Home Decisions

Decision 013/2023

Decision 013/2023: Communications with a community council regarding conflict of interest

Authority: Highland Council
Case Ref: 202100927

Summary

The Applicant asked the Authority about communications with, and any advice given to, Nairn River Community Council concerning a specific conflict of interest or conflict of interest in general. The Authority stated that it did not hold any information regarding the specific conflict of interest described and withheld wider correspondence on the basis that its disclosure would be likely to inhibit the free and frank provision of advice and exchange of views, or was third party personal data, disclosure of which would breach data protection principles.

The Commissioner investigated and, while he agreed that the Authority did not hold any information on the specific conflict of interest referred to, or any advice given regarding conflict of interest, he found that the Authority had wrongly withheld some information under the exemptions claimed. He also found that the Authority had failed to comply with statutory timescales in responding to both the request and the requirement for review.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2), (4) and (6) (General entitlement); 2(1) and (2)(e)(ii) (Effect of exemptions); 10(1)(a) (Time for compliance); 15 (Duty to provide advice and assistance); 21(1) (Review by Scottish public authority); 30(b) (Prejudice to effective conduct of public affairs); 38(1)(b), (2A), (5) (definitions of “the data protection principles”, “data subject”, “personal data” and “processing”, “the UK GDPR”) and (5A) (Personal information); 47(1) and (2) (Application for decision by Commissioner)

United Kingdom General Data Protection Regulation (the UK GDPR) articles 4(1) (definition of “personal data”) (Definitions); 5(1)(a) (Principles relating to processing of personal data); 6(1)(f) (Lawfulness of processing)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (10), (14)(a), (c) and (d) (Terms relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 23 March 2021, the Applicant made a request for information to the Authority. In his correspondence, he made reference to Nairn River Community Council’s (the Community Council’s) response (as a statutory consultee) to a specific planning application where, he believed, there had been a possible conflict of interest involving one of its members. He asked the Authority for:

…details of all correspondence (to include emails, notes of telephone conversations, letters, hand written notes etc) between officials of [the Authority] and [the Community Council] and vice versa since August 2020 to the date of this email. This is to include any advice provided by the [Authority] to [the Community Council] and any correspondence on this matter related to Conflict of Interest.

2. Having received no response to his information request within 20 working days, the Applicant wrote to the Authority on 29 April 2021 requesting a review based on its failure to respond.

3. On 23 June 2021, having received no response to his request for review within 20 working days, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA, based on the Authority’s failure to respond.

4. Following notification of the Applicant’s appeal (relating to the Authority’s failure to respond), the Authority notified the Applicant of the outcome of its review on 14 July 2021. In summary, the Authority explained that correspondence had been identified and reviewed, but there was no mention of the conflict of interest referred to. Given the wider scope of the request, the Authority had considered disclosing the correspondence held. The Authority concluded that it would not be in the public interest to do so, given its content related to internal issues within the Community Council (which was a separate organisation from the Authority) and also contained personal data of the Community Councillors and some members of the Nairn community. The Authority withheld the correspondence under the exemptions in section 30(b) of FOISA (as disclosure would likely inhibit substantially the free and frank provision of advice or exchange of views) and section 38(1)(b) (as disclosure of third party personal data would breach data protection principles).

5. On 28 July 2021, the Applicant notified the Commissioner that he wanted to withdraw his application relating to the Authority’s failure to respond, and wished to make a fresh application with regard to its review outcome now issued.

6. On 30 July 2021, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. The Applicant stated he was dissatisfied with the outcome of the Authority’s review because:

he was unhappy with its failure to respond to his initial information request and his request for review within the timescales allowed; and
he disagreed with the Authority’s position with regard to the withheld information. He argued that the information related to a statutory planning process in which the Community Council participated as a statutory consultee and potentially serious issues had been raised in relation to conflict of interest. He believed there was an absolute public interest in accessing the correspondence where the conflict of interest referred to (he assumed) had been dealt with.

Investigation

7. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.

8. On 30 July 2021, the Authority was notified in writing that the Applicant had made a valid application. The Authority was asked to send the Commissioner the information withheld from the Applicant. The Authority provided the information and the case was subsequently allocated to an investigating officer.

9. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Authority was invited to comment on this application and to answer specific questions. These related to the Authority’s justification for withholding the correspondence under the exemptions in section 30(b) and section 38(1)(b) of FOISA, and its failure to comply with statutory timescales for responding to the Applicant’s initial request and his request for review.

10. The Applicant was also invited to submit his comments on the scope of his request, and what his legitimate interests were in accessing the personal data in the withheld information.

11. The Applicant provided his comments on 10 March 2022.

12. On 28 June 2022, the Authority provided its initial submissions which focussed mainly on section 38(1)(b) of FOISA. The Authority confirmed it would be willing to disclose some of the correspondence to the Applicant, with some personal data redacted, in an attempt to resolve the case informally.

13. The Applicant was then given the opportunity to consider whether he wished to accept the Authority’s offer to disclose some of the information, with a view to resolving the case informally. He subsequently confirmed, however, that he wished the Commissioner to reach a determination by means of a Decision Notice.

14. Following further consideration of the terms of the request, the Authority’s interpretation of it and the information which the Authority considered fell within scope (and which was being withheld), the Investigating Officer questioned whether much of that information actually fell within the scope of the request. In light of this, the Applicant was asked to clarify the scope of the information covered by his application to the Commissioner.

15. In response, the Applicant clarified that his application concerned correspondence (including any advice given) between the Authority and the Community Council (and vice versa), during the period August 2020 to March 2021, relating to the specific conflict of interest referred to in his request, and to conflict of interest in general. He commented further on the public interest in disclosure of the information.

16. The Authority was made aware of the clarified scope. It was asked to provide further submissions on the searches carried out to identify and locate the information requested, and whether it now considered that any of the information identified comprised correspondence (including advice) between the parties specified in the request and relating either to the specific conflict of interest referred to, or to conflict of interest in general. The Authority was again asked to provide submissions on its reliance on section 30(b), and to provide further submissions on its position regarding section 38(1)(b) of FOISA. It was also asked to explain what consideration it had given to seeking clarification from the Applicant about the information he was seeking.

17. The Authority provided the further submissions requested.

Commissioner’s analysis and findings

18. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority.

The information held by the Authority

19. Section 1(1) of FOISA provides that a person who requests information from a Scottish public authority which holds it is entitled to be given that information by the authority, subject to qualifications which, by virtue of section 1(6) of FOISA, allow Scottish public authorities to withhold information or charge a fee for it.

20. The information to be given is that held by the authority at the time the request is received, as defined by section 1(4).

21. The standard of proof to determine whether a Scottish public authority holds information is the civil standard of the balance of probabilities. In determining where the balance of probabilities lies, the Commissioner considers the scope, quality, thoroughness and results of the searches carried out by the public authority. He also considers, where appropriate, any reason offered by the public authority to explain why it does not hold the information. While it may be relevant as part of this exercise to explore expectations about what information the authority should hold, ultimately the Commissioner's role is to determine what relevant recorded information is (or was, at the time the request was received) actually held by the public authority and falls within the scope of the original request.

Searches

22. The Authority described the searches carried out to identify the information which, it considered, fell within the scope of the request.

23. It explained that the Nairn Ward Manager (who was responsible for assisting community councils) and the Inverness City Manager (who was handling a complaint regarding the possible conflict of interest) had been asked to carry out searches. As both of these officers had been attempting to assist the Community Council with its issues, the Authority was satisfied that these were the appropriate officers to direct the request to, and that no other searches would have identified correspondence regarding the possible conflict of interest referred to.

24. The Authority explained that, during the period in question, email was the only form of correspondence taking place due to restrictions on accessing offices. It had therefore carried out searches for emails from members of the Community Council, and for emails containing “Nairn River”, “NRCC” and the name of the premises which was the subject of the planning application. The Authority submitted that the information identified had been sifted to remove any correspondence which was not with the Community Council and any duplicates. It considered these searches reasonable, and that any advice, guidance or discussions regarding conflict of interest, whether specific or general, would have been discovered in the searches for “all correspondence”.

Interpretation of the request and the in-scope information held

25. As stated above, the Authority provided the Commissioner with the withheld information identified as a result of the searches described which, it had determined, fell within the scope of the request.

26. Following the Investigating Officer’s consideration of this information, and the Applicant’s subsequent clarification of the scope of the information his application covered (referred to in paragraph 15 above), the Authority was asked whether it considered all of this information actually fell within scope.

27. In response, the Authority now believed that only four individual email chains fell within scope, in light of the Applicant’s clarification. It pointed out, however, that these conversations were not with the Authority, but were among members of the Community Council. The emails were held by the Authority either as a result of the Authority’s staff members having been copied in to these emails, or where these conversations had been forwarded to Authority staff.

28. The Authority submitted that, while these emails contained references to conflict of interest in general, they did not appear to relate to the possible conflict of interest referred to in the request. The Authority highlighted that a key fact here was that it did not deal with complaints regarding community councils and therefore it did not need to contact the Community Council about the matter complained of.

29. The Authority submitted that it would be willing to disclose this information to the Applicant, with some personal data redacted.

The Commissioner's views on the information held

30. The Commissioner has considered all relevant submissions, the terms of the original request, the Applicant’s clarification and the withheld information.

31. In light of the Applicant’s clarification, the Commissioner can only consider the information which falls within the scope of the clarified request, namely information (including any advice given) in correspondence between the Authority and the Community Council (and vice versa), during the period August 2020 to March 2021, relating to the specific conflict of interest referred to in the request, and to conflict of interest in general.

32. Having done so, the Commissioner is satisfied that the majority of the information originally identified by the Authority does not fall within the scope of the Applicant’s request: it does not relate to any discussions between the Authority and the Community Council, or to any advice given by the Authority to the Community Council, on either the possible conflict of interest referred to in the request, or on conflict of interest in general.

33. For the four email chains which the Authority now considered to fall within scope, the Commissioner would, to a certain extent, concur with the Authority’s view. He is satisfied that this correspondence contains some information falling within scope, in that it contains references to “conflict of interest”. However, the Commissioner is of the view that the majority of the information in these four email chains relates to other issues being discussed, and not to “conflict of interest”, and therefore that information cannot be considered to fall within the scope of the Applicant’s request, as clarified.

34. The Commissioner notes that the particular exchanges in these email chains which contain references to “conflict of interest” are, in the main, between Community Council members. While he recognises that these exchanges are only held by the Authority by virtue of Authority staff either having been copied in, or having had these exchanges forwarded to them, he has no option but to determine that the information is held by the Authority.

35. Having examined the content of the exchanges in the email chains containing these references, the Commissioner is further satisfied that they relate to conflict of interest “in general” and that there is nothing in the correspondence that confirms that any of these references relate to the specific (possible) conflict of interest referenced in the Applicant’s request, nor to any advice given by the Authority to the Community Council on conflict of interest.

36. The Commissioner notes that the Authority has indicated it is willing to disclose this information to the Applicant with some personal data redacted. As the Authority is seeking to withhold some of the information in these four email chains under section 38(1)(b) of FOISA, the Commissioner will go on to consider the application of that exemption later in this decision notice.

Section 30(b) – Prejudice to effective conduct of public affairs

37. In its review outcome, the Authority withheld some information under section 30(b) of FOISA. Section 30(b) provides that information is exempt if its disclosure under FOISA would, or would be likely to, prejudice substantially (i) the free and frank provision of advice, or (ii) the free and frank exchange of views for the purposes of deliberation. Section 30(b) is subject to the public interest test in section 2(1)(b) of FOISA.

38. During the investigation, the Authority withdrew its reliance on section 30(b) of FOISA to withhold any information in this case. It confirmed that it was no longer relying on this exemption to withhold the information now considered to fall within scope, as clarified.

39. Consequently, in the absence of arguments from the Council as to why the exemptions in section 30(b) originally applied, the Commissioner has no option but to find that the Authority was not entitled to withhold any information in this case under the exemption in section 30(b). Having reached this conclusion, he is not required to consider the public interest test in section 2(1)(b) of FOISA.

Section 38(1)(b) – Personal information

40. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is "personal data" (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR or (where relevant) in the DPA 2018.

41. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

42. To rely on this exemption, the Authority must show that the information withheld is personal data for the purposes of the DPA 2018 and that disclosure of the information into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles to be found in Article 5(1) of the UK GDPR.

43. In his request (as subsequently clarified), the Applicant sought details of all correspondence (including any advice given) between the Authority and the Community Council, relating to a specific (possible) conflict of interest, or to conflict of interest in general (as fully described in paragraph 15 above).

44. In its initial submissions to the Commissioner (prior to the Applicant’s clarification), the Authority submitted that certain of the information in question comprised the names and contact details of Community Councillors, correspondence between individual Community Councillors and the personal data of third parties who were in communication with the Community Council, all of which comprised third party personal data.

45. As set out above, following notification of the Applicant’s clarification, the Authority changed its position on the extent of the information falling within scope (now limited to information in four email chains). The Commissioner has already found that the majority of the information originally withheld, plus some of the information in the remaining four email chains, does not fall within the scope of the Applicant’s request.

46. In relation to the remaining information in the four email exchanges now considered to fall within scope, the Commissioner notes, as stated in paragraph 36 above, that the Authority has stated it is willing to disclose this information to the Applicant with some personal data redacted. For the information in these exchanges which the Authority is now willing to disclose, the Commissioner has no option - in the absence of any reasons supplied by the Authority - but to find that the Authority was not entitled to withhold that information, at review stage, under section 38(1)(b) of FOISA. He requires the Authority to disclose it to the Applicant.

47. For the remainder, the Commissioner must now decide whether the Authority was correct to withhold any of that information under section 38(1)(b) of FOISA.

Is the withheld information personal data?

48. The first question that the Commissioner must address is whether the withheld information is personal data for the purposes of section 3(2) of the DPA 2018, i.e. any information relating to an identified or identifiable individual. "Identifiable living individual" is defined in section 3(3) of the DPA 2018 see Appendix 1. (This definition reflects the definition of personal data in Article 4(1) of the UK GDPR, also set out in in Appendix 1.)

49. Information which could identify individuals will only be personal data if it relates to those individuals. Information will "relate to" a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them or has them as its main focus. It is clear that the information withheld in this case (i.e. the correspondence in the four email chains found to fall within scope) "relates to" identifiable living individuals, i.e. as a sender/recipient, or referred to in the body of the correspondence.

50. Having considered the remaining withheld personal information, which comprises the names and email addresses of Community Councillors, it is clear to the Commissioner that the information withheld is personal data, for the purposes of section 3(2) of the DPA 2018.

Which of the data protection principles would be contravened by disclosure?

51. The Authority believed that disclosure of this personal data would contravene the first data protection principle (Article 5(1)(a)). Article 5(1)(a) states that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

52. In terms of section 3(4) of the DPA 2018, disclosure is a form of processing. In the case of FOISA, personal data is processed when it is disclosed in response to a request.

53. The Commissioner must now consider if disclosure of the personal data would be lawful (Article 5(1)(a)). In considering lawfulness, he must consider whether any of the conditions in Article 6 of the UK GDPR would allow the data to be disclosed. The Commissioner considers condition (f) in Article 6(1) to be the only one which could potentially apply in the circumstances of this case.

Condition (f): legitimate interests

54. Condition (f) states that the processing will be lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data (in particular where the data subject is a child).

55. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.

56. The Authority argued that the legitimate interests of the data subjects which favoured non-disclosure outweighed those of the Applicant in favour of disclosure.

57. The tests which must be met before Article 6(1)(f) can be met are as follows:

(i) Does the Applicant have a legitimate interest in obtaining the personal data?

(ii) If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?

(iii) Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subjects?

Does the Applicant have a legitimate interest in obtaining the personal data?

58. In his application to the Commissioner, the Applicant believed there was a public interest in disclosure of the information. In support of his position, he submitted that the information he was seeking related to a statutory planning process in which the Community Council participated as a statutory consultee. In his view, potentially serious issues had been raised in relation to conflict of interest and, as such, there was a public interest in gaining access to the correspondence where, he believed, this had been dealt with.

59. During the investigation, the Applicant explained that an issue had been highlighted to the Authority in relation to a potential conflict of interest concerning a member of the Community Council who was then involved, as a statutory consultee, in submitting a response to a planning application. He believed there was a public interest in accessing any correspondence on this matter to be able to understand how an issue was dealt with that potentially allowed a statutory consultee with (in his view) an identified bias, to then be involved in making a decision in relation to a planning application, and to know who was involved in these discussions relating to the planning process.

60. The Applicant further argued that there was a public interest in identifying, as a minimum, the Community Council office bearers and any senior Authority officials in the correspondence exchanged. As this related to a planning process, he believed there was a public interest in openness and transparency in demonstrating how this issue was handled.

61. The Applicant also believed that, even though these roles were voluntary, office bearers within the Community Council were at a more senior level and, when participating in a statutory process, should expect their decisions to be open to scrutiny and their identities to be made publicly available.

62. The Authority did not consider the Applicant had a legitimate interest in obtaining the remaining personal data contained in the correspondence requested.

63. The Commissioner has considered the arguments from both parties, and the content of the remaining personal information being withheld under section 38(1)(b).

64. In respect of the remaining personal data (i.e. the names and contact details of Community Councillors), the Commissioner is satisfied that the Applicant has a legitimate interest in obtaining that information. He accepts that disclosure of this remaining information would facilitate transparency and accountability to the Applicant (and the wider public) as to the individuals involved in the correspondence found to fall within the scope of the request. Consequently, the Commissioner accepts that the Applicant has a legitimate interest in disclosure of this personal data.

Is disclosure of the personal data necessary?

65. Having accepted that the Applicant has a legitimate interest in the remaining withheld personal data, the Commissioner must consider whether disclosure of those personal data is necessary for the Applicant's legitimate interests. In doing so, he must consider whether these interests might reasonably be met by any alternative means.

66. The Commissioner has considered this carefully in light of the decision by the Supreme Court in South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55 . In this case, the Supreme Court stated (at paragraph 27):

A measure which interferes with a right protected by Community law must be the least restrictive for the achievement of a legitimate aim. Indeed, in ordinary language we would understand that a measure would not be necessary if the legitimate aim could be achieved by something less.

67. "Necessary" means "reasonably" rather than "absolutely" or "strictly" necessary. When considering whether disclosure would be necessary, public authorities should consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the requester's legitimate interests can be met by means which interfere less with the privacy of the data subjects (in this case, the Community Councillors).

68. In its submissions to the Commissioner, the Authority did not believe disclosure of the withheld personal data was necessary to achieve any legitimate interest the Applicant might have. In its view, as the request was focussed on details of correspondence/advice in relation to a potential conflict of interest and, as none of the redactions related to this, it believed disclosure would not provide the Applicant with the information he was interested in and therefore would not achieve that interest.

69. The Commissioner notes that the Applicant is focussed on knowing the identities of those involved in the correspondence, particularly those involved in dealing with the specific (possible) conflict of interest described in his request (e.g. as senders or recipients, or named within the body of the correspondence). As set out in paragraph 35 above, the Commissioner is satisfied that the references to “conflict of interest” in the in-scope information relate to conflict of interest “in general” and that there is nothing in the correspondence that confirms that any of these relate to the specific (possible) conflict of interest described in the request, nor to any advice given by the Authority to the Community Council on conflict of interest.

70. In light of there being nothing in the in-scope correspondence confirming that the references to “conflict of interest” relate to the specific (possible) conflict of interest described in the request, or to any advice given by the Authority to the Community Council on conflict of interest, the Commissioner considers that disclosure of the remaining personal data would add nothing of substance to the information which he has already found to have been wrongly withheld under section 38(1)(b) and which he requires to be disclosed to the Applicant (as described in paragraph 46 above).

71. For that information which is to be disclosed (which contains references to conflict of interest “in general”), the Commissioner notes that this discloses the names of senior Authority officials involved in that correspondence. This therefore reveals those officers in the Authority to whom these communications have been copied or forwarded, with the remainder of the correspondence in these email chains being between members of the Community Council.

72. While the Commissioner concurs with the Applicant’s view that individuals undertaking roles as office bearers in community councils hold a more senior role within these organisations, he considers it is important to note that such roles are carried out voluntarily and that community councils are not subject to any obligations under FOISA. In the Commissioner’s view, any individual holding an official (or any other) role within a community council would have no expectation that personal data, such as that the Applicant has requested, would routinely be disclosed under FOISA in response to a request for information made to a Scottish public authority. He recognises their right to privacy in that regard.

73. In the Commissioner’s view, the Applicant’s legitimate interest (and the wider public interest) here is served by disclosure of the in-scope information already found to have been wrongly withheld under section 38(1)(b) of FOISA (which identifies the senior Authority officials involved in the correspondence). The Commissioner is therefore satisfied that, although the Applicant has a legitimate interest in the remaining personal data (i.e. the names and contact details of the Community Councillors), disclosure is not necessary to achieve that legitimate interest in this case.

74. In this case, in the absence of a condition in Article 6 of the UK GDPR which would allow the names and contact details of the Community Councillors to be disclosed lawfully, disclosure would breach Article 5 of the UK GDPR. The remaining withheld personal data (i.e. the names and contact details of the Community Councillors) are, in this case, therefore exempt from disclosure under section 38(1)(b) of FOISA.

Section 10(1) – Time for compliance

75. Section 10(1) of FOISA gives Scottish public authorities a maximum of 20 working days following the date of receipt of the request to comply with a request for information. This is subject to qualifications which are not relevant in this case.

76. In his application to the Commissioner, the Applicant was dissatisfied with the Authority’s failure to respond to his original request.

77. In its submissions to the Commissioner, the Authority stated that it did not wish to comment beyond referring to the level and type of correspondence it was receiving from the Applicant at the time, where any response was met with a quick and lengthy disagreement.

78. It is a matter of fact that the Authority did not provide a response to the Applicant's original information request of 23 March 2021 within 20 working days, so the Commissioner finds that it failed to comply with section 10(1) of FOISA.

Section 21 – Review by Scottish public authority

79. Section 21(1) of FOISA gives Scottish public authorities a maximum of 20 working days following receipt of the requirement to comply with a request for review. This is subject to qualifications which are not relevant in this case.

80. In his application to the Commissioner, the Applicant was dissatisfied with the Authority’s failure to respond to his requirement for review in time.

81. In its submissions to the Commissioner, the Authority stated that it did not wish to comment beyond referring to the level and type of correspondence it was receiving from the Applicant at the time, where any response was met with a quick and lengthy disagreement.

82. It is a matter of fact that the Authority did not provide a response to the Applicant's requirement for review within 20 working days, so the Commissioner finds that it failed to comply with section 21(1) of FOISA.

Handling of request

83. Section 15(1) of FOISA requires a Scottish public authority, so far as is reasonable to expect it to do so, to provide advice and assistance to a person who proposes to make, or has made, a request for information to it. Section 15(2) states that a Scottish public authority shall be taken to have complied with this duty where (in relation to the provision of advice and assistance in a particular case) it conforms with The Scottish Ministers' Code of Practice on the discharge of functions by Scottish public authorities under FOISA and the Environmental Information (Scotland) Regulations 2004 (the Section 60 Code).

84. The Section 60 Code states, at paragraph 5.1.1 in Part 2:

Authorities have a duty to provide advice and assistance at all stages of a request. It can be given either before a request is made, or to clarify what information an applicant wants after a request has been made, whilst the authority is handling the request, or after it has responded.

85. It further states, in section 9.2 in Part 2:

Duty to advise and assist when responding to a request

The obligation to provide advice and assistance continues at the point of issuing a response. For example, if directing the applicant to a website, the authority should take all reasonable steps to direct the applicant to the relevant section.

86. In its submissions to the Commissioner, the Authority submitted that it had considered asking the Applicant to clarify his request. It explained it had decided not to do so as, from previous dealings and correspondence with the Applicant, it believed he would not have co-operated with such a request.

87. While the Commissioner has some sympathy for the Authority’s position, this does not preclude it from fulfilling its obligations under FOISA. He notes that, during the investigation, having noted that the request was subject to interpretation, the Investigating Officer sought and obtained from the Applicant clarification of the actual information he wished to obtain. This was something which would have been reasonable to expect the Authority to do at the outset, but which it had chosen not to do. In the Commissioner’s view, had the Authority taken such steps at an early stage, this may well have avoided the need for the Applicant to make an application to him, which would have resulted in a saving in time and resources for all concerned.

88. In failing to take steps to clarify with the Applicant the information he actually wished to obtain, the Commissioner must conclude that the Authority failed to comply with its duty under section 15 of FOISA to provide the Applicant with the requisite advice and assistance.

89. The Commissioner cannot stress enough the importance of ensuring that the terms of any FOI request received by a Scottish public authority are clear, before proceeding to respond. He would urge the Authority, and indeed all Scottish public authorities, to take steps to clarify with applicants any matter which is open to interpretation, prior to proceeding with a request (as provided for by sections 1(3) and 10 of FOISA). In this case, it appears likely that such consideration would not only have resulted in earlier disclosure, to the Applicant, of the information falling within scope which he was entitled to receive, but also a saving in staff time and effort for both the Commissioner and the Authority.

Action required by the Authority

90. In line with this Decision Notice, the Commissioner requires the Authority to disclose to the Applicant the information falling within the scope of the request which the Commissioner has found to have been incorrectly withheld under the exemptions in section 30(b) and section 38(1)(b) of FOISA. This will be marked up on a copy of the withheld information to be provided to the Authority with this Decision Notice.

Decision

The Commissioner finds that the Authority partially complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant.

The Commissioner finds that the Authority partially complied with Part 1 of FOISA by correctly withholding some information under the exemption in section 38(1)(b) of FOISA.

However, the Commissioner also finds that the Authority failed to comply with Part 1 by:

failing to comply with section 10(1) of FOISA by not responding to the initial request within statutory timescales
failing to comply with section 21(1) of FOISA by not responding to the request for review within statutory timescales;
incorrectly withholding some information under the exemptions in section 30(b) and section 38(1)(b) of FOISA, and
failing to comply with section 15 of FOISA by not clarifying the terms of the Applicant’s request (and thereby failing to provide the requisite advice and assistance).

The Commissioner therefore requires the Authority to provide the Applicant with the information which the Commissioner has found to have been incorrectly withheld under the exemption in section 38(1)(b) of FOISA by 11 April 2023.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Enforcement

If the Authority fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that the Authority has failed to comply. The Court has the right to inquire into the matter and may deal with the Authority as if it had committed a contempt of court.

Margaret Keyse
Head of Enforcement

22 February 2023

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(2) The person who makes such a request is in this Part and in Parts 2 and 7 referred to as the “applicant.”

…

(4) The information to be given by the authority is that held by it at the time the request is received, except that, subject to subsection (5), any amendment or deletion which would have been made, regardless of the receipt of the request, between that time and the time it gives the information may be made before the information is given.

…

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that –

(a) the provision does not confer absolute exemption; and

(b) in all the circumstances of the case, the public interest in disclosing the information is not outweighed by that in maintaining the exemption.

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption –

…

(e) in subsection (1) of section 38 –

…

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

…

10 Time for compliance

(1) Subject to subsections (2) and (3), a Scottish public authority receiving a request which requires it to comply with section 1(1) must comply promptly; and in any event by not later than the twentieth working day after-

(a) in a case other than that mentioned in paragraph (b), the receipt by the authority of the request; or

…

15 Duty to provide advice and assistance

(1) A Scottish public authority must, so far as it is reasonable to expect it to do so, provide advice and assistance to a person who proposes to make, or has made, a request for information to it.

(2) A Scottish public authority which, in relation to the provision of advice or assistance in any case, conforms with the code of practice issued under section 60 is, as respects that case, to be taken to comply with the duty imposed by subsection (1).

21 Review by Scottish public authority

(1) Subject to subsection (2), a Scottish public authority receiving a requirement for review must (unless that requirement is withdrawn or is as mentioned in subsection (8)) comply promptly; and in any event by not later than the twentieth working day after receipt by it of the requirement.

…

30 Prejudice to effective conduct of public affairs

Information is exempt information if its disclosure under this Act-

…

(b) would, or would be likely to, inhibit substantially-

(i) the free and frank provision of advice; or

(ii) the free and frank exchange of views for the purposes of deliberation; or

…

38 Personal information

(1) Information is exempt information if it constitutes-

…

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);

…

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

…

(5) In this section-

"the data protection principles" means the principles set out in –

(a) Article 5(1) of the UK GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

…

“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act);

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act).

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

…

47 Application for decision by Commissioner

(1) A person who is dissatisfied with -

(a) a notice under section 21(5) or (9); or

(b) the failure of a Scottish public authority to which a requirement for review was made to give such a notice.

may make application to the Commissioner for a decision whether, in any respect specified in that application, the request for information to which the requirement relates has been dealt with in accordance with Part 1 of this Act.

(2) An application under subsection (1) must -

(a) be in writing or in another form which, by reason of its having some permanency, is capable of being used for subsequent reference (as, for example, a recording made on audio or video tape);

(b) state the name of the applicant and an address for correspondence; and

(i) the request for information to which the requirement for review relates;

(ii) the matter which was specified under sub-paragraph (ii) of section 20(3)(c); and

(iii) the matter which gives rise to the dissatisfaction mentioned in subsection (1).

…

UK General Data Protection Regulation

Article 4 Definitions

For the purpose of this Regulation:

1 ‘personal data’ means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person:

…

Article 5 Principles relating to processing of personal data

1 Personal data shall be:

a. processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”)

…

Article 6 Lawfulness of processing

1 Processing shall be lawful only if and to the extent that at least one of the following applies:

…

f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

Data Protection Act 2018

3 Terms relating to the processing of personal data

…

(2) “Personal data” means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

(3) “Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to –

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

(4) “Processing”, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as –

…

(d) disclosure by transmission, dissemination or otherwise making available,

…

(10) “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).

…

(14) In Parts 5 to 7, except where otherwise provided –

(a) references to the UK GDPR are to the UK GDPR read with Part 2;

…

(c) references to personal data, and the processing of personal data, are to personal data and processing to which Part 2, Part 3 or Part 4 applies;

(d) references to a controller or processor are to a controller or processor in relation to the processing of personal data to which Part 2, Part 3 or Part 4 applies.