Decision 042/2006 – Mr W and the Scottish Prison Service
Request for a copy of an investigation report into allegations of misconduct – withheld on the basis of section 38(1)(b) – section 30(c) and 35(1)(g) also cited
Request for a copy of an investigation report into allegations of harassment
Applicant: Mr W
Authority: Scottish Prison Service
Case No: 200501222
Decision Date: 15 March 2006
Kevin Dunion
Scottish Information Commissioner
Facts
Mr W, an employee of the Scottish Prison Service (SPS), submitted a request to the SPS for a copy of an investigation report into allegations of misconduct he had made against SPS staff. The SPS refused this request, citing the exemption in section 38 of the Freedom of Information (Scotland) Act 2002 (FOISA). During the course of the investigation, the exemptions in section 30(c) and section 35(1)(g) were also cited by the SPS.
Outcome
The Commissioner found that the SPS acted in accordance with Part 1 of FOISA in withholding the investigation report under section 38(1)(b) of FIOSA.
The Commissioner also found that the SPS should have applied section 38(1)(a) of FOISA to the personal data relating to Mr W, and advised him about the process for requesting access to this information under section 7 of the Data Protection Act 1998 (the DPA).
The Commissioner found that the SPS committed technical breaches in its handling of Mr W’s request, in relation to sections 19, 21(1) and 21(10) of FOISA.
Appeal
Should either the SPS or Mr W wish to appeal against this decision, there is an appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days of receipt of this notice.
Background
1. Mr W submitted a request for information to the SPS on 2 January 2005 (dated 2 January 2004 in error). In this request, Mr W sought access to an investigation report which was prepared following allegations of misconduct made by Mr W against staff within the SPS.
2. The SPS responded to Mr W on 31 January 2005. In this response, the SPS refused access, stating that the exemption under section 38 of FOISA applied to the requested information. The SPS did, however, offer to provide Mr W with background information relating to his request, including copies of the draft policy for investigating complaints and details of witness interview procedures.
3. Mr W requested that the SPS review its decision on 15 February 2005 and asked for the report to be released with sensitive information relating to third parties redacted. Mr W also requested copies of the background information offered by the SPS.
4. The SPS responded to Mr W’s request for review on 22 March 2005. In this response the SPS upheld its position that the investigation report contains personal information relating to third parties, and therefore should be withheld under section 38 of FOISA.
5. Mr W submitted an application for decision to my Office on 28 March, and the case was allocated to an Investigating Officer.
The Investigation
6. Mr W’s appeal was validated by establishing that he had made a valid information request under FOISA to a Scottish public authority and had appealed to me only after asking the public authority to review its response to his request.
7. The Investigating Officer then contacted the SPS for their comments and for further information in relation to the case. The SPS responded to this correspondence on 4 May 2005. Information provided by the SPS at this time included:
- A copy of the investigation report sought by Mr W
- Internal communications and correspondence relating to the case
- The SPS’s draft guidance on investigating complaints of this type
- The code of conduct relating to investigations
- Witness transcripts gathered during the investigation
- Various supporting information, including details of general SPS policies and procedures.
8. In its submission, the SPS stated its belief that section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i), applied to the requested information. Section 38(1)(b), read with section 38(2)(a)(i) exempts information from release if that information constitutes third party personal data and its release would breach any of the data protection principles.
9. The SPS also indicated in later submissions that it believed that the information was exempt under section 30(c) and section 35(1)(g), read in conjunction with 35(2)(b).
10. Section 30(c) of FOISA exempts information it its release would, or would be likely to, prejudice substantially the effective conduct of public affairs, while section 35(1)(g), read with 35(2)(b), exempts information if the disclosure would, or would be likely to, prejudice substantially the exercise by any Scottish public authority of its function to ascertain whether a person is responsible for conduct which is improper.
The Commissioner’s Analysis and Findings
11. The SPS has asserted in its submissions to my Office that three of the exemptions contained within FOISA apply to the information requested by Mr W. These exemptions are as follows:
- Section 38(1)(b) – Personal information
- Section 35(1)(g) – Law enforcement
- Section 30(c) – Prejudice to the effective conduct of public affairs
Section 38(1)(b) – Personal Information relating to third parties
12. The SPS stated that the requested information was exempt under section 38(1)(b) of FOISA. The effect of section 38(1)(b), read in conjunction with section 38(2)(a)(i), is to exempt third party personal data if its release would contravene one or more of the data protection principles.
Is the requested information personal data?
13. The Data Protection Act 1998 (the DPA) defines ‘personal data’ as:
‘data which relates to a living individual who can be identified:
a) from those data, or
b) from those data and from other information which is in the possession of, or is likely to come into the possession of the data controller…’
14. The (UK) Court of Appeal ruling in Durant v Financial Services Authority [2003] EWCA Civ 1746 (the Durant ruling) provides further guidance when considering the definition of personal data. In this decision, the Court held that, if information is to be viewed as personal data, that information must be ‘biographical in a significant sense’. It therefore has to go beyond simply recording an individual’s involvement in a matter or event that has no personal connotations, and should feature the individual as the focus of the information. The Court of Appeal summarised personal data as information which ‘affects [a person’s] privacy, whether in his personal or family life, business or professional capacity’.
15. There are likely to be many circumstances where information relating to the professional life of an authority employee will not constitute personal data. For example, information detailing an employee’s professional duties or responsibilities will rarely relate directly to that individual’s private life. However, there will also frequently be circumstances where information relating to an employee in a working environment should be considered to be personal. Such information might include performance reviews, occupational health records, the content of disciplinary hearings, or information relating to allegations of misconduct.
16. In his information request Mr W sought a copy of an investigation report produced by the SPS following his allegations of bullying and harassment by staff members. The purpose of this type of report will be to investigate such allegations in order to determine whether evidence exists which supports those allegations and, if so, whether or what disciplinary action should be taken in relation to those involved.
17. Following consideration of the investigation report requested in this case, it is clear that the report relates solely and specifically to the allegations of misconduct brought by Mr W, and, as such, consists of personal data relating to the three staff members against whom Mr W made these allegations. Where evidence has been gathered from third party witnesses, that evidence again relates directly to the allegations made against the staff members in question, and will therefore constitute personal data about those staff members. In addition, it should also be noted that the report contains a significant amount of personal data relating to Mr W himself.
Will release of third party data breach the data protection principles?
18. The SPS has stated in its submissions that the release of the report under FOISA would breach the first data protection principle. The first data protection principle states that personal data must be processed fairly and lawfully.
19. The SPS argues that the release of the third party personal data contained in the report would not be fair to the data subjects, given that those subjects would have no expectation that the information supplied to the SPS during the course of the investigation would be released into the public domain.
20. The Information Commissioner, who is responsible for enforcing the DPA, has issued guidance on the consideration of the data protection principles within the context of freedom of information legislation. In this guidance, the Information Commissioner provides examples of the types of questions which should be considered by authorities when assessing whether the release of personal data would amount to ‘fair’ processing. These include:
- Would disclosure cause unnecessary or unjustified distress or damage to the data subject?
- Would the data subject expect that his or her information might be disclosed to others?
- Has the person been led to believe that his or her information would be kept secret?
21. In its submissions to my Office, the SPS has stated that there is a general understanding amongst staff that information which is disclosed during the course of a disciplinary investigation will be disclosed only to those staff directly involved in the disciplinary process.
22. The SPS also confirmed that a verbal statement was made at the start of each interview which highlighted that the information gathered would be treated as confidential, but that it may be disclosed to others being interviewed as part of the investigation, where events or information needed to be cross-referenced.
23. While I acknowledge that the confidentiality statement provided at the start of each interview does facilitate disclosure under certain limited circumstances, these circumstances relate solely to situations where limited disclosure is appropriate for the purposes of furthering an ongoing investigation. This type of disclosure is markedly different from that which would be required were the requested information to be made generally available under FOISA.
24. I am therefore satisfied that the circumstances under which the information was supplied in this case means that those interviewed have no expectation that their data would be released beyond the limited disclosure required for the purposes of the investigation. I accept the SPS’s position that there was a general expectation of confidentiality with regard to the personal information provided during the course of the investigation.
25. I therefore conclude that the SPS was correct to conclude that the release of third party personal data contained within the investigation report would breach the first data protection principle. The decision to exempt this information under section 38(1)(b) of FOISA was therefore appropriate.
26. Section 38(1)(b) of FOISA is an absolute exemption. As a result, it does not fall to me to consider the public interest in relation to the release or withholding of third party personal data contained within the report.
27. It is important to note that the fact that it was Mr W who made the allegations upon which the investigation was based can have no bearing on the consideration of whether the information should be released to him under FOISA. Those submitting information requests should be aware that information which is appropriate for release under FOISA will generally be available to all who seek it, regardless of the requestor’s involvement or non-involvement in a particular case. It would not be appropriate for the personal information contained within this report to be made publicly available in this way, and release of this information into the public domain would clearly breach the first data protection principle.
28. Indeed, it should also be noted that the report contains a significant amount of personal data relating to Mr W himself, which would also breach the first principle were it to be made available under FOISA.
Section 38(1)(a) – Personal Information relating to the applicant
29. As discussed above, much of the investigation report contains personal data relating to Mr W himself. As such, it would have been appropriate for the SPS to also apply the exemption contained under section 38(1)(a) to the requested information.
30. Section 38(1)(a) of FOISA permits authorities to exempt information absolutely if it constitutes personal data about the applicant. This is because applicants have a separate legal right to access their personal information under section 7 of the DPA.
31. As a result, when a public authority receives a request for information where the applicant is attempting to access their own personal data under FOISA, the authority should respond by refusing the request under section 38(1)(a) of FOISA. The authority can then advise the applicant of the separate process for requesting information under the DPA.
32. I also find, therefore, that the personal data relating to Mr W is exempt from release under section 38(1)(a) of FOISA. As with the personal data relating to third parties described above, it would not generally be appropriate for this information to be released in the public domain in response to FOISA requests.
33. The SPS states in its correspondence with my Office that, “Mr W could have been entitled to some of the withheld information under a data protection subject access request, and in retrospect we should perhaps have raised this possibility with him.” The SPS, however, failed to do so in their dealings with Mr W in relation to this case. It should be noted, however, that the SPS has also stressed that, if it were to do so, the information released to Mr W under the DPA would likely to contain only information of which he was already aware, such as details of the allegations he made which prompted the investigation.
Application of the exemptions - conclusions
34. I therefore find that the SPS acted correctly in applying section 38(1)(b) to the information requested by Mr W. I also find that section 38(1)(a) applies to that information relating directly to Mr W himself.
35. Both section 38(1)(a) and section 38(1)(b) of FOISA are absolute exemptions. As a result, it does not fall to me to consider the public interest in relation to these exemptions.
36. Given that it is my view that the information contained within the investigation report will be absolutely exempt under sections 38(1)(a) and 38(1)(b) of FOISA, it is not necessary to discuss the SPS’s assertion that sections 30(c) and 35(1)(g) of FOISA also apply to the requested information.
The handling of the request
37. Finally, I would like to discuss briefly a number of technical breaches of FOISA which arose during the SPS’s handling of Mr W’s information request.
38. Firstly, when responding to both Mr W’s initial information request and his request for review, the SPS failed to inform Mr W of his rights of appeal, in breach of both section 19 and section 21(10) of the Act.
39. The SPS also failed to respond to Mr W’s request for review within the timescales provided by FOISA. Mr W’s review request was submitted to the SPS on 15 February 2005. When he received no response to this correspondence within 20 working days, Mr W again contacted the SPS on 17 March 2005. A response to Mr W’s request for review was eventually sent by the SPS on 22 March 2005, 25 working days after receipt of Mr W’s request for review. In failing to respond to Mr W’s request within 20 working days, the SPS was in breach of section 21(1) of FOISA.
40. It should also be noted that the review carried out by the SPS in relation to this case was undertaken by the same staff member who had processed Mr W’s original request. It is likely that, had this review been carried out by a separate officer who had the opportunity to consider the matters afresh, as recommended in the Scottish Ministers’ Code of Practice on the Discharge of Functions by Public Authorities under the Freedom of Information (Scotland) Act 2002 (the Section 60 Code), some of the technical failures in the handling of Mr W’s information request would have been avoided.
41. In relation to the failures outlined above, the SPS has informed my Office that systems and procedures have since been put in place to prevent a reoccurrence.
Decision
I find that the Scottish Prison Service (SPS) acted in accordance with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in withholding the investigation report under section 38(1)(b) of FOISA. I also find, however, that the SPS should have applied section 38(1)(a) of FOISA to the personal data relating to Mr W, and advised him accordingly regarding the process for requesting access to this information under the Data Protection Act 1998.
The SPS also committed technical breaches in its handling of Mr W’s request in relation to the following sections of FOISA:
- Section 19 – failure to inform Mr W of his right of appeal in response to his initial information request.
- Section 21(1) – failure to respond to Mr W’s request for review within 20 working days.
- Section 21(10) – failure to inform Mr W of his right of appeal in response to his request for review.
I do not, however, require the SPS to take remedial action in relation to these failures.
Kevin Dunion
Scottish Information Commissioner
15 March 2006
Link to PDF file of decision 042/2006 (69.3 kb)