Home Decisions

Decision 061/2022

Decision 061/2022: Appeal uphold rates by school and school area

Public authority: Scottish Qualifications Authority
Case Ref:  202100867

Summary

The SQA was asked for the appeal uphold rates by school and school area for the last decade for National 5, Higher and Advanced Higher exams.  The SQA refused to provide the information as it considered it to be personal data.  During the Commissioner’s investigation, the SQA disclosed the majority of the information requested, but continued to withhold certain data where the numbers were “less than five”.  The Commissioner investigated and concluded that the information was not personal data.  He required the SQA to disclose the remaining withheld information to the Applicant.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions), 38(1)(b), (2A), (5) (definitions of “the data protection principles”, “data subject”, “personal data”, “processing” and “the UK GDPR”) and (5A) (Personal information)

United Kingdom General Data Protection Regulation (the UK GDPR) articles 4(1) (definition of “personal data”) (Definitions); 5(1)(a) (Principles relating to processing of personal data); 6(1) (Lawfulness of processing)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (10) and (14)(a), (c) and (d) (Terms relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision.  The Appendix forms part of this decision.

Background

1. On 7 October 2020, the Applicant made a request for information to the Scottish Qualifications Authority (the SQA).  The information requested was the appeal uphold rates by school and school area for the last decade, for National 5s, Highers and Advanced Highers.

2. The SQA responded on 3 November 2020.  It stated this was the first year there had been appeals and, as they were still in progress, there was no finalised data available as yet.  The Results Services Statistical Tables would be published in December as per its Publication schedule , with tables published by course.  The SQA explained that, from the start of the Curriculum for Excellence in 2014 until 2019, centres could request a clerical check or review of marking through the Post Results Service.  From 2010 to 2013, a different appeals service was in place.  Corresponding statistics and tables for both were published on its website.

3. On 4 November 2020, the Applicant wrote to the SQA, requesting a review of its decision on the basis that the response given did not answer his request.  He argued that the information provided on appeals (whether review of marking or full appeals) did not include successful appeals by school, which was the information requested.

4. The SQA notified the Applicant of the outcome of its review on 27 November 2020, modifying its original decision.  It explained that the published information was by course, which was in keeping with the format of the National Attainment Statistics (NAS) (i.e. by level and by subject).  The SQA accepted it had not fully explained why the centre level tables requested had not been provided.

5. The SQA explained that, as Scotland’s national qualifications body, it is subject to the Education (Scotland) Act 1996 as amended by the Scottish Qualifications Authority Act 2002. Under this legislation, the SQA is responsible for devising qualifications and for making arrangements for the assessment of individuals undertaking these qualifications and ensuring that standards of qualifications are maintained.  It publishes NAS by qualification level and subject each year, to enable public scrutiny of these standards, and one of the processes designed to ensure this standardisation is the Grade Boundary process.

6. The SQA argued that the level of information requested by the Applicant substantially increased the risk of being able to identify individual candidates, given the small numbers in very small geographical areas.  In its view, disclosure would breach its responsibilities under the GDPR and the DPA to safeguard the personal data held on individual candidates.  The SQA withheld the information requested under section 38(1)(b) of FOISA.

7. On 19 July 2021, the Commissioner received an application for a decision from the Applicant, in terms of section 47(1) of FOISA.  Following further enquiry, it was established that this had been sent by the Applicant on 8 December 2020.

8. The Applicant stated he was dissatisfied with the SQA’s decision to withhold the information on the basis that it could lead to the identification of individual cases, due to low numbers.  He did not believe this was a reasonable excuse to withhold the information as, in his view, it was not possible to use raw data and identify individuals based on the information requested.  The Applicant argued disclosure was clearly in the public interest and allowed due scrutiny of a government agency.

Investigation

9.  The application was accepted as valid.  The Commissioner confirmed that the Applicant had made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

10. On 18 August 2021, the SQA was notified in writing that the Applicant had made a valid application and was asked to send the Commissioner the information withheld from the Applicant.  The SQA provided the information and the case was subsequently allocated to an investigating officer.

11. On 17 December 2021, the SQA informed the Commissioner that, having reviewed its original decision, it had decided the exemption in section 38(1)(b) no longer applied to all of the information requested.  It disclosed the information, with redactions, to the Applicant that same day.

12. For the redacted information, where the number of appeals for any qualification level by individual SQA centre (or school) totalled less than five, the SQA considered it was possible to identify individuals (i.e. those who were successful or unsuccessful in their appeals) from such a small number.  Where the total number of appeals for any qualification level by centre totalled more than five, the breakdown of successful and unsuccessful appeals was not redacted, even where these breakdown figures were less than five.

13. Following the SQA’s disclosure of the further information, the Applicant confirmed that he wished to continue with his application for a decision by the Commissioner.  He clarified that he was not only dissatisfied with the SQA’s decision to withhold all of the information at review stage, but remained dissatisfied with the redaction of certain data “less than five” in the information now disclosed.

14. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application.  The SQA was invited to comment on this application and to answer specific questions.  These related to the SQA’s justification for withholding the information requested (including the “less than five” data) under the exemption in section 38(1)(b) of FOISA, on the basis that it was personal data.

15. The Applicant was also invited to submit his legitimate interests in obtaining the information requested.

16. Both parties provided submissions to the Commissioner.

Commissioner’s analysis and findings

17. In coming to a decision on this matter, the Commissioner has considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both the Applicant and the SQA.  He is satisfied that no matter of relevance has been overlooked.

Section 38(1)(b) – Personal information

18. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is "personal data" (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR or (where relevant) in the DPA 2018.

19. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption.  This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

20. To rely on this exemption, the SQA must show that the information withheld is personal data for the purposes of the DPA 2018 and that disclosure of the information into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles to be found in Article 5(1) of the UK GDPR.

21. The Commissioner must decide whether the SQA was correct to withhold the information requested under section 38(1)(b) of FOISA.

Is the withheld information personal data?

22. The first question that the Commissioner must address is whether the withheld information is personal data for the purposes of section 3(2) of the DPA 2018, i.e. any information relating to an identified or identifiable individual.  "Identifiable living individual" is defined in section 3(3) of the DPA 2018   see Appendix 1.  (This definition reflects the definition of personal data in Article 4(1) of the UK GDPR, also set out in in Appendix 1.)

23. The two main elements of personal data are that the information must “relate to” a living individual and the living individual must be identifiable.

24. An “identifiable living individual” is one who can be identified, directly or indirectly, by reference to an identifier (such as a name or one or more factors specific to the individual) (see section 3(3) of the DPA 2018, set out in Appendix 1).

25. In the case of Breyer v Bundesrepublik Deutschland (C-582/14), the Court of Justice of the European Union looked at the question of identification.  The Court took the view that the correct test to consider is whether there is a realistic prospect of someone being identified.  In deciding whether there is a realistic prospect of identification, account can be taken of information in the hands of a third party.  However, there must be a realistic causal chain - if the risk of identification is "insignificant", the information will not be personal data.

26. Although this decision was made before the UK GDPR and the DPA 2018 came into force, the Commissioner expects that the same rules will apply.  As set out in Recital (26) of the GDPR (the source of the UK GDPR), the determination of whether a natural person is identifiable should take account of all means reasonably likely to be used to identify the person, directly or indirectly.  In considering what is reasonably likely, the Recital states that all objective factors should be taken into account, such as the costs and amount of time required for identification, the available technology at the time of processing and technological developments.  It confirms that data should be considered anonymous (and therefore no longer subject to the GDPR) when the data subject(s) is/are no longer identifiable.

The SQA’s submissions

27. In its submissions to the Commissioner, the SQA submitted that the request sought data disaggregated to individual SQA centre (i.e. school) level.  The SQA stated it did not publish information at centre level as there was a risk that candidates could be identified if other information was published elsewhere, or could be known to other individuals, particularly for low uptake subjects.

28. The SQA explained that, at the time of the Applicant’s initial request and request for review, given the variances in centre sizes, it took the view that disclosure of the information, at individual SQA centre level, increased the risk of identification of some candidates.

29. On reviewing its position at the start of the investigation, the SQA accepted that its decision to apply the exemption in section 38(1)(b) in a blanket fashion was incorrect.  It therefore disclosed the information to the Applicant on 17 December 2021, subject to disclosure control of certain data where the number of appeals was “less than five”.

Data less than five

30. For the “less than five” data which the SQA continued to withhold, the SQA explained this was due to the request seeking data at centre and qualification level.  Where there were fewer than five appeal requests by the centre for a qualification level, the SQA judged that disclosure risked the identification of candidates.  To mitigate against this risk, the SQA applied disclosure control by withholding the outcome figures (i.e. the breakdown of successful and unsuccessful appeals) for those totals.  In the SQA’s view, this was a reasonable and proportionate decision for the following reasons:

  • Protection of personal data:  Where appeals totalled “less than five”, and where the centre name, a geographical area reference, the relevant local authority and the qualification level were provided, this risked individual candidates being identified.  These small numbers might, in some circumstances, be a reasonably large proportion of the total dataset for a centre/level.  Where a specific centre was identified, there was a risk that those with knowledge of the centre and/or cohort (beyond the staff members in the centre) might be able to identify individuals.
  • Compliance with Code of Practice for Statistics:  As an Official Statistics Producer named in The Official Statistics (Scotland) Amendment Order 2019, the SQA stated that it was obliged to comply with the UK Statistics Authority’s Code of Practice for Statistics.  This mandates that: “Organisations should be transparent and accountable about the procedures used to protect personal data” and that “Appropriate disclosure control methods should be applied before releasing statistics and data” (Principle T6.4).  In applying disclosure control to the dataset disclosed, the SQA stated it had complied with the Code of Practice for Statistics.

31. The SQA was asked to provide examples showing how individuals would be identified as a direct result of disclosure of the remaining withheld information.  In response, the SQA submitted that its response to the Applicant’s information request was published on its disclosure log and, should the information become more widely available, there was a risk that people in the local area of a centre may be able to work out who an individual appellant was.

32. The SQA was also asked to explain why it believed there was no similar risk of identification of individuals as a direct result of disclosure of the “less than five” figures present in the information disclosed to the Applicant on 17 December 2020.  This information comprised:

  • appeals totalling less than five for any particular centre/qualification level, and
  •  the outcomes of appeals (i.e. the breakdown of successful and unsuccessful appeals) which were “less than five” but where the total number of appeals for any particular centre/qualification level was more than five.

33. In response, the SQA submitted that the data was disaggregated at centre level, not qualification level, so the risk of identification was lower.  It had assessed that, where there was a moderate to large number of appellants, i.e. greater than five, there was less risk that individuals and appeal outcomes could be identified.  By way of example, it submitted that, if only one out of 25 appellants was downgraded, it would be difficult to ascertain who that one appellant was.

34. In conclusion, the SQA’s view was that the appeals information, including the appeal outcomes for individual candidates, met the definition of personal data.

The Applicant’s submissions

35. In his submissions to the Commissioner, the Applicant disputed the information was personal data and could not see how anyone could be identified by that data which, he argued, was simply numbers.

36. The Applicant drew a parallel with the publication of COVID statistics.  He argued that, while those statistics clearly related to individuals, there was no way to identify the individuals from the raw data and it was clearly in the public interest (in that case) to obtain the data, given the need to understand the threat level and the progress through the pandemic.  He submitted that, at times, the numbers of COVID infections were very low, yet the data was still published, it was still in the public interest and it was still impossible to identify individuals from the data.

37. The Applicant refuted the SQA’s argument that, due to the low numbers of appeals, individuals could readily be identified.  He argued this was not logical, given that other information would be needed which was clearly not in the public domain (and should not be).  In the Applicant’s view, contrary to the SQA’s claims, there was actually a large number of appeals and it was simply not possible to identify individuals from the data.

38. In the Applicant’s view, the SQA’s rationale for refusing his request was, at best, flawed and not compliant with the regulation.

The Commissioner’s conclusions

39. The Commissioner has carefully considered the submissions from both parties, together with the information withheld from the Applicant.

40. For the information originally withheld and subsequently disclosed to the Applicant at the start of the Commissioner’s investigation, the Commissioner has no option but to find that the SQA wrongly withheld this information under section 38(1)(b) of FOISA.

41. For the remaining withheld information (i.e. certain data “less than five”), the Commissioner is not satisfied that he has been provided with sufficiently persuasive arguments to conclude that disclosure would lead to the identification of individuals, as claimed by the SQA.

42. While the Commissioner accepts that the particular candidates themselves, staff in the corresponding centres, relatives and close friends may be aware of whether a particular individual who submitted an appeal was successful or unsuccessful in doing so, without the benefit of the withheld information, he does not accept that disclosure of the “less than five” figures, corresponding to these outcomes, into the public domain in response to a request under FOISA (such as this), would increase the likelihood of those individuals being readily identifiable to anyone else.

43. In the Commissioner’s view, the SQA’s arguments surrounding identification appear to be based on the availability of other information about candidates which might be “linked” to the data to allow identification.  However, the SQA has provided no evidence to show that this has been, or can realistically be, done.  The possibility that it might conceivably be done in the future is immaterial here: full consideration of the circumstances prevailing at that point (i.e. in the future) would be required before any decision on disclosure could be made.  Nor has the Commissioner been provided with any evidence to demonstrate that there is (or was at the time of the Applicant’s request for review) other publicly available information that could be used to “link” with the actual figures withheld, which would enable the identification of specific candidates.

44. As each centre will serve an area with a reasonably large population and area (which, in the case of certain categories of centre, e.g. rural, denominational or independent secondary schools, will also be fairly dispersed), it is not readily apparent to the Commissioner how even the small numbers being withheld could provide a realistic prospect of identification.

45. The Commissioner notes that, in the information released to the Applicant at the start of the investigation, the SQA disclosed figures “less than five”, as described above.  It is clear that, in doing so, the SQA considered there was no risk of identification of individuals from those low numbers disclosed.  The Commissioner has carefully considered the SQA’s arguments (which, in his view, lack evidence) surrounding the identification of individuals as a direct result of the remaining withheld “less than five” data, but is not persuaded that this would be more likely than would be the case for the “less than five” figures already disclosed.

46. In all the circumstances of the case, therefore, the Commissioner does not agree that a realistic causal chain exists where living individuals could be identified as a direct result of disclosing the remaining withheld “less than five” data.  The Commissioner therefore does not accept that the remaining withheld information qualifies as personal data, as defined in section 3(2) of the DPA.

47. As the Commissioner is not satisfied that the remaining withheld information is personal data, he must find that the SQA was not entitled to withhold the remaining “less than five” figures under section 38(1)(b) of FOISA.  He therefore requires the SQA to disclose the remaining withheld information to the Applicant.

Decision 

The Commissioner finds that the Scottish Qualifications Authority (the SQA) failed to comply with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant.  The Commissioner finds that the information was incorrectly withheld under the exemption in section 38(1)(b) of FOISA.

As the SQA has already disclosed the majority of the information falling within the scope of the Applicant’s request, he does not require it to take any action in relation to that information.

However, the Commissioner requires the SQA to disclose the remaining withheld information (i.e. certain data “less than five”) by 29 July 2022.

Appeal

Should either the Applicant or the SQA wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only.  Any such appeal must be made within 42 days after the date of intimation of this decision.

Enforcement

If the SQA fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that the SQA has failed to comply.  The Court has the right to inquire into the matter and may deal with the SQA as if it had committed a contempt of court.

Margaret Keyse
Head of Enforcement

14 June 2022



Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1     General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions 

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that – 

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption – 

(e) in subsection (1) of section 38 – 

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

38     Personal information 

(1) Information is exempt information if it constitutes-

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in – 

(a) Article 5(1) of the UK GDPR, and

(b) section 34(1) of the Data Protection Act 2018; 

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act);

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act).

(5A)    In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

UK General Data Protection Regulation

Article 4    Definitions

For the purpose of this Regulation:

1 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Article 5    Principles relating to processing of personal data 

1 Personal data shall be:

    a.    processed lawfully, fairly and in a transparent manner in relation to the data subject         (“lawfulness, fairness and transparency”)

    …

Article 6    Lawfulness of processing 

1 Processing shall be lawful only if and to the extent that at least one of the following applies:

 …

      f.    processing is necessary for the purposes of the legitimate interests pursued by the         controller or by a third party, except where such interests are overridden by the             interests or fundamental rights and freedoms of the data subject which require the         protection of personal data, in particular where the data subject is a child.



Data Protection Act 2018

3 Terms relating to the processing of personal data 

    …

    (2)    “Personal data” means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

    (3)    “Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to – 

        (a)    an identifier such as a name, an identification number, location data or an online identifier, or

        (b)    one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

    (4)    “Processing”, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as – 
        …

        (d)    disclosure by transmission, dissemination or otherwise making available,

        …

(10) “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).

(14) In Parts 5 to 7, except where otherwise provided – 

    (a)    references to the UK GDPR are to the UK GDPR read with Part 2;

    …

(c) references to personal data, and the processing of personal data, are to personal data and processing to which Part 2, Part 3 or Part 4 applies;

(d) references to a controller or processor are to a controller or processor in relation to the processing of personal data to which Part 2, Part 3 or Part 4 applies.