Decision 061/2007 - Ms X and Scottish Borders Council |
Request for extracts of a report commissioned by Scottish Borders Council and a note of a meeting |
Applicant: Ms X
Authority: Scottish Borders Council
Case No: 200502673
Decision Date: 25 April 2007
Decision 061/2007 - Ms X and Scottish Borders Council
Request for extracts of a report commissioned by Scottish Borders Council - whether the information requested is exempt under section 38(1)(b) of the Freedom of Information (Scotland) Act 2002 (FOISA)
Relevant Statutory Provisions
The Freedom of Information (Scotland) Act 2002 section 38(1)(b) (personal data).
Data Protection Act 1998 section 1 (Basic interpretative provisions); section 2 (sensitive personal data); Schedule 1, Part 1, paragraph 1 (the first data protection principle); Schedule 2 (Conditions relevant for the first principle: processing of personal data); Schedule 3 (Conditions relevant for the first principle: processing of sensitive personal data)
For the full text of these sections see the appendix attached to this decision. The appendix forms part of this decision.
Facts
Ms X has made a series of information requests to Scottish Borders Council (the Council) under the Freedom of Information (Scotland) Act 2002 (FOISA). The request to which this decision relates sought three extracts from a report commissioned by the Council, together with a note of a meeting.
Ms X was dissatisfied with the Council's response to her request and asked the Commissioner to consider whether it had acted in accordance with the requirements of Part 1 of FOISA in dealing with the request.
The Commissioner found that the information requested was, insofar as held by the Council, exempt from disclosure under section 38(1)(b) of FOISA.
Background
1. On 8 April 2005 Ms X emailed the Council and requested certain extracts of a report commissioned by the Council from consultants relating to an employment matter.
2. On 11 April 2005, Ms X emailed the Council again and requested a note of a specified meeting which she attended along with representatives of the Council.
3. On 18 April 2005 the Council responded to Ms X, providing a transcript of a note of the meeting she had referred to in her 11 April request. The Council did not respond to her request to be provided with extracts of the consultants' report.
4. Ms X emailed the Council on 20 April 2005, specifying in greater detail the information she required (within the parameters of her original request of 8 and 11 April), and again on 21 April 2005 stating that she had not received the information requested. In particular, she stated that the note of the meeting she had been provided with on 18 April was not the one she was seeking.
5. Ms X did not receive a response to her emails of 20 and 21 April 2005, and on 12 May 2005 she again emailed the Council stating that the information requested had not been provided to her. In that email she requested that the Council review its response.
6. The Council did not respond to Ms X's email of 12 May 2005.
7. Ms X remained dissatisfied with the manner in which the Council had handled her request and wrote to me on 10 June 2005 asking me to investigate on her behalf.
8. The case was allocated to an investigating officer.
9. Ms X's appeal was validated by establishing that she had made a valid request for information to a Scottish public authority (the Council) and had appealed to me only after asking the authority to review its response to her request.
The Investigation
10. After significant delays in the validation of this case, a letter was sent to the Council on 25 April 2006 giving notice that an appeal had been received and an investigation into the matter had begun, as required by section 49(3)(a) of FOISA. The Council was asked to comment on the issues raised by Ms X's case and to provide supporting documentation for the purposes of the investigation.
11. There followed correspondence with the Council concerning the scope of Ms X's information request and whether the information was held by the Council.
12. As part of this correspondence the Council provided me with a copy of the consultants' report.
13. The Council also clarified that it wished to rely on section 38(1)(b) of FOISA in withholding extracts of the consultants' report, in that the information was personal data relating to third parties, and its disclosure would breach the first data protection principle contained in the Data Protection Act 1998 (the DPA).
14. Due to the lengthy discussions concerning the nature of Ms X's request, the Council did not provide all of the information required to my office until 14 June 2006.
15. The investigating officer also raised questions about of the note of the meeting requested by Ms X in her email of 11 April 2005 . The Council subsequently located a copy of the handwritten note on which the transcript earlier had been based and posted a copy of this to Ms X on 5 February 2006.
The Commissioner's Analysis and Findings
The note of the meeting
16. The handwritten note sent to Ms X on 5 February 2007 was not made by the person referred to in her original request for the note of the meeting. I am, however, satisfied from my investigation that all reasonable steps have been taken by the Council to locate the note requested and that it can be concluded that no further relevant information is held.
The Consultants' Report
17. Ms X requested excerpts of a report written by consultants following an investigation into allegations made by employees within a certain section of the Council. Ms X appears to have been looking for certain parts of the report dealing with issues surrounding the conduct of 3 specific individuals. As she was referring to a report she had not in fact seen, it would not have been surprising if Ms X's references to those parts were not entirely clear and unambiguous to the recipient. If that lack of clarity presented any problem, however, it fell to the Council, in pursuance of its duties under sections 1 and 15 of FOISA, to seek further information from Ms X to ensure that the request was intelligible. At no point does the Council appear to have regarded this as necessary.
18. Although the Council never specified any exemptions contained within FOISA as applying to the report extracts in its dealings with Ms X, in its submissions to me it clarified that it wished to rely on section 38(1)(b) of FOISA, read in conjunction with 38(2)(a)(i), in this connection.
Section 38(1)(b) - personal data
19. Under section 38(1)(b) of FOISA (read in conjunction with section 38(2)(a)(i) or, as appropriate section 38(2)(b)), information is exempt information if it constitutes personal data and the disclosure of the information would contravene any of the data protection principles contained in Schedule 1 to the Data Protection Act 1998 (DPA).
20. In considering this exemption, I am therefore required to consider two separate matters: firstly, whether the information under consideration is personal data and, if so, whether the release of the information to Ms X would breach any data protection principles.
21. It must be borne in mind that this particular exemption is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1) of FOISA.
22. "Personal data" is defined in section 1(1) of the DPA as "data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual."
23. Having considered all the information that might be held to fall within the scope of Ms X's request, I am satisfied that the information (in its entirety) should be considered the personal data of certain employees of the Council.
24. Mr X's request was for excerpts of a report following an investigation into personnel issues within a certain section of the Council. The relevant parts of the report (and indeed the report as a whole) contain narrative of the relevant events, appraisal of the affected employees' responses to the issues arising and recommendations as to any action that should be taken by those individuals to address the situation. In my view the information concerned relates in a significant sense to the lives of the employees concerned. Some of the information requested by Ms X also contains personal data relating to further third parties.
25. Having concluded that the information under consideration is personal data, I must now go on to consider whether the disclosure of this information would breach any of the data protection principles. In this case, the Council has argued that release of the information would breach the first data protection principle.
Would release of the information breach the first data protection principle?
26. The first data protection principle states that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 [to the DPA] is met and, in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met. Having concluded that all of the information withheld is personal data, I have considered the application of the first principle.
27. I have considered the definition of "sensitive personal data" in section 2 of the DPA.
28. Section 2 of the DPA defines certain categories of personal information, such as information about a person's physical and mental health, as being "sensitive personal data". Certain of the information contained within the consultants' report relates to the physical or mental health or condition of the employees concerned and therefore would be sensitive personal data relating to them.
29. At least one of the conditions in each of Schedules 2 and 3 to the DPA must be satisfied before processing of sensitive data can be considered to be fair and lawful. Further conditions for the processing of sensitive personal data were set out in the Data Protection (Processing of Sensitive Personal Data) Order 2000. I have considered the conditions in Schedule 3 and in the Data Protection (Processing of Sensitive Personal Data) Order 2000 first as they are generally more restrictive than the conditions in Schedule 2.
30. I have looked carefully at the conditions in Schedule 3 to the DPA and the Data Protection (Processing of Sensitive Personal Data) order 2000 and have been unable to identify a condition that would justify disclosure of sensitive personal data in this case.
31. Given that I am satisfied that the release of the sensitive personal data would be unfair and that there is no condition in Schedule 3 to the DPA to permit the processing of the information, I must find that the processing of the sensitive personal data which comes under the scope of this request would breach the first data protection principle. Therefore, I must conclude that the sensitive personal data is exempt from disclosure under section 38(1)(b) of FOISA.
32. I now turn to consider whether the release of the remainder of the personal data contained the consultants' report would breach the first data protection principle.
33. According to the relevant guidance from the Information Commissioner ("Freedom of Information Awareness Guidance 1", which can be viewed here: http://www.ico.gov.uk/upload/documents/library/freedom_of_information/detailed_specialist_guides/awareness_guidance_1_-_personal_information.pdf ), the assessment of fairness includes looking at whether the third party would expect that his/her information might be disclosed to others and/or whether the third party would expect that his/her information would be kept private.
34. I have considered whether disclosure to a member of the public would satisfy condition 6 in Schedule 2 to the DPA. This condition applies to processing (which in this case would be by disclosure) which is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the information would be disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
35. Like any other citizen and tax payer, Ms X has a legitimate interest in the manner in which the Council, a public authority, conducts its affairs. This might be argued to be particularly the case where the information related to alleged involvement in wrongdoing or malpractice. In certain circumstances, this will mean that personal information about the employees of a public authority, particularly those holding senior positions, could be disclosed without any breach of the first data protection principle.
36. Ms X has indicated that she believes that it would be in the public interest to disclose information contained within the consultants' report. She holds that the excerpts contain inaccurate comments about her. She is clearly dissatisfied about the outcomes of the consultants' report and the fact that it has not been disclosed in its entirety to those who contributed to it.
37. It could be argued that Ms X has a legitimate interest in ensuring that the matters raised in the report were considered fully and knowing to what extent the recommendations in the report had been taken up by the Council.
38. At the time Ms X made her request under FOISA for the relevant excerpts of the report, she was pursuing a number of grievances against the Council relating to the way in which it had dealt with the issues that arose within the section of the Council discussed within the report, and which led to the report being commissioned. It could be argued that disclosure of the report would serve to more fully inform Ms X in pursuing her grievances with the Council.
39. It should be noted here that the contributors to the consultants' report were all provided with a truncated version of it on its completion, with all personal data (apart from their own) excluded. Disclosure of the report in full would not in itself provide Ms X with any additional evidence (which she does not already have access to) to show that the matter had been fully and properly investigated.
40. One of the DPA's functions is to protect the privacy of data subjects. In this case, the consultants' report was written in order to determine what factors contributed to the breakdown of working relationships in a team. It follows that the report highlights the working practices of members of that team, and suggests changes to those working practices where necessary in order to prevent such a situation occurring again.
41. It is clear that the subject matter of the report would be seen by the employees as extremely sensitive. It is also clear that they were candid in their evaluation of the issues facing the section in interviews given to the consultants. The consultants were also candid in their evaluation of the working practices of members of the team and in their suggestions for moving the team forward.
42. Employees of an organisation would expect that organisation to provide feedback on their performance, and suggestions for improvement of that performance where necessary. The report written by the Consultants contains such feedback and suggestions on various employees' performance. However, in any organisation it is also expected that such information remain among the employer, employee, and in this case, the consultant employed to write the report. I concur that to disclose the information contained in the report to the general public under FOISA would firstly not be in the reasonable expectations of the data subjects, and secondly, to some extent breach the privacy of their relationship with their employer.
43. Having read the report I am satisfied that the employees concerned would not have expected that the information which was personal data relating to them to be made available to the general public, or more specifically to the other individuals who contributed to the report.
44. The Council has argued that the employees interviewed for the purposes of the investigation participated on the basis that the information provided by them would not be disclosed to third parties. Disclosure would therefore be unlawful, being a breach of confidence. I am not convinced that the disclosure of information in this case would be an unlawful breach of confidence; however, I am convinced that disclosure would be contrary to the legitimate expectations of the employees.
45. Having considered all of the relevant arguments, I do not regard any other condition in Schedule 2 as being relevant to the circumstances of Ms X's request.
46. I have therefore concluded that disclosure of any of the information requested by Ms X from the consultants' report would entail a breach of the first data protection principle. I have therefore concluded that all of that information is exempt from disclosure under section 38(1)(b) of FOISA.
Decision
I find that Scottish Borders Council (the Council) was entitled in the circumstances to apply the exemption in section 38(1)(b) of the Freedom of Information (Scotland) Act 2002 (FOISA) to the extracts from the consultants' report requested by Ms X. I also find that the Council has provided Ms X with all the information it holds falling within the scope of her request for a note of a specified meeting.
Appeal
Should either Scottish Borders Council or Ms X wish to appeal against this decision there is an appeal to the Court of Session on a point of law only. Any such appeal should be made within 42 days of receipt of this notice.
Kevin Dunion
Scottish Information Commissioner
25 April 2007
APPENDIX
Relevant Statutory Provisions
Freedom of Information (Scotland) Act 2002
38 Personal information
(1) Information is exempt information if it constitutes-
(a) personal data of which the applicant is the data subject;
(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;
(?)
(2) The first condition is-
(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-
(i) any of the data protection principles; or
(ii) section 10 of that Act (right to prevent processing likely to cause damage or distress); and
(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.
(?)
Data Protection Act 1998
Basic interpretative provisions
1. (1) In this Act, unless the context otherwise requires-
"data" means information which-
(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose,
(b) is recorded with the intention that it should be processed by means of such equipment,
(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, or
(d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68;
"data controller" means, subject to subsection (4), a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed;
"data processor", in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller;
"data subject" means an individual who is the subject of personal data;
"personal data" means data which relate to a living individual who can be identified-
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;
"processing", in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including-
(a) organisation, adaptation or alteration of the information or data,
(b) retrieval, consultation or use of the information or data,
(c) disclosure of the information or data by transmission, dissemination or otherwise making available, or
(d) alignment, combination, blocking, erasure or destruction of the information or data;
"relevant filing system" means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.
(2) In this Act, unless the context otherwise requires-
(a) "obtaining" or "recording", in relation to personal data, includes obtaining or recording the information to be contained in the data, and
(b) "using" or "disclosing", in relation to personal data, includes using or disclosing the information contained in the data.
(3) In determining for the purposes of this Act whether any information is recorded with the intention-
(a) that it should be processed by means of equipment operating automatically in response to instructions given for that purpose, or
(b) that it should form part of a relevant filing system,
it is immaterial that it is intended to be so processed or to form part of such a system only after being transferred to a country or territory outside the European Economic Area.
(4) Where personal data are processed only for purposes for which they are required by or under any enactment to be processed, the person on whom the obligation to process the data is imposed by or under that enactment is for the purposes of this Act the data controller.
Sensitive personal data
2. In this Act "sensitive personal data" means personal data consisting of information as to-
(a) the racial or ethnic origin of the data subject,
(b) his political opinions,
(c) his religious beliefs or other beliefs of a similar nature,
(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
(e) his physical or mental health or condition,
(f) his sexual life,
(g) the commission or alleged commission by him of any offence, or
(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
SCHEDULE 1
|
|
|
THE DATA PROTECTION PRINCIPLES |
|
PART I |
|
THE PRINCIPLES |
|
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless-
|
|
(a) at least one of the conditions in Schedule 2 is met, and |
|
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met. |
SCHEDULE 2
|
|
|
CONDITIONS RELEVANT FOR PURPOSES OF THE FIRST PRINCIPLE: PROCESSING OF ANY PERSONAL DATA |
|
[?] |
|
6. - (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
|
|
(2) The Secretary of State may by order specify particular circumstances in which this condition is, or is not, to be taken to be satisfied.
|