reasonably expect their contact details to be disclosed to the general public. Their contact details were, therefore, redacted. This was considered appropriate in particular as their identities were incidental to the request response.

34. The University told the Commissioner that it had explained to the Applicant that information about her requests had been shared with individuals to allow them to identify, collate and provide the information she had requested and with the individuals her requests had been about. The University considered this was sufficient to meet any legitimate interests of the Applicant.

35. However, having considered the background to the requests and the Applicant's concerns, the Commissioner accepts that the Applicant has a legitimate interest in how her FOI requests were conducted and with whom her personal data had been shared for that purpose.

36. Having accepted that the Applicant has a legitimate interest in the personal data, the Commissioner must consider whether disclosure of those personal data is necessary for the Applicant's legitimate interests. In doing so, he must consider whether these interests might be reasonably be met by any alternative means.

37. The Commissioner has considered this carefully in light of the decision by the Supreme Court in South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55[1]. In this case, the Supreme Court stated (at paragraph 27):

A measure which interferes with a right protected by Community law must be the least restrictive for the achievement of a legitimate aim. Indeed, in ordinary language we would understand that a measure would not be necessary if the legitimate aim could be achieved by something less.

38. "Necessary" means "reasonably" rather than "absolutely" or "strictly" necessary. When considering whether disclosure would be necessary, public authorities should consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the requester's legitimate interests can be met by means which interfere less with the privacy of the data subject.

39. The Commissioner notes that the University provided the Applicant with a detailed description of what was shared, who it was shared with and why, and with a timeline. Having reviewed the details provided, the Commissioner is satisfied that the Applicant's legitimate interests have been satisfied in the provision of this information. Consequently, the Commissioner does not consider it necessary to disclose the remaining personal data to satisfy the legitimate interests identified.

40. In the circumstances of this case, as the Applicant's legitimate interest have been satisfied by the explanations provided, the Commissioner concludes that condition (f) in Article 6(1) of the UK GDPR cannot be met in relation to the withheld personal data. Disclosure would therefore be unlawful.

Fairness and transparency

41. Given the Commissioner's finding that processing would be unlawful, he is not required to go on to consider separately whether disclosure of the personal data would otherwise be fair or transparent in relation to the data subjects.

42. The Commissioner, therefore, finds no condition in Article 6(1) of the UK GDPR can be met and disclosure of the information requested would contravene Article 5(1)(a) of the UK GDPR. The information was therefore properly withheld under section 38(1)(b) of FOISA.

Other matters

43. The Applicant has made it clear that she considers the sharing of her personal data with the University staff dealing with the request (and with the subjects of her request) to be inappropriate. She also considers that her personal data has been misused. However, this is not a matter within the Commissioner's remit.

Decision

The Commissioner finds that the University of Edinburgh complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by the Applicant.

Appeal

Should either the Applicant or the University of Edinburgh wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement
25 January 2021

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(b) in all the circumstances of the case, the public interest in disclosing the information is not outweighed by that in maintaining the exemption.

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(i) paragraphs (a), (c) and (d); and

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

38 Personal information

(1) Information is exempt information if it constitutes-

(a) personal data of which the applicant is the data subject;

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(5) In this section-

"the data protection principles" means the principles set out in -

(a) Article 5(1) of the UK GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

"personal data" and "processing" have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act);

"the UK GDPR" has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act).

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

United Kingdom General Data Protection Regulation

4 Definitions

For the purposes of this Regulation:

(1) 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

(11) 'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

5 Principles relating to processing of personal data

1 Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency")

6 Lawfulness of processing

1 Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

7 Conditions for consent

1 Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data.

15 Right of access by the data subject

1 The data subject shall have the right to obtain from the controller information as to whether or not personal data concerning him or her are being processed, and where that is the case, access to the personal data …

Data Protection Act 2018

3 Terms relating to the processing of personal data

(2) "Personal data" means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

(3) "Identifiable living individual" means a living individual who can be identified, directly or indirectly, in particular by reference to -

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

(4) "Processing", in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as -

(d) disclosure by transmission, dissemination or otherwise making available.

(5) "Data subject" means the identified or identifiable living individual to whom personal data relates.

(10) "The UK GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4).



Link to PDF of Decision 013/2021 (194 KB)

Back to Top