Decision 016/2022: Data Controller(s): Midlothian and East Lothian Multi-Agency Risk Assessment Conference
Public authority: East Lothian Council
Case Ref: 202100338
The Council was asked for the Data Controller(s) recorded by it for the Midlothian and East Lothian Multi-Agency Risk Assessment Conference (MARAC). The Council provided the Applicant with information relating to the East Lothian MARAC, directed him to where information about non-East Lothian Data Controllers attending this MARAC could be found and confirmed that no further information was held. The Commissioner investigated and found that the Council was entitled to respond as it had.
Relevant statutory provisions
Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (4) (General entitlement)
The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.
1. It may be helpful to explain that a Multi-Agency Risk Assessment Conference or “MARAC” is a local meeting where statutory and non-statutory agencies meet to discuss individuals at high risk of serious harm or murder as a result of domestic abuse.
2. On 7 February 2021, the Applicant made a request for information to East Lothian Council (the Council). The information requested was the data controller(s) recorded by the Council for the Midlothian and East Lothian MARAC.
3. The Council responded on 10 February 2021, providing details for the operational level data controller for the East Lothian and Midlothian MARACs on behalf of the East Lothian and Midlothian Public Protection Committee, explaining that MARAC operated through East Lothian Council Information Systems and providing the name of the relevant Council Data Protection Officer.
4. On 11 February 2021, the Applicant wrote to the Council requesting a review of its decision on the basis that he had not asked about the East Lothian and Midlothian Public Protection Committee but for all of the Data Controllers present at the East Lothian and Midlothian MARAC. The Applicant added that he would appreciate the Data Protection reference numbers recorded with the Information Commissioner’s Office (ICO) being provided.
5. The Council notified the Applicant of the outcome of its review on 11 March 2021. It informed the Applicant that there was no Midlothian and East Lothian MARAC but that each Council operated their own MARAC under the East Lothian and Midlothian Public Protection Committee. It provided details of the Data Controllers for East Lothian’s MARAC together with the ICO reference numbers in so far this information was held by the Council and a link to the ICO website where other ICO registration numbers could be found. The Council also provided a copy of the MARAC Operating Protocol, which included details of the Data Controllers for East Lothian’s MARAC and Midlothian’s MARAC.
6. On 15 March 2021, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. The Applicant stated he was dissatisfied with the outcome of the Council’s review because he believed there was an East Lothian MARAC and that it was not covered by the MAPPA (Multi-Agency Public Protection Arrangements) Information Sharing Agreement (ISA) and should have a separate list of Data Controllers independent of the MAPPA process.
7. The application was accepted as valid. The Commissioner confirmed that the Applicant made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.
8. On 19 March 2021, the Council was notified in writing that the Applicant had made a valid application and the case was allocated to an investigating officer.
9. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Council was invited to comment on this application and to answer specific questions. These related to why the Council considered it had no further information falling within the Applicant’s request.
Commissioner’s analysis and findings
10. In coming to a decision on this matter, the Commissioner considered all of the relevant submissions, or parts of submissions, made to him by both the Applicant and the Council. He is satisfied that no matter of relevance has been overlooked.
Whether information was held
11. Section 1(1) of FOISA provides that a person who requests information from a Scottish public authority which holds it is entitled to be given that information by the authority, subject to qualifications which, by virtue of section 1(6) of FOISA, allow Scottish public authorities to withhold information or charge a fee for it. The qualifications contained in section 1(6) are not applicable in this case.
12. The information to be given is that held by the authority at the time the request is received, as defined in section 1(4). This is not necessarily to be equated with the information an applicant believes an authority should hold. If no such information is held by the authority, section 17(1) of FOISA requires it to give the applicant notice in writing to this effect.
13. The standard of proof to determine whether a Scottish public authority holds information is the civil standard of the balance of probabilities. In determining where the balance lies, the Commissioner considers the scope, quality, thoroughness and results of the searches carried out by the public authority. He also considers, where appropriate, any reasons offered by the public authority to explain why it does not hold the information. While it may be relevant as part of this exercise to explore expectations as to what information the authority should hold, ultimately the Commissioner’s role is to determine what information is actually held by the public authority (or was, at the time the request was received).
Submissions from the Applicant
14. In his submissions, the Applicant referred to the charity, SafeLives, and provided the Commissioner with a screenshot of its website as evidence that there was an email address linked to the MARAC he was asking about (i.e. an East Lothian and Midlothian MARAC).
15. The Applicant argued that data protection legislation required meetings such as MARACs to have their own data-sharing arrangements in place in each of the individual organisations that participate and, in his view, this should be separate to any arrangements for other types of data sharing that might occur between agencies (such as Multi-Agency Public Protection Arrangement (MAPPA) meetings).
16. In his application to the Commissioner, the Applicant explains that MARACs are not part of the MAPPA process, and he does not consider he has been provided with the data controllers who participate in the MARAC process, independent of the MAPPA process. In his view, the MARAC process should be covered by a separate Information Sharing Agreement (ISA) that justifies the sharing of special category and criminal offence data. The Applicant considers the Council appears to be conflating the MARAC and MAPPA meetings to obfuscate its lack of documentation to confirm compliance with the general Data Protection Regulation (GDPR) for the MARAC process.
Submissions from the Council
17. The Council, when providing its review response to the Applicant, provided him with the names of the Council staff working as Data Controllers concerned with the East Lothian MARAC, as well as the Data Protection reference number for the Council. The Council informed the Applicant how he could find out the ICO Registration numbers for the other data controllers who attended the East Lothian MARAC.
18. In its submissions to the Commissioner, the Council confirmed that there was one MARAC for East Lothian Council, and another separate MARAC for Midlothian Council, with East Lothian staff participating in the East Lothian one.
19. It further explained that the Council’s key document relating to MARAC was the East Lothian and Midlothian Public Protection Committee’s MARAC Operating Protocol, a copy of which was provided to the Applicant.
20. The Council submitted that the information requested by the Applicant was contained within this protocol, as it documented the partner agencies (and job titles) of those who it had been agreed can attend (and by extension share information) at the East Lothian MARAC and the Midlothian MARAC. The Commissioner notes that this document also signposts the reader to further information about the East Lothian and Midlothian Public Protection Committee, what organisations it is comprised of, its role and policy on information sharing.
The Commissioner’s findings
21. The standard of proof to determine whether a Scottish public authority holds information is the civil standard of the balance of probabilities. In determining where the balance lies, the Commissioner will consider the scope, quality, thoroughness and results of the searches carried out by the public authority. He will also consider, where appropriate, any reason offered by the public authority to explain why the information is not held.
22. The Applicant clearly has a view of what information he considers the Council should hold and in what form but, as mentioned previously, the Commissioner cannot comment on what information a public authority should hold: rather, the Commissioner’s role is to determine what relevant information is actually held by the public authority (or was, at the time the request was received).
23. The Commissioner has considered all of the submissions and the information already provided to the Applicant.
24. In the circumstances, the Commissioner is satisfied, on the balance of probabilities, that the Council provided the Applicant with the information it held falling within the scope of his request, and holds nothing further. Although the Applicant believed specified information would exist and be recorded in a particular way, the Commissioner is satisfied that this was not the case.
The Commissioner finds that East Lothian Council complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by the Applicant.
Should either the Applicant or the Council wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.
Head of Enforcement
2 February 2022
Appendix 1: Relevant statutory provisions
Freedom of Information (Scotland) Act 2002
1 General entitlement
(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.
(4) The information to be given by the authority is that held by it at the time the request is received, except that, subject to subsection (5), any amendment or deletion which would have been made, regardless of the receipt of the request, between that time and the time it gives the information may be made before the information is given.