Decision 018/2023: Complaints or disciplinary action against a named social worker
Public authority: Renfrewshire Council
Case Ref: 202101055
Summary
The Council was asked whether a named social worker had been subject to complaints and/or disciplinary action. The Commissioner found that the Council was entitled to refuse to confirm or deny whether it held the information.
Relevant statutory provisions
Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and 2(e)(ii) (Effect of exemptions); 18(1) (Further provision as respects responses to request); 38(1)(b), (2A)(a), (5) (definitions of “the data protection principles”, “data subject”, “personal data” and “processing”, and “the UK GDPR”) and (5A) (Personal information)
United Kingdom General Data Protection Regulation (the UK GDPR) Article 5(1)(a) (Principles relating to processing of personal data); 6(1)(f) (Lawfulness of processing)
Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d) and (5), (10) and (14)(a), (c) and (d) (Terms relating to the processing of personal data)
The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.
Background
1. On 2 March 2021, the Applicant made a request for information to Renfrewshire Council (the Council). She asked about any complaints received by the Council regarding the conduct or work of a named social worker (“the social worker”) when they were a social worker for the Council and about any disciplinary action the social worker was subject to.
2. The Council responded on 30 March 2021. The Council applied section 18 of FOISA, in conjunction with section 38(1)(b) (Personal information) and refused to confirm or deny whether the requested information existed or was held. The Council noted that guidance from the (UK) Information Commissioner (who regulates data protection legislation throughout the UK) states that information regarding an employee’s disciplinary record relates to them and their personal circumstances and that there is an expectation that information about an employee’s disciplinary record should not be disclosed.
3. On 25 April 2021, the Applicant wrote to the Council, requesting a review of its decision in relation to this and to another case. The Applicant commented that the range of information she was seeking was wider than disciplinary records.
4. The Council notified the Applicant of the outcome of its review on 21 May 2021. It upheld its original decision. (The Council’s review included a reference to the exemption in section 36(2) (Confidentiality), arguing that some of the information, if it existed, would have been provided by individual social work clients in confidence. Given that this exemption cannot be applied in conjunction with section 18(1) and that it became clear during the investigation that the Council only wished to rely on section 38(1)(b), the Commissioner will not consider section 36(2) further.)
5. On 24 August 2021, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. The Applicant stated she was dissatisfied with the outcome of the Council’s review.
Investigation
6. The application was accepted as valid. The Commissioner confirmed that the Applicant made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.
7. On 17 September 2021, the Council was notified in writing that the Applicant had made a valid application. The case was allocated to an investigating officer.
8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. On 17 February 2022, the Council was invited to comment on this application and to answer specific questions.
9. Further submissions were also sought and obtained from the Applicant.
Commissioner’s analysis and findings
10. In coming to a decision on this matter, the Commissioner considered all of the relevant submissions, or parts of submissions, made to him by both the Applicant and the Council. He is satisfied that no matter of relevance has been overlooked.
Section 18(1) – “neither confirm nor deny”
11. Section 18(1) of FOISA allows public authorities to refuse to confirm or deny whether they hold information in the following limited circumstances:
- a request has been made to the authority for information which may or may not be held by it; and
- if the information existed and was held by the authority (and it need not be), it could give a refusal notice under section 16(1) of FOISA, on the basis that the information was exempt information by virtue of any of the exemptions in sections 28 to 35, 38, 39(1) or 41 of FOISA; and
- the authority considers that to reveal whether the information exists or is held by it would be contrary to the public interest.
12. Where section 18(1) is under consideration, the Commissioner must ensure that his decision notice does not confirm one way or the other whether the information requested actually exists or is held by the authority. This means he is unable to comment in any detail on the Council’s reliance on any of the exemption referred to, or on other matters which could have the effect of indicating whether the information exists or is held by the Council.
Section 38(1)(b) – Personal information
13. Section 38(1)(b), read in conjunction with section 38(2A)(a) (or (b)), exempts information from disclosure if it is “personal data”, as defined in section 3(2) of the DPA 2018 and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the GDPR.
Would the information be personal data?
14. “Personal data” is defined in section 3(2) of the DPA 2018 as “any information relating to an identified or identifiable living individual”. Section 3(3) of the DPA 2018 defines “identifiable living individual” as “a living individual who can be identified, directly or indirectly, in particular with reference to –
(a) an identifier such as a name, an identification number, location data or an online identifier, or
(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.”
15. Given that the information request is framed with reference to a named person, and given the subject matter of the request, the Commissioner is satisfied that, if this information did exist and was held by the Council, any information captured by the request would clearly relate to the named individual. The Commissioner therefore accepts that, if it existed and was held, the information would be personal data as defined in section 3(2) of the DPA 2018.
Would disclosure contravene one of the data protection principles?
16. The Council argued that disclosing the personal data, if it existed and were held, would breach the first data protection principle. This requires personal data to be processed “lawfully, fairly and in a transparent manner in relation to the data subject” (Article 5(1)(a) of the GDPR).
17. The definition of “processing” is wide and includes (section 3(4)(d) of the DPA 2018), “disclosure by transmission, dissemination or otherwise making available”. In the case of FOISA, personal data are processed when disclosed in response to a request. This means that, if it existed and was held, the personal data could only be disclosed if disclosure would be both lawful (i.e. if it would meet one of the conditions of lawful processing listed in Article 6(1) of the UK GDPR) and fair.
Lawful processing: Article 6(1)(f) of the UK GDPR
18. In considering lawfulness, the Commissioner must consider whether any of the conditions in Article 6(1) of the UK GDPR would allow the personal data, if it existed and was held, to be disclosed.
19. The Commissioner considers that, if the information existed and was held, condition (f) is the only one condition which could potentially apply. This states that processing shall be lawful if it is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data ...”
20. Although Article 6(1) states that this condition cannot apply to processing carried out by a public authority in performance of its tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.
21. The tests which must be met before Article 6(1)(f) can be met are as follows:
(i) Would the Applicant have a legitimate interest in obtaining personal data, if held?
(ii) If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?
(iii) Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subject?
Would the Applicant have a legitimate interest in obtaining the personal data, if held?
22. While the Council acknowledged there was a clear legitimate interest in organisational accountability, it queried whether, in the circumstances, there was a legitimate interest in the disclosure of information about a single, former member of staff.
23. The Commissioner notes the Council’s comments, but considers the Applicant has provided persuasive arguments as to her legitimate interests in the personal data, if held. The Commissioner is therefore satisfied that, if it existed and were held, the Applicant (and, indeed, the wider public) would have a legitimate interest in obtaining the personal data.
Would disclosure be necessary?
24. The next question is whether, if the personal data existed, disclosure would be necessary to achieve the legitimate interest in the information. “Necessary” means “reasonably” rather than “absolutely” or “strictly” necessary. When considering whether disclosure would be necessary, public authorities must consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the Applicant’s legitimate interests could reasonably be met by means which interfered less with the privacy of the data subject.
25. The Council queried how disclosing information about complaints, etc. (if, indeed, any had been made) would be necessary for the purpose of meeting the Applicant’s legitimate interests.
26. However, in the Commissioner’s view, the only way the Applicant’s legitimate interest in the particular circumstances of this case could be met would be by viewing the information requested (assuming it exists and is held). The Commissioner notes that no policy or procedure has been brought to his attention by either the Council or the Applicant that might offer another way for the Applicant to be able to scrutinise and understand the actions and decisions of the Council. The Commissioner accepts that disclosure of any information held would be necessary for the Applicant’s legitimate interests.
The data subject’s interests or fundamental rights and freedoms (and balancing exercise)
27. The Commissioner has concluded that the disclosure of the information (if existing and held) would be necessary to achieve the Applicant’s legitimate interests. However, this must be balanced against the fundamental rights and freedoms of the social worker. Only if the legitimate interests of the Applicant outweighed those of the data subject could personal data be disclosed without breaching the first data protection principle.
28. The Commissioner has considered the submissions from both parties carefully, in the light of the decision by the Supreme Court in South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55 .
29. In carrying out the balancing exercise, much will depend on the reasonable expectations of the data subject. Factors which will be relevant in determining reasonable expectations include:
(i) whether the information relates to the individual’s public life (i.e. their work as a public official or employee) or their private life (i.e. their home, family, social life or finances)
(ii) the potential harm or distress that may be caused by disclosure
(iii) whether the individual objected to the disclosure.
30. The Council considered that disclosure of any information (if indeed it existed) would be distressing. The Council also argued that, given that the social worker has not worked for the Council for some time, the social worker would have no expectation that any information (if held) would be disclosed into the public domain which, as noted above, is the effect of information being disclosed in response to an FOI request.
31. The Commissioner agrees with the Council that the information (if it existed and were held) would be information a person would generally expect to be kept confidential and only shared amongst limited individuals for specific purposes.
32. The Commissioner has also considered the potential harm or distress that could be caused by disclosure of the information (if it existed and were held). Disclosure under FOISA is a public disclosure. At the most general level, disclosing or alleging some work place impropriety has taken place is likely to cause some reputational damage to the named individual.
33. After carefully balancing the legitimate interests of the Applicant against the interests or fundamental rights or freedoms of the data subjects, the Commissioner finds that the legitimate interests served by disclosure of any information held would be outweighed by the unwarranted prejudice that would result to the rights and freedoms or legitimate interests of the individuals in question in this case.
34. In all the circumstances of this particular case, the Commissioner concludes that condition (f) in Article 6(1) of the UK GDPR could not be met in relation to the withheld personal data (if it exists and is held).
Fairness and transparency
35. Given that the Commissioner has concluded that the processing of the personal data, if existing and held, would be unlawful, he is not required to go on to consider whether disclosure of such personal data would otherwise be fair and transparent in relation to the data subject.
Conclusion on the data protection principles
36. For the reasons set out above, the Commissioner is satisfied that disclosure of any personal data, if it existed and were held, would breach the data protection principle in Article 5(1)(a) of the UK GDPR. Consequently, he is satisfied that such personal data would be exempt from disclosure under section 38(1)(b) of FOISA and that the Council could give a refusal notice under section 16(1) of FOISA, on the basis that the information would be exempt by virtue of section 38(1)(b).
Section 18(1) – The public interest
37. The Commissioner must now consider whether the Council was entitled to conclude that it would be contrary to the public interest to reveal whether the information existed or was held.
The Applicant’s submissions
38. The Applicant considered that it was in the public interest for the public to know whether the information she had asked for existed.
The Council’s submissions
39. The Council stated that its decision is based purely on data protection considerations and is not aimed at avoiding transparency.
The Commissioner’s conclusions
40. The test the Commissioner must consider is whether (having already concluded that the information, if it existed and were held, would be exempt from disclosure) it would be contrary to the public interest to reveal whether the information existed or was held.
41. The Commissioner has fully considered the submissions from the Applicant and appreciates that, where a complaint or disciplinary action has been made or taken against a member of staff, there would be a public interest in ensuring that adequate consideration had been given to all facts of the case and a full and robust investigation is carried out.
42. However, the Commissioner is aware that the action of confirming or denying whether the information existed or was held would have the effect of revealing whether the named individual was subject to a complaints or disciplinary action. Doing so, would, of itself, lead to the Council breaching its duties as a data controller under data protection legislation. In the circumstances, the Commissioner must find that it would be contrary to the public interest for the Council to reveal whether it held the requested information, or whether the information existed.
43. Consequently, the Commissioner is satisfied that the Council was entitled to refuse to confirm or deny, whether the information requested by the Applicant existed or was held, in accordance with section 18(1) of FOISA.
Decision
The Commissioner finds that Renfrewshire Council complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by the Applicant.
Appeal
Should either the Applicant or the Council wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.
Daren Fitzhenry
Scottish Information Commissioner
28 February 2023
Appendix 1: Relevant statutory provisions
Freedom of Information (Scotland) Act 2002
1 General entitlement
(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.
…
(6) This section is subject to sections 2, 9, 12 and 14.
2 Effect of exemptions
(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that –
(a) the provision does not confer absolute exemption; and
…
(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption –
…
(e) in subsection (1) of section 38 –
…
(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.
18 Further provision as respects responses to request
(1) Where, if information existed and was held by a Scottish public authority, the authority could give a refusal notice under section 16(1) on the basis that the information was exempt information by virtue of any of sections 28 to 35, 38, 39(1) or 41 but the authority considers that to reveal whether the information exists or is so held would be contrary to the public interest, it may (whether or not the information does exist and is held by it) give the applicant a refusal notice by virtue of this section.
…
38 Personal information
(1) Information is exempt information if it constitutes-
…
(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);
…
(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -
(a) would contravene any of the data protection principles, or
…
(5) In this section-
"the data protection principles" means the principles set out in –
(a) Article 5(1) of the UK GDPR, and
(b) section 34(1) of the Data Protection Act 2018;
"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
…
“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act);
“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act).
(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.
…
UK General Data Protection Regulation
Article 5 Principles relating to processing of personal data
1 Personal data shall be:
a. processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”)
…
Article 6 Lawfulness of processing
1 Processing shall be lawful only if and to the extent that at least one of the following applies:
…
f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.
Data Protection Act 2018
3 Terms relating to the processing of personal data
…
(2) “Personal data” means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).
(3) “Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to –
(a) an identifier such as a name, an identification number, location data or an online identifier, or
(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
(4) “Processing”, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as –
…
(d) disclosure by transmission, dissemination or otherwise making available,
…
(5) “Data subject” means the identified or identifiable living individual to whom personal data relates.
…
(10) “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).
…
(14) In Parts 5 to 7, except where otherwise provided –
(a) references to the UK GDPR are to the UK GDPR read with Part 2;
…
(c) references to personal data, and the processing of personal data, are to personal data and processing to which Part 2, Part 3 or Part 4 applies;
(d) references to a controller or processor are to a controller or processor in relation to the processing of personal data to which Part 2, Part 3 or Part 4 applies.
