Home Decisions

Decision 101/2023

Decision Notice 101/2023: Records held relating to a research project

Applicant: The Applicant
Authority: University of Edinburgh
Case Ref: 202200058


Summary

The Applicant asked the Authority for records and correspondence related to an employee and a research project.

The Authority refused to confirm or deny that it held the information, stating that – if the information existed

and was held by the Authority – it would be exempt from disclosure and that it was not in the public interest for

the Authority to reveal whether the information existed.   The Commissioner found that the Authority was not

entitled to refuse to reveal whether the information requested existed or was held.  He required the Authority to

issue a revised response to the Applicant.  

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 10(1) (Time

for compliance); 15 (Duty to provide advice and assistance); 18(1) (Further provisions as respects to responses to

request); 21(1) (Review by Scottish public authority); 38(1)(b), (2A)(a), (5) (definitions of “data protection

principles”, “data subject”, “personal data”, “processing” and “the UK GDPR”) and (5A) (personal information);

39(1) (Health, safety and the environment); 47(1) and (2) (Application for decision by Commissioner)


United Kingdom General Data Protection Regulation (the UK GDPR) articles 5(1)(a) (Principles relating to

processing of personal data); 6(1)(f) (lawfulness of processing)  


Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (10) and (14)(a), (c) and (d) (Terms relating

to the processing of personal data)


The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The

Appendix forms part of this decision.


Background

1.    On 3 December 2020, the Applicant made a request for information to the Authority.  The Applicant asked

for records of correspondence in relation to a specific Covid-19-related research project of a named employee of

the Authority, with the exception of correspondence of peer-reviewers and editors of the scientific journals in

which the research was published. The time period covered by the request was 1 November 2019 to 2 December 2020,

and the Applicant asked that the Authority “narrow the search results to exclude any published papers,

organizational newsletters or other widely available published materials”. The Applicant explained why it believed

the Authority should supply the information.  


2.    An automated response was sent by the Authority on 3 December 2020 that highlighted the effect the

Covid-19 pandemic was having on the Authority’s ability to respond to requests within the statutory timeframe of

FOISA.


3.    On 21 January 2021, the Applicant wrote to the Authority asking about progress in dealing with its request

for information.


4.    The Authority apologised on 22 January 2021 for not meeting the statutory timescale. The Authority

explained that it still was not in a position to provide a response and that the Applicant had the right to

request a review under FOISA, but that only one review could be provided, and that if this was provided in

relation to the lateness of the response, a further review request could not be made relating to the actual

response.


5.    On 12 March 2021, the Applicant asked the Authority for an update and a reasonable estimate of when a

response could be expected.


6.    The Authority responded on 15 March 2021.  It apologised again and informed the Applicant that it still

was not in a position to provide a response and that it would let the Applicant know when a caseworker began

processing the request.


7.    On 4 June 2021, the Applicant asked the Authority to provide a review on the ground that the Authority had

failed to provide a response to the request.


8.    The Authority informed the Applicant on 8 June 2021 that it was unable to say when a response might be

received.


9.    The Authority notified the Applicant of the outcome of its review on 14 October 2021.  The Authority

apologised for the delay in responding to the request and explained that the Authority’s “normal operations [had]

been affected by the Covid-19 pandemic”. The Authority’s review refused the request and applied section 18, in

conjunction with section 38(1)(b) (Personal Information) and section 39(1)(Health, safety and the environment) of

FOISA.


10.    On 13 January 2022, the Applicant wrote to the Commissioner, applying for a decision in terms of section

47(1) of FOISA.  The Applicant stated that it was dissatisfied with the outcome of the Authority’s review because:

  • of the time taken by the Authority to respond to the request;
  • it did not agree with the exemptions applied by the Authority to refuse its request;
  • it considered disclosure of the information it had requested to be in the public interest; and
  • it was concerned that the offer of advice and assistance had not been made by the Authority.


Investigation

11.    The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the

power to carry out an investigation.

12.    On 8 February 2022, the Authority was notified in writing that the Applicant had made a valid application.  

The case was allocated to an investigating officer on 28 November 2022.

13.    Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide

comments on an application. The Authority was invited to comment on this application and to answer specific

questions. These related to the reasons why the Authority considered it was justified to neither confirm nor deny

whether it held information falling within the scope of the Applicant’s request, and to the potential application

of the exemptions cited in its response to the Applicant.


Commissioner’s analysis and findings

14.    The Commissioner has considered all the submissions made to him by the Applicant and the Authority.  

Section 18 – Neither confirm nor deny

15.    Section 18 (1) of FOISA allows public authorities to refuse to confirm or deny whether they hold

information in the following circumstances:

  • a request has been made to the authority for information, which may or may not be held by it;

    if the information existed and were held by the authority (and it need not be), it could give a refusal

  • notice under section 16(1) of FOISA, on the basis that the information was exempt information by virtue of any exemptions in sections 28 to 35, 38, 39(1) or 41 of FOISA;

  • the authority considers that to reveal whether the information exists or is held by it would be contrary

    to the public interest.


16.    Where section 18(1) is under consideration, the Commissioner must ensure that his decision does not

confirm one way or the other whether the information requested actually exists or is held by the authority. This

means he is unable to comment in any detail on the Authority’s reliance on any of the exemptions referred to, or

on other matters that could have the effect of indicating whether or not the information existed or was held by

the authority.


17.    In this case, the Authority submitted that, if it held the information falling within the scope of the

Applicant’s request, then the information would be exempt from disclosure under sections 38(1)(b) and 39(1) of

FOISA.

Section 38(1)(b) – Personal information


18.    The Commissioner will first consider whether, if the information existed and were held by the Authority,

the Authority would be justified in refusing to disclose the information by virtue of the exemption in section

38(1)(b) of FOISA.


19.    Section 38(1)(b), read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure

if it is “personal data”, as defined in section 3(2) of the DPA 2018 and its disclosure would contravene one or

more of the data protection principles set out in Article 5(1) of the UK GDPR.


Would the information, if held, be personal data?


20.    The Applicant sought correspondence in relation to a specific research project of a named employee of the

Authority.  The Commissioner must first address whether this information , if it existed and were held by the

Authority, would be personal data for the purposes of section 3(2) of the DPA 2018.


21.    “Personal data” is defined in section 3(2) of the DPA 2018 as “any information relating to an identified

or identifiable individual”.  Section 3(3) of the DPA 2018 defines “identifiable living individual” as a living

individual who can be identified, directly or indirectly, particularly by reference to an identifier such as a

name, an identification number, location data, or an online identifier, or one or more factors specific to the

physical, psychological, genetic, mental, economic, cultural or social identity of the individual.


22.    Information will “relate” to a person if it is about them, linked to them, has biographical significance

for them, issued to inform decisions about them, or has them as its main focus.  An individual is “identifiable”

if it is possible to distinguish them from other individuals.


23.    The Applicant’s request was for correspondence related to a named individual in relation to a specific

research project.  


24.    The Authority considered the information, if held, would be “personal data”, as it would relate to the

named person, would name others involved in any correspondence, and would contain their thoughts and opinions.


25.    The Applicant, in its submissions, agreed that the information was personal data, as it related to

identifiable living individuals.


26.    The Commissioner has considered the specific wording of the request and the information it would capture,

and he is satisfied that, if the information did exist and were held by the Authority, it would clearly relate to

the named employee (and other identifiable living individuals).  The Commissioner therefore accepts that, if it

existed and were held, the information would be personal data as defined in section 3(2) of the DPA 2018.


Would disclosure contravene one of the data protection principles?


27.    The Authority argued that disclosing the personal data, if it existed and were held, would contravene the

first data protection principle.  This requires personal data to be processed “lawfully, fairly and in a

transparent manner in relation to the data subject” (Article 5(1)(a) of the GDPR).


28.    The definition of “processing” is wide and includes (section 3(4)(d) of the DPA 2018) “disclosure by

transmission, dissemination or otherwise making available”.  In the case of FOISA, personal data are processed

when disclosed in response to a request.  This means that the personal data could only be disclosed if disclosure

would be both lawful (i.e. if it would meet one of the conditions of lawful processing listed in Article 6(1) of

the UK GDPR) and fair.


29.    The Commissioner will consider whether disclosure, if the information existed and was held, would breach

the first data protection principle.


Lawful processing: Article 6(1)(f) of the UK GDPR


30.    In considering lawfulness, the Commissioner must consider whether any of the conditions in Article 6(1) of

the UK GDPR would allow the personal data to be disclosed, if it existed and were held.


31.    The Commissioner considers that condition (f) is the only one which could potentially apply, assuming the

personal data existed and were held.


32.    The tests that must be met before Article 6(1)(f) could be met are as follows:


(i)    Would the Applicant (or wider public) have a legitimate interest in obtaining the personal data, if held?


(ii)    If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?


(iii)    Even if processing would be necessary to achieve that legitimate interest, would that be overridden by the

interest or fundamental rights and freedoms of the data subject/s?


33.    Although Article 6(1) states that this condition cannot apply to processing carried out by a public

authority in performance of its tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public

authorities can rely on Article 6(1)(f) when responding to requests under FOISA.


Would the Applicant (or wider public) have a legitimate interest in obtaining the personal data, if held?


34.    There is no definition within the DPA 2018 of what constitutes a "legitimate interest ", but the

Commissioner takes the view that the term indicates that matters in which an individual properly has an interest

should be distinguished from matters about which he or she is simply inquisitive.  The Commissioner's published

guidance on section 38(1)(b) of FOISA  states:


In some cases, the legitimate interest might be personal to the applicant, e.g. he or she might want the

information in order to bring legal proceedings.  With most requests, however, there are likely to be wider

legitimate interests, such as the scrutiny of the actions of public bodies or public safety.


35.    The Authority accepted that the Applicant was pursuing a legitimate interest.  

36.    Having considered the nature of the information covered by the request, if it existed and was held, the

Commissioner agrees with the Authority that the Applicant is pursuing a legitimate interest in obtaining the

personal data (if it existed and was held).


Would disclosure be necessary?


37.    The next question is whether disclosure of the personal data (if held) would be necessary to achieve that

legitimate interest.  


38.    In this context, “necessary” means “reasonable” rather than “absolutely” or “strictly” necessary.  When

considering whether disclosure would be necessary, public authorities should consider whether disclosure is

proportionate as a means and fairly balanced as to the aims to be achieved, or whether the Applicant’s legitimate 

interests can be met by means which interfered less with the privacy of the data subjects.


39.    The Authority submitted that it did not consider that disclosure of the personal data, if it existed and

were held, was necessary to achieve this legitimate interest.  The Authority’s view was that disclosure of the

personal data (if held), was not necessary to understand the issues related to the matter, as they were already in

the public domain through peer-reviewed articles that had been published.


40.    The Applicant explained that it was seeking information related to an individual’s work as a scientist and

related to an article published in a peer-reviewed journal.  Its view was that the wider public had a right to

understand how the views expressed in the article in question had come about.


41.    The Commissioner recognises that, to be published in peer-reviewed journals, the work in question would

have been scrutinised to some degree, and this goes some way to satisfying the Applicant’s (and wider public’s)

legitimate interest.  


42.    However, given the importance of the subject matter, in the absence of other viable means of meeting the

legitimate interest in full, the Commissioner’s view is that the legitimate interests of the Applicant could only

reasonably be met by the disclosure of the information, if it existed and was held. There are many types of

additional information that may be exchanged in correspondence that are not in the final published article.


43.    Consequently, the Commissioner will go in to consider whether the interest in obtaining the personal data

(if it existed and was held) outweighs the rights and fundamental freedoms of the data subjects.  


Interests and fundamental freedoms of the data subjects


44.    The Commissioner must now balance the legitimate interests in disclosure against the data subject’s’

interest or fundamental rights and freedoms.  Only if the legitimate interests of the Applicant outweigh those of

the data subjects can the information be disclosed.


45.    In considering the balance between the legitimate interests and the rights and interests of the data

subjects, it is important to take account of whether the proposed disclosure of the information, if it existed and

was held, would be within the reasonable expectations of an individual.  There are factors that assist in this

determination, including the distinction between private and public life; the nature of the information; how the

personal data were obtained; whether any specific assurances were given to individuals; privacy notices; and any

policy or standard practice.


46.    The Applicant submitted that the information it sought was work-related data that should belong to the

wider public.


47.    The Authority submitted that, due to the subject matter of the research project, the personal data (if it

existed and was held), although work-related, would be a matter that concerned both the public and private life of

the data subjects.  It submitted that the data subjects had already experienced harm related to this matter.


48.    The Commissioner notes that the information relates to the data subjects’ public life; in this case a

research project.  However, he accepts that the data subjects would have reasonably expected that any

correspondence (if it existed and were held) would not be published and that there would be a degree of

confidentiality.  


49.    The Commissioner has also considered the distress and damage to the data subjects that the Authority has

described.  In the circumstances, the Commissioner agrees that disclosing the personal data would cause harm or

distress to the data subjects.  (The consideration on the exemption in section 39(1)(a) below discusses likely

harm or distress to the data subjects.)


50.    After carefully balancing the legitimate interests of the individuals concerned against those of the

Applicant, the Commissioner finds that the legitimate interests served by disclosure of the personal data (if it

existed and was held),were outweighed by the unwarranted prejudice that would result to the rights and freedoms or

legitimate interests of the data subjects.   While the Commissioner recognises that the background to this case

relates to matters of public concern, he is satisfied that, in the circumstances of this case, disclosure of the

personal data (if it existed and was held) would cause harm and distress and that the data subjects would

reasonably expect that their personal data would not be disclosed into the public domain.  


51.    Having found that the legitimate interests served by disclosure of the personal data are outweighed by the

unwarranted prejudice that would result to the rights and freedoms or legitimate interests of the data subject,

the Commissioner finds that condition (f) in Article 6(1) of the UK GDPR cannot be met and that disclosure, if the

information existed and was held, would be unlawful.  


Fairness


52.    Given that the Commissioner has concluded that the processing of the personal data would be unlawful, if

it existed and was held, he is not required to go on to consider separately whether disclosure would otherwise be

fair and transparent in relation to the data subject.


Conclusion on the data protection principles


53.    For the reasons set out above, the Commissioner is satisfied that disclosure of any relevant personal

data, if it existed and were held, would breach the data protection principle in Article 5(1)(a) of the UK GDPR.  


54.    In all of the circumstances, the Commissioner is satisfied that any such personal data, if it existed and

were held, would be exempt from disclosure under section 38(1)(b) of FOISA and that the Authority could give a

refusal notice under section 16(1) of FOISA, on the basis that the information would be so exempt.


Section 39(1) – Health, safety and the environment


55.    Section 39(1) of FOISA states that information is exempt if its disclosure under FOISA would, or would be

likely to, endanger the physical or mental health or safety of an individual.  This is a qualified exemption and

is subject to the public interest test required by section 2(1)(b) of FOISA.


56.    As the Commissioner notes in his briefing on this exemption , section 39(1) does not contain the usual

harm test.  Instead of the “substantial prejudice” test found in many other harm-based exemptions in Part 2 of

FOISA, this exemption refers to the “endangerment” of health or safety.  This test is less demanding than the

“substantial prejudice” test.


57.    The Authority considered there was a genuine, as opposed to hypothetical, link between confirming whether

or not the requested information was held, and the endangerment to the physical and mental health and safety of

its employee, and others associated with the research project.  

58.    The Authority identified health and safety risks that fell into two categories: first, the risk that

confirming whether or not information was held would act as a catalyst to further threats; and secondly, the risk

of actual harm to its employee.


59.    With regard to the first risk, the Authority believed that confirming or denying whether the information

was held would foment existing online abuse and threats against its employee and others.


60.    The Authority stated that it was aware of threatening behaviour and accusations of collusion and cover-up,

directed against several academics in the same field as its employee, in particular those working on the research

project named in the request.


61.    The Authority submitted that the Applicant had been raised as a specific example of this incitement, and

that as a result of this wider context of threats and abuse relating to this research project and the discussions

around it, its considered disclosure of this information, if it were to exist, would risk the wellbeing of its

employee.


62.    The Authority submitted that individuals linked through the named research project had already been

targets of abuse and threats, and that confirming whether or not information were held would further fuel these

attacks.


63.    It noted that its employee and others linked to the named research project had already been the subject of

abuse and serious allegations. It submitted that if the information were to be held, its disclosure would lead to

an increased risk of real harm, and provided a link to an example of a planned attack on another person linked to

the topic.


64.    The Authority provided the Commissioner with examples of the abuse directed at its employee and other

linked to the named research project.


65.    The Authority submitted that disclosure of the requested information (if it existed and was held), would

further fuel these threats and abuse.  It considered that the level of abuse went far beyond the ordinary

disagreement of lay people and academics, not so much questioning the science but rather making serious

allegations about the behaviour and integrity of the individuals concerned.  


66.    The Authority considered that to confirm or deny whether it holds this information, or to disclose it, if

it were held, would further link its employee to other individuals who have been targeted in a manner that raises

significant concern for its named employee’s safety and well-being, and that it was therefore correct to apply

section 39(1) in conjunction with section 18.


Commissioner’s view on section 39(1)


67.    In considering the Authority’s submissions, the Commissioner has to be satisfied that it has evidenced

threats to the physical health or safety of the employee named in the request (or other named individuals) that

would result directly from disclosure of the information sought (if it existed and was held).  


68.    The Commissioner has reviewed the evidence provided by the Authority.  Much of this is based on social

media, and the Commissioner recognises that it is difficult to predict how much of this is rhetoric, as opposed to

threats that might manifest into physical action, either by the original posters or those who follow their

accounts.  Nonetheless, it is evident to the Commissioner that this type of commentary would have an impact on the

mental wellbeing of those individuals who were subjected to it, and that it could also affect their health and/or

physical safety.  


69.    In the circumstances, the Commissioner is satisfied that disclosure of the information, if it were held,

would cause the harm claimed by the Authority, and he finds therefore that the exemption in section 39(1) of

FOISA, is engaged.  


70.    Having reached this conclusion, the Commissioner is required to consider the public interest tests in

relation to this information.


Public interest test – section 2(1)(b)


71.    Section 39(1) is a qualified exemption, which means that its application is subject to the public interest

test in section 2(1)(b) of FOISA.  Therefore, having decided that the information, if it existed and was held,

would be exempt under section 39(1), the Commissioner must go on to consider whether, in all the circumstances of

the case, the public interest in disclosing the information (if it existed and was held) would be outweighed by

the public interest in maintaining the exemption.


The Authority’s submission on the public interest


72.    The Authority recognised that there was a strong public interest in the transparent operation of public

authorities.  


73.    However, the Authority submitted that it had a legal obligation to its employees, and that as such it did

not think it was in the public interest to disclose information (if it existed and was held) that would lead to

harm to the mental and physical wellbeing of others.  


The Applicant’s submission on the public interest


74.    The Applicant submitted that the research project named in its request had been highly influential, and

that the information sought pertained to the scientific work that led to the publication of the article, rather

than the article itself.  It considered that the correspondence it had requested was a crucial dataset that could

shed light on the integrity of the scientific process.


75.    It submitted that scientific transparency was in the public interest, particularly in matters concerning

public health.  In its view, disclosure would give a better understanding of the publication and contribute to

critical scientific discussion. It believed disclosure was in the interests of the public, and not just of

interest to the public.


The Commissioner’s view on the public interest – section 2(1)(b)


76.    The Commissioner has considered all the submissions received regarding the public interest test.  He

acknowledges the reasons the Applicant has made the request and that disclosure may be of wider interest to the

public.  However, the Commissioner has to consider whether disclosure of the information, if it existed and were

held, would be in the interest of the public, whilst also taking into consideration the public interest in

maintaining the exemption and preventing the “endangerment” of health and safety that was claimed, and accepted

above.


77.    The Commissioner accepts, particularly given the subject matter, that there is a general public interest

in disclosure of the requested information, should it exist and be held by the Authority.  This would, as the

Applicant has suggested, contribute to an understanding of the work behind the article in question, and provide

reassurance (or otherwise), that findings had been communicated accurately, and that information that did not fit

with this narrative was not being withheld. This would contribute to increasing public knowledge and ensuring that

public bodies which benefit from public funding are open and transparent.


78.    The Commissioner must balance this against the impact that disclosure of the information (if it existed

and was held) would, or would be likely to have to the physical or mental health and safety of individuals.  The

public interest arguments in favour of disclosure must be strong to outweigh the public interest in ensuring that

individuals are not endangered as a result of such disclosure.


79.    In all of the circumstances of the case, the Commissioner finds that the public interest arguments of the

Applicant are not strong enough to outweigh the public interest in ensuring that individuals are not endangered,

particularly given that the article has been peer-reviewed.  He therefore finds that the public interest in

maintaining the exemption in section 39(1) would outweigh any public interest in disclosure of the information (if

it existed and was held) and that the Authority could give a refusal notice under section 16(1) of FOISA, on the

basis that the information would be so exempt.


80.    The Commissioner is required by section 18(1) of FOISA to go on to consider whether the Authority was

entitled to conclude that it would be contrary to the public interest to reveal whether the information existed or

was held.

The public interest – section 18(1)


81.    The Authority submitted that, due to the reasons it had given in relation to sections 38(1)(b) and 39(1),

to confirm whether or not the information was held would result in a breach of its legal duties under data

protection and health and safety legislation.  It considered that there was a strong public interest in public

authorities complying with their legal obligations.


82.    The Authority considered that confirmation whether or not the information existed and was held would not

benefit the public interest, but rather that it was clear that the public interest was not met when scientists are

subject to threats and abuse in relation to their work. The Authority submitted that disclosing whether or not

this information existed would increase the risk of this happening, as it would fuel the abuse that has already

occurred.  


83.    The Applicant’s arguments relating to the public interest have been highlighted above at paragraphs 74 and

75.  


84.    The Applicant also highlighted the public interest in exploring whether there were any undisclosed

conflicts of interest that could have raised questions about the motivations of the research project.


85.    The Commissioner has carefully considered the arguments by both parties.  The test he must consider is

whether (having already concluded that the information, if it existed and were held, would be exempt from

disclosure) revealing whether the information exists or is held would be contrary to the public interest.


86.    As discussed above, the Commissioner has accepted the engagement of section 38(1)(b) and 39(1).


87.    The request specifies a timescale for information (correspondence) within a period of just over a year.

This is a relatively large timescale.  The request also excludes a specific type of information that may fall

within the terms of the request: for example, the Applicant excludes correspondence of peer-reviewers and editors

of the scientific journals in which the research was published and “organizational newsletters”. These exclusions

still leave a relatively wide variety of information that could fall within the terms of the request.


88.    Confirming that relevant information were held (were it actually to be held) would not in itself lead to

the categorisation or identification of the content of that information, save that the named employee had

corresponded in respect of the published paper within the time period and that the information did not fall within

the categories excluded.


89.    Or, confirming that relevant information were not held (were this to be the case) would simply indicate

that at the time of the request (3 December 2020) the Authority held no recorded information of the named employee

in respect of the published paper within the time period (with no information conveyed as to whether information

was held of the type the Applicant had explicitly excluded).


90.    The Commissioner is not satisfied that the act of confirming or denying whether the information exists or

is held would be the catalyst for the harm that the Authority has described.  The Commissioner notes the

sensitivity of the subject (and the feelings in respect of it).  However, he cannot accept that the simple fact of

confirming whether any information is held on this subject would result in sparking the type of reaction the

Authority has highlighted.  


91.    Having carefully considered the submissions from both parties, and the information already in the public

domain, the Commissioner concludes that the Authority was not entitled to refuse to confirm or deny, in line with

section 18(1) of FOISA, whether it held the information requested, or whether the information existed.


92.    The Commissioner requires the Authority to issue the Applicant with a revised review outcome, otherwise

than in terms of section 18(1) of FOISA.  He requires the Authority to confirm to the Applicant whether the

information requested existed and was held by it when it received the request, and to issue a fresh review in

terms of section 21(4)(b) of FOISA.


Section 15 – duty to provide advice and assistance


93.    Section 15(1) of FOISA requires a Scottish public authority, so far as is reasonable to expect it to do

so, to provide advice and assistance to a person who has made, or proposes to make, a request for information to

it.


94.    The Applicant expressed concern that the duty to advise and assist was not offered in this process.


95.    The Authority submitted that, as it had neither confirmed nor denied whether the information was held, it

was not clear what further advice and assistance would have been appropriate in respect of the requested

information.  It noted that it had highlighted in its response its reasons for neither confirming nor denying, and

that the findings of the research in question were already in the public domain.


96.    Given the Authority’s reliance on section 18, and its position of neither confirming nor denying that it

held any information falling within the scope of the request, the Commissioner accepts that the Authority could

not reasonably have provided any meaningful advice and assistance without compromising its position.


Handling of the request


Section 10(1) – Time for compliance


97.    Section 10(1) of FOISA gives Scottish public authorities a maximum of 20 working days following the date

of receipt of the request to comply with a request for information. This is subject to qualifications which are

not relevant in this case.


98.    The Authority explained to the Applicant the reasons for the delay in responding to its request, outlining

the affect the Covid-19 pandemic had had on its normal operations.  


99.    It is a matter of fact that the Authority did not provide a response to the Applicant’s request for

information within 20 working days, so the Commissioner finds that it failed to comply with section 10(1) of

FOISA.  The Authority apologised to the Applicant for this delay.


Section 21 of FOISA – Review by Scottish public authority


100.    Section 21(1) of FOISA gives Scottish public authorities a maximum of 20 working days following the date

of receipt of the requirement to comply with a requirement for review.  Again, this is subject to qualifications

which are not relevant in this case.


101.    The Authority explained to the Applicant that its normal operations had been affected by the Covid-19

pandemic, and that this continued to be the case at the date of the review response.  


102.    It is a matter of fact that the Authority did not provide a response to the Applicant’s requirement for

review within 20 working days, so the Commissioner finds that it failed to comply with section 21(1) of FOISA. The

Authority apologised to the Applicant for this delay.  


103.    The Commissioner makes no further comment on the Authority’s handling of the request here, but notes that

a level 2 Intervention  was opened with the Authority to support it in improving its performance and that there

has subsequently been an improvement in the Authority’s performance.  


Decision


The Commissioner finds that the Authority failed to comply fully with Part 1 of the Freedom of Information

(Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant.  


He finds that the Authority:

  • was not entitled to refuse to confirm or deny, in line with section 18(1) of FOISA, whether it held the

    information requested, or whether that information existed

  • failed to comply with section 10(1) of FOISA by not responding to the initial request within statutory

    timescales

  • failed to comply with section 21(1) of FOISA by not providing a review outcome within statutory timescales

The Commissioner therefore requires the Authority to reveal to the Applicant whether the information requested

existed and was held by it when it received the request, and to provide the Applicant with a fresh review outcome

in terms of section 21(4) of FOISA, by 28 November 2023

 

Appeal


Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal

to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of

intimation of this decision.

 

Enforcement


If the Authority fails to comply with this decision, the Commissioner has the right to certify to the Court of

Session that the Authority has failed to comply. The Court has the right to inquire into the matter and may deal

with the Authority as if it had committed a contempt of court.

 

 

 


Daren Fitzhenry
Scottish Information Commissioner

12 October 2023


Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1     General entitlement

(1)     A person who requests information from a Scottish public authority which holds it is entitled to be given 
it by the authority.

(2)     The person who makes such a request is in this Part and in Parts 2 and 7 referred to as the “applicant.”

(6)    This section is subject to sections 2, 9, 12 and 14.

 

10     Time for compliance

(1)     Subject to subsections (2) and (3), a Scottish public authority receiving a request which requires it to

comply with section 1(1) must comply promptly; and in any event by not later than the twentieth working day after-

(a)     in a case other than that mentioned in paragraph (b), the receipt by the authority of the request; or

(b)     in a case where section 1(3) applies, the receipt by it of the further information.

 

15     Duty to provide advice and assistance

(1)     A Scottish public authority must, so far as it is reasonable to expect it to do so, provide advice and

assistance to a person who proposes to make, or has made, a request for information to it.

(2)     A Scottish public authority which, in relation to the provision of advice or assistance in any case,

conforms with the code of practice issued under section 60 is, as respects that case, to be taken to comply with

the duty imposed by subsection (1).

 

 

18     Further provision as respects responses to request

(1)     Where, if information existed and was held by a Scottish public authority, the authority could give a

refusal notice under section 16(1) on the basis that the information was exempt information by virtue of any of

sections 28 to 35, 38, 39(1) or 41 but the authority considers that to reveal whether the information exists or is

so held would be contrary to the public interest, it may (whether or not the information does exist and is held by

it) give the applicant a refusal notice by virtue of this section.


21     Review by Scottish public authority

(1)     Subject to subsection (2), a Scottish public authority receiving a requirement for review must (unless

that requirement is withdrawn or is as mentioned in subsection (8)) comply promptly; and in any event by not later

than the twentieth working day after receipt by it of the requirement.


38     Personal information

(1)     Information is exempt information if it constitutes-

(b)     personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);

(2A)     The first condition is that the disclosure of the information to a member of the public otherwise than

under this Act -

(a)     would contravene any of the data protection principles, or



(5)     In this section-

"the data protection principles" means the principles set out in –

(a)     Article 5(1) of the UK GDPR, and

(b)     section 34(1) of the Data Protection Act 2018;

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see

section 3(2), (4) and (14) of that Act);

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14)

of that Act).

(5A)    In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the

UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be

read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public

authorities) were omitted.

 


39     Health, safety and the environment

(1)     Information is exempt information if its disclosure under this Act would, or would be likely to, endanger

the physical or mental health or the safety of an individual.


47     Application for decision by Commissioner

(1)     A person who is dissatisfied with -

(a)     a notice under section 21(5) or (9); or

(b)     the failure of a Scottish public authority to which a requirement for review was made to give such a

notice.

may make application to the Commissioner for a decision whether, in any respect specified in that application, the

request for information to which the requirement relates has been dealt with in accordance with Part 1 of this

Act.

(2)     An application under subsection (1) must -

(a)     be in writing or in another form which, by reason of its having some permanency, is capable of being used

for subsequent reference (as, for example, a recording made on audio or video tape);

(b)     state the name of the applicant and an address for correspondence; and

(c)     specify –

    (i)    the request for information to which the requirement for review relates;

    (ii)    the matter which was specified under sub-paragraph (ii) of section 20(3)(c); and

    (iii)    the matter which gives rise to the dissatisfaction mentioned in subsection (1).

 

 

UK General Data Protection Regulation

Article 5    Principles relating to processing of personal data

1    Personal data shall be:

    a.    processed lawfully, fairly and in a transparent manner in relation to the data subject     
    (“lawfulness, fairness and transparency”)

    …


Article 6    Lawfulness of processing

1    Processing shall be lawful only if and to the extent that at least one of the following applies:

    …
    
f.    processing is necessary for the purposes of the legitimate interests pursued by the controller

or by a third party, except where such interests are overridden by the interests or fundamental

rights and freedoms of the data subject which require the protection of personal data, in particular

where the data subject is a child.


Data Protection Act 2018

3    Terms relating to the processing of personal data 
    …
    


(2)    “Personal data” means any information relating to an identified or identifiable living individual

(subject to subsection (14)(c)).
    
(3)    “Identifiable living individual” means a living individual who can be identified, directly         or

indirectly, in particular by reference to – 
        
(a)    an identifier such as a name, an identification number, location data or an online identifier, or
        
(b)    one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
    
(4)    “Processing”, in relation to information, means an operation or set of operations             
which is performed on information, or on sets of information, such as – 
        

        
(d)    disclosure by transmission, dissemination or otherwise making available,
        

(10)    “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April

2016 on the protection of natural persons with regard to the processing of personal data and on the free movement

of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and

Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see

section 205(4)).



(14)    In Parts 5 to 7, except where otherwise provided –


    (a)    references to the UK GDPR are to the UK GDPR read with Part 2;


    …


(c)    references to personal data, and the processing of personal data, are to personal data and processing to

which Part 2, Part 3 or Part 4 applies;


(d)    references to a controller or processor are to a controller or processor in relation to the processing of

personal data to which Part 2, Part 3 or Part 4 applies.