Home Decisions

Decision 054/2022

Decision 054/2022: Statutory Plant Health Notices 2019

Public authority: Scottish Forestry
Case Ref: 202000411

Summary

Scottish Forestry was asked for a full copy of the spreadsheet of Statutory Plant Health Notices (SPHNs) issued in 2019.  Scottish Forestry provided redacted versions of SPHNs.  The Commissioner found that they had breached the EIRs in withholding the information from the SPHNs.

Relevant statutory provisions

The Environmental Information (Scotland) Regulations 2004 (the EIRs) regulations 2(1) (definitions of “the data protection principles”, “data subject”, “environmental information” (paragraphs (a) and (c)), “personal data” and “the UK GDPR”) and (3A)(a) (Interpretation); 5(1) and (2)(b) (Duty to make environmental information available on request); 10(3) (Exceptions from duty to make environmental information available) and 11(2), (3A)(a) and (7) (Personal data)

United Kingdom General Data Protection Regulation (the UK GDPR) articles 5(1)(a) (Principles relating to the processing of personal data) and 6(1)(f) (Lawfulness of processing)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5), (10) and 14(a), (c) and (d) (Terms relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 2 to this decision.  The Appendices form part of this decision.

Background

1. On 9 January 2020, the Applicant made a request for information to Scottish Forestry (an executive agency of the Scottish Ministers).  The information requested was a full copy of the spreadsheet pertaining to SPHNs (Statutory Plant Health Notices) issued in 2019, referenced within an email dated 6 January 2020 (the request is set out in full at Appendix 1).

2. Scottish Forestry responded on 5 February 2020.  The authority identified that the request fell under the EIRs and applied the exemption in section 39(2) of the Freedom of Information (Scotland) Act 2002 (FOISA).  It provided a redacted spreadsheet of plant health notices, withholding some information under regulation 11(2) (Personal data) of the EIRs.

3. On 14 February 2020, the Applicant wrote requesting a review of its decision, on the basis that he was dissatisfied that not all of the requested information was provided and that no reason for the omissions of such information was supplied.  The Applicant also stated that the information provided contained errors and potential omissions.  The Applicant subsequently (on the same day) provided more specific reasons why he considered information should not be redacted, based on information previously provided to him in response to earlier requests where location, map and grid references had been provided.  He explained why he considered provision of the grid references and research domains was in the public interest.  He further identified information that appeared to have been omitted from the spreadsheet.

4. Scottish Forestry notified the Applicant of the outcome of its review on 16 March 2020, upholding the original response with modifications.  It noted that the six figure grid reference data previously provided should not have been provided and stated that it was reasonable to redact personal information.  It acknowledged the public interest in the pattern and spread of the disease Phytophthora ramorum on larch, but did not consider this outweighed the public interest in redacting personal information.  Scottish Forestry provided a revised version of the spreadsheet, with the identified missing information and wider scale grid reference data, allowing identification at a geographic rather than an individual level.

5. On 31 March 2020, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA.  By virtue of regulation 17 of the EIRs, Part 4 of FOISA applies to the enforcement of the EIRs as it applies to the enforcement of FOISA, subject to specified modifications.  The Applicant stated he was dissatisfied with the outcome of Scottish Forestry’s review because he did not accept that the classification of grid reference points of plant health infections was personal data: exact grid points were critical for scientific study and analysis of infection dispersal rates and patterns.  He noted that a previous request resulted in provision of a document containing a detailed study on spore dispersal measurements ranging between 10s of meters apart over 1,000m.  

6. The Applicant believed the provision of coarser edited grid measurements would make underlying data less accurate for study and raised issues around potential illegal release of personal data in previous request responses.  He provided previously supplied plant health notices which were unredacted.  He explained that the notices contained satellite imaging with a marked zone centred on the six-figure grid reference, already made visible by indirect reference. The Applicant was also concerned about a perceived intent to hide or obfuscate legal errors and not being open about information concerning foreign viral or bacterial infections, hiding behind privacy regarding location of inanimate objects as personal data. 

Investigation

7. The application was accepted as valid. The Commissioner confirmed that the Applicant made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

8. On 10 July 2020, Scottish Forestry was notified in writing that the Applicant had made a valid application and was asked to send the Commissioner the information withheld from the Applicant.  Scottish Forestry, provided the information and the case was allocated to an investigating officer.  


9. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application.  Scottish Forestry was invited to comment on this application and to answer specific questions. These related to the use of the EIRs, Scottish Forestry’s rationale for categorising the withheld information as personal data and its approach in applying regulation 11(2) of the EIRs.  

Commissioner’s analysis and findings

10. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both the Applicant and Scottish Forestry.  He is satisfied that no matter of relevance has been overlooked.

Handling in terms of the EIRs

11. Scottish Forestry processed the Applicant’s request and requirement for review in accordance with the EIRs.

12. Where information falls within the definition of “environmental information” in regulation 2(1) of the EIRs, a person has a right to access it (and the public authority a corresponding obligation to respond) under the EIRs, subject to various restrictions and exceptions contained in the EIRs.

13. Scottish Forestry explained, by way of background, that SPHNs are a mechanism that regulators use to require landowners to take action.  This can include the felling of trees to prevent the spread of a specific disease, such as infected larch stands, and susceptible hosts within a 250 metre buffer zone everywhere in Scotland outside a specified Management Zone.  No SPHNs are issued inside this Management Zone, in order to allow the phased removal of larch within the capacity of the forestry sector to harvest and process the timber.  First found in Scottish plant nurseries in 2002 and in gardens and parks in 2007, Scottish Forestry went on to explain, Ramorum disease (Phytophthora ramorum) is causing extensive damage and mortality to larch trees and other plants, mainly in the wetter west of Scotland. 

14. Scottish Forestry conducts bi-annual helicopter surveillance and associated ground surveys of larch to monitor the spread of Phytophthora ramorum on larch. The information collected is the: 

  • occupier or person in charge of the premises, including name, address, telephone number and/or email address (and/or an agent acting on their behalf)
  • name of location of infection or suspected infection
  • 10 figure grid reference - so the location is identified within 1m2 and
  • map showing location of infected material and survey details (positive or negative of disease presence).

All of this information is contained within an SPHN, which is given a unique identifier, and is also recorded in the tree health team GIS dataset.

15. Scottish Forestry serve notices using the powers granted to the Scottish Ministers.  The notices will normally be served on the woodland owner and the business that legally owns the woodland.  The woodland owner is then legally bound to undertake the actions defined in the SPHN, such as the felling of infected trees. 

16. Scottish Forestry issues numerous SPHNs and, in recent years, these have largely been associated with the control of the spread of Phytophthera ramorum on larch trees.  The issuing and compliance of SPHNs is well understood, in Scottish Forestry’s view, and action is undertaken by the vast majority of landowners.

17. The Applicant did not challenge Scottish Forestry’s decision to deal with the information as environmental information.  The Commissioner is satisfied that this was an appropriate decision, as the request relates to reporting on aspects of the state of the elements of the environment, including natural sites and biological diversity (paragraph (a) of the definition pf “environmental information” in regulation 2(1) of the EIRs) and associated action to protect those elements (being measures and activities falling within the scope of part (c) of that definition).  He will consider the handling of the request in what follows solely in terms of the EIRs.

Regulation 11(2) – Personal data

18. Regulation 10(3) of the EIRs provides that a Scottish public authority can only make personal data in environmental information available in accordance with regulation 11. Regulation 11(2) provides that personal data shall not be made available where the applicant is not the data subject and other specified conditions apply.  These include where disclosure would contravene any of the data protection principles in the UK GDPR or DPA 2018 (regulation 11(3A)(a)).

19. To rely on this provision, therefore, Scottish Forestry must show that the information is personal data for the purposes of the DPA 2018 and that disclosure of the information into the public domain would contravene one or more of the data protection principles in Article 5(1) of the UK GDPR.  There is no public interest test to be considered where this limb of regulation 11(2) applies.

Is the withheld information personal data?

20. The first question the Commissioner must address is whether the information is personal data in terms of section 3(2) of the DPA 2018.

21. “Personal data” is defined in section 3(2) of the DPA as “any information relating to an identified or identifiable individual”.  Section 3(3) of the DPA 2018 defines “identifiable living individual” as a living individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

22. Information will “relate to” a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them, or has them as its main focus.

23. An individual is “identifiable” if it is possible to distinguish them from other individuals.

24. The Applicant submitted that the information requested related to confirmation of disease on larch trees in an area and it was not clear why that could be described as personal data.

25. Scottish Forestry submitted that the information being withheld was geographical locator data, specifically national grid references, and X and Y co-ordinates, of woodlands on which SPHNs were served, which were all location data.  Scottish Forestry explained that SPHNs are served on the landowner or their representative, which requires identification, and that the grid reference, when accompanied by a scale, can often be associated with a house/accommodation or place of work.

26. In the case of Breyer v Bundesrepublik Deutschland the Court of Justice of the European Union looked at the question of identification. The Court took the view that the correct test to consider is whether there is realistic prospect of someone being identified.  When making that determination, account can be taken of information in the hands of a third party. However, there must be a realistic causal chain - if the risk of identification is insignificant, the information will not be personal data.

27. Scottish Forestry submitted that natural persons could be identified indirectly from some of the information, in combination with other publicly available information.  They accepted that not all grid references will be associated with an identified living individual, as land may be owned by a company or may not immediately be associated with a house or factor which is specific to an individual, e.g. a woodland in a remote location.  However, to determine whether each grid reference was associated with a living individual would require details of every site individually to identify land details at the time the SPHN was issued.   Scottish Forestry would also need to consider whether there had been any ownership changes since the SPHN was issued, which could be either from a private individual to a company or vice versa.

28. Scottish Forestry further submitted that 448 grid references/X and Y co-ordinates would have to be checked individually to determine whether or not the entry related to a living individual in each case.  Given the resource implications for completing this task, they did not consider it proportionate to undertake a review of each individual entry: to protect the personal data of individuals, they considered it necessary to withhold all of the specific locational data in line with regulation 11(2).  

29. Scottish Forestry cited the (UK) Information Commissioner’s guidance that ”relates to” means that it does more than simply identifying [the individual] – it must concern the individual in some way.  As such, they considered the content of the data and whether it was directly about the individual or their activities, and concluded that the data would relate to activities on the individuals’ land and the effects of a disease on their trees and the actions they must take and potential consequences of that action (such as economic impact or loss of amenity).

30. The Commissioner has considered the arguments provided and acknowledges that the withheld information could, in some cases at least, be linked to living individuals through provision of the grid reference, X and Y coordinates and site name, when added to other information in the public domain, e.g. local knowledge or more formally by searches of the Registers of Scotland (although that would require significant cost).  In such cases, the Commissioner accepts that – in relating to actions required on the individuals’ land and the economic and amenity impacts of plant disease on that land – the withheld information could be said to relate to those individuals.

31. However, regulation 11(2) cannot be relied upon when there is no identifiable living individual that could be identified from disclosure of the withheld information.  Scottish Forestry has acknowledged that there will be sites, owned by companies or other non-natural persons, where it will not be possible to identify living individuals from the withheld information.  Regulation 11(2) is a provision relating to personal data and it can only be used to withhold personal data.  There may be circumstances in which it is appropriate to take a precautionary approach in determining what comprises personal data, but that cannot extend to information from which it is acknowledged living individuals could not be identified.  Whatever other provisions in the EIRs (which have not been cited by Scottish Forestry and therefore do not fall to be considered here) may permit consideration of the resource implications of complying with the request, regulation 11(2) does not.  

32. The Commissioner is not, therefore, satisfied that all of the withheld information can be said to be personal data.  Where no living individual (as opposed to a company or other non-natural person) can be said to have an interest in the site in question, the Commissioner cannot accept that the information relating to that site will be anyone’s personal data.  It cannot, therefore, be withheld under regulation 11(2) of the EIRs.  As no other provision in the EIRs has been claimed in relation to such information, the Commissioner must require its disclosure.

Would disclosure contravene one of the data protection principles?

33. Scottish Forestry considered that disclosure of these data would contravene Article 5(1)(a) of the UK GDPR as the third parties would not expect information about them to be released into the public domain under the EIRs.  Article 5(1)(a) requires personal data to be processed “lawfully, fairly and in a transparent manner in relation to the data subject”.  The definition of “processing” is wide and includes “disclosure by transmission, dissemination or otherwise making available” (section 3(4)(d) of the DPA 2018).

34. In the case of the EIRs, personal data are processed when disclosed in response to a request.  In terms of Article 5(1)(a), personal data can only be disclosed if disclosure would be both lawful (i.e. if it would meet one of the conditions of lawful processing listed in Article 6(1) of the UK GDPR) and fair.

35. The Commissioner will first consider whether any of the conditions in Article 6(1) can be met. Generally, when considering whether personal data can lawfully be disclosed under FOISA, only condition (f) (legitimate interests) is likely to be relevant.

Condition (f): legitimate interests

36. Condition (f) states that processing will be lawful if it “…is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data …”

37. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, regulation 11(7) of the EIRs (see Appendix 2) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under the EIRs. 

38. The tests which must be met before Article 6(1)(f) can be met are as follows: 

  • Does the Applicant have a legitimate interest in obtaining the personal data? 
  • If so, would the disclosure of the personal data be necessary to achieve that legitimate interest? 
  • Even if the processing would be necessary to achieve the legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subjects?

Does the Applicant have a legitimate interest in obtaining the personal data?

39. The Applicant sought to establish the validity of setting a 250 metre “buffer” surrounding an identified diseased tree. He explained that the data "points" that are GPS locations are implemented in legal instruments (felling orders under the Plant Health Acts) as a centre point, around which the 250m "buffer" is deemed to be included.  He considered the core basis of the auditability of the legal instrument to be the centre point (or points) as a single distinct reference to a biological immobile plant: the absence of any way to audit the validity of a buffer brought into question the transparency of the application of the law.  As the locations referred to immobile plants, he considered it irrelevant who was the current custodian of that plant, as property ownership records are transparent. 

40. The Applicant was also concerned that withholding the data requested would affect the value to current and historical research where a 250m "buffer" was determined, small distances then being determined relevant.  Without the accurate location which determined the "centre", the analysis of 250m was impossible and created unnecessary statistical errors in critical research.

41. Scottish Forestry acknowledged that there was an ongoing public interest in the general requirement for transparency in public life, and in the issue that the information in question relates to, i.e. the management of tree diseases in Scotland and the application of statutory measures. 

42. Having considered all relevant submissions, the Commissioner is satisfied that the Applicant (as well as the wider public) does have a legitimate interest in the withheld information, at the level requested, for the reasons set out by the Applicant and Scottish Forestry.

Is disclosure of the personal data necessary?

43. Having accepted that the Applicant has a legitimate interest, the Commissioner must consider whether disclosure of the personal data is necessary to meet that legitimate interest.

44. "Necessary" means "reasonably" rather than "absolutely" or "strictly" necessary.  When considering whether disclosure would be necessary, public authorities should consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the requester's legitimate interests can be met by means which interfere less with the privacy of the data subject.

45. Scottish Forestry believed the four-figure grid reference provided to the Applicant (as opposed to the full ten-figure reference withheld) was at a scale which would enable the Applicant to identify a region/locality, to identify a region/locality to allow an understanding of migration patterns, and to assess aspects of its approach to tackling the disease, without identifying living individuals.  In its view, it provided an appropriate balance between protecting personal data and meeting the public interest in showing the spread and approach to the management of this disease.

46. Scottish Forestry explained that regulation 17 of The Plant Health (Official Controls and Miscellaneous Provisions) (Scotland) Regulations 2019 (the 2019 Regulations) makes provision for the Scottish Ministers, following confirmation of the presence of a controlled plant pest in an area of Scotland where it was not previously present, by notice, to demarcate an area and specify provisions for eradication or containment.  Such a notice must be in writing, which is effectively an SPHN.  Regulation 17(3)(d) states that the notice “must be published in a manner appropriate to bring it to the attention of the public”.  Consequently, there is a legal requirement to publish information to bring notices to the attention of the public under the 2019 Regulations. 

47. Scottish Forestry also explained that it published a map on its website showing accurately, but not in detail, the approximate geographic locations of extant SPHNs, which it considered to be an appropriate manner to inform the public and therefore met their legal obligations in this regard.  A link to relevant webpage was provided: the map, which is in PDF format, is to be found within the paragraph heading “Disease spread”. 

48. Having reviewed the information previously disclosed and publicly available at the time of the request, together with the above submissions, the Commissioner is not satisfied that the Applicant’s legitimate interests (as acknowledged above) can be met adequately without disclosure of the withheld personal data.  As a result, he considers disclosure of those data to be necessary to meet those legitimate interests.  

Interests of the data subjects

49. The Commissioner has acknowledged that disclosure of the withheld information would be necessary to achieve the Applicant’s legitimate interests.  This must be balanced against the interests or fundamental rights and freedoms of the data subjects.  Only if the legitimate interest of the Applicant outweighed those of the data subjects could personal data be disclosed lawfully in line with Article 6(1)(f). 

50. Scottish Forestry argued that the third parties would not expect Scottish Forestry to release this information about them into the public domain under the EIRs.  Scottish Forestry had considered how processing of the information at the level requested by the Applicant might affect the individuals concerned and they believed that by making the information publicly available, noting that it would allow the identification of individuals who had trees on their land that were diseased and who were being served with a statutory requirement to undertake works to fell those trees.  The impact of this would, in Scottish Forestry’s view, be to potentially disclose to neighbours an event/issue connected with their property, leading to them knowing the disease was on a neighbouring property, which could affect the relationship between individuals and could cause distress and/or blame.

51. Scottish Forestry believed disclosure could also allow agents and management companies to actively market their services to a landowner, for example, for removal of the trees.  Additionally, Scottish Forestry noted that the media actively monitor the movement of this disease and, if individuals were known, they could be singled out.

52. The Commissioner finds these submissions to be speculative in nature, with no apparent evidence to support the likelihood of their becoming a reality.  It is not self-evident that the presence of an endemic plant disease on particular property necessarily reflects adversely on the owner or occupier of that property, or (given the prevalence of the disease) that approaches of the kind described by Scottish Forestry would be made significantly more likely by disclosure of the withheld personal data.

Commissioner’s conclusions

53. The Commissioner has considered the likely expectations of the data subjects, along with the potential for harm or distress being caused by disclosure of the information, Scottish Forestrys’ claims for which appear to be based on speculation with no apparent basis in evidence.  

54. After carefully balancing the legitimate interests of the Applicant against the interests or fundamental rights and freedoms of the data subjects, the Commissioner finds that Article 6(1)(f) of the UK GDPR would permit disclosure of the withheld personal data, with the result that disclosure would be lawful.  Bearing that in mind, he can identify no reason why disclosure would be unfair and therefore finds that disclosure would be consistent with the data protection principle in Article 5(1)(a) of the UK GDPR.  Consequently, he must conclude that Scottish Forestry was not entitled to rely on regulation 11(2) of the EIRs in relation to the withheld personal data and so requires Scottish Forestry to provide the Applicant with all of the information previously withheld under regulation 11(2).

Decision 

The Commissioner finds that the Scottish Forestry failed to comply with the Environmental Information (Scotland) Regulations 2004 (the EIRs) in responding to the information request made by the Applicant.  

The Commissioner finds that regulation 11(2) of the EIRs did not prohibit Scottish Forestry from making the information available.  Failure to make the information available breached the EIRs (in particular, regulation 5(1)).  

The Commissioner therefore requires the Scottish Forestry to disclose the requested information to the Applicant by 27 June 2022.

Appeal

Should either the Applicant or Scottish Forestry wishes to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only.  Any such appeal must be made within 42 days after the date of intimation of this decision.

Enforcement

If Scottish Forestry fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that Scottish Forestry have failed to comply. The Court has the right to inquire into the matter and may deal with Scottish Forestry as if it had committed a contempt of court. 

Margaret Keyse
Head of Enforcement

13 May 2022

Appendix 1: Original Request

Request 9 January 2020 [23:08}

I would like to request a full copy of the spreadsheet pertaining to SPHN's issued in 2019 which is referenced (as an extract copy of data) within an email from [name] dated 6th January 2020 13:18.

The particular details I am requesting for clarity are:

NGR

X Y Site Name Date Sample Taken SampleID Species Sample Type FR_ID Input Date Comments  Result LFD Result Result Date CP_RAMORUM CP_COX LINEAGE YEAR

Request 9 January 2020 [23:10]

NGR, X,Y - geographic location
Site Name,
Date Sample Taken
SampleID
Species 
Sample Type 
FR_ID 
Input Date 
Comments 
Result LFD 
Result 
Result Date 
CP_RAMORUM 
CP_COX 
LINEAGE 
YEAR

 
Appendix 2: Relevant statutory provisions

The Environmental Information (Scotland) Regulations 2004

2 Interpretation 

(1) In these Regulations – 

“the data protection principles” means the principles set out in – 

(a) Article 5(1) of the UK GDPR, and 

(b) section 34(1) of the Data Protection Act 2018;

“data subject” has the same meaning as in the Data Protection Act 2018 (see section of that Act):

"environmental information" has the same meaning as in Article 2(1) of the Directive, namely any information in written, visual, aural, electronic or any other material form on - 

(a) the state of the elements of the environment, such as air and atmosphere, water, soil, land, landscape and natural sites including wetlands, coastal and marine areas, biological diversity and its components, including genetically modified organisms, and the interaction among these elements;

(c) measures (including administrative measures), such as policies, legislation, plans, programmes, environmental agreements, and activities affecting or likely to affect the elements and factors referred to in paragraphs (a) and (b) as well as measures or activities designed to protect those elements;

 “personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act);

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act); and

(3A) In these Regulations, references to the UK GDPR and the Data Protection Act 2018 have effect as if in Article 2 of the UK GDPR and Chapter 3 of Part 2 of that Act (exemptions for manual unstructured processing and for national security and defence purposes) -

(a) the references to an FOI public authority were references to a Scottish public authority as defined in these Regulations, and

5     Duty to make available environmental information on request

(1) Subject to paragraph (2), a Scottish public authority that holds environmental information shall make it available when requested to do so by any applicant.

(2) The duty under paragraph (1)-

(b) is subject to regulations 6 to 12.

10 Exceptions from duty to make environmental information available

(3) Where the environmental information requested includes personal data, the authority shall not make those personal data available otherwise than in accordance with regulation 11.

11 Personal data 

(2) To the extent that environmental information requested includes personal data of which the applicant is not the data subject, a Scottish public authority must not make the personal data available if - 

 (a) the first condition set out in paragraph (3A) is satisfied, or

 (b) the second or third condition set out in paragraph (3B) or (4A) is satisfied and, in all the circumstances of the case, the public interest in making the information available is outweighed by that in not doing so.

(3A) The first condition is that the disclosure of the information to a member of the public otherwise than under these Regulations – 

(a) would contravene any of the data protection principles, or 


(7) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

UK General Data Protection Regulation

Article 5 Principles relating to processing of personal data 

1 Personal data shall be:

    a.    processed lawfully, fairly and in a transparent manner in relation to the data subject         (“lawfulness, fairness and transparency”)

    …


Article 6    Lawfulness of processing 

1 Processing shall be lawful only if and to the extent that at least one of the following applies:

    …

    f.    processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the  protection of personal data, in particular where the data subject is a child.

…  

Data Protection Act 2018

3 Terms relating to the processing of personal data 
    

    (2) “Personal data” means any information relating to an identified or identifiable living         individual (subject to subsection (14)(c)).

    (3) “Identifiable living individual” means a living individual who can be identified, directly         or indirectly, in particular by reference to – 

        (a)    an identifier such as a name, an identification number, location data or an             online identifier, or

        (b)    one or more factors specific to the physical, physiological, genetic, mental,             economic, cultural or social identity of the individual.

    (4) “Processing”, in relation to information, means an operation or set of operations             which is performed on information, or on sets of information, such as – 

        …

        (d)    disclosure by transmission, dissemination or otherwise making available,

        …

(5) “Data subject” means the identified or identifiable living individual to whom  the data relates.

(10) “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).

(14) In Parts 5 to 7, except where otherwise provided – 

    (a)    references to the UK GDPR are to the UK GDPR read with Part 2;

    …

(c) references to personal data, and the processing of personal data, are to personal data and processing to which Part 2, Part 3 or Part 4 applies;

(d) references to a controller or processor are to a controller or processor in relation to the processing of personal data to which Part 2, Part 3 or Part 4 applies.