Home Decisions

Decision 104/2023

Decision Notice 104/2023: Emails, notes, minutes and transcripts of conversations between named individuals

Authority: University of Edinburgh
Case Ref: 202101501


Summary

The Applicant asked the Authority for information relating to correspondence exchanged between named individuals.  

The Authority refused to confirm or deny whether this information was held, arguing that to do so would endanger

the health and safety of named individuals.  The Commissioner investigated and found that the Authority was not

entitled to refuse to confirm or deny whether it held the information.


Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 2(1)(b)

(Effect of exemptions); 18(1) (Further provision as respects responses to request); 38(1)(b), (2A)(a), (5)

(definitions of “data protection principles”, “data subject”, “personal data”, “processing” and “the UK GDPR”) and

(5A) (Personal information); 39(1) (Health, safety and the environment); 47(1) and (2) (Application for decision

by Commissioner)


United Kingdom General Data Protection Regulation (the UK GDPR) articles 5(1)(a) (Principles relating to

processing of personal data); 6(1)(f) (lawfulness of processing)  


Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5), (10) and (14)(a), (c) and (d) (Terms

relating to the processing of personal data)


The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision.  The

Appendix forms part of this decision.

 

Background


1.    On 2 August 2021, the Applicant made a request for information to the Authority.  He asked for:
(i)    All details of research or other funding by Chinese state, companies, universities or individuals, for

work involving a named employee over the past decade.


(ii)    All emails, minutes, notes and transcripts of conversations between a named employee and other named

individuals on, since, or between specific dates.


2.    The Authority responded on 5 October 2021.  It apologised for the delay in responding to the request, and

it notified the Applicant that the named employee had not received any funding from Chinese organisations or

individuals.  In relation to the request for emails, minutes, notes or transcripts of conversations between named

individuals, the Authority applied section 18 of FOISA (neither confirming nor denying whether the information

existed or was held), read in conjunction with sections 38(1)(b) and 39(1) of FOISA.  


3.    On 6 October 2021, the Applicant wrote to the Authority, requesting a review of its decision.  The

Applicant stated that he was dissatisfied because he considered that there was an overwhelming public interest in

disclosure of the information.


4.    The Authority notified the Applicant of the outcome of its review on 11 October 2021.  It upheld its

reliance on section 18(1) of FOISA, read in conjunction with sections 39(1) and 38(1)(b) of FOISA, and argued that

it would be contrary to the public interest to reveal whether the requested information existed or was held.


5.    On 6 December 2021, the Applicant wrote to the Commissioner, applying for a decision in terms of section

47(1) of FOISA.  The Applicant stated that he was dissatisfied with the outcome of the Authority’s review because

he believed it was against the public interest to keep this information private.

 

Investigation


6.    The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the

power to carry out an investigation.


7.    On 18 January 2022, the Authority was notified in writing that the Applicant had made a valid application.  

The case was allocated to an investigating officer.


8.    Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide

comments on an application.  The Authority was invited to comment on this application and to answer specific

questions.  These related to its reasons for neither confirming nor denying whether it held the information, or

whether it existed, and to the potential application of the exemptions cited in its response to the Applicant

Commissioner’s analysis and findings


9.    The Commissioner has considered all of the submissions made to him by the Applicant and the Authority.  

 

Section 18(1) – Neither confirm nor deny


10.    Section 18(1) of FOISA allows public authorities to refuse to confirm or deny whether they hold

information in the following limited circumstances:


•    a request has been made to the authority for information, which may or may not be held by it;


•    if the information existed and were held by the authority (and it need not be), it could give a refusal

notice under section 16(1) of FOISA, on the basis that the information was exempt information by virtue of any

exemptions in sections 28 to 35, 38, 39(1) or 41 of FOISA; and


•    the authority considers that to reveal whether the information exists or is held by it would be contrary

to the public interest.


11.    Where section 18(1) is under consideration, the Commissioner must ensure that his decision does not

confirm one way or the other whether the information requested actually exists or is held by the authority.  This

means he is unable to comment in any detail on the Authority’s reliance on any of the exemptions referred to, or

on other matters that could have the effect of indicating whether or not the information existed or was held by

the Authority.


12.    In this case, the Authority submitted that, if it held any information falling within the scope of the

Applicant’s request, it would be exempt from disclosure under 38(1)(b) and 39(1) of FOISA.
 

Section 38(1)(b) – Personal information


13.    The Commissioner will first consider whether, if the information existed and were held by the Authority,

the Authority would be justified in refusing to disclose the information by virtue of the exemption in section

38(1)(b) of FOISA.


14.    Section 38(1)(b), read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure

if it is “personal data”, as defined in section 3(2) of the DPA 2018 and its disclosure would contravene one or

more of the data protection principles set out in Article 5(1) of the UK GDPR.


Would the information, if held, be personal data?


15.    The Applicant asked for correspondence and communications between a named employee and other named

individuals, as well as information about the research funding of the named employee.  The Commissioner must first

address whether this information, if it existed and were held, would be personal data for the purposes of section

3(2) of the DPA 2018.


16.    Personal data are defined in section 3(2) of the DPA 2018 which, read with section 3(3), incorporates the

definition of personal data in Article 4(1) of the UK GDPR:


"… any information relating to an identified or identifiable natural person ("data subject"); an identifiable

natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier

such as a name, an identification number, location data, an online identifier or to one or more factors specific

to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"


17.    The Authority submitted that, if it existed and were held, the information sought would comprise the names

of individuals who sent or received emails, as well as their personal thoughts and opinions.  The Authority has

argued that this constitutes personal data, as defined in section 3(2) of the DPA 2018.


18.    The Commissioner has considered the specific wording of the requests and the information they would

capture, and he is satisfied that, if the information did exist and were held by the Authority, it would clearly

relate to the named employee and other identifiable living individuals.  The Commissioner therefore accepts that,

if it existed and were held, the information would be personal data as defined in section 3(2) of the DPA 2018.

 

Would disclosure contravene one of the data protection principles?

19.    Article 5(1)(a) of the UK GDPR requires personal data to be processed "lawfully, fairly and in a

transparent manner in relation to the data subject".  The definition of "processing" is wide and includes (section

3(4)(d) of the DPA 2018) "disclosure by transmission, dissemination or otherwise making available".  In the case

of FOISA, personal data are processed when disclosed in response to a request.  Personal data can only be

disclosed if disclosure would be both lawful (i.e. if it would meet one of the conditions of lawful processing

listed in Article 6(1) of the UK GDPR) and fair.


Lawful processing: Article 6(1)(f) of the UK GDPR


20.    Among other questions, therefore, the Commissioner must consider if disclosure of the personal data (if it

existed and were held) would be lawful.  In considering lawfulness, he must consider whether any of the conditions

in Article 6 of the UK GDPR would allow the personal data to be disclosed.


21.    The Authority has submitted that only condition (f) in Article 6(1) could potentially allow it to lawfully

disclose the information (if it existed and were held) in this case.


Condition (f): legitimate interests


22.    Condition (f) states that processing would be lawful if it … is necessary for the purposes of the

legitimate interests to be pursued by the controller or by a third party, except where such interests are

overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of

personal data, in particular where the data subject is a child.


23.    Although Article 6 states that this condition cannot apply to processing carried out by a public authority

in the performance of their tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public authorities

can rely on Article 6(1)(f) when responding to requests under FOISA.


24.    The tests which must be met before Article (6)(f) can be apply are as follows.


a)    Does the Applicant have a legitimate interest in obtaining the personal data?


b)    If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?


c)    Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by

the interests or fundamental rights and freedoms of the data subject(s)?


Does the Applicant have a legitimate interest in obtaining the personal data?


25.    There is no definition within the DPA 2018 of what constitutes a "legitimate interest ", but the

Commissioner takes the view that the term indicates that matters in which an individual properly has an interest

should be distinguished from matters about which he or she is simply inquisitive.  The Commissioner's published

guidance on section 38(1)(b) of FOISA  states:


In some cases, the legitimate interest might be personal to the applicant, e.g. he or she might want the

information in order to bring legal proceedings.  With most requests, however, there are likely to be wider

legitimate interests, such as the scrutiny of the actions of public bodies or public safety.


26.    The Authority accepted that the Applicant was pursuing a legitimate interest.  


27.    Having considered the nature of the request and the Applicant's concerns, the Commissioner is satisfied

that the Applicant has a legitimate interest in the sought communications sent and received by the named employee,

along with details of the bodies who might have funded his research.  The Commissioner notes that Covid-19 has had

an enormous impact on society and its citizens, and he accepts that the Applicant has a legitimate interest in the

communications and research funding relating to its study.


28.    Given this, the Commissioner agrees with the Authority that the Applicant is pursuing a legitimate

interest in obtaining the personal data (if it existed and were held).


Would disclosure be necessary?


29.    Having accepted that the Applicant has a legitimate interest in the personal data (if it existed and were

held), the Commissioner must consider whether disclosure of those personal data is necessary for the Applicant's

legitimate interests.  In doing so, he must consider whether these interests might be reasonably be met by any

alternative means.


30.    The Commissioner has considered this carefully in light of the decision by the Supreme Court in South

Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55 . In this case, the Supreme Court stated

(at paragraph 27):


A measure which interferes with a right protected by Community law must be the least restrictive for the

achievement of a legitimate aim.  Indeed, in ordinary language we would understand that a measure would not be

necessary if the legitimate aim could be achieved by something less.


31.    "Necessary" means "reasonably" rather than "absolutely" or "strictly" necessary.  When considering whether

disclosure would be necessary, public authorities should consider whether the disclosure is proportionate as a

means and fairly balanced as to the aims to be achieved, or whether the requester's legitimate interests can be

met by means which interfere less with the privacy of the data subject.


32.    The Authority submitted that it did not consider that disclosure of the personal data sought, if it

existed and were held, was necessary to achieve this legitimate interest.  It argued that disclosure of the

personal data (if it existed and were held) was not necessary to understand what was known about the origins of

the Covid-19 pandemic, as the information was already in the public domain.


33.    The Applicant submitted that knowing what caused the outbreak of Covid-19 was of great public interest, as

failure to understand the origins of the pandemic would impede efforts to prevent subsequent or similar outbreaks

of disease.  He argued that there were grounds to believe that leading scientists had colluded to stifle the quest

to determine the origins of the virus, and he rejected the Authority’s arguments that disclosure of the personal

data sought (if it existed and were held) would risk the safety of the individual.


34.    The Commissioner notes that the named employee has had his research on Covid-19 published in various peer-

reviewed journals.   He also notes that the Applicant is aware of these publications, and referenced some of those

articles in his information request.   The Commissioner recognises that in order to meet the criteria to be

published in peer-reviewed journals, the work in question would have been scrutinised to some degree, and this

goes some way towards satisfying the Applicant’s (and wider public’s) legitimate interest in the veracity of the

research that was published.


35.    However, given the importance of the subject matter, in the absence of other viable means of meeting the

legitimate interest in full, the Commissioner’s view is that the legitimate interests could only reasonably be met

by the disclosure of the information, if it existed and were held.


36.    Consequently, he will go in to consider whether the interest in obtaining the personal data (if held)

outweighs the rights and fundamental freedoms of the data subjects.  


Interests and fundamental freedoms of the data subjects


37.    The Commissioner must balance the legitimate interests in disclosure of the information, if it existed and

were held, against the data subject’s interests or fundamental rights and freedoms.  In doing so, it is necessary

for him to consider the impact of such a disclosure. For example, if the data subjects would not reasonably expect

that the information, if it existed and were held, would be disclosed to the public under FOISA in response to the

request, or if such disclosure would cause unjustified harm, their interests or rights are likely to override any

legitimate interests in disclosure.  Only if the legitimate interests of the Applicant outweighed those of the

data subjects could the information, if it existed and were held, be disclosed without breaching the first data

protection principle.


38.    The Commissioner's guidance on section 38 of FOISA notes factors that should be taken into account when

balancing the interests of parties.  He notes that Recital (47) of the General Data Protection Regulation states

that much will depend on the reasonable expectations of the data subjects.  These are some of the factors public

authorities should consider:


(i)    Does the information relate to an individual's public life (their work as a public official or employee)

or to their private life (their home, family, social life or finances)?


(ii)    Would the disclosure cause harm or distress?


(iii)    Whether the individual has objected to the disclosure.


39.    The Commissioner acknowledges that the information, if it existed and were held, would relate to the

public lives of individuals.  He notes that the request is seeking information regarding communications exchanged

by the named employee while they were carrying out work as part of their employment with the Authority, as well as

the funding sources of that work.  However, he also accepts that such information, if it existed and were held,

indirectly concerns the private lives of the individuals named in the correspondence, as they could receive

personal threats or harm as a result of their work activities.  The Authority has provided the Commissioner with

evidence that some of the individuals named in the request for information have been subject to threats and

intimidation as a result of their published work, and it is therefore not possible to separate out the public and

private domains in this instance.


40.    In the circumstances, the Commissioner concludes that the information, if it existed and were held, would

relate to both the private and public lives of the data subjects.  The Commissioner accepts that the data subjects

involved in the correspondence (if it existed) would not have expected it to be published, instead they would have

expected a degree of confidentiality.  Furthermore, the Commissioner notes that the named employee has not given

consent for disclosure of his personal data.


41.    The Commissioner has also considered the distress and damage to the data subjects that the Authority has

described; such as threats to their health and safety made on social media, and intimidation tactics which have

focused on the homes of some individuals.  In the circumstances, the Commissioner agrees that disclosing the

personal data, if it existed and were held, would be likely to cause harm or distress to the data subjects.


42.    After carefully balancing the legitimate interests of the individuals concerned against those of the

Applicant, the Commissioner finds that the legitimate interests served by disclosure of the personal data , if it

existed and were held, are outweighed by the unwarranted prejudice that would result to the rights and freedoms or

legitimate interests of the data subject.   While the Commissioner recognises that the background to this case

relates to matters of public concern, he is satisfied that, in all the circumstances of this case, disclosure

would be likely to cause harm and distress and that the data subject would reasonably expect that their personal

data, if it existed, would not be disclosed into the public domain.  


43.    Having found that the legitimate interests served by disclosure of the personal data, (if it existed and

were held) are outweighed by the unwarranted prejudice that would result to the rights and freedoms or legitimate

interests of the data subject, the Commissioner finds that condition (f) in Article 6(1) of the GDPR cannot be met

and that disclosure would be unlawful.  


Fairness


44.    Given that the Commissioner has concluded that the processing of the personal data, if it existed and were

held, would be unlawful, he is not required to go on to consider separately whether disclosure would otherwise be


fair and transparent in relation to the data subject.


Conclusion on the data protection principles


45.    For the reasons set out above, the Commissioner is satisfied that disclosure of any relevant personal

data, if it existed and were held, would breach the data protection principle in Article 5(1)(a) of the UK GDPR.  

46.    In all the circumstances, the Commissioner is satisfied that any such personal data, if it existed and

were held, would be exempt from disclosure under section 38(1)(b) of FOISA and that the Authority could give a

refusal notice under section 16(1) of FOISA, on the basis that the information would be so exempt.


Section 39(1) – Health, safety and the environment


47.    Section 39(1) of FOISA states that the information is exempt if its disclosure under FOISA would, or would

be likely to, endanger the physical or mental health or the safety of an individual.  This is a qualified

exemption and is subject to the public interest test required by section 2(1)(b) of FOISA.


48.    As the Commissioner notes in his briefing on this exemption , section 39(1) does not contain the usual

harm test.  Instead of the "substantial prejudice" test found in many other harm-based exemptions in Part 2 of

FOISA, this exemption refers to the "endangerment" of health or safety.  This test is less demanding than the

"substantial prejudice" test.


49.    The Authority submitted that the physical or mental health or safety of any individual named in the

request for information, as well as those who sent or received any emails would, or would be likely to, be

endangered by the disclosure of the information, if it existed or were held.


50.    The Authority argued that the risks it had identified fell into two categories: (1) that disclosure would

act as a catalyst for further threats against an Authority employee; and (2) the risk of actual harm to that

employee.


51.    In respect of risk (1) the Authority submitted that there was a risk that disclosure of the emails, if

held, would foment existing online abuse and threats against the named employee and the others involved in the

correspondence sought, if it existed and were held.


52.    The Authority submitted that there had already been numerous examples of this happening, in relation to

emails released (in a redacted form) by other institutions.  The Authority also submitted that it was aware of

“tweets” suggesting the individuals referenced in this request were responsible for millions of deaths and should

be prosecuted.  One of these individuals, in particular, had been a target of death threats related to this

matter.  The Authority provided the Commissioner with evidence to support these arguments.


53.    The Authority noted that, in his submission to the Commissioner, the Applicant used incendiary language

when he describes uncovering how “influential scientists colluded to squash concerns over a possible lab incident

to protect themselves and their funding bodies.”   The Authority understood that the Applicant was making this

serious accusation of wrongdoing regarding the employee, and that disclosing this information (if existing and

held) would further exacerbate the existing threats that the named employee and his colleagues faced.


54.    The Authority argued that a further example of this incitement included the organisation called “US Right

to Know”.   It submitted that this organisation promulgated its belief that the Covid-19 pandemic arose from a

Wuhan laboratory, and that this was being “covered up” by figures including the Authority employee.   The employee

was mentioned multiple times on the organisation’s website and this had resulted in responses on social media that

were violent, abusive, and threatening to the people referred to.  The Authority provided the Commissioner with

examples of these social media messages.  


55.    In respect of risk (2) the Authority submitted that the named employee had also raised what it considered

to be a genuine risk of actual harm to him should the information requested, if held, be disclosed.  The Authority

noted that one of the employee’s colleagues in this field, who faced the same accusations as the Applicant was

making against the named employee, had received threats of physical violence such that their employers had felt

the need to provide protection for them.  The Authority submitted that another colleague involved in this matter

had a rock with an abusive message thrown at their house.  


56.    In light of the significant level of threats and abuse aimed at the named employee and his colleagues

working in this narrow field, the Authority argued that there was a genuine (that is to say, non-hypothetical)

link between disclosure of the information (if it existed and were held) and endangerment of the individuals

named, and that this concern for physical or mental health was real and of a serious nature.


Commissioner’s view on 39(1)


57.    In considering the Authority’s submissions, the Commissioner has to be satisfied that it has evidenced

threats to the physical health or safety of the named employee (or other named individuals) resulting directly

from disclosure of the information sought (if it existed and were held).  He needs to be persuaded that such

instances would be made more likely, at least, as a result of disclosing the information, if it existed and were

held.


58.    The Commissioner has reviewed the evidence provided by the Authority, which comprises a series of “tweets”

or messages on social media.  The Commissioner acknowledges that “tweets” and other social media comment are not

necessarily incitements to do actual harm; in some cases they are designed to garner attention and followers, and

so what they say will not necessarily marry up with what the author of the tweet intends to happen.  However, it

is also clear to the Commissioner that public comments that call for named individuals to be arrested or harmed -

and in the worst instances, killed - would have an impact on the mental wellbeing of those individuals, and it

could also impact on their health or physical safety (whether those consequences were intended by the writer or

not).  


59.    Social media comments, like the ones viewed by the Commissioner in this case, can whip up anger and can

lead to other parties making similar or more threatening comments, and in the worst instances it can lead to

individuals taking violent action in response to comments that made by others.   The Authority has referred to

instances where some of the named individuals in this case have received threats of physical violence or have had

their home targeted.  


60.    The Authority has argued that, if the information were held and if it were disclosed, it would ignite a

further spate of threats that would be harmful to all of the individuals named in the request.  In the

circumstances, and having considered the detail of the threats already in the public domain, the Commissioner is

satisfied that disclosure of the information, if it existed and were were held, would cause the harm claimed by

the Authority, and accordingly he finds that the exemption in section 39(1) of FOISA is engaged.  He is persuaded

that the risk of harm is real and is not hypothetical.


61.    Having reached this conclusion, the Commissioner is required to consider the public interest test in

relation to this information.


The public interest test - section 2(1)(b)

62.    Section 39(1) is a qualified exemption, which means that its application is subject to the public interest

test in section 2(1)(b) of FOISA.  Therefore, having decided that the information, if it were held, would be

exempt under section 39(1), the Commissioner must go on to consider whether, in all the circumstances of the case,

the public interest in disclosing the information, if it existed and was held, would be outweighed by the public

interest in maintaining the exemption.  If it is, then he must order the Authority to disclose the information.


The authority’s submissions on the public interest


63.    The Authority acknowledged that there was a clear public interest in the transparent operation of public

authorities.  However, it referred to the threatening behaviour it had highlighted earlier in its submissions and

argued that, should this information be disclosed (if it existed and were held), it was likely that individuals

would be targeted further.  Given this, the Authority contended that the public interest in withholding this

information, if held, would outweigh the public interest in releasing it.


64.    The Authority noted that FOISA is “applicant blind”.  It submitted that this meant it could not, and did

not, ask about the motives of anyone asking for information.  In providing a response to one person, it must then

provide the same information to anyone, including those who might represent a threat to an individual.  In this

context, the Authority highlighted that the named employee had become the subject of abuse and unfounded

allegations about his knowledge of the origins of Covid-19.  


65.    The Authority acknowledged that there was a public interest in openness and transparency.  The Authority

also acknowledged that there was a public interest in information relating to the Covid-19 pandemic and related

work carried out by relevant academics.  However, when considering the public interest in this case, the Authority

took account of the fact that the named employee (among others who had been the targets of threats and abuse as

referenced above) has published his findings publicly.  It noted that both of these articles are freely available

to the public online, and one article had been accessed over five and half million times.


66.    The Authority argued that the named employee’s findings and opinions in relation to the origins of the

Covid-19 pandemic were already in the public domain, including in a peer-reviewed journal.  Given the above, the

Authority argued that it did not consider the public interest to favour disclosure of the information requested

(if it existed and were held).


The Applicant's submissions about the public interest


67.    The Applicant argued that the issue at the centre of his request related to the publication of arguably

the most influential statement in a journal during the pandemic, which was published by the named employee with

four other prominent experts.  He highlighted alleged controversy in relation to this statement and claimed

oversight by others.  


68.    The Applicant submitted that there were clear grounds for concern, given the importance of these issues,

and he argued that a publicly-funded organisation should not be involved in this lack of transparency on such an

important issue.  The Applicant contended that there were grounds to believe that leading scientific figures had

been deceiving the public and stifling the quest to determine the origins of the pandemic.  He rejected the

Authority’s arguments that disclosure of the information, if held, would cause risk to the named employee.


The Commissioner's view on the public interest - section 2(1)(b)


69.    The Commissioner has considered all of the submissions received regarding the public interest test, and

while acknowledging why the Applicant made the request and that disclosure might be of wider interest to the

public, he has to consider whether disclosure of the information, if in existence and held, would be in the

interests of the public.  This has to be set against the public interest in maintaining the exemption and

preventing the “endangerment” of health or safety, claimed and accepted above.


70.    The Commissioner accepts that there is general public interest in disclosure of the requested information,

should it exist and be held by the Authority.  This would contribute to ensuring that individuals involved in

investigating the origins of Covid-19, with the use of public funds, are communicating their findings accurately,

and that information which does not fit their published narrative is not being withheld.  This would contribute to

ensuring that bodies which benefit from public funds are transparent and open and would increase public knowledge.  


71.    Nevertheless, a balancing exercise must be undertaken.  The Commissioner has found that disclosure of the

information (if it existed and were held) would, or would be likely to, endanger the physical or mental health or

the safety of individuals.  This means, the public interest arguments in favour of disclosure must be strong to

outweigh the public interest in ensuring that individuals are not endangered as a result of such disclosure.


72.    In all of the circumstances of the case, the Commissioner finds that the public interest arguments put

forward by the Applicant are not strong enough to outweigh the public interest in ensuring that individuals are

not endangered.  He therefore finds that the public interest in maintaining the exemption in section 39(1) would

outweigh any public interest in disclosure of the information (if it existed and were held).


The public interest test - section 18(1)


73.    Having accepted that the Authority could give a refusal notice under section 16(1) of FOISA on the basis

that any relevant information would be exempt information by virtue of section 38(1)(b) and section 39(1) of

FOISA, the Commissioner is required by section 18(1) to go on to consider whether the Authority was entitled to

conclude that it would be contrary to the public interest to reveal whether the information existed or was held.


74.    The Authority submitted that revealing whether or not it held the information would be contrary to the

public interest, because it would further link the Authority’s employee to the individuals already with abuse in

relation to the allegations that the Applicant had raised.  The Authority submitted that disclosing whether or not

the information was held carried substantially the same risks as the disclosure of the information itself.


75.    The Authority noted that it had legal duties as the employer of the named individual, both in relation to

the processing of their personal data, and their health and safety.   It explained that the named employee had

raised concerns with the Authority about confirming whether or not the information existed.  In the circumstances,

the Authority submitted that confirming whether or not the information was held risked breaching its legal duties

to the named employee.


76.    The test the Commissioner must consider is whether (having already concluded that the information, if it

existed and were held, would be exempt from disclosure) revealing whether the information exists or is held would

be contrary to the public interest.


77.    As discussed above, the Commissioner has accepted the engagement of section 38(1)(b) and 39(1) of FOISA.


78.    The Commissioner notes that the Applicant’s request is for communications between scientists who

collaborated on research, and co-authored a published article.  The named employee is the focus of the request,

and the request is also seeking information on the funding he has received, as well as his correspondence with

named individuals.  The Commissioner would expect it to be likely that co-authors of a scientific paper, from

various Institutes, written during a period of global travel restrictions, would have communicated with each other

in a recorded format.  

79.    The Commissioner is not convinced that confirming or denying whether the information exists or not, or is

held or not, would be the catalyst for the harm the Authority has described.  Given the nature of the subject

matter, any decision on the matter might be expected to draw attention to the topic and, by extension, to the

named individuals and their field of interest, and possibly generate a degree of additional comment.  Given what

is in the public domain already, however, it is not apparent to the Commissioner that the impact of simply

confirming or denying would be significant.  


80.    The Commissioner notes that all of these individuals work in the scientific field, and the publication of

their research is a key objective, and often a requirement, of their posts.


81.    The Applicant’s arguments on the public interest are set out at paragraphs 67 to 68 above.  


82.    Taking account of all of the relevant submissions received, the Commissioner is not satisfied that, were

the Authority to reveal whether the information requested by the Applicant existed or was held by it, it would

lead to the endangerment of the mental wellbeing, health or safety of the named employee and the other individuals

named in the request.  


83.    Having carefully considered the submissions from both parties and the information already in the public

domain, the Commissioner’s view is that there is not a strong argument to refuse to confirm or deny whether the

information exists and is held.  


84.    On balance, therefore, the Commissioner concludes that the Authority was not entitled to refuse to confirm

or deny, in line with section 18(1) of FOISA, whether it held the information requested, or whether the

information existed.


85.    The Commissioner requires the Authority to issue the Applicant with a revised review outcome, otherwise

than in terms of section 18(1) of FOISA.  He requires the Authority to confirm to the Applicant whether the

information requested existed and was held by it when it received the request, and to issue a fresh review in

terms of section 21(4)(b) of FOISA.

 

 

Decision


The Commissioner finds that the Authority failed to comply with Part 1 (in particular section 1(1)) of the Freedom

of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant.  


He finds that the Authority was not entitled to refuse to confirm or deny, in line with section 18(1) of FOISA,

whether it held the information requested, or whether that information existed.  


The Commissioner therefore requires the Authority to reveal to the Applicant whether the information requested

existed and was held by it when it received the request, and to provide the Applicant with a fresh review outcome

in terms of section 21(4) of FOISA, by 27 November 2023.

 


Appeal


Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal

to the Court of Session on a point of law only.  Any such appeal must be made within 42 days after the date of

intimation of this decision.

 

Enforcement


If the Authority fails to comply with this decision, the Commissioner has the right to certify to the Court of

Session that the Authority has failed to comply.  The Court has the right to inquire into the matter and may deal

with the Authority as if it had committed a contempt of court.

 

Daren Fitzhenry
Scottish Information Commissioner

12 October 2023

 

 

Appendix 1: Relevant statutory provisions


Freedom of Information (Scotland) Act 2002


1     General entitlement


(1)     A person who requests information from a Scottish public authority which holds it is entitled to be given

it by the authority.


(2)     The person who makes such a request is in this Part and in Parts 2 and 7 referred to as the “applicant.”



(6)    This section is subject to sections 2, 9, 12 and 14.

 

 

2     Effect of exemptions


(1)     To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to

the extent that –



(b)     in all the circumstances of the case, the public interest in disclosing the information is not outweighed

by that in maintaining the exemption.


 

 

18     Further provision as respects responses to request


(1)     Where, if information existed and was held by a Scottish public authority, the authority could give a

refusal notice under section 16(1) on the basis that the information was exempt information by virtue of any of

sections 28 to 35, 38, 39(1) or 41 but the authority considers that to reveal whether the information exists or is

so held would be contrary to the public interest, it may (whether or not the information does exist and is held by

it) give the applicant a refusal notice by virtue of this section.


 

 

38     Personal information


(1)     Information is exempt information if it constitutes-



(b)     personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);



(2A)     The first condition is that the disclosure of the information to a member of the public otherwise than

under this Act -


(a)     would contravene any of the data protection principles, or



(5)     In this section-


"the data protection principles" means the principles set out in –


(a)     Article 5(1) of the UK GDPR, and


(b)     section 34(1) of the Data Protection Act 2018;


"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);



“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see

section 3(2), (4) and (14) of that Act);


“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14)

of that Act).


(5A)    In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the

UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be

read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public

authorities) were omitted.


 

 

39     Health, safety and the environment


(1)     Information is exempt information if its disclosure under this Act would, or would be likely to, endanger

the physical or mental health or the safety of an individual.


 

 

47     Application for decision by Commissioner


(1)     A person who is dissatisfied with -


(a)     a notice under section 21(5) or (9); or


(b)     the failure of a Scottish public authority to which a requirement for review was made to give such a

notice.


may make application to the Commissioner for a decision whether, in any respect specified in that application, the

request for information to which the requirement relates has been dealt with in accordance with Part 1 of this

Act.


(2)     An application under subsection (1) must -


(a)     be in writing or in another form which, by reason of its having some permanency, is capable of being used

for subsequent reference (as, for example, a recording made on audio or video tape);


(b)     state the name of the applicant and an address for correspondence; and


(c)     specify –


    (i)    the request for information to which the requirement for review relates;


    (ii)    the matter which was specified under sub-paragraph (ii) of section 20(3)(c);   and


    (iii)    the matter which gives rise to the dissatisfaction mentioned in subsection (1).


    …

 

 

 


UK General Data Protection Regulation


Article 5    Principles relating to processing of personal data


1    Personal data shall be:


    a.    processed lawfully, fairly and in a transparent manner in relation to the data subject     

    (“lawfulness, fairness and transparency”)


    …

 

 


Article 6    Lawfulness of processing


1    Processing shall be lawful only if and to the extent that at least one of the following applies:


    …


    f.    processing is necessary for the purposes of the legitimate interests pursued by the     

    controller or by a third party, except where such interests are overridden by the         

    interests or fundamental rights and freedoms of the data subject which require the         protection

of personal data, in particular where the data subject is a child.

 

 

Data Protection Act 2018


3    Terms relating to the processing of personal data


    …


    (2)    “Personal data” means any information relating to an identified or identifiable living     

    individual (subject to subsection (14)(c)).


    (3)    “Identifiable living individual” means a living individual who can be identified, directly     

    or indirectly, in particular by reference to –


        (a)    an identifier such as a name, an identification number, location data or an         

    online identifier, or


        (b)    one or more factors specific to the physical, physiological, genetic, mental,         

    economic, cultural or social identity of the individual.

 

    (4)    “Processing”, in relation to information, means an operation or set of operations         

    which is performed on information, or on sets of information, such as –


        …


        (d)    disclosure by transmission, dissemination or otherwise making available,


        …

 


(5)    “Data subject” means the identified or identifiable living individual to whom personal data relates.



(10)    “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April


2016 on the protection of natural persons with regard to the processing of personal data and on the free movement

of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and

Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see

section 205(4)).



(14)    In Parts 5 to 7, except where otherwise provided –


    (a)    references to the UK GDPR are to the UK GDPR read with Part 2;


    …


(c)    references to personal data, and the processing of personal data, are to personal data and processing to

which Part 2, Part 3 or Part 4 applies;


(d)    references to a controller or processor are to a controller or processor in relation to the processing of

personal data to which Part 2, Part 3 or Part 4 applies.