Decision Notice 055/2024: Employee misconduct investigation
Authority: University of Aberdeen
Case Ref: 202201242
Summary
The Authority was asked for information relating to a named employee being suspended over claims of misogyny and bullying. The Authority refused to confirm nor deny whether it held the requested information. The Commissioner investigated and found that the Authority was entitled to refuse to confirm nor deny whether it held the information.
Relevant statutory provisions
Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and 2(e)(ii) (Effect of exemptions); 18(1) (Further provision as respects responses to request); 38(1)(b), (2A)(a), (5) (definitions
of “the data protection principles”, “data subject”, “personal data” and “processing”, and “the UK GDPR”) and (5A) (Personal information); 47(1) and (2) Application for a decision by the Commissioner)
United Kingdom General Data Protection Regulation (the UK GDPR) Article 5(1)(a) (Principles relating to processing of personal data); 6(1)(f) (Lawfulness of processing)
Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d) and (5), (10) and (14)(a), (c) and (d) (Terms relating to the processing of personal data)
The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.
Background
1. On 19 August 2022, the Applicant made a request for information to the Authority for all information held mentioning, and relating to, a named employee being suspended over claims of misogyny and bullying.
2. The Authority responded on 13 September 2022. The Authority applied section 18 of FOISA, in conjunction with section 38(1)(b) (Personal information) and refused to confirm nor deny whether the requested information existed or
was held. The Authority stated that, if it did hold such information, it would be the personal data of the named employee and it would be unfair to all parties to place this information in the public domain.
3. On 16 September 2022, the Applicant wrote to the Authority requesting a review of its decision. The Applicant stated that he was dissatisfied with the decision because it was in the public interest for the information to be disclosed and that the public (and students) had the right to know if the named employee was under investigation for, or suspended over, alleged misconduct.
4. The Authority notified the Applicant of the outcome of its review on 13 October 2022. The Authority upheld its original decision, without modification.
5. On 7 November 2022, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. The Applicant stated that he was dissatisfied with the outcome of the Authority’s review for the reasons set out in his requirement for review. The Applicant also noted that the named employee was, [REDACTED] which increased the public interest in the information requested.
Investigation
6. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.
7. On 11 November 2022, and in line with section 49(3)(a) of FOISA, the Commissioner gave the Authority notice in writing of the application and invited its comments. The Authority provided its comments.
8. The case was subsequently allocated to an investigating officer.
9. Further submissions were also sought and obtained from the Applicant.
Commissioner’s analysis and findings
10. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority.
Section 18(1) – “neither confirm nor deny”
11. Section 18(1) of FOISA allows public authorities to refuse to confirm nor deny whether they hold information in the following limited circumstances:
- a request has been made to the authority for information which may or may not be held by it; and
- if the information existed and was held by the authority (and it need not be), it could give a refusal notice under section 16(1) of FOISA, on the basis that the information was exempt information by virtue of any of the exemptions in sections 28 to 35, 38, 39(1) or 41 of FOISA; and
- the authority considers that to reveal whether the information exists or is held by it would be contrary to the public interest.
12. Where section 18(1) is under consideration, the Commissioner must ensure that his decision notice does not confirm one way or the other whether the information requested actually exists or is held by the authority. This means he is unable to comment in any detail on the Authority’s reliance on any of the exemption referred to, or on other matters which could have the effect of indicating whether the information exists or is held by the Authority.
Section 38(1)(b) – Personal information
13. Section 38(1)(b), read in conjunction with section 38(2A)(a) (or (b)), exempts information from disclosure if it is “personal data”, as defined in section 3(2) of the DPA 2018 and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the GDPR.
Would the information be personal data?
14. “Personal data” is defined in section 3(2) of the DPA 2018 as “any information relating to an identified or identifiable living individual”. Section 3(3) of the DPA 2018 defines “identifiable living individual” as “a living
individual who can be identified, directly or indirectly, in particular with reference to –
(a) an identifier such as a name, an identification number, location data or an online identifier, or
(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.”
15. Given that the information request is framed with reference to a named person, and given the subject matter of the request, the Commissioner is satisfied that, if this information did exist and was held by the Authority, any information captured by the request would clearly relate to the named individual. The Commissioner therefore accepts that, if it existed and was held, the information would be personal data as defined in section 3(2) of the DPA 2018.
Would disclosure contravene one of the data protection principles?
16. The Authority argued that disclosing the personal data, if it existed and were held, would breach the first data protection principle. This requires personal data to be processed “lawfully, fairly and in a transparent manner in relation to the data subject” (Article 5(1)(a) of the GDPR).
17. The definition of “processing” is wide and includes (section 3(4)(d) of the DPA 2018), “disclosure by transmission, dissemination or otherwise making available”. In the case of FOISA, personal data are processed when disclosed in response to a request. This means that, if it existed and were held, the personal data could only be disclosed if disclosure would be both lawful (i.e. if it would meet one of the conditions of lawful processing listed in Article 6(1) of the UK GDPR) and fair.
Lawful processing: Article 6(1)(f) of the UK GDPR
18. In considering lawfulness, the Commissioner must consider whether any of the conditions in Article 6(1) of the UK GDPR would allow the personal data, if it existed and was held, to be disclosed.
19. The Commissioner considers that, if the information existed and was held, condition (f) is the only one condition which could potentially apply. This states that processing shall be lawful if it is “necessary for the purposes
of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data ...”
20. Although Article 6(1) states that this condition cannot apply to processing carried out by a public authority in performance of its tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public authorities can rely
on Article 6(1)(f) when responding to requests under FOISA.
21. The tests which must be met before Article 6(1)(f) can be met are as follows:
(i) Would the Applicant have a legitimate interest in obtaining personal data, if held?
(ii) If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?
(iii) Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subject?
Would the Applicant have a legitimate interest in obtaining the personal data, if held?
22. The Applicant explained that the information was important to him, and to the wider public, as it is important that the details of investigations into misconduct are revealed particularly [REDACTED].
23. During the investigation, the Authority accepted that the Applicant had a legitimate interest in obtaining the personal data (if it existed and were held) for the reasons described above.
24. The Commissioner accepts that, if it existed and were held, the Applicant (and, indeed, the wider public) would have a legitimate interest in obtaining the personal data.
Would disclosure be necessary?
25. The next question is whether, if the personal data existed, disclosure would be necessary to achieve the legitimate interest in the information. “Necessary” means “reasonably” rather than “absolutely” or “strictly” necessary.
26. When considering whether disclosure would be necessary, public authorities must consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the Applicant’s legitimate
interests could reasonably be met by means which interfered less with the privacy of the data subject.
27. The Authority explained that it “could be accepted” that disclosure of the personal data, if it existed and were held, would be necessary to achieve the Applicant’s legitimate interests. However, the Authority stated that in
the event that any of its employees posed a risk to students then appropriate measures would be taken (e.g. suspension) to protect them.
28. In the Commissioner’s view, the only way the Applicant’s legitimate interest in the particular circumstances of this case could be met, would be by viewing the information requested (assuming it exists and is held). Only then
would the Applicant be able to satisfy himself as to whether the named employee had been suspended over claims of bullying or misogyny. The Commissioner accepts, therefore, that disclosure of any information held would be necessary for
the Applicant’s legitimate interests.
The data subject’s interests or fundamental rights and freedoms (and balancing exercise)
29. The Commissioner has concluded that the disclosure of the information (if existing and held) would be necessary to achieve the Applicant’s legitimate interests. However, this must be balanced against the fundamental rights and
freedoms of the named individual. Only if the legitimate interests of the Applicant outweighed those of the data subject could personal data be disclosed without breaching the first data protection principle.
30. The Commissioner has considered the submissions from both parties carefully, in the light of the decision by the Supreme Court in South Lanarkshire Authority v Scottish Information Commissioner [2013] UKSC 55 .
31. In carrying out the balancing exercise, much will depend on the reasonable expectations of the data subject. Factors which will be relevant in determining reasonable expectations include:
(i) whether the information relates to the individual’s public life (i.e. their work as a public official or employee) or their private life (i.e. their home, family, social life or finances)
(ii) the potential harm or distress that may be caused by disclosure
(iii) whether the individual objected to the disclosure.
32. The Authority stated that the information (if it existed and was held) would generally be considered confidential and only shared among limited individuals for specific purposes.
33. The Authority also considered that disclosure of the information requested (if it existed and was held) would be likely to cause reputational damage to the named employee and to any other individuals involved.
34. The Authority concluded that the legitimate interest of the Applicant in receiving the information (if it existed and was held) would be outweighed by the unwarranted prejudice that would result to the rights and freedoms of the
named employee, as they would have no expectation that information of that nature (if it existed and was held) would be disclosed into the public domain.
35. The Commissioner agrees with the Authority that the information (if it existed and was held) would be information a person would generally expect to be kept confidential and only shared amongst limited individuals for specific
purposes.
36. The Commissioner has also considered the potential harm or distress that could be caused by disclosure of the information (if it existed and was held). Disclosure under FOISA is a public disclosure. At the most general level,
disclosing or alleging some work place impropriety has taken place is likely to cause some reputational damage to the named employee.
37. After carefully balancing the legitimate interests of the Applicant against the interests or fundamental rights or freedoms of the data subjects, the Commissioner finds that the legitimate interests served by disclosure of any
information held would be outweighed by the unwarranted prejudice that would result to the rights and freedoms or legitimate interests of the individuals in question in this case.
38. In all the circumstances of this particular case, the Commissioner concludes that condition (f) in Article 6(1) of the UK GDPR could not be met in relation to the withheld personal data (if it exists and is held).
Fairness and transparency
39. Given that the Commissioner has concluded that the processing of the personal data, if existing and held, would be unlawful, he is not required to go on to consider whether disclosure of such personal data would otherwise be
fair and transparent in relation to the data subject.
Conclusion on the data protection principles
40. For the reasons set out above, the Commissioner is satisfied that disclosure of any personal data, if it existed and were held, would breach the data protection principle in Article 5(1)(a) of the UK GDPR. Consequently, he is
satisfied that such personal data would be exempt from disclosure under section 38(1)(b) of FOISA and that the Authority could give a refusal notice under section 16(1) of FOISA, on the basis that the information would be exempt by
virtue of section 38(1)(b).
Section 18(1) – The public interest
41. The Commissioner must now consider whether the Authority was entitled to conclude that it would be contrary to the public interest to reveal whether the information existed or was held.
The Applicant’s submissions
42. The Applicant considered that it was in the public interest for the public to know whether the information he had asked for existed as information surrounding a misconduct investigation relating to an employee of the Authority should be revealed, particularly if it could impact students.
43. The Applicant also noted that the named employee was, [REDACTED].
The Authority’s submissions
44. The Authority acknowledged the public interest in the transparent operation of public authorities and in identifying instances of misconduct.
45. The Authority accepted that there is a strong public interest in ensuring such cases are handled in accordance with its policies and guidance to ensure issues are thoroughly considered and all parties are treated fairly, but that this also means ensuring confidentiality in terms of any allegations made.
46. The Authority noted that the Applicant had referred to the named employee also being [REDACTED]. The Authority acknowledged that this could, in certain circumstances, affect the balancing exercise under the public interest test. However, the Authority stated that the named employee was not [REDACTED] and that it therefore did not consider this affected the public interest consideration in this case.
47. The Authority therefore concluded that confirming nor denying whether the information requested existed or was held would, of itself, lead it to breaching its duties as a data controller under data protection legislation, which would be contrary to the public interest.
The Commissioner’s conclusions
48. The test the Commissioner must consider is whether (having already concluded that the information, if it existed and was held, would be exempt from disclosure) it would be contrary to the public interest to reveal whether the information existed or was held.
49. The Commissioner has fully considered the submissions from the Applicant and appreciates that, where a complaint or disciplinary action has been made or taken against a member of staff, there would be a public interest in ensuring that adequate consideration had been given to all facts of the case and a full and robust investigation is carried out.
50. However, the Commissioner is aware that the action of confirming or denying whether the information existed or was held would have the effect of revealing whether the named individual was subject to a complaints, investigation or disciplinary action. Doing so, would, of itself, lead to the Authority breaching its duties as a data controller under data protection legislation. In the circumstances, the Commissioner must find that it would be contrary to the public interest for the Authority to reveal whether it held the requested information, or whether the information existed.
51. Consequently, the Commissioner is satisfied that the Authority was entitled to refuse to confirm nor deny, whether the information requested by the Applicant existed or was held, in accordance with section 18(1) of FOISA.
Decision
The Commissioner finds that the Authority complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant.
Appeal
Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of
this decision.
David Hamilton
Scottish Information Commissioner
17 April 2024
Appendix 1: Relevant statutory provisions
Freedom of Information (Scotland) Act 2002
1 General entitlement
(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.
…
(6) This section is subject to sections 2, 9, 12 and 14.
2 Effect of exemptions
(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that –
(a) the provision does not confer absolute exemption; and
…
(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption –
…
(e) in subsection (1) of section 38 –
…
(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.
18 Further provision as respects responses to request
(1) Where, if information existed and was held by a Scottish public authority, the authority could give a refusal notice under section 16(1) on the basis that the information was exempt information by virtue of any of sections 28 to
35, 38, 39(1) or 41 but the authority considers that to reveal whether the information exists or is so held would be contrary to the public interest, it may (whether or not the information does exist and is held by it) give the
applicant a refusal notice by virtue of this section.
…
38 Personal information
(1) Information is exempt information if it constitutes-
…
(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);
…
(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -
(a) would contravene any of the data protection principles, or
…
(5) In this section-
"the data protection principles" means the principles set out in –
(a) Article 5(1) of the UK GDPR, and
(b) section 34(1) of the Data Protection Act 2018;
"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
…
“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act);
“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act).
(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be read as
if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.
…
47 Application for decision by Commissioner
(1) A person who is dissatisfied with -
(a) a notice under section 21(5) or (9); or
(b) the failure of a Scottish public authority to which a requirement for review was made to give such a notice.
may make application to the Commissioner for a decision whether, in any respect specified in that application, the request for information to which the requirement relates has been dealt with in accordance with Part 1 of this Act.
(2) An application under subsection (1) must -
(a) be in writing or in another form which, by reason of its having some permanency, is capable of being used for subsequent reference (as, for example, a recording made on audio or video tape);
(b) state the name of the applicant and an address for correspondence; and
(c) specify –
(i) the request for information to which the requirement for review relates;
(ii) the matter which was specified under sub-paragraph (ii) of section 20(3)(c);
and
(iii) the matter which gives rise to the dissatisfaction mentioned in subsection (1).
UK General Data Protection Regulation
Article 5 Principles relating to processing of personal data
1 Personal data shall be:
a. processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”)
…
Article 6 Lawfulness of processing
1 Processing shall be lawful only if and to the extent that at least one of the following applies:
…
f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or
fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.
Data Protection Act 2018
3 Terms relating to the processing of personal data
…
(2) “Personal data” means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).
(3) “Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to –
(a) an identifier such as a name, an identification number, location data or an online identifier, or
(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
(4) “Processing”, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as –
…
(d) disclosure by transmission, dissemination or otherwise making available,
…
(10) “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Authority of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such
data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).
…
(14) In Parts 5 to 7, except where otherwise provided –
(a) references to the UK GDPR are to the UK GDPR read with Part 2;
…
(c) references to personal data, and the processing of personal data, are to personal data and processing to which Part 2, Part 3 or Part 4 applies;
(d) references to a controller or processor are to a controller or processor in relation to the processing of personal data to which Part 2, Part 3 or Part 4 applies.
