Decision Notice 132/2022: School management of a child’s behaviour
Authority: Perth and Kinross Council
Case Ref: 202100790
The Council was asked for guidelines on dealing with children with behavioural issues and for information about a specified incident at a school. The Council withheld the majority of information. The Commissioner investigated and found that the Council had complied with FOISA in responding to the request.
Relevant statutory provisions
Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and 2(e)(ii) (Effect of exemptions); 38(1)(b), (2A)(a), (5) (definition of “the data protection principles”, “data subject”, “personal data”, “processing” and “the UK GDPR”) and (5A) (Personal information)
United Kingdom General Data Protection Regulation (the UK GDPR) 5(1)(a) (Principles relating to the processing of personal data; 6(1)(f) (Lawfulness of processing)
Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (10), (14)(a), (c) and (d) (Terms relating to the processing of personal data)
The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.
1. On 29 April 2021, the Applicant made a request for information to Perth and Kinross Council (the Council). The information requested was:
a) A copy of national guidelines on dealing with children with behavioural issues, framework to moving children from a mainstream environment and into special measures or additional supervision and support. Guidelines used when identifying significant behavioural issues and if a child presents a danger to pupils and staff.
b) All documentation, emails and recorded phone conversations in regards to recording concerns raised in regards to the perpetrator of a specified assault.
c) All documentation, emails and recorded phone conversations in regards to parents complaining about the perpetrator of the assault.
d) A welfare report if the incident was reported to the police or social services, or documentation evidencing the decision if this was not done.
e) Health and safety near-miss report and all personal incident reports for both events.
f) All incident reports involving the perpetrator of the assault held on file and action plans resulting from each event.
g) National health and safety “duty of care” guidelines for schools and their pupils.
The Application stated, in relation to parts b), c) and d), that he understood some personal information would need to be redacted.
2. The Council responded on 26 May 2021, providing a link to the Scottish Government website for documents relevant to part a), withholding information relating to parts b) to f) under section 38(1)(b) of FOISA (as it believed disclosure would breach data protection principles) and stating no information was held for part g).
3. On the same day, the Applicant wrote to the Council, requesting a review of its decision. He was unhappy with the limited information issued and with documentation having been refused in its entirety, rather than redacted where required.
4. The Council notified the Applicant of the outcome of its review on 18 June 2021, upholding the original response. The Council provided further explanation as to why information was exempt from disclosure and referred to information previously provided on making a Subject Access Request (SAR) for access to his own child’s personal data.
5. On 29 June 2021, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. The Applicant stated he was dissatisfied with the outcome of the Council’s review as documents were withheld because they contained names of other individuals: he had requested redactions be made and considered making a SAR would result in information being similarly withheld.
6. The application was accepted as valid. The Commissioner confirmed that the Applicant made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.
7. On 20 July 2021, the Council was notified in writing that the Applicant had made a valid application and the case was allocated to an investigating officer.
8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Council was invited to comment on this application and to answer specific questions. These related to the determination of the withheld information as personal data, the relevant aspects of the UK GDPR and the DPA 2018, and reasons why redaction of the information was not considered in this instance.
Commissioner’s analysis and findings
9. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both the Applicant and the Council. He is satisfied that no matter of relevance has been overlooked.
Section 38(1)(b) (Personal information)
10. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is “personal data” (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the GDPR.
11. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.
12. In order to rely on this exemption, the Council must show that the information being withheld is personal data for the purposes of the DPA 2018 and that its disclosure into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles to be found in Article 5(1) of the GDPR.
Is the withheld information personal data?
13. The first question the Commissioner must address is whether the information is personal data for the purposes of section 3(2) of the DPA 2018. (The definition of “personal data” is set out in full in Appendix 1.)
14. The two main elements of personal data are that:
(i) the information must “relate to” a living person; and
(ii) the living individual must be identifiable.
15. Information will “relate to” a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them or has them as its main focus.
16. An “identifiable living individual” is one who can be identified, directly or indirectly, by reference to an identifier (such as a name) or one or more factors specific to the individual (see section 3(3) of the DPA 2018).
17. The Council stated that it considered the information requested to be personal data as it relates to an identified individual (a child) and all the information falling within the scope of the request related to that individual.
18. Having considered the submissions received, the Commissioner accepts the subject matter of the request, regarding behavioural issues and incidents involving an identified child, relates to that child. The Commissioner is satisfied that it is apparent that the information withheld is the personal data of an identifiable individual and, as such, is personal data in terms of section 3(2) of the DPA 2018.
Would disclosure contravene one of the data protection principles?
19. Article 5(1)(a) of the GDPR, which the Council considered applicable in this case, requires personal data to be processed “lawfully, fairly and in a transparent manner in relation to the data subject.”
20. The definition of “processing” is wide and includes (section 3(4)(d) of the DPA 2018) “disclosure by transmission, dissemination or otherwise making available.” In the case of FOISA, personal data are processed when disclosed in response to a request. Personal data can only be disclosed if disclosure would be both lawful (i.e. if it would meet one of the conditions of lawful processing listed in Article 6(1) of the GDPR) and fair.
21. The Council provided submissions with regard to Article 5(1)(a) of the GDPR and considered it would be contravened as it could not identify a lawful basis for disclosure. Disclosure would also be unfair to a child.
22. The Commissioner will now consider whether the disclosure of the information would contravene Article 5(1)(a) of the GDPR. As mentioned above, personal data can only be disclosed if disclosure would be both lawful (i.e. if it would meet one of the conditions for lawful processing listed in Article 6(1) of the GDPR) and fair.
Lawful processing: Article 6(1)(f) of the GDPR
23. The Commissioner must consider if disclosure of the personal data would be lawful. In considering lawfulness, he must consider whether any of the conditions in Article 6(1) of the GDPR would allow the personal data to be disclosed. The Council considered whether Article 6(1)(f) could apply in this case. (The Commissioner accepts that this is the only condition which could potentially apply in this case.)
Condition (f): legitimate interest
24. Condition (f) states that processing will be lawful if it “…is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child”.
25. Although Article 6 states that this condition cannot apply to processing carried out by public authorities in the performance of their tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.
26. The tests which must be met before Article 6(1)(f) can be met are as follows:
(i) Does the Applicant have a legitimate interest in obtaining the personal data?
(ii) If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?
(iii) Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subject?
27. There is no presumption in favour of the disclosure of personal data under the general obligation laid down by section 1(1) of FOISA. Accordingly, the legitimate interests of the Applicant must outweigh the rights and freedoms or legitimate interests of the data subject before condition (f) will permit the personal data to be disclosed. If the two are evenly balanced, the Commissioner must find that the Council was correct to refuse to disclose the personal data to the Applicant.
Does the Applicant have a legitimate interest in obtaining the personal data?
28. In the application to the Commissioner, the Applicant provided background information for the reason for the request and explaining why he was dissatisfied with the Council’s response. The Applicant stated that his main complaint was the withholding of documentation in its entirety, when he considered that redacting names and addresses from the documents would resolve issues about disclosing private information.
29. The Council did not consider the Applicant had a legitimate interest in obtaining the information, although it understood the motivation to the request was to ensure the safety and wellbeing of his own child, through knowing the concerns others had raised about the behaviour of the data subject and seeing any reports held, including those sent to other authorities.
30. The Council explained that advice and assurance had been provided to the Applicant about the handling of the situation, along with reassurances about the school’s commitment to supporting the wellbeing and safety of all children at the school, in accordance with the relevant policies.
31. The Council also addressed the question of redaction. It submitted that disclosure of any of the information held, even in redacted form, would effectively disclose information related to the individual to whom the request related. Given the terms of the request, the Commissioner must agree with this view: the request could only capture the personal data of a specific, identifiable individual.
32. Having considered all relevant submissions he has received on this point, the Commissioner accepts that the Applicant, as a parent of a child attending the school where the incident occurred, has an interest in the investigative process and the processes to ensure the wellbeing of the other children attending the school. In this regard, the Commissioner notes that the Council provided the Applicant with advice and assistance, including policies and reassurance that the school was undertaking appropriate steps to alleviate the issues arising.
33. However, the Commissioner does not accept that any legitimate interest the Applicant might have would extend to the personal data under consideration in this case. He notes that the data relate to a child, of primary school age. It is clear from the UK GDPR (and the General Data Protection, or GDPR, from which it is derived) that there is a high threshold to be met before disclosure of the personal data of children can be contemplated. In addition to the specific reference to the personal data of a child in Article 6(1)(f), the Commissioner notes Recital (38) of the GDPR:
Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data.
34. While the existence of a legitimate interest in the disclosure (into the public domain, as disclosure under FOISA must be) of children’s personal data cannot be ruled out, the Commissioner considers the circumstances in which such a legitimate interest could exist will be rare.
35. In this case, the Commissioner cannot regard such circumstances as present. While he cannot comment on the specific content of the personal data under consideration here, he does not consider information at that level of detail with regard to an individual child to be relevant to fulfilling any legitimate interest the Applicant might have.
36. In all the circumstances of this particular case, therefore, in the absence of a relevant legitimate interest, the Commissioner concludes that condition (f) in Article 6(1) of the UK GDPR cannot be met in relation to the withheld personal data. The Commissioner can identify no other Article 6(1) condition which would be relevant, in the circumstances. Disclosure would therefore be unlawful.
Fairness and transparency
37. Given the Commissioner’s finding that processing would be unlawful, he is not required to go on to consider separately whether disclosure of the personal data would otherwise be fair or transparent in relation to the data subjects.
38. The Commissioner therefore finds no condition in Article 6(1) of the GDPR can be met and that disclosure of the information requested would contravene Article 5(1)(a) of the GDPR. That being the case, the Commissioner does not consider it necessary to look at Article 5(1)(b) (which the Council also considered applicable), or whether the personal data include special category data in terms of Article 9(1) of the UK GDPR. He therefore concludes that the information was therefore properly withheld under section 38(1)(b) of FOISA.
The Commissioner finds that Perth and Kinross Council complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by the Applicant.
Should either the Applicant or the Council wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.
Head of Enforcement
28 November 2022
Appendix 1: Relevant statutory provisions
Freedom of Information (Scotland) Act 2002
1 General entitlement
(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.
(6) This section is subject to sections 2, 9, 12 and 14.
2 Effect of exemptions
(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that –
(a) the provision does not confer absolute exemption; and
(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption –
(e) in subsection (1) of section 38 –
(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.
38 Personal information
(1) Information is exempt information if it constitutes-
(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);
(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -
(a) would contravene any of the data protection principles, or
(5) In this section-
"the data protection principles" means the principles set out in –
(a) Article 5(1) of the UK GDPR, and
(b) section 34(1) of the Data Protection Act 2018;
"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act);
“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act).
(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.
UK General Data Protection Regulation
Article 5 Principles relating to processing of personal data
1 Personal data shall be:
a. processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”)
Article 6 Lawfulness of processing
1 Processing shall be lawful only if and to the extent that at least one of the following applies:
f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.
Data Protection Act 2018
3 Terms relating to the processing of personal data
(2) “Personal data” means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).
(3) “Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to –
(a) an identifier such as a name, an identification number, location data or an online identifier, or
(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
(4) “Processing”, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as –
(d) disclosure by transmission, dissemination or otherwise making available,
(10) “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).
(14) In Parts 5 to 7, except where otherwise provided –
(a) references to the UK GDPR are to the UK GDPR read with Part 2;
(c) references to personal data, and the processing of personal data, are to personal data and processing to which Part 2, Part 3 or Part 4 applies;
(d) references to a controller or processor are to a controller or processor in relation to the processing of personal data to which Part 2, Part 3 or Part 4 applies.