Decisions Round-up: 10 to 14 November 2014

We published four decisions between 10 and 14 November, most of which considered the relationship between FOI and data protection law in some way.  Here are the key messages:

Key messages:


  • Confirming whether you hold personal data can, in itself, breach the Data Protection Act (DPA)
    The FOI Act allows you to refuse to confirm whether you hold personal data in certain circumstances (section 18). In Decision 230/2014, we agreed that the public authority was entitled to refuse to confirm whether it had taken any sanctions against a named employee. If the Council had confirmed whether or not it had taken action, this would have breached the DPA, and so would not have been in the public interest.


  • Disclosing personal data - the more senior the employee, the more likely disclosure will be fair
    Third party personal data can be disclosed under the FOI Act provided the disclosure is fair and lawful. We'll consider a number of criteria in deciding whether disclosure would be fair and lawful  - one of these, the seniority of the employees, was considered in Decision 232/2014.


  • FOI requests for the requester's personal data
    If a requester asks for his or her own personal data under FOI, the personal data is exempt from disclosure and you should offer to treat the request as a subject access request under the DPA. Of course, it's not always straightforward to work out whether information is personal data. In Decision 233/2014, the requester did not believe that all of the information he had asked for was his personal data.

To learn more about the relationship between data protection and the FOI Act, read our briefing on the section 38 exemption.

Decisions issued:

  • Decision 230/2014 Jonathan and Carol Flynn and Perth and Kinross Council
    Mr and Mrs Flynn asked the Council whether it had taken disciplinary action against a named employee. The Council refused to confirm or deny whether it held any information falling within the scope of the request. We agreed this was the correct approach.


  • Decision 231/2014 Daniel Smillie and Scottish Public Pensions Agency (SPPA)
    Here, we found that the SPPA failed to respond to Mr Smillie's request and request for review in line with the timescales set down by the FOI Act.


  • Decision 232/2014 John Mauger and the Scottish Police Authority (SPA)
    Mr Mauger wanted to know whether six named Assistant Chief Constables (ACCs) had obtained a particular qualification. We ordered the SPA to disclose the information. While the information was the personal data of the ACCs, given the seniority of the officers involved we considered it was fair to disclose it.


  • Decision 233/2014 Mr T and the Scottish Prison Service (SPS)
    Mr T asked the SPS for copies of the notes taken during an Internal Complaints Committee meeting which had discussed a number of his complaints. The SPS withheld the information under section 38(1)(a) on the basis that the notes were all Mr T's personal data. The SPS suggested he make a subject access request for the notes under the Data Protection Act. Having viewed the information, we agreed that it was all Mr T's personal data and so was exempt from disclosure under FOI.


Back to Top