Decision 125/2021: Court records related to trial of named individual

Public authority: Scottish Courts and Tribunals Service
Case Ref: 202001471

Summary

The Scottish Courts and Tribunals Service (SCTS) was asked for information regarding the trial of a named individual. The SCTS withheld the information, as it considered the information to be third party personal data and, in this case, to be exempt from disclosure.

The Commissioner investigated and found that the SCTS was entitled to withhold this information.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2A), (5) (definitions of "the data protection principles", "data subject", "the GDPR", "personal data" and "processing") and (5A) (Personal information)

United Kingdom General Data Protection Regulation (the UK GDPR) Articles 4(1) (definition of "personal data" (Definitions); 5(1)(a) (Principles relating to processing of personal data); 10 (Processing of personal data relating to criminal convictions and offences)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5), (10) and (14) (Terms relating to the processing of personal data); 10(4) and (5) (Special categories of personal data and criminal convictions etc data); 11(2) (Special categories of personal data etc: supplementary)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 22 October 2020, the Applicant made a request for information to the Scottish Courts and Tribunals Service (the SCTS). The information requested was documentation, including any court records / evidence / judgements in the case of a High Court trial in 2004 of a named individual.

2. The SCTS responded on 11 November 2020. It stated that the information was the personal data of other individuals and exempt from disclosure under section 38(1)(b) of FOISA.

3. On 12 November 2020, the Applicant wrote to the SCTS requesting a review of its decision on the basis that some information had been published about the court case, personal data could be redacted from the documents, and there was no negative consequence of disclosure.

4. The SCTS notified the Applicant of the outcome of its review on 2 December 2020. It reiterated that it considered the information to be exempt from disclosure under section 38(1)(b) of FOISA. While it agreed that data subjects could expect some details of the criminal case to be disclosed during the course of proceedings, they would not expect information about the case to be disclosed some years later: to do so would, in the view of the SCTS, be unfair.

5. On 5 December 2020, the Applicant applied for a decision in terms of section 47(1) of FOISA. The Applicant stated he was dissatisfied with the outcome of the SCTS's review, submitting that the case had been widely reported in a newspaper and other court judgements had been published on the SCTS website which had named individuals. The Applicant argued that the information could be disclosed in a redacted form.

Investigation

6. The application was accepted as valid. The Commissioner confirmed that the Applicant made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

7. On 8 January 2021, the SCTS was notified in writing that the Applicant had made a valid application. The case was then allocated to an investigating officer.

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The SCTS was invited to comment on this application and to answer specific questions. These related to the information held by the SCTS falling in scope of the request, why it was considered to be the personal data of identifiable living individuals, and why the information was considered exempt under section 38(1)(b) of FOISA.

9. The SCTS provided detailed submissions to the Commissioner on 15 February 2021.

Commissioner's analysis and findings

10. In coming to a decision on this matter, the Commissioner considered all of the relevant submissions, or parts of submissions, made to him by both the Applicant and SCTS. He is satisfied that no matter of relevance has been overlooked.

Section 38(1)(b) - Personal information

11. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is "personal data" (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the GDPR or (where relevant) in the DPA 2018.

12. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

13. This exemption can be applied to information regardless of how old it is, subject, of course, to the need for it to relate to a living individual.

14. To rely on this exemption, the SCTS must show that the information withheld is personal data for the purposes of the DPA 2018 and that disclosure of the information into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles to be found in Article 5(1) of the GDPR.

15. The SCTS explained that, due to the Coronavirus pandemic, it had limited access to National Records of Scotland buildings and could not obtain copies of the court case referred to in the request. However, it provided a summary of the information which would be held in this type of court case (as a minimum, the indictment and minutes of proceedings, but also stated cases, appeal documents, social work reports and transcripts).

Is the information personal data?

16. The first question for the Commissioner is whether the withheld information is personal data for the purposes of section 3(2) of the DPA 2018, i.e. any information relating to an identified or identifiable living individual. "Identifiable living individual" is defined in section 3(3) of the DPA 2018 - see Appendix 1. (This definition reflects the definition of personal data in Article 4(1) of the GDPR, also set out in Appendix 1.)

17. The SCTS submitted that, as the accused can be identified from information contained within criminal court cases, the information is considered to relate to a living individual.

18. During the investigation, the Applicant provided information to both the SCTS and the Commissioner, which, in his view, confirmed that the named individual had died.

19. The SCTS stated, on the basis of the information, it could not confirm beyond doubt that the individual had died. Therefore, it was was continuing to withhold the requested information under section 38(1)(b) of FOISA.

20. The Commissioner has made his own enquiries, as to whether it could be established if the named individual had died. As he could also not confirm that the named individual had died, the Commissioner has progressed on the basis that the data subject is a living individual.

21. The Commissioner accepts that the information requested is personal data: the named individual in the court case clearly relates to an identifiable living individual. The Commissioner therefore accepts that the information is personal data as defined in section 3(2) of the DPA 2018.

Criminal offence data

22. Information relating to criminal convictions and offences is given special status in the UK GDPR: Article 10 makes it clear that the processing of this type of personal data can be carried out only under the control of official authority or when the processing is authorised by EU or Member State law providing for appropriate safeguards for the rights and freedoms of the data subjects.

23. Section 11(2) of the DPA 2018 makes it clear that proceedings for an offence committed by a data subject or the disposal of such proceedings, including sentencing, is criminal offence data. The Applicant's request for court documents, falls within the definition of special categories of personal data (section 11(b) of DPA 2018): proceedings for an offence committed or alleged to have been committed by the data subject or the disposal of such proceedings, including sentencing.

24. The Commissioner is satisfied that the personal data the Applicant has asked for clearly falls within the definition of criminal offence data.

25. Criminal offence data can only be processed if one of the stringent conditions in Part 1 to 3 of Schedule 1 to the DPA 2018 can be met (section 10(5) of the DPA 2018).

26. "Processing" of personal data is defined in section 3(4) of the DPA 2018. It includes (section 3(4)(d)) disclosure by transmission, dissemination or otherwise making available personal data. The definition therefore covers disclosing information into the public domain in response to a FOISA request.

27. Parts 1 to 3 of Schedule 1 to the DPA contain a wide range of conditions which allow personal data to be disclosed, but there are very limited conditions which would allow a public authority to disclose criminal offence data into the public domain in response to a FOI request.

28. The Applicant submitted that he was seeking the data for research purposes, to investigate the background of the named individual and his family. He considered there was no possible value to the public authority by withholding the records, as the offence is acutely historical, and the victims' identities can be redacted. He also provided details of his personal interest in the case.

29. However, as stated above, criminal offence data can only be processed if one of the stringent conditions in Parts 1 to 3 of Schedule 1 to the DPA 2018 can be met. The Commissioner has considered each of these conditions and whether any of them could be relied on to disclose the criminal offence data in this case. Having done so, and having taken into account the restrictive nature of the conditions, he considers that they could not.

30. The SCTS submitted that disclosure would breach the data protection principle (Article 5(1)(a) of the GDPR) which requires that personal data shall be processed lawfully and fairly. Having considered the information being requested, and that it was criminal offence data, it concluded that there was no lawful basis that it could be disclosed under FOISA.

31. The Commissioner is also satisfied that none of the conditions required for processing personal data of this nature are satisfied; consequently, there can be no legal basis for its disclosure and the information requested by the Applicant is exempt from disclosure under section 38(1)(b) of FOISA.

32. The Commissioner therefore finds that the SCTS complied with Part 1 of FOISA by withholding the requested information.

Decision

The Commissioner finds that the Scottish Courts and Tribunals Service complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by the Applicant.

Appeal

Should either the Applicant or the SCTS wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement
25 August 2021

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

….

(5) In this section-

"the data protection principles" means the principles set out in -

(a) Article 5(1) of the GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

"the GDPR", "personal data", "processing" and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4), (10), (11) and (14) of that Act);

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

United Kingdom General Data Protection Regulation

Article 4 Definitions

For the purpose of this Regulation:

1 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Article 5 Principles relating to processing of personal data

1 Personal data shall be:

a. processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency")

Article 10 Processing of personal data relating to criminal convictions and offences

1. Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law domestic law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.

2. In the 2018 Act-

(a) section 10 makes provision about when the requirement in paragraph 1 of this Article for authorisation by domestic law is met;

(b) section 11(2) makes provision about the meaning of "personal data relating to criminal convictions and offences or related security measures".

Data Protection Act 2018

3 Terms relating to the processing of personal data

(2) "Personal data" means any information relating to an identified or identifiable living individual (subject to section 14(c)).

(3) "Identifiable living individual" means a living individual who can be identified, directly or indirectly, in particular by reference to -

(a) an identifier, such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

(4) "Processing", in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as -

(d) disclosure by transmission, dissemination or otherwise making available,

(5) "Data subject" means the identified or identifiable living individual to whom personal data relates.

(10) "The UK GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).

(14) In Parts 5 to 7, except where otherwise provided -

(a) references to the UK GDPR are to the UK GDPR read with Part 2;

(c) references to personal data, and the processing of personal data, are to personal data and processing to which Part 2, Part 3 or Part 4 applies;

(d) references to a controller or processor are to a controller or processor in relation to the processing of personal data to which Part 2, Part 3 or Part 4 applies.

10 Special categories of personal data and criminal convictions etc data

(4) Subsection (5) makes provision about the processing of personal data relating to criminal convictions and offences or related security measures that is not carried out under the control of official authority.

(5) The processing meets the requirement in Article 10 of the GDPR for authorisation by the law of the United Kingdom or a part of the United Kingdom only if it meets a condition in Part 1, 2 or 3 of Schedule 1.

11 Special categories of personal data etc: supplementary

(2) In Article 10 of the GDPR and section 10, references to personal data relating to criminal convictions and offences or related security measures include personal data relating to -

(a) the alleged commission of offences by the data subject, or

(b) proceedings for an offence committed or alleged to have been committed by the data subject or the disposal of such proceedings, including sentencing.


Link to PDF of Decision 125/2021 (169 KB)

Back to Top