Decision 027/2022: Data Controller(s) recorded at specific MARACs
Public authority: Chief Constable of the Police Service of Scotland
Case Ref: 202100727
Police Scotland were asked for the Data Controller(s) recorded by it for specified Multi-Agency Risk Assessment Conferences (MARACs).
Police Scotland notified the Applicant that they held no recorded information which would fulfil his request.
The Commissioner investigated and found that Police Scotland were entitled to respond as they did.
Relevant statutory provisions
Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (4) (General entitlement); 17(1) (Notice that information is not held).
The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.
1. It may be helpful to explain that a Multi-Agency Risk Assessment Conference or “MARAC” is a local meeting where statutory and non-statutory agencies meet to discuss individuals at high risk of serious harm or murder as a result of domestic abuse.
2. On 7 February 2021, the Applicant made a request for information to the Chief Constable of the Police Service of Scotland (Police Scotland).
The information requested was:
please detail the Data Controller (or Data Controllers) that are recorded by Police Scotland for the following MARACs [which he specified].
3. Police Scotland responded on 3 March 2021. They notified the Applicant, in line with section 17 of FOISA, that they did not hold the information covered by his request. Police Scotland referred the Applicant to guidance on the website of the UK Information Commissioner’s office (ICO) which sets out the definition of “Data Controller”. Police Scotland also explained that their Data Controller was the Chief Constable, similarly Aberdeen City Council was a Data Controller. Police Scotland provided the Applicant with another link to the UK ICO’s website to enable him to use the search facility to access a full list of Data Controllers.
4. On 9 March 2021, the Applicant wrote to Police Scotland requesting a review of their decision.
5. The Applicant sought a review on the basis that a previous Decision Notice of the Scottish Information Commissioner (DN 092/2019) had made it clear that a multi-agency meeting or group was not a single legal entity, so the Data Controller for any other single organisation could not be the Data Controller for an entity with no legal character. The Applicant considered Police Scotland’s reply to imply that it had absolved itself of its Data Protection statutory responsibilities and failed to record the Data Controllers with whom it shared information. The Applicant also referred to documentation which he considered Police Scotland should have in place in compliance with Data Protection responsibilities, from which it should be able to provide the Data Controller(s) details requested.
6. Police Scotland notified the Applicant of the outcome of their review on 31 May 2021. In doing so, Police Scotland upheld their reliance on section 17 of FOISA, explaining that it held no recorded information which would fulfil the Applicant’s request.
7. On 10 June 2021, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. The Applicant stated he was dissatisfied with the outcome of Police Scotland’s review for the following reasons:
- He considered Police Scotland’s response to be obtuse and disingenuous
- He submitted that when an individual representing one organisation shares information with another individual who represents another organisation, there should be a record of the organisations sharing information.
- He believed Data Controller organisations would be expected to be recorded when criminal offence data was shared at a MARAC meeting.
- Given the regularity of MARAC meetings, he believed these should be covered by Information Sharing Agreements (ISAs) or an Appropriate Policy Document (APD), recording the Data Controller organisations participating.
- He considered the requested information should be readily accessible and easily retrievable.
- He submitted that he should have been provided with the Data Privacy Impact Assessment (DPIA) confirming compliance with the UK GDPR in relation to multi-agency working and the recording of information on the interim Vulnerable Persons Database (iVPD).
8. The application was accepted as valid. The Commissioner confirmed that the Applicant made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.
9. On 15 July 2021, Police Scotland were notified in writing that the Applicant had made a valid application. The case was allocated to an investigating officer.
10. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. Police Scotland were invited to comment on this application and to answer specific questions. These related to the actions taken by Police Scotland to determine what recorded information they held falling within scope of the Applicant’s request.
Commissioner’s analysis and findings
11. In coming to a decision on this matter, the Commissioner considered all of the relevant submissions, or parts of submissions, made to him by both the Applicant and Police Scotland. He is satisfied that no matter of relevance has been overlooked.
12. Section 1(1) of FOISA provides that a person who requests information from a Scottish public authority which holds it is entitled to be given the information by the authority, subject to qualifications which, by virtue of section 1(6) of FOISA, allow Scottish public authorities to withhold information or charge a fee for it. The qualifications contained in section 1(6) are not applicable in this case.
13. The information to be given is that held by the authority at the time the request is received. as defined in section 1(4). This is not necessarily to be equated with information an applicant believes the authority should hold. If no such information is held by the authority, section 17(1) of FOISA requires it to give the applicant a notice in writing to that effect.
The Applicant’s submissions
14. In his submission, the Applicant considered the stance of Police Scotland, from which he understood it followed that Police Scotland would not set up any Data Protection documentation such as an ISA or APD unless the Chief Constable was to attend in person to be patently absurd. The Applicant referred to ISA documents that he was aware Police Scotland had in place between themselves and the Crown Office and Procurator Fiscal Service (COPFS) and the Scottish Children’s Reporter Administration, covering the sharing of criminal offence data. Therefore, the Applicant considered Police Scotland’s argument to be meaningless, submitting that Data Controller organisations would be expected to record when criminal offence data was shared at a multi-agency meeting such as a MARAC.
15. The Applicant explained that MARAC meetings were well-established regular meetings in Scotland, having been set up by the charity SafeLives with funding from the Scottish Government’s MARAC Development Programme. The Applicant submitted that from information in the public domain, these appeared to be monthly meetings, with FOISA requests in the public domain identifying that senior staff from Scottish local authorities attend. In the Applicant’s view, these meetings should be covered by ISAs and/or APDs, recording the Data Controller organisations who participated and share sensitive personal data.
16. The Applicant also commented on a link provided by Police Scotland, which enabled him to access a specific Privacy Notice. The Applicant stated that this Privacy Notice was of no relevance as the document dated from October 2020 (after Police Scotland moved to Public Task as their lawful basis for data sharing with third sector and advocacy services in June 2020) and did not relate to the time information was being shared at one of the specific MARAC meetings covered by his request.
17. The Applicant asserted that he should, instead, have been provided with the DPIA that confirmed compliance with the General Data Protection Regulation in relation to multi-agency working and the recording of such information on the iVPD (as well as the Privacy Notice for the relevant time period, developed following release of the DPIA).
Police Scotland’s submissions
18. Police Scotland explained that, under MARAC procedures, they and partner agencies share information in a multi-agency conference setting.
19. Police Scotland interpreted the Applicant’s request as implying that there would be a specific record for each MARAC meeting, which set out who the various Data Controllers were. However, they stated that there was no form which is completed at every MARAC meeting to define the Data Controllers for any data shared.
20. Police Scotland submitted that in the context of a MARAC with, say, Aberdeen City Council, the Data Controllers would be the Chief Constable and Aberdeen City Council itself – but that detail would not specifically be recorded in the context of the meeting.
21. The recording system in use is, Police Scotland advised, the iVPD. While this would perhaps record that information had been received from a specific public authority, it would not set out who the Data Controller for that information was.
22. Police Scotland explained that the Chief Constable was the Data Controller for all personal information they held, and this was referred to in various high-level documentation. Similarly, with other agencies, the Data Controllers would be referred to as and when appropriate, but they would not routinely record details of the Data Controllers in every instance of information sharing: there was no need for them to do so.
23. In response to specific concerns raised by the Applicant around the relevance of the Privacy Notice Police Scotland provided him with a link to, and his view that he should have been provided with a DPIA which confirmed GDPR compliance with multi-agency working, Police Scotland explained that the Applicant had not requested a DPIA or any information regarding the lawfulness or otherwise of processing under MARAC procedures.
24. Police Scotland noted that the Applicant had made many information requests – including for DPIA’s – in the past, so they were quite sure that had this been the intended scope of his request he would have specifically asked for the DPIA.
25. With regard to the provision of the link to the Privacy Notice, Police Scotland commented that this had been provided for assistance only, given that it did not specifically relate to MARAC. On that basis, they did not check for an earlier version, but regardless, given that the Applicant’s request was for the Data Controllers, such information would not have changed over time.
26. In response to the Applicant’s contention that Police Scotland should have been able to extract the requested information from Data Protection compliance documents, Police Scotland stated that, in the absence of a DPIA, the only document they hold which could be described as a data protection compliance document in relation to the MARAC process was the Privacy Notice the Applicant was provided with a link to.
27. The standard of proof to determine whether a Scottish public authority holds information is the civil standard of the balance of probabilities. In determining where the balance lies, the Commissioner must first of all consider the interpretation and scope of the request and thereafter the quality, thoroughness and results of the searches carried out by the public authority. He also considers, where appropriate, any reason offered by the public authority to explain why it does not hold the information. Ultimately, however, the Commissioner’s role is to determine what relevant information is actually held by the public authority (or was, at the time it received the request).
28. Having considered all of the relevant submissions from both the Applicant and Police Scotland, together with the wording of the information request under consideration, the Commissioner accepts that Police Scotland’s interpreted the scope of the request reasonably and took adequate, proportionate steps in the circumstances to establish what information they held.
29. Given the explanations and other submissions provided, the Commissioner is satisfied that Police Scotland do not (and did not, on receiving the request) hold the information requested by the Applicant and were correct to give the Applicant a notice, in terms of section 17(1) of FOISA that they held no such information. Although the Applicant believed specified information would exist and be recorded in a particular way, the Commissioner is satisfied that this was not the case.
The Commissioner finds that the Chief Constable of the Police Service of Scotland complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant.
Should either the Applicant or Police Scotland wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.
Scottish Information Commissioner
7 March 2022
Appendix 1: Relevant statutory provisions
Freedom of Information (Scotland) Act 2002
1 General entitlement
(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.
(4) The information to be given by the authority is that held by it at the time the request is received, except that, subject to subsection (5), any amendment or deletion which would have been made, regardless of the receipt of the request, between that time and the time it gives the information may be made before the information is given.
17 Notice that information is not held
(a) a Scottish public authority receives a request which would require it either-
(i) to comply with section 1(1); or
(ii) to determine any question arising by virtue of paragraph (a) or (b) of section 2(1),
if it held the information to which the request relates; but
(b) the authority does not hold that information,
it must, within the time allowed by or by virtue of section 10 for complying with the request, give the applicant notice in writing that it does not hold it.