Decision 089/2023: Porosity tests and matters relating to soakaway at named location

Authority: Scottish Environment Protection Agency
Case Ref: 202200162

Summary

The Applicant asked the Authority for information relating to a discussion of porosity test reports/results at a specified location and to amendments to authorisations and building warrants concerning soakaways at the location.  The Authority withheld a single document, on the basis that it comprised third party personal data. The Commissioner concluded that the EIRs did not permit the personal data to be disclosed.  

Relevant statutory provisions

The Environmental Information (Scotland) Regulations 2004 (the EIRs) regulations 2(1) (definitions of “the Act”, “applicant”, “the Commissioner”, “the data protection principles”, “data subject”, “environmental information” (definitions (a), (b), (c) and (f)), “personal data” and “the UK GDPR”) and (3A) (Interpretation); 5(1) and (2)(a) and (b) (Duty to make environmental information available on request); 10(3) (Exceptions from duty to make environmental information available); 11(2)(a), (3A)(a) and (7) (Personal data); 16(4) and (5) (Review by Scottish public authority); 17(1), (2)(a), (b) and (f) (Enforcement and appeal provisions)

United Kingdom General Data Protection Regulation (the UK GDPR) articles 5(1)(a) and (b) (Principles relating to processing of personal data); 6(1)(f) (Lawfulness of processing)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5) and (10) (Terms relating to the processing of data) 

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 2 July 2021, the Applicant made a request for information to the Authority.  She asked for all contact (2006 to 2012) between the Authority and Scottish Borders Council (the Council) and/or the owners/occupiers of a named property (or their representatives) regarding:

(i) a relaxation in the provision of porosity test reports or results and

(ii) an agreement that a particular Authority authorisation could (or had been) amended to suit a specific building warrant issued by the Council.

(This is a summary of the request.  The full terms of the request were considered during the investigation.)

2. The Authority wrote to the Applicant on 30 July 2021, apologising that it could not provide a response within the statutory timescale.  It advised the Applicant that its ability to respond was very limited, partly due to the cyber-attack on 24 December 2020.

3. On 31 July 2021, the Applicant wrote to the Authority.  She acknowledged the effect of the cyber-attack on the Authority but, in order to protect her position under the EIRs, asked the Authority to review its failure to respond to her request.    

4. The Authority notified the Applicant of the outcome of its review on 15 December 2021.  The Authority identified one document that fell within her request. The Authority withheld the document under regulation 11(2) of the EIRs (third party personal data). 

5. On 6 February 2022, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of the Freedom of Information (Scotland) Act 2002 (FOISA). By virtue of regulation 17 of the EIRs, Part 4 of FOISA applies to the enforcement of the EIRs as it applies to the enforcement of FOISA, subject to specified modifications. The Applicant was dissatisfied with the outcome of the Authority’s review because she considered the document could have been disclosed in a redacted form.  

Investigation

6. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation. 

7. On 5 April 2022, the Authority was notified in writing that the Applicant had made a valid application.  The Authority was asked to send the Commissioner the information withheld from the Applicant. The Authority provided the information and the case was later allocated to an investigating officer. 

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Authority was invited to comment on this application and to answer specific questions on why it considered the information was personal data and should be withheld.  

Commissioner’s analysis and findings

9. The Commissioner has considered all the submissions made to him by the Applicant and the Authority.  He is satisfied that no matter of relevance has been overlooked. 

Application of the EIRs 

10. The Commissioner is satisfied that any information falling within the scope of the request is properly considered to be environmental information, as defined in regulation 2(1) of the EIRs (paragraphs (a), (b), (c) and (f) are reproduced in Appendix 1 to this decision).  The Applicant made no comment on the Authority’s application of the EIRs in this case, and the Commissioner will consider the request in what follows solely in terms of the EIRs. 

Regulation 11(2) of the EIRs – Personal data

11. Regulation 10(3) of the EIRs makes it clear that a Scottish public authority can only make personal data in environmental information available in accordance with regulation 11. 

12. Regulation 11(2) provides that personal data shall not be made available where the applicant is not the data subject and another specified condition applies.  These include where the disclosure would contravene any of the data protection principles in the UK GDPR or DPA 2018 (regulation 11(3A)(a)).

13. The Authority submitted that the withheld information constituted personal data, and that disclosure of the data in response to this request would contravene the first and second data protection principles in Article 5(1) of the UK GDPR (“lawfulness, fairness and transparency” and “purpose limitation”). 

The withheld information

14. The withheld information comprises one email sent between employees of the Authority. That email describes the content of a telephone conversation one of the employees had with a third party. 

Is the information personal data? 

15. Personal data are defined in section 3(2) of the DPA 2018 which, read with section 3(3), incorporates the definition of personal data in Article 4(1) of the GDPR:

“…any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

16. The Applicant questioned whether the document could be redacted in order to help her understand the situation with regard to porosity.  The Authority submitted that, in addition to containing the names of people, the information related to a specific situation and it was therefore not possible for it to redact the email to make the data subjects unidentifiable. For this reason, it was not possible – the Authority suggested – for it to disclose the email in part to the Applicant. 

17. The Commissioner is satisfied that the entirety of the document comprises personal data as defined by the DPA 2018: it contains the names of the data subjects and other information by which the data subjects could be identified and clearly relates to the individuals involved. Due to the way in which the email was written, the Commissioner agrees with the Authority that it was not possible to provide any meaningful information from the document without the possibility of identifying the data subjects.

Would disclosure contravene one of the data protection principles?

18. Article 5(1)(a) of the UK GDPR requires personal data to be processed “lawfully, fairly and in a transparent manner in relation to the data subject”.  

19. The definition of “processing” is wide and includes (section 3(4)(d) of the DPA 2018) “disclosure by transmission, dissemination or otherwise making available”.  In the case of the EIRs, personal data are processed when disclosed in response to a request.  This means that personal data can only be made available if making the data available would be lawful (i.e. if it would meet one of the conditions of lawful processing listed in Article 6(1) of the UK GDPR) and fair. 

20. As noted above, Article 5(1) of the UK GDPR states that personal data should be processed lawfully, fairly and in a transparent manner in relation to the data subject(s). The Commissioner must therefore consider if disclosure (the processing of the personal data) would be fair, lawful and transparent. In considering lawfulness, he must consider whether any of the conditions in Article 6 to the UK GDPR would allow the data to be disclosed.

21. The Commissioner considers that, in the circumstances, the only condition in Article 6(1) which could apply is condition (f).  

Condition (f): legitimate interests

22. Condition (f) states that processing will be lawful if it “…is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of the personal data…”

23. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, regulation 11(7) of the EIRs (see Appendix 1) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under the EIRs. 

24. The tests which must be met before Article 6(1)(f) can be met are as follows:

  • Does the Applicant have a legitimate interest in obtaining the personal data?
  • If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?
  • Even if the processing would be necessary to achieve the legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subjects?

Does the Applicant have a legitimate interest in obtaining the personal data? 

25. The Authority explained that the request was one of a number on interrelated topics and accepted that the Applicant is pursuing a legitimate interest. The Commissioner agrees.  

Is disclosure of the information necessary for the purposes of these legitimate interests?

26. Having accepted that the Applicant has a legitimate interest in the personal data, the Commissioner must consider whether disclosure of that personal data is necessary to meet that legitimate interest.

27. The Commissioner has considered this carefully in the light of the decision by the Supreme Court in South Lanarkshire v Scottish Information Commissioner (2013) UKSC 55. In this case, the Supreme Court stated (at paragraph 27):

“…A measure which interferes with a right protected by Community law must be the least restrictive for the achievement of a legitimate aim.  Indeed, in ordinary language we would understand that a measure would not be necessary if the legitimate aim could be achieved by something less.” 

28. As the Supreme Court confirmed, “necessary” means “reasonable” rather than “absolutely” or “strictly” necessary.  When considering whether disclosure would be necessary, public authorities must consider whether disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the requester’s legitimate interests can be met by means which interfere less with the privacy of the data subject(s). 

29. The Authority did not consider that disclosure of the withheld information would achieve the legitimate interests of the Applicant.   

30. The Applicant submitted that people should be able to understand how the current situation had come about and that information relating to decisions made should be in the public domain.

31. Given the subject matter of, and the background to, the request, the Commissioner is satisfied that disclosure is “necessary” in order to satisfy the Applicant’s (and, indeed, the wider public’s) legitimate interests.

32. Consequently, he will go on to consider whether the interest in obtaining the personal data outweighs the rights and fundamental freedoms of the data subjects.

Interests and fundamental freedom of the data subjects

33. The Commissioner must now balance the legitimate interests in disclosure against the data subjects’ interests or fundamental rights and freedoms.  Only if the legitimate interests of the Applicant outweigh those of the data subjects can the information be disclosed. 

34. The Commissioner's guidance on regulation 11 of the EIRs notes some of the factors that should be taken into account in considering the interests of the data subjects and carrying out the balancing exercise. He makes it clear that, in line with Recital (47) of the GDPR, much will depend on the reasonable expectations of the data subjects and that these are some of the factors public authorities should consider:

(i) whether the information relates to the individual's public life (i.e. their work as a public official or employee) or their private life (e.g. their home, family, social life or finances);

(ii) the potential harm or distress that may be caused by the disclosure;

(iii) whether an individual objected to the disclosure.

35. The Authority submitted that the information was provided voluntarily to it during a telephone conversation where there was the expectation of confidence. It emphasised that the information was not imparted to it through the use of its statutory powers.

36. The Authority also provided reasons to the Commissioner on why disclosure of the information into the public domain (which is the effect of a disclosure under the EIRs) would cause distress and harm to the interests of the data subjects.   

37. The Authority also suggested that other routes may be open to the Applicant to access the information in such a way that it was not placed into the public domain, for example, through the courts.

38. The Applicant provided submissions on why she considered the information should be disclosed.  The Commissioner has taken these into account.

39. Having considered the content of the withheld information, and the circumstances in which it was imparted and obtained, the Commissioner accepts that the information provided to the Authority was provided voluntarily to the Authority in circumstances where there was a reasonable expectation of confidence on the part of that third party who provided the information. The Commissioner also regards it as reasonable, given the circumstances in which the email was prepared, that the employees then involved would also have had a reasonable expectation that what they noted – and how they noted it – would not be disclosed into the public domain.  

40. The majority of the information that is withheld can be described as relating to the third party’s private life.  The Commissioner also accepts that disclosure of this personal information into the public domain, which is the effect of disclosure under the EIRs, would cause harm and distress to the data subject/third party. 

41. Having considered the competing interests in this particular case, the Commissioner finds that the Applicant's legitimate interests are outweighed by the prejudice to the interests, rights and freedoms of the data subject that would result from disclosure. He therefore finds that condition (f) cannot be met. 

42. In all the circumstances of this particular case, therefore, and in the absence of a condition in Article 6(1) of the UK GDPR being met, the Commissioner must conclude that disclosure of the personal data would be unlawful and would therefore breach the data protection principle in Article 5(1)(a) of the UK GDPR. (He is not required to go on to consider whether disclosure would also, as claimed by the Authority, breach the “purpose limitation” condition in Article 6(1)(b) of the UK GDPR.) Consequently, he is satisfied that disclosure of the personal data is not permitted by regulation 11(2) of the EIRs.

Decision 

The Commissioner finds that the Authority complied with the Environmental Information (Scotland) Regulations 2004 in responding to the information request made by the Applicant.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement 

21 August 2023

Appendix 1: Relevant statutory provisions

The Environmental Information (Scotland) Regulations 2004

2 Interpretation 

(1) In these Regulations – 

“the Act” means the Freedom of Information (Scotland) Act 2002;

“applicant” means any person who requests that environmental information be made available;

“the Commissioner” means the Scottish Information Commissioner constituted by section 42 of the Act; 

“the data protection principles” means the principles set out in – 

(a) Article 5(1) of the UK GDPR, and 

(b) section 34(1) of the Data Protection Act 2018;

“data subject” has the same meaning as in the Data Protection Act 2018 (see section of that Act):

"environmental information" has the same meaning as in Article 2(1) of the Directive, namely any information in written, visual, aural, electronic or any other material form on - 

(a) the state of the elements of the environment, such as air and atmosphere, water, soil, land, landscape and natural sites including wetlands, coastal and marine areas, biological diversity and its components, including genetically modified organisms, and the interaction among these elements;

(b) factors, such as substances, energy, noise, radiation or waste, including radioactive waste, emissions, discharges and other releases into the environment, affecting or likely to affect the elements of the environment referred to in paragraph (a);

(c) measures (including administrative measures), such as policies, legislation, plans, programmes, environmental agreements, and activities affecting or likely to affect the elements and factors referred to in paragraphs (a) and (b) as well as measures or activities designed to protect those elements;

(f) the state of human health and safety, including the contamination of the food chain, where relevant, conditions of human life, cultural sites and built structures inasmuch as they are or may be affected by the state of the elements of the environment referred to in paragraph (a) or, through those elements, by any of the matters referred to in paragraphs (b) and (c);

“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act);

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act); and

(3A) In these Regulations, references to the UK GDPR and the Data Protection Act 2018 have effect as if in Article 2 of the UK GDPR and Chapter 3 of Part 2 of that Act (exemptions for manual unstructured processing and for national security and defence purposes) -

(a) the references to an FOI public authority were references to a Scottish public authority as defined in these Regulations, and

(b) the references to personal data held by such an authority were to be interpreted in accordance with paragraph (2) of this regulation.

5 Duty to make available environmental information on request

(1) Subject to paragraph (2), a Scottish public authority that holds environmental information shall make it available when requested to do so by any applicant.

(2) The duty under paragraph (1)-

(a) shall be complied with as soon as possible and in any event no later than 20 working days after the date of receipt of the request; and

(b) is subject to regulations 6 to 12.

10 Exceptions from duty to make environmental information available

(3) Where the environmental information requested includes personal data, the authority shall not make those personal data available otherwise than in accordance with regulation 11.

11 Personal data 

(2) To the extent that environmental information requested includes personal data of which the applicant is not the data subject, a Scottish public authority must not make the personal data available if - 

 (a) the first condition set out in paragraph (3A) is satisfied, or

(3A) The first condition is that the disclosure of the information to a member of the public otherwise than under these Regulations – 

(a) would contravene any of the data protection principles, or 

(7) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

16 Review by Scottish public authority

(4) The Scottish public authority shall as soon as possible and no later than 20 working days after the date of receipt of the representations notify the applicant of its decision.

(5) Where the Scottish public authority decides that it has not complied with its duty under these Regulations, it shall immediately take steps to remedy the breach of duty.

17 Enforcement and appeal provisions 

(1) The provisions of Part 4 of the Act (Enforcement) including schedule 3 (powers of entry and inspection), shall apply for the purposes of these Regulations as they apply for the purposes of the Act but with the modifications specified in paragraph (2).

(2) In the application of any provision of the Act by paragraph (1) any reference to - 

(a) the Act is deemed to be a reference to these Regulations;

(b) the requirements of Part 1 of the Act is deemed to be a reference to the requirements of these Regulations;

(f) a notice under section 21(5) or (9) (review by a Scottish public authority) of the Act is deemed to be a reference to a notice under regulation 16(4); and

UK General Data Protection Regulation

Article 5 Principles relating to processing of personal data 

1 Personal data shall be:

a. processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”)

b. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes … (“purpose limitation”)

Article 6 Lawfulness of processing 

1 Processing shall be lawful only if and to the extent that at least one of the following applies:

f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

Data Protection Act 2018

3 Terms relating to the processing of personal data 

    …

    (2) “Personal data” means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

    (3) “Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to –

        (a) an identifier such as a name, an identification number, location data or an online identifier, or

        (b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

    (4) “Processing”, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as – 

        …

        (d) disclosure by transmission, dissemination or otherwise making available,

    (5) "Data subject" means the identified or identifiable living individual to whom personal data relates.

        …

(10) “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).