Home Decisions

Decision 100/2023

Decision 100/2023:  Communications between specified staff

Authority:  University of Edinburgh
Case Ref:  202100620

Summary

The Authority was asked for communications between a named individual and specified individuals in the Authority on the topic of the named individual’s communications with a fake Russian

agent and their activities regarding Russia and Syria.  The Authority refused to confirm or deny that it held the information, stating that – if it existed and were held – it would be

exempt from disclosure and that it was not in the public interest to reveal whether the information existed.  The Commissioner found that the Authority was not entitled to refuse to reveal

whether the information existed or was held.  He required the Authority to issue a new response.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii)) (Effect of exemptions); 18(1) (Further provisions as respects

responses to request); 38(1)(b), (2A)(a), (5) (definitions of “the data protection principles”, “data subject”, “personal data” and “processing”, and “the UK GDPR”) and (5A) (Personal

information); 47(1) and (2) (Application for decision by Commissioner)

United Kingdom General Data Protection Regulation (the UK GDPR) Article 5(1)(a) (Principles relating to processing of personal data) and 6(1)(f) (Lawfulness of processing)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5), (10) and (14)(a), (c) and (d) (Terms relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision.  The Appendix forms part of this decision.

Background

1.On 6 April 2021, the Applicant made a request for information to the Authority.  The information requested was:

Since and including March 26 2021, communications between [a named individual] and any of the following individuals –

[a number of specified individuals at the Authority were then listed by post];

on the topic of the fake Russian agent [they] communicated with and [their] activities regarding Russia and Syria.

I believe that the information requested is in the public interest for the following reasons:

(i)to uphold public confidence that … at distinguished universities conduct themselves with appropriate dignity and integrity;

(ii)to understand how the University defines freedom of expression and where its limits end;

(iii)to ensure that money is correctly spent on ensuring staff behave in an appropriate manner.

2.The Authority responded on 5 May 2021 in terms of section 18(1) of FOISA, in conjunction with section 38(1)(b) (Personal information).  It refused

to confirm or deny whether the information (which it described as concerning activities outwith the named individual’s University role) was held, as doing

so would reveal whether such communications existed, and would publicly disclose personal information about that individual and others.

3.On 5 May 2021, the Applicant wrote to the Authority requesting a review of its decision, refuting that it had asked for information about activities

outwith the named individual’s University role.  The Applicant believed the named individual was using their academic status to give credibility to their

interventions on issues concerning Syria, Russia and other contentious matters, and argued that their academic role was referred to in their correspondence

with the apparent spy.

4.The Applicant referred to earlier correspondence from the Authority, dated 25 March 2021, regarding the named individual’s conduct in relation to

this matter, in which an Authority spokesperson commented “Freedom of expression within the law is central to the concept of a university”.   In the

Applicant’s view, while it might be expedient for the Authority to now regard the individual’s activities as outwith their University role, it was not

tenable for the Authority to shift its position to a contradictory view some six weeks later.

5.The Applicant further believed that the Authority had erred in applying the balance of public interest.  In the Applicant’s view, disclosure of the

information was in the public interest to uphold public confidence that senior staff at distinguished universities conduct themselves with appropriate

dignity and integrity, to understand how the Authority defines freedom of expression and where its limits end, and to ensure that money is correctly spent

on ensuring staff behave in an appropriate manner.

6.The Authority notified the Applicant of the outcome of its review on 14 May 2021, fully upholding its original decision.

7.On 17 May 2021, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA.  The Applicant stated that it

was dissatisfied with the outcome of the Authority’s review because it believed that it was in the public interest for the information (if held) to be

disclosed and that section 38(1)(b) did not apply.  The Applicant disagreed with the Authority’s representations that the individual’s actions were

“private”: references to the individual’s University role in articles they had written showed that this kind of work formed part of their University role.

Investigation

8.The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.

9.On 19 May 2021, the Authority was notified in writing that the Applicant had made a valid application and the case was subsequently allocated to an

investigating officer.

10.Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application.  The Authority

was invited to comment on this application and to answer specific questions.  These focused on the Authority’s justification for neither confirming nor

denying whether it held the information requested.

Commissioner’s analysis and findings

11.The Commissioner has considered all of the submissions made to him by the Applicant and the Authority.

Section 18 – “neither confirm nor deny

12.Section 18 of FOISA allows Scottish public authorities to refuse to reveal whether they hold information (or whether it exists) in the following

limited circumstances:

(i) a request has been made to the authority for information which may or may not be held by it;

(ii) if the information were held by the authority (and it need not be), the authority could give a refusal notice under section 16(1) of FOISA, on the

basis that the information was exempt information by virtue of any of the exemptions in sections 28 to 35, 38, 39(1) or 41 of FOISA; and

(iii) the authority considers that to reveal whether the information exists or is held would be contrary to the public interest.

13.In this case, in both its initial and review responses, the Authority stated that, if it did hold any information falling within the scope of the

request, it could be withheld under the exemption in section 38(1)(b) (Personal information) of FOISA.

14.The Commissioner must ensure that this decision does not confirm one way or the other whether the information requested actually exists or is held

by the authority.  This means that he is unable to comment in any detail on the authority's reliance on section 38(1)(b), or on other matters which could

have the effect of indicating whether or not the information sought by the Applicant exists or is held.

Section 38(1)(b) – Personal information

15.Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a), exempts information from disclosure if it is "personal data" (as defined in

section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR or

(where relevant) in the DPA 2018.

16.The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption.  This means that it

is not subject to the public interest test contained in section 2(1)(b) of FOISA.

Would the information, if held, be personal data?

17.The Applicant sought information in correspondence between specified individuals on a particular topic.  The Commissioner must firstly address

whether the information requested, if it existed and were held, would be personal data for the purposes of section 3(2) of the DPA 2018.

18."Personal data" is defined in section 3(2) as any information relating to an identified or identifiable living individual.  "Identifiable living

individual" is defined in section 3(3) of the DPA 2018 - see Appendix 1.  (This definition reflects the definition of personal data in Article 4(1) of the

UK GDPR.)  Information which could identify individuals will only be personal data if it relates to those individuals.  Information will "relate to" a

person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them or has them as its main

focus.

19.The Authority acknowledged that, if it were held and if it existed, any information captured by this request would relate primarily to the named

individual, and also to the other Authority staff holding the roles referred to in the request.  Its nature would be such that it would contain the personal

data of those individuals.

20.The Commissioner is satisfied that, if it were held and if it existed, any information captured by this request would "relate to" the individuals

specified in the request.  He is satisfied, in light of the submissions from the Authority, that any such information would relate to identified or

identifiable individuals.  The Commissioner therefore accepts that the information, if it were held and if it existed, would be personal data for the

purposes of section 3(2) of the DPA 2018.

21.The Commissioner will now go on to consider whether disclosure would contravene one of the data protection principles in Article 5 of the UK GDPR.

Would disclosure contravene one or more of the data protection principles?

22.The Authority argued that disclosing the personal data, if they existed and were held, would breach the first data protection principle.  This

requires personal data to be processed lawfully, fairly and in a transparent manner in relation to the data subjects (Article 5(1)(a) of the UK GDPR).

23.The definition of "processing" is wide and includes (section 3(4)(d) of the DPA 2018) "disclosure by transmission, dissemination or otherwise making

available".  In the case of FOISA, personal data are processed when disclosed in response to an information request. This means that the personal data could

only be disclosed if disclosure would be both lawful and fair.

24.The Commissioner must now consider whether disclosure of the personal data, if they existed and were held, would be lawful and fair (Article 5(1)

(a)). In considering lawfulness, he must consider whether any of the conditions in Article 6 of the UK GDPR would allow the data to be disclosed.  The

Commissioner considers condition (f) in Article 6(1) to be the only one which could potentially apply in the circumstances of this case.

25.The Authority explained that it considered the request to be one seeking correspondence regarding a member of staff’s employment (specifically

whether personal conduct was the subject of discussion by their employer and the nature of those discussions).  It submitted that, if the information

existed and were held, it would be an employment issue, in the sense that it would manifest itself in the form of Human Resources (HR) processes and

procedures, and whether or not the Authority had applied (or had considered applying) any sanctions under those procedures.  The Authority’s position was

that this would be a private and confidential matter in which there was no public interest in release to the general public.

26.The Authority did not consider the information requested to be related to the named individual’s employment at the Authority, such that it would

lead to the information being subject to disclosure under FOISA.  It argued that the subject matter of the correspondence, as set out in the request, was

not related to the named individual’s area of study or teaching, nor to any other research or academic work undertaken in their role at the Authority.  It

further submitted that they were not directed to carry out any such activities on behalf of the Authority and any which may have taken place would have been

undertaken without the Authority’s knowledge, and in a private and personal capacity.

27.The Authority submitted that its Disciplinary Policy allowed for conduct, carried out by staff in a private capacity, to be considered under that

policy if it damaged the reputation of the Authority.  It considered that confirming whether or not any such personal conduct had engaged the Disciplinary

Policy process, or was in another way relevant to an individual’s employment, would be the personal data of the employee in question.  In its view,

individuals should expect that issues regarding any overlap between their private conduct and their employment would not be made public.

28.The Authority did not, therefore, consider it would be fair to disclose information (if it existed and were held) that would reveal whether an

employee’s private actions were being discussed with their employer.

Condition (f): legitimate interests

29.The Authority stated that Article 6(1)(f) would provide the only lawful basis permitting disclosure.

30.Condition (f) states that the processing will be lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or

by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subjects which require the

protection of personal data (in particular where the data subject is a child).

31.Although Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks,

section 38(5A) of FOISA (see Appendix 1) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.

32.The tests which must be met before Article 6(1)(f) can be satisfied are as follows:

(i) Does the Applicant have a legitimate interest in obtaining the personal data?

(ii) If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?

(iii) Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by

the interests or fundamental rights and freedoms of the data subjects?

Does the Applicant have a legitimate interest in obtaining the personal data?

33.In its application and submissions to the Commissioner, the Applicant explained that its legitimate

purpose in accessing the information was journalism.  It argued that there was a strong public interest in

disclosure of the information, if held, and that this was not confined to the three examples set out in its

request, i.e. upholding public confidence in the conduct of senior university staff, understanding how the

Authority defines freedom

of expression and where its limits end, and transparency on expenditure surrounding staff behaviour.

34.The Applicant believed the Authority had wrongly interpreted the request as concerning the “private

actions” of the named individual “as a private

citizen”.  In support of this view, the Applicant submitted that the named individual was in a privileged and

influential position of trust as a senior

member of staff at one of the world’s most distinguished universities.  It argued that the named individual was

using their academic position to add

credibility to their opinions on the subject matter set out in the request, for example, by using their title as a

signatory in correspondence.  In doing

so, the Applicant believed that their conduct had brought the Authority into disrepute.

35.In the Applicant’s view, the Authority’s claim that the named individual was acting in a private capacity

was untenable: they were a public figure

seeking to influence public policy on a specific, sensitive subject matter, using academic credentials provided to

them by the Authority.  Even if some of

this activity had taken place outwith Authority premises and outwith working hours, the Applicant believed the

character and conduct of employees in senior

positions was a matter of concern to employers.

36.The Applicant explained that the other individuals specified in the request were chosen as they appeared

to be the named individual’s managers and in their chain of command.  The request did not refer to extraneous

matters about relations with other colleagues or other matters and therefore was proportionate.

37.In the Applicant’s view, the named individual’s conduct had attracted considerable concern and media

attention, which was damaging to the reputation of the Authority.  However, the Applicant argued, the response

given by the Authority (to its information request) demonstrated that it had failed to address this behaviour and

appeared to defend the named individual on the grounds of freedom of expression.

38.Consequently, the Applicant believed it was in the public interest to know whether the Authority tolerated

this behaviour (and encouraged it on the grounds of academic freedom of expression) or whether it took steps to

prevent such conduct.

39.The Authority acknowledged that the Applicant had a legitimate interest in the information, as set out in

its original request.  However, given the request sought information about conduct which, it said, was not

undertaken in the named individual’s academic role and was not related to their academic field, the Authority did

not consider the question of academic freedom, or whether it encouraged such conduct on the grounds of academic

freedom, to be relevant.

40.The Commissioner accepts that disclosure of the information requested, if it existed and were held, would

facilitate transparency and accountability to the Applicant (and the wider public) regarding the matters specified

in the request, where such matters might impact the reputation of an educational establishment.  There is clearly

a legitimate interest in the public having confidence in the Authority’s staff members, knowing the Authority’s

approach to freedom of expression on sensitive topics such as those set out in the request, and how it enforces

its policies regarding staff behaviour.  Consequently the Commissioner is satisfied that the Applicant (and,

indeed, the wider public) has a legitimate interest in the disclosure of these personal data, assuming they

existed and were held.

Would disclosure of the personal data be necessary?

41.Having accepted that the Applicant has a legitimate interest in the personal data, if they existed and

were held, the Commissioner must consider whether disclosure of these personal data would be necessary to meet the Applicant's legitimate interests.

42."Necessary" means "reasonably" rather than "absolutely" or "strictly" necessary.  When considering whether

disclosure would be necessary, public authorities should consider whether the disclosure is proportionate as a

means and fairly balanced as to the aims to be achieved, or whether the requester's legitimate interests can be

met by means which interfere less with the privacy of the data subjects.

43.In its submissions to the Commissioner, the Authority submitted that disclosure of the information, if it

existed and were held, would not be necessary to satisfy the legitimate interests identified in this case.  It

argued that there were other means of meeting the Applicant’s legitimate interests (i.e. those relating to how it

defines freedom of expression and how it spends money) without disclosing the requested information (if it existed

and were held) into the public domain.

44.The Applicant disagreed that some of the aims identified in its request (such as understanding the

Authority’s position on freedom of speech) could be achieved without the release of the information.  It argued

that one of the purposes of Freedom of Information was to inform the public on how public authorities actually

behave, as opposed to their public positions.  It also made comments on the proportionality of the request – see

paragraph 36 above.

45.Having considered the Authority's arguments carefully, the Commissioner takes the view that disclosure of

the personal data, if it existed and were held, would be necessary to achieve the Applicant's legitimate

interests.  While he accepts that there are clearly other means of satisfying part of the Applicant’s legitimate

interests (for example, the Authority’s audited accounts will set out how it spends money), he considers that the

only way to fully satisfy the Applicant’s legitimate interests in transparency and accountability surrounding the

involvement of senior Authority employees in such a sensitive subject would be, in this context, through accessing

the information requested, if it existed and were held.  He also notes the Applicant’s attempts to limit the

request to particular individuals only, in the interests of proportionality.

46.In addition, in the Commissioner’s view, even redacting the names or roles of individuals in any

information that might be held, would still provide opportunity to allow individuals to be identified.

47.In all the circumstances, the Commissioner can identify no viable means of fully meeting the Applicant's

legitimate interests which would interfere less with the privacy of the data subjects other than providing the

information requested, if it existed and were held.  In all the circumstances, therefore, the Commissioner is

satisfied that disclosure of the information, if it existed and were held, would be necessary for the purposes of

the Applicant's legitimate interests.

48.The Commissioner will now consider whether the Applicant's legitimate interests in obtaining the

information requested, if it existed and were held, would outweigh the rights and freedoms of the data subjects.

The data subjects’ interests or fundamental rights and freedoms

49.The Commissioner must balance the legitimate interests in disclosure of the information, if it existed and

were held, against the data subjects' interests or fundamental rights and freedoms.  In doing so, it is necessary

for him to consider the impact of such a disclosure.  For example, if the data subjects would not reasonably

expect that the information, if it existed and were held, would be disclosed to the public under FOISA in response

to the request, or if such disclosure would cause unjustified harm, their interests or rights are likely to

override any legitimate interests in disclosure.  Only if the legitimate interests of the Applicant outweighed

those of the data subjects could the information, if it existed and were held, be disclosed without breaching the

first data protection principle.

50.The Commissioner’s guidance on section 38  of FOISA notes factors that should be taken into account in

balancing the interests of parties.  He notes that much will depend on the reasonable expectations of the data

subjects. These are some of the factors public authorities should consider:


(i)Does the information relate to an individual's public life (their work as a public official or employee)

or to their private life (their home, family, social life or finances)?

(ii)Would the disclosure cause harm or distress?

(iii)Whether the individual has objected to the disclosure.

51.The Authority submitted that the information (if it existed and were held) would relate to the named

individual’s employment and associated HR processes, and would therefore be private and confidential.  It

considered disclosure of any such information would violate the individual’s fundamental rights to privacy in the

context of their employment with the Authority and the related exercise of confidential HR processes.

52.In the Authority’s view, the disclosure of such correspondence, if it existed and were held, would

prejudice the rights and freedoms or legitimate interests of the individuals in question, as it would disclose

whether an employee’s actions, as a private citizen, were being discussed with their employer.  This, the

Authority argued, could cause distress to the data subjects.

53.The Authority further submitted that none of the individuals referenced in the request had consented to

having their personal data disclosed to the general public.

54.The Commissioner acknowledges that the information, if it existed and were held, would relate to either or

both the public and/or private lives of individuals.  He recognises that this would, to a certain extent, depend

on whether or not the data subjects had engaged in the activities identified in the request as part of their

employment at the Authority, and whether or not the allegations related to events which took place in a

professional setting.  However, he also considers that, even if such activities had occurred in a private

capacity, given the prominent roles of these individuals within the Authority, this would, by association, also

relate to their public lives.

55.In the circumstances, the Commissioner concludes that the information, if it existed and were held, would

relate to both the private and public lives of the data subjects.

56.The Commissioner has also considered the harm or distress that might be caused by disclosure of the

information, if it existed and were held.  Disclosure, under FOISA, is a public disclosure.  He has taken into

account that, in this case, disclosure of the information, if it existed and were held, would publicly link the

data subjects to the topic specified in the request, as a party in such communications.  At the most general

level, disclosing that an identifiable individual has participated in communications on this topic, some of which

may be extremely sensitive in nature, may, depending on the situation, cause that person distress.  It might also

cause some reputational damage to the public perception of those involved, including the Authority itself, or in

some other way, unless there were mitigating circumstances (which might be private) that were also made known.

57.The Commissioner has given weight to the Applicant’s legitimate interests, as set out above.  Having

carefully balanced the legitimate interests of the Applicant against the interests or fundamental rights or

freedoms of the data subjects, the Commissioner finds that the legitimate interests served by disclosure of the

information, if it existed and were held, would be outweighed by the unwarranted prejudice that would result to

the interests or fundamental rights and freedoms of the data subjects.

58.In the circumstances of this particular case, the Commissioner concludes that condition (f) in Article

6(1) of the UK GDPR could not be met in relation to the personal data requested (if they existed and were held).

Fairness

59.Given that the Commissioner has concluded that the processing of the personal data, if they were held and

existed, would be unlawful, he is not required to go on to consider whether any such disclosure would otherwise be

fair or transparent in relation to the data subjects.

Conclusion on the data protection principles

60.For the reasons set out above, the Commissioner is satisfied that the disclosure of any relevant personal

data, if they existed and were held, would breach the data protection principle in Article 5(1)(a) of the GDPR.  

Consequently, he is satisfied that such personal data, if they existed and were held, would be exempt from

disclosure under section 38(1)(b) of FOISA and that the Authority could give a refusal notice under section 16(1)

of FOISA, on the basis that the information would be exempt information by virtue of section 38(1)(b) of FOISA.

Section 18(1) – The public interest

61.The Commissioner must now consider whether the Authority was entitled to conclude that it would be

contrary to the public interest to reveal whether the information existed or was held.

The Authority’s submissions

62.The Authority believed it was not in the public interest to reveal whether the information existed or was

held.

63.In the Authority’s view, doing so would publicly disclose personal information about the individuals

specified in the request, and would breach data protection law.  It argued that the named individual’s employment

was a private matter between them and the Authority, and confirming whether or not it “tolerated” their behaviour

would constitute an intrusion into their privacy.

64.The Authority explained that it had in place full misconduct policies and procedures that would be

followed where the requirements to initiate an investigation were met.  Given this, the Authority believed there

was no public interest in confirming whether or not the information was held or existed, as this would likely

deter potential witnesses in other misconduct investigations from providing statements if the confidentiality of

proceedings was not maintained.

The Applicant’s submissions

65.The Applicant believed the public interest lay in knowing whether or not the Authority tolerated the named

individual’s behaviour and encouraged it on the grounds of academic freedom of expression, or whether it took

steps to prevent such conduct.  In its view, there would be no correspondence held between the individuals named

in the request if this had taken place within a private setting.  It argued that the named individual was clearly

using their privileged position at the Authority as a practical means to further their research within their

University role, rather than outwith it, and that the Authority had erred when applying the balance of public

interest.

The Commissioner’s views

66.The Commissioner has carefully considered the arguments by both parties.  The test he must consider is

whether (having already concluded that the information, if it existed and were held, would be exempt from

disclosure) revealing whether the information exists or is held would be contrary to the public interest.

67.As rehearsed above, disclosure under FOISA is not simply disclosure to the person requesting the

information, but rather is a public disclosure.  In this case, the Commissioner is satisfied that disclosing the

personal information of third parties (i.e. the information requested in this case), if it existed and were held,

would breach the first data protection principle.

68.However, confirming whether or not the information requested existed or was held would not, in the

Commissioner’s view, cause the harm envisaged by the Authority.  He does not agree that doing so would confirm or

otherwise whether any disciplinary investigation had been initiated by the Authority regarding the named

individual’s conduct relating to the matter in question, as claimed by the Authority.  Rather, it would solely

provide confirmation of whether or not the Authority held the information requested, namely any correspondence

between the parties specified in the request on the subject matter described.

69.Further, the Commissioner does not accept that confirming or denying the information’s existence (or

whether it was held) would compromise the privacy of the data subjects, or cause them unjustifiable harm or

distress (were the information held), in the manner described by the Authority.  Confirming or denying that the

information exists, or is held, is simply just that – it does not extend to the disclosure of the actual content

or nature of any information, if it existed and were held.  No basis has been offered for concluding that simply

confirming or denying would be capable of causing any such harm or distress to any of the individuals referred to

in the request, all of whom hold senior positions within the Authority.  It would not, after all, be particularly

surprising to anyone if the Authority were to have made further inquiry into an employee’s involvement in matters

of this significance, whether in an employment capacity or a private one.


70.In the Commissioner’s view, the Authority’s arguments for section 18(1) focus more on the actual

disclosure of any relevant information (if it existed and were held), as opposed to confirmation or otherwise of

its existence and whether or not it was held.

71.Having carefully considered the submissions from both parties and the relevant circumstances, the

Commissioner’s view is that there is a strong public interest in knowing whether or not the information existed or

was held by the Authority at the time of the request.  This would provide clarity on whether or not, at the time

of the request, the Authority held any information in correspondence between the individuals specified in the

request on the matter described therein.  There is, after all, a definite public interest in knowing whether the

Authority gave the issue referred to in the request – clearly a matter of significant public concern – serious

attention.

72.On balance, therefore, the Commissioner concludes that the Authority was not entitled to refuse to confirm

or deny, in line with section 18(1) of FOISA, whether it held the information requested, or whether that

information existed.

73.The Commissioner requires the Authority to issue the Applicant with a revised review outcome, otherwise

than in terms of section 18(1) of FOISA.  He requires the Authority to confirm to the Applicant whether the

information requested existed and was held by it when it received the request, and to issue a fresh review 

outcome in terms of section 21(4)(b) of FOISA.

 

Decision

The Commissioner finds that the Authority failed to comply with Part 1 of the Freedom of Information (Scotland)

Act 2002 (FOISA) in responding to the information request made by the Applicant.

He finds that the Authority was not entitled to refuse to confirm or deny, in line with section 18(1) of FOISA,

whether it held the information requested, or whether that information existed.

The Commissioner therefore requires the Authority to reveal to the Applicant whether the information requested

existed and was held by it when it received the request, and to provide the Applicant with a fresh review outcome

in terms of section 21(4)(b) of FOISA, by 27 November 2023.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal

to the Court of Session on a point of law only.  Any such appeal must be made within 42 days after the date of

intimation of this decision.

Enforcement

If the Authority fails to comply with this decision, the Commissioner has the right to certify to the Court of

Session that the Authority has failed to comply.  The Court has the right to inquire into the matter and may deal

with the Authority as if it had committed a contempt of court.

 

Daren Fitzhenry
Scottish Information Commissioner

12 October 2023

 


Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given

it by the authority.

(2) The person who makes such a request is in this Part and in Parts 2 and 7 referred to as the “applicant.”

(6) This section is subject to sections 2, 9, 12 and 14.


2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to

the extent that –

(a)the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are

to be regarded as conferring absolute exemption –

(e) in subsection (1) of section 38 –

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

18 Further provision as respects responses to request

(1) Where, if information existed and was held by a Scottish public authority, the authority could give a

refusal notice under section 16(1) on the basis that the information was exempt information by virtue of any of

sections 28 to 35, 38, 39(1) or 41 but the authority considers that to reveal whether the information exists or is

so held would be contrary to the public interest, it may (whether or not the information does exist and is held by

it) give the applicant a refusal notice by virtue of this section.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than

under this Act -

(a) would contravene any of the data protection principles, or

(5) In this section-

"the data protection principles" means the principles set out in –

(a) Article 5(1) of the UK GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see

section 3(2), (4) and (14) of that Act);

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14)

of that Act).

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the

UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be

read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public

authorities) were omitted.

47 Application for decision by Commissioner

(1) A person who is dissatisfied with -

(a) a notice under section 21(5) or (9); or

(b) the failure of a Scottish public authority to which a requirement for review was made to give such a

notice.

may make application to the Commissioner for a decision whether, in any respect specified in that application, the

request for information to which the requirement relates has been dealt with in accordance with Part 1 of this

Act.

(2) An application under subsection (1) must -

(a) be in writing or in another form which, by reason of its having some permanency, is capable of being used

for subsequent reference (as, for example, a recording made on audio or video tape);

(b) state the name of the applicant and an address for correspondence; and

(c) specify –

    (i) the request for information to which the requirement for review relates;

    (ii) the matter which was specified under sub-paragraph (ii) of section 20(3)(c); and

    (iii) the matter which gives rise to the dissatisfaction mentioned in subsection (1).


UK General Data Protection Regulation

Article 5    Principles relating to processing of personal data

1    Personal data shall be:

    a.processed lawfully, fairly and in a transparent manner in relation to the data subject     

    (“lawfulness, fairness and transparency”)

    …


Article 6    Lawfulness of processing

1    Processing shall be lawful only if and to the extent that at least one of the following applies:

    …

    f.processing is necessary for the purposes of the legitimate interests pursued by the     

    controller or by a third party, except where such interests are overridden by the         

    interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.


Data Protection Act 2018


3    Terms relating to the processing of personal data 
    …
    
 

(2)    “Personal data” means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).
    
(3)    “Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to – 
        
(a)    an identifier such as a name, an identification number, location data or an online identifier, or
        
(b)    one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
    
(4)    “Processing”, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as – 
        

        
(d)    disclosure by transmission, dissemination or otherwise making available,
        

    
(5)    “Data subject”, means the identified or identifiable living individual to whom the personal data relates.

(10)    “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of

personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by

virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).

(14)    In Parts 5 to 7, except where otherwise provided – 
    
(a)    references to the UK GDPR are to the UK GDPR read with Part 2;
    

(c)    references to personal data, and the processing of personal data, are to personal data and processing to which Part 2, Part 3 or Part 4 applies;

(d)    references to a controller or processor are to a controller or processor in relation to the processing of personal data to which Part 2, Part 3 or Part 4 applies.