Decision 120/2020: Arrangement of an interview

Public authority: NHS Greater Glasgow and Clyde
Case Ref: 201902187

Summary

NHS GGC was asked for the information it held relating to the decision to arrange a particular interview, as well as all information held showing how and why this was arranged without the interviewee's prior knowledge and consent.

NHS GGC refused to disclose information which would fulfil the first part of the request as it considered this to be personal data and, in this case, exempt from disclosure. In response to the second part of the request, NHS GGC notified the Applicant that it did not hold any recorded information.

The Commissioner investigated and found that NHS GGC had partially complied with FOISA in responding to the request. While he was satisfied that NHS GGC was correct to withhold personal data from the Applicant, and to inform the Applicant that no information was held which would fulfil the second part of her request, he found that NHS GGC did not carry out adequate searches prior to responding to the Applicant's request and requirement for review.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (4) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 17(1) (Notice that information is not held); 38(1)(b), (2A), (5) (definitions of "the data protection principles", "data subject", "the GDPR", "personal data" and "processing") and (5A) (Personal information)

General Data Protection Regulation (the GDPR) Articles 4(11) (definition of "consent") (Definitions); 5(1)(a) (Principles relating to processing of personal data); 6(1)(a) and (f) (Lawfulness of processing); 7(1), (2) and (3) (Conditions for consent)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5) and (10) (Terms relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 10 September 2018, the Applicant made a request for information to NHS Greater Glasgow and Clyde (NHS GGC). The information requested was all information held by the Board:

(a) relating to the decision taken to arrange an interview for [ ] at Barlinnie Prison on 31 July 2017.

(b) that shows how and why the interview was arranged without [ ] prior knowledge and consent.

2. NHS GGC responded on 8 October 2018. It confirmed that information was held which would fulfil part (a) of the request, but withheld the information as personal data under section 38(1)(b) (Personal information) of FOISA. In response to part (b) of the request, NHS GGC gave notice, in line with section 17 of FOISA, that the information was not held.

3. On 22 November 2018, the Applicant wrote to NHS GGC, requesting a review of its decision on the basis that no consideration appeared to have been given to conditions (a) and (f) in Article 6 of the GDPR which, in some cases, allow the disclosure of personal data. The Applicant also expressed dissatisfaction with NHS GGC's response, in that it appeared to have failed to recognise that personal data of senior members of staff involved in decision making regarding the interview, as well as the senders and recipients of the emails, would also be included in the withheld information: it had not revealed that this information existed. With regard to information which would fulfil part (b) of the request, the Applicant commented on information she was aware of which led her to believe further searches should be carried out by NHS GGC as she believed relevant information should be held.

4. Following the failure of NHS GGC to respond to her request for review within the statutory timescale, the Applicant applied to the Commissioner for a decision. Following an investigation, the Commissioner's Decision 061/2019 required NHS GGC to provide a response to the Applicant's requirement for review by 28 May 2019.

5. In response to Decision 061/2019, NHS GGC notified the Applicant of the outcome of its review on 28 May 2019. NHS GGC apologised for its failure to respond to the requirement for review within the statutory timescale and informed the Applicant that it was upholding its original response, explaining its position further but not modifying that decision.

6. On 28 November 2019, the Applicant wrote to the Commissioner. The Applicant applied to the Commissioner for a decision in terms of section 47(1) of FOISA. The Applicant was not satisfied that the exemption in section 38(1)(b) had been appropriately considered, submitting that NHS GGC had avoided confirming that it also held and was withholding personal data of staff and officials involved in the decision-making and arrangements for the interview. She did not consider NHS GGC had addressed the question of the data subject's consent adequately and believed NHS GGC held further personal information relating to the data subject which had not already been disclosed. She also questioned NHS GGC's view that she had demonstrated no legitimate interest in receiving the information, when it had sought no explanation from her as to why she considered she did have such an interest. The Applicant also explained, with reasons, why she considered information should be held by NHS GGC which would fulfil part (b) of the request.

Investigation

7. The application was accepted as valid. The Commissioner confirmed that the Applicant made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

8. On 4 December 2019, NHS GGC was notified in writing that the Applicant had made a valid application and the case was allocated to an investigating officer.

9. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. NHS GGC was asked to provide the information withheld from the Applicant, to comment on this application and to answer specific questions. These related to reliance on section 17(1) (Notice that information is not held) and section 38(1)(b) (Personal information) of FOISA for refusing to provide information in response to the Applicant's request.

10. The Applicant was also invited to provide submissions as to why she considered that she had a legitimate interest in receiving the information NHS GGC is withholding in line with section 38(1)(b) of FOISA.

Commissioner's analysis and findings

11. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both the Applicant and NHS GGC. He is satisfied that no matter of relevance has been overlooked.

12. Having looked at the information NHS GGC is seeking to withhold from the Applicant in response to part (a) of her request, the Commissioner is not satisfied that all of this information falls within scope of the request. Specifically he does not agree that the information contained in documents 4, 5, 6, 7 and 8 relates to the matter of the decision to arrange an interview at Barlinnie Prison on 31 July 2017. Consequently, the Commissioner will not consider this information any further.

13. In her application, the Applicant has noted that she does not require the correspondence from the data subject to the Chief Officer of NHS GGC in which they declined to attend the interview. As a result, the Commissioner will not consider the information withheld in document 9 as part of this investigation.

Section 38(1)(b) - Personal information

14. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is "personal data" (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the GDPR or (where relevant) in the DPA 2018.

15. The exemption in section 38(1)(b) of FOISA, applied on the basis of the preceding paragraph, is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1) of FOISA.

16. In order to rely on this exemption, NHS GGC must show that the information being withheld is personal data in terms of section 3(2) of the DPA 2018 and that its disclosure into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles to be found in Article 5(1) of the GDPR.

17. In her application to the Commissioner, the Applicant commented that NHS GGC had avoided confirming that it held and had withheld the personal information of staff and officials involved in the decision-making and arrangements surrounding the Barlinnie Prison interview.

18. She also noted that NHS GGC must be aware that it held personal information of the data subject relating to this matter which had not been disclosed to them. The Applicant submitted that this was information NHS GGC wished to avoid being seen and scrutinised.

19. The Applicant also provided reasons why she considered the withheld personal data should be disclosed.

20. NHS GGC has withheld information which would fulfil part (a) of the Applicant's request, under section 38(1)(b). This includes information identified during further searches carried out during the investigation (see consideration of section 17(1) below, from which it will be apparent that the Commissioner is now satisfied that all information held by NHS GGC and falling within the scope of the request has been identified and located). The Commissioner will also consider (under section 38(1)(b)) information discovered during these further searches to which no exemption has been applied by NHS GGC, where he finds that the information comprises personal data.

Is this information personal data?

21. The first question the Commissioner must address is whether the information is personal data in terms of section 3(2) of the DPA 2018.

22. "Personal data" is defined in section 3(2) of the DPA 2018 as "any information relating to an individual or identifiable living individual." Section 3(3) of the DPA 2018 defines "identifiable living individual" as "a living individual who can be identified, directly or indirectly, in particular by reference to -

(i) an identifier such as name, an identification number, location data or an online identifier, or

(ii) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual."

23. Information will "relate to" a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them, or has them as its main focus.

24. An individual is "identified" or "identifiable" if it is possible to distinguish them from other individuals.

25. NHS GGC has submitted that the withheld information constitutes personal data as it contains information relating to an individual from which the individual (the data subject) can be identified. It is NHS GGC's view that the content of the withheld information is about the data subject and their employment status, and contains identifiers from which that individual can be identified. NHS GGC explained what it considers these identifiers to be.

26. NHS GGC acknowledged that the withheld information also contains the personal data of other individuals who are employees of NHS GGC and West Dunbartonshire Health and Social Care Partnership, but confirmed that it was not withholding these for the purpose of this investigation.

27. Having considered NHS GGC's submissions and the withheld information, the Commissioner accepts that the data subject can be identified from all of the information, given that the focus is the arrangement of an interview for them. He is also satisfied that the information would clearly relate to that person. This includes the additional information for which NHS GGC is not relying on any exemption: it is apparent from reading the content of these communications that they all relate to the arrangement of an interview at Barlinnie Prison for the data subject and so also constitute their personal data. Indeed, given the terms of this part of the request, it is inevitable that anything falling within the scope of the request will be the personal data of that individual.

28. The Commissioner is therefore satisfied that the withheld information is personal data as defined in section 3(2) of the DPA 2018. He does not consider the personal data of others can readily be separated from the withheld personal data.

Would disclosure contravene one of the data protection principles?

29. Article 5(1)(a) of the GDPR requires personal data to be processed "lawfully, fairly and in a transparent manner in relation to the data subject."

30. The definition of "processing" is wide and includes (section 3(4)(d) of the DPA 2018) "disclosure by transmission, dissemination or otherwise making available". For the purposes of FOISA, personal data are processed when disclosed in response to a request. This means that the personal data can only be disclosed if disclosure would be both lawful (i.e. it would meet one of the conditions for lawful processing listed in Article 6(1) of the GDPR) and fair.

31. NHS GGC did not consider any of the conditions in Article 6(1) applied in the circumstances of this case. The Commissioner considers conditions (a) and (f) in Article 6(1) - as claimed by the Applicant - are the only conditions which could potentially apply in this case.

Condition (a): consent

32. Condition (a) states that the processing will be lawful if the data subject has given consent to the processing of his or her personal data for one or more specific purposes. "Consent" is defined in Article 4(11) of the GDPR as-

"…any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her".

33. In terms of Article 7(1), the data controller (in this case NHS GGC) must be able to demonstrate that the required consent exists, presented (where in a written declaration) in a manner which is clearly distinguishable from any other matters covered in that declaration (Article 7(2)). The data subject must also be informed that they can withdraw their consent at any time (Article 7(3)).

34. NHS GGC acknowledged that it received a letter from the data subject on 3 February 2020, in which they referred to the application to the Commissioner under consideration here. NHS GGC noted that the letter confirmed that the data subject consented to the disclosure of any of their personal information being withheld in this case.

35. However, NHS GGC submitted that the consent given in the data subject's letter had not been sought by it and was not, therefore, provided in response to a request to provide informed consent. NHS GGC noted that if it were to seek consent from the data subject (or any individual) for disclosure of personal information, it would seek to ensure that consent fulfilled all of the requirements set out in Article 4 of the GDPR as referred to above. This would include ensuring that the data subject was fully aware that disclosure of their personal information under FOISA would in effect be disclosure into the public domain, not just to the Applicant, but also the wider public.

36. Given that the letter from the data subject was unsolicited, NHS GGC argued that it was not able to satisfy itself, beyond doubt, that the consent was fully informed.

37. Having considered the content of the letter from the data subject, together with Articles 4 and 7 of the GDPR, the Commissioner is not satisfied that the data subject has given specific and informed consent to the processing of their personal data (in particular, its disclosure under FOISA) in response to the Applicant's request.

38. In this regard, the Commissioner has taken account of the Article 29 Working Party's Guidelines on Consent under the GDPR[1] and also the equivalent guidance issued by the UK Information Commissioner[2]. For consent to be considered specific and informed, the data subject must have sufficient information before exercising his or her choice. They must understand what they are consenting to, including the type of data and the purposes and processing operations involved. Consent must be regarded as specific to the purposes for which it is given.

39. Some operations may require more information than others if they are to be understood fully: in the case of disclosure under FOISA, for example, it is of particular significance that disclosure is to the world at large and not simply to one individual or a small group of individuals. Specific and informed consent under such circumstances may require a greater understanding of what is to be disclosed than would be the case in relation to other processing operations.

40. As indicated above, valid consent is also contingent on the data subject having the right to withdraw their consent (and understanding that they have that right). While a withdrawal of consent will only cover future processing and not processing which has already taken place, it must still be a right which is capable of being exercised meaningfully. In the case of information which has been placed in the public domain and over which the data controller has, in effect, relinquished all future control, it must be open to question (to say the least) whether the right to withdraw consent can be considered a remotely meaningful right.

41. The Commissioner is satisfied that the data subject knows the general nature of the data under consideration, but not of its specific content, and that the processing in question would take the form of disclosure to a specific individual (known to them). However, from the information available, the Commissioner is not satisfied that they are fully aware of the public nature of the disclosure. In the circumstances, the Commissioner is not satisfied that the data subject has given specific and informed consent to disclosure. Neither is it apparent that the data subject is aware of their right to withdraw their consent - and, in any case, the illusory nature of that right in the context of disclosure under FOISA must call into question the validity of any consent given for that purpose.

42. In all the circumstances, therefore, the Commissioner is not satisfied that consent meeting the requirements of the GDPR has been (or can be) given in this case, with the result that condition (a) does not allow for disclosure of the withheld information.

Condition (f): legitimate interests

43. Condition (f) states that the processing will be lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data (in particular where the data subject is a child).

44. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.

45. The tests which must be met before Article 6(1)(f) can be met are as follows:

(i) Does the Applicant have a legitimate interest in obtaining the personal data?

(ii) If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?

(iii) Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subject?

Does the Applicant have a legitimate interest in obtaining the personal data?

46. The Applicant described the background to the information request. She noted various factors of which she considered NHS GGC should have been aware when determining whether she had a legitimate interest in receiving the withheld information. It was wrong, she believed, to conclude that she demonstrated no legitimate interest in the withheld information.

47. In particular, the Applicant submitted that disclosure of the withheld information would enhance scrutiny of the NHS GGC's actions, not only by herself but also other members of the public. The Applicant also considered that disclosure of the requested information would not involve an unwarranted level of intrusion of privacy.

48. The Applicant believed it most important that all of the information covered by her request was disclosed, as a record of another part of something that happened which had an impact on many. She submitted that if this information were not disclosed the decision makers and their advisers within NHS GGC would escape scrutiny of their actions and influence and - as a result - other employees, particularly those who raised safety concerns, would be more likely to be treated in a similar way, leading to similar damage to them and others.

49. In the Applicant's view, disclosure - in addition to enabling transparency and accountability of the controlling mind behind the decision-making - might be preventative and enable some protection of others in future. For these reasons, she considered it important to her and of value to the public that the information be disclosed.

50. NHS GGC submitted that it had not identified any legitimate interests the Applicant might have in seeking the information. It did not consider disclosure of the information necessary to achieve any legitimate interest the Applicant might have. NHS GGC was of the view that the Applicant could either obtain this information directly from the data subject, or the data subject could exercise their rights to obtain it via a Subject Access Request under the GDPR.

51. The Commissioner understands that the Applicant is concerned about the processes followed by NHS GGC in relation to its employment practices, specifically around the treatment of the data subject. The Commissioner accepts in the circumstances that the Applicant has a legitimate interest in understanding the decision-making and processes followed, as have the wider public in being assured that these were appropriate. However, having considered the content of the withheld personal data, the Commissioner is not satisfied that any of it has a direct enough bearing on the matters of concern to the Applicant to fulfil that legitimate interest.

52. Furthermore, the Commissioner cannot accept that the public interest expressed by the Applicant in relation to the protection of employees who raise safety concerns, and the impact of NHS GGC's decisions on them and others, would be fulfilled by disclosure of the withheld information.

53. Having concluded that the withheld personal data would not contribute to the legitimate interest identified in this case, the Commissioner is not required to consider whether the other tests set out in paragraph 45 above can be met.

54. The Commissioner therefore concludes that there is no condition in Article 6 of the GDPR allowing the personal data to be disclosed, with the result that he must conclude that disclosure would be unlawful.

55. Given that the Commissioner has concluded that the processing of the personal data would be unlawful, he is not required to go on to consider separately whether disclosure of such personal data would be otherwise fair and transparent in relation to the data subject.

Conclusion on the data protection principles

56. For the reasons set out above, the Commissioner is satisfied that disclosure of the personal data under consideration here would breach the data protection principle in Article 5(1)(a) of the GDPR. Consequently he is satisfied that the personal data are exempt from disclosure under section 38(1)(b) of FOISA.

Section 17 - Notice that information is not held

57. In terms of section 1(4) of FOISA, the information to be provided in response to a request under section 1(1) is that falling within the scope of the request and held by the authority at the time the request is received. This is subject to qualifications, but these are not applicable here. If no such information is held by the authority, section 17(1) of FOISA requires the authority to give the applicant notice in writing to that effect.

58. "Information" is defined in section 73 of FOISA as "information recorded in any form". Given this definition, it is clear that FOISA does not require a public authority to create recorded information in order to respond to a request, or to provide information which is not held in a recorded form (e.g. about a person's intentions or opinions).

59. The standard of proof to determine whether a Scottish public authority holds information is the civil standard of the balance of probabilities. In determining where the balance of probabilities lies, the Commissioner considers the scope, quality, thoroughness and results of the searches carried out by the public authority. He also considers, where appropriate, any reason offered by the public authority to explain why it does not hold the information. While it may be relevant as part of this exercise to explore expectations about what information the authority should hold, ultimately the Commissioner's role is to determine what relevant recorded information is (or was, at the time the request was received) actually held by the public authority.

60. As mentioned already, NHS GGC notified the Applicant, in line with section 17(1) of FOISA, that it did not hold any recorded information which would fulfil part (b) of her request. In part (b) of her request, the Applicant asked for all information held by the Board showing how and why the interview was arranged without the prior knowledge and consent of the individual concerned.

Submissions from Applicant

61. In her request for review, the Applicant commented that the interview with the prison could not have been arranged without a decision being taken to arrange it and communication internally and with the Scottish Prison Service. In her application, the Applicant named individuals within NHS GGC she believed would have been party to such correspondence.

62. The Applicant also disputed NHS GGC's suggestion that she was aware of the interview being arranged and considered all information held by NHS GGC, relating to the planning and arrangement of the interview, created and dated prior to the invitation to attend the interview, would come within scope of her request.

Submissions from NHS GGC

63. In seeking to respond to this part of the Applicant's request, NHS GGC explained that it had located all recorded information it held relating to the arrangements made for the individual in question to attend an interview at HMP Barlinnie. Having reviewed this correspondence, NHS GGC submitted that it found no information which would relate to arrangements being made without the individual's prior knowledge and consent. NHS GGC went on to submit that to be able to answer the questions "how" and "why" it would have to establish that the arrangements were actually made without the data subject's prior knowledge or consent. It did not consider any recorded information it had identified demonstrated this. Therefore, NHS GGC concluded that it did not hold any recorded information which would fulfil this part of the Applicant's request.

64. In any case, NHS GGC considered any information it held relating to the interview was captured within part (a) of the Applicant's request. As a consequence, NHS GGC submitted that its efforts in seeking to answer part (b) of the request were focused on the question of "without his prior knowledge and consent", given that the decision to arrange an interview was the focus of the first part of the request.

65. NHS GGC detailed the searches carried out in response to the Applicant's request and requirement for review. These included searches of relevant systems by key members of staff, considered most likely to have been involved in the arrangements for the interview. NHS GGC explained that it asked these same personnel to carry out further searches during the course of the Commissioner's investigation. The outcome of these further searches was that additional information relevant to part (a) of the request was located. This has already been considered under section 38(1)(b) of FOISA.

66. During the investigation, NHS GGC was asked to undertake further searches of recorded information that might be held by personnel the data subject was due to meet in the course of their interview. These individuals had not been involved in carrying out earlier searches.

67. As a consequence of these further searches, NHS GGC identified further information, falling within scope of part (a) of the request. It confirmed that it was relying on the exemption in section 38(1)(b) of FOISA for withholding some of this (see above).

68. The Commissioner understands that NHS GGC is not relying on the exemption in section 38(1)(b) of FOISA for all of this additional information. Having considered the additional information, however, he has found all of it to be the personal data of the data subject (see above) and so has considered it under section 38(1)(b) of FOISA.

Commissioner's conclusions on section 17(1)

69. Having considered all relevant submissions, the Commissioner is satisfied that, by the end of the investigation, NHS GGC had taken adequate and appropriate steps to establish whether it held any recorded information to fulfil part (b) of the request.

70. The Commissioner acknowledges that any information held by NHS GGC about the arrangement of the interview would have been captured by the terms of part (a) of the Applicant's request. He therefore accepts that NHS GGC was correct to focus on the question of "without prior knowledge or consent" when considering which of this information fell within the scope of part (b) of the request. The Commissioner considers the searches described by NHS GGC would have been capable of identifying any information held relevant to part (b) (and, therefore, part (a)) of the request.

71. As explained previously, the Commissioner can only consider what relevant information is actually held by NHS GGC (or was held, at the time it received the Applicant's request). He cannot consider what information it should hold, or what the Applicant believes it should hold.

72. The Commissioner is therefore satisfied, on the balance of probabilities, that NHS GGC does not (and did not, on receipt of the request) hold recorded information which would fulfil part (b) of the Applicant's request. However, in failing to carry out adequate searches prior to responding to the Applicant's request and requirement for review, the Commissioner finds that NHS GGC failed to comply with section 1(1) of FOISA, in relation to the request as a whole. Given that NHS GGC carried out further searches before the end of the investigation, the Commissioner does not require it to take any action in relation to this breach.

Decision

The Commissioner finds that NHS Greater Glasgow and Clyde (NHS GGC) partially complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant.

The Commissioner finds that by relying on the exemption in section 38(1)(b) of FOISA for withholding personal data which would fulfil part (a) of the Applicant's request, NHS GGC complied with Part 1.

The Commissioner also finds that NHS GGC was correct to notify the Applicant - in line with section 17(1) of FOISA - that no information was held by it which would fulfil part (b) of the request.

However, he also finds that NHS GGC did not carry out adequate searches to determine what recorded information it held before it responded to the Applicant's request and requirement for review and, in doing so, failed to comply with section 1(1) of FOISA.

Given that adequate searches were carried out by the end of the investigation, the Commissioner does not require NHS GGC to take any action in respect of this failure, in response to the Applicant's application.

Appeal

Should either the Applicant or NHS GGC wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Enforcement

If NHS GGC fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that NHS GGC has failed to comply. The Court has the right to inquire into the matter and may deal with NHS GGC as if it had committed a contempt of court.

Margaret Keyse
Head of Enforcement

5 October 2020

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(4) The information to be given by the authority is that held by it at the time the request is received, except that, subject to subsection (5), any amendment or deletion which would have been made, regardless of the receipt of the request, between that time and the time it gives the information may be made before the information is given.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

17 Notice that information is not held

(1) Where-

(a) a Scottish public authority receives a request which would require it either-

(i) to comply with section 1(1); or

(ii) to determine any question arising by virtue of paragraph (a) or (b) of section 2(1),

if it held the information to which the request relates; but

(b) the authority does not hold that information,

it must, within the time allowed by or by virtue of section 10 for complying with the request, give the applicant notice in writing that it does not hold it.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A));

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

….

(5) In this section-

"the data protection principles" means the principles set out in -

(a) Article 5(1) of the GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

"the GDPR", "personal data", "processing" and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4), (10), (11) and (14) of that Act);

….

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

General Data Protection Regulation

Article 4 Definitions

11 "consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Article 5 Principles relating to processing of personal data

1 Personal data shall be:

a. processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency")

Article 6 Lawfulness of processing

1 Processing shall be lawful only if and to the extent that at least one of the following applies:

a. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

Article 7 Conditions for consent

1 Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

2 If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

3 The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

Data Protection Act 2018

3 Terms relating to the processing of personal data

(2) "Personal data" means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

(3) "Identifiable living individual" means a living individual who can be identified, directly or indirectly, in particular by reference to -

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

(4) "Processing", in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as -

(d) disclosure by transmission, dissemination or otherwise making available.

(5) "Data subject" means the identified or identifiable living individual to whom personal data relates.

(10) "The GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).


