Decision 154/2018: Mr D and Fife Council

Officer suspension details and outcomes

Reference No: 201800554

Decision Date: 5 October 2018

Summary

The Council was asked for information relating to Council Officers, in specific services, suspended due to allegations of gross misconduct.

The Council withheld the information under section 38(1)(b) of FOISA, considering it to be personal data exempt from disclosure.

The Commissioner investigated and agreed that the information was exempt from disclosure.

  Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (4) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2)(a)(i), (2)(b) and (5) (definitions of "data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA 1998) sections 1(1) (Basic interpretative provision) (definition of personal data), (2)(g) (definitions of "sensitive personal data"); Schedules 1 (The data protection principles, Part 1 - the principles) (the first data protection principle); 3 (Conditions relevant for purposes of the first principle: processing of sensitive personal data (conditions 1 and 5))

Data Protection Act 2018 (the DPA 2018) Schedule 20 (Transitional provision etc - paragraph 56)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

  Background

1. On 13 November 2017, Mr D made a request for information to Fife Council (the Council). He asked for information about Council officers employed in specific services within the Council who were suspended due to allegations of gross misconduct in the calendar years 2014, 2015 and 2016 including:

· Year of suspension

· Officer's department/section

· Nature of allegation e.g. dishonesty, fraud, inappropriate sexual behaviour, violence etc.

· Total working days suspended

· Outcome of disciplinary investigation.

2. The Council responded on 19 December 2017. The Council withheld the information under section 38(1)(b) of FOISA, stating that it was possible that a specific individual (or specific individuals) would be identifiable from the data.

3. On 9 February 2018, Mr D wrote to the Council requesting a review of its decision. He considered the Council's decision to be unjustified, as he had only requested information on numbers of officers suspended in particular services; in his view, he had not requested information specific enough to identify individuals, such as salary or name or post. Mr D stated that he was aware that investigations of gross misconduct are carried out under the strictest confidentiality; he believed that this would make the identification of individuals unlikely.

4. The Council notified Mr D of the outcome of its review on 15 March 2018. The Council upheld the original decision. It stated that, although no personal names were included in the information, due to the number involved (less than five) and the size of the relevant Council services teams, it might be possible for colleagues or other third parties to be able to identify the individual(s) affected.

5. On 27 March 2018, Mr D applied to the Commissioner for a decision in terms of section 47(1) of FOISA. Mr D was dissatisfied with the outcome of the Council's review because he was seeking only the numbers of officers and had not, in his view, requested information which might reasonably be used to identify an individual. He stated that "disclosure of this information may lead to speculation on the identity of individuals," but he did not consider this would constitute an unwarranted intrusion of privacy.

  Investigation

6. The application was accepted as valid. The Commissioner confirmed that Mr D made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

7. On 2 May 2018, the Council was notified in writing that Mr D had made a valid application. The Council was asked to send the Commissioner the information withheld from Mr D. The Council provided the information and the case was allocated to an investigating officer.

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Council was invited to comment on this application and answer specific questions including justifying its reliance on any provisions of FOISA it considered applicable to the information requested.

9. Mr D was asked for his comments on his legitimate interest in obtaining the withheld personal data. He provided a response, and argued that similar information had been disclosed in response to other, specified, requests. (The Commissioner notes that the examples provided by Mr D to the Commissioner involved council-wide requests made to local authorities which did not, as in this case, focus on a small number of specified services within the local authorities.)

  Commissioner's analysis and findings

10. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both Mr D and the Council. He is satisfied that no matter of relevance has been overlooked.

Data Protection Act 2018 (Transitional provisions)

11. On 25 May 2018, the DPA 1998 was replaced by the DPA 2018. The DPA 2018 amended section 38 of FOISA. It also introduced a set of transitional provisions which set out what should happen where a public authority dealt with an information request before FOISA was amended on 25 May 2018, but where the matter is being considered by the Commissioner after that date.

12. In line with paragraph 56 of Schedule 20 to the DPA 2018 (see Appendix 1), if an information request was dealt with before 25 May 2018 (as is the case here), the Commissioner must consider the law as it was before 25 May 2018 when determining whether the authority dealt with the request in accordance with Part 1 of FOISA.

13. Paragraph 56 of Schedule 20 goes on to say that, if the Commissioner concludes that the request was not dealt with in accordance with Part 1 of FOISA (as it stood before 25 May 2018), he cannot require the authority to take steps which it would not be required to take in order to apply with Part 1 of FOISA on or after 25 May 2018.

14. The Commissioner will therefore consider whether the Council was entitled to apply the exemption in section 38(1)(b) of FOISA under the old law. If he finds that the Council was not entitled to withhold the information under the old law, he will only order the Council to disclose the information if disclosure would not now be contrary to the new law.

Section 38(1)(b) of FOISA (Personal Information)

15. Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or, as appropriate, section 38(2)(b), exempts information from disclosure if it is "personal data" (as defined in section 1(1) of the DPA 1998) and its disclosure would contravene one or more of the data protection principles set out in Schedule 1 to the DPA 1998.

16. The exemption in section 38(1)(b) of FOISA is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

17. In order to rely on this exemption, the Council must show that the information being withheld is personal data for the purposes of the DPA 1998 and that its disclosure into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles to be found in Schedule 1 to the DPA 1998. The Council considered disclosure of the information would breach the first data protection principle.

Is the withheld information personal data?

18. "Personal data" are defined in section 1(1) of the DPA 1998 as "data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller" (the full definition is set out in Appendix 1).

19. The Council submitted that disclosure of the withheld information would allow the public to obtain information about an identifiable, living individual or individuals. Given the number involved, this information, combined with the other information requested, would make it possible to identify the individual or individuals. The Council considered that disclosure of the information would provide sufficient information for colleagues, family and friends of the individual(s) to draw conclusions about their identity. Further detailed submissions were provided by the Council to explain how the individual(s) could be identified. These submissions are not replicated here, as to do so could have the effect of identifying any individual(s) concerned, but they were detailed and specific.

20. The Council argued that, if an individual was identified, the information requested by Mr D would also reveal the reason for that individual's suspension and the outcome.

21. Mr D submitted that he was not seeking personal information, but statistical information. He did not consider that the information he had requested could reasonably be used to identify an individual or allow colleagues and third parties to identify individuals.

22. The withheld information clearly relates to one or more living individuals. Having considered the submissions received from the Council and Mr D, and the withheld information, the Commissioner accepts the arguments put forward by the Council, and is satisfied that it would be possible for a determined individual to identify the living individual(s) covered by the request, if the information was combined with other information likely to be accessible to Mr D (and others). Consequently, the Commissioner accepts that the statistical information requested by Mr D is personal data, as defined by section 1(1) of the DPA 1998.

Is the information under consideration sensitive personal data?

23. The Council submitted that the withheld information constituted sensitive personal data. The Council specified that, due to the reasons for the suspension of the individual(s), the personal data related to "the commission or alleged commission of an offence" and therefore fell within the definition of sensitive personal data in section 2(g) of the DPA 1998.

24. In this case, the Commissioner is satisfied that all of the withheld personal data falls into the category of sensitive personal data listed in section 2(g) of the DPA 1998 (see Appendix 1).

Would disclosure of the personal data contravene the first data protection principle?

25. In its submissions, the Council argued that disclosure of the withheld personal data would contravene the first data protection principle, which requires that personal data are processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions of Schedule 2 to the DPA 1998 is met. In the case of sensitive personal data at least one of the conditions in Schedule 3 to the DPA 1998 must also be met. The processing in this case would comprise making the information publicly available in response to Mr D's request.

26. Given the additional restrictions surrounding the disclosure of sensitive personal data, it is necessary in this case to consider whether there are any conditions in Schedule 3 which would permit the data to be disclosed, before considering the Schedule 2 conditions.

27. The conditions listed in Schedule 3 to the DPA 1998 have been considered by the Commissioner, as have additional conditions for processing sensitive personal data contained in legislation such as the Data Protection (Processing of Sensitive Personal Data) Order 2000. None of these additional conditions have been identified as potentially applicable in this case.

28. The Commissioner's guidance on section 38(1)(b)[1] of FOISA notes that the conditions in Schedule 3 are very restrictive in nature and that, generally, only the first and fifth conditions are likely to be relevant when considering a request for sensitive personal data under FOISA.

29. Condition 1 allows processing where the data subject has given explicit (and fully informed) consent to the processing (which in this case would be the disclosure into the public domain in response to Mr D's request). Condition 5 allows processing where information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.

30. The Council has stated that, due to the nature of the suspension(s) and disciplinary investigation(s) in these cases, it would not be appropriate for them to seek to contact the individual(s) involved to seek consent. The Commissioner accepts that, in the circumstances of this case, it would not be reasonable or appropriate to seek consent from the data subject(s) for disclosure of personal data, and that condition 1 cannot be met in this case.

31. He is also satisfied that none of the information under consideration has been made public as a result of steps deliberately taken by the data subject(s), and so condition 5 cannot be met in this case.

32. Having reached these conclusions, and also having concluded that no other condition in Schedule 3 to the DPA 1998 (or any other legislation) applies in the circumstances of this case, the Commissioner finds that there are no conditions which would allow the sensitive personal data to be disclosed.

33. In the absence of a condition in Schedule 3 permitting sensitive personal data to be disclosed, the Commissioner must find that the disclosure would be unfair and in the absence of such a condition, disclosure would also be unlawful. Consequently, disclosure of the sensitive personal data would contravene the first data protection principle. The Commissioner therefore finds that the Council was correct to withhold the information requested by Mr D, as it was exempt from disclosure under section 38(1)(b) of FOISA.

Transitional provisions

34. Given that the Commissioner has found that the Council complied with Part 1 of FOISA (as it stood before 25 May 2018) in responding to the request by Mr D, he is not required to go on to consider whether disclosure would breach Part 1 of FOISA as it currently stands.

 Decision

The Commissioner finds that the Council complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by Mr D.

  Appeal

Should either Mr D or the Council wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement

5 October 2018

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

 

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(4) The information to be given by the authority is that held by it at the time the request is received, except that, subject to subsection (5), any amendment or deletion which would have been made, regardless of the receipt of the request, between that time and the time it gives the information may be made before the information is given.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act

Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

2 Sensitive personal data

(g) the commission or alleged commission by [the data subject] of any offence, or

Schedule 1 - The data protection principles

Part I - The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

Schedule 3 - Conditions relevant for purposes of the first principle: processing of sensitive personal data

1. The data subject has given his explicit consent to the processing of the personal data.

5. The information contained in the personal data has been made public as a result of steps deliberately taken by the subject.

Data Protection Act 2018

Schedule 2 - Transitional provision etc

56 Freedom of Information (Scotland) Act 2002

(1) This paragraph applies where a request for information was made to a Scottish public authority under the Freedom of Information (Scotland) Act 2002 ("the 2002 Act") before the relevant time.

(2) To the extent that the request is dealt with after the relevant time, the amendments of the 2002 Act in Schedule 19 to this Act have effect for the purposes of determining whether the authority deals with the request in accordance with Part 1 of the 2002 Act.

(3) To the extent that the request was dealt with before the relevant time -

(a) the amendments of the 2002 Act in Schedule 19 to this Act do not have effect for the purposes of determining whether the authority deals with the request in accordance with Part 1 of the 2002 Act as amended by Schedule 19 to this Act, but

(b) the powers of the Scottish Information Commissioner and the Court of Session, on an application or appeal under the 2002 Act, do not include power to require the authority to take steps which it would not be required to take in order to comply with Part 1 of the 2002 Act as amended by Schedule 19 to this Act.

(4) In this paragraph -

"Scottish public authority" has the same meaning as in the 2002 Act;

"the relevant time" means the time when the amendments of the 2002 Act in Schedule 19 to this Act come into force.


Link to PDF of Decision 154/2018 (194 KB)

Back to Top