Decision 069/2023: Correspondence relating to a named street

Authority: South Lanarkshire Council
Case Ref: 202101464

Summary

The Applicant asked the Authority for correspondence relating to service areas and driveways of a named street.  The Authority provided the Applicant with information, but it redacted personal data from the correspondence. The Commissioner investigated and found that the Authority had wrongly withheld some information as personal data but, as this information was disclosed during the investigation, he did not require it to take any action.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 2(1)(b) (Effect of exemptions); 39(2) (Health, safety and the environment); 47(1) and (2) (Application for decision by Commissioner)

The Environmental Information (Scotland) Regulations 2004 (the EIRs) regulations 2(1) (definitions of “the data protection principles”, “data subject”, “environmental information” (paragraphs (a), (b) and (c)), “personal data” and “the UK GDPR”) and (3A)(a) (Interpretation); 5(1) and (2)(b) (Duty to make environmental information available on request); 11(2), (3A)(a) and (7) (Personal data); and 17(1), (2)(a), (b) and (f) (Enforcement and appeal provisions)

United Kingdom General Data Protection Regulation (the UK GDPR) articles 5(1)(a) (Principles relating to the processing of personal data) and 6(1)(f) (Lawfulness of processing)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5), (10) and 14(a), (c) and (d) (Terms relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision.  The Appendix forms part of this decision.

Background

1. On 20 September 2021, the Applicant made a request for information to the Authority.  He asked for all correspondence (including but not limited to enquiries and complaints) relating to roads, service strips, service verges and driveways for a named road.  

2. The Authority responded on 30 September 2021, and provided the Applicant with information falling within the scope of his request.

3. On 16 October 2021, the Applicant wrote to the Authority requesting a review of its decision.  The Applicant stated that he was dissatisfied with the decision, because some information had been redacted from the disclosed documents and he believed some information had not been provided.

4. The Authority notified the Applicant of the outcome of its review on 11 November 2021.  It identified and disclosed a letter that had been omitted from the original response, and it notified the Applicant that information had been redacted from the correspondence it had previously disclosed, under regulation 11(2) of the EIRs.

5. On 25 November 2021, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA.  By virtue of regulation 17 of the EIRs, Part 4 of FOISA applies to the enforcement of the EIRs as it applies to the enforcement of FOISA, subject to specified modifications.  The Applicant stated he was dissatisfied with the outcome of the Authority’s review because he believed that further information was held and he challenged the redactions made under regulation 11(2) of the EIRs. 

Investigation

6. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation. 

7. On 10 December 2021, the Authority was notified in writing that the Applicant had made a valid application.  The Authority was asked to send the Commissioner the information withheld from the Applicant.  The Authority provided the information and the case was allocated to an investigating officer. 

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application.  The Authority was invited to comment on this application and to answer specific questions.  These related to its reasons for withholding information under regulation 11(2) of the EIRs, and details of the searches it had carried out to identify and locate relevant information. 

Commissioner’s analysis and findings

9. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority.  

Application of the EIRs

10. In its correspondence with the Applicant, the Authority identified all of the information requested as being environmental information, as defined in regulation 2(1) of the EIRs. Having reached this conclusion, it applied section 39(2) of FOISA.

11. The Commissioner is satisfied that the information covered by this request (information regarding the service strips and driveways of a named street) is environmental information, as defined in regulation 2(1) of the EIRs.  In reaching this conclusion, the Commissioner has considered the information in question, along with paragraphs (a), (b) and (c) of the definition of environmental information (reproduced in Appendix 1), and he agrees that the Authority was correct to have categorised the information as environmental.  (The Applicant has not disputed the Authority’s decision to handle the request under the EIRs.)

12. The exemption in section 39(2) of FOISA provides, in effect, that environmental information (as defined by regulation 2(1) of the EIRs) is exempt from disclosure under FOISA, thereby allowing any such information to be considered solely in terms of the EIRs.  The Commissioner accepts that the Authority was entitled to apply the exemption to the information withheld in this case, given his conclusion that it is properly classified as environmental information.

13. The exemption in section 39(2) is subject to the public interest test in section 2(1)(b) of FOISA.  As there is a statutory right of access to environmental information available to the Applicant in this case, the Commissioner accepts, in all the circumstances, that the public interest in maintaining this exemption (and responding to the request under the EIRs) outweighs any public interest in disclosing the information under FOISA.  Both regimes are intended to promote public access to information and there would appear to be no reason why (in this particular case) disclosure of the information should be more likely under FOISA than under the EIRs.

14. The Commissioner therefore concludes that the Authority was correct to apply section 39(2) of FOISA, and consider the Applicant’s information request wholly under the EIRs.  In what follows, the Commissioner will consider this case solely in terms of the EIRs.

Regulation 5(1) of the EIRs – Duty to make environmental information available

15. In terms of regulation 5(1) of the EIRs, a Scottish public authority that holds environmental information is required to make it available when requested to do so.  This obligation is subject to various other provisions in terms of regulation 5(2)(b), including the exceptions in regulation 10.  A Scottish public authority is required to interpret these exceptions restrictively (regulation 10(2)(a)) and apply a presumption in favour of disclosure (regulation 10(2)(b)).

16. On receipt of a request for environmental information, therefore, the authority must ascertain what information it holds falling within scope of the request.  Having done so, regulation 5(1) requires the authority to provide that information to the requester, unless a qualification in regulations 6 to 12 applies (regulation 5(2)(b)).

Information disclosure during the investigation

17. When the Authority provided the Applicant with information in response to his request, it redacted email addresses under regulation 11(2) of the EIRs.  However, the redactions did not just obscure the names of the individuals involved in the correspondence; they also obscured the email domain names, such as “[council].gov.uk” or “gmail.com.”

18. The Authority was challenged on these redactions and it was asked for its reasons for concluding that an email domain name, by itself, was personal data.

19. In response, the Authority withdrew its reliance on regulation 11(2) to withhold this part of the email addresses, and it provided the Applicant with a new set of documents which still redacted the name parts of the email addresses under regulation 11(2) of the EIRs, but which disclosed the email domains.

20. In the circumstances, the Commissioner must find that the domain name parts of the email addresses were wrongly withheld under regulation 11(2) of the EIRs, and that the Authority breached the provisions of regulation 5(1) of the EIRs, by not disclosing this information when requested to do so.

21. Since the email domain names have now been disclosed, the Commissioner will not consider them any further in this Decision Notice.

Did the Authority identify all of the relevant information?

22. In his application, the Applicant questioned the completeness of the information disclosed by the Authority.  He argued that, for example, there should be internal communications prior to the issuing of a formal letter, or following telephone calls that he made to the Authority, but these were not provided.  The Applicant noted that, when he requested escalation of his complaint, he was advised that certain individuals would be notified and would call him with updates.  He argued that this information was missing and the information he was provided with was incomplete. 

23. In order to ascertain whether all relevant information had been identified, the Authority was asked to explain the steps it took to establish what information it held that fell within the terms of the Applicant's request.

24. The Authority explained that the Service which would have held the information only maintained electronic records, and it submitted that these records were searched and the information was provided to the Applicant in its original response, with one further letter disclosed after a review.  The Authority provided the Commissioner with evidence of the searches that had been undertaken.  The Authority explained that the searches were carried out by the Engineering Officer as he had knowledge and experience of the electronic systems which held the information.  The Authority confirmed that email accounts and data systems were searched for relevant information pertaining to the named street.

25. The Authority submitted that it had already carried out two searches for relevant information.  At the Commissioner’s request, it carried out a third search but no new information was identified.

26. The Authority was asked about the content of a draft letter, which the Applicant obtained in response to a separate FOI request, that referred to correspondence from several utility companies.  The Authority was advised that the Applicant had only been provided with correspondence from one utility company, whereas this draft letter indicated that other correspondence existed and was held.  The Authority was advised that, if this information did exist and was held, it would likely fall within the scope of the Applicant’s information request. 

27. In response, the Authority submitted that there appeared to be a misunderstanding of the wording of the draft letter.   It explained that while the third party (referenced in the letter) had been in contact with several utility companies, the third party had only provided the Authority with correspondence from one utility company, and that correspondence had been provided to the Applicant.  The Authority submitted that it had carried out a further search of its records, and no other relevant information was identified.

28. The Commissioner accepts that the draft letter was not finalised; he notes that it contained typographical errors, and it is possible that the wording used in the letter might have been changed if the letter were finalised and posted.  However, he maintains that the draft letter, as written, is misleading and he rejects the Authority’s arguments that he has misunderstood the letter.  The draft letter notes that the third party had been in “direct contact with several utility companies” and it goes on to state, “After having this correspondence sent to ourselves…”  The Commissioner considers that the wording used in this letter suggests that the Authority obtained copies of all of this correspondence obtained by the third party, not just one example.  However, given the searches undertaken by the Authority, and the submissions it has made, he is satisfied that the Authority only holds correspondence from one utility company.

29. The standard of proof to determine whether a public authority holds information is the civil standard of the balance of probabilities.  In determining where the balance of probabilities lies, the Commissioner considers the scope, quality and thoroughness and results of searches carried out by the public authority.  He also considers, where appropriate, any reason offered by the public authority to explain why it does not hold the information.

30. In its submissions, the Authority stated, in response to questions from the Commissioner as to why certain information was or was not held (or was no longer held), that it was concerned that the questions went beyond whether it had complied with its responsibilities under the EIRs.  It noted that its responsibility under the EIRs is to undertake reasonable searches for information to identify the information covered by the request.  The Commissioner agrees that this is the correct approach to take.  However, he is under a duty, in cases such as this one, to take reasonable steps to ensure an authority has in fact carried out reasonable searches.  As part of this, it may be necessary for him to ask an authority about what information would (or would not) be expected to be held in order that he can come to a view as to what recorded information is (or was, at the time the request was received) actually held by the authority.

31. The Commissioner notes the Applicant’s concerns about missing internal communications but, having considered the searches undertaken by the Authority, he accepts, on the balance of probabilities, that the Authority does not hold any further information falling within the scope of the Applicant’s information request.

Regulation 11(2) – Personal data

32. The Authority relied on the exception in regulation 11(2) (as read with regulation 11(3A)(a)) for withholding some information from what it made available following the Applicant's application to the Commissioner.  Here, the Commissioner will consider the information which remained withheld under this provision at the close of the investigation.

33. Regulation 10(3) of the EIRs provides that a Scottish public authority can only make personal data in environmental information available in accordance with regulation 11.  Regulation 11(2) provides that personal data shall not be made available where the applicant is not the data subject and other specified conditions apply.  These include where disclosure would contravene any of the data protection principles in the UK GDPR or the DPA 2018 (regulation 11(3A)(a)).

34. The Authority submitted that the redacted information constituted personal data, disclosure of which in response to this request would breach the first and second data protection principles in Article 5(1) of the UK GDPR ("lawfulness, fairness and transparency" and "purpose limitation").

Is the withheld information personal data?

35. The first question the Commissioner must address is whether the information is personal data in terms of section 3(2) of the DPA 2018.

36. "Personal data" is defined in section 3(2) of the DPA 2018 as "any information relating to an identified or identifiable individual".  Section 3(3) of the DPA 2018 defines "identifiable living individual" as a living individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

37. Information will "relate to" a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them, or has them as its main focus.

38. An individual is "identified" or "identifiable" if it is possible to distinguish them from other individuals.

39. In its submissions, the Authority explained that the information it had redacted under regulation 11(2) of the EIRs contained the identities and contact details of its own employees, as well as employees of a utility company and members of the public who were interacting with the Authority.

40. Having considered the Authority's submissions and the withheld information, the Commissioner accepts that living individuals can be identified from the data and that, in the circumstances, the data relate to them.  The Commissioner is therefore satisfied that the redacted information is personal data as defined in section 3(2) of the DPA 2018.

Would disclosure contravene one of the data protection principles?

41. Article 5(1)(a) of the UK GDPR requires personal data to be processed "lawfully, fairly and in a transparent manner in relation to the data subject."

42. The definition of "processing" is wide and includes (section 3(4)(d) of the DPA 2018) "disclosure by transmission, dissemination or otherwise making available".  For the purposes of the EIRs, personal data are processed when made available in response to a request.  This means that the personal data can only be made available if doing so would be both lawful (i.e. it would meet one of the conditions for lawful processing in Article 6(1) of the UK GDPR) and fair.

43. In considering this, the Commissioner has looked at condition 6(1)(f) as the only one which might potentially apply in the circumstances.

Condition (f): legitimate interests

44. Condition (f) states that the processing will be lawful if it is necessary for the purposes of legitimate interests pursued by the data controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data (in particular where the data subject is a child).

45. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in performance of their tasks, regulation 11(7) of the EIRs (see Appendix 1) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under the EIRs.

46. The tests which must be met before Article 6(1)(f) can apply are as follows:

(i) Does the Applicant have a legitimate interest in obtaining the personal data?

(ii) If so, would making the personal data available be necessary to achieve that legitimate interest?

(iii) Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subjects?

Does the Applicant have a legitimate interest in obtaining the personal data?

47. There is no definition within the DPA 2018 of what constitutes a "legitimate interest", but the Commissioner takes the view that the term indicates that matters in which an individual properly has an interest should be distinguished from matters about which he or she is simply inquisitive.  The Commissioner's published guidance on personal information states:

"In some cases, the legitimate interest might be personal to the applicant, e.g. he or she might want the information in order to bring legal proceedings.  With most requests, however, there are likely to be wider legitimate interests, such as the scrutiny of the actions of public bodies or public safety."

48. In his submissions to the Commissioner, the Applicant explained that he wanted to see the full flow of information prior to the initial letter being issued by the Authority, including who reviewed and approved the initial assessment and the action taken.  

49. The Authority noted that the Applicant had not disclosed any personal interest in obtaining this third-party information.  However, it submitted that the background to the correspondence appeared to relate to matters concerning the exercise of the Authority’s regulatory function in relation to ensuring that roads are not obstructed in terms of section 59 of the Roads (Scotland) Act 1984.  The Authority submitted that there was a public interest in ensuring that it was accountable for its decisions and actions/inactions in relation to its regulatory functions.  Given this, the Authority concluded that this element of article 6(1)(f) of the UK GDPR could be met.

50. Having considered the submissions from both the Authority and the Applicant, the Commissioner accepts that the Applicant was pursuing a legitimate interest in seeking to understand actions taken by the Authority.  As such, the Applicant would have a legitimate interest in the information requested.

If yes, is the disclosure of the personal data necessary to achieve that legitimate interest?

51. Having accepted that the Applicant has a legitimate interest, the Commissioner must consider whether disclosure of the personal data is necessary to meet that legitimate interest.

52. "Necessary" means "reasonably" rather than "absolutely" or "strictly" necessary.  When considering whether disclosure would be necessary, public authorities should consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the requester's legitimate interests can be met by means which interfere less with the privacy of the data subject.

53. Having considered this question, the Authority submitted that disclosure of the withheld information was reasonably connected to the Applicant’s legitimate interest and that it would also advance that legitimate interest.  The Authority also accepted that disclosure of the information was the least intrusive way for the Applicant to obtain the information, and that it was proportionate.

54. Having reviewed the information previously disclosed along with that currently being withheld, the Commissioner is not satisfied that the Applicant’s legitimate interests (as acknowledged above) can be met adequately without disclosure of the withheld personal data.   As a result, he considers disclosure of those data to be necessary to meet those legitimate interests.

Fundamental rights and freedoms of the data subjects?

55. Having found that disclosure would be necessary, the Commissioner must now balance the legitimate interests in disclosure against the data subjects’ interests or fundamental rights and freedoms.  In doing so, it is necessary to consider the impact of disclosure.  For example, if a data subject would not reasonably expect that the information would be disclosed to the public under the EIRs in response to a request, or if such disclosure would cause unjustified harm, their interests or rights are likely to override the legitimate interests in disclosure.  Only if the legitimate interests of the Applicant outweigh those of the data subject(s) can the information be disclosed without breaching the first data protection principle.

56. The Commissioner's guidance on regulation 11(2) of the EIRs lists the factors that should be taken into account in balancing the interests of parties. He notes that Recital (47) of the General Data Protection Regulation states that much will depend on the reasonable expectations of the data subjects. These are some of the factors public authorities should consider:

(i) Does the information relate to an individual's public life (their work as a public official or employee) or to their private life (their home, family, social life or finances)?

(ii) Would the disclosure cause harm or distress?

(iii) Whether the individual has objected to the disclosure.

57. The Authority has commented that disclosure under the EIRs is the equivalent of putting the disclosed information on its website.  The Authority argued that it had no reason to believe the individuals concerned (employees and third party individuals) would expect that disclosure would occur.  The Authority argued that the employees of the public bodies concerned were not of a sufficient level of responsibility, within the structures of those organisations, to justify their personal data being made available to the public.  

58. The Authority further argued that members of the public would expect it to keep their details confidential and not disclose them to anyone, unless required to process their interactions within the Authority.  The Authority argued that the legitimate interests of the data subjects outweighed the legitimate interests of the Applicant and the wider public.

59. The Commissioner has considered the Applicant’s need for transparency and his interest in knowing who sent and received the correspondence he has requested, and which relates to a complaint that he made.  However, he must also consider the expectations of the data subjects, and he does not consider that any of the employees (who do not hold senior positions within either public body) or the members of the public would have expected their personal data to be disclosed in response to a request for information. 

60. Additionally, he considers it likely that the members of the public may be distressed if their personal contact details were to be placed into the public domain as a result of disclosure in this case.

61. Having carefully balanced the legitimate interests of the individuals concerned against those of the Applicant (and the wider public), the Commissioner finds that the legitimate interests served by disclosure of the withheld personal data are outweighed by the unwarranted prejudice that would result to the rights and freedoms or legitimate interests of the data subject.  Condition (f) in Article 6(1) of the GDPR cannot, therefore, be met in relation to the withheld personal data.

62. In the absence of a condition in Article 6 of the GDPR allowing the personal data to be disclosed, the Commissioner has concluded that disclosing the information would be unlawful.  Given the requirement for the processing to be both fair and lawful for the data protection principle in Article 5(1)(a) to be met, the Commissioner must find that the personal data are exempt from disclosure under regulation 11(2) of the EIRs.

63. In the circumstances, he is not required to, and will not, go on to consider whether disclosure would also breach the second data protection principle in Article 5(1) of the UK GDPR ("purpose limitation").  He notes, however, that guidance from the (UK) Information Commissioner, who regulates the DPA 2018 and UK GDPR throughout the whole of the UK, states that it is only the first principle ("lawfulness, fairness and transparency") that is likely to be relevant when considering disclosure under FOI.

Decision 

The Commissioner finds that the Authority partially complied with the Environmental Information (Scotland) Regulations 2004 (the EIRs) in responding to the information request made by the Applicant.  

The Commissioner finds that, by providing all of the information it held that fell within the scope of the request, and by withholding the personal data of third parties under regulation 11(2) of the EIRs, the Authority complied with the EIRs.

However, by incorrectly withholding the email domain names under regulation 11(2) of the EIRs, the Authority failed to comply with regulation 5(1) of the EIRs.  

Given that the Authority has since disclosed the email domain names to the Applicant, the Commissioner does not require the Authority to take any action in respect of this failure, in response to the Applicant’s application.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only.  Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement 

6 July 2023

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(2) The person who makes such a request is in this Part and in Parts 2 and 7 referred to as the “applicant.”

…

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions 

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that – 

(b) in all the circumstances of the case, the public interest in disclosing the information is not outweighed by that in maintaining the exemption.

39 Health, safety and the environment

(2) Information is exempt information if a Scottish public authority-

(a) is obliged by regulations under section 62 to make it available to the public in accordance with the regulations; or

(b) would be so obliged but for any exemption contained in the regulations.

47 Application for decision by Commissioner

(1) A person who is dissatisfied with -

(a) a notice under section 21(5) or (9); or

(b) the failure of a Scottish public authority to which a requirement for review was made to give such a notice,

may make application to the Commissioner for a decision whether, in any respect specified in that application, the request for information to which the requirement relates has been dealt with in accordance with Part 1 of this Act.

(2) An application under subsection (1) must - 

(a) be in writing or in another form which, by reason of its having some permanency, is capable of being used for subsequent reference (as, for example, a recording made on audio or video tape);

(b) state the name of the applicant and an address for correspondence; and

(c) specify – 

(i) the request for information to which the requirement for review relates;

(ii) the matter which was specified under sub-paragraph (ii) of section 20(3)(c); and

(iii) the matter which gives rise to the dissatisfaction mentioned in subsection (1).

The Environmental Information (Scotland) Regulations 2004

2 Interpretation 

(1) In these Regulations – 

“the data protection principles” means the principles set out in – 

(a) Article 5(1) of the UK GDPR, and 

(b) section 34(1) of the Data Protection Act 2018;

“data subject” has the same meaning as in the Data Protection Act 2018 (see section of that Act):

"environmental information" has the same meaning as in Article 2(1) of the Directive, namely any information in written, visual, aural, electronic or any other material form on - 

(a) the state of the elements of the environment, such as air and atmosphere, water, soil, land, landscape and natural sites including wetlands, coastal and marine areas, biological diversity and its components, including genetically modified organisms, and the interaction among these elements;

(b) factors, such as substances, energy, noise, radiation or waste, including radioactive waste, emissions, discharges and other releases into the environment, affecting or likely to affect the elements of the environment referred to in paragraph (a);

(c) measures (including administrative measures), such as policies, legislation, plans, programmes, environmental agreements, and activities affecting or likely to affect the elements and factors referred to in paragraphs (a) and (b) as well as measures or activities designed to protect those elements;

“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act);

 “the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act); and

… 

 (3A) In these Regulations, references to the UK GDPR and the Data Protection Act 2018 have effect as if in Article 2 of the UK GDPR and Chapter 3 of Part 2 of that Act (exemptions for manual unstructured processing and for national security and defence purposes) -

(a) the references to an FOI public authority were references to a Scottish public authority as defined in these Regulations, and

5 Duty to make available environmental information on request

(1) Subject to paragraph (2), a Scottish public authority that holds environmental information shall make it available when requested to do so by any applicant.

(2) The duty under paragraph (1)-

(b) is subject to regulations 6 to 12.

11 Personal data 

(2) To the extent that environmental information requested includes personal data of which the applicant is not the data subject, a Scottish public authority must not make the personal data available if - 

 (a) the first condition set out in paragraph (3A) is satisfied, or

 (b) the second or third condition set out in paragraph (3B) or (4A) is satisfied and, in all the circumstances of the case, the public interest in making the information available is outweighed by that in not doing so.

(3A) The first condition is that the disclosure of the information to a member of the public otherwise than under these Regulations – 

(a) would contravene any of the data protection principles, or 

… 

(7) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

17 Enforcement and appeal provisions 

(1) The provisions of Part 4 of the Act (Enforcement) including schedule 3 (powers of entry and inspection), shall apply for the purposes of these Regulations as they apply for the purposes of the Act but with the modifications specified in paragraph (2).

(2) In the application of any provision of the Act by paragraph (1) any reference to - 

(a) the Act is deemed to be a reference to these Regulations;

(b) the requirements of Part 1 of the Act is deemed to be a reference to the requirements of these Regulations;

(f) a notice under section 21(5) or (9) (review by a Scottish public authority) of the Act is deemed to be a reference to a notice under regulation 16(4); and

UK General Data Protection Regulation

Article 5 Principles relating to processing of personal data 

1 Personal data shall be:

    a. processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”)

    …

Article 6 Lawfulness of processing 

1 Processing shall be lawful only if and to the extent that at least one of the following applies:

    …

    f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

Data Protection Act 2018

3 Terms relating to the processing of personal data 

    …

    (2) “Personal data” means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

    (3) “Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to – 

        (a) an identifier such as a name, an identification number, location data or an online identifier, or

        (b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

    (4) “Processing”, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as – 

        …

        (d) disclosure by transmission, dissemination or otherwise making available,

        …

(5) "Data subject" means the identified or identifiable living individual to whom the data relates.

(10) “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).

(14) In Parts 5 to 7, except where otherwise provided – 

    (a) references to the UK GDPR are to the UK GDPR read with Part 2;

    …

    (c) references to personal data, and the processing of personal data, are to personal data and processing to which Part 2, Part 3 or Part 4 applies;

    (d) references to a controller or processor are to a controller or processor in relation to the processing of personal data to which Part 2, Part 3 or Part 4 applies.