
Decision 125/2022

Decision Notice 125/2022: Data protection impact assessments and terms and conditions for cloud services

Applicant:  The Applicant
Public authority:  Chief Constable of the Police Service of Scotland
Case Ref:  202100669


Summary

Police Scotland were asked for information about cloud services they used (or planned to use), including corresponding terms and conditions and data protection impact assessments.

Police Scotland disclosed some information, initially withholding the remainder on the basis that some of it comprised personal data, or that disclosure of some of it would prejudice commercial interests or the prevention or detection of crime.  They later claimed that the disclosure of some other information would prejudice the effective conduct of public affairs.  Police Scotland also refused to confirm or deny whether they held any further information.

The Commissioner investigated and found that Police Scotland had partially breached FOISA in responding to the request.  While the Commissioner found that Police Scotland had correctly withheld some information, he found that they had failed to respond within the legislative timescales, had failed to identify all relevant information, had wrongly withheld some information under the exemptions claimed, and were not entitled to neither confirm nor deny whether any further information existed or was held.  He required Police Scotland to disclose certain information and to issue a revised review outcome in respect of any further information which might be held.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2), (4) and (6) (General entitlement); 2(1) and (2)(e)(ii) (Effect of exemptions); 10(1)(a) (Time for compliance); 15 (Duty to provide advice and assistance); 16(1) (Refusal of request); 18(1) (Further provision as respects responses to request); 21(5) (Review by Scottish public authority); 30(c) (Prejudice to effective conduct of public affairs); 31(1) (National security and defence); 33(1)(b) (Commercial interests and the economy); 35(1)(a) (Law enforcement); 38(1)(b), (2A), (5) (definitions of “the data protection principles”, “data subject”, “personal data” and “processing”, “the UK GDPR”) and (5A) (Personal information); 39(1) (Health, safety and the environment)

United Kingdom General Data Protection Regulation (the UK GDPR) articles 4(1) (definition of “personal data”) (Definitions); 5(1)(a) (Principles relating to processing of personal data); 6(1)(f) (Lawfulness of processing)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (10), (14)(a), (c) and (d) (Terms relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision.  The Appendix forms part of this decision.

Background

1. On 15 January 2021, the Applicant made a request for information to the Chief Constable of the Police Service of Scotland (Police Scotland).  The information requested was:

1) A list of all cloud services currently consumed, or planned to be consumed, by Police Scotland from Microsoft, AWS and Google Cloud Platform with indicative budgetary expenditures planned for each.  This should include any services which utilise these services as part of their underpinning cloud service provision for storage or processing of data - such as some Body Worn Video or Digital Evidence cloud services.

2) A copy of the applicable Terms and Conditions applicable to these services for use by Police Scotland.

3) Copies of the Data Protection Impact Assessments (DPIAs) conducted for these services under the terms applicable for personal data types falling under the GDPR (now UK GDPR/Data Protection Act 2018 other than Parts 3 & 4) provisions.

4) Copies of the DPIAs conducted for these services under the terms applicable for data types falling under the Law Enforcement Directive (Data Protection Act 2018 Part 3) provisions. [Section 64 of the 2018 Act]

5) Details of any correspondence or guidance received from the [UK] Information Commissioner or other professional sources relating to the use of these services or the DPIAs performed for the processing of personal data for Law Enforcement purposes.

2. Having received no response within 20 working days, on various occasions between 15 February 2021 and 9 April 2021, the Applicant wrote to Police Scotland chasing up their response and asking for progress updates.  On each occasion, Police Scotland responded.  They apologised for the delay in responding, and informed the Applicant of his right to request a review on the basis of their late response (pointing out that this could only be done once, and that he would not be able to request a further review if unhappy with its content).  Police Scotland explained that the information requested was being collated and considered, and that the impact of the COVID-19 pandemic on staff availability had affected the speed of response.  During this time, the Applicant confirmed he was happy to wait for a full response.

3. On 7 May 2021, still having received no response, the Applicant wrote to Police Scotland, requesting a review of their failure to respond to his request within 20 working days.

4. On 19 May 2021, Police Scotland responded to the Applicant’s request.  They apologised for the delay in responding, explaining it had taken longer than hoped to obtain the information and redact the documents requested.  Police Scotland noted the Applicant had requested a review of their late response which, they stated, they would respond to shortly.

5. For parts 1) - 4) of the Applicant’s request, Police Scotland disclosed some information, with redactions.  For the information withheld, Police Scotland applied the exemptions in section 33(1)(b) (Commercial interests and the economy), section 35(1)(a) (Law enforcement) and section 38(1)(b) (Personal information) of FOISA, with explanation and consideration of the public interest test, where required.  Police Scotland also refused to confirm or deny whether any additional information was held or existed, and applied section 18 (Further provision as respects responses to requests) of FOISA in conjunction with section 35, for (they claimed) the reasons already stated.

6. For part 5) of the Applicant’s request, Police Scotland confirmed that they had not received any such guidance, and applied section 17 (Notice that information is not held) of FOISA.

7. On 24 May 2021, the Applicant wrote to Police Scotland, expressing several matters of dissatisfaction with the content of the response and the delay in responding.  He asked Police Scotland to clarify a number of elements.  The Applicant stated that, depending on Police Scotland’s response, he might formally request a review of these points, in addition to the late response, or may escalate the matter to the Commissioner.

8. On 24 May 2021, Police Scotland notified the Applicant of the outcome of their review of their failure to respond.  They accepted they had failed to respond to the Applicant’s request within 20 working days and apologised, noting they had issued their response on 19 May 2021.

9. Later that day, Police Scotland informed the Applicant that they could only process one internal review.  As the Applicant had previously requested a review of the late response, they stated they had disregarded his second request for review.  In response, the Applicant maintained he had not sought a second review, rather had asked for clarification of the response provided.  Police Scotland subsequently maintained that the Applicant’s email of 24 May 2021 (referred to in paragraph 7) appeared to be a request for review, which they were not able to address due to the previous request for review submitted (i.e. on 7 May 2021, referred to in paragraph 3).

10. To be of assistance, Police Scotland clarified that the refusal to provide the information withheld, under the exemptions articulated, related only to the redacted information in the documents provided.  In relation to any other information held and covered by the Applicant’s request, Police Scotland explained that section 18 of FOISA applied.

11. On 26 May 2021, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA.  The Applicant stated he was dissatisfied with the outcome of Police Scotland’s review for parts 1) - 4) of his request because:

  • the delay in Police Scotland’s response being issued was unacceptably long, with no explanation for the delay;
  • he believed further information was held which had not been disclosed; and
  • he believed that Police Scotland had provided inappropriate reasons for refusing to disclose the information withheld under the exemptions applied, including their public interest arguments for doing so.

Investigation

12. The application was accepted as valid.  The Commissioner confirmed that the Applicant had made a request for information to a Scottish public authority and had asked the authority to review its response to that request before applying to him for a decision.

13. On 7 June 2021, Police Scotland were notified in writing that the Applicant had made a valid application and were asked to send the Commissioner the information withheld from the Applicant.  Police Scotland provided the information and the case was subsequently allocated to an investigating officer.

14. When providing the information, Police Scotland explained they had identified additional information, falling within the scope of the request, which they were happy to disclose to the Applicant (with redactions), along with some further information in one of the documents previously disclosed.  Police Scotland stated they were now also applying the exemption in section 30(c) (Prejudice to effective conduct of public affairs) of FOISA to withhold some information in all of the documents identified.

15. On 10 August 2021, the investigating officer asked Police Scotland to disclose this further information to the Applicant and they did so on 6 September 2021.  In doing so, Police Scotland explained why the exemptions in section 33(1)(b), section 35(1)(a) and section 38(1)(b) applied, but made no mention as to why some of the information was now being withheld under section 30(c) of FOISA.

16. In light of Police Scotland’s revised position, the Applicant was invited to clarify the scope of his dissatisfaction.  He was also invited to provide any further comments on the public interest in disclosure of the information being withheld under the exemptions being relied on, including his legitimate interests in obtaining the personal data withheld under section 38(1)(b).

17. On 24 September 2021, the Applicant provided submissions to the Commissioner.  He also confirmed that, in addition to those matters already raised in his application to the Commissioner (in paragraph 11 above), he was further dissatisfied with Police Scotland’s decision to now also rely on section 30(c) to withhold some information, and their failure to identify which exemption applied to which section of redacted information.  The Applicant confirmed he was raising no dissatisfaction with Police Scotland’s response to part 5) of his request.

18. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application.  Police Scotland were invited to comment on this application and to answer specific questions.  These focused on:

  • Police Scotland’s failure to respond to the initial request within statutory timescales, and the reasons for the delay
  • whether Police Scotland held any further information falling within the scope of parts 1) - 4) of the Applicant’s request, and the searches carried out for the information requested
  • Police Scotland’s justification for withholding (variously) some of the information requested under the exemptions in section 30(c), section 33(1)(b), section 35(1)(a) and section 38(1)(b), including consideration of the public interest test (where applicable)
  • whether Police Scotland believed they had complied with the duty in section 15 of FOISA to advise and assist, by not providing a separate response to each part of the Applicant’s request, and by not making clear which exemption was being applied to each part of the request, or to each section of redacted information in the documents disclosed, and
  • Police Scotland’s reliance on section 18 of FOISA for “any further information held”.  (NB:  Although the Applicant did not directly raise any dissatisfaction with this matter, the Commissioner considers it relevant to explore this, in light of the Applicant’s belief that further information was held which was not disclosed to him.)

19. Police Scotland duly provided submissions to the Commissioner.  Further submissions were requested from, and provided by, Police Scotland during the course of the investigation.

Commissioner’s analysis and findings

20. In coming to a decision on this matter, the Commissioner has considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both the Applicant and Police Scotland.  He is satisfied that no matter of relevance has been overlooked.

Section 10(1) – Time for compliance

21. Section 10(1) of FOISA gives Scottish public authorities a maximum of 20 working days following the date of receipt of the request to comply with a request for information.  This is subject to qualifications which are not relevant in this case.

22. In his application to the Commissioner, the Applicant was dissatisfied with the time taken by Police Scotland to issue their response.  He considered the delay to have been unacceptably long, with no explanation for the delay.

23. In their submissions to the Commissioner, Police Scotland explained that, at the time of the Applicant’s request, although their FOI workload was returning to normal levels, they were working with a reduced number of staff due to the impact of the COVID-19 pandemic, and simply did not have sufficient staff resource to meet demand.  This, they explained, was further compounded by the number of business areas requiring to be involved in the request, to consider the information requested.

24. Police Scotland submitted that they provided the Applicant with updates and an apology for the delay in responding.  They accepted they had breached the legislative timescale in section 10(1) of FOISA and apologised.

25. The Commissioner notes, from the correspondence between the two parties at the time (i.e. during the period from 15 February 2021 to 9 April 2021), that the Applicant had sought regular updates on the progress of his request.  This shows that Police Scotland responded on each occasion, apologising for and explaining the delay in responding, and advising the Applicant of his right to request a review on the basis that their response was late.  The Commissioner also notes that the Applicant appeared to have accepted these explanations at the material times, in order to allow Police Scotland the opportunity to provide a full response.

26. Notwithstanding this, it is a matter of fact that Police Scotland did not provide a response to the Applicant’s original information request of 15 January 2021 within 20 working days, so the Commissioner finds that they failed to comply with section 10(1) of FOISA.

Whether Police Scotland held any further relevant information

27. In terms of section 1(4) of FOISA, the information to be provided in response to a request under section 1(1) is that falling within the scope of the request and held by the authority at the time the request is received.

28. The standard of proof to determine whether a Scottish public authority holds information is the civil standard of the balance of probabilities.  In determining where the balance of probabilities lies, the Commissioner considers the scope, quality, thoroughness and results of the searches carried out by the public authority.  He also considers, where appropriate, any reason offered by the public authority to explain why it does not hold the information.  While it may be relevant as part of this exercise to explore expectations about what information the authority should hold, ultimately the Commissioner's role is to determine what relevant recorded information is (or was, at the time the request was received) actually held by the public authority.

The Applicant’s submissions on the information held

29. The Commissioner has taken account of the arguments in both the Applicant’s application and his further submissions to the Commissioner, in which he provides reasons as to why he considers Police Scotland should hold further information falling within the scope of his request.

30. In his submissions to the Commissioner, the Applicant believed that Police Scotland had failed to fulfil his request.  He submitted that:

  • for part 1), the information disclosed was very limited and Police Scotland had failed to provide a list of all cloud services or any indicative budgetary spend.  He sought confirmation that Police Scotland made no use of other cloud services, or for a fuller list to be provided;
  • for part 2), he believed Police Scotland had not fully responded; and
  • for parts 3) and 4), while Police Scotland had provided limited information on DPIAs, he believed that further information relating to other core cloud-based systems used by Police Scotland had not been provided or confirmed as held or not held.  In support of his view, he argued that the wider use of such services had been confirmed from other public disclosures and from references in the information disclosed in response to his request (in particular to AWS, Google Cloud Platform, Microsoft Azure and M365 (MS Teams)), but the corresponding DPIAs had not been provided.

Police Scotland’s submissions on the information held

31. Police Scotland explained the searches and enquiries they had undertaken to identify the information requested, with explanations of why they considered these adequate in the circumstances.

32. Police Scotland submitted that the request was forwarded to their Information Assurance Unit (IAU), which maintains records of all DPIAs.  They explained that the tracking of DPIAs was held on their Sharepoint system, and all documents associated with each of these records were held within a separate folder on the shared drive.  A manual search was carried out which identified the information falling within the scope of the request, which was partially disclosed to the Applicant on 19 May 2021 (Road Traffic (CRASH) and Wellbeing Training DPIAs, and Perform Plus Call Off Order Form), with some information redacted.

33. Police Scotland explained that services which were developed on their own servers, and which did not use cloud technology, were not considered to fall within the scope of the request.  They submitted that their IAU had provided the details of all relevant systems at the time of the original request.

34. Although the “Terms and Conditions” for any identified projects had been requested, Police Scotland explained that they had interpreted this to also include any “Data Processing Agreements” and any other contractual documentation, which were in addition to the Police Scotland Standard Terms and Conditions that the IAU has had cause to seek or implement during the DPIA process.

35. Police Scotland further submitted that the request was also sent to their Information and Communications Technology (ICT) team, who provided information regarding MS Teams (although this was not included at that time, on the basis that the DPIA had not been finalised and was subject to change).

36. As rehearsed above, on 6 September 2021, Police Scotland partially disclosed some further information identified (Perform Plus DPIA) to the Applicant, along with some additional information which had been originally withheld in the Wellbeing Training DPIA previously disclosed, with some information redacted in both documents.

37. Police Scotland were asked to explain why this further information (Perform Plus DPIA), now identified as falling within scope, had not been disclosed to the Applicant when they issued their review outcome on 19 May 2021.  In response, Police Scotland explained that the information had originally been gathered for inclusion, but had been missed by the time the response was issued.  It was only discovered as having been omitted following receipt of the Commissioner’s request for submissions.

38. During the investigation, Police Scotland changed their position in relation to the MS Teams DPIA.  They confirmed this was being worked on at the time of the request and, in light of the findings in Decision 153/2021, they now considered this information to fall within scope.  They explained that they used the standard Microsoft Terms and Conditions for Office 365, which are held by Microsoft and which are publicly available.  Police Scotland confirmed they were happy to partially disclose the MS Teams DPIA to the Applicant, with some information redacted.

39. Police Scotland were also asked to confirm whether they held the information requested in part 1) of the request (list of cloud services and indicative budgetary spend) and, if so, to provide the Commissioner with that information.  Police Scotland duly did so, and confirmed they were happy to disclose that information to the Applicant.

40. In light of the Applicant’s contention that Police Scotland had not fully responded to his request, Police Scotland submitted that the response had been provided collectively for all questions and documents.  They accepted that clarification should have been provided at the time of responding, and that this could be rectified with a revised response.

The Commissioner’s view on the information held

41. The Commissioner has considered all relevant submissions and the terms of the request, including the searches undertaken by Police Scotland to establish whether they held any further information that was relevant to the request.

42. The Commissioner will consider Police Scotland’s disclosure of the further information in the Wellbeing Training DPIA (referred to in paragraph 36) later in this Decision Notice, given this was originally withheld under an exemption in FOISA.

43. It is evident that the other information referred to in paragraphs 36-37 (Perform Plus DPIA) should clearly have been identified as falling within scope by the close of Police Scotland’s review (i.e. their response of 19 May 2021), at the latest.  The Commissioner accepts Police Scotland’s position regarding this information, which they omitted to disclose to the Applicant in their response of 19 May 2021, but which has since been partially disclosed.

44. It is equally clear that the information referred to in paragraph 38 (MS Teams DPIA) should have been identified as falling within scope at that time.  The Commissioner acknowledges Police Scotland’s subsequent change of position regarding this information.

45. Further, the Commissioner notes that Police Scotland failed to provide a response to part 1) of the Applicant’s request.  Again, the identification and consideration of the information requested (list of cloud services and corresponding indicative budgetary spend referred to in paragraph 39) is something Police Scotland ought to have addressed in their review outcome of 19 May 2021.

46. In the Commissioner’s view, these are all matters which Police Scotland should have addressed at that time.  Given that these matters were not resolved definitively until during the investigation, it is clear that Police Scotland failed to take adequate steps to provide the Applicant with all of the information he was entitled to, when responding to him.  In this respect, the Commissioner finds that Police Scotland failed to comply with section 1(1) of FOISA.

47. Not only were these failures breaches of FOISA, they resulted in avoidable delay for the Applicant in receiving the information to which he is entitled.

48. The Commissioner therefore requires Police Scotland to disclose to the Applicant the additional information identified during the investigation (referred to in paragraphs 38 and 39), namely the list of cloud services and indicative budgetary spend, plus the information in the MS Teams DPIA which Police Scotland have confirmed they are happy to disclose.  For the remainder of the information in the MS Teams DPIA, which Police Scotland are seeking to withhold, the Commissioner will consider this later in this Decision Notice, under the relevant exemptions claimed.

Section 30(c) – Prejudice to effective conduct of public affairs

49. Section 30(c) of FOISA provides that information is exempt information if its disclosure would otherwise prejudice substantially, or be likely to prejudice substantially, the effective conduct of public affairs.  This exemption is subject to the public interest test in section 2(1)(b) of FOISA.

50. The word "otherwise" distinguishes the harm required from that envisaged by the exemptions in section 30(a) and (b).  This is a broad exemption and the Commissioner expects any public authority applying it to show what specific harm would (or would be likely to) be caused to the conduct of public affairs by disclosure of the information, and how that harm would be expected to follow from disclosure.

51. There is no definition of "substantial prejudice" in FOISA, but the Commissioner considers the harm in question would require to be of real and demonstrable significance.  The authority must also be able to satisfy the Commissioner that the harm would, or would be likely to, occur: therefore, the authority needs to establish a real risk or likelihood of actual harm occurring as a consequence of disclosure at some time in the near (certainly the foreseeable) future, not simply that the harm is a remote possibility.

The Applicant’s submissions on section 30(c)

52. In his submissions to the Commissioner, the Applicant accepted that the exemption would apply in certain circumstances, for example to protect legal opinion and obtain full and frank guidance in the pursuit of public sector delivery.  He asked the Commissioner to examine exactly where this exemption had been applied (as this was unclear in the information disclosed), and whether it had been correctly applied.  In his view, it would be unlikely to apply to certain parts of the DPIAs disclosed.

Police Scotland’s submissions on section 30(c)

53. In their submissions to the Commissioner, Police Scotland confirmed that they wished to continue to rely on section 30(c) to withhold some of the information requested in all four documents disclosed.

54. Police Scotland explained that the information withheld under section 30(c) related to email addresses and telephone numbers of non-public-facing departments, which would not ordinarily be in receipt of emails from members of the public, and external partner agencies.

55. Police Scotland submitted that, in their experience, public disclosure of internal or personal email addresses had a detrimental impact on staff having to read through volumes of emails received to ensure they were appropriately dealt with (including from individuals whose agenda was to hinder the police).  Where an internal email address becomes publicly known, Police Scotland argued, an influx of correspondence to that email address is received, often not for the department concerned.  Where a personal email address is made public, there is a risk of emails not being picked up (for example, when the member of staff is absent) or of spam emails being received.  Further, disclosure of the telephone numbers would allow an individual to continually make direct calls to these numbers and disrupt the ability of officers and staff to perform their core functions.  In any case, Police Scotland had a number of public contact routes available for public use which were monitored and actioned promptly.

56. Police Scotland accepted that section 30(c) ought to have been applied at the time of their initial response, and explained that this had been missed at the time of drafting the response.

The Commissioner’s views on section 30(c)

57. The Commissioner has taken account of all of the relevant submissions, together with the withheld information.

58. Under section 16(1)(c) (Refusal of request) of FOISA, Scottish public authorities must specify the exemption or exemptions which they are relying on to withhold information.  It is a matter of fact that Police Scotland failed to make it clear to the Applicant, in their response of 19 May 2021, that they were relying on section 30(c) of FOISA to withhold some of the information requested.  Police Scotland’s failure to do so was a breach of section 16(1)(c) of FOISA.

59. In assessing whether the exemption in section 30(c) applies, the Commissioner has taken account of a number of factors, including the timing of the request.  He must make his decision based on Police Scotland’s position at the time they issued their review outcome (i.e. their response of 19 May 2021).

60. Turning to his examination of the information withheld under section 30(c), the Commissioner does not accept that disclosure of all of this information into the public domain would substantially prejudice the free and frank exchange of views for the purposes of deliberation, as claimed by Police Scotland.

61. For information comprising the latter parts of email addresses (i.e. from “@”), the Commissioner can identify no harm in the disclosure of that information and can see no reasonable basis for Police Scotland seeking to withhold it.

62. Furthermore, the Commissioner notes that details of certain email addresses withheld under this exemption have been disclosed in one of the documents disclosed.  In light of this, he cannot see how Police Scotland can justify withholding the same information under the same exemption, elsewhere in the information under consideration here.

63. For this information (parts of email addresses from “@” and details of certain email addresses already disclosed), the Commissioner is therefore not persuaded, from the submissions he has received, that disclosure of this information would result in the harm claimed by Police Scotland.

64. In the absence of any submissions persuading him otherwise, the Commissioner does not accept that disclosure of this information would, or would be likely to, inhibit substantially the free and frank exchange of views for the purposes of deliberation.  He does not believe that such a conclusion can be reached on the basis of the arguments provided for that particular information.

65. The Commissioner does not, therefore, accept that the exemption in section 30(c) of FOISA should be upheld in respect of this particular information.

66. Given that the Commissioner does not accept the application of the exemption for this particular information withheld under section 30(c), he is not required to consider the public interest test in section 2(1)(b) for that information.

67. As Police Scotland are not relying on any other exemption to withhold this information, he requires Police Scotland to disclose it to the Applicant.

68. For the remainder of the information being withheld under section 30(c), comprising the first parts of email addresses (i.e. before “@”) and contact telephone numbers, the Commissioner concurs with Police Scotland’s position that disclosure of this remaining information into the public domain would, or would be likely to, substantially prejudice their ability to effectively conduct their business.  He accepts that disclosure of this information would enable individuals to circumvent the established routes set up by Police Scotland for public contact and cause unnecessary disruption, whether intentional or not.  The Commissioner is therefore satisfied that the exemption in section 30(c) is engaged for this information.

69. In respect of the information for which the Commissioner has found section 30(c) to be engaged, he will now go on to consider where the balance of public interest lies in relation to disclosure of that information, as required by section 2(1)(b) of FOISA.

The public interest – section 30(c)

70. As noted above, the exemption in section 30(c) is subject to the public interest test required by section 2(1)(b) of FOISA.

71. In their submissions to the Commissioner, Police Scotland recognised the public interest in transparency and public awareness of how they conduct their business.  They considered, however, that this was outweighed by the undue pressure on departments which would ensue from disclosure of the information and which would, in turn, adversely impact the effective running of the organisation.  In their view, the public interest was catered for by the existence of the already established routes for public contact and disclosure of these additional details would not support the effective conduct of public affairs.

72. The Commissioner has considered the submissions, along with the remaining information withheld under section 30(c).  He recognises there is a general public interest in disclosing information held by Scottish public authorities.

73. However, the Commissioner has already accepted that disclosure of this information would provide opportunity for unnecessary disruption and substantially prejudice Police Scotland’s ability to effectively conduct their business.  He also considers that the public interest in disclosure of this particular information is met, to some extent, by the existing routes for public contact.

74. On balance, the Commissioner concludes that the public interest in maintaining the exemption outweighs that in disclosure in respect of the remaining information withheld under section 30(c).  Accordingly, he finds that Police Scotland were entitled to withhold this information under section 30(c) of FOISA.

Section 33(1)(b) – Commercial interests and the economy

75. Section 33(1)(b) of FOISA provides that information is exempt information if its disclosure under this Act would, or would be likely to, prejudice substantially the commercial interests of any person (including, without prejudice to that generality, a Scottish public authority).  This exemption is subject to the public interest test in section 2(1)(b) of FOISA.

76. There are a number of elements an authority needs to demonstrate are present when relying on this exemption.  In particular, it needs to establish:

(i)    whose commercial interests would (or would be likely to) be harmed by disclosure

(ii)    the nature of those commercial interests, and

(iii)    how those interests would (or would be likely to) be prejudiced substantially by disclosure.

77. The prejudice must be substantial, in other words of real and demonstrable significance.  Where the authority considers that the commercial interests of a third party would (or would be likely to) be harmed, it must make this clear.  Generally, while the final decision on disclosure will always be one for the authority, it will assist matters if the third party has been consulted on the elements referred to above.

The Applicant’s submissions on section 33(1)(b)

78. In his submissions to the Commissioner, the Applicant accepted that the exemption would apply in certain circumstances, for example to retain commercial confidence, but he did not believe it could simply be applied to withhold the overall budgetary spend on services.  Noting that Police Scotland claimed it was necessary to apply the exemption to protect the interests of bidders in a tender process (an argument which he considered to be, at best, tenuous), the Applicant argued that many of the public cloud services used by public sector bodies were not publicly tendered, but were directly awarded through preferential pricing mechanisms put in place by the Government.  As a result, the means by which the public could identify the actual spend on core services, and the distribution of such expenditure, was already difficult to ascertain.

79. The Applicant asked the Commissioner to examine exactly where this exemption had been applied (as this was unclear in the information disclosed), whether it had been correctly applied to protect a genuine commercial interest, and where the interests of the public were best served by disclosure.

Police Scotland’s submissions on section 33(1)(b)

80. In their submissions to the Commissioner, Police Scotland confirmed that they wished to maintain reliance on section 33(1)(b) to withhold some of the information relating to Perform Plus.

81. For some of the information in these documents that Police Scotland had initially sought to withhold under section 33(1)(b), they confirmed that some of this information could now be disclosed.

82. For some other information, Police Scotland submitted that they now considered this to fall outwith the scope of the Applicant’s request.  Some of this information, they explained, related to the delivery of consultancy services rather than the use of cloud based software, and certain other information did not relate to the terms and conditions, or to the DPIA associated with the cloud based service.

Commercial interests

83. Police Scotland submitted that the information comprised a specific part of the contract between them and the service provider, and that the interests of both parties were of concern were the information to be disclosed.

84. Having considered Police Scotland’s submissions on this point, the Commissioner is satisfied that the interests identified are commercial interests for the purposes of the exemption in section 33(1)(b) of FOISA.  He recognises that Police Scotland must be able to freely enter into contracts with third parties, which stipulate the corresponding terms and conditions of business, some of which may be commercially sensitive.

85. The Commissioner must now go on to consider whether the commercial interests identified by Police Scotland would, or would be likely to, be prejudiced substantially by disclosure of the information.

How would disclosure prejudice these commercial interests substantially?

86. Police Scotland explained that the tendering process was open to competition where companies were invited to submit their bids, with details of costs and processes to be used for successful completion of the contract.  This included detailed information regarding the capabilities and financial ability of bidders to complete the contract.

87. Police Scotland submitted that any relevant information supplied by a successful tendering company was provided in the expectation that, whilst remaining relevant, commercially sensitive information within the bid will be held by Police Scotland, and not publicly disclosed.  Disclosure would, Police Scotland argued, likely give competitive advantage to other similar companies, which would have a damaging impact on the company concerned.

88. Police Scotland further submitted that disclosure might, in the future, reduce the number of companies tendering for the supply of goods and services, in the knowledge that Police Scotland would disclose commercially sensitive information.  This, they claimed, would be likely to negatively impact on the tendering process used to ensure the purchase of the most efficient and cost effective services in the future, thus prejudicing the commercial interests of Police Scotland.

Third party comments

89. Police Scotland submitted that they had contacted the third party to seek their views, not only on the disclosure of the information in the contract, but also on that information which they proposed to withhold on the basis that it was commercially sensitive information.

90. In response, the third party suggested that a small amount of additional information also be redacted, relating to the support provided.

The Commissioner’s views on section 33(1)(b)

91. The Commissioner has carefully considered all the arguments put forward, along with the withheld information.

92. In assessing whether the exemption in section 33(1)(b) applies, the Commissioner has taken account of a number of factors, including the timing of the request.  He must make his decision based on Police Scotland’s position at the time they issued their review outcome (i.e. their response of 19 May 2021).

93. For the information originally withheld under section 33(1)(b), which Police Scotland has stated they are now prepared to disclose to the Applicant (referred to in paragraph 81), the Commissioner notes Police Scotland’s change of position for this information.  However, he is not persuaded, from the submissions provided, that disclosure of that particular information, when responding to the Applicant’s request, would have resulted in the harm claimed by Police Scotland.  The Commissioner must therefore find that Police Scotland were not entitled to withhold this information under section 33(1)(b).

94. For the information which Police Scotland considers to fall outwith scope of the Applicant’s request (referred to in paragraph 82), having fully considered this information, the Commissioner is satisfied that it does not fall within the scope of the Applicant’s request.

95. For the remainder of the information withheld under section 33(1)(b), the Commissioner is being asked to determine whether disclosure of that information would, or would be likely to, prejudice the commercial interests of Police Scotland and/or the third party.  Police Scotland have argued why they believe this to be at least likely, and the impact of doing so.

96. The Commissioner has fully considered the specific remaining information being withheld under section 33(1)(b).  In the Commissioner’s view, for some of this information, which is either factual or generic in nature, Police Scotland’s submissions appear to be overzealous.  The Commissioner fails to see, from the arguments put forward by Police Scotland, how disclosure of that information would, or would be likely to, prejudice substantially the commercial interests of either party to the contract.  Furthermore, for certain other information which is clearly already publicly available on the third party’s website, the Commissioner can identify no reasonable grounds for accepting that such information is commercially sensitive, as claimed by Police Scotland.

97. In the absence of any submissions persuading him otherwise, the Commissioner does not believe that disclosure of this information would, or would be likely to, prejudice substantially the commercial interests of either party.  He does not consider, for that particular information, that this conclusion can be reached based on the submissions made by Police Scotland.

98. The Commissioner does not, therefore, accept that the exemption in section 33(1)(b) of FOISA should be upheld in respect of this particular information.

99. Given that the Commissioner does not accept the application of the exemption for this particular information withheld under section 33(1)(b), he is not required to consider the public interest test in section 2(1)(b) for that information.

100. As Police Scotland are not relying on any other exemption to withhold this information, he requires Police Scotland to disclose it to the Applicant.

101. For the remainder of the information being withheld under section 33(1)(b), which the Commissioner has fully considered, he accepts that disclosure of this information would allow further insight into the arrangements agreed between both parties for the provision of Perform Plus.

102. The Commissioner recognises that Police Scotland have identified commercial interests relating to themselves, which might be adversely impacted should disclosure of the information impact their relationship with the third party.  The Commissioner accepts that disclosure would jeopardise Police Scotland’s ability to secure best value in future contracts, on the basis that companies would be less likely to participate in the tender process, in fear that their confidential commercial information would be publicly disclosed which, in turn, would be likely to prejudice their commercial interests substantially.

103. The Commissioner also accepts that Police Scotland have identified commercial interests relating to the third party, which might be prejudiced in negotiating future tenders, should disclosure of the information give unfair advantage to similar competitors in future bidding processes.  The Commissioner recognises that these factors would, or would be likely to, prejudice the third party’s commercial interests, in these respects, to a significant extent.

104. In conclusion, the Commissioner agrees that disclosure of this remaining information into the public domain would, or would be likely to, substantially prejudice the commercial interests of both parties.  He is therefore satisfied that the remaining withheld information is of sufficient commercial relevance to engage the exemption in section 33(1)(b) of FOISA, and that the exemption was correctly applied on that basis.

Public interest test – section 33(1)(b)

105. Section 33(1)(b) is subject to the public interest test required by section 2(1)(b) of FOISA.  As the Commissioner has found that the exemption in section 33(1)(b) was correctly applied to the withheld information, he is now therefore required to consider whether, in all the circumstances of the case, the public interest in disclosing the information is outweighed by the public interest in maintaining the exemption.

106. In the Applicant’s view, disclosure was of importance as the general terms of these services were not compatible with the requirements of Part 3 of the DPA 2018 (Law enforcement processing).  He believed that, in determining whether there was a risk to the public interest, Police Scotland should confirm whether they had negotiated special terms or not.

107. In their submissions to the Commissioner, Police Scotland recognised the public interest in procuring services competitively to ensure best value for money.  They acknowledged that disclosure would allow increased accountability, transparency and scrutiny of the way they spent public funds.

108. Police Scotland considered, however, that there was no public interest in disclosure of information which would:

(i)    be commercially unfair to current suppliers

(ii)    impact the tender process, the purpose of which was to ensure all options were presented to enable the selection of the best option in terms of service and cost

(iii)    impact their ability, as a publicly funded organisation, to obtain best value for money for particular services which required maintaining working relationships with tendering companies, and

(iv)    dissuade companies from engaging in the tender process in the belief that conducting business with Police Scotland would result in disclosure of their confidential information.

109. In Police Scotland’s view, these factors, favouring non-disclosure, outweighed any public interest in disclosure of the information.

110. The Commissioner has considered the submissions from both parties, together with the remaining withheld information.  He recognises that there is general public interest in disclosing information held by Scottish public authorities.  He acknowledges that disclosure in this case would aid the public's understanding of certain aspects of how the Perform Plus contract would be delivered by the third party, and Police Scotland’s decision-making in relation to the contract.

111. However, the Commissioner is also of the view that disclosure of the information in question would give competitors a valuable insight into specific aspects of the contract delivery which are specific to the third party, thus giving their competitors unfair commercial advantage.  He considers there is no public interest in placing a particular organisation at a commercial disadvantage, simply as a result of entering into a contract with a Scottish public authority, where the authority concerned is obliged to hold the third party’s sensitive commercial information in relation to that contract.  In addition, the Commissioner considers the public interest in disclosure is met, to some extent, by the further information he requires Police Scotland to disclose in this case.

112. On balance, the Commissioner concludes that the public interest in maintaining the exemption in section 33(1)(b) outweighs that in disclosure in respect of the remaining withheld information.  Accordingly, he finds that Police Scotland were entitled to withhold this information under section 33(1)(b) of FOISA.

Section 35(1)(a) – Law enforcement

113. Section 35(1)(a) of FOISA provides that information is exempt information if its disclosure would, or would be likely to, prejudice substantially the prevention or detection of crime.  This exemption is subject to the public interest test in section 2(1)(b) of FOISA.

114. As the Commissioner's guidance on this exemption highlights, the term "prevention or detection of crime" is wide ranging, encompassing any action taken to anticipate and prevent crime, or to establish the identity and secure prosecution of persons suspected of being responsible for crime.  This could mean activities in relation to specific (anticipated) crime or wider strategies for crime reduction and detection.

115. As noted above, there is no definition of "substantial prejudice" in FOISA, but the Commissioner considers the authority would have to identify harm of real and demonstrable significance, which would be likely, at least, to follow disclosure, and more than simply a remote possibility.

The Applicant’s submissions on section 35(1)(a)

116. In his submissions to the Commissioner, the Applicant accepted that the exemption would apply in certain circumstances, for example where disclosure would divulge information relating to systems that could facilitate attacks.  However, he believed that some redactions were not justified, and that a clear understanding of the risks posed to the data subject from data processing (as opposed to, for example, from security risks requiring technical measures) should be fully disclosed.  He failed to see what possible basis existed for Police Scotland’s claim that disclosure of the risks to the interests of a data subject from data processing would prejudice the prevention or detection of crime.

117. Noting that it was unclear where, in the information withheld, each exemption had been applied, the Applicant believed the exemption would be unlikely to apply to all of the information withheld under section 35(1)(a).  He argued that it should be limited to the data specifically likely to engage the exemption (if, indeed, any of the data met that criterion).

Police Scotland’s submissions on section 35(1)(a)

118. In their submissions to the Commissioner, Police Scotland confirmed that, for the further information disclosed to the Applicant on 6 September 2021 (specifically that originally withheld in the Wellbeing Training DPIA, previously partially disclosed), they had withdrawn reliance on the exemption in section 35(1)(a) in respect of that particular information.  Police Scotland explained that this information had originally been withheld under this exemption due to the data, which indicated staffing shortages, being unconfirmed at the time, and the risk to law enforcement should reduced staffing become known.

119. For the remainder of the information withheld under section 35(1)(a), Police Scotland confirmed they wished to maintain reliance on section 35(1)(a) to withhold, in the main, information relating to system capabilities or links/pathnames to Police Scotland documents.

120. Police Scotland argued that it was not exceptional for individuals to enquire about the information technology in use, and reports conducted into their capabilities, but there was concern that the disclosure of such data could provide attack opportunities or give those individuals wishing to evade detection for criminal activities the opportunity to do so.

121. In Police Scotland’s view, the information withheld under section 35(1)(a) could be used by a hostile party to plan and execute an attack on their systems, for example, in the form of data theft, denial of service or other deliberate disruptions.  This, they submitted, would reduce their ability to undertake relevant activities.  Revealing Police Scotland’s cyber capabilities could, they submitted, also provide those intent on avoiding detection the information necessary to do so, reducing the ability of the police to prevent and detect crime.

The Commissioner’s views on section 35(1)(a)

122. The Commissioner has taken account of all of the relevant submissions from both parties, together with consideration of the withheld information itself.

123. In assessing whether the exemption in section 35(1)(a) applies, the Commissioner has taken account of a number of factors, including the timing of the request.  He must make his decision based on Police Scotland’s position at the time they issued their review outcome (i.e. their response of 19 May 2021).

124. For the information originally withheld under section 35(1)(a) in the Wellbeing Training DPIA, and subsequently disclosed to the Applicant on 6 September 2021, the Commissioner notes Police Scotland’s change of position for this information.  However, he is not persuaded, from the submissions provided, that disclosure of that particular information, when responding to the Applicant’s request, would have resulted in the harm claimed by Police Scotland.  The Commissioner must therefore find that Police Scotland were not entitled to withhold this information under section 35(1)(a).

125. For the remainder of the information withheld under section 35(1)(a), the Commissioner is of the view that he is being asked to judge whether disclosure of the information would increase the likelihood of an individual being able to plan and execute an attack on Police Scotland’s data systems, or to evade detection for criminal activity, which would affect Police Scotland’s ability to prevent and detect crime.  Police Scotland have explained why they believe this to be the case, and the consequences that would follow any such potential exploitation of their systems and capabilities as a result of disclosure of the information.

126. The Commissioner has fully considered the specific information being withheld under section 35(1)(a).  In the Commissioner’s view, for some of the information being withheld under this exemption, Police Scotland’s arguments are somewhat overstated.  The Commissioner cannot see how, for some of this information, it would, even to a minimal extent, enable a hostile individual, intent on causing disruption to police systems, to plan or execute such an attack, or contribute in any way to an individual’s ability to circumvent detection for criminal activity.  The Commissioner is not persuaded, by the arguments put forward by Police Scotland, that disclosure of some of that information would result in the harm claimed by Police Scotland.

127. In the absence of any submissions persuading him otherwise, the Commissioner does not accept that disclosure of this information would, or would be likely to, prejudice substantially the prevention or detection of crime.  He does not believe that such a conclusion can be reached on the basis of the arguments provided for that particular information.

128. The Commissioner does not, therefore, accept that the exemption in section 35(1)(a) of FOISA should be upheld in respect of this particular information.

129. Given that the Commissioner does not accept the application of the exemption for this information withheld under section 35(1)(a), he is not required to consider the public interest test in section 2(1)(b) for that information.

130. As Police Scotland are not relying on any other exemption to withhold this information, he requires Police Scotland to disclose it to the Applicant.

131. For the remainder of the information being withheld under section 35(1)(a), the Commissioner concurs with Police Scotland’s position that disclosure of this remaining information into the public domain would, or would be likely to, substantially prejudice their ability to prevent and detect crime.  While the Commissioner has not been presented with any substantive evidence to show that their systems would be threatened in any immediate sense, if the information were disclosed, he accepts that it could provide individuals with enhanced opportunity to plan or execute an attack on Police Scotland’s systems, leading to potential data loss or disruption to service.

132. The Commissioner notes that disclosure of information under FOISA is, effectively, disclosure into the public domain, and not just to the individual requesting the information.  While the Applicant’s motive for seeking the information may be reasonable, he is not the only individual to whom information would be accessible, were it disclosed in response to an information request.  The Commissioner therefore accepts Police Scotland’s arguments that information pertaining to their cyber capabilities could be used by those individuals, so intent, to evade detection for criminal activity.

133. The Commissioner is therefore satisfied that the exemption in section 35(1)(a) is engaged for this information.

134. In respect of the remaining information for which the Commissioner has found section 35(1)(a) to be engaged, he will now go on to consider where the balance of public interest lies in the disclosure of the information, as required by section 2(1)(b) of FOISA.

Public interest test – section 35(1)(a)

135. As noted above, the exemption in section 35(1)(a) is subject to the public interest test required by section 2(1)(b) of FOISA.

136. In the Applicant’s view, the public interest favoured disclosure of the information, particularly that relating to the risks to the data subject from processing and how those risks were treated.  This would enable the impacted data subjects to take necessary measures, or control consent, to protect their interests.

137. In their submissions to the Commissioner, Police Scotland recognised the public interest in accountability for public funds in terms of cost to the public purse.  They considered, however, that there was no public interest in disclosure of information which would:

(i)    have an adverse effect on the efficiency of the police service

(ii)    provide those intent on disrupting police activities with sufficient information to plan and execute a targeted attack

(iii)    give potential for sensitive information (such as personal data, security information etc.) to be made public as a result of compromising systems, and

(iv)    enable those intent on criminal activity to take steps to evade detection.

138. In Police Scotland’s view, these factors, favouring non-disclosure, outweighed any public interest in disclosure of the information.

139. The Commissioner has considered the submissions from both parties, together with the remaining withheld information.  He recognises there is general public interest in disclosing information held by Scottish public authorities.  He acknowledges that disclosure, in this case, would aid more in-depth public scrutiny of the systems used by Police Scotland.

140. However, the Commissioner has already accepted that disclosure of this remaining information would provide increased opportunity for disruption to Police Scotland’s systems and capabilities, and afford those intent on evading detection increased opportunity to do so.  He can see no public interest in disclosing information which would enable this.

141. On balance, the Commissioner concludes that the public interest in maintaining the exemption in section 35(1)(a) outweighs that in disclosure in respect of the remaining withheld information.  Accordingly, he finds that Police Scotland were entitled to withhold this information under section 35(1)(a) of FOISA.

Section 38(1)(b) – Personal information

142. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is "personal data" (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR or (where relevant) in the DPA 2018.

143. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption.  This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

144. To rely on this exemption, Police Scotland must show that the information withheld is personal data for the purposes of the DPA 2018 and that disclosure of the information into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles to be found in Article 5(1) of the UK GDPR.

145. The Commissioner must decide whether Police Scotland were correct to withhold the information requested under section 38(1)(b) of FOISA.

Is the withheld information personal data?

146. The first question that the Commissioner must address is whether the withheld information is personal data for the purposes of section 3(2) of the DPA 2018, i.e. any information relating to an identified or identifiable individual.  "Identifiable living individual" is defined in section 3(3) of the DPA 2018 – see Appendix 1.  (This definition reflects the definition of personal data in Article 4(1) of the UK GDPR, also set out in Appendix 1.)

147. Information which could identify individuals will only be personal data if it relates to those individuals.  Information will "relate to" a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them or has them as its main focus.

148. In their submissions to the Commissioner, Police Scotland explained that the information, which comprised the names of staff below head of department level, officers below the rank of superintendent and third party organisation staff, clearly identified those individuals by name, along with the nature of the documents and department.

149. Having considered the withheld information, it is clear that the information withheld in this case (i.e. the names of individuals) “relates to” identifiable living individuals.  The Commissioner therefore concludes that the information withheld is personal data, for the purposes of section 3(2) of the DPA 2018.

Which of the data protection principles would be contravened by disclosure?

150. Police Scotland stated that disclosure of this personal data would contravene the first data protection principle (Article 5(1)(a)).  Article 5(1)(a) states that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

151. In terms of section 3(4) of the DPA 2018, disclosure is a form of processing.  In the case of FOISA, personal data is processed when it is disclosed in response to a request.

152. The Commissioner must now consider if disclosure of the personal data would be lawful (Article 5(1)(a)).  In considering lawfulness, he must consider whether any of the conditions in Article 6 of the UK GDPR would allow the data to be disclosed.  The Commissioner considers condition (f) in Article 6(1) to be the only one which could potentially apply in the circumstances of this case.

Condition (f): legitimate interests

153. Condition (f) states that the processing will be lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data (in particular where the data subject is a child).

154. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of its tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.

155. The tests which must be met before Article 6(1)(f) can be met are as follows:

(i)    Does the Applicant have a legitimate interest in obtaining the personal data?

(ii)    If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?

(iii)   Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subjects?

Does the Applicant have a legitimate interest in obtaining the personal data?

156. In his submissions to the Commissioner, the Applicant stated he had no general issue with the redaction of personal data.  However, where a named individual was a decision-maker in a public authority, or held a post that had a statutory basis, he believed there was no public interest in allowing them to shelter behind a “cloak of anonymity” in the context of their professional role.  In the Applicant’s view, accountability of those holding public office or employed in roles where they made decisions affecting public interest matters was fundamentally important, and hard to achieve when a blanket redaction was applied.

157. As it was unclear to the Applicant where, in the information withheld, each exemption had been applied, he wished the Commissioner to examine the withholding of the names of individuals in such roles, including accreditors and decision-makers signing off on statutory documents such as DPIAs or making risk decisions affecting the public interest.

158. Police Scotland confirmed they had not sought details of the Applicant’s legitimate interest in the personal data.  However, they were prepared to accept that the Applicant had a legitimate interest, recognising that people were interested in holding public authority employees to account in terms of the decisions they made.

159. The Commissioner accepts that disclosure of the majority of the withheld personal data would facilitate transparency and accountability to the Applicant (and the wider public) regarding the role and accountability of the individuals involved in the processes to which the information relates, and there is clearly a legitimate interest in the public being aware of such matters.  Consequently, the Commissioner accepts that the Applicant has a legitimate interest in disclosure of these personal data.

Is disclosure of the personal data necessary?

160. Having accepted that the Applicant has a legitimate interest in the withheld personal data, the Commissioner must consider whether disclosure of those personal data is necessary for the Applicant's legitimate interests.  In doing so, he must consider whether these interests might reasonably be met by any alternative means.

161. The Commissioner has considered this carefully in light of the decision by the Supreme Court in South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55.  In this case, the Supreme Court stated (at paragraph 27):

A measure which interferes with a right protected by Community law must be the least restrictive for the achievement of a legitimate aim.  Indeed, in ordinary language we would understand that a measure would not be necessary if the legitimate aim could be achieved by something less.

162. "Necessary" means "reasonably" rather than "absolutely" or "strictly" necessary.  When considering whether disclosure would be necessary, public authorities should consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the requester's legitimate interests can be met by means which interfere less with the privacy of the data subject.

163. In their submissions to the Commissioner, Police Scotland stated that, whatever the Applicant’s motivation for accessing the personal data, they were happy to accept his interests as legitimate.  However, they did not consider it could ever be necessary to disclose the personal data under FOISA.

164. The Commissioner accepts that disclosure of the personal data is necessary to achieve the Applicant's legitimate interests.  He can identify no viable means of fully meeting the Applicant's legitimate interests which would interfere less with the privacy of the data subjects than providing the withheld personal data in full.  In all the circumstances, therefore, the Commissioner is satisfied that disclosure of the information is necessary for the purposes of the Applicant's legitimate interests identified above.

165. The Commissioner will now consider whether the Applicant’s legitimate interests in obtaining the withheld personal data outweigh the rights and freedoms of the data subjects.

The data subjects' interests or fundamental rights and freedoms

166. The Commissioner must balance the legitimate interests in disclosure against the data subjects' interests or fundamental rights and freedoms.  In doing so, he must consider the impact of disclosure.  For example, if the data subjects would not reasonably expect that the information would be disclosed to the public under FOISA in response to the request, or if such disclosure would cause unjustified harm, their interests or rights are likely to override any legitimate interests in disclosure.  Only if the legitimate interests of the Applicant outweigh those of the data subjects can the information be disclosed without breaching the first data protection principle.

167. The Commissioner's guidance on section 38 of FOISA notes factors that should be taken into account in balancing the interests of parties.  He notes that Recital (47) of the General Data Protection Regulation states that much will depend on the reasonable expectations of the data subjects.  These are some of the factors public authorities should consider:

(i)    Does the information relate to an individual's public life (their work as a public official or employee) or to their private life (their home, family, social life or finances)?

(ii)    Would the disclosure cause harm or distress?

(iii)    Whether the individual has objected to the disclosure.

Does the information relate to public or private life?

168. Disclosure under FOISA is public disclosure; information disclosed under FOISA is effectively placed into the public domain.

169. The Commissioner acknowledges that the withheld information relates to the individuals' public lives, in that it identifies them as Police Scotland staff below head of department level or officers below superintendent rank, or external third party individuals.  However, he also acknowledges that, by association, the information also relates to their private lives.

170. In the circumstances, the Commissioner concludes that the withheld information relates to both the private and public lives of the data subjects.

Would disclosure cause harm or distress to the data subjects and have the individuals objected to the disclosure?

171. The Commissioner has also considered the harm or distress that might be caused by disclosure.

172. He has considered Police Scotland’s arguments that disclosure of the withheld information would have potential consequences for the data subjects.  Police Scotland argued that, given the nature of policing, it would not be appropriate to identify staff members by name due to the sensitivities around investigations or the nature of the department they worked in.  The information was held in documents originating from non public-facing departments, therefore the individuals in question had no expectation that their details would be made public.

173. Police Scotland submitted that, while those officers and staff in senior or public-facing roles had an expectation that their details may be made public, this did not apply to all officers and staff who, depending upon their role, had a legitimate expectation of privacy.

174. Police Scotland believed that, for any personal data, the fundamental rights and freedoms of the data subjects overrode any third party interest.  In their view, individuals had an overwhelming right to privacy and that right should only be overridden in exceptional circumstances.

175. The Commissioner has taken account of all relevant submissions, together with the personal data withheld.  He is not persuaded that the harm or distress claimed by Police Scotland applies to all of the remaining withheld personal data.  Research carried out during the investigation by the investigating officer identified that some of that information is already in the public domain, published in articles or documents on reputable websites.  The Commissioner cannot accept, therefore, that disclosure of that same information, in response to the Applicant’s request, would equate to an unwarranted intrusion into the private lives of those individuals, regardless of the individual’s position or rank.  Accordingly, the Commissioner does not accept that Police Scotland have sufficiently evidenced that disclosure of some of the remaining withheld personal data would cause any harm or distress to the data subjects, or that they have objected to disclosure.

176. For the remainder of the personal data withheld, the Commissioner recognises that it records the involvement of those individuals in the processes to which the information relates.  Insofar as the withheld personal data relates to Police Scotland officers or staff, the Commissioner acknowledges that some of these individuals can be considered relatively senior and therefore subject to a higher level of scrutiny.  It is still appropriate, however, to consider what reasonable expectations they would have in relation to disclosure of the information concerned.  In all the circumstances, having considered the information in question and all relevant submissions, the Commissioner does not believe any of these individuals, to whom the remaining personal data relates, would have a reasonable expectation that their personal data would be publicly disclosed in response to a request for information under FOISA.  He recognises their right to privacy in this regard.

Balance of legitimate interests

177. After carefully balancing the legitimate interests of the data subjects against those of the Applicant, the Commissioner finds that, for the personal data which is already publicly available, the balance of legitimate interests falls in favour of the Applicant.

178. For that information, the Commissioner notes that Police Scotland have not chosen to apply section 25(1) (Information otherwise accessible) of FOISA.  Given this information is already available in the public domain, the Commissioner cannot identify any reason why disclosure of that same information, in the context of the request under consideration here, could prejudice the rights and freedoms or legitimate interests of the data subjects.

179. The Commissioner does not accept that there would be a degree of distress caused to the data subjects by the disclosure of this information, sufficient to override the legitimate interests of the Applicant and the wider public interest.  In all the circumstances, he concludes that condition (f) could be met in this case and that disclosure of the information would therefore be lawful.

180.  Accordingly, the Commissioner does not accept that Police Scotland were entitled to rely on section 38(1)(b) to withhold the personal data which is already in the public domain.  He requires Police Scotland to disclose this information to the Applicant.

181. For the remainder of the withheld personal data, the Commissioner has balanced the competing interests set out above.  Having done so in this particular case, in relation to this particular information, the Commissioner finds that the legitimate interest in transparency is outweighed by the prejudice to the rights and freedoms of the data subjects that would result from disclosure.  He therefore finds that the balance of legitimate interests falls in favour of the data subjects, for the remaining withheld personal data, and that the requirements of condition (f) cannot be met here.

182. In the absence of a condition which would permit disclosure of the remaining withheld personal data, the Commissioner must conclude that disclosure would be unlawful.

Fairness

183. Given that the Commissioner has determined that the processing of certain of the personal data (i.e. that which is already in the public domain) would be lawful, and bearing in mind his reasons for reaching that conclusion, he can identify no reason for finding that disclosure would be other than fair.

Conclusion on the data protection principles

184. For the personal data found to have been correctly withheld, the Commissioner finds that disclosure of this information would breach the first data protection principle and that this particular information is therefore exempt from disclosure (and properly withheld) under section 38(1)(b) of FOISA.

185. For the remaining withheld personal data (i.e. other than the personal data found to have been correctly withheld) which is publicly available, the Commissioner is satisfied that this particular information has been wrongly withheld under section 38(1)(b), and can be disclosed without breaching the data protection principles in Article 5(1) of the UK GDPR.

186.  As Police Scotland are not relying on any other exemption to withhold this information, the Commissioner requires them to disclose it to the Applicant.

Section 18 – Neither confirm nor deny

187. In their review outcome (i.e. their response of 19 May 2021), Police Scotland applied section 18 of FOISA, refusing to confirm or deny whether they held any further information falling within the scope of parts 1) - 4) of the Applicant’s request, or whether that information existed.  Police Scotland adhered to this position in their submissions to the Commissioner, during which, in addition to relying on section 18 in conjunction with section 35 of FOISA, they also considered the exemptions in section 31(1) (National security and defence) and section 39(1) (Health, safety and the environment) to be relevant.

188. Section 18 of FOISA allows Scottish public authorities to refuse to reveal whether they hold information (or whether it exists) in the following limited circumstances:

(i)    a request has been made to the authority for information which may or may not be held by it;

(ii)    if the information were held by the authority (and it need not be), the authority could give a refusal notice under section 16(1) of FOISA, on the basis that the information was exempt information by virtue of any of the exemptions in sections 28 to 35, 38, 39(1) or 41 of FOISA; and

(iii)    the authority considers that to reveal whether the information exists or is held would be contrary to the public interest.

189. It is not sufficient for the public authority to simply claim that one or more of the relevant exemptions applies.  Section 18(1) makes it clear that the authority must be able to give a refusal notice under section 16(1), on the basis that any relevant information, if it existed and was held, would be exempt information under one or more of the listed exemptions.  Where the exemption is subject to the public interest test in section 2(1)(b) of FOISA, the authority must also be able to satisfy the Commissioner that the public interest in maintaining the exemption outweighs any public interest there would be in disclosing any relevant information (if held).

190. If the Commissioner accepts this, he must then go on to establish whether the authority is justified in stating that to reveal whether the information exists or is held would be contrary to the public interest.

191. In their review outcome (i.e. their response of 19 May 2021), Police Scotland confirmed that they held information for parts 1) - 4) of the Applicant’s request.  They disclosed some of that information, and withheld some other information under the exemptions considered earlier in this Decision Notice.  Police Scotland also sought to rely on section 18, refusing to confirm or deny whether they held any further information or whether it existed, a position which Police Scotland maintained in their submissions to the Commissioner.

192. It is therefore a matter of fact that Police Scotland hold information falling within the scope of parts 1) - 4) of the Applicant’s request.

193. In light of this, the Commissioner can see no logical argument for Police Scotland seeking to rely on section 18 for any remaining information that they may or may not hold for these parts of the request.

194. Where Police Scotland consider that any information, further to that already disclosed to the Applicant or withheld under the exemptions considered earlier in this Decision Notice, is exempt from disclosure under any exemption in Part 2 of FOISA, in the Commissioner’s view the correct response would have been to issue a refusal notice in terms of section 16(1) (Refusal of request) of FOISA, applying the relevant exemptions and explaining why they considered the information to be exempt (including any consideration of the public interest that may be required).

195. Given the generality of the Applicant’s request (in that it sought information on cloud services in general, and did not focus on any specific area of police business or operations), the Commissioner does not accept that there is any scope for Police Scotland to rely, in part, on the provision in section 18 of FOISA.  As rehearsed earlier in this Decision Notice, Police Scotland have confirmed that they hold information relating to cloud services, corresponding terms and conditions and DPIAs.  In the Commissioner’s view, in this case, to also “neither confirm nor deny” whether any further information is held or exists bears no logic, particularly in light of the opportunity available to Police Scotland to rely on the provision in section 16(1) of FOISA, i.e. to refuse to disclose any information they may hold, which they might consider to be exempt from disclosure.  The Commissioner can identify no harm in doing so.  Equally, were it the case that Police Scotland did not hold any further information falling within the scope of the Applicant’s request, the Commissioner can identify no harm in Police Scotland confirming this.

196. In the Commissioner’s view, regardless of whether or not any further information is held, and whether or not any such information could be considered exempt from disclosure under any of the exemptions Police Scotland sought to rely on in conjunction with section 18, he can find no public interest in relying on the provision in section 18 to neither confirm nor deny whether any further information is held or exists.

197. In all the circumstances, therefore, the Commissioner finds that Police Scotland were not entitled to apply section 18 of FOISA in responding to parts 1) - 4) of the Applicant’s request.  He therefore requires Police Scotland to issue a revised review outcome otherwise than in terms of section 18 for these parts of the request.

Other issues

198. Section 15(1) of FOISA requires a Scottish public authority, so far as is reasonable to expect it to do so, to provide advice and assistance to a person who proposes to make, or has made, a request for information to it.  Section 15(2) states that a Scottish public authority shall be taken to have complied with this duty where (in relation to the provision of advice and assistance in a particular case) it conforms with the Scottish Ministers' Code of Practice on the discharge of functions by Scottish public authorities under FOISA and the Environmental Information (Scotland) Regulations 2004 (the Section 60 Code).

199. Section 16(1) of FOISA requires a Scottish public authority, when refusing to disclose information it holds because it considers it to be exempt from disclosure by virtue of any provision in Part 2 of FOISA, to give an applicant a “refusal notice” which confirms that it holds the information, states that it so claims, specifies the exemption in question and states (if not otherwise apparent) why the exemption applies.

200. Section 21(5) of FOISA requires a Scottish public authority, when complying with a requirement for review, to give an applicant notice, in writing, of the outcome of its review, and a statement of its reasons for doing so.

201. The Section 60 Code states, at paragraph 5.1.1 in Part 2:

Authorities have a duty to provide advice and assistance at all stages of a request.  It can be given either before a request is made, or to clarify what information an applicant wants after a request has been made, whilst the authority is handling the request, or after it has responded.

202. It further states, in section 9.2 in Part 2:

Duty to advise and assist when responding to a request

The obligation to provide advice and assistance continues at the point of issuing a response.  For example, if directing the applicant to a website, the authority should take all reasonable steps to direct the applicant to the relevant section.

203. In his submissions to the Commissioner, the Applicant was dissatisfied that Police Scotland had failed to make clear which exemption(s) had been applied to each section of redacted information.  Police Scotland were asked to comment on this matter, and to explain:

  • why they did not provide a separate response to each part of the request (specifically parts 1) - 4));
  • why they did not make clear which exemption(s) was/were relevant to each part of the request, and to each redaction in the information disclosed; and 
  • why they considered their clarification of 26 May 2021, i.e. “the section 16 exemptions were being applied to the redacted information in the documents disclosed”, to be an acceptable explanation and how this would have allowed the Applicant to understand which exemption was being relied on for each part of his request.

204. In their submissions, Police Scotland submitted that this ought to have been addressed separately.  They stated that their response (to the Applicant) had been provided collectively for all questions and documents, and clarification should have been provided at the time of responding.  Police Scotland stated that this could be rectified by providing a more comprehensive review response, if appropriate, which might address the issues raised, but exemptions would still apply to some of the information.

The Commissioner’s views

205. The Commissioner is of the view that it ought to have been clear to Police Scotland, from the wording and layout of the request, that each part could, to a certain extent, be deemed to be a request in its own right.  Each part of the Applicant’s request was perfectly clear, and sought different information from that sought in the other parts.

206.  As indicated above, the Applicant’s request was clearly a request in a number of separate parts.  The Commissioner questions the adequacy of the advice and assistance Police Scotland gave to the Applicant to aid his understanding of what information fell within the scope of each part of his request, and also which exemption(s) was/were being applied for each part of his request and to each section of information redacted in the documents disclosed.  In the absence of this, the Applicant’s consequent dissatisfaction was understandable.

207. The Commissioner considers it would not only have been reasonable for Police Scotland to respond in the manner described in the preceding paragraph, but also that this would have been a requirement, as a minimum, in line with their obligations under FOISA.  Where different exemptions are being applied, the Commissioner would expect authorities to make clear how each redaction links to the relevant exemption and (where a request is in multiple parts) which parts of the request this ties in with.  Without a clear explanation of what information fell within the scope of each part of the request, and which exemption(s) was/were being applied to which part and to each redaction, the Commissioner cannot see how the Applicant could reasonably understand the response provided by Police Scotland.

208. The Commissioner therefore concludes that, in the respects considered above, Police Scotland failed to comply with the duty in section 15 of FOISA to provide advice and assistance.  He also finds that, by failing to indicate which exemption applied where, Police Scotland failed to comply with section 16(1) of FOISA.  He further finds that by providing a review outcome which was unclear to the Applicant, Police Scotland failed to comply with section 21(5) of FOISA.

Action required by Police Scotland

209. In line with this Decision Notice, the Commissioner requires Police Scotland to:

(i)    disclose to the Applicant the additional information identified during the investigation (referred to in paragraphs 38 and 39), namely the list of cloud services and indicative budgetary spend, plus the information in the MS Teams DPIA which Police Scotland have confirmed they are happy to disclose.

(ii)    disclose to the Applicant the information which the Commissioner has found to have been incorrectly withheld under the exemptions in sections 30(c), 33(1)(b), 35(1)(a) and 38(1)(b) of FOISA.  This will be marked up on copies of the withheld information to be provided to Police Scotland with this Decision Notice.

(iii)    carry out a further review, and issue a revised review outcome, otherwise than in terms of section 18 of FOISA, in respect of any additional information that might be held by Police Scotland for which they were not entitled to rely on section 18 of FOISA.  In respect of any information that might be held, which Police Scotland seeks to withhold, Police Scotland must make clear which exemption is being relied on for each piece of withheld information, and the revised review outcome must clearly specify which part(s) of the request the particular information (and any exemption(s) applied) relates to.

Decision 

The Commissioner finds that the Chief Constable of the Police Service of Scotland (Police Scotland) partially complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant.

The Commissioner finds that Police Scotland partially complied with Part 1 of FOISA by correctly withholding some information under the exemptions in sections 30(c), 33(1)(b), 35(1)(a) and 38(1)(b) of FOISA.

However, the Commissioner also finds that Police Scotland failed to comply with Part 1 by:

  • failing to comply with section 10(1) of FOISA by not responding to the initial request within statutory timescales
  • failing to identify all information falling within the scope of the request and, in so doing, failing to comply with section 1(1) of FOISA
  • failing to comply with sections 16(1) and 21(5) of FOISA respectively, by not making clear which exemption applied where and by issuing a review outcome which was unclear.  In doing so, Police Scotland failed to comply with the duty in section 15 of FOISA to provide adequate advice and assistance to the Applicant
  • incorrectly withholding certain information under (variously) the exemptions in sections 30(c), 33(1)(b), 35(1)(a) and 38(1)(b) of FOISA (and thereby failing to comply with section 1(1) of FOISA), and
  • incorrectly relying on the provision in section 18 of FOISA for any additional information which might be held.

The Commissioner therefore requires Police Scotland to provide the Applicant with:

  • the additional information identified during the investigation (referred to in paragraphs 38 and 39), namely the list of cloud services and indicative budgetary spend, plus the information in the MS Teams DPIA which Police Scotland have confirmed they are happy to disclose
  • the information which the Commissioner has found to have been incorrectly withheld under the exemptions in sections 30(c), 33(1)(b), 35(1)(a) and 38(1)(b) of FOISA, and
  • a revised review outcome, otherwise than in terms of section 18 of FOISA, in respect of any further information that might be held by Police Scotland for which they were not entitled to rely on section 18.  For any such information held, this must clearly indicate which part(s) of the request the particular information relates to and any exemption(s) being applied to specific information.  If no further information is held, notice under section 17 of FOISA shall be given to that effect.

by 30 December 2022.

Appeal

Should either the Applicant or Police Scotland wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only.  Any such appeal must be made within 42 days after the date of intimation of this decision.

Enforcement

If Police Scotland fail to comply with this decision, the Commissioner has the right to certify to the Court of Session that Police Scotland have failed to comply.  The Court has the right to inquire into the matter and may deal with Police Scotland as if they had committed a contempt of court.


Margaret Keyse
Head of Enforcement

10 November 2022

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1     General entitlement

(1)     A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(2)     The person who makes such a request is in this Part and in Parts 2 and 7 referred to as the “applicant.”

(4)     The information to be given by the authority is that held by it at the time the request is received, except that, subject to subsection (5), any amendment or deletion which would have been made, regardless of the receipt of the request, between that time and the time it gives the information may be made before the information is given.

(6)    This section is subject to sections 2, 9, 12 and 14.

 

2     Effect of exemptions 

(1)     To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that – 

(a)    the provision does not confer absolute exemption; and

(b)     in all the circumstances of the case, the public interest in disclosing the information is not outweighed by that in maintaining the exemption.

(2)     For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption – 

(e)     in subsection (1) of section 38 – 

(ii)     paragraph (b) where the first condition referred to in that paragraph is satisfied.

 

10     Time for compliance

(1)     Subject to subsections (2) and (3), a Scottish public authority receiving a request which requires it to comply with section 1(1) must comply promptly; and in any event by not later than the twentieth working day after-

(a)     in a case other than that mentioned in paragraph (b), the receipt by the authority of the request; or

15     Duty to provide advice and assistance

(1)     A Scottish public authority must, so far as it is reasonable to expect it to do so, provide advice and assistance to a person who proposes to make, or has made, a request for information to it.

(2)     A Scottish public authority which, in relation to the provision of advice or assistance in any case, conforms with the code of practice issued under section 60 is, as respects that case, to be taken to comply with the duty imposed by subsection (1).

16     Refusal of request

(1)     Subject to section 18, a Scottish public authority which, in relation to a request for information which it holds, to any extent claims that, by virtue of any provision of Part 2, the information is exempt information must, within the time allowed by or by virtue of section 10 for complying with the request, give the applicant a notice in writing (in this Act referred to as a "refusal notice") which-

(a)    discloses that it holds the information;

(b)    states that it so claims;

(c)     specifies the exemption in question; and

(d)    states (if not otherwise apparent) why the exemption applies.

18     Further provision as respects responses to request

(1)     Where, if information existed and was held by a Scottish public authority, the authority could give a refusal notice under section 16(1) on the basis that the information was exempt information by virtue of any of sections 28 to 35, 38, 39(1) or 41 but the authority considers that to reveal whether the information exists or is so held would be contrary to the public interest, it may (whether or not the information does exist and is held by it) give the applicant a refusal notice by virtue of this section.

21     Review by Scottish public authority

(5)     Within the time allowed by subsection (1) for complying with the requirement for review, the authority must give the applicant notice in writing of what it has done under subsection (4) and a statement of its reasons for so doing.

30     Prejudice to effective conduct of public affairs

Information is exempt information if its disclosure under this Act-

(c)     would otherwise prejudice substantially, or be likely to prejudice substantially, the effective conduct of public affairs.

 

31     National security and defence

(1)    Information is exempt information if exemption from section 1(1) is required for the purpose of safeguarding national security.

33     Commercial interests and the economy

(1)     Information is exempt information if-

(b)     its disclosure under this Act would, or would be likely to, prejudice substantially the commercial interests of any person (including, without prejudice to that generality, a Scottish public authority).

          …

35     Law enforcement

(1)     Information is exempt information if its disclosure under this Act would, or would be likely to, prejudice substantially-

(a)     the prevention or detection of crime;

38     Personal information 

(1)     Information is exempt information if it constitutes-

(b)     personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A));

(2A)     The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a)     would contravene any of the data protection principles, or

(b)     would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(5)     In this section-

"the data protection principles" means the principles set out in – 

(a)     Article 5(1) of the UK GDPR, and

(b)     section 34(1) of the Data Protection Act 2018; 

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act);

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act).

(5A)    In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

39     Health, safety and the environment

(1)     Information is exempt information if its disclosure under this Act would, or would be likely to, endanger the physical or mental health or the safety of an individual.

…  

UK General Data Protection Regulation

Article 4    Definitions

For the purpose of this Regulation:

1    'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

    …

Article 5    Principles relating to processing of personal data 

1    Personal data shall be:

    a.    processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”)

    …

Article 6    Lawfulness of processing 

1    Processing shall be lawful only if and to the extent that at least one of the following applies:

    …

    f.    processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

Data Protection Act 2018

3    Terms relating to the processing of personal data 

    …

    (2)    “Personal data” means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

    (3)    “Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to – 

        (a)    an identifier such as a name, an identification number, location data or an online identifier, or

        (b)    one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

    (4)    “Processing”, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as – 

        …

        (d)    disclosure by transmission, dissemination or otherwise making available,

        …

    (10)    “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).

    (14)    In Parts 5 to 7, except where otherwise provided – 

        (a)    references to the UK GDPR are to the UK GDPR read with Part 2;

        …

        (c)    references to personal data, and the processing of personal data, are to personal data and processing to which Part 2, Part 3 or Part 4 applies;

        (d)    references to a controller or processor are to a controller or processor in relation to the processing of personal data to which Part 2, Part 3 or Part 4 applies.