Decision Notice 104/2023: Emails, notes, minutes and transcripts of conversations between named individuals
Authority: University of Edinburgh
Case Ref: 202101501
Summary
The Applicant asked the Authority for information relating to correspondence exchanged between named individuals.
The Authority refused to confirm or deny whether this information was held, arguing that to do so would endanger
the health and safety of named individuals. The Commissioner investigated and found that the Authority was not
entitled to refuse to confirm or deny whether it held the information.
Relevant statutory provisions
Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 2(1)(b)
(Effect of exemptions); 18(1) (Further provision as respects responses to request); 38(1)(b), (2A)(a), (5)
(definitions of “data protection principles”, “data subject”, “personal data”, “processing” and “the UK GDPR”) and
(5A) (Personal information); 39(1) (Health, safety and the environment); 47(1) and (2) (Application for decision
by Commissioner)
United Kingdom General Data Protection Regulation (the UK GDPR) articles 5(1)(a) (Principles relating to
processing of personal data); 6(1)(f) (lawfulness of processing)
Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5), (10) and (14)(a), (c) and (d) (Terms
relating to the processing of personal data)
The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The
Appendix forms part of this decision.
Background
1. On 2 August 2021, the Applicant made a request for information to the Authority. He asked for:
(i) All details of research or other funding by Chinese state, companies, universities or individuals, for
work involving a named employee over the past decade.
(ii) All emails, minutes, notes and transcripts of conversations between a named employee and other named
individuals on, since, or between specific dates.
2. The Authority responded on 5 October 2021. It apologised for the delay in responding to the request, and
it notified the Applicant that the named employee had not received any funding from Chinese organisations or
individuals. In relation to the request for emails, minutes, notes or transcripts of conversations between named
individuals, the Authority applied section 18 of FOISA (neither confirming nor denying whether the information
existed or was held), read in conjunction with sections 38(1)(b) and 39(1) of FOISA.
3. On 6 October 2021, the Applicant wrote to the Authority, requesting a review of its decision. The
Applicant stated that he was dissatisfied because he considered that there was an overwhelming public interest in
disclosure of the information.
4. The Authority notified the Applicant of the outcome of its review on 11 October 2021. It upheld its
reliance on section 18(1) of FOISA, read in conjunction with sections 39(1) and 38(1)(b) of FOISA, and argued that
it would be contrary to the public interest to reveal whether the requested information existed or was held.
5. On 6 December 2021, the Applicant wrote to the Commissioner, applying for a decision in terms of section
47(1) of FOISA. The Applicant stated that he was dissatisfied with the outcome of the Authority’s review because
he believed it was against the public interest to keep this information private.
Investigation
6. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the
power to carry out an investigation.
7. On 18 January 2022, the Authority was notified in writing that the Applicant had made a valid application.
The case was allocated to an investigating officer.
8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide
comments on an application. The Authority was invited to comment on this application and to answer specific
questions. These related to its reasons for neither confirming nor denying whether it held the information, or
whether it existed, and to the potential application of the exemptions cited in its response to the Applicant
Commissioner’s analysis and findings
9. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority.
Section 18(1) – Neither confirm nor deny
10. Section 18(1) of FOISA allows public authorities to refuse to confirm or deny whether they hold
information in the following limited circumstances:
• a request has been made to the authority for information, which may or may not be held by it;
• if the information existed and were held by the authority (and it need not be), it could give a refusal
notice under section 16(1) of FOISA, on the basis that the information was exempt information by virtue of any
exemptions in sections 28 to 35, 38, 39(1) or 41 of FOISA; and
• the authority considers that to reveal whether the information exists or is held by it would be contrary
to the public interest.
11. Where section 18(1) is under consideration, the Commissioner must ensure that his decision does not
confirm one way or the other whether the information requested actually exists or is held by the authority. This
means he is unable to comment in any detail on the Authority’s reliance on any of the exemptions referred to, or
on other matters that could have the effect of indicating whether or not the information existed or was held by
the Authority.
12. In this case, the Authority submitted that, if it held any information falling within the scope of the
Applicant’s request, it would be exempt from disclosure under 38(1)(b) and 39(1) of FOISA.
Section 38(1)(b) – Personal information
13. The Commissioner will first consider whether, if the information existed and were held by the Authority,
the Authority would be justified in refusing to disclose the information by virtue of the exemption in section
38(1)(b) of FOISA.
14. Section 38(1)(b), read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure
if it is “personal data”, as defined in section 3(2) of the DPA 2018 and its disclosure would contravene one or
more of the data protection principles set out in Article 5(1) of the UK GDPR.
Would the information, if held, be personal data?
15. The Applicant asked for correspondence and communications between a named employee and other named
individuals, as well as information about the research funding of the named employee. The Commissioner must first
address whether this information, if it existed and were held, would be personal data for the purposes of section
3(2) of the DPA 2018.
16. Personal data are defined in section 3(2) of the DPA 2018 which, read with section 3(3), incorporates the
definition of personal data in Article 4(1) of the UK GDPR:
"… any information relating to an identified or identifiable natural person ("data subject"); an identifiable
natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier
such as a name, an identification number, location data, an online identifier or to one or more factors specific
to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"
17. The Authority submitted that, if it existed and were held, the information sought would comprise the names
of individuals who sent or received emails, as well as their personal thoughts and opinions. The Authority has
argued that this constitutes personal data, as defined in section 3(2) of the DPA 2018.
18. The Commissioner has considered the specific wording of the requests and the information they would
capture, and he is satisfied that, if the information did exist and were held by the Authority, it would clearly
relate to the named employee and other identifiable living individuals. The Commissioner therefore accepts that,
if it existed and were held, the information would be personal data as defined in section 3(2) of the DPA 2018.
Would disclosure contravene one of the data protection principles?
19. Article 5(1)(a) of the UK GDPR requires personal data to be processed "lawfully, fairly and in a
transparent manner in relation to the data subject". The definition of "processing" is wide and includes (section
3(4)(d) of the DPA 2018) "disclosure by transmission, dissemination or otherwise making available". In the case
of FOISA, personal data are processed when disclosed in response to a request. Personal data can only be
disclosed if disclosure would be both lawful (i.e. if it would meet one of the conditions of lawful processing
listed in Article 6(1) of the UK GDPR) and fair.
Lawful processing: Article 6(1)(f) of the UK GDPR
20. Among other questions, therefore, the Commissioner must consider if disclosure of the personal data (if it
existed and were held) would be lawful. In considering lawfulness, he must consider whether any of the conditions
in Article 6 of the UK GDPR would allow the personal data to be disclosed.
21. The Authority has submitted that only condition (f) in Article 6(1) could potentially allow it to lawfully
disclose the information (if it existed and were held) in this case.
Condition (f): legitimate interests
22. Condition (f) states that processing would be lawful if it … is necessary for the purposes of the
legitimate interests to be pursued by the controller or by a third party, except where such interests are
overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of
personal data, in particular where the data subject is a child.
23. Although Article 6 states that this condition cannot apply to processing carried out by a public authority
in the performance of their tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public authorities
can rely on Article 6(1)(f) when responding to requests under FOISA.
24. The tests which must be met before Article (6)(f) can be apply are as follows.
a) Does the Applicant have a legitimate interest in obtaining the personal data?
b) If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?
c) Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by
the interests or fundamental rights and freedoms of the data subject(s)?
Does the Applicant have a legitimate interest in obtaining the personal data?
25. There is no definition within the DPA 2018 of what constitutes a "legitimate interest ", but the
Commissioner takes the view that the term indicates that matters in which an individual properly has an interest
should be distinguished from matters about which he or she is simply inquisitive. The Commissioner's published
guidance on section 38(1)(b) of FOISA states:
In some cases, the legitimate interest might be personal to the applicant, e.g. he or she might want the
information in order to bring legal proceedings. With most requests, however, there are likely to be wider
legitimate interests, such as the scrutiny of the actions of public bodies or public safety.
26. The Authority accepted that the Applicant was pursuing a legitimate interest.
27. Having considered the nature of the request and the Applicant's concerns, the Commissioner is satisfied
that the Applicant has a legitimate interest in the sought communications sent and received by the named employee,
along with details of the bodies who might have funded his research. The Commissioner notes that Covid-19 has had
an enormous impact on society and its citizens, and he accepts that the Applicant has a legitimate interest in the
communications and research funding relating to its study.
28. Given this, the Commissioner agrees with the Authority that the Applicant is pursuing a legitimate
interest in obtaining the personal data (if it existed and were held).
Would disclosure be necessary?
29. Having accepted that the Applicant has a legitimate interest in the personal data (if it existed and were
held), the Commissioner must consider whether disclosure of those personal data is necessary for the Applicant's
legitimate interests. In doing so, he must consider whether these interests might be reasonably be met by any
alternative means.
30. The Commissioner has considered this carefully in light of the decision by the Supreme Court in South
Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55 . In this case, the Supreme Court stated
(at paragraph 27):
A measure which interferes with a right protected by Community law must be the least restrictive for the
achievement of a legitimate aim. Indeed, in ordinary language we would understand that a measure would not be
necessary if the legitimate aim could be achieved by something less.
31. "Necessary" means "reasonably" rather than "absolutely" or "strictly" necessary. When considering whether
disclosure would be necessary, public authorities should consider whether the disclosure is proportionate as a
means and fairly balanced as to the aims to be achieved, or whether the requester's legitimate interests can be
met by means which interfere less with the privacy of the data subject.
32. The Authority submitted that it did not consider that disclosure of the personal data sought, if it
existed and were held, was necessary to achieve this legitimate interest. It argued that disclosure of the
personal data (if it existed and were held) was not necessary to understand what was known about the origins of
the Covid-19 pandemic, as the information was already in the public domain.
33. The Applicant submitted that knowing what caused the outbreak of Covid-19 was of great public interest, as
failure to understand the origins of the pandemic would impede efforts to prevent subsequent or similar outbreaks
of disease. He argued that there were grounds to believe that leading scientists had colluded to stifle the quest
to determine the origins of the virus, and he rejected the Authority’s arguments that disclosure of the personal
data sought (if it existed and were held) would risk the safety of the individual.
34. The Commissioner notes that the named employee has had his research on Covid-19 published in various peer-
reviewed journals. He also notes that the Applicant is aware of these publications, and referenced some of those
articles in his information request. The Commissioner recognises that in order to meet the criteria to be
published in peer-reviewed journals, the work in question would have been scrutinised to some degree, and this
goes some way towards satisfying the Applicant’s (and wider public’s) legitimate interest in the veracity of the
research that was published.
35. However, given the importance of the subject matter, in the absence of other viable means of meeting the
legitimate interest in full, the Commissioner’s view is that the legitimate interests could only reasonably be met
by the disclosure of the information, if it existed and were held.
36. Consequently, he will go in to consider whether the interest in obtaining the personal data (if held)
outweighs the rights and fundamental freedoms of the data subjects.
Interests and fundamental freedoms of the data subjects
37. The Commissioner must balance the legitimate interests in disclosure of the information, if it existed and
were held, against the data subject’s interests or fundamental rights and freedoms. In doing so, it is necessary
for him to consider the impact of such a disclosure. For example, if the data subjects would not reasonably expect
that the information, if it existed and were held, would be disclosed to the public under FOISA in response to the
request, or if such disclosure would cause unjustified harm, their interests or rights are likely to override any
legitimate interests in disclosure. Only if the legitimate interests of the Applicant outweighed those of the
data subjects could the information, if it existed and were held, be disclosed without breaching the first data
protection principle.
38. The Commissioner's guidance on section 38 of FOISA notes factors that should be taken into account when
balancing the interests of parties. He notes that Recital (47) of the General Data Protection Regulation states
that much will depend on the reasonable expectations of the data subjects. These are some of the factors public
authorities should consider:
(i) Does the information relate to an individual's public life (their work as a public official or employee)
or to their private life (their home, family, social life or finances)?
(ii) Would the disclosure cause harm or distress?
(iii) Whether the individual has objected to the disclosure.
39. The Commissioner acknowledges that the information, if it existed and were held, would relate to the
public lives of individuals. He notes that the request is seeking information regarding communications exchanged
by the named employee while they were carrying out work as part of their employment with the Authority, as well as
the funding sources of that work. However, he also accepts that such information, if it existed and were held,
indirectly concerns the private lives of the individuals named in the correspondence, as they could receive
personal threats or harm as a result of their work activities. The Authority has provided the Commissioner with
evidence that some of the individuals named in the request for information have been subject to threats and
intimidation as a result of their published work, and it is therefore not possible to separate out the public and
private domains in this instance.
40. In the circumstances, the Commissioner concludes that the information, if it existed and were held, would
relate to both the private and public lives of the data subjects. The Commissioner accepts that the data subjects
involved in the correspondence (if it existed) would not have expected it to be published, instead they would have
expected a degree of confidentiality. Furthermore, the Commissioner notes that the named employee has not given
consent for disclosure of his personal data.
41. The Commissioner has also considered the distress and damage to the data subjects that the Authority has
described; such as threats to their health and safety made on social media, and intimidation tactics which have
focused on the homes of some individuals. In the circumstances, the Commissioner agrees that disclosing the
personal data, if it existed and were held, would be likely to cause harm or distress to the data subjects.
42. After carefully balancing the legitimate interests of the individuals concerned against those of the
Applicant, the Commissioner finds that the legitimate interests served by disclosure of the personal data , if it
existed and were held, are outweighed by the unwarranted prejudice that would result to the rights and freedoms or
legitimate interests of the data subject. While the Commissioner recognises that the background to this case
relates to matters of public concern, he is satisfied that, in all the circumstances of this case, disclosure
would be likely to cause harm and distress and that the data subject would reasonably expect that their personal
data, if it existed, would not be disclosed into the public domain.
43. Having found that the legitimate interests served by disclosure of the personal data, (if it existed and
were held) are outweighed by the unwarranted prejudice that would result to the rights and freedoms or legitimate
interests of the data subject, the Commissioner finds that condition (f) in Article 6(1) of the GDPR cannot be met
and that disclosure would be unlawful.
Fairness
44. Given that the Commissioner has concluded that the processing of the personal data, if it existed and were
held, would be unlawful, he is not required to go on to consider separately whether disclosure would otherwise be
fair and transparent in relation to the data subject.
Conclusion on the data protection principles
45. For the reasons set out above, the Commissioner is satisfied that disclosure of any relevant personal
data, if it existed and were held, would breach the data protection principle in Article 5(1)(a) of the UK GDPR.
46. In all the circumstances, the Commissioner is satisfied that any such personal data, if it existed and
were held, would be exempt from disclosure under section 38(1)(b) of FOISA and that the Authority could give a
refusal notice under section 16(1) of FOISA, on the basis that the information would be so exempt.
Section 39(1) – Health, safety and the environment
47. Section 39(1) of FOISA states that the information is exempt if its disclosure under FOISA would, or would
be likely to, endanger the physical or mental health or the safety of an individual. This is a qualified
exemption and is subject to the public interest test required by section 2(1)(b) of FOISA.
48. As the Commissioner notes in his briefing on this exemption , section 39(1) does not contain the usual
harm test. Instead of the "substantial prejudice" test found in many other harm-based exemptions in Part 2 of
FOISA, this exemption refers to the "endangerment" of health or safety. This test is less demanding than the
"substantial prejudice" test.
49. The Authority submitted that the physical or mental health or safety of any individual named in the
request for information, as well as those who sent or received any emails would, or would be likely to, be
endangered by the disclosure of the information, if it existed or were held.
50. The Authority argued that the risks it had identified fell into two categories: (1) that disclosure would
act as a catalyst for further threats against an Authority employee; and (2) the risk of actual harm to that
employee.
51. In respect of risk (1) the Authority submitted that there was a risk that disclosure of the emails, if
held, would foment existing online abuse and threats against the named employee and the others involved in the
correspondence sought, if it existed and were held.
52. The Authority submitted that there had already been numerous examples of this happening, in relation to
emails released (in a redacted form) by other institutions. The Authority also submitted that it was aware of
“tweets” suggesting the individuals referenced in this request were responsible for millions of deaths and should
be prosecuted. One of these individuals, in particular, had been a target of death threats related to this
matter. The Authority provided the Commissioner with evidence to support these arguments.
53. The Authority noted that, in his submission to the Commissioner, the Applicant used incendiary language
when he describes uncovering how “influential scientists colluded to squash concerns over a possible lab incident
to protect themselves and their funding bodies.” The Authority understood that the Applicant was making this
serious accusation of wrongdoing regarding the employee, and that disclosing this information (if existing and
held) would further exacerbate the existing threats that the named employee and his colleagues faced.
54. The Authority argued that a further example of this incitement included the organisation called “US Right
to Know”. It submitted that this organisation promulgated its belief that the Covid-19 pandemic arose from a
Wuhan laboratory, and that this was being “covered up” by figures including the Authority employee. The employee
was mentioned multiple times on the organisation’s website and this had resulted in responses on social media that
were violent, abusive, and threatening to the people referred to. The Authority provided the Commissioner with
examples of these social media messages.
55. In respect of risk (2) the Authority submitted that the named employee had also raised what it considered
to be a genuine risk of actual harm to him should the information requested, if held, be disclosed. The Authority
noted that one of the employee’s colleagues in this field, who faced the same accusations as the Applicant was
making against the named employee, had received threats of physical violence such that their employers had felt
the need to provide protection for them. The Authority submitted that another colleague involved in this matter
had a rock with an abusive message thrown at their house.
56. In light of the significant level of threats and abuse aimed at the named employee and his colleagues
working in this narrow field, the Authority argued that there was a genuine (that is to say, non-hypothetical)
link between disclosure of the information (if it existed and were held) and endangerment of the individuals
named, and that this concern for physical or mental health was real and of a serious nature.
Commissioner’s view on 39(1)
57. In considering the Authority’s submissions, the Commissioner has to be satisfied that it has evidenced
threats to the physical health or safety of the named employee (or other named individuals) resulting directly
from disclosure of the information sought (if it existed and were held). He needs to be persuaded that such
instances would be made more likely, at least, as a result of disclosing the information, if it existed and were
held.
58. The Commissioner has reviewed the evidence provided by the Authority, which comprises a series of “tweets”
or messages on social media. The Commissioner acknowledges that “tweets” and other social media comment are not
necessarily incitements to do actual harm; in some cases they are designed to garner attention and followers, and
so what they say will not necessarily marry up with what the author of the tweet intends to happen. However, it
is also clear to the Commissioner that public comments that call for named individuals to be arrested or harmed -
and in the worst instances, killed - would have an impact on the mental wellbeing of those individuals, and it
could also impact on their health or physical safety (whether those consequences were intended by the writer or
not).
59. Social media comments, like the ones viewed by the Commissioner in this case, can whip up anger and can
lead to other parties making similar or more threatening comments, and in the worst instances it can lead to
individuals taking violent action in response to comments that made by others. The Authority has referred to
instances where some of the named individuals in this case have received threats of physical violence or have had
their home targeted.
60. The Authority has argued that, if the information were held and if it were disclosed, it would ignite a
further spate of threats that would be harmful to all of the individuals named in the request. In the
circumstances, and having considered the detail of the threats already in the public domain, the Commissioner is
satisfied that disclosure of the information, if it existed and were were held, would cause the harm claimed by
the Authority, and accordingly he finds that the exemption in section 39(1) of FOISA is engaged. He is persuaded
that the risk of harm is real and is not hypothetical.
61. Having reached this conclusion, the Commissioner is required to consider the public interest test in
relation to this information.
The public interest test - section 2(1)(b)
62. Section 39(1) is a qualified exemption, which means that its application is subject to the public interest
test in section 2(1)(b) of FOISA. Therefore, having decided that the information, if it were held, would be
exempt under section 39(1), the Commissioner must go on to consider whether, in all the circumstances of the case,
the public interest in disclosing the information, if it existed and was held, would be outweighed by the public
interest in maintaining the exemption. If it is, then he must order the Authority to disclose the information.
The authority’s submissions on the public interest
63. The Authority acknowledged that there was a clear public interest in the transparent operation of public
authorities. However, it referred to the threatening behaviour it had highlighted earlier in its submissions and
argued that, should this information be disclosed (if it existed and were held), it was likely that individuals
would be targeted further. Given this, the Authority contended that the public interest in withholding this
information, if held, would outweigh the public interest in releasing it.
64. The Authority noted that FOISA is “applicant blind”. It submitted that this meant it could not, and did
not, ask about the motives of anyone asking for information. In providing a response to one person, it must then
provide the same information to anyone, including those who might represent a threat to an individual. In this
context, the Authority highlighted that the named employee had become the subject of abuse and unfounded
allegations about his knowledge of the origins of Covid-19.
65. The Authority acknowledged that there was a public interest in openness and transparency. The Authority
also acknowledged that there was a public interest in information relating to the Covid-19 pandemic and related
work carried out by relevant academics. However, when considering the public interest in this case, the Authority
took account of the fact that the named employee (among others who had been the targets of threats and abuse as
referenced above) has published his findings publicly. It noted that both of these articles are freely available
to the public online, and one article had been accessed over five and half million times.
66. The Authority argued that the named employee’s findings and opinions in relation to the origins of the
Covid-19 pandemic were already in the public domain, including in a peer-reviewed journal. Given the above, the
Authority argued that it did not consider the public interest to favour disclosure of the information requested
(if it existed and were held).
The Applicant's submissions about the public interest
67. The Applicant argued that the issue at the centre of his request related to the publication of arguably
the most influential statement in a journal during the pandemic, which was published by the named employee with
four other prominent experts. He highlighted alleged controversy in relation to this statement and claimed
oversight by others.
68. The Applicant submitted that there were clear grounds for concern, given the importance of these issues,
and he argued that a publicly-funded organisation should not be involved in this lack of transparency on such an
important issue. The Applicant contended that there were grounds to believe that leading scientific figures had
been deceiving the public and stifling the quest to determine the origins of the pandemic. He rejected the
Authority’s arguments that disclosure of the information, if held, would cause risk to the named employee.
The Commissioner's view on the public interest - section 2(1)(b)
69. The Commissioner has considered all of the submissions received regarding the public interest test, and
while acknowledging why the Applicant made the request and that disclosure might be of wider interest to the
public, he has to consider whether disclosure of the information, if in existence and held, would be in the
interests of the public. This has to be set against the public interest in maintaining the exemption and
preventing the “endangerment” of health or safety, claimed and accepted above.
70. The Commissioner accepts that there is general public interest in disclosure of the requested information,
should it exist and be held by the Authority. This would contribute to ensuring that individuals involved in
investigating the origins of Covid-19, with the use of public funds, are communicating their findings accurately,
and that information which does not fit their published narrative is not being withheld. This would contribute to
ensuring that bodies which benefit from public funds are transparent and open and would increase public knowledge.
71. Nevertheless, a balancing exercise must be undertaken. The Commissioner has found that disclosure of the
information (if it existed and were held) would, or would be likely to, endanger the physical or mental health or
the safety of individuals. This means, the public interest arguments in favour of disclosure must be strong to
outweigh the public interest in ensuring that individuals are not endangered as a result of such disclosure.
72. In all of the circumstances of the case, the Commissioner finds that the public interest arguments put
forward by the Applicant are not strong enough to outweigh the public interest in ensuring that individuals are
not endangered. He therefore finds that the public interest in maintaining the exemption in section 39(1) would
outweigh any public interest in disclosure of the information (if it existed and were held).
The public interest test - section 18(1)
73. Having accepted that the Authority could give a refusal notice under section 16(1) of FOISA on the basis
that any relevant information would be exempt information by virtue of section 38(1)(b) and section 39(1) of
FOISA, the Commissioner is required by section 18(1) to go on to consider whether the Authority was entitled to
conclude that it would be contrary to the public interest to reveal whether the information existed or was held.
74. The Authority submitted that revealing whether or not it held the information would be contrary to the
public interest, because it would further link the Authority’s employee to the individuals already with abuse in
relation to the allegations that the Applicant had raised. The Authority submitted that disclosing whether or not
the information was held carried substantially the same risks as the disclosure of the information itself.
75. The Authority noted that it had legal duties as the employer of the named individual, both in relation to
the processing of their personal data, and their health and safety. It explained that the named employee had
raised concerns with the Authority about confirming whether or not the information existed. In the circumstances,
the Authority submitted that confirming whether or not the information was held risked breaching its legal duties
to the named employee.
76. The test the Commissioner must consider is whether (having already concluded that the information, if it
existed and were held, would be exempt from disclosure) revealing whether the information exists or is held would
be contrary to the public interest.
77. As discussed above, the Commissioner has accepted the engagement of section 38(1)(b) and 39(1) of FOISA.
78. The Commissioner notes that the Applicant’s request is for communications between scientists who
collaborated on research, and co-authored a published article. The named employee is the focus of the request,
and the request is also seeking information on the funding he has received, as well as his correspondence with
named individuals. The Commissioner would expect it to be likely that co-authors of a scientific paper, from
various Institutes, written during a period of global travel restrictions, would have communicated with each other
in a recorded format.
79. The Commissioner is not convinced that confirming or denying whether the information exists or not, or is
held or not, would be the catalyst for the harm the Authority has described. Given the nature of the subject
matter, any decision on the matter might be expected to draw attention to the topic and, by extension, to the
named individuals and their field of interest, and possibly generate a degree of additional comment. Given what
is in the public domain already, however, it is not apparent to the Commissioner that the impact of simply
confirming or denying would be significant.
80. The Commissioner notes that all of these individuals work in the scientific field, and the publication of
their research is a key objective, and often a requirement, of their posts.
81. The Applicant’s arguments on the public interest are set out at paragraphs 67 to 68 above.
82. Taking account of all of the relevant submissions received, the Commissioner is not satisfied that, were
the Authority to reveal whether the information requested by the Applicant existed or was held by it, it would
lead to the endangerment of the mental wellbeing, health or safety of the named employee and the other individuals
named in the request.
83. Having carefully considered the submissions from both parties and the information already in the public
domain, the Commissioner’s view is that there is not a strong argument to refuse to confirm or deny whether the
information exists and is held.
84. On balance, therefore, the Commissioner concludes that the Authority was not entitled to refuse to confirm
or deny, in line with section 18(1) of FOISA, whether it held the information requested, or whether the
information existed.
85. The Commissioner requires the Authority to issue the Applicant with a revised review outcome, otherwise
than in terms of section 18(1) of FOISA. He requires the Authority to confirm to the Applicant whether the
information requested existed and was held by it when it received the request, and to issue a fresh review in
terms of section 21(4)(b) of FOISA.
Decision
The Commissioner finds that the Authority failed to comply with Part 1 (in particular section 1(1)) of the Freedom
of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant.
He finds that the Authority was not entitled to refuse to confirm or deny, in line with section 18(1) of FOISA,
whether it held the information requested, or whether that information existed.
The Commissioner therefore requires the Authority to reveal to the Applicant whether the information requested
existed and was held by it when it received the request, and to provide the Applicant with a fresh review outcome
in terms of section 21(4) of FOISA, by 27 November 2023.
Appeal
Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal
to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of
intimation of this decision.
Enforcement
If the Authority fails to comply with this decision, the Commissioner has the right to certify to the Court of
Session that the Authority has failed to comply. The Court has the right to inquire into the matter and may deal
with the Authority as if it had committed a contempt of court.
Daren Fitzhenry
Scottish Information Commissioner
12 October 2023
Appendix 1: Relevant statutory provisions
Freedom of Information (Scotland) Act 2002
1 General entitlement
(1) A person who requests information from a Scottish public authority which holds it is entitled to be given
it by the authority.
(2) The person who makes such a request is in this Part and in Parts 2 and 7 referred to as the “applicant.”
…
(6) This section is subject to sections 2, 9, 12 and 14.
2 Effect of exemptions
(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to
the extent that –
…
(b) in all the circumstances of the case, the public interest in disclosing the information is not outweighed
by that in maintaining the exemption.
…
18 Further provision as respects responses to request
(1) Where, if information existed and was held by a Scottish public authority, the authority could give a
refusal notice under section 16(1) on the basis that the information was exempt information by virtue of any of
sections 28 to 35, 38, 39(1) or 41 but the authority considers that to reveal whether the information exists or is
so held would be contrary to the public interest, it may (whether or not the information does exist and is held by
it) give the applicant a refusal notice by virtue of this section.
…
38 Personal information
(1) Information is exempt information if it constitutes-
…
(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);
…
(2A) The first condition is that the disclosure of the information to a member of the public otherwise than
under this Act -
(a) would contravene any of the data protection principles, or
…
(5) In this section-
"the data protection principles" means the principles set out in –
(a) Article 5(1) of the UK GDPR, and
(b) section 34(1) of the Data Protection Act 2018;
"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
…
“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see
section 3(2), (4) and (14) of that Act);
“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14)
of that Act).
(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the
UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be
read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public
authorities) were omitted.
…
39 Health, safety and the environment
(1) Information is exempt information if its disclosure under this Act would, or would be likely to, endanger
the physical or mental health or the safety of an individual.
…
47 Application for decision by Commissioner
(1) A person who is dissatisfied with -
(a) a notice under section 21(5) or (9); or
(b) the failure of a Scottish public authority to which a requirement for review was made to give such a
notice.
may make application to the Commissioner for a decision whether, in any respect specified in that application, the
request for information to which the requirement relates has been dealt with in accordance with Part 1 of this
Act.
(2) An application under subsection (1) must -
(a) be in writing or in another form which, by reason of its having some permanency, is capable of being used
for subsequent reference (as, for example, a recording made on audio or video tape);
(b) state the name of the applicant and an address for correspondence; and
(c) specify –
(i) the request for information to which the requirement for review relates;
(ii) the matter which was specified under sub-paragraph (ii) of section 20(3)(c); and
(iii) the matter which gives rise to the dissatisfaction mentioned in subsection (1).
…
UK General Data Protection Regulation
Article 5 Principles relating to processing of personal data
1 Personal data shall be:
a. processed lawfully, fairly and in a transparent manner in relation to the data subject
(“lawfulness, fairness and transparency”)
…
Article 6 Lawfulness of processing
1 Processing shall be lawful only if and to the extent that at least one of the following applies:
…
f. processing is necessary for the purposes of the legitimate interests pursued by the
controller or by a third party, except where such interests are overridden by the
interests or fundamental rights and freedoms of the data subject which require the protection
of personal data, in particular where the data subject is a child.
Data Protection Act 2018
3 Terms relating to the processing of personal data
…
(2) “Personal data” means any information relating to an identified or identifiable living
individual (subject to subsection (14)(c)).
(3) “Identifiable living individual” means a living individual who can be identified, directly
or indirectly, in particular by reference to –
(a) an identifier such as a name, an identification number, location data or an
online identifier, or
(b) one or more factors specific to the physical, physiological, genetic, mental,
economic, cultural or social identity of the individual.
(4) “Processing”, in relation to information, means an operation or set of operations
which is performed on information, or on sets of information, such as –
…
(d) disclosure by transmission, dissemination or otherwise making available,
…
(5) “Data subject” means the identified or identifiable living individual to whom personal data relates.
…
(10) “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April
2016 on the protection of natural persons with regard to the processing of personal data and on the free movement
of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and
Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see
section 205(4)).
…
(14) In Parts 5 to 7, except where otherwise provided –
(a) references to the UK GDPR are to the UK GDPR read with Part 2;
…
(c) references to personal data, and the processing of personal data, are to personal data and processing to
which Part 2, Part 3 or Part 4 applies;
(d) references to a controller or processor are to a controller or processor in relation to the processing of
personal data to which Part 2, Part 3 or Part 4 applies.