Decision 096/2022: Refusal to confirm or deny
 

Authority: Chief Constable of the Police Service of Scotland
Case Ref: 202101533

Summary

The Authority refused to confirm or deny whether it held information it had been asked for.  The Commissioner investigated and found that the Authority was entitled to refuse to confirm or deny whether it held the information.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 2(1)(a) and (2)(e) (Effect of exemptions); 18(1) (Further provision as respects responses to request); 38(1)(a), (b), (2A)(a) and (5) (definitions of “data protection principles”, “personal data”, “processing” and “the UK GDPR”) and (5A) (Personal information); 47(1) and (2) (Application for decision by Commissioner)

United Kingdom General Data Protection Regulation (the UK GDPR) Articles 5(1)(a) (Principles relating to processing of personal data); 6(1)(f) (Lawfulness of processing)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), 4(d), (5), (10) and (14)(a), (c) and (d) (Terms relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 20 September 2021, the Applicant submitted two related requests for information to the Authority. 

2. The Authority responded on 30 September 2021.  It refused, under section 18(1) of FOISA, to confirm or deny whether it held the information or whether the information existed.

3. On 20 October 2021, the Applicant wrote to the Authority requesting a review of its decision. 

4. The Authority notified the Applicant of the outcome of its review on 8 December 2021.  It upheld its original decision to refuse to confirm or deny whether it held the information or whether the information existed.

5. On 15 December 2021, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA.  He did not agree that the Authority was entitled to refuse to confirm or deny whether the information he asked for existed or was held.  

Investigation

6. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation. 

7. On 19 January 2022, the Authority was notified in writing that the Applicant had made a valid application.  The case was allocated to an investigating officer. 

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application.  The Authority was invited to comment on this application and to answer specific questions.  The Authority did so.

9. The Applicant provided further submissions on why he considered it was in the public interest for the Authority to confirm or deny if the information was held or not. 

Commissioner’s analysis and findings

10. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority.  

Section 18(1) of FOISA – “neither confirm nor deny”

11. The Authority refused to confirm or deny whether it held any information falling within the scope of the Applicant’s requests.  

12. Section 18(1) of FOISA allows public authorities to refuse to confirm or deny whether they hold information in the following limited circumstances:

  • a request has been made to the authority for information which may or may not be held by it;
  • if the information existed and was held by the authority (and it need not be), it could give a refusal notice under section 16(1) of FOISA, on the basis that the information was exempt information by virtue of any of the exemptions in sections 28 to 35, 38, 39(1) or 41 of FOISA; 
  • the authority considers that to reveal whether the information exists or is held by it would be contrary to the public interest.

13. In any case where section 18(1) is under consideration, the Commissioner must ensure that his decision notice does not confirm one way or the other whether the information requested actually exists or is held by the authority.  This means that he is unable to comment on matters which could have the effect of indicating whether the information existed or was held by the authority.

14. In this case, the Authority submitted that, if it held any information falling within the scope of the Applicant’s requests, it would be exempt from disclosure under sections 38(1)(a) and 38(1)(b) of FOISA. 

Section 38(1)(a) – Personal information of the data subject

15. Section 38(1)(a) of FOISA contains an absolute exemption in relation to personal data of which the Applicant is the data subject. 

16. Personal data is defined in section 3(2) of the DPA 2018 which, read with section 3(3), incorporates the definition of personal data in Article 4(1) of the GDPR (see Appendix 1):  

“… any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

17. The Commissioner has considered the wording of the Applicant’s requests for information. The requests, and their context, mean that much of the information, if held, would comprise the Applicant’s own personal data, as defined by section 1(1) of the DPA.  The Commissioner therefore accepts that much of the information covered by the requests, if it exists and is held by the Authority, would be exempt from disclosure under section 38(1)(a) of FOISA. 

18. Having accepted that the Authority could have given a refusal notice under section 16(1) of FOISA in relation to any information which was the Applicant’s personal data by virtue of section 38(1)(a) of FOISA, the Commissioner is required by section 18(1) to go on to consider whether the Authority was entitled to conclude that it would be contrary to the public interest to reveal whether that information exists or is held.  He will do so after he has considered whether, as claimed by the Authority, the exemption in section 38(1)(b) of FOISA would apply to third party personal data, if it existed and were held.

Section 38(1)(b) – Personal information

19. Section 38(1)(b), read in conjunction with section 38(2A)(a) (or (b)), exempts information from disclosure if it is “personal data”, as defined in section 3(2) of the DPA 2018 and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the GDPR.  

Would the information be personal data?

20. “Personal data” is defined in section 3(2) of the DPA 2018 (see paragraph 16). 

21. The Applicant named specific individuals in one of his requests.  Given the subject matter of both requests, information about those individuals, if held and if it existed, would clearly relate to those individuals.  The Commissioner therefore accepts that, if held, the information would be the personal data of those third parties.

Would disclosure contravene one of the data protection principles?

22. The Authority submitted that disclosing the third-party personal data, if it existed and were held, would breach the first data protection principle (Article 5(1)(a) of the GDPR).  This requires personal data to be processed “lawfully, fairly and in a transparent manner in relation to the data subject”.

23. The definition of “processing” is wide and includes (section 3(4)(d) of the DPA 2018) “disclosure by transmission, dissemination or otherwise making available”.  In the case of FOISA, personal data are processed when disclosed in response to a request.  

24. This means that the third party personal data, if held, could only be disclosed if disclosure would be both lawful (i.e. if it would meet one of the conditions of lawful processing listed in Article 6(1) of the UK GDPR) and fair.

Lawful processing: Article 6(1)(f) of the GDPR

25. As noted above, in considering lawfulness, the Commissioner must consider whether any of the conditions in Article 6(1) of the UK GDPR would allow the personal data (if held) to be disclosed.

26. The Authority considered the only lawful basis in Article 6(1) of the UK GDPR which could allow disclosure of the information, if it existed and were held, would be condition (f).  The Commissioner agrees.  (Although Article 6(1) states that this condition cannot apply to processing carried out by a public authority in performance of its tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.)

27. The tests which would have to be met before Article 6(1)(f) can be applied are as follows:

(i) Would the Applicant have a legitimate interest in obtaining the third-party personal data, if held?

(ii) If so, would the disclosure of the third-party personal data be necessary to achieve that legitimate interest?

(iii) Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the third parties?

Would the Applicant have a legitimate interest in obtaining the personal data, if held?

28. The Authority acknowledged that, if the information existed and were held, the Applicant would be pursuing a legitimate interest in seeking this information. The Commissioner agrees.

Would disclosure be necessary?

29. The next question is whether the disclosure of the third-party personal data (if held) would be necessary to achieve that legitimate interest.  Here, “necessary” means “reasonably” rather than “absolutely” or “strictly” necessary. When considering whether disclosure would be necessary, public authorities need to consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the legitimate interests in the third-party data could reasonably be met by means which interfered less with the privacy of the data subjects.

30. No policy or procedure has been brought to the Commissioner’s attention by the Authority that would, in the absence of disclosure of the third-party data (if held), allow the Applicant’s legitimate interests to be fulfilled.  The Commissioner therefore accepts that disclosure of the third-party data, if held, would be necessary for the Applicant to achieve his legitimate interests.

The data subjects’ interests or fundamental rights and freedoms (and balancing exercise)

31. The Commissioner has concluded that the disclosure of any third-party data (if it existed and was held) would be necessary to achieve the Applicant’s legitimate interests.  However, this must be balanced against the fundamental rights and freedoms of the third parties.  Only if the Applicant’s interests would outweigh those of the third parties could the third-party data be disclosed without breaching the first data protection principle.

32. The Commissioner has considered the submissions from both parties carefully, in the light of the decision by the Supreme Court in South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 555.  

33. The Commissioner’s guidance on section 38 of FOISA notes that, in carrying out the balancing exercise, much will depend on the reasonable expectations of the data subjects.    Factors which will be relevant in determining reasonable expectations include:

(i) whether the information relates to the individual’s public life (i.e. their work as a public official or employee) or their private life (i.e. their home, family, social life or finances)

(ii) the potential harm or distress that may be caused by disclosure

(iii) whether the individual objected to the disclosure.

34. The Authority argued that, if held, the interests or fundamental rights of the data subjects would override the Applicant’s interests in the information.  

35. Due to the nature of the case, the Commissioner cannot detail or expand upon the reasoning provided by the Authority.  However, having considered the facts in this case, the Commissioner finds that any legitimate interests served by disclosure of any information held would be outweighed by the unwarranted prejudice that would result to the rights and freedoms or legitimate interests of the third parties named in the request.  

36. Therefore, the Commissioner concludes that condition (f) in Article 6(1) of the UK GDPR could not be met in relation to the withheld personal data (if it exists and is held).

Fairness and transparency

37. Given that the Commissioner has concluded that the processing of the personal data, if it existed and were held, would be unlawful, he is not required to go on to consider whether disclosure of such personal data would otherwise be fair and transparent in relation to the third parties.

The Commissioner’s view on the data protection principles

38. For the reasons set out above, the Commissioner is satisfied that disclosure of the third-party personal data, if it existed and were held, would breach the data protection principle in Article 5(1)(a) of the UK GDPR.  Consequently, he is satisfied that such personal data would be exempt from disclosure under section 38(1)(b) of FOISA and that the Authority could give a refusal notice under section 16(1) of FOISA, on the basis that the information would be exempt by virtue of section 38(1)(b).

Is it contrary to the public interest to reveal whether the information exists?

39. Having accepted that the Authority could have given a refusal notice under section 16(1) of FOISA on the basis that any relevant information, if held, would be exempt information by virtue of section 38(1)(a) and (b) of FOISA, the Commissioner is required to go on to consider whether the Authority was entitled to conclude that it would be contrary to the public interest to reveal whether the information existed or was held.

40. The Applicant explained why he believed the information he was seeking, if held, should be disclosed.  The Commissioner has taken his views into account.

41. In the Authority’s view, it was clearly contrary to the public interest to reveal whether the information existed or was held, particularly given that any personal data, if held, would be placed into the public domain.

42. The Commissioner is satisfied that the act of confirming or denying whether the information existed or was held would have the effect of revealing personal data which would, of itself, lead to the Authority breaching its duties as a data controller under data protection legislation.  Clearly, this would not be in the public interest.  

43. The Commissioner therefore finds that it would be contrary to the public interest for the Authority to reveal whether it held the requested information, or whether the information existed.

44. The Commissioner is therefore satisfied that the Authority was entitled to refuse to confirm or deny, in accordance with section 18(1) of FOISA, whether it held the information requested by the Applicant, or whether such information existed.

Decision 

The Commissioner finds that the Authority complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information requests made by the Applicant.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only.  Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement 

27 September 2022

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(2) The person who makes such a request is in this Part and in Parts 2 and 7 referred to as the “applicant.”

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions 

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that – 

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption – 

(e) in subsection (1) of section 38 – 

(i) paragraphs (a), (c) and (d); and

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

18 Further provision as respects responses to request

(1) Where, if information existed and was held by a Scottish public authority, the authority could give a refusal notice under section 16(1) on the basis that the information was exempt information by virtue of any of sections 28 to 35, 38, 39(1) or 41 but the authority considers that to reveal whether the information exists or is so held would be contrary to the public interest, it may (whether or not the information does exist and is held by it) give the applicant a refusal notice by virtue of this section.

38 Personal information 

(1) Information is exempt information if it constitutes-

(a) personal data of which the applicant is the data subject;

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A));

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(5) In this section -

"the data protection principles" means the principles set out in – 

(a) Article 5(1) of the UK GDPR, and

(b) section 34(1) of the Data Protection Act 2018; 

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act);

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act).

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

47 Application for decision by Commissioner

(1) A person who is dissatisfied with -

(a) a notice under section 21(5) or (9); or

(b) the failure of a Scottish public authority to which a requirement for review was made to give such a notice.

may make application to the Commissioner for a decision whether, in any respect specified in that application, the request for information to which the requirement relates has been dealt with in accordance with Part 1 of this Act.

(2) An application under subsection (1) must - 

(a) be in writing or in another form which, by reason of its having some permanency, is capable of being used for subsequent reference (as, for example, a recording made on audio or video tape);

(b) state the name of the applicant and an address for correspondence; and

(c) specify – 

    (i)    the request for information to which the requirement for review relates;

    (ii)    the matter which was specified under sub-paragraph (ii) of section 20(3)(c); and

    (iii) the matter which gives rise to the dissatisfaction mentioned in subsection (1).

    …

Article 5    Principles relating to processing of personal data 

1 Personal data shall be:

    a.    processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”)

    …

Article 6    Lawfulness of processing 

1 Processing shall be lawful only if and to the extent that at least one of the following applies:

    …

    f.    processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

Data Protection Act 2018

3 Terms relating to the processing of personal data 

    …

    (2) “Personal data” means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

    (3) “Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to – 

        (a)    an identifier such as a name, an identification number, location data or an online identifier, or

        (b)    one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

    (4) “Processing”, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as – 

        …

        (d)    disclosure by transmission, dissemination or otherwise making available,

        …

(10) “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).

(14) In Parts 5 to 7, except where otherwise provided – 

    (a)    references to the UK GDPR are to the UK GDPR read with Part 2;

    …

(c) references to personal data, and the processing of personal data, are to personal data and processing to which Part 2, Part 3 or Part 4 applies;

(d) references to a controller or processor are to a controller or processor in relation to the processing of personal data to which Part 2, Part 3 or Part 4 applies.