Decision Notice 037/2024: Employment contract of named individual
Authority: East Lothian Council
Case Ref: 202200752
Summary
The Applicant asked the Authority for a named individual’s employment contract. The Authority refused to disclose
the requested information, as it was third party personal data. The Commissioner investigated and agreed that the
employment contract was exempt from disclosure under section 38(1)(b) of FOISA.
Relevant statutory provisions
Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 2(1)(a) and
(2)(e)(ii) (Effect of exemptions); 38(1)(b), (2A), (5) (definitions of “data protection principles”, “data
subject”,” personal data”, “processing” and “UK GDPR”) and (5A) (Personal information); 47(1) and (2) (Application
for decision by Commissioner)
United Kingdom General Data Protection Regulation (the UK GDPR) articles 4(1) (definition of "personal data");
5(1)(a) (Principles relating to processing of personal data); 6(1)(f) (Lawfulness of processing)
Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (10) and (14) (Terms relating to the
processing of personal data)
The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The
Appendix forms part of this decision.
Background
1. On 12 March 2022, the Applicant made a request for information to the Authority. The Applicant asked for
a copy of a named individual’s employment contract with the Authority (from the date they commenced their
employment to the date of his information request).
2. The Authority responded on 6 April 2022. The Authority informed the Applicant that the employment
contract was considered exempt under section 38(1)(b) of FOISA, as it was the personal data of the named
individual.
3. On 9 April 2022, the Applicant wrote to the Authority requesting a review of its decision. The Applicant
stated that he was dissatisfied with the decision because he considered that the named individual was not
currently employed by the Authority and was not employed by the Authority in 2016, when the named individual
submitted a letter of evidence relating to him to Edinburgh Sheriff Court.
4. The Authority notified the Applicant of the outcome of its review on 11 May 2022. The Authority upheld it
original decision, without modification. The Authority provided further explanation why it considered the
requested information was personal data of the named individual and why it was exempt under section 38(1)(b) of
FOISA.
5. On 1 July 2022, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1)
of FOISA. The Applicant stated that he was dissatisfied with the outcome of the Authority’s review for the
reasons set out in his requirement for review.
Investigation
6. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the
power to carry out an investigation.
7. On 12 July 2022, the Authority was notified in writing that the Applicant had made a valid application.
8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide
comments on an application. The Authority was invited to comment on this application and did so.
9. The case was subsequently allocated to an investigating officer.
Commissioner’s analysis and findings
10. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority.
Section 38(1)(b): Personal information
11. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) or (b), exempts information from
disclosure if it is “personal data“ (as defined in section 3(2) of the DPA 2018) and its disclosure would
contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR.
12. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an
absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of
FOISA.
Is the information personal data?
13. The first question the Commissioner must address is whether the information withheld by the Authority
under this exemption is personal data for the purposes of section 3(2) of the DPA 2018, i.e. any information
relating to an identified or identifiable living individual. “Identifiable living individual” is defined section
3(3) of the DPA 2018 – see Appendix 1. (This definition reflects the definition of personal data in Article 4(1)
of the UK GDPR.)
14. Information will "relate to" a person if it is about them, is linked to them, has biographical
significance for them, is used to inform decisions affecting them, or has them as its main focus.
15. The Applicant named the individual whose employment contract he sought.
16. The Commissioner is satisfied that the withheld information relates to an identifiable individual and
accepts that the information is personal data for the purposes of section 3(2) of the DPA 2018.
Would disclosure contravene one of the data protection principles?
17. The Authority argued that disclosure would breach the data protection principle in Article 5(1)(a) of the
UK GDPR. Article 5(1) states that personal data shall be processed “lawfully, fairly and in a transparent manner
in relation to the data subject.”
18. "Processing" of personal data is defined in section 3(4) of the DPA 2018. It includes (section 3(4)(d))
disclosure by transmission, dissemination or otherwise making available personal data. The definition therefore
covers disclosing information into the public domain in response to a FOISA request.
19. The Commissioner must consider whether disclosure of the personal data would be lawful. In considering
lawfulness, he must consider whether any of the conditions in Article 6 of the UK GDPR would allow the data to be
disclosed.
20. The Commissioner considers that condition (f) in Article 6(1) is the only condition which could
potentially apply in the circumstances of this case.
Condition (f): legitimate interests
21. Condition (f) states that processing shall be lawful if it -
is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where
such interests are overridden by the interests or fundamental rights and freedoms of the data subject which
require protection of personal data, in particular where the data subject is a child.
22. Although Article 6 states that this condition cannot apply to processing carried out by a public authority
in the performance of their tasks, section 38(5A) of FOISA makes it clear that public authorities can rely on
Article 6(1)(f) when responding to requests under FOISA.
23. The three tests which must be met before Article 6(1)(f) are as follows (see paragraph 18 of South
Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55 – although this case was decided before
the GDPR (and UK GDPR) came into effect, the relevant tests are almost identical):
- does the Applicant have a legitimate interest in the personal data?
- if so, would the disclosure of the personal data be necessary to achieve that legitimate interest?
- even if the processing would be necessary to achieve the legitimate interest, would that be overridden by
the interests or fundamental rights and freedoms of the data subjects which require protection of personal data
(in particular where the data subject is a child)?
Does the Applicant have a legitimate interest?
24. The Applicant explained that he had a legitimate interest in the disclosure of the employment contract in
order to prove that the data subject worked for the Authority, and that they did so when they submitted a letter
of evidence relating to him to Edinburgh Sheriff Court in 2016 when the Authority was seeking to have an
Antisocial Behaviour Order (ASBO) imposed on him.
25. The Applicant explained that he believed the data subject had left their employment at the Authority when
their letter of evidence relating to him was submitted to Edinburgh Sheriff Court, and that their letter therefore
had no “merit” and should not “carry any sway”.
26. The Authority provided an overview of the Applicant’s correspondence with itself since 2000 and the effect
it has had on its employees. The Authority noted that every request from applicants must be considered on its own
merits, and that it is possible that the Applicant might have a legitimate interest in the disclosure of the
information requested in this instance.
27. However, based on the body of evidence of the Applicant’s history of contact with the Authority, the
Authority considered it likely, on the balance of probabilities, that the Applicant did not have a legitimate
interest in the disclosure of the information requested in this instance.
28. The Commissioner has considered submissions from the Applicant and the Authority carefully. In the
circumstances, the Commissioner accepts that the Applicant has a legitimate interest in the personal data.
Is disclosure necessary to achieve that legitimate interest?
29. Here, “necessary” means “reasonably” rather than absolutely or strictly necessary. The Commissioner must
therefore consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be
achieved, or whether the Applicant’s legitimate interests can be met by means which interfere less with the
privacy of the data subjects (the two panel members).
30. The Commissioner notes that, if the information the Applicant has requested is disclosed in response to a
FOISA request, it is, in effect, disclosed into the public domain.
31. The Commissioner notes the Applicant’s reasons for considering that the data subject’s employment contract
should be disclosed, and accepts that the Applicant has a legitimate interest in establishing whether the data
subject was an employee of the Authority at the time they submitted a letter of evidence relating to him to
Edinburgh Sheriff Court.
32. However, the Applicant has not provided any argument as to why he considers that it is necessary for the
data subject’s employment contract (rather than, for example, the dates of their employment) to be disclosed in
order for him to achieve this legitimate interest.
33. While there are legal processes available to challenge the imposition of ASBOs and it is for Edinburgh
Sheriff Court to satisfy itself as to the validity of the evidence it receives, the Commissioner also notes that
the Applicant’s information request post-dates the events in question by some six years.
34. The Commissioner therefore considers it highly unlikely that disclosure of the data subject’s employment
contract would allow the Applicant to challenge the evidence the data subject provided to Edinburgh Sheriff Court
in any meaningful sense.
35. The Applicant clearly believes that he needs the data subject’s employment contract to challenge the
evidence they submitted relating to him to Edinburgh Sheriff Court. However, in the circumstances of this case,
the Commissioner considers that insofar as it is possible for the Applicant to meaningfully pursue any concerns
about that evidence, he can do so without the data subject’s employment contract being disclosed to him (or,
consequently, to the world at large).
36. The Commissioner is therefore satisfied that, although the Applicant has a legitimate interest in the
personal data, disclosure is not necessary to achieve that legitimate interest.
37. In the absence of a condition in Article 6 of the UK GDPR which would allow the data subject’s employment
contract to be disclosed lawfully, disclosure would breach Article 5 of the UK GDPR. The data subject’s
employment contract is, therefore, exempt from disclosure under section 38(1)(b) of FOISA.
Decision
The Commissioner finds that the Authority complied with Part 1 of the Freedom of Information (Scotland) Act 2002
(FOISA) in responding to the information request made by the Applicant.
Appeal
Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal
to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of
intimation of this decision.
David Hamilton
Scottish Information Commissioner
20 March 2024
Appendix 1: Relevant statutory provisions
Freedom of Information (Scotland) Act 2002
1 General entitlement
(1) A person who requests information from a Scottish public authority which holds it is entitled to be given
it by the authority.
(2) The person who makes such a request is in this Part and in Parts 2 and 7 referred to as the “applicant.”
…
(6) This section is subject to sections 2, 9, 12 and 14.
2 Effect of exemptions
(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to
the extent that –
(a) the provision does not confer absolute exemption; and
…
(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are
to be regarded as conferring absolute exemption –
…
(e) in subsection (1) of section 38 –
…
(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.
38 Personal information
(1) Information is exempt information if it constitutes-
…
(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);
…
(2A) The first condition is that the disclosure of the information to a member of the public otherwise than
under this Act -
(a) would contravene any of the data protection principles, or
(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data
held by public authorities) were disregarded.
…
(5) In this section-
"the data protection principles" means the principles set out in –
(a) Article 5(1) of the UK GDPR, and
(b) section 34(1) of the Data Protection Act 2018;
"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
…
which relates to an identifiable person or household;
“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see
section 3(2), (4) and (14) of that Act);
“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14)
of that Act).
(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the
UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be
read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public
authorities) were omitted.
…
47 Application for decision by Commissioner
(1) A person who is dissatisfied with -
(a) a notice under section 21(5) or (9); or
(b) the failure of a Scottish public authority to which a requirement for review was made to give such a
notice.
may make application to the Commissioner for a decision whether, in any respect specified in that application, the
request for information to which the requirement relates has been dealt with in accordance with Part 1 of this
Act.
(2) An application under subsection (1) must -
(a) be in writing or in another form which, by reason of its having some permanency, is capable of being used
for subsequent reference (as, for example, a recording made on audio or video tape);
(b) state the name of the applicant and an address for correspondence; and
(c) specify –
(i) the request for information to which the requirement for review relates;
(ii) the matter which was specified under sub-paragraph (ii) of section 20(3)(c);
and
(iii) the matter which gives rise to the dissatisfaction mentioned in subsection (1).
UK General Data Protection Regulation
Article 5 Principles relating to processing of personal data
1 Personal data shall be:
a. processed lawfully, fairly and in a transparent manner in relation to the data subject
(“lawfulness, fairness and transparency”)
…
Article 6 Lawfulness of processing
1 Processing shall be lawful only if and to the extent that at least one of the following applies:
…
f. processing is necessary for the purposes of the legitimate interests pursued by the
controller or by a third party, except where such interests are overridden by the
interests or fundamental rights and freedoms of the data subject which require the protection of
personal data, in particular where the data subject is a child.
…
Data Protection Act 2018
3 Terms relating to the processing of personal data
…
(2) “Personal data” means any information relating to an identified or identifiable living
individual (subject to subsection (14)(c)).
(3) “Identifiable living individual” means a living individual who can be identified, directly
or indirectly, in particular by reference to –
(a) an identifier such as a name, an identification number, location data or an
online identifier, or
(b) one or more factors specific to the physical, physiological, genetic, mental,
economic, cultural or social identity of the individual.
(4) “Processing”, in relation to information, means an operation or set of operations
which is performed on information, or on sets of information, such as –
…
(d) disclosure by transmission, dissemination or otherwise making available,
…
(10) “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April
2016 on the protection of natural persons with regard to the processing of personal data and on the free movement
of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and
Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see
section 205(4)).
…
(14) In Parts 5 to 7, except where otherwise provided –
(a) references to the UK GDPR are to the UK GDPR read with Part 2;
…
(c) references to personal data, and the processing of personal data, are to personal data and processing to
which Part 2, Part 3 or Part 4 applies;
(d) references to a controller or processor are to a controller or processor in relation to the processing of
personal data to which Part 2, Part 3 or Part 4 applies.