Home Decisions

Decision 033/2022

Decision 033/2022: Names of officers on review panel

Public authority: Aberdeen City Council
Case Ref: 202101046

Summary

The Applicant asked the Council for the names of the Council officers who made up the Review Panel which upheld the decision to refuse an earlier information request he had made to the Council.  The Council refused to disclose the names of the officers.  The Commissioner investigated and agreed that the names were exempt from disclosure.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2A), (5) (definitions of “data protection principles”, “data subject”,” personal data”, “processing” and “UK GDPR”) and (5A) (Personal information)

United Kingdom General Data Protection Regulation (the UK GDPR) articles 4(1) (definition of "personal data"); 5(1)(a) (Principles relating to processing of personal data); 6(1)(f) (Lawfulness of processing)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (10) and (14) (Terms relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 8 June 2021, the Applicant made a request for information to Aberdeen City Council (the Council).  He referred to an information request he had made which had been considered by a Review Panel and asked, amongst other matters, which officers were on the Panel.

2. The Council responded on 5 July 2021.  It explained that the Panel had been made up of two officers who came from different services from that which provided the original response.  It withheld the names of the Panel members under section 38(1)(b) (third party personal data).

3. Later that day, the Applicant wrote to the Council requesting a review of its decision.  He did not consider the names should be kept secret.

4. The Council notified the Applicant of the outcome of its review on 2 August 2021.  It upheld its previous response.  The Council advised the Applicant that the Panel members were not senior officers who would expect this information to be released into the public domain.  The Panel members were selected at random from a bank of officers within the Council to consider the response provided.  Officers who take part in Review Panels have experience of FOI legislation through their day-to-day roles.

5. On 24 August 2021, the Commissioner received a letter from the Applicant applying for a decision in terms of section 47(1) of FOISA as he wished to know the name of the officials who had made the decision as part of the Review Panel.  The Applicant stated he was dissatisfied with the outcome of the Council’s review. He considered the names of the officers involved should be known given the magnitude of the decision being taken.   

Investigation

6. The application was accepted as valid.  The Commissioner confirmed that the Applicant made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

7. On 6 October 2021, the Council was notified in writing that the Applicant had made a valid application. 

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application.  The Council was invited to comment on this application and to answer specific questions.  These related to its decision to withhold the requested information under section 38(1)(b) of FOISA.  

9. The Council provided its submissions, and responded to further questions raised by the investigating officer.

10. The Applicant was asked for, and provided, his comments as to his legitimate interests in the withheld information. 

Commissioner’s analysis and findings

11. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both the Applicant and the Council.  He is satisfied that no matter of relevance has been overlooked.

Section 38(1)(b): Personal information 

12. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is “personal data“ (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR. 

13. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption.  This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA. 

Is the information personal data?

14. The first question the Commissioner must address is whether the information withheld by the Council under this exemption is personal data for the purposes of section 3(2) of the DPA 2018, i.e. any information relating to an identified or identifiable living individual.  “Identifiable living individual” is defined section 3(3) of the DPA 2018 – see Appendix 1.  (This definition reflects the definition of personal data in Article 4(1) of the UK GDPR.)

15. Information will "relate to" a person if it is about them, is linked to them, has biographical significance for them, is used to inform decisions affecting them, or has them as its main focus.

16. The Commissioner is satisfied that the information being withheld under section 38(1)(b) is personal data: the information identifies living individuals (the Council provided the Commissioner with the names of the two individuals and their role within the Council) and clearly relates to those individuals.

Would disclosure contravene one of the data protection principles?

17. The Council argued that disclosure would breach the data protection principle in Article 5(1)(a) of the UK GDPR.  Article 5(1) states that personal data shall be processed “lawfully, fairly and in a transparent manner in relation to the data subject.”

18. "Processing" of personal data is defined in section 3(4) of the DPA 2018.  It includes (section 3(4)(d)) disclosure by transmission, dissemination or otherwise making available personal data.  The definition therefore covers disclosing information into the public domain in response to a FOISA request.

19. The Commissioner must consider whether disclosure of the personal data would be lawful.  In considering lawfulness, he must consider whether any of the conditions in Article 6 of the UK GDPR would allow the data to be disclosed.

20. The Commissioner considers that condition (f) in Article 6(1) is the only condition which could potentially apply in the circumstances of this case.

Condition (f): legitimate interests

21. Condition (f) states that processing shall be lawful if it - 
is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

22. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, section 38(5A) of FOISA makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.

23. The three tests which must be met before Article 6(1)(f) are as follows (see paragraph 18 of South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55  - although this case was decided before the GDPR (and UK GDPR) came into effect, the relevant tests are almost identical):

 •  does the Applicant have a legitimate interest in the personal data?

 •  if so, would the disclosure of the personal data be necessary to achieve that legitimate interest?

 •  even if the processing would be necessary to achieve the legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subjects which require protection of personal data (in particular where the data subject is a child)?

Does the Applicant have a legitimate interest?

24. The Applicant considered that there was a legitimate interest in the disclosure of the names, commenting that the aim of FOI is to enact good governance and openness.  He noted that other reports published by the Council contained the author’s name and contact details.

25. He noted that local government is funded by the public and questioned why the public should not know the names of the Panel members in order to provide confidence that openness and clarity of matters are at the heart of the operation of Council good practice.

26. The Council accepted that the Applicant has a legitimate interest in the personal data in question, specifically in knowing that the Panel Members are impartial and do not report to the same Service which provided the initial response.

27. The Commissioner agrees that, in the circumstances, the Applicant has a legitimate interest in the personal data.  He also considers that the there is a wider interest in understanding the processes of the Council, particularly around FOI.

Is disclosure necessary to achieve that legitimate interest?

28. Here, “necessary” means “reasonably” rather than absolutely or strictly necessary.  The Commissioner must therefore consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the Applicant’s legitimate interests can be met by means which interfere less with the privacy of the data subjects (the two panel members).

29. The Commissioner notes that, if the information the Applicant has requested is disclosed in response to a FOISA request, it is, in effect, disclosed into the public domain.  

30. The Commissioner notes the Applicant’s reasons for considering the names should be disclosed and accepts that the Applicant has a legitimate interest in understanding that the review was conducted fairly and impartially.  However, the Applicant has not provided any argument as to why he considers that it is necessary for him to know the actual names of the individuals concerned in order for him to achieve this legitimate interest: there are legal processes available to the Applicant to allow him to challenge either how the review was conducted or the outcome of the review, by appealing the matter to the Commissioner.

31. The Commissioner notes that the information which was the subject of the Applicant’s earlier request (i.e. the one considered by the Panel members) was disclosed by the Council following an application made to the Commissioner (see Decision 020/2022 Aberdeen City Council).  The Commissioner also notes that the Council had provided the Applicant with guidance on how to submit an appeal to the Commissioner, which he did so.

32. The Applicant clearly believes that he needs the names of the individuals concerned to ensure that the review process was fair and impartial.  In the circumstances of this case, however, the Commissioner considers it is possible to pursue any concerns about the fairness and impartially of the review without the Applicant knowing the identity of the individuals concerned.  

33. The Commissioner also concludes from the review conducted by the Council and the appeal to his office, that there was nothing to raise any question about the fairness and impartially of the Council’s review.  

34. The Commissioner is therefore satisfied that, although the Applicant has a legitimate interest in the personal data, disclosure is not necessary to achieve that legitimate interest.  

35. In the absence of a condition in Article 6 of the UK GDPR which would allow the names of the officers to be disclosed lawfully, disclosure would breach Article 5 of the UK GDPR.  The names are, therefore, exempt from disclosure under section 38(1)(b) of FOISA  

Decision 

The Commissioner finds that Aberdeen City Council complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by the Applicant.

Appeal

Should either the Applicant or the Council wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only.  Any such appeal must be made within 42 days after the date of intimation of this decision.

 

Daren Fitzhenry
Scottish Information Commissioner
14 March 2022

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

 

2 Effect of exemptions 

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that – 

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption – 

(e) in subsection (1) of section 38 – 

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

38 Personal information 

(1) Information is exempt information if it constitutes-

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in – 

(a) Article 5(1) of the UK GDPR, and

(b) section 34(1) of the Data Protection Act 2018; 

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act);
“the UK GDPR has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the UK GDPR would be contravened by the disclosure of information, Article 6
(1) of the UK GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.


UK General Data Protection Regulation

4 Definitions

For the purpose of this Regulation:

(1) ‘Personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the
physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

 

5 Principles relating to processing of personal data 

(1) Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”)
        

6 Lawfulness of processing 

(1) Processing shall be lawful only if and to the extent that at least one of the following applies:
        …
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

 

Data Protection Act 2018

3 Terms relating to the processing of personal data 
    

(2) “Personal data” means any information relating to an identified or identifiable livingindividual (subject to subsection (14)(c)).

(3) “Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to – 
    
(a) an identifier such as a name, an identification number, location data or an online identifier, or
        
(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

(4) “Processing”, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as – 
        

        
(d) disclosure by transmission, dissemination or otherwise making available.
        

(10) "The UK GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).

(14) In Parts 5 to 7, except where otherwise provided -

(a) references to the UK GDPR are to the UK GDPR read with Part 2;

(c) references to personal data, and the processing of personal data, are to personal data and processing to which Part 2, Part 3 or Part 4 applies;

(d) references to a controller or processor are to a controller or processor in relation to the processing of personal data to which Part 2, Part 3 or Part 4 applies.

    …