Home Decisions

Decision 048/2023

Decision 048/2023: Monies paid to Chair of Edinburgh Trams Inquiry

Authority: Transport Scotland
Case Ref: 202200112


Summary

The Applicant asked the Authority for details of the monies that had been paid to the Chair of Edinburgh Trams Inquiry.  The Authority withheld the information on the basis that it considered disclosure would breach the data protection principles.  The Commissioner found that the Authority had wrongly withheld the information, and required it to be disclosed.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2A), (5) (definitions of “the data protection principles”, “data subject”, “personal data” and “processing”, “the UK GDPR”) and (5A) (Personal information); 47(1) and (2) (Application for decision by Commissioner)

United Kingdom General Data Protection Regulation (the UK GDPR) article 5(1)(a) (Principles relating to processing of personal data)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5), (10), (14)(a), (c) and (d) (Terms relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision.  The Appendix forms part of this decision.

Background

1. On 19 August 2021, the Applicant made a request for information to the Authority.  Amongst other matters, he asked what monies had been paid to the Chair of the Edinburgh Trams Inquiry.

2. The Authority responded on 24 August 2021.  It withheld the information requested under section 38(1)(b) of FOISA, on the basis that it was personal data and disclosure would breach data protection principles

3. On 3 September 2021, the Applicant wrote to the Authority requesting a review of its decision.  He was dissatisfied with the decision to withhold the requested information, as he noted that the monies were paid from public funds and that, as the Chair was a public servant, their salary should be published.

4. The Authority notified the Applicant of the outcome of its review on 10 November 2021.  It explained in detail why it considered the requested information was personal data of an identifiable living individual, and why it accepted that the Applicant had a legitimate interest in the personal data and that disclosure was necessary to meet that legitimate interest.  It advised that the data subject had objected to their personal data being disclosed, which had been taken in to account (together with other reasoning) in reaching a finding that the data subject’s interests or fundamental rights and freedoms overrode the Applicant’s legitimate interests in obtaining the information, and so the requested information was withheld under section 38(1)(b) of FOISA.

5. On 26 January 2022, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA.  The Applicant stated he was dissatisfied with the outcome of the Authority’s review, submitting that the Chair and other fellow judges accepted their office on the basis that they and all public servants were aware that their salaries were public and open to scrutiny, because they were paid from public funds.  As the Inquiry report had yet to be published, the Applicant argued that the data subject’s objection should carry less weight.

Investigation

6. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation. 

7. On 3 April 2022, the Authority was notified in writing that the Applicant had made a valid application.  The Authority was asked to send the Commissioner the information withheld from the Applicant.  The Authority provided the information and the case was allocated to an investigating officer. 

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application.  The Authority was invited to comment on this application and to answer specific questions.  These related to its reasoning for withholding the requested information.

9. The Authority was asked for and provided further submissions during the investigation, as to the data subject’s concerns with disclosure of the monies paid.

Commissioner’s analysis and findings

10. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority.  

Section 38(1)(b) – Personal information

11. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is “personal data“ (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR. 

12. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption.  This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA. 

Is the withheld information personal data?

13. The first question the Commissioner must address is whether the information withheld by the Authority under this exemption is personal data for the purposes of section 3(2) of the DPA 2018, i.e. any information relating to an identified or identifiable living individual.  “Identifiable living individual” is defined section 3(3) of the DPA 2018 – see Appendix 1.  (This definition reflects the definition of personal data in Article 4(1) of the UK GDPR.)

14. Information will "relate to" a person if it is about them, is linked to them, has biographical significance for them, is used to inform decisions affecting them, or has them as its main focus.

15. In his request for review, the Applicant disputed that the monies paid to the Chair was their personal data.  In response, the Authority explained that, as the request was for payments made to the named person, an individual was identifiable.  The individual in question was alive and the information requested clearly related to that person, and so constituted personal data.

16. The Commissioner concurs with the explanation provided by the Authority, and is satisfied that the information being withheld under section 38(1)(b) is personal data: the information identifies a living individual (the Applicant named the individual in his request, and the monies were paid to that individual) and clearly relates to that individual.

Would disclosure contravene one of the data protection principles?

17. The Authority argued that disclosure would breach the data protection principle in Article 5(1)(a) of the UK GDPR.  Article 5(1)(a) states that personal data shall be processed “lawfully, fairly and in a transparent manner in relation to the data subject.”

18. "Processing" of personal data is defined in section 3(4) of the DPA 2018.  It includes (section 3(4)(d)) disclosure by transmission, dissemination or otherwise making available personal data.  The definition therefore covers disclosing information into the public domain in response to a FOISA request.

19. The Commissioner must consider whether disclosure of the personal data would be lawful.  In considering lawfulness, he must consider whether any of the conditions in Article 6 of the UK GDPR would allow the data to be disclosed.

20. The Commissioner considers that condition (f) in Article 6(1) is the only condition which could potentially apply in the circumstances of this case.

Condition (f): legitimate interests

21. Condition (f) states that processing shall be lawful if it – 

is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

22. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, section 38(5A) of FOISA makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.

23. The three tests which must be met before Article 6(1)(f) are as follows (see paragraph 18 of South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55  - although this case was decided before the GDPR (and UK GDPR) came into effect, the relevant tests are almost identical):

(i) Does the Applicant have a legitimate interest in obtaining the personal data?

(ii) If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?

(iii) Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subject?

Does the Applicant have a legitimate interest in obtaining the personal data?

24. The Applicant considered he had a legitimate interest in the disclosure of the monies paid, as this was public money, and he submitted that there was an absolute duty to be transparent to allow the taxpayer, often through the lens of the media, to know how public funds were being spent and to allow an assessment on the value provided.  He noted that the evidence gathering had completed in 2017, and that no-one would face criminal charges or be held to account questioning how the production of a report could take so long.   He also noted that the named individual had not won a tender against other judges; they were simply given the appointment and there could be no question of commercial confidentiality.  He noted that the named individual was a public servant and their judicial salary, like that of other public servants, had been published.

25. The Authority accepted that the Applicant had a legitimate interest in the personal data in question, which related to the costs of the Edinburgh Tram Inquiry and more generally to the appropriate use of public funds.  The Authority also acknowledged that there was a legitimate interest in transparency, particularly in relation to senior public servants.

26. The Commissioner is satisfied that the Applicant has a legitimate interest in the personal data, for the reasons acknowledged by the Authority and, in particular, bearing in mind the duration of the Inquiry.  These are matters of considerable public interest.  

Would disclosure of the personal data be necessary?

27. Having accepted that the Applicant has a legitimate interest in the personal data, the Commissioner must consider whether disclosure of the personal data would be necessary to meet the Applicant's legitimate interests.

28. Here, “necessary” means “reasonably” rather than absolutely or strictly necessary.  The Commissioner must therefore consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the Applicant’s legitimate interests can be met by means which interfere less with the privacy of the named individual.

29. The Authority accepted that disclosure was necessary, as there was no other way to satisfy the Applicant’s legitimate interest in monies paid to the named individual while interfering less with the interests or fundamental rights and freedoms of the data subject.  The Authority was satisfied that disclosure of the overall staffing costs (information it had provided to the Applicant) went some way towards meeting the legitimate interest in considering the cost of the Edinburgh Tram Inquiry and allowed for scrutiny of the appropriate use of public funds.  However, this would not provide the Applicant with the information he sought, and therefore the Authority concluded that disclosure of the personal data was necessary to achieve his legitimate interest.

30. The Commissioner accepts that disclosure of the personal data is necessary to achieve the Applicant's legitimate interests, as well as the wider legitimate interest in the use of public funds.  In line with the Authority’s comments, the Commissioner can identify no viable means of fully meeting the Applicant's legitimate interests which would interfere less with the privacy of the data subject than disclosing the withheld information.  In all the circumstances, therefore, the Commissioner is satisfied that disclosure of the information is necessary for the purposes of the Applicant's legitimate interests.

31. The Commissioner will now consider whether the Applicant’s legitimate interest in obtaining the withheld information outweighs the rights and freedoms of the data subject.

The data subject’s interests or fundamental rights and freedoms

32. The Commissioner must balance the legitimate interests in disclosure of the information, against the data subject's interests or fundamental rights and freedoms.  In doing so, it is necessary for him to consider the impact of such a disclosure.  For example, if a data subject would not reasonably expect that the information would be disclosed to the public under FOISA in response to the request, or if such disclosure would cause unjustified harm, their interests or rights are likely to override any legitimate interests in disclosure.  Only if the legitimate interests of the Applicant outweigh those of the data subject could the information, be disclosed without breaching the first data protection principle.

33. The Commissioner's guidance on section 38 of FOISA notes factors that should be taken into account in balancing the interests of parties.  He notes that Recital (47) of the General Data Protection Regulation states that much will depend on the reasonable expectations of the data subjects.  These are some of the factors public authorities should consider:

(i) Does the information relate to an individual's public life (their work as a public official or employee) or to their private life (their home, family, social life or finances)?

(ii) Has the individual has objected to the disclosure?

(iii) Would the disclosure cause harm or distress?

Does the information relate to public or private life?

34. The Authority considered the personal data related to the named individual’s public life, and specifically to their employment as the Chair of the Edinburgh Tram Inquiry.  It also noted that the individual had a high public profile.

35. The Commissioner acknowledges that the withheld information relates to the named individual’s public live, in that it identifies them as the Chair of the Trams Inquiry (and relates to the discharge of that role).  However, he also acknowledges that, by association, the information relates to the individual’s private life.

36. In the circumstances, the Commissioner concludes that the withheld information relates to both the private and public life of the data subject.

Has the individual has objected to the disclosure?

37. The Authority consulted the named individual and was provided with detailed and cogent reasoning why they objected to their personal data being disclosed.  The Commissioner cannot include all the specific comments made by the individual, but has taken all relevant ones into account.

38. It was noted that the monies to be paid for the role had been agreed at the start of the Inquiry, with no increments, and there was no indication that the payments would be published.  It was submitted that this was a different situation from that of judicial salaries and salaries of Ministers and elected representatives, for which the pay scales have been routinely published for some time.  It was submitted that, for the Chairs of the other Scottish public inquiries, disclosure was voluntary or did not include details of payments to the Chair.

Would disclosure cause harm or distress to the data subject?

39. The Commissioner has also considered the harm or distress that might be caused by disclosure of the information.  Disclosure, under FOISA, is a public disclosure.  He has taken this into account when reaching his decision. 

40. Within its review outcome, the Authority noted that reaching a decision involves a balancing exercise, to assess whether the interests or fundamental rights and freedoms of the data subject override the legitimate interest of the requester.  It noted that the Commissioner has observed that “disclosure will always involve some intrusion of privacy.  However, that intrusion will not always be unwarranted…”.  

41. The Authority submitted that the named individual had objected to disclosure, and that the Commissioner considers such an objection can be taken into account in determining whether the data subject’s interests or fundamental rights and freedoms override an applicant’s legitimate interests.

42. Detailed and specific submissions and comments were provided in relation to the issue of harm and distress. 

43. During the investigation, further comments were sought as to why disclosure of the information would lead to the harm envisaged.

44. The Authority did not consider it had a lawful basis to disclose the individual’s personal data, because the interests and fundamental rights and freedoms of the data subject outweighed the Applicant’s legitimate interests.  It made submissions and referred to comments (which, again, cannot be set out in full) in support of its position.

45. The Commissioner has considered in detail the Authority’s submissions and the comments and  reasoning provided against disclosure, but no clear argument has been made as to why the specific information being withheld (monies paid) would directly lead to the harm envisaged, or make it more likely  

46. The Commissioner considers the concerns identified could occur regardless of disclosure of the withheld information.  It is unclear how disclosure of the monies paid would directly lead to the claimed consequences, or increase the risk of them happening, especially given that the total staffing costs of the Trams Inquiry have been already been published..  It is not apparent that disclosure of a discrete element of these costs would alter that position.

47. The Commissioner has taken the submissions made and explanations provided seriously, and has reached his view only after thinking very carefully about the situation.

48. The specific circumstances and concerns raised are not to be dismissed lightly.  The Commissioner’s concern, however, is not with these matters themselves but with the risk of them coming about as a result of disclosure.  That is the link the Commissioner is not satisfied has been established satisfactorily.  

49. Having carefully balanced the legitimate interests of the Applicant against the interests or fundamental rights or freedoms of the data subject, the Commissioner finds that the legitimate interests served by disclosure of the personal data would not be outweighed by any unwarranted prejudice that would result to the rights and freedoms and legitimate interests of the data subject.

50. The Commissioner does not accept that either the consequences, or the distress, identified by the data subject would occur as a necessary consequence of disclosure of the withheld information, or that disclosure would make their occurrence more likely.  Therefore, he cannot accept that these concerns – or any other issues identified by the Authority or the data subject – are sufficient to override the legitimate interests of the Applicant. 

51. In the circumstances of this particular case, the Commissioner finds that condition (f) in Article 6(1) of the UK GDPR can be met in relation to the withheld personal data.

Fairness

52. The Commissioner must also consider whether disclosure would be fair.  He finds, for the same reasons as he finds that condition (f) in Article 6(1) can be met, that disclosure of the withheld information would be fair.

Conclusion on the data protection principles

53. In the absence of any reason for finding disclosure to be unlawful other than a breach of Article 5(1)(a) (and none has been put forward by the Authority), and given that the Commissioner is satisfied that condition (f) can be met, he must find that disclosure would be lawful in this case.  The Commissioner therefore finds that disclosure of the withheld information would not breach the first data protection principle, and so the Authority was not entitled to withhold this information under the exemption in section 38(1)(b) of FOISA.

54. The Commissioner requires the Authority to disclose the withheld information to the Applicant.

Decision 

The Commissioner finds that the Authority failed to comply with Part 1 (and, in particular, section 1(1)) of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant, as it was not entitled to withhold the personal data under section 38(1)(b) of FOISA.  

The Commissioner therefore requires the Authority to disclose the withheld information, by Thursday, 6 July 2023.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only.  Any such appeal must be made within 42 days after the date of intimation of this decision.

Enforcement

If the Authority fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that the Authority has failed to comply.  The Court has the right to inquire into the matter and may deal with the Authority as if it had committed a contempt of court.


Daren Fitzhenry
Scottish Information Commissioner

22 May 2023

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(2) The person who makes such a request is in this Part and in Parts 2 and 7 referred to as the “applicant.”

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions 

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that – 

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption – 

…     section 37; and 

(e) in subsection (1) of section 38 – 

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

38 Personal information 

(1) Information is exempt information if it constitutes-

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in – 

(a) Article 5(1) of the UK GDPR, and

(b) section 34(1) of the Data Protection Act 2018; 

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act);

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act).

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

47 Application for decision by Commissioner

(1) A person who is dissatisfied with -

(a) a notice under section 21(5) or (9); or

(b) the failure of a Scottish public authority to which a requirement for review was made to give such a notice.

may make application to the Commissioner for a decision whether, in any respect specified in that application, the request for information to which the requirement relates has been dealt with in accordance with Part 1 of this Act.

(2) An application under subsection (1) must - 

(a) be in writing or in another form which, by reason of its having some permanency, is capable of being used for subsequent reference (as, for example, a recording made on audio or video tape);

(b) state the name of the applicant and an address for correspondence; and

(c) specify – 

    (i) the request for information to which the requirement for review relates;

    (ii) the matter which was specified under sub-paragraph (ii) of section 20(3)(c);    and

    (iii) the matter which gives rise to the dissatisfaction mentioned in subsection (1).

    …

UK General Data Protection Regulation

Article 5 Principles relating to processing of personal data     

1 Personal data shall be:

    a. processed lawfully, fairly and in a transparent manner in relation to the data subject         (“lawfulness, fairness and transparency”)

    …

Data Protection Act 2018

3 Terms relating to the processing of personal data 

    …

    (2) “Personal data” means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

    (3) “Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to – 

        (a) an identifier such as a name, an identification number, location data or an online identifier, or

        (b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

    (4) “Processing”, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as – 

        …

        (d) disclosure by transmission, dissemination or otherwise making available,

        …

(5) “Data subject” means the identified or identifiable living individual to whom personal data relates.

(10) “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).

(14) In Parts 5 to 7, except where otherwise provided – 

    (a) references to the UK GDPR are to the UK GDPR read with Part 2;

    …

(c) references to personal data, and the processing of personal data, are to personal data and processing to which Part 2, Part 3 or Part 4 applies;

(d) references to a controller or processor are to a controller or processor in relation to the processing of personal data to which Part 2, Part 3 or Part 4 applies.