Decision 106/2022: Data Controllers for Scottish Borders Multi-Agency Risk Assessment Conference (MARAC)
Authority: Scottish Borders Council
Case Ref: 202100491
The Applicant asked the Authority to detail the data controllers recorded by it for the Scottish Borders MARAC. The Authority provided the Applicant with the information it held, but the Applicant was not satisfied that all the information had been provided. The Applicant was also dissatisfied that the Authority’s review had been late. The Commissioner found that the Authority had provided all the information it held, but had failed to carry out a review within the statutory timescale.
Relevant statutory provisions
Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2), (4) and (6) (General entitlement); section 21(1) (Review by Scottish public authority); 47(1) and (2) (Application for decision by Commissioner)
The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.
1. On 7 February 2021, the Applicant made a request for information to the Authority. He asked the Authority to detail the data controllers that were recorded by the Authority for the Scottish Borders Multi-Agency Risk Assessment Conference (MARAC).
2. The Authority responded on 23 February 2021. It explained that MARAC was not a legal entity in its own right and it was the responsibility of each agency to ensure that the information they shared was compliant with the Data Protection Act 2018 (DPA)/GDPR (UK General Data Protection Regulation). The Authority provided a list of organisations that had signed the MARAC information sharing protocol (ISP) and stated that “as such would have their own data controller”.
3. On 25 February 2021, the Applicant wrote to the Authority requesting a review of its decision. The Applicant was dissatisfied with the Authority’s response because he did not believe that he had been provided with the information requested. He questioned whether some of the organisation names (in the supplied list) were accurate, and whether some of the organisations were registered with the ICO (the (UK) Information Commissioner). He requested a list of data controllers (as defined by the DPA 2018) who are recorded as attending the MARACs. He specified that the data controllers could be identified by their full and accurate name as recorded on the ICO’s register or by the Data Protection Reference Number. The Applicant also highlighted his concern that the Authority had provided excess information, as several departments from the same organisation had been listed, and whom (he contended) would fall under the same data controller.
4. The Authority notified the Applicant of the outcome of its review on 16 April 2021. The Authority provided the Applicant with a copy of an ISP which had been agreed by all who have responsibility for their agency role within the MARAC. It explained that these were core agencies that had signed-up to the MARAC process. The Authority also apologised for time it had taken to respond to the request for review. The Authority redacted signatures in terms of section 38(1)(b) of FOISA. (This redaction was not challenged by the Applicant and is not considered further in this decision.)
5. On 18 April 2021, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. The Applicant stated he was dissatisfied with the outcome of the Authority’s review because he did not consider that the Authority had provided all the information he had requested, as the information did not allow the organisations to be unequivocally identified as data controllers, and also that the Authority had not responded to his request for review on time.
6. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.
7. On 28 April 2021, the Authority was notified in writing that the Applicant had made a valid application and the case was allocated to an investigating officer.
8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. On 21 July 2022, the Authority was invited to comment on this application and to answer specific questions. These related to the searches it had carried out and how it had determined what information it held falling within the scope of the request.
Commissioner’s analysis and findings
9. The Commissioner has considered all the submissions made to him by the Applicant and the Authority.
Determining what information was held by the Authority
10. Section 1(1) of FOISA provides that a person who requests information from a Scottish public authority which holds it is entitled to be given that information by the authority subject to qualifications which, by virtue of section 1(6) of FOISA, allow Scottish public authorities to withhold information or charge a fee for it. The qualifications contained in section 1(6) are not applicable in this case.
11. The information to be given is that held by the authority at the time the request is received, as defined in section 1(4). This is not necessarily to be equated with the information an applicant believes an authority should hold.
Submissions from the Applicant
12. When seeking a review from the Authority, the Applicant referred to the ICO register of Data Controllers, and his concern that some of organisations on the list provided to him by the Authority did not appear to be on this register. He stressed that his request for a full list of Data Controllers (as defined by the DPA 2018).
13. The Applicant highlighted that, although the Authority had provided a long list of organisations who participate in the MARAC, the organisations could not be identified as Data Controllers on the ICO register.
Submissions from the Authority
14. In its submissions, the Authority explained that it had interpreted the review as trying to ascertain:
- whether the Authority’s Information Sharing Agreement was compliant with GDPR and the DPA 2018, and
- a list of Data Controllers who are recorded as attending MARACs
15. The Authority provided the Applicant with a copy of the ISP in its review to demonstrate to the Applicant that it was compliant with UK GDPR and the DPA 2018, as it considered that it was evident from the document that it contained a list of Information Sharing Partner Organisations (Data Controllers).
16. The Authority explained that the most appropriate way to provide a list of Data Controllers who were recorded as attending MARACs was by providing a copy of the MARAC ISP.
17. The Authority had provided the information in the form it was held, and it did not check whether organisations were, or were required to be, registered with the ICO, as it is was for each individual organisation to determine whether it should be registered.
18. The Authority explained that a wide range of potential agencies can refer to MARAC, with many only referring once, and it was not possible to have all potential referring organisations included in the ISP. The Authority described how the MARAC meets every four weeks, and that an organisation can refer up to eight days before a meeting, so the opportunity to include one off organisations in the protocol and have them sign and return it was not practical.
19. The Authority explained that the ISP is updated every few years, unless there is a significant change in the law or the constitution of MARAC that requires to be reflected in the protocol. It stated that the ISP is currently being reviewed and updated, and that the current version was reviewed to ensure it was fit for purpose when MARAC meetings moved online during the Covid-19 pandemic.
20. The Authority explained the reasons why there may have been differences in the organisations listed in the ISP and the organisations which had signed.
21. The Authority confirmed that the only information it held in relation to data controllers for the purposes of MARAC was within the ISP that was provided to the Applicant.
The Commissioner's findings
22. The standard of proof to determine whether a Scottish public authority holds information is the civil standard of the balance of probabilities. In determining where the balance lies, the Commissioner will consider the scope, quality, thoroughness and results of the searches carried out by the public authority. He will also consider, where appropriate, any reason offered by the public authority to explain why the information is not held.
23. As was mentioned before, FOISA provides the right to access information, falling within the scope of the request, held by an authority at the time of the request.
24. This request was for information about the Data Controllers recorded by the Authority for MARAC. The Commissioner is satisfied that the Authority interpreted the request reasonably (and accurately) and provided the Applicant with the relevant information it held at the time of the request, in the form it was held. The Authority has explained the context of the information it held – about MARAC and those agencies involved in the MARAC process - and although the Applicant believed the information he had requested would exist and be recorded in a particular way, the Commissioner is satisfied that this was not the case at the time the request was received by the Authority.
25. In the circumstances, the Commissioner is satisfied the Authority complied with section 1(1) of FOISA, in that it provided the Applicant with the information it held falling within the scope of the request.
Handling of the request – requirement for review
26. Section 21(1) of FOISA gives Scottish public authorities a maximum of 20 working days following the date of receipt of the requirement to comply with a requirement for review. This is subject to qualifications which are not relevant in this case.
27. It is a matter of fact that the Authority did not provide a response to the Applicant’s requirement for review within 20 working days, so the Commissioner finds that it failed to comply with section 21(1) of FOISA.
28. The Authority responded to the Applicant’s requirement for review on 16 April 2021, and apologised to him for its failure to respond to the requirement for review in time. As such, the Commissioner does not require the Authority to take any further action.
The Commissioner finds that the Authority partially complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant.
The Commissioner finds that, by providing the information held by it at the time of the request in the format it was held, the Authority complied with Part 1 of FOISA.
However, in failing to provide a response to the Applicant’s requirement for review within the timescale laid down by section 21(1) of FOISA, the Authority breached Part 1 of FOISA.
Given that the Authority provided a review response to the Applicant, the Commissioner does not require the Authority to take any action in respect of this failure in response to the Applicant’s application.
Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.
Head of Enforcement
17 October 2022
Appendix 1: Relevant statutory provisions
Freedom of Information (Scotland) Act 2002
1 General entitlement
(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.
(2) The person who makes such a request is in this Part and in Parts 2 and 7 referred to as the “applicant.”
(4) The information to be given by the authority is that held by it at the time the request is received, except that, subject to subsection (5), any amendment or deletion which would have been made, regardless of the receipt of the request, between that time and the time it gives the information may be made before the information is given.
(6) This section is subject to sections 2, 9, 12 and 14.
21 Review by Scottish public authority
(1) Subject to subsection (2), a Scottish public authority receiving a requirement for review must (unless that requirement is withdrawn or is as mentioned in subsection (8)) comply promptly; and in any event by not later than the twentieth working day after receipt by it of the requirement.
47 Application for decision by Commissioner
(1) A person who is dissatisfied with -
(a) a notice under section 21(5) or (9); or
(b) the failure of a Scottish public authority to which a requirement for review was made to give such a notice.
may make application to the Commissioner for a decision whether, in any respect specified in that application, the request for information to which the requirement relates has been dealt with in accordance with Part 1 of this Act.
(2) An application under subsection (1) must -
(a) be in writing or in another form which, by reason of its having some permanency, is capable of being used for subsequent reference (as, for example, a recording made on audio or video tape);
(b) state the name of the applicant and an address for correspondence; and
(c) specify –
(i) the request for information to which the requirement for review relates;
(ii) the matter which was specified under sub-paragraph (ii) of section 20(3)(c); and
(iii) the matter which gives rise to the dissatisfaction mentioned in subsection (1).