Decision Notice 126/2022: Information relating to internal processes
Public authority: Grampian Housing Association Ltd
Case Ref: 202000178
GHA was asked for information relating to internal processes about a particular matter. GHA provided some information to the Applicant, but withheld some information it considered to be third party personal data or legal advice. The Commissioner investigated and found that GHA had generally complied with FOISA in withholding information as the Applicant’s personal data, although it should have identified the information falling within the scope of the request more accurately.
Relevant statutory provisions
Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General Entitlement); 2(1)(a) and (2)(e)(i) (Effect of exemptions); 38(1)(a) and (5) (definitions of “data subject” and “personal data”) (Personal information)
Data Protection Act 2018 (the DPA 2018) sections 3(2), (3) and (5) (Terms relating to processing of personal data)
The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.
1. On 21 November 2019, the Applicant made a request for information to Grampian Housing Association Ltd (GHA). The information requested was related to internal processes to do with a particular matter, and was in three parts. It is the usual practice of the Commissioner to replicate, as far as practicable, the request as asked by the Applicant. However, in this case, doing so would risk the identification of individuals. The Commissioner has therefore given a very general outline of the request to ensure compliance with all relevant legislation.
2. GHA responded on 19 December 2019. It provided the information in relation to two parts of the request. With regard to the remaining part, GHA provided some information, with redactions under sections 38(1)(a), 38(1)(b) (Personal information) and 36(1) (Confidentiality) of FOISA. GHA reminded the Applicant that he had an unredacted copy of a particular document but offered a further copy if required. (It also provided a separate response to his request in line with his subject access rights under article 15 of the General Data Protection Regulation (the GDPR).)
3. On 2 January 2020, the Applicant wrote to GHA, requesting a review of its decision on the basis that he considered the information provided had been redacted more than was necessary, and that full disclosure was in the public interest. He highlighted that he was requesting both the draft and final versions of a particular document.
4. GHA notified the Applicant of the outcome of its review on 29 January 2020, upholding its original decision with regard to the information withheld under sections 38(1)(a), 38(1)(b) and 36(1) of FOISA.
5. On 3 February 2020, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. The Applicant stated he was dissatisfied with the outcome of GHA’s review because he considered the information provided had been redacted more than necessary. He did not think the reasons given were competent and considered disclosure was in the public interest. Additionally, he stated that he had not received a copy of the draft version of a particular document that he had requested.
6. The application was accepted as valid. The Commissioner confirmed that the Applicant made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.
7. On 19 March 2020, GHA was notified in writing that the Applicant had made a valid application. GHA was asked to send the Commissioner the information withheld from the Applicant. GHA provided the information and the case was allocated to an investigating officer.
8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. GHA was invited to comment on this application and to answer specific questions. These related to its reasons for relying in sections 38(1)(a), 38(1)(b) and 36(1) to withhold the information.
9. Both the Applicant and the public authority provided submissions to the Commissioner.
Commissioner’s analysis and findings
10. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both the Applicant and GHA. He is satisfied that no matter of relevance has been overlooked.
Information falling within the scope of the request
11. The Commissioner was provided with documents comprising meeting minutes, emails and reports, each with information redacted. Some of the information contained in these documents had already been provided to the Applicant, in line with his subject access rights (see above).
12. The Commissioner carefully considered each of these redactions in turn, with reference to the request. He concluded that some of the withheld information fell outwith the scope of the request, as it was not directly related to it. In not identifying correctly the information falling within the scope of the request, the Commissioner finds that GHA failed to comply fully with section 1(1) of FOISA.
Section 38(1)(a) – Personal information (requestor’s own personal data)
13. Section 38(1)(a) of FOISA contains an absolute exemption in relation to personal data of which an applicant is the data subject. The fact that it is an absolute exemption means that it is not subject to the public interest test set out in section 2(1) of FOISA.
14. This exemption exists under FOSIA because individuals have a separate right to make a request for their own personal data under the United Kingdom General Data Protection Regulation (the UK GDPR) (now – at the time of the request, under the GDPR). This route is more appropriate for individuals accessing their personal data, as it ensures it is disclosed only to the individual. Information disclosed under FOISA is considered to be disclosed into the public domain. Section 38(1)(a) does not deny individuals a right to access information about themselves, but ensures that the right is exercised under the correct legislation (the UK GDPR, and previously the GDPR) and not under FOISA.
15. It is not for the Commissioner to comment on whether disclosures to the data subject under the GDPR or the UK GDPR have been made in accordance with the appropriate legislation. That would be a matter for the (UK) Information Commissioner.
16. Personal data are defined in section 3(2) of the DPA 2018 which, read with section 3(3), incorporates the definition of personal data in Article 4(1) of the UK GDPR:
“…any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
17. The definition of personal data is set out in full in Appendix 1.
18. The Commissioner has carefully considered the information falling within the scope of the Applicant’s request. It is apparent that the subject matter of the request, and the withheld information, relates to a matter directly concerning the Applicant. It is also apparent that the Applicant could be identified from the information, particularly in conjunction with other information that is in the public domain. In some instances, there is third-party personal data mixed with the personal data of the Applicant, but it is the Commissioner’s view that all of the information is, in any case, the Applicant’s personal data. He considers, therefore, that the appropriate action is to consider the information under the exemption in section 38(1)(a) of FOISA.
19. Overall, in the circumstances, the Commissioner is satisfied that all of the withheld information, that he has deemed to be within the scope of the Applicant’s request, is the Applicant’s own personal data and can therefore be withheld under section 38(1)(a) of FOISA.
20. As the Commissioner has determined that all of the information falling within the scope of the request should be withheld under section 38(1)(a), he is not required to go on to consider the other exemptions applied by GHA. He would ask GHA to consider, however, whether (given that it was all absolutely exempt under section 38(1)(a) in any case) it was helpful to the Applicant to suggest in its responses that elements of the withheld information might be considered separately under other exemptions.
The Commissioner finds that Grampian Housing Association Ltd (GHA) failed to comply with Part 1 (and in particular section 1(1)) of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant, as it identified and located information which had not, in fact, been requested.
Given that the Commissioner has found that all of the information withheld either falls outwith the scope of the request or should be withheld under section 38(1)(a) of FOISA, the Commissioner does not require GHA to take any action in respect of this failure, in response to the Applicant’s application.
Should either the Applicant or GHA wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.
Scottish Information Commissioner
23 November 2022
Appendix 1: Relevant statutory provisions
Freedom of Information (Scotland) Act 2002
1 General entitlement
(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.
(6) This section is subject to sections 2, 9, 12 and 14.
2 Effect of exemptions
(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that –
(a) the provision does not confer absolute exemption; and
(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption –
(e) in subsection (1) of section 38 –
(i) paragraphs (a), (c) and (d); and
38 Personal information
(1) Information is exempt information if it constitutes-
(a) personal data of which the applicant is the data subject;
(5) In this section-
"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act);
Data Protection Act 2018
3 Terms relating to the processing of personal data
(2) “Personal data” means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).
(3) “Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to –
(a) an identifier such as a name, an identification number, location data or an online identifier, or
(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
(5) “Data subject” means the identified or identifiable living individual to whom personal data relates.