Decision 009/2023: Conflict of interest
Authority: Aberdeen City Council
Case Ref: 202100891
The Applicant made a number of information requests about a conflict of interest allegation and subsequent investigation. The Authority withheld the information. The Commissioner investigated and found that the information which had been withheld was third party personal data which, in this case, was exempt from disclosure under section 38(1)(b) of FOISA.
Relevant statutory provisions
Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2), (4) and (6) (General entitlement); 38(1)(b), (2A), (5) (definitions of “the data protection principles”, “data subject”, “personal data”, “processing” and “the UK GDPR”) (Personal information); 47(1) and (2) (Application for decision by Commissioner)
United Kingdom General Data Protection Regulation (the UK GDPR) articles 5(1)(a) (Principles relating to processing of personal data); 6(1) (Lawfulness of processing)
Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (10) and (14)(a), (c) and (d) (Terms relating to the processing of personal data)
The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.
1. On 28 December 2020, the Applicant made a request for information to the Authority. He asked, in relation to a specified paper delivered to the Aberdeen City Health & Social Care Partnership Integration Joint Board (the IJB):
(i) were any conflict of interest allegations raised towards either of two named persons with regard to their delivery of this paper or its contents? If yes, what were the alleged conflicts of interest?
(ii) if allegations were raised, were these allegations investigated? If not, why not?
(iii) if allegations were investigated, what were the outcomes of these investigations?
(iv) for copies of any investigation documents, including findings.
2. The Authority responded to question (i) on 27 January 2021, stating that no interests were declared at the IJB meeting “in that regard”. The Authority answered questions (ii) to (iv) with “not applicable.”
3. Later that day, the Applicant wrote to the Authority requesting a review of its decision. He was dissatisfied that the response did not address the questions he had asked. The Applicant explained that his questions were not confined to what had or had not occurred at the meeting in question, but concerned conflict of interest allegations surrounding the delivery of the paper delivered to the meeting.
4. The Authority notified the Applicant of the outcome of its review on 23 February 2021. It apologised for misinterpreting his request. The Authority confirmed that a conflict of interest was raised and an investigation completed, but that it could not provide any recorded information in relation to the request. It argued that the information was exempt from disclosure under sections 30(b) (Prejudice to effective conduct of public affairs), 36(2) (Confidentiality) and 38(1)(b) (Personal information) of FOISA.
5. On 23 July 2021, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. The Applicant stated that he was dissatisfied with the outcome of the Authority’s review. He considered that the information should be disclosed in the public interest.
6. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.
7. On 17 August 2021, the Authority was notified in writing that the Applicant had made a valid application. The Authority was asked to send the Commissioner the information withheld from the Applicant. The Authority provided the information and the case was allocated to an investigating officer.
8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Authority was invited to comment on this application and to answer specific questions. These related to its reasons for applying the exemptions in sections 30(b), 36(2) and 38(1)(b) of FOISA to the withheld information.
9. The Applicant also provided comments to support his arguments.
Commissioner’s analysis and findings
10. The Commissioner has considered all the submissions made to him by the Applicant and the Authority.
Information falling within scope
11. The information identified by the Authority as falling within the scope of the request comprised eight documents. The Authority refused to disclose this information to the Applicant.
12. The Commissioner has considered these documents in the light of the Applicant’s request and notes that document 7 does not fall within the scope of the request: the Authority did not hold the information when it received the Applicant’s request (section 1(4) of FOISA).
13. Where information is not covered by the terms of the request, the Commissioner cannot consider whether it should be disclosed.
Section 38(1)(b) – Personal information
14. The Authority applied the exemption in section 38(1)(b) of FOISA to all of the information falling within the scope of this request.
15. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A), exempts information from disclosure if it is “personal data” (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles in Article 5(1) of the UK GDPR.
16. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is not subject to the public interest test contained in section 2(1)(b) of FOISA.
Is the withheld information personal data?
17. The first question the Commissioner must address is whether the information is personal data for the purposes of section 3(2) of the DPA 2018.
18. “Personal data” is defined in section 3(2) of the DPA 2018 as “any information relating to an identified or identifiable living individual”.
19. Section 3(3) of the DPA 2018 defines “identifiable living individual” as a living individual who can be identified, directly or indirectly, in particular by reference to:
(i) an identifier such as a name, an identification number, location data, or an online identifier, or
(ii) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
20. The Commissioner is satisfied that the information is personal data. It clearly relates to an identifiable individual.
Would disclosure contravene one of the data protection principles?
21. The Authority submitted that disclosure would breach Article 5(1)(a) of the UK GDPR, which requires personal data to be processed “lawfully, fairly and in a transparent manner in relation to the data subject”.
22. The definition of “processing” is wide and includes (section 3(4)(d) of the DPA 2018) “disclosure by transmission, dissemination or otherwise making available”. In the case of FOISA, personal data are processed when disclosed in response to a request.
23. This means that the personal data can only be disclosed if disclosure would be both lawful (i.e. it would meet one of the conditions for lawful processing listed in Article 6(1) of the GDPR) and fair.
24. The Commissioner will first consider whether any of the conditions in Article 6(1) can be met. The Commissioner considers condition (f) in Article 6(1) to be the only condition which could potentially apply in the circumstances of the case.
Condition (f): legitimate interests
25. Condition (f) states that processing will be lawful if it “…is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data…”
26. Although Article 6 states that this condition cannot apply to processing carried out by public authorities in the performance of their tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests made under FOISA.
27. The tests which must be met before Article 6(1)(f) can be met are as follows:
(i) Is there a legitimate interest in obtaining the personal data?
(ii) If so, would disclosure of the personal data be necessary to achieve the legitimate interest?
(iii) Even if processing would be necessary to achieve the legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subject?
Is there a legitimate interest in obtaining the personal data?
28. The request relates to changes to the delivery of GP services in Aberdeen and to concerns that there was a conflict of interest regarding proposed changes. In the Applicant’s view, the subject matter highlighted the public interest in the disclosure of the information (he set out in detail why he considered this to be the case).
29. The Applicant considered that it was vital to know more about the investigation in order to assess how thoroughly the complaint was investigated, and to understand why the investigator reached the decision they did.
30. The Authority considered that the Applicant might have a legitimate interest, but only in relation to the outcome of the investigation. The Authority emphasised that a separate, independent assessment had subsequently been undertaken which had found that the original investigation was comprehensive and objective and that there was no conflict of interest.
31. The Authority submitted that neither the Applicant nor the wider public have a legitimate interest in the content of the investigation; any wider public interest was satisfied by the fact that there was a complaint handling process in place, and that the complainant was provided with the outcome of their complaint.
32. The Commissioner has considered the submissions from both the Authority and the Applicant carefully. Having considered the subject matter of the request (possible conflict of interest in relation to the delivery of GP services), he has concluded that, despite the fact that the complaint has been investigated, there remains a legitimate interest in the disclosure of the personal data.
Is disclosure of the personal data necessary?
33. Having accepted that there is a legitimate interest in the personal data, the Commissioner must consider whether its disclosure is necessary to meet those interests. In doing so, he must consider whether these interests might reasonably be met by any alternative means.
34. “Necessary” here means “reasonably” rather than “absolutely” or “strictly” necessary. When considering whether disclosure would be necessary, the Commissioner must consider whether disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the legitimate interests can be met by means which interfere less with the privacy of the data subjects.
35. The Authority argued that it was not necessary for the personal data to be disclosed. It took the view that any legitimate interests were met by there being a proper and fair complaints process in place. It noted that these processes were designed to respect the rights of those being investigated.
36. The Authority also highlighted that complainants have other routes to pursue if they are dissatisfied with how a complaint has been dealt with, such as recourse to the Scottish Public Services Ombudsman or the Ethical Standards Commissioner.
37. The Commissioner recognises that this goes some way towards satisfying the Applicant’s (and wider public’s) legitimate interests. However, given the importance of the subject matter, he considers, in the absence of other viable means of meeting the legitimate interests in full, that the legitimate interests could only reasonably be met by the disclosure of the information.
38. Consequently, he will go on to consider whether the interest in obtaining the personal data outweighs the rights and fundamental freedoms of the data subject.
Interests and fundamental freedoms of the data subjects
39. The Commissioner must now balance the legitimate interests in disclosure against the data subject’s interests or fundamental rights and freedoms. Only if the legitimate interests of the Applicant outweigh those of the data subject can the information be disclosed.
40. In considering the balance between the legitimate interests and the rights and interests of the data subjects, it is important to take account of whether the proposed disclosure would be within the reasonable expectations of an individual. There are factors that assist in this determination, including the distinction between private and public life; the nature of the information; how the personal data was obtained; whether any specific assurances were given to individuals; privacy notices; and any policy or standard practice.
41. The Applicant does not believe that the data subject’s rights outweigh the legitimate interests in the information. He pointed to the importance of scrutinising allegations of conflict of interest. He believes public scrutiny is required for public peace of mind and that reputational integrity may have been prioritised over patient care and staff welfare.
42. The Authority clearly believed that the data subject’s rights are more important here. It commented that an investigation process is a process undertaken in confidence and that, although it was standard practice for the outcome to be shared with the complainer, it did not follow that the “entire investigation report” should be released to a third party.
43. The Commissioner notes that the information relates to the data subject’s public life; in this instance, a complaint related to a paper prepared by the data subject in their professional, rather than private, capacity. However, he accepts that, in the circumstances of the complaint and investigation, the data subject would have reasonably expected at least some degree of confidentiality in the process.
44. The Commissioner has also considered the potential harm or distress that could be caused by disclosure. Disclosure under FOISA is a public disclosure, so would publicly link the data subject to an allegation of conflict of interest. At the most general level, disclosing or alleging that a complaint or allegation has been brought is likely to cause some reputational damage, and to have an impact on public perceptions of a person. In the circumstances, the Commissioner agrees that disclosing the personal data would cause harm or distress to the data subject.
45. After carefully balancing the legitimate interests of the individuals concerned against those of the Applicant, the Commissioner finds that the legitimate interests served by disclosure of the personal data are outweighed by the unwarranted prejudice that would result to the rights and freedoms or legitimate interests of the data subject. While the Commissioner recognises that the background to this case relates to matters of public concern, he is satisfied that, in the circumstances of this case, disclosure would cause harm and distress and that the data subject would reasonably expect that their personal data would not be disclosed into the public domain.
46. Having found that the legitimate interests served by disclosure of the personal data are outweighed by the unwarranted prejudice that would result to the rights and freedoms or legitimate interests of the data subject, the Commissioner finds that condition (f) in Article 6(1) of the GDPR cannot be met and that disclosure would be unlawful.
47. Given that the Commissioner has concluded that the processing of the personal data would be unlawful, he is not required to go on to consider separately whether disclosure would otherwise be fair and transparent in relation to the data subject.
Conclusion on section 38(1)(b)
48. For the reasons set out above, the Commissioner is satisfied that disclosure of the personal data would breach the data protection principle in Article 5(1)(a) of the GDPR. Consequently, he is satisfied that the personal data was correctly withheld under section 38(1)(b) of FOISA.
Section 30(b)(i) and (ii) and section 36(2)
49. As the Commissioner has accepted that section 38(1)(b) of FOISA was correctly applied by the Authority in this case to all the information withheld that falls within scope, he will not go on to consider whether the information was also exempt from disclosure under sections 30(b)(i) or (ii), or 36(2) of FOISA.
The Commissioner finds that the Authority complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by the Applicant.
Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.
Head of Enforcement
14 February 2023
Appendix 1: Relevant statutory provisions
Freedom of Information (Scotland) Act 2002
1 General entitlement
(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.
(2) The person who makes such a request is in this Part and in Parts 2 and 7 referred to as the “applicant.”
(4) The information to be given by the authority is that held by it at the time the request is received, except that, subject to subsection (5), any amendment or deletion which would have been made, regardless of the receipt of the request, between that time and the time it gives the information may be made before the information is given.
(6) This section is subject to sections 2, 9, 12 and 14.
38 Personal information
(1) Information is exempt information if it constitutes-
(b) personal data and the first, second or third condition is satisfied (see subsections …
(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -
(a) would contravene any of the data protection principles, or
(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.
(5) In this section-
"the data protection principles" means the principles set out in –
(a) Article 5(1) of the UK GDPR, and
(b) section 34(1) of the Data Protection Act 2018;
"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act);
“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act).
(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.
47 Application for decision by Commissioner
(1) A person who is dissatisfied with -
(a) a notice under section 21(5) or (9); or
(b) the failure of a Scottish public authority to which a requirement for review was made to give such a notice.
may make application to the Commissioner for a decision whether, in any respect specified in that application, the request for information to which the requirement relates has been dealt with in accordance with Part 1 of this Act.
(2) An application under subsection (1) must -
(a) be in writing or in another form which, by reason of its having some permanency, is capable of being used for subsequent reference (as, for example, a recording made on audio or video tape);
(b) state the name of the applicant and an address for correspondence; and
(c) specify –
(i) the request for information to which the requirement for review relates;
(ii) the matter which was specified under sub-paragraph (ii) of section 20(3)(c); and
(iii) the matter which gives rise to the dissatisfaction mentioned in subsection (1).
UK General Data Protection Regulation
Article 5 Principles relating to processing of personal data
1 Personal data shall be:
a. processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”)
Article 6 Lawfulness of processing
1 Processing shall be lawful only if and to the extent that at least one of the following applies:
f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.
Data Protection Act 2018
3 Terms relating to the processing of personal data
(2) “Personal data” means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).
(3) “Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to –
(a) an identifier such as a name, an identification number, location data or an online identifier, or
(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
(4) “Processing”, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as –
(d) disclosure by transmission, dissemination or otherwise making available,
(10) “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).
(14) In Parts 5 to 7, except where otherwise provided –
(a) references to the UK GDPR are to the UK GDPR read with Part 2;
(c) references to personal data, and the processing of personal data, are to personal data and processing to which Part 2, Part 3 or Part 4 applies;
(d) references to a controller or processor are to a controller or processor in relation to the processing of personal data to which Part 2, Part 3 or Part 4 applies.