Home Decisions

Decision 019/2023

Decision 019/2023: Maybole Regeneration Project

Authority: South Ayrshire Council
Case Ref: 202100902 

Summary

The Applicant asked the Authority for the minutes of various meetings relating to the funding of the Maybole Regeneration project, particularly in relation to Grade B listed buildings and the building formally known as The Speakers.  The Commissioner investigated and found that the Authority was correct to state that it held no further information and to withhold some personal data, but also found that the Authority failed to provide a response within the statutory timescale. 

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 10(1) (Time for compliance); 17(1) (Notice that information is not held); 20(6) (Requirement for review of refusal etc.); 38(1)(b), (2A), (5) (definitions of “the data protection principles”, “data subject”, “personal data”, “processing” and “the UK GDPR”) and (5A) (Personal information); 47(1) and (2) (Application for decision by Commissioner)

United Kingdom General Data Protection Regulation (the UK GDPR) articles 5(1)(a) (Principles relating to processing of personal data); 6(1)(f) (Lawfulness of processing) 

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5) and (10)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 25 February 2021, the Applicant made a request for information to the Authority.  She asked for:

i) copies of minutes for all meetings where decisions regarding the applications for funding from the Maybole Regeneration Project were made, and by whom collectively, and the reason other grade B listed buildings, including a specific one, were turned down.  The Applicant commented that, as there are only 40+ properties, there should be a full description on each regarding what works are agreed to be done to bring them up to a better standard.  She asked for minutes with full clarification of these proposed works, even if no one has been appointed to carry them out.

ii) minutes from the meeting with the surveyor who carried out the due diligence on each of the properties within the Regeneration Project proposal.

iii) minutes when further funding for the frontage of the building formally known as The Speakers was agreed within this project and what it covered.  The Applicant believed there would have been a full itemised application to allow the decision to be made.

2. The Authority did not respond to the request.  

3. On 27 May 2021, the Applicant wrote to the Authority requesting a review.  The Applicant stated that she had taken the failure to respond as a refusal and asked for this to be reviewed.  

4. The Authority notified the Applicant of the outcome of its review on 23 June 2021.  It apologised for its failure to provide a response within the statutory timescale, as required by FOISA.  The Authority:

  • provided information in relation to part i) of the request, redacting what it considered to be personal data under section 38(1)(b) of FOISA
  • included links to further information available on its website
  • notified the Applicant, under section 17 of FOISA, that it did not hold information relating to parts ii) and iii) of the request 

5. To assist the Applicant, the Authority also provided a copy of the instructions and discussions with the surveyor in relation to part ii) of the request. 

6. On 27 July 2021, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA.  The Applicant stated that she was dissatisfied with the outcome of the Authority’s review because she:

  • was concerned that some information could not be found
  • believed every decision of the Authority should have been documented
  • considered that the information provided by the Authority was vague
  • did not agree that information should have been withheld under section 38(1)(b) of FOISA and
  • was dissatisfied with the time taken to respond to her request.  

Investigation

7. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation. 

8. On 25 August 2021, the Authority was notified in writing that the Applicant had made a valid application.  The Authority was asked to send the Commissioner the information withheld from the Applicant. The Authority provided the information and the case was allocated to an investigating officer. 

9. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Authority was invited to comment on this application and to answer specific questions. 

10. During the investigation, the Authority recognised that some of the personal data it had previously withheld was already in the public domain. It provided this information to the Applicant on 14 December 2022. 

Commissioner’s analysis and findings

11. The Commissioner has considered all the submissions made to him by the Applicant and the Authority.  

Environmental information

12. Some of the information which is the subject of this application is environmental information for the purposes of the Environmental Information (Scotland) Regulations 2004 (the EIRs).  However, the request for review was made by the Applicant outwith the period set down in regulation 16(2) of the EIRs and the EIRs do not give the Authority the power to carry out a “late” review under the EIRs.  This is different from the position under FOISA: section 20(6) of FOISA specifically gives the Authority the power to carry out a “late” review, which is what it appears to have done here.  Consequently, the Commissioner has considered the case solely in the light of the Applicant’s rights under FOISA.  In any event, in this case, the Commissioner is satisfied that the outcome would have been the same regardless of which regime the request was considered under.  

Background

13. The Authority explained that, in 2015, following the building of a bypass, it led a charette process that created the Maybole Regeneration Project  as a partnership between it and Maybole Community Council.  (A charette process could be described as a collaborative session in which designers, stakeholders, citizens and clients draft a vision and direction for development.) The project is overseen by a project board of the Community Council, Cassillis Estate, community representatives and the Authority.  It focuses on delivering projects aimed at making the town a better place to live, work, visit and do business.  

Failure to respond within statutory timescale

14. Section 10(1) of FOISA states that a Scottish public authority receiving a request which requires it to comply with section 1(1) of FOISA must comply promptly and within 20 working days.  

15. It is a matter of fact that the Authority did not provide a response to the Applicant’s request for information within 20 working days, so the Commissioner finds that it failed to comply with section 10(1) of FOISA. 

16. As the Authority has now provided a response and apologised to the Applicant, the Commissioner is satisfied that no further action is required. 

Information held 

17. Section 1(1) of FOISA provides that a person who requests information from a Scottish public authority which holds it is entitled to be given that information by the authority, subject to qualifications which, by virtue of section 1(6) of FOISA, allow Scottish public authorities to withhold information or charge a fee for it.  

18. The information to be given is that held by the authority at the time the request is received, (section 1(4)).  This is not necessarily to be equated with information an applicant believes the authority should hold, although an applicant’s reasons may be relevant to the investigation of what is actually held.  If no such information is held by the authority, section 17(1) of FOISA requires it to give the applicant notice in writing to that effect.

19. It is important to bear in mind that this obligation relates to information actually held by an authority when it receives the request, as opposed to information an applicant believes the authority should hold.

20. The standard of proof to determine whether a Scottish public authority holds information is the civil standard of the balance of probabilities. In determining where the balance of probabilities lies, the Commissioner considers the scope, quality, thoroughness and results of the searches carried out by the public authority. He also considers, where appropriate, any reason offered by the public authority to explain why it does not hold the information. While it may be relevant as part of this exercise to explore expectations about what information the authority should hold, ultimately the Commissioner's role is to determine what relevant recorded information is (or was, at the time the request was received) actually held by the public authority.

The Authority’s submissions on searches and information held

21. The Authority explained that it held records relating to the Project Board and its work and recognised that these records were subject to disclosure. 

22. In its submissions, the Authority stated that all the information relating to this request was held by the Maybole Regeneration Project, which has a Project Lead who was an employee of the Authority.  The Project Lead was asked to carry out electronic and manual searches for any information falling within the scope of the Applicant’s request. The Authority documented the searches it had carried out and shared this with the Commissioner. 

23. The Authority submitted that all of the minutes falling within the scope of the Applicant’s request were provided to the Applicant except those relating to part iii) of her request, i.e. the grant application for Goudies (formerly The Speakers).  It explained that hand-written notes had been taken, but had not been formalised into a typed and recorded minute.  The Authority described how the Project Lead had carried out extensive searches of the paper files, but the hand-written notes could not be located.

24. The Authority recognised that the misplacing of these notes was not in keeping with its commitment to adhere to high standards of records management.  It explained that there had been a significant period when the Project Lead role had been vacant and that, additionally, an office move had taken place during this time.  

The Applicant's submissions about the information held

25. The Applicant expressed concern at the lack of information available, particularly as the matter involved public funding.  She considered that every decision made (in respect of this Project) would have been documented as it affected many businesses and private house holders.  

The Commissioner's conclusions on whether information is held 

26. Having considered the submissions, the Commissioner is satisfied that the Authority carried out adequate searches of the electronic and paper filing systems where the information requested by the Applicant would have been most likely to be held. 

27. The Commissioner is also satisfied that the person who carried out the searches was the most appropriate to do so, based on their job role and knowledge of the project.

28. The Commissioner agrees, with regard to the missing hand-written notes of the meeting relating to The Speakers, that this fell short of the standard of record keeping expected of Scottish public authorities.  However, he does recognise that circumstances, during the Covid-19 pandemic, and various lockdowns, made records management, documentation and recording of communications, etc. more difficult. 

29. The Applicant clearly believes that the Authority should hold further, more detailed information.  The Commissioner highlights again that he can only consider the information that an authority actually holds at the time of the request, and cannot comment on what an authority should or ought to hold.  

30. In all of the circumstances, therefore, the Commissioner is satisfied, on the balance of probabilities, that the Authority does not hold any further information falling within the scope of the Applicant’s request.  The Authority was therefore entitled to notify the Applicant, in terms of section 17 of FOISA, that it did not hold information requested in parts ii) and iii) of the request. 

Section 38(1)(b) - Personal information 

31. The Authority sought to rely on the exemption in section 38(1)(b) to withhold some of the information provided in response to part i) of the Applicant’s request. 

32. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A), exempts information from disclosure if it is "personal data" (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR or (where relevant) in the DPA 2018.

33. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.  

34. As noted above, during the investigation, the Authority identified that some personal data, that it had previously withheld, was already in the public domain and it provided this information to the Applicant. The failure to disclose this information at an earlier stage was a breach of section 1(1) of FOISA.  

Is the (remaining) withheld information personal data?

35. The first question the Commissioner must address is whether the withheld information is personal data for the purposes of section 3(2) of the DPA 2018.

36. “Personal data” is defined in section 3(2) of the DPA 2018 as “any information relating to an identified or identifiable individual”.  Section 3(3) of the DPA 2018 defines “identifiable living individual” as a living individual who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, an identification number, location data, or an online identifier, or one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of the individual.

37. Information will “relate” to a person if it is about them, linked to them, has biographical significance for them, issued to inform decisions about them, or has them as its main focus.

38. An individual is “identifiable” if it is possible to distinguish them from other individuals.

39. The Authority considered that, as the withheld information consisted of names and contact details for individuals, the information was personal data in line with section 3 of the DPA 2018.  It noted that, for each individual, it had provided the Applicant with the role/position of the individual, the organisation they worked for and their gender.   The Commissioner is satisfied that the individuals are identifiable.  

40. The Commissioner is also satisfied, as the data highlights the involvement of the individuals in specific meetings, etc., that it relates to them.

41. The Commissioner therefore accepts that the information is personal data.

Would disclosure contravene one of the data protection principles?

42.    Article 5(1)(a) of the UK GDPR requires personal data to be processed “lawfully, fairly and in a transparent manner in relation to the data subject”.  The definition of “processing” is wide and includes (section 3(4)(d) of the DPA 2018) "disclosure by transmission, dissemination or otherwise making available". In the case of FOISA, personal data are processed when disclosed in response to a request. Personal data can only be disclosed if disclosure would be both lawful (i.e. if it would meet one of the conditions of lawful processing listed in Article 6(1) of the UK GDPR) and fair.

Lawful processing: Articles 6(1)(f) of the UK GDPR


 43. Among other questions, therefore, the Commissioner must consider if disclosure of the personal data would be lawful.  In considering lawfulness, he must consider whether any of the conditions in Article 6 of the UK GDPR would allow the personal data to be disclosed.

44. The Authority was of the view that there was no condition in Article 6 which would allow the personal data to be disclosed.  In reaching this conclusion, it considered the application of condition (f) in Article 6(1).

45. In its view, it would have been unfair and disproportionate to disclose the personal data, as the data related to more junior members of its staff and to third parties.  The Authority explained that it considered it reasonable to disclose this type of data for more senior staff members, who could be considered to be “decision-makers”.   The Authority, in reaching this conclusion, had considered the Commissioner’s Decision 026/2018 

Condition (f): legitimate interests

46. Condition (f) states that processing will be lawful if it “…is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child”.

47. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, section 38(5A) of FOISA makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.

48. The tests which must be met before Article (6)(f) can apply are as follows:

  • Does the Applicant have a legitimate interest in obtaining the personal data?
  • f so, would the disclosure of the personal data be necessary to achieve that legitimate interest?
  • Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subjects?

Does the Applicant have a legitimate interest in obtaining the personal data?

49. There is no definition within the DPA 2018 of what constitutes a “legitimate interest”, but the Commissioner takes the view that the term indicates that matters in which an individual properly has an interest should be distinguished from matters about which he or she is simply inquisitive.  The Commissioner’s published guidance on the Personal Information exemption in section 38(1)(b)  states:

"In some cases, the legitimate interest might be personal to the applicant, e.g. he or she might want the information in order to bring legal proceedings.  With most requests, however, there are likely to be wider legitimate interests, such as the scrutiny of the actions of public bodies or public safety."

50. The Applicant outlined in her application to the Commissioner why obtaining the names of the individuals involved in the funding decisions was of importance.  She explained that without this information it was not possible to determine whether any potential conflict of interest could have occurred.  

51. The Authority accepted that the Applicant had a legitimate interest in seeking evidence of the decision-making process to allow her to scrutinise the decisions and the process.  However, it considered that the Project Board’s funding decisions were a matter for the whole Project Board, and not for the individuals involved. 

52. The Authority acknowledged there was clearly a legitimate public interest in transparency of the funding activities carried out by the Maybole Regeneration Project Board, in respect of any public funds.  

53. The Applicant submitted that determining whether any potential conflict of interest could have occurred in a project partly funded by public money required knowledge of who was involved, while the Authority considered that the responsibility (for decisions involving the Project) lay with the Project Board as a whole.  

54. Having considered all relevant submissions, the Commissioner is satisfied that the Applicant does have a legitimate interest in the withheld information.

Is disclosure of the personal data necessary? 

55. Having accepted that the Applicant has a legitimate interest, the Commissioner must consider whether the disclosure of the personal data is necessary to meet the legitimate interest.  In doing so, he must consider whether these interests might reasonably be met by any alternative means.

56. The Commissioner has considered this carefully in the light of the decision by the Supreme Court in South Lanarkshire Council v Scottish Information Commissioner (2013) UKSC 55 , In this case, the Supreme Court stated (at paragraph 27):

"… A measure which interferes with a right protected by Community law must be the least restrictive for the achievement of a legitimate aim.  Indeed, in ordinary language we would understand that a measure would not be necessary if the legitimate aim could be achieved by something less."

57. As the Supreme Court confirmed, "necessary" means "reasonably" rather than "absolutely" or "strictly" necessary. When considering whether disclosure would be necessary, public authorities should consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether a requester's legitimate interests can be met by means which interfere less with the privacy of the data subject.

58. The Authority advised the Commissioner that there is a robust and clear process for applying for grants. It described how all grants must be applied for and go through a two-stage application and approval process: applications are scored on a variety of criteria, including grant type, listed status, location, community value and scope of repairs.  If the applicant of the grant is not satisfied with the decision, they may lodge an appeal.  The application process  is laid out in a flow chart on the Project’s website.

59. The Authority also highlighted that the Maybole Regeneration Project public website provides regular updates on projects, public consultants, etc. There is also a Maybole Community Action plan 2019 - 2024  which lays out the vision and aims of the regeneration programme. 

60. The Authority considered that the Applicant and others have several routes to pursue those legitimate interests as the process is open to challenge via the appeal process carried out by members of the Project Board not involved in the original decision, as well as having the option to raise concerns with any of the individual funding partners.  

61. Having considered the Applicant’s legitimate interests, the Commissioner is not satisfied that disclosure of the withheld personal data is necessary to achieve the Applicant’s legitimate interests.  In coming to this decision, the Commissioner has taken into account the comments made by the Authority, the information already disclosed and the view of the Applicant. 

62. The Commissioner notes that the information redacted under section 38(1)(b) is minimal and does not render any of the disclosed information unintelligible, nor does it shield the names of the organisations represented. The Commissioner considers that the key content of the information has been left intact. 

63. As the Commissioner is satisfied the Applicant’s legitimate interests can be satisfied without requiring the disclosure of the withheld personal data, he finds that condition (f) of Article 6 (1) of the UK GDPR cannot be satisfied in this case.  Accordingly, he accepts that disclosure of the personal data would be unlawful. 

Interests or fundamental rights and freedoms of the data subject and fairness

64. Given that the Commissioner has concluded that the processing was unlawful, he is not required to go on to consider separately the data subjects’ interests or fundamental rights and freedoms, and balance them against the legitimate interests in disclosure or to go on to consider whether disclosure would otherwise be fair.

Section 38(1)(b) outcome

65. In the absence of a condition in Article 6(1) of the UK GDPR being met, the Commissioner must conclude that disclosure of the withheld personal data would be unlawful and would therefore breach the data protection principle in Article 5(1)(a) of the UK GDPR.  Consequently, he is satisfied that the personal data is exempt from disclosure under section 38(1)(b).

Decision 

The Commissioner finds that the Authority partially complied with Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant.  

He is satisfied that the Authority did not hold some of the information and was entitled to withhold some personal data under section 38(1)(b) of FOISA.

However, he finds that the Authority failed to comply with Part 1 of FOISA by:

  • withholding information which was already in the public domain (a breach of section 1(1)) and
  • failing to respond to the Applicant’s request in line with the timescale in section 10(1)

The Commissioner does not require the Authority to take any action in respect of this failure.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement 

7 March 2023



Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(2) The person who makes such a request is in this Part and in Parts 2 and 7 referred to as the “applicant.”

,,,

 (6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions 

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that – 

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption – 

(e) in subsection (1) of section 38 – 

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

10 Time for compliance

(1) Subject to subsections (2) and (3), a Scottish public authority receiving a request which requires it to comply with section 1(1) must comply promptly; and in any event by not later than the twentieth working day after-

(a) in a case other than that mentioned in paragraph (b), the receipt by the authority of the request; or

(b) in a case where section 1(3) applies, the receipt by it of the further information.

    …

17 Notice that information is not held

(1) Where-

(a) a Scottish public authority receives a request which would require it either-

(i) to comply with section 1(1); or

(ii) to determine any question arising by virtue of paragraph (a) or (b) of section 2(1),

if it held the information to which the request relates; but

(b) the authority does not hold that information,

it must, within the time allowed by or by virtue of section 10 for complying with the request, give the applicant notice in writing that it does not hold it.

20 Requirement for review of refusal etc.

(6) A Scottish public authority may comply with a requirement for review made after the expiry of the time allowed by subsection (5) for making such a requirement if it considers it appropriate to do so.

38 Personal information 

(1) Information is exempt information if it constitutes-

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

  (5) In this section-

"the data protection principles" means the principles set out in – 

(a) Article 5(1) of the UK GDPR, and

(b) section 34(1) of the Data Protection Act 2018; 

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act);

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act).

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

47 Application for decision by Commissioner

(1) A person who is dissatisfied with -

(a) a notice under section 21(5) or (9); or

(b) the failure of a Scottish public authority to which a requirement for review was made to give such a notice.

may make application to the Commissioner for a decision whether, in any respect specified in that application, the request for information to which the requirement relates has been dealt with in accordance with Part 1 of this Act.

(2) An application under subsection (1) must - 

(a) be in writing or in another form which, by reason of its having some permanency, is capable of being used for subsequent reference (as, for example, a recording made on audio or video tape);

(b) state the name of the applicant and an address for correspondence; and

(c) specify – 
    (i) the request for information to which the requirement for review relates;

    (ii) the matter which was specified under sub-paragraph (ii) of section 20(3)(c);    and

    (iii the matter which gives rise to the dissatisfaction mentioned in subsection (1).

    …

UK General Data Protection Regulation

Article 5 Principles relating to processing of personal data 

1    Personal data shall be:

    a. processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”)

    …

Article 6 Lawfulness of processing 

1 Processing shall be lawful only if and to the extent that at least one of the following applies:

    …

    f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

Data Protection Act 2018

3 Terms relating to the processing of personal data 

    …

    (2) “Personal data” means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

    (3) “Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to – 

        (a)    an identifier such as a name, an identification number, location data or an online identifier, or

        (b)    one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

    (4) “Processing”, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as – 

        …

        (d)    disclosure by transmission, dissemination or otherwise making available,

        …

(5) “Data subject” means the identified or identifiable living individual to whom personal data relates.

(10) “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).