Decision Notice 103/2022: Ethnicity of individuals marking job applications
Public authority: University of Strathclyde
Case Ref: 202101007
The University was asked for the ethnicity of the individuals who marked specific job application forms. The University withheld this information as it considered it to be third party personal data which was exempt from disclosure. The Commissioner investigated and found that the University had been entitled to withhold certain information from the Applicant. He required the University to disclose other information to him.
Relevant statutory provisions
Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and 2(e)(ii) (Effect of exemptions), 38(1)(b), (2A), (5) (definitions of “the data protection principles”, “data subject”, “personal data” and “processing”, “the UK GDPR”) and (5A) (Personal information)
United Kingdom General Data Protection Regulation (the UK GDPR) articles 5(1)(a) (Principles relating to the processing of personal data); 6(1)(f) (Lawfulness of processing)
Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (10) and (14)(a), (c) and (d) (Terms relating to the processing of personal data)
The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.
1. On 12 May 2021, the Applicant made a request for information to the University of Strathclyde (the University). In his information request, the Applicant asked for various pieces of information, but only one part of his request is covered by this Decision Notice. That part of the request which is the subject of this Decision Notice read:
I also want to know the ethnicity of the markers who marked the application
2. The University responded on 24 May 2021. It refused to disclose the ethnicity of the markers as it considered this to be special category personal data, exempt from disclosure under section 38(1)(b) (read with section 38(2)) of FOISA.
3. On the same day, the Applicant wrote to the University, requesting a review of its decision as he was unhappy with the response and wanted it to be reviewed. The Applicant also stated that he believed it to be critical information to know the markers.
4. The University notified the Applicant of the outcome of its review on 23 June 2021. The University upheld its reliance on the exemption in section 38(1)(b). Whilst the University noted that disclosure of the ethnicity data itself would not identify individuals, it believed it could lead to individuals being identifiable taken together with other information which was publicly available. The University referred to specific sources of information in the public domain that it believed could, if accessed, assist in the identification of individuals. The University went on to explain why it considered this information to be special category personal data, and why it had determined that disclosure would breach the data protection principle in Article 5(1)(a) of the UK GDPR and would not fulfil any condition of processing in Articles 6 or 9 of the UK GDPR.
5. On 12 August 2021, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. The Applicant stated he was dissatisfied with the outcome of the University’s review because he believed it to be critical to know who marked the application for employment, and he did not agree with the exemption applied by the University.
6. The application was accepted as valid. The Commissioner confirmed that the Applicant made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.
7. On 7 September 2021, the University was notified in writing that the Applicant had made a valid application. The case was allocated to an investigating officer.
8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The University was invited to comment on this application and to answer specific questions. These related to what information it considered was available in the public domain which would enable identification of the individuals whose ethnicity data was being withheld. Submissions were also sought from the University as to why it considered disclosure of the ethnicity information to be a breach of the UK GDPR.
Commissioner’s analysis and findings
9. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both the Applicant and the University. He is satisfied that no matter of relevance has been overlooked.
Section 38(1)(b) – Personal information
10. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is “personal data” (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR or (where relevant) in the DPA 2018.
11. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.
12. To rely on this exemption, the University must show that the withheld information is personal data for the purposes of the DPA 2018 and that disclosure of the information into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles found in Article 5(1) of the UK GDPR.
13. The Commissioner must decide whether the University was correct to withhold the information requested under section 38(1)(b).
Is the withheld information personal data?
14. The first question the Commissioner must address is whether the ethnicity of those individuals who marked application forms for a specific job vacancy is personal data for the purposes of section 3(2) of the DPA 2018.
15. “Personal data” is defined in section 3(2) of the DPA 2018 as “any information relating to an identified or identifiable living individual”. Section 3(2) of the DPA 2018 defines “identifiable living individual” as a living individual who can be identified, directly or indirectly, in particular by reference to –
(i) an identifier, such as a name, an identification number, location data, or an online identifier, or
(ii) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
16. The University explained that it considered the ethnicity data of those marking the application forms to be personal data, as it, together with other information available in the public domain, could lead to identification of those individuals.
17. In its submissions, the University set out in detail what information, readily available in the public domain at the time the Applicant made his request, it considered could be used to identify those individuals involved in the marking of the application forms. This included information contained within the advert for the job vacancy concerned and information readily available from staff directories accessible from its externally facing website.
18. The two main elements of personal data are that the information must “relate” to a living person, and that the person must be identified – or identifiable – from the data, or from the data and other accessible information.
19. Information will “relate to” a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them, or has them as its main focus.
20. An individual is “identified” or “identifiable” if it is possible to distinguish them from other individuals.
21. In the case of Breyer v Bundesrepublik Deutschland (C-582/14) the Court of Justice of the European Union looked at the question of identification. The Court took the view that the correct test to consider is whether there is a realistic prospect of someone being identified. When making that determination, account can be taken of the information in the hands of a third party. However, there must be a realistic causal link.
22. Although this decision was made before the UK GDPR and the DPA 2018 came into force, the Commissioner considers that the same rules will apply. In accordance with Recital 26 of the GDPR (the source of the UK GDPR), the determination of whether a natural person is identifiable should take account of all means reasonably likely to be used to identify the person, directly or indirectly. In considering what is reasonably likely, the Recital states that all objective factors should be taken into account, such as the costs and amount of time required for identification, taking into consideration the available technology at the time of processing and technological developments.
23. The Commissioner has considered the University’s submissions, together with the withheld information. He does not accept that the withheld information on its own “relates to” identifiable individuals.
24. However, he does accept that, in the case of one of the individuals involved in marking the application forms, the withheld information, taken together with certain information which was readily available in the public domain at the time the Applicant made his request, would “relate to” that person, allowing them to be identified. Therefore, it would be their personal data, as defined in section 3(2) of the DPA.
25. The Commissioner is not satisfied that this is the case in relation to the other individual(s) who were involved in marking the application forms. It is the Commissioner’s view that there would be a need for the Applicant to know something of the University’s recruitment procedure to understand who, and from which parts of the University, it would involve in selection panels (those individuals responsible for marking completed job application forms) to enable him to be able to narrow down, or focus in, on likely staff members who might have been involved in marking the application forms.
26. In its submissions, the University directed the Commissioner to information available on its external facing website which relates to the recruitment process and procedures followed. The Commissioner is not satisfied that sufficient detail is included here to enable the Applicant, or anyone else, to identify with any level of confidence who would be most likely to make up a selection panel for this particular post.
27. For these reasons, the Commissioner does not accept that there is a realistic causal chain that could lead to the identification of the other individual(s) involved in marking the application forms, as claimed by the University. The Commissioner does not agree that those individual(s) would be identified, or identifiable, as a consequence of disclosure of the withheld information and other information already in the public domain, with the result that the information does not qualify as personal data, as defined in section 3(2) of the DPA.
28. As the Commissioner is satisfied that it would be possible to identify one of the members of staff responsible for marking the application forms from the withheld information and other information in the public domain, he accepts that certain of the withheld information “relates” to an identifiable individual. Therefore, the Commissioner concludes that this withheld information (relating to the one individual) is personal data for the purposes of section 3(2) of the DPA 2018.
29. Because the Commissioner is not satisfied that the remaining withheld information is personal data, he must find that the University was not entitled to withhold the ethnicity of other individual(s) involved in marking the application forms under section 38(1)(b) of FOISA.
30. The Commissioner therefore requires the University to provide the Applicant with the ethnicity of the other individual(s) involved in marking the application forms.
Which of the data protection principles would be contravened by disclosure?
31. The University stated that disclosure of the personal data would not meet the requirements of the first data protection principle (Article 5(1)(a) of the UK GDPR). Article 5(1)(a) states that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
32. In terms of section 3(4) of the DPA 2018, disclosure is a form of processing. In the case of FOISA, personal data is processed when it is disclosed in response to a request for information.
33. The University argued that processing of the withheld information would be unlawful, as no condition of processing in Article 6 could be fulfilled by disclosure in response to the Applicant’s request. The University also submitted that information relating to an individual(s) ethnicity was special category personal data under Article 9 of the UK GDPR, and that no condition of processing in Article 9 could be fulfilled by disclosure.
34. The Commissioner must now consider if disclosure of the personal data would be lawful (Article 5(1)(a)). In considering lawfulness, he must consider whether any of the conditions in Article 6 of the UK GDPR would allow for this data to be disclosed. The Commissioner considers condition (f) in Article 6(1) to be the only one which could potentially apply in the circumstances of this case.
Condition (f): legitimate interests
35. Condition (f) states that the processing will be lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data (in particular where the data subject is a child).
36. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.
37. The tests that must be met before Article 6(1)(f) can be satisfied are as follows:
(i) Does the Applicant have a legitimate interest in obtaining the personal data?
(ii) If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?
(iii) Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subject?
Does the Applicant have a legitimate interest in obtaining the personal data?
38. In his application to the Commissioner, the Applicant explained that he believed it to be critical for him to know who had marked the application for employment.
39. The University acknowledged that the Applicant has a right to request information under FOISA, subject to certain exceptions. It also recognised that the Applicant considered the requested information was “critical information”.
40. Having considered the submissions from both the Applicant and the University, the Commissioner accepts that the Applicant does have a legitimate interest in receiving the withheld information, as it would give him an understanding of who was involved in marking his application form for a job vacancy.
Is disclosure of the personal data necessary?
41. The Commissioner will now consider whether disclosure of the personal data requested is necessary for the Applicant’s identified legitimate interest. In doing so, he must consider whether these interests might reasonably be met by any alternative means.
42. The Commissioner has considered this carefully in light of the decision of the Supreme Court in South Lanarkshire Council v Scottish Information Commissioner  UKSC 55 .
43. “Necessary” means “reasonably” rather than “absolutely” or “strictly” necessary. When considering whether disclosure would be necessary, public authorities should consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the requester’s legitimate interests can be met by means which interfere less with the privacy of the data subject(s).
44. In its submissions, the University commented on the background to the Applicant’s request and explained that it had already provided information to him as to why his application had not been shortlisted and how it was scored in comparison to other applicants. It also noted that a complaint raised by the Applicant had already been dealt with as part of a separate process (outwith FOISA). The University therefore considered that it was not necessary to disclose this information to meet the Applicant’s legitimate interests.
45. In this case, the Commissioner must consider the information requested against the legitimate interest he has identified (in relation to the ethnicity of the individual(s) involved in marking the application forms) and whether disclosure of that information is necessary to achieve the Applicant’s identified legitimate interest.
46. The Commissioner understands that the Applicant considers it critical to know the ethnicity of those individual(s) who marked his application form. However, from reading the submissions from the University, together with the context of the whole information request made by the Applicant (part of which is covered by this Decision Notice), it is evident that information has already been disclosed to him to enable him to understand how many applicants there were for the vacancy, how many of those who applied were shortlisted and what score his application was given as compared to other applicants. It also appears that the University has sought to address a concern the Applicant raised over the personnel involved in the marking of the application forms by following an appropriate process, outwith FOISA. The Commissioner is therefore not convinced that it is “necessary” for the Applicant to be provided with the ethnicity of one of the individuals marking his application form in order to fulfil his legitimate interests, as he considers these interests to have been satisfied by the University already – outwith the FOISA process.
47. As the Commissioner has concluded that it is not necessary for the ethnicity of one of the individuals involved in marking his application form to be disclosed in order to fulfil the Applicant’s legitimate interest, he finds that condition (f) of Article 6(1) of the UK GDPR cannot be satisfied.
48. As mentioned above, the University argued that the withheld information falls within the definition of special category personal data under Article 9 of the UK GDPR, and the Commissioner agrees that this is the case.
49. In order for special category personal data to be processed lawfully a condition of processing in both Article 6 and Article 9 of the UK GDPR must be satisfied. As the Commissioner is not satisfied that any condition of processing in Article 6 can be fulfilled by disclosure, he is not required to go on to consider whether any condition in Article 9 would be satisfied. Accordingly, he accepts that making this personal data available would be unlawful.
50. Given that the Commissioner has found that the processing would be unlawful, he is not required to go on to consider separately the data subject’s interests or fundamental rights and freedoms (or balance them against any legitimate interest in disclosure of the information).
51. In all the circumstances of the case, in the absence of a condition in Article 6(1) of the UK GDPR being met, the Commissioner must conclude that disclosure of the personal data would breach the data protection principle in Article 5(1)(a) of the UK GDPR. Consequently, he is satisfied that disclosure of the personal data is exempt under section 38(1)(b) of FOISA.
The Commissioner finds that the University of Strathclyde (the University) partially complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant.
The Commissioner finds that, by relying on the exemption in section 38(1)(b) of FOISA for withholding certain information, the University complied with Part 1.
However, as the Commissioner was not satisfied that all of the withheld information was personal data, he found that the University failed to comply with Part 1 (in particular section 1(1)) in relying on section 38(1)(b) for that information.
The Commissioner therefore requires the University to disclose the ethnicity of the other individuals involved in marking the application forms for the job vacancy in question, by 5 December 2022.
Should either the Applicant or the University wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.
If the University fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that the University has failed to comply. The Court has the right to inquire into the matter and may deal with the University as if it had committed a contempt of court.
Head of Enforcement
19 October 2022
Appendix 1: Relevant statutory provisions
Freedom of Information (Scotland) Act 2002
1 General entitlement
(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.
(6) This section is subject to sections 2, 9, 12 and 14.
2 Effect of exemptions
(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that –
(a) the provision does not confer absolute exemption; and
(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption –
(e) in subsection (1) of section 38 –
(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.
38 Personal information
(1) Information is exempt information if it constitutes-
(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);
(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -
(a) would contravene any of the data protection principles, or
(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.
(5) In this section-
"the data protection principles" means the principles set out in –
(a) Article 5(1) of the UK GDPR, and
(b) section 34(1) of the Data Protection Act 2018;
"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act);
“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act).
(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.
UK General Data Protection Regulation
Article 5 Principles relating to processing of personal data
1 Personal data shall be:
a. processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”)
Article 6 Lawfulness of processing
1 Processing shall be lawful only if and to the extent that at least one of the following applies:
f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.
Data Protection Act 2018
3 Terms relating to the processing of personal data
(2) “Personal data” means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).
(3) “Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to –
(a) an identifier such as a name, an identification number, location data or an online identifier, or
(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
(4) “Processing”, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as –
(d) disclosure by transmission, dissemination or otherwise making available,
(10) “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).
(14) In Parts 5 to 7, except where otherwise provided –
(a) references to the UK GDPR are to the UK GDPR read with Part 2;
(c) references to personal data, and the processing of personal data, are to personal data and processing to which Part 2, Part 3 or Part 4 applies;
(d) references to a controller or processor are to a controller or processor in relation to the processing of personal data to which Part 2, Part 3 or Part 4 applies.