Decision 035/2023: Private Water Supply
Public authority: Scottish Borders Council
Case Ref: 202100802
The Authority was asked for correspondence between it and tenants of three properties in relation to a private water supply. The investigation focussed on two documents which had been disclosed, redacted, to the Applicant. The Authority argued that the redactions were personal data which could not be disclosed and, in any event, did not fall within the scope of the request. The Commissioner accepted that most of the personal data fell outwith the scope of the request, but considered a small amount of data did fall within scope and could be disclosed.
Relevant statutory provisions
The Environmental Information (Scotland) Regulations 2004 (the EIRs) regulations 2(1) (definitions of “the data protection principles”, “data subject”, paragraphs (a),(b) and (f) of definition of “environmental information” “personal data” and “the UK GDPR” and (3A)(a) (Interpretation); 5(1) and (2)(b) (Duty to make environmental information available on request); 10(3) (Exceptions from duty to make environmental information available); 11(2), (3A)(a) and (7) (Personal data)
United Kingdom General Data Protection Regulation (the UK GDPR) Articles 5(1)(a) (Principles relating to processing of personal data); 6(1)(f) (Lawfulness of processing); 21(1) (Right to object)
Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5), (10) and (14)(a), (c) and (d) (Terms relating to the processing of personal data)
The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.
1. On 1 March 2021, the Applicant made a request for information to the Authority in relation to ongoing investigations regarding the contamination of a private water supply. He asked for all “historic” (1 January 2000 to the date of his request):
- written communications between the Authority and the Wemyss & March Estate and its factor concerning the private water supply at three specific addresses in Peebles
- test results taken by the Authority pertaining to the three properties and
- written correspondence between the Authority and the previous/current tenants of the three properties.
2. On 22 March 2021, the Authority notified the Applicant that, given that it considered the request to be voluminous and complex, it was extending the time for responding under regulation 7 of the EIRs.
3. On 20 May 2021, the Applicant wrote to the Authority as he was yet to receive a response from the Authority. He asked the Authority to review its failure to respond.
4. The Authority notified the Applicant of the outcome of its review 3 June 2021. It apologised for the delay in responding.
5. On 1 July 2021, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of the Freedom of Information (Scotland) Act 2002 (FOISA). By virtue of regulation 17 of the EIRs, Part 4 of FOISA applies to the enforcement of the EIRs as it applies to the enforcement of FOISA, subject to specified modifications.
6. The Applicant was dissatisfied with the redactions made to two specific files, i.e.:
- Supply Ref: 14/00054/Spring IVA Ref: 14/02379/PWATER and
- Supply Ref: 14/00054/Spring IVA Ref: 16/04401/PWATTA
7. The Commissioner’s investigation therefore focussed on these two files (although described as “files”, each is less than one page long). The files record contact between the Authority and the tenant of one of the properties.
8. The application was accepted as valid. The Commissioner confirmed that the Applicant made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.
9. The Authority was notified in writing that the Applicant had made a valid application. The Authority was asked to send the Commissioner the two files. The Authority provided the files and the case was allocated to an investigating officer.
10. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Authority was invited to comment on this application and to answer specific questions.
Commissioner’s analysis and findings
11. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both the Applicant and the Authority. He is satisfied that no matter of relevance has been overlooked.
Handling in terms of the EIRs
12. Where information falls within the definition of “environmental information” in regulation 2(1) of the EIRs, a person has a right to access it (and the public authority a corresponding obligation to respond) under the EIRs.
13. As noted above, the Applicant sought correspondence about a private water supply. The Commissioner is satisfied that the information is environmental information for the purposes of regulation 2(1) of the EIRs (in particular, definitions (a), (b) and (f) – see Appendix 1). Neither party disagrees with this approach, and the Commissioner will consider the Authority’s handling of the request solely in terms of the EIRs.
Interpretation of the request
14. The Authority initially advised the Applicant that all of the information which had been redacted from the two files was third party personal data which was excepted from disclosure. However, during the investigation, it stated that, although the information was excepted from disclosure, it did not actually fall within the scope of the request because it did not relate to the historical contamination of the water supply and because it related to a separate matter and not to the water supply itself.
15. During the investigation, the Authority confirmed that it had wrongly withheld information some information, which is was now willing to disclose, i.e.:
- the name (occasionally appearing as initials) of two members of staff; as these were senior members of staff, the names should have been disclosed
- the details of the “Occupier (Source Name)” on each form.
16. The files most readily fall within the third tranche of the Applicant’s request, which was for historic (i.e. from 1 January 2000 to the date of request) written correspondence between the Authority and previous/current tenants of the three properties.
17. As noted above, the Authority argued that the information did not fall within the scope of the request as it did not relate to the historical contamination of the water supply.
18. The Commissioner notes that the Applicant used the word “historic” in his information request. However, in the Commissioner’s view, this was used to describe the age of the information the Applicant wanted (the request read: “copies of the historic (01/01/2000 -1/03/2021) written correspondence…”) rather than “historical” as, for example, issues with the water supply which may subsequently have been resolved.
19. The Authority also argued that the information did not fall within the scope of the Applicant’s request as it related to a separate matter and not to the water supply itself.
20. While, for obvious reasons, the Commissioner is limited as to what he can say about the contents of the information, despite the subject matter of both of the files (already disclosed to the Applicant) being “Water Supply,” most of the information which the Authority redacted is about a separate matter. However, the Commissioner is satisfied that there is a small amount of information sufficiently closely related to the private water supply to allow it to fall within the scope of the request.
Regulation 11(2) - Personal data
21. Having concluded that some the information redacted from the files falls within the scope of the request, the Commissioner will go on to consider whether that information is excepted from disclosure.
22. Regulation 10(3) of the EIRs makes it clear that a Scottish public authority can only make personal data in environmental information available in accordance with regulation 11.
23. The Authority argued the personal data was excepted from disclosure under two separate provisions in regulation 11:
(i) regulation 11(2), read in conjunction with regulation 11(3A)(a), which provides that (third party) personal data shall not be made available where its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR or (where relevant) in the DPA 2018; and
(ii) regulation 11(2), read in conjunction with regulation 11(3B), which provides that (third party) personal data shall not be made available where disclosure would contravene Article 21 of the UK GDPR.
Is the withheld information personal data?
24. The first question the Commissioner must address is whether the withheld information is personal data for the purposes of section 3(2) of the DPA 2018, i.e. any information relating to an identified or identifiable living individual. "Identifiable living individual" is defined in section 3(3) of the DPA 2018 - see Appendix 1.
25. Information that could identify individuals will only be personal data if it relates to those individuals. Information will "relate to" a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them or has them as its main focus.
26. Given the extent of the redactions, the Applicant was concerned that the Authority had withheld information which was not personal data. However, the Commissioner is satisfied that all the information which falls within scope and which has been redacted (i.e. excluding the information referred to in paragraph 15) is personal data, either of the tenant (the third party) or of an Authority employee (a junior member of staff who has since left the Authority). In both cases, the information relates to identified (or identifiable) individuals. He is therefore satisfied that the information is personal data as defined in section 3(2) of the DPA 2018.
Would disclosure contravene Article 21 of the UK GDPR?
27. As noted above, the Authority argued that disclosing the personal data would contravene Article 21 of the UK GDPR. Article 21 gives data subjects the right to object to the processing of their personal data concerning him or her. Where a data subject has exercised their rights under Article 21, the controller (here, the Authority) can no longer process the data unless there are compelling grounds for doing so which override the interests, rights and freedoms of the data subject.
28. If a data subject has exercised their rights under Article 21, their personal data will be exempt from disclosure under the EIRs, unless the public interest favours disclosure.
29. However, there is nothing in the submissions from the Authority to suggest that the data subjects have in fact exercised their rights under Article 21 here and it may be that the Authority has misunderstood the effect of regulation 11(2)(3B). In the absence of any evidence as to disclosure contravening Article 11(2), the Commissioner will not consider this point further.
Would disclosure contravene one of the data protection principles?
30. The Authority submitted that disclosure of all of the withheld data would breach Article 5(1)(a) of the UK GDPR, which requires personal data to be processed “lawfully, fairly and in a transparent manner in relation to the data subject”. The definition of “processing” is wide and includes “disclosure by transmission, dissemination or otherwise making available” (section 3(4)(d) of the DPA 2018).
31. In the case of the EIRs, personal data are processed when disclosed in response to a request. Personal data can only be disclosed if disclosure would be both lawful (i.e. if it would meet one of the conditions of lawful processing listed in Article 6(1) of the UK GDPR) and fair.
32. The Commissioner will first consider whether any of the conditions in Article 6(1) can be met. Generally, when considering whether personal data can lawfully be disclosed under FOISA, only condition (f) (legitimate interests) is likely to be relevant.
Condition (f): legitimate interests
33. Condition (f) states that processing will be lawful if it “…is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data …”
34. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, regulation 11(7) of the EIRs (see Appendix 1) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.
35. The tests which must be met before Article 6(1)(f) can be met are as follows:
- Does the Applicant have a legitimate interest in obtaining the personal data?
- If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?
- Even if the processing would be necessary to achieve the legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subjects?
Does the Applicant have a legitimate interest in obtaining the personal data?
36. In the Authority’s view, the Applicant does not have a legitimate interest in obtaining the information. While it accepts that the Applicant does have a legitimate interest in information relevant to the private water supply, it argues that the redacted information concerns a separate matter and does not relate to the water supply itself.
37. The Applicant’s property is served by the same private water supply as that serving the tenant (third party) in question. The Commissioner understands that his interest in the information relates to ongoing investigations regarding the possible contamination of the water supply. In the circumstances, the Commissioner is satisfied that the Applicant has a legitimate interest in information which relates to the private water supply.
38. He does not accept, however, that the Applicant has a legitimate interest in the disclosure of the following information:
(i) information which focusses solely on the separate matter, particularly where those relate to a different location;
(ii) the third party’s contact details (including email address and telephone numbers)
(iii) the name of the junior member of staff. The name of that member of staff is connected to information which focusses on the separate matter at a different location.
39. In the absence of a legitimate interest in that information, the Commissioner must find that disclosure would contravene the data protection principles and that disclosure would be contrary to regulation 11(2) of the EIRs.
40. In reality, this leaves a very small amount of information left to be considered.
Is disclosure of the personal data necessary?
41. Having accepted that the Applicant has a legitimate interest in some of the personal data, the Commissioner must consider whether disclosure of that personal data is necessary to meet that legitimate interest.
42. "Necessary" means "reasonably" rather than "absolutely" or "strictly" necessary. When considering whether disclosure would be necessary, public authorities must consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the requester's legitimate interests can be met by means which interfere less with the privacy of the data subject.
43. In the circumstances, the Commissioner accepts that disclosure of the withheld information would be necessary in order to satisfy the legitimate interests identified. He can identify no other way of meeting the Applicant’s legitimate interests.
Interests of the data subjects
44. The Commissioner has acknowledged that disclosure of the information in question would be necessary to achieve the Applicant’s legitimate interests. This must be balanced against the interests or fundamental rights and freedoms of the third party. Only if the legitimate interests of the Applicant outweigh those of the data subjects could personal data be disclosed without breaching the first data protection principle.
45. As noted above, there is very little information still left to be considered by the Commissioner. The information is factual and, in the circumstances, the Commissioner is satisfied that the third party would reasonably expect that the information would be disclosed. There is nothing to suggest, for example, that disclosure would cause harm or distress.
46. After carefully balancing the legitimate interests of the Applicant against the interests or fundamental rights and freedoms of the third party, the Commissioner finds that the legitimate interests of the Applicant are not overridden by the interests or fundamental rights and freedoms of the third party.
47. For the same reasons, the Commissioner is satisfied that disclosure would be fair.
48. In the circumstances, therefore, the Commissioner is satisfied that the first condition in set out in paragraph (3A) of regulation 11(2) of the EIRs can be satisfied and that disclosing the information would be in accordance with regulation 11 of the EIRs.
49. The Commissioner will provide the Authority with a marked up copy of the files showing which information falls to be disclosed to the Applicant.
The Commissioner finds that the Authority partly complied with the Environmental Information (Scotland) Regulations 2004 (the EIRs) in responding to the Applicant’s request.
He finds that regulation 11(2) of the EIRs did not prohibit the Authority from making some of the information available. Failure to disclose the information in question breached regulation 5(1) of the EIRs.
He therefore requires the Authority to disclose the information in question to the Applicant by 9 June 2023.
Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.
If the Authority fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that it has failed to comply. The Court has the right to inquire into the matter and may deal with the Authority as if it had committed a contempt of court.
Scottish Information Commissioner
25 April 2023
Appendix 1: Relevant statutory provisions
The Environmental Information (Scotland) Regulations 2004
(1) In these Regulations –
“the data protection principles” means the principles set out in –
(a) Article 5(1) of the UK GDPR, and
(b) section 34(1) of the Data Protection Act 2018;
“data subject” has the same meaning as in the Data Protection Act 2018 (see section of that Act):
"environmental information" has the same meaning as in Article 2(1) of the Directive, namely any information in written, visual, aural, electronic or any other material form on -
(a) the state of the elements of the environment, such as air and atmosphere, water, soil, land, landscape and natural sites including wetlands, coastal and marine areas, biological diversity and its components, including genetically modified organisms, and the interaction among these elements;
(b) factors, such as substances, energy, noise, radiation or waste, including radioactive waste, emissions, discharges and other releases into the environment, affecting or likely to affect the elements of the environment referred in paragraphs (a);
(f) the state of human health and safety, including the contamination of the food chain, where relevant, conditions of human life, cultural sites and built structures inasmuch as they are or may be affected by the state of the elements of the environment referred to in paragraph (a) or, through those elements, by any of the matters referred to in paragraphs (b) and (c);
“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act);
“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act); and
(3A) In these Regulations, references to the UK GDPR and the Data Protection Act 2018 have effect as if in Article 2 of the UK GDPR and Chapter 3 of Part 2 of that Act (exemptions for manual unstructured processing and for national security and defence purposes) -
(a) the references to an FOI public authority were references to a Scottish public authority as defined in these Regulations, and
5 Duty to make available environmental information on request
(1) Subject to paragraph (2), a Scottish public authority that holds environmental information shall make it available when requested to do so by any applicant.
(2) The duty under paragraph (1)-
(b) is subject to regulations 6 to 12.
10 Exceptions from duty to make environmental information available
(3) Where the environmental information requested includes personal data, the authority shall not make those personal data available otherwise than in accordance with regulation 11.
11 Personal data
(2) To the extent that environmental information requested includes personal data of which the applicant is not the data subject, a Scottish public authority must not make the personal data available if -
(a) the first condition set out in paragraph (3A) is satisfied, or
(b) the second or third condition set out in paragraph (3B) or (4A) is satisfied and, in all the circumstances of the case, the public interest in making the information available is outweighed by that in not doing so.
(3A) The first condition is that the disclosure of the information to a member of the public otherwise than under these Regulations –
(a) would contravene any of the data protection principles, or
(3B) The second condition is that the disclosure of the information to a member of the public otherwise than under these Regulations would contravene Article 21 of the UK GDPR (general processing: right to object to processing).
(7) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.
UK General Data Protection Regulation
Article 5 Principles relating to processing of personal data
1 Personal data shall be:
a. processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”)
Article 6 Lawfulness of processing
1 Processing shall be lawful only if and to the extent that at least one of the following applies:
f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.
Article 21 Right to object
1 The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on points (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall not longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Data Protection Act 2018
3 Terms relating to the processing of personal data
(2) “Personal data” means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).
(3) “Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to –
(a) an identifier such as a name, an identification number, location data or an online identifier, or
(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
(4) “Processing”, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as –
(d) disclosure by transmission, dissemination or otherwise making available,
(5) “Data subject” means the identified or identifiable living individual to whom the data relates.
(10) “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Authority of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).
(14) In Parts 5 to 7, except where otherwise provided –
(a) references to the UK GDPR are to the UK GDPR read with Part 2;
(c) references to personal data, and the processing of personal data, are to personal data and processing to which Part 2, Part 3 or Part 4 applies;
(d) references to a controller or processor are to a controller or processor in relation to the processing of personal data to which Part 2, Part 3 or Part 4 applies.