Decision 099/2020: Information regarding a named property

Public authority: Glasgow City Council
Case Ref: 201902123

Summary

The Council was asked about a specified property where another named person lived. The Council withheld the requested information on the basis it was the personal data of the named person and, in this case, exempt from disclosure.

The Commissioner investigated and found that the Council had complied with FOISA in responding to the request.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and 2(e)(ii) (Effect of exemptions); 38(1)(b), (2A), (5) (definitions of "the data protection principles", "data subject", "the GDPR", "personal data" and "processing") and (5A) (Personal information)

General Data Protection Regulation (the GDPR) articles 5(1)(a) (Principles relating to processing of personal data); 6(1)(f) (Lawfulness of processing)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5) and (10) (Terms relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 26 September 2019, the Applicant made a six-part request for information to Glasgow City Council (the Council). The information requested was focused on an upstairs neighbour's flat and any actions taken by the Council in respect of repairs in that flat affecting his flat and the whole building.

2. On 30 October 2019, having received no response to his request, the Applicant wrote to the Council requesting a review of its failure to respond.

3. The Council notified the Applicant of the outcome of its review on 12 November 2019, with an apology for not responding to his request sooner. The Council withheld the information requested by the Applicant under section 38(1)(b) of FOISA, on the basis that the information comprised personal data and disclosure in this case would breach the data protection principles in Article 5(1) of the GDPR.

4. On 19 November 2019, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. The Applicant stated he was dissatisfied with the outcome of the Council's review because, in his view, the context was such that his legitimate interests permitted disclosure of this particular information. 

Investigation

5. The application was accepted as valid. The Commissioner confirmed that the Applicant made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

6. On 22 November 2019, the Council was notified in writing that the Applicant had made a valid application. The Council was asked to send the Commissioner the information withheld from the Applicant. The Council provided the information and the case was allocated to an investigating officer.

7. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Council was invited to comment on this application and to answer specific questions. These related largely to the Council's application of section 38(1)(b) of FOISA.

Commissioner's analysis and findings

8. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both the Applicant and the Council. He is satisfied that no matter of relevance has been overlooked.

Section 38(1)(b) - Personal information

9. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is "personal data" (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the GDPR or (where relevant) in the DPA 2018.

10. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

11. In its review, the Council advised the Applicant that FOISA was not the appropriate route with which to obtain this kind of information which, it believed, could not lawfully be placed in the public domain. It offered the Applicant a meeting to discuss matters.

12. In his application to the Commissioner, the Applicant questioned whether all the information requested was a third party's personal data. The Applicant also wanted information about his own property and about the building itself.

Is the withheld information personal data?

13. The first question the Commissioner must address is whether the information is personal data for the purposes of section 3(2) of the DPA 2018, i.e. any information relating to an identified or identifiable living individual. "Identifiable living individual" is defined in section 3(3) of the DPA 2018 - see Appendix 1. (This definition reflects the definition of personal data in Article 4(1) of the GDPR.)

14. Information will "relate to" a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them or has them as its main focus.

15. An "identifiable living individual" is one who can be identified, directly or indirectly, by reference to an identifier (such as a name) or one or more factors specific to the individual (see section 3(3) of the DPA 2018 in Appendix 1). It is clear that the information withheld in this case (a person's property which is their place of residence) "relates to" an identifiable individual.

16. In his request, the Applicant named the person living at a specified address and asked what action the Council took, as well as whether the named person co-operated with the Council and what action the named person planned to take in relation to the property. All six elements of the request have as their focus some aspect or other of the named person's decision-making and actions concerning works required to their property, or actions to be taken by the Council affecting that property. In conjunction with their name, the Commissioner is satisfied that all parts can be said to relate to the person in question. In the circumstances, the Commissioner can identify no viable way of rendering the data anonymous and thus depriving them of their quality as personal data.

17. The Commissioner therefore concludes that the withheld information is personal data for the purposes of section 3(2) of the DPA 2018.

Would disclosure contravene one of the data protection principles?

18. The Council states that disclosure of this personal data would contravene the first data protection principle (Article 5(1)(a) of the GDPR). Article 5(1)(a) states that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

19. In terms of section 3(4) of the DPA 2018, disclosure is a form of processing. In the case of FOISA, personal data is processed when it is disclosed in response to a request.

20. The Council did not consider any of the conditions in Article 6(1) applied in the circumstances of this case. The Applicant put forward his reasoning why he believed, in the circumstances here, it would be possible to disclose the information he sought under FOISA.

21. The Commissioner must consider if disclosure of the personal data would be lawful. In considering lawfulness, he must consider whether any of the conditions in Article 6 of the GDPR would allow the data to be disclosed. The Commissioner considers condition (f) in Article 6(1) to be the only one which could potentially apply in this case.

Condition (f): legitimate interests

22. Condition (f) states that the processing will be lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data (in particular where the data subject is a child).

23. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.

24. The tests which must be met before Article 6(1)(f) can be met are as follows:

(i) Does the Applicant have a legitimate interest in obtaining the personal data?

(ii) If so, would disclosure of the personal data be necessary to achieve that legitimate interest?

(iii) Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subject (the person to whom the data relate)?

Does the Applicant have a legitimate interest in obtaining the personal data?

25. The Commissioner understands that the Applicant owns and lets an adjacent property to the one which is described in their request. The Applicant described steps he was taking to repair his own property and why this needed to involve the property to which this request relates.

26. The Commissioner recognises the importance of the investigative work being carried out by the Applicant and, in the circumstances, is satisfied that the Applicant has a legitimate interest in the information here to the extent that it affects his own property. To that extent, the Commissioner is prepared to accept that the Applicant has a legitimate interest in disclosure of the personal data.

Is the disclosure of the personal data necessary?

27. Having accepted that the Applicant has a legitimate interest in the personal data, the Commissioner must consider whether disclosure of the personal data is necessary for the Applicant's legitimate interests. In doing so, he must consider whether these interests might reasonably be met by any alternative means.

28. To be "necessary" in this context, disclosure would need to be proportionate as a means (of achieving the Applicant's legitimate interest) and fairly balanced as to ends. The Commissioner must consider whether these interests could be achieved by means which interfere less with the privacy of the data subject.

29. The Commissioner has considered the withheld information. In the circumstances, he accepts that disclosure of the information under consideration here is necessary, in order for the Applicant to both scope and effect repairs to his own property.

30. The Commissioner can identify no viable means of meeting the Applicant's legitimate interests which would interfere less with the privacy of the data subject than disclosing this withheld information.

31. The Commissioner will now consider whether the Applicant's legitimate interest in obtaining the remaining information outweighs the rights of the data subject to privacy.

The data subjects' interests or fundamental rights and freedoms

32. It is necessary to balance the legitimate interests in disclosure against the data subject's interests or fundamental rights and freedoms. In doing so, it is necessary to consider the impact of disclosure. For example, if the data subject would not reasonably expect disclosure to the public under FOISA in response to a request, or if such disclosure would cause unjustified harm, their interests or rights are likely to override the legitimate interests in disclosure. Only if the legitimate interests of the Applicant outweigh those of the data subject can the information be disclosed without breaching the first data protection principle.

33. The Commissioner's guidance on section 38 of FOISA[1] notes factors that should be taken into account in balancing the interests of parties. He makes clear that, in line with Recital (47) of the GDPR, much will depend on the reasonable expectations of the data subjects - and that these are some of the factors public authorities should consider:

(i) Does the information relate to an individual's public life (their work as a public official or employee) or to their private life (their home, family, social life or finances)?

(ii) Would disclosure cause harm or distress?

(iii) Whether the individual has objected to the disclosure.

34. Disclosure under FOISA is public disclosure: information disclosed under FOISA is effectively placed into the public domain.

35. The Commissioner acknowledges that the withheld information relates to the resident's home and to their private life in that home. In consideration of this, significant weight must lean toward withholding the data.

36. The Commissioner has also considered the harm or distress that may be caused by disclosure.

37. The Commissioner received arguments from the Council which explained circumstances regarding the property in question relative to the resident. For reasons of privacy, it is not possible to go into more detail without divulging something of the withheld information.

38. After carefully balancing the legitimate interests of the individual concerned against those of the Applicant, the Commissioner finds that the legitimate interests served by disclosure of the personal data are outweighed by the unwarranted prejudice that would result to the rights and freedoms or legitimate interests of the individual. Condition (f) in Article 6 of the GDPR cannot be met in relation to the withheld personal data.

39. In the absence of a condition in Article 6 of the GDPR allowing personal data to be disclosed, the Commissioner has concluded that disclosing the information would be unlawful.

Fairness

40. Given that the Commissioner has concluded that the processing of personal data would be unlawful, he is not required to go on to consider separately whether disclosure would otherwise be fair and transparent in relation to the data subject.

Conclusion on section 38(1)(b)

41. The Commissioner is satisfied that disclosure would breach the first data protection principle. This means that the information is exempt from disclosure under section 38(1)(b) of FOISA.

Section 36(1)

42. The Council also submitted during the Commissioner's investigation that some information was exempt in terms of section 36(1) of FOISA. As the Commissioner has accepted that section 38(1)(b) was correctly applied in relation to all of the information, he need not go on to consider whether some of that information is also exempt from disclosure under section 36(1).

Decision

The Commissioner finds that Glasgow City Council complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by the Applicant.

Appeal

Should either the Applicant or Glasgow City Council wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement

31 August 2020

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection (1), the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in -

(a) Article 5(1) of the GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

"the GDPR", "personal data", "processing" and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4), (10), (11) and (14) of that Act);

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

General Data Protection Regulation

Article 5 Principles relating to processing of personal data

1 Personal data shall be:

a. processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency")

Article 6 Lawfulness of processing

1 Processing shall be lawful only if and to the extent that at least one of the following applies:

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Data Protection Act 2018

3 Terms relating to the processing of personal data

(2) "Personal data" means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

(3) "Identifiable living individual" means a living individual who can be identified, directly or indirectly, in particular by reference to -

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

(4) "Processing", in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as -

(d) disclosure by transmission, dissemination or otherwise making available.

(5) "Data subject" means the identified or identifiable living individual to whom

personal data relates.

(10) "The GDPR" means Regulation (EU) 2016/679 of the European Parliament and

of the Council of 27 April 2016 on the protection of natural persons with regard

to the processing of personal data and on the free movement of such data (General Data Protection Regulation).



Link to PDF of Decision 099/2020 (228 KB)

Back to Top