Decision 001/2006 - Mr Edward Milne and the Crown Office and Procurator Fiscal Service
Request for information relating to the applicant – whether exempt under section 38(1)(a) of the Freedom of Information (Scotland) Act 2002 – personal information – whether personal information of persons other than the applicant is exempt in terms of section 38(1)(b) – information not held – section 17 – failure to respond to request within the 20 working day timescale set out in section 21(1) of the Act.
Request for information relating to the applicant
Applicant: Mr Edward Milne
Authorities: The Crown Office and Procurator Fiscal Service
Case No: 200502483
Decision Date: 5 January 2006
Kevin Dunion
Scottish Information Commissioner
Facts
Mr Milne wrote to Mr Colin Boyd, the Lord Advocate, requesting all of the information held that related to Mr Milne, including minutes of meetings, internal memos, correspondence and e-mails. The Crown Office and Procurator Fiscal Service responded to Mr Milne, informing him that his request would be dealt with under the Data Protection Act 1998 (DPA) since the information he had requested related to him. Mr Milne submitted his subject access request, accompanied by proof of his identity, but was not content with the information he received under the DPA. He then submitted a request for the same information under the Freedom of Information (Scotland) Act 2002 (FOISA).
The Crown Office and Procurator Fiscal Service provided Mr Milne with copies of correspondence it held in a file which related to Mr Milne’s application to the Scottish Criminal Cases Review Commission. It also informed Mr Milne that some of the information he had requested was exempt from disclosure under section 38(1)(a) of FOISA since it constituted personal information of which Mr Milne was the data subject. It also informed Mr Milne that the personal data of other individuals, which was exempt from release under the DPA, was also exempt under section 38(1)(b) of FOISA. Finally, it informed Mr Milne that the rest of the information he had requested was not held by the Crown Office as it had been destroyed in line with its records management procedures.
Mr Milne requested a review under FOISA but received no reply. He then applied to the Scottish Information Commissioner for a decision.
Outcome
The Commissioner found that the Crown Office and Procurator Fiscal Service complied with Part 1 of FOISA in deciding to withhold personal information under section 38(1)(a) of FOISA on the grounds that Mr Milne’s request for all information relating to him constituted a request for personal data of which he was the data subject and as such should be dealt with under the DPA.
The Commissioner found that the disclosure of third party personal data requested by Mr Milne would have contravened the first and second data protection principles of the DPA. This information was correctly withheld by the Crown Office and Procurator Fiscal Service under section 38(1)(b) of FOISA. The Commissioner was also satisfied that the Crown Office was correct to have informed Mr Milne that the rest of the information he requested was not held, under section 17 of FOISA.
The Commissioner found that the Crown Office and Procurator Fiscal Service failed to respond to Mr Milne’s request for a review within the 20 working day timescale set out in section 21(1) of FOISA. The Commissioner was satisfied that procedures had been implemented by the Crown Office and Procurator Fiscal Service in order to improve its response to information requests. No further remedial steps require to be taken.
Appeal
Should Mr Milne or the Crown Office and Procurator Fiscal Service wish to appeal against this decision, there is a right of appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days of receipt of this notice.
Background
1. On 5 May 2005, Mr Milne wrote to Mr Colin Boyd, the Lord Advocate, requesting “all information that relates to me, Edward Milne, and which includes minutes of meetings, internal memo’s, correspondence and e-mails” under the Freedom of Information (Scotland) Act 2002 (FOISA). This was acknowledged by the Crown Office and Procurator Fiscal Service (the Crown Office) on 10 May 2005 and a representative from the Crown Office sent Mr Milne a letter on 16 May 2005. In her letter the representative stated:
“As the information you have requested relates to yourself, we require to treat it as a request for information under the Data Protection legislation, rather than the Freedom of Information Act.”
2. A data subject access request application form was enclosed for Mr Milne to fill in and return. Mr Milne submitted his subject access request to the Crown Office on 17 May 2005. The Crown Office responded to Mr Milne on 17 June 2005, and processed his request under the provisions of the Data Protection Act 1998 (DPA). Some information was provided and some was withheld on the basis of exemptions applied under the DPA. The Crown Office provided Mr Milne with an explanation of its reasons for withholding some of the information and also provided details of how he could write to the Information Commissioner in Wilmslow if he considered that his request had not been dealt with in accordance with the DPA.
3. Mr Milne wrote to the Crown Office on 18 June 2005, asking for a review of its decision. Mr Milne emphasised that he wanted his request to be treated under FOISA. This was responded to on 18 July 2005. In its letter the Crown Office reiterated that Mr Milne’s initial request was made in terms of the DPA and was a request for his personal information which the Crown Office held about him. The Crown Office maintained that Mr Milne could not obtain information, the provision of which would necessarily disclose the personal information of any other person. It held that such information was exempt from disclosure in terms of section 7(4) of the DPA.
4. Mr Milne’s letter of 18 June 2005 was treated by the Crown Office as a new request for information under the provisions of FOISA. It was explained to Mr Milne, in a letter dated 18 July 2005, that freedom of information legislation is not a means by which a person can obtain the personal information that relates to other individuals which would not otherwise be disclosable. For this reason the Crown Office insisted that information which was withheld from Mr Milne in response to his request under the DPA was also exempt under FOISA in terms of section 38(1)(b). This exempts third party personal data if the release of the information would breach any of the data protection principles.
5. The Crown Office also stated that it had provided Mr Milne with copies of correspondence it held in a file which related to Mr Milne’s application to the Scottish Criminal Cases Review Commission (SCCRC). Certain parts of that correspondence had been deleted because they contained the personal data of other individuals. The Crown Office advised Mr Milne that this information had been appropriately withheld under section 38(1)(b) of FOISA since it constituted the personal data of other individuals and disclosure would breach the data protection principles.
6. In Mr Milne’s letter, of 18 June 2005, he expanded upon the information he required. In its response the Crown Office recognised the fact that Mr Milne’s FOISA request was wider than the previous DPA request which related only to his personal information. However, other than the SCCRC correspondence that had been supplied to him, the Crown Office advised Mr Milne that the information he had requested was not held by the Crown Office, in line with section 17 of FOISA.
7. Mr Milne sent a fax to the Crown Office on 20 July 2005, requesting a review of its refusal to provide him with the information he had requested. In his fax, he further expanded upon the information that he was seeking. This fax was not received by the Crown Office.
8. Mr Milne was dissatisfied with the lack of response from the Crown Office in relation to his request for review and applied to me for a decision on 24 August 2005. The case was assigned to an investigating officer.
The Investigation
9. Mr Milne’s appeal was validated by establishing that he had made a written request for information to a Scottish public authority, and had appealed to me only after requesting a review from the authority.
10. The Crown Office was contacted by my Office on 26 August 2005. It was informed that Mr Milne had applied to me for a decision in relation to his dissatisfaction with the way the Crown Office had dealt with his request for information. The Crown Office was also asked to provide information that would allow the investigation to proceed and to comment on the issues raised by Mr Milne’s request in terms of section 49(3) of FOISA.
11. When Mr Milne applied to me for a decision he complained that he had not received a reply to his request for review which was sent by fax to the Crown Office on 20 July 2005. The investigating officer provided the Crown Office with a copy of Mr Milne’s request for review on 26 August 2005. The Crown Office contacted my Office on 5 September 2005 and confirmed that it had no record of ever receiving the original fax but agreed to carry out the review.
12. The Crown Office was asked to provide comments regarding the apparent non-receipt of Mr Milne’s fax. In its response, the Crown Office provided an overview of the procedures that are in place for monitoring and logging incoming faxes. This matter is considered in more detail in paragraph 31 below.
13. On 23 September 2005, the Crown Office contacted Mr Milne to inform him of the outcome of its review. The review upheld the initial decision that the information requested (insofar as it was held by the Crown Office) was either personal data which required to be dealt with under the DPA (i.e. the personal information of Mr Milne) or had been appropriately withheld under section 38(1)(b) of FOISA since it constituted the personal data of other individuals and disclosure would breach the data protection principles.
14. The investigating officer contacted the Crown Office on 23 November 2005, to ascertain which of the data protection principles would be breached by disclosing such information under FOISA. The Crown Office responded on 25 November 2005, providing the investigating officer with the details requested. This is discussed in paragraphs 27 and 28 below.
15. As part of the Crown Office’s review an independent search had been carried out to determine whether any documents were available. The issues with which Mr Milne is concerned date back to 1989, and the Crown Office confirmed that many of the papers relating to such matters had been destroyed in line with its paper retention policy under the terms of the Disposal of Court Records (Scotland) Regulations 1990. No further documentation was found at the review stage in addition to that already considered and the Crown Office upheld its previous decision.
The Commissioner’s Analysis and Findings
16. To date, Mr Milne has made a number of applications to me for a decision. In each case, Mr Milne’s requests for information to public authorities were formulated in the following way:
“I require all information that relates to me, Edward Milne, and which includes minutes of meetings, internal memos, correspondence and e-mails.”
17. It is my view that this constitutes a request for all of the information that is held about Mr Milne. In other words, it is a request for personal information and should be dealt with under the terms of the DPA. Indeed, the long title of the DPA states that it is an Act to make provision for “the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information.”
Sections 38(1)(a) and (b) of FOISA – personal information
18. Section 38(1)(a) of FOISA states that information is exempt information if it constitutes personal data of which the applicant is the data subject.
19. The term “personal data” is defined in section 1(1) of the DPA as:
“data which relate to a living individual who can be identified:
a) from those data, or
b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller...”
20. The definition is subject to the interpretation contained in Durant v Financial Services Authority [2003] EWCA Civ 1746. In this decision, the Court of Appeal held that if information is to be viewed as personal data, the information has to be biographical in a significant sense, i.e. go beyond the recording of the individual’s involvement in a matter or event that has no personal connotations. The individual also has to be the focus of the information, rather than some other person with whom that individual may have been involved. The Court of Appeal summarised these two aspects as information affecting a person’s privacy whether in his personal or family life, business or professional capacity.
21. In my view, Mr Milne’s initial request clearly constituted a request for personal information and the Crown Office was correct to consider such a request as being exempt from FOISA by virtue of section 38(1)(a) on the basis that it constituted a request for personal data of which the applicant was the data subject.
22. Mr Milne has been advised by my office on a number of occasions that a request for information that relates to him is a request for personal information and that public authorities were correct to treat such requests under the DPA rather than FOISA. He was also advised to submit a subject access request under the DPA to the relevant public authorities who had invited him to do so in order to obtain the information he required.
23. It should be noted that FOISA and the DPA are mutually exclusive, i.e. information that is available under one piece of legislation is not available under the other: the two pieces of legislation serve two entirely different purposes.
24. Where a request is made to a public authority for personal information relating to the individual making the request, that request must be dealt with under the DPA. This is to protect the privacy of individuals – the information is made available to that person only.
25. As mentioned above, under section 38(1)(a) of FOISA information is exempt if it constitutes personal data of which the applicant is the data subject. In other words, it is not possible for a person to obtain his or her own personal information under FOISA. This is because disclosure of information under FOISA is effectively disclosure to the world at large and the release by a public authority of an individual’s personal information into the public domain without their consent would constitute a breach of their privacy rights.
26. Similarly, where third party personal information is held to be exempt from disclosure under the DPA because it would breach one or more of the data protection principles, that information will also be exempt from disclosure under FOISA in terms of section 38(1)(b). This exemption is absolute (i.e. it is not subject to the public interest test) in cases where disclosure of the information would breach any of the data protection principles.
27. The investigating officer contacted the Crown Office to ascertain which of the data protection principles would be breached by disclosure of the information. The Crown Office responded by stating that the provision of the personal data sought by Mr Milne would contravene the first principle of the DPA which states that data shall be processed fairly and lawfully and shall not be processed unless at least one of the conditions in Schedule 2 of the DPA is met. The Crown Office stated that in this case none of the conditions in Schedule 2 are satisfied and the disclosure of this data would therefore contravene the first principle.
28. The Crown Office also stated that the second principle of the DPA would be contravened by disclosing the information because disclosure would be incompatible with the purpose for which the information was obtained. Personal information of this nature is provided to the prosecution service on the understanding that it will be used for the purposes of prosecution and not for general disclosure to members of the public. I am satisfied that the Crown Office’s reasoning is correct and that disclosure of the third party personal data would breach the data protection principles as stipulated above.
Records management procedures
29. The paper retention policy which relates to case papers held by the Crown Office and Procurator Fiscal Service was provided to my investigating officer on 26 October 2005. This sets out the periods for which the case papers that are held by procurators fiscal are retained. The general practice in the Ministerial Private Office in Crown Office is to keep such correspondence for a period of 5 years where that correspondence relates to an investigation or, where appropriate, the preparation for court proceedings. In light of the assurances provided by the Crown Office, I am satisfied that all such correspondence had been destroyed in line with the Crown Office’s document retention policy and was therefore not held when Mr Milne made his information request.
30. Mr Milne’s request for a review appears to have been sent to the Crown Office by fax on 20 July 2005, but it was never received. In order to investigate this matter the Crown Office was asked to provide details of the procedures it has in place for monitoring and logging incoming faxes. It responded by stating that the Personal Assistant to the Head of Policy checks the fax machine periodically throughout the day and keeps an ear open for the ringing tone at all times. If she is absent, she arranges for another member of the administrative staff to check the fax machine.
31. The Crown Office stated that, since most correspondents appear to prefer to send either letters or e-mail, it does not receive as many faxes as it used to. However, those that are received are associated with any previous correspondence and passed to the appropriate official for reply. Where a new request for information is received it is logged and passed to an official in the appropriate team for a response. The Crown Office assured me that it aims to ensure that faxes receive immediate attention upon receipt.
32. None of the staff in the Crown Office recall ever having received Mr Milne’s fax and there is no evidence to suggest that any problems have occurred with the Crown Office’s fax machine previous to or since that date. However, the Crown Office has assured me that the need to be vigilant has been stressed to staff and I am satisfied that sufficient procedures are in place to respond to information requests received in this manner.
Decision
I find that the Crown Office and Procurator Fiscal Service complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in deciding to withhold personal information under section 38(1)(a) on the basis that Mr Milne’s request for all information relating to him constituted a request for personal data of which he was the data subject and as such should be dealt with under the terms of the Data Protection Act 1998.
I also find that the disclosure of third party personal data requested by Mr Milne under FOISA would have contravened the first and second data protection principles of the DPA. This information was correctly withheld by the Crown Office and Procurator Fiscal Service under section 38(1)(b) of FOISA. I am also satisfied that the Crown Office was correct to have informed Mr Milne that the rest of the information he requested was not held, under section 17 of FOISA.
I find that the Crown Office and Procurator Fiscal Service failed to respond to Mr Milne’s request for a review within the 20 working day timescale set out in section 21(1) of FOISA. However, I am satisfied with the Crown Office and Procurator Fiscal Service’s assurances that procedures have now been implemented in order to improve its response to information requests and I require no further remedial steps to be taken.
Kevin Dunion
Scottish Information Commissioner
5 January 2006
Link to PDF file of decision 001/2006 (62.8 kb)