Home Decisions

Decision 101/2022

Decision 101/2022: Staff disciplined for incidents relating to drugs, harassment, bullying, alcohol or poor performance

Authority:  Scottish Ministers
Case Ref:  202101520

Summary

The Applicant asked the Authority for the numbers of staff who had been disciplined, or whose employment had been terminated, for incidents relating to drugs, harassment, bullying, alcohol or poor performance.  The Authority disclosed some information and withheld the remainder on the basis that disclosure would breach data protection principles.  The Commissioner found that the Authority had wrongly withheld some information under section 38(1)(b) of FOISA.  As, during the investigation, the Authority had issued a response in different terms for some of this information, and had fully disclosed the remainder, he did not require it to take any action.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2), (4) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 17(1) (Notice that information is not held); 38(1)(b), (2A), (5) (definitions of “the data protection principles”, “data subject”, “personal data” and “processing”, “the UK GDPR”) and (5A) (Personal information); 47(1) and (2) (Application for decision by Commissioner)

United Kingdom General Data Protection Regulation (the UK GDPR) article 4(1) (definition of ”personal data”) (Definitions); 5(1)(a) (Principles relating to processing of personal data)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5), (10), (14)(a), (c) and (d) (Terms relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision.  The Appendix forms part of this decision.

Background

1. On 16 September 2021, the Applicant made a request for information to the Authority.  He asked for the numbers of Scottish Government staff who had been disciplined or had their employment terminated for incidents relating to drugs, harassment, bullying, alcohol or poor performance.

2. The Authority responded on 14 October 2021.  It explained that poor performance was dealt with under its Performance Management policy rather than its Discipline Policy and therefore, in terms of section 17(1) of FOISA, it did not hold the information requested for the numbers of staff disciplined or whose employment had been terminated for poor performance.

3. The Authority provided data for the numbers of staff disciplined for incidents relating to drugs, harassment, bullying or alcohol.  In respect of the numbers of staff whose employment had been terminated for these reasons, the Authority withheld the information requested under section 38(1)(b) of FOISA, on the basis that the information was personal data and disclosure would breach data protection principles.  The Authority believed that, given the small numbers involved, there was a realistic prospect of the data subjects being identified.  The Authority provided the combined total number of staff dismissed following disciplinary action for incidents relating to harassment, bullying or alcohol.

4. On 21 October 2021, the Applicant wrote to the Authority requesting a review of its decision.  The Applicant argued that, given that the Authority had disclosed a low number of individuals disciplined for a particular reason (as low as two), its refusal, on personal data grounds, to release a further breakdown of individuals whose employment had been terminated for the reasons specified, did not follow.  In his view, given the low numbers involved and already disclosed, disclosing the numbers of staff who had their employment terminated provided no increased chance of identification.

5. The Authority notified the Applicant of the outcome of its review on 18 November 2021, fully upholding its original decision.  The Authority provided additional explanation in support of its decision.  This focussed on the Authority’s belief that there was a realistic prospect that the disclosure of the requested information would enable former colleagues and witnesses (who may have observed behaviours of concern) to identify that certain individuals had left the organisation as a result of dismissal.  In the Authority’s view, this contravened data protection principles and therefore the information was exempt from disclosure in terms of section 38(1)(b) of FOISA.

6. In providing the cumulative figure for the numbers dismissed following disciplinary action for incidents relating to harassment, bullying or alcohol, although this total figure was small, the Authority did not believe its disclosure posed the same risk of identification.  In the Authority’s view, those individuals could have been dismissed for any one of those reasons, making it more difficult to establish a link between the information provided and a living individual.

7. On 13 December 2021, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA.  The Applicant stated he was dissatisfied with the outcome of the Authority’s review because he did not believe there was any real risk of identification of those dismissed for the reasons stated in the request.

Investigation

8. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.

9. On 19 January 2022, the Authority was notified in writing that the Applicant had made a valid application and it was asked to send the Commissioner the information withheld from the Applicant.  The Authority provided the information and the case was subsequently allocated to an investigating officer.

10. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application.  The Authority was invited to comment on this application and to answer specific questions.  These focussed on the Authority’s justification for withholding the remainder of the information requested under section 38(1)(b) of FOISA.

11. Both parties provided submissions to the Commissioner.

12. During the investigation, the Authority changed its position and withdrew reliance on section 38(1)(b) to withhold the remaining information.  On 30 August 2022, it provided the Applicant with a revised response in terms of section 17(1) of FOISA for the numbers of individuals whose employment had been terminated for incidents relating to drugs or harassment.  On 23 September 2022, it fully disclosed to the Applicant the numbers of individuals whose employment had been terminated for incidents relating to bullying or alcohol.

13. The Applicant acknowledged receipt of the further information disclosed by the Authority.  However, he continued to seek a decision from the Commissioner.

Commissioner’s analysis and findings

14. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority.

Section 38(1)(b) – Personal information

15. At both initial response and review stages, the Authority withheld some information under section 38(1)(b) of FOISA.  Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is "personal data" (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR or (where relevant) in the DPA 2018.

16. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption.  This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

17. To rely on this exemption, an Authority must show that the information withheld is personal data for the purposes of the DPA 2018 and that disclosure of the information into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles to be found in Article 5(1) of the UK GDPR.

18. The Commissioner must decide whether the Authority was correct to withhold the information requested under section 38(1)(b) of FOISA when it responded to the Applicant’s request for review.

Is the withheld information personal data?

19. The first question that the Commissioner must address is whether the withheld information is personal data for the purposes of section 3(2) of the DPA 2018, i.e. any information relating to an identified or identifiable individual.  "Identifiable living individual" is defined in section 3(3) of the DPA 2018   see Appendix 1.  (This definition reflects the definition of personal data in Article 4(1) of the UK GDPR, also set out in in Appendix 1.)

20. The two main elements of personal data are that the information must “relate to” a living individual and the living individual must be identifiable.  An “identifiable living individual” is one who can be identified, directly or indirectly, by reference to an identifier (such as a name or one or more factors specific to the individual) (see section 3(3) of the DPA 2018, set out in Appendix 1).

21. In the case of Breyer v Bundesrepublik Deutschland (C-582/14), the Court of Justice of the European Union looked at the question of identification.  The Court took the view that the correct test to consider is whether there is a realistic prospect of someone being identified.  In deciding whether there is a realistic prospect of identification, account can be taken of information in the hands of a third party.  However, there must be a realistic causal chain - if the risk of identification is "insignificant", the information will not be personal data.

22. Although this decision was made before the UK GDPR and the DPA 2018 came into force, the Commissioner expects that the same rules will apply.  As set out in Recital (26) of the GDPR (the source of the UK GDPR), the determination of whether a natural person is identifiable should take account of all means reasonably likely to be used to identify the person, directly or indirectly.  In considering what is reasonably likely, the Recital states that all objective factors should be taken into account, such as the costs and amount of time required for identification, the available technology at the time of processing and technological developments.  It confirms that data should be considered anonymous (and therefore no longer subject to the GDPR) when the data subject(s) is/are no longer identifiable.

The Authority’s submissions

23. In its initial submissions to the Commissioner, the Authority explained that it had changed its position for the numbers of individuals whose employment had been terminated for incidents relating to drugs or harassment as no dismissals had occurred for these categories.  It conceded that disclosure could not lead to identification as there was no-one to identify.

24. For the numbers of staff who had their employment terminated for incidents relating to bullying or alcohol, the Authority argued that the information in question was personal data, as disclosure of the extremely low figures would likely lead to these individuals being identified.  In the Authority’s view, colleagues who had likely observed behaviours of concern where alcohol was involved, could then draw an inference from knowing that a person was no longer employed, to identifying who that person was.  Similarly, for dismissals relating to bullying - where the individual’s actions will have been visible to the complainer or witnesses, some of whom may have participated in an investigation but would not know its outcome – the Authority believed there was a high risk of identification.

25. While the Authority recognised that there were various reasons for leaving employment, it submitted that breaking down the information to the categories and timeframe specified in the request, would pose a far greater risk of identifying the individuals concerned using the process of jigsaw identification.

26. Later in the investigation, the Authority subsequently confirmed that it was no longer relying on the exemption in section 38(1)(b) to withhold any of the information requested.

The Commissioner’s conclusions

27. As stated above, during the investigation, the Authority withdrew its reliance on section 38(1)(b) of FOISA to withhold any information in this case.

28. The Commissioner has considered the submissions from the Authority explaining why the information was initially considered exempt from disclosure when it responded to the Applicant’s request for review.

29. For information relating to the number of dismissals for incidents relating to drugs or harassment, the Commissioner notes the Authority’s change of position during the investigation, where it confirmed that no terminations had taken place for these reasons.  Given that there were no living individuals to whom any such data could relate (in terms of the request under consideration here), the Commissioner has no option but to find that the Authority was not entitled to inform the Applicant that it held corresponding personal data.

30. For the remaining information, the Commissioner has taken into account the cumulative figure already available to the Applicant for individuals terminated for incidents relating to bullying or alcohol (as disclosed in the Authority’s review outcome, for which the Authority subsequently confirmed, during the investigation, that no employees were dismissed for incidents relating to harassment).  He has also taken regard of the timespan covered by the request (five years, nine months) and the number of employees across the whole of the Scottish Government (7,968 FTE directly employed staff plus 1,965 (headcount) non-directly employed staff, as at the end of September 2021, as stated in the Scottish Government Work Force Statistics September 2021).

31. While the Commissioner recognises that colleagues of those whose employment has been terminated could take a reasonable guess as to the reason why a person left their employment, and may already know via other means, he is not satisfied that disclosure of the actual figures requested would add to, or confirm, any suspicion a colleague may have.

32. Consequently, in all the circumstances of the case, the Commissioner is not satisfied that, at the time the Authority responded to the Applicant’s request for review, a realistic causal chain existed where living individuals could be identified as a direct result of disclosure of the information.  The Commissioner therefore does not accept that the remaining withheld information qualified as personal data, as defined in section 3(2) of the DPA.  Having reached this conclusion, he is not required to go on to consider any of the further tests for section 38(1)(b) to apply.

33. In light of the Authority’s change of position during the investigation, the Commissioner has no option but to find that it wrongly withheld the information in question under section 38(1)(b), when it responded to the request for review.

34. As the Commissioner has concluded that the withheld information under consideration here was not personal data, he must find that the Authority had not been entitled to rely on section 38(1)(b) of FOISA to withhold that information when it responded to the Applicant’s request for review and, by so doing, breached part 1 of FOISA.

35. Given that, by the conclusion of the investigation, the Authority had issued a revised response in different terms for some of the information, and had disclosed to the Applicant all of the remaining information, all of which the Commissioner has found to have been wrongly withheld under section 38(1)(b), the Commissioner does not require the Authority to take any specific action in this case.

36. The Commissioner cannot stress enough the importance of giving full and proper consideration to the tests which require to be met for an exemption under FOISA (or an exception under the Environmental Information (Scotland) Regulations 2004 (the EIRs)) to apply, when considering requests under FOISA/the EIRs.

37. He would urge the Authority, and indeed all Scottish public authorities, to ensure that, when responding to information requests, thorough consideration is given to whether any applicable test for an exemption or exception to apply, can actually be met in the circumstances.  In this case, it appears likely that such consideration would not only have resulted in earlier disclosure of the information, but also a saving in staff time and effort.

Decision

The Commissioner finds that the Authority failed to comply with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant.

The Commissioner finds that the Authority wrongly withheld some information under section 38(1)(b) of FOISA.

Given that, during the investigation, the Authority withdrew reliance on section 38(1)(b) and provided the Applicant with a response in different terms for some information and fully disclosed the remainder, the Commissioner does not require the Authority to take any action in response to this failure, in response to the Applicant’s application.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only.  Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement 

10 October 2022

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(2) The person who makes such a request is in this Part and in Parts 2 and 7 referred to as the “applicant.”

(4) The information to be given by the authority is that held by it at the time the request is received, except that, subject to subsection (5), any amendment or deletion which would have been made, regardless of the receipt of the request, between that time and the time it gives the information may be made before the information is given.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions 

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that – 

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption – 

…     section 37; and 

(e) in subsection (1) of section 38 – 

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

17 Notice that information is not held

(1) Where-

(a) a Scottish public authority receives a request which would require it either-

(i) to comply with section 1(1); or

(ii) to determine any question arising by virtue of paragraph (a) or (b) of section 2(1),

if it held the information to which the request relates; but

(b) the authority does not hold that information,

it must, within the time allowed by or by virtue of section 10 for complying with the request, give the applicant notice in writing that it does not hold it.

    …

38 Personal information 

(1) Information is exempt information if it constitutes-

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in – 

(a) Article 5(1) of the UK GDPR, and

(b) section 34(1) of the Data Protection Act 2018; 

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act);

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act).

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

47 Application for decision by Commissioner

(1)     A person who is dissatisfied with -

(a) a notice under section 21(5) or (9); or

(b) the failure of a Scottish public authority to which a requirement for review was made to give such a notice.

may make application to the Commissioner for a decision whether, in any respect specified in that application, the request for information to which the requirement relates has been dealt with in accordance with Part 1 of this Act.

(2) An application under subsection (1) must - 

(a) be in writing or in another form which, by reason of its having some permanency, is capable of being used for subsequent reference (as, for example, a recording made on audio or video tape);

(b) state the name of the applicant and an address for correspondence; and

(c) specify – 

    (i)    the request for information to which the requirement for review relates;

    (ii)    the matter which was specified under sub-paragraph (ii) of section 20(3)(c);    and

    (iii)    the matter which gives rise to the dissatisfaction mentioned in subsection (1).

    …

UK General Data Protection Regulation

Article 4 Definitions

For the purpose of this Regulation: 

1 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; 

Article 5 Principles relating to processing of personal data     

1 Personal data shall be:

    a.    processed lawfully, fairly and in a transparent manner in relation to the data subject         (“lawfulness, fairness and transparency”)

    …

Data Protection Act 2018

3 Terms relating to the processing of personal data 

    …

    (2) “Personal data” means any information relating to an identified or identifiable living         individual (subject to subsection (14)(c)).

    (3) “Identifiable living individual” means a living individual who can be identified, directly         or indirectly, in particular by reference to – 

        (a)    an identifier such as a name, an identification number, location data or an             online identifier, or

        (b)    one or more factors specific to the physical, physiological, genetic, mental,             economic, cultural or social identity of the individual.

    (4) “Processing”, in relation to information, means an operation or set of operations             which is performed on information, or on sets of information, such as – 

        …

        (d)    disclosure by transmission, dissemination or otherwise making available,

        …

(5) “Data subject” means the identified or identifiable living individual to whom personal data relates.

(10) “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).

(14) In Parts 5 to 7, except where otherwise provided – 

    (a)    references to the UK GDPR are to the UK GDPR read with Part 2;

    …

(c) references to personal data, and the processing of personal data, are to personal data and processing to which Part 2, Part 3 or Part 4 applies;

(d) references to a controller or processor are to a controller or processor in relation to the processing of personal data to which Part 2, Part 3 or Part 4 applies.