Home Decisions

Decision 064/2024

Decision Notice 064/2024: Accessibility Group emails

Authority:  ScotRail Trains Ltd
Case Ref:  202200593

 

Summary

The Applicant asked the Authority for emails sent to/by the Accessibility Group over a 12 month period.  The

Authority withheld the information on the basis that disclosure would, or would be likely to, inhibit

substantially  the free and frank exchange of views, or that it comprised third party personal data, disclosure of

which would contravene data protection principles.

During the investigation, the Authority identified additional in-scope information and changed its position for

some of the information held.  It disclosed some information to the Applicant, withholding the remainder under the

exemptions previously claimed.

Following an investigation, the Commissioner found that the Authority had failed to identify all in scope

information until during the investigation and had wrongly withheld some information.  He also found, however,

that the Authority had correctly withheld some other information under the exemptions claimed and he was satisfied

that, by the end of the investigation, the Authority held no further relevant information.


Relevant statutory provisions


Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2), (4) and (6) (General entitlement); 2(1) and

(2)(e)(ii) (Effect of exemptions); 30(b)(ii) (Prejudice to effective conduct of public affairs); 38(1)(b), (2A),

(5) (definitions of “the data protection principles”, “data subject”, “personal data” and “processing”, “the UK

GDPR”) and (5A) (Personal information); 47(1) and (2) (Application for decision by Commissioner)


United Kingdom General Data Protection Regulation (the UK GDPR) articles 4(1) (definition of “personal data”)

(Definitions); 5(1)(a) (Principles relating to the processing of personal data); 6(1)(f) (Lawfulness of

processing)


Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (10) and (14)(a), (c) and (d) (Terms relating

to the processing of personal data)

 

Background

1.    On 1 April 2022, the Applicant made a request for information to the Authority:

I understand that there's an "Accessibility Email Group" by which members of the rail industry communicate on

accessibility matters in service provision.

A FOI response at [here ]  shows that the group includes [named individual] of the Rail Delivery Group, also

[named individual] of Govia Thameslink Railway and somebody at LNER.


"Attached to this correspondence are scripts of email chains sent from Rail Delivery Group to the Accessibility

Group, of which Northern is part."

The contents of said response suggests that this group may include accessibility-related staff at all train

operating companies and possibly station operators such as Network Rail.

Please supply all emails sent to/by this Accessibility Group over the previous 12 months.

2.    The Authority responded on 27 April 2022.  It informed the Applicant, in terms of section 17 of FOISA,

that it did not hold the information requested and that it was not aware of any other public authority that could

respond to the request.

3.    On 27 April 2022, the Applicant wrote to the Authority requesting a review of its decision.  The Applicant

stated that he was dissatisfied with the decision, as he believed that the email Group in question included at

least one representative from every train operating company (TOC) who received all emails sent to the Group.  The

Applicant believed that, in the Authority’s case, the emails would have been sent to the Authority’s Accessibility

and Integration Manager and so they would be in his email.

4.    The Authority notified the Applicant of the outcome of its review on 20 May 2022.  It informed the

Applicant that correspondence which had been provided in response to an earlier request (SRT 011 ) was not

included with its response.  The Authority confirmed that, following a search, it had identified five emails

falling within scope which had been sent or copied to the Accessibility Group email address by a staff member.  It

explained that the Accessibility Group email address was an email group with members from across the rail network,

and was mainly used to send “to” as a form of “distribution list”.

5.    The Authority withheld the information identified.  It considered some of the information comprised third

party personal data (names and contact details of individuals and companies) which was exempt from disclosure

under section 38(1)(b) of FOISA, as releasing it would contravene the data protection principles in the GDPR and

the DPA.  The Authority stated that this information was not in the public domain, and that the roles of these

individuals were not sufficiently public-facing to expect their details to be disclosed.

6.    The Authority also withheld some of the information under section 30(b)(ii) of FOISA, as it considered

disclosing the content of free and frank exchanges of views to/from the Accessibility Group email address would

inhibit the future exchange of views between TOCs, the Rail Delivery Group (RDG) and third parties in relation to

areas of future policy making.  The Authority recognised the public interest in disclosing information as part of

open, transparent and accountable government, and to inform public debate.  However, it believed this was

outweighed by the public interest in allowing a private thinking space to properly consider all options, based on

the best available advice, to take good policy decisions.  The Authority stated that the email address was used as

a means of seeking views and opinions in a safe space and this enabled TOCs to develop and amend policies to meet

the needs of rail network users.  In the Authority’s view, disclosure would undermine the quality of the decision-

making process, and this was not in the public interest.

7.    The Authority considered the request to be open ended with no topic or area of focus.. It asked the

Applicant if he could refine his request to a specific topic or area, rather than a blanket request for all

correspondence to/from the Accessibility Group email address, so that it could review the information held and

consider disclosure.

8.    On 20 May 2022, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1)

of FOISA.  The Applicant stated he was dissatisfied with the outcome of the Authority’s review because:

  • He did not believe that the exemption in section 30(b)(ii) applied.  In his view, the Authority had tried

to apply this as a class-based exemption to all of the information, based purely on its communication mechanism,

and had not considered its content.

  • He believed the Authority had failed to conduct an adequate public interest test for section 30(b)(ii) and

he considered the public interest favoured disclosure.

  • He believed the information disclosed in his previous request (SRT 011) would be caught by the request

under consideration here.  Given that information had been disclosed previously, he did not believe it could be

exempt from disclosure under section 30(b)(ii).

  • He queried why, if all the information was exempt under section 30(b)(ii), the Authority had asked him to

refine his request, so that it could review the information held and consider disclosure (again suggesting that

the Authority had failed to consider the content of the information).

  • He disagreed that the exemption in section 38(1)(b) applied as many names and roles were in the public

domain.

  • He disagreed with the Authority’s interpretation of his request.  He argued that he had made no mention of

“Accessibility Group email address” and it was clear he was seeking emails sent by the Authority to, or received

by the Authority from, this “distribution list”. i.e. as a result of their membership of that list.

 

Investigation

9.    The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the

power to carry out an investigation.

10.    On 12 July 2022, the Authority was notified in writing that the Applicant had made a valid application.  

The Authority was asked to send the Commissioner the information withheld from the Applicant.  The Authority

subsequently provided the information.

11.    Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application.  On 21 July 2023, the Authority was asked to provide its initial comments on the application.

12.    The Authority provided its initial comments on 16 August 2023 and the case was subsequently allocated to

an investigating officer.

13.    Following consideration of the Authority’s initial comments, the Investigating Officer invited the

Authority to provide further comments and to answer specific questions.  These focussed on the Authority’s

justification for withholding the information requested under the exemptions in section 30(b)(ii) and section

38(1)(b) of FOISA, the searches carried out to identify the information requested, whether the Authority held any

further information falling within scope (which it had not provided to the Applicant or withheld under a

provision/exemption in FOISA), and the Authority’s interpretation of the request.

14.    The Applicant was also asked to provide further information in support of his application.

15.    Both parties provided submissions to the Commissioner, as required, at various stages during the

investigation.

16.    On 15 November 2023 and on 1 December 2023, the Authority confirmed that it held further information,

falling within the scope of the request.  It informed the Commissioner that, for some of the information

previously withheld, this could be now be disclosed.  The Authority disclosed this information to the Applicant on

14 December 2023.

17.    On 20 December 2023, following the Authority’s further disclosure, the Applicant informed the Commissioner

that he wished to continue with his application for a decision as he remained dissatisfied that some information

continued to be withheld by the Authority, and he also believed that it held more information than had been

identified.

 

Commissioner’s analysis and findings

18.    The Commissioner has considered all of the submissions made to him by the Applicant and the Authority.

The Authority’s interpretation of the request

The Applicant’s submissions on the interpretation of the request


19.    In his application to the Commissioner, the Applicant considered the Authority’s interpretation of his

request to be invalid.  He submitted that his request was for the content of the information sent to, or by, the

email Group, and that he had made no mention of any “Accessibility Group email address”.  He argued that it was

clear he was asking for emails sent by the Authority to, or received by the Authority from, this “distribution

list” as a result of their membership of the list.

20.    In the Applicant’s view, the Authority’s implied claim (in its review outcome), that because emails sent

by TOCs to the distribution list did not have the distribution list’s email address in the “From” header, they

were not “caught” by his request, was semantic and specious.  He believed that the Authority’s apparent reframing

of his request (to exclude, from the scope of his request, any incoming emails on the Group) was inappropriate.

21.    In his later submissions to the Commissioner, the Applicant maintained that the Authority had

intentionally misinterpreted his request too narrowly.  He explained that this was an email facility, run by RDG,

that allowed Group members to send emails that would automatically be delivered to all other Group members.  As

such, he was seeking all emails that Group members had sent to that email facility, independent of how it

operated.  The Applicant believed that a search of emails where the Accessibility Group email address was in the

“To” field would provide the information he requested.

22.    The Applicant stated that, at the time of his request, he did not know how this email facility worked, but

he assumed that the Authority would be able to identify messages sent via this facility.  From correspondence

previously disclosed by the Authority, it appeared (to the Applicant) that all emails it had received via this

facility would have “Accessibility Group” and/or “AccessiblityGroup@raildeliverygroup.com” in the “To” field.

23.    The Applicant stated that his request was intended to be for all emails the Group members sent using the

Group email facility run by RDG.  He understood that, when members posted to the Group using this email facility,

their email addresses were revealed to all recipients.  Therefore, in his view, members could collate the

addresses of those who had emailed the Group and/or guess at other Group members, and email them directly.  

However, he imagined that the only way to have reasonable surety that an email would go to all Group members would

be to use the Group email facility.


The Authority’s submissions on the interpretation of the request

24.    In its initial submissions to the Commissioner, the Authority stated that it had interpreted the request

to mean all emails sent to and from the Accessibility Email Group.  It explained that the email Group was a

distribution list created and maintained by RDG, and was a closed group made up of access and inclusion

representatives from TOCs (including the Authority).  The purpose of the list was to communicate accessibility

matters to various individuals and allow these individuals to communicate and seek advice and views from each

other.

25.    The Authority explained that it had no control over who was added, removed or unsubscribed from this Group

and that it did not hold the details of all individuals on the distribution list - this information was held and

managed by RDG.  The Authority stated that the Applicant was previously advised of this by Transport for Wales

(TfW) in April 2022 in response to a similar FOI request .  This point was subsequently accepted by the UK

Information Commissioner (UK ICO) in Decision IC-166544-K0D3  (paragraphs 16 19) which set out that it was not

possible to expand the Group email address to see the actual members and that TOCs were not privy to changes to

membership of the email Group.

26.    In its later submissions, the Authority confirmed that Group members could not send emails from this email

address and would have to use their own work email addresses to send to Group members.  It explained that the

Group email address was not expandable and, if it did not exist, members would only be able to email those whose

individual email addresses they knew.  The Authority submitted that Group email address was created to provide an

easy way for Group members to contact each other for advice and assistance and for the dissemination of

information.


The Commissioner’s views on the Authority’s interpretation of the request

27.    The Commissioner has carefully considered the submissions from both parties.  He considers that, rather

than being an “interpretation” of the Applicant’s request, the Authority’s review outcome appears to have

explained the nature of the information that was held or not held.  In the absence of any “topic” being described

(or any individual(s) specified) in the request, the Commissioner considers it reasonable for the Authority to

have searched for emails sent or copied to the Group email address.

28.    The Commissioner accepts that the Group email address cannot be expanded to show Group members, and that

members do not know who is on the Group (or of any changes to membership, as this is managed by RDG).  It is also

clear to him that emails cannot be sent from the Group email address and so cannot be identified in that way.

29.    In the Commissioner’s view, therefore, the Authority interpreted the Applicant’s request correctly as it

would only be possible to identify emails sent or copied to the Accessibility Group email address.  He can find no

failure, on the part of the Authority, to comply with FOISA in that respect.

Whether the Authority held any further information

30.    Section 1(1) of FOISA provides that a person who requests information from a Scottish public authority

which holds it is entitled to be given that information by the public authority, subject to qualifications which,

by virtue of section 1(6) of FOISA, allow Scottish public authorities to withhold information or charge a fee for

it.  The qualifications contained in section 1(6) are not applicable in this case.

31.    The information to be given is that held by the Authority at the time the request is received, as defined

by section 1(4).  This is not necessarily to be equated with information that an applicant believes the public

authority should hold.

32.    The standard of proof to determine whether a Scottish public authority holds information is the civil

standard of the balance of probabilities.  In determining where the balance of probabilities lies, the

Commissioner considers the scope, quality, thoroughness and results of the searches carried out by the public

authority.  He also considers, where appropriate, any reason offered by the public authority to explain why it

does not hold the information.  While it may be relevant as part of this exercise to explore expectations about

what information the authority should hold, ultimately the Commissioner's role is to determine what relevant

recorded information is (or was, at the time the request was received) actually held by the public authority.

The Applicant’s submissions on whether any information was held

33.    In his application to the Commissioner, the Applicant argued that correspondence sent and received via the

email Group, which the Authority had disclosed to him in response to his previous FOI request (SRT 011), would

also be caught by the request under consideration here.  He further submitted that other TOCs had also disclosed

these four emails and more in response to similar FOI requests.  As rehearsed above, he also argued that the

Authority’s interpretation of his request had excluded any incoming emails sent via the Group email address.

34.    In his later submissions, following the Authority’s disclosure of further information during the

investigation, the Applicant remained dissatisfied as he believed it had only supplied a small portion of the

information he had requested.  He referred to an FOI request  he had submitted to TfW at the same time as the

request under consideration here, where TfW had retrieved from its servers 556 emails from TfW, RDG and 18 other

member organisations, concerning RDG’s Accessibility and Inclusion email group over a stated 12 month period.

35.    To support his view, he specifically referred to two emails provided by Northern Trains Ltd in response to

a similar FOI request  he had made.  He argued that these two emails were caught by the terms of the request under

consideration here but they had not been provided by the Authority.

36.    The Applicant believed, from the Authority’s further disclosure, that its search mechanism consisted

solely of emailing its Accessibility and Inclusion Manager for copies of any relevant correspondence, who had

provided those which he still held.  The Applicant compared this to TfW which, he submitted, had conducted an

electronic search of its email server for the same information and had identified hundreds more.  In his view,

this did not add up.

The Authority’s submissions on whether any information was held

37.    In its initial submissions to the Commissioner, the Authority explained that, at the time of the request,

only one member of its staff was a member of the Group.  This staff member undertook the initial email search but

did not recover any emails sent to or from the Group.  This search, the Authority explained, was undertaken during

the first two weeks of the Authority being subject to FOI legislation and staff were not fully conversant with the

methods for undertaking email searches.  It stated that guidance had since been provided to staff to ensure full

searches were undertaken going forward.

38.    Following the Applicant’s request for review, the Authority submitted, the FOI team provided additional

guidance to the staff member who had undertaken the initial search and supervised the search.  This identified

five emails sent to the Group email address.  The search identified no emails sent from the Group email address as

this was solely used as a distribution list where all emails were sent from an individual to the Group email

address, as previously highlighted.  The Authority’s staff member was part of the distribution and thus received

the correspondence as part of this distribution list, and responded to the Group email address.

39.    In its later submissions, the Authority accepted that the information disclosed in response to the

Applicant’s earlier request (SRT 011) fell within the scope of the request under consideration here.  It confirmed

that the information provided in response to the Applicant’s previous request (SRT 011) comprised all emails held

that were relevant to that request, and it was unknown whether other TOCs held and disclosed additional

correspondence.  The Authority confirmed it had identified no additional information, other than that previously

referenced or provided under SRT 011.

40.    The Authority explained that the staff member who had carried out the searches at initial response and

review stages was the only Authority staff member of the Group and so it was determined he would be the only

individual who would hold any relevant correspondence.  The searches carried out for emails sent or copied to the

Accessibility Group email address captured emails received by the Authority’s staff member on the Group who was

the sole staff member who would have received any such emails.  As explained above, emails could not be sent from

the Group email address (or received from that email address, rather they would be received from the individual

Group member who had sent them).  Therefore, to identify any email sent from Group members, a search would have to

be done for all individual Group members for any emails they had sent to the Group email address and received by

the Authority’s staff member on the Group.  However, the Authority did not have a list of Group members (as this

information was held by RDG).

41.    The Authority subsequently informed the Commissioner that it had uncovered further text in one of the

email chains which had been “invisible” as a result of having been formatted in white font against a white

background.  It provided the Commissioner with a copy of this information.

42.    Following its disclosure of some information to the Applicant during the investigation, the Authority

addressed the Applicant’s comments regarding the 556 emails retrieved by TfW in response to a similar FOI request.  

It explained that, prior to 1 April 2022, the provision of “ScotRail” passenger rail services and associated

activities was not undertaken by the Authority, but by a private sector franchise operator, namely Abellio

Scotrail Limited (ASR).  The Authority did not hold any correspondence sent or received by ASR and it had no

access to this information as all franchise-era email data had been transferred to ASR, including the email

journal in its entirety.  The Authority submitted that ASR may hold further relevant information, but the

Authority could not access or provide this.

43.    The Authority was satisfied that its searches were comprehensive and that these had identified every email

held relevant to the request.  In addition to the searches previously described, it had asked its staff member on

the Group to search his individual work Onedrive storage for any relevant pre-April 2022 emails which he may have

copied to that storage.  However, no further relevant emails were identified.

44.    As the information identified, from the searches carried out, included correspondence within the email

chains pre-dating 1 April 2022, the Authority submitted that this demonstrated that its searches were

comprehensive and had not excluded any information held pre dating 1 April 2022 which formed part of subsequent

exchanges.

45.    The Authority confirmed it did not hold the information disclosed by Northern Trains Ltd.  It submitted

that this was either not received by the Authority, or had been deleted prior to receiving the Applicant’s

request.  The Authority submitted that it could not be expected to know what other TOCs such as Northern Trains

Ltd or TfW held.  While there may appear to be a significant discrepancy in the number of emails held, the

Authority submitted this was presumably due to differences in retention practices, and differences in operators

and the handover processes where operators had changed.  Whatever the reason, the Authority was satisfied it had

conducted comprehensive and complete searches in response to the request.

The Commissioner’s views on whether the Authority held any further information

46.    The Commissioner has considered all of the relevant submissions and the terms of the request (including

the Authority’s interpretation of the request which the Commissioner has already deemed satisfactory, as explained

previously).

47.    The Commissioner is aware that some information, disclosed in response to the Applicant’s previous request

(SRT 011), was not provided to the Applicant at review stage or withheld under an exemption, and that some

additional text, in that same information, was not uncovered until during the investigation, having been

previously “invisible” as a result of having being formatted in white font against a white background.  He notes

that, during the investigation, the Authority accepted that this information fell within scope of the Applicant’s

request.

48.    The Commissioner has considered the Applicant’s belief that emails sent to the Accessibility Group email

address would reveal all members of the Group and that the Authority had excluded, from the scope of his request,

incoming emails originating from the Group email address.  He has also considered the Authority’s submissions that

the Group email address was not expandable (i.e. to show all individual members), a point which was accepted by

the UK ICO in Decision IC-166544-K0D3.  Accordingly, the Commissioner can see no feasible way of knowing who was

on the Group at the material time, and therefore searches of emails sent from each individual Group member to the

Group would not be possible (as this would have required further clarification from the Applicant, for example, by

specifying the individuals in the Group).  The Commissioner also recognises that it is not possible to send an

email from the Accessibility Group email address.  The Commissioner is therefore satisfied, on the balance of

probabilities, that the Authority does not hold any incoming emails originating from the Group email address.

49.    The Commissioner has considered the Authority’s submissions in relation to additional correspondence

disclosed by other TOCs in response to similar requests which, the Applicant believed, would fall within the scope

of this request but which had not been identified by the Authority.  He recognises that each organisation will

adopt different records retention practices and that the level of information held, on similar topics, would

undoubtedly differ from organisation to organisation through, for example, routine clearing of email

correspondence which had been dealt with and/or was no longer required.  The Commissioner considers that the

searches carried out and the explanations provided by the Authority appeared sufficient and would be capable of

identifying this information, were it held.  He accepts, on the balance of probabilities, that the Authority does

not hold this information.

50.    Turning to the 556 emails identified by TfW in response to a similar FOI request made by the Applicant,

the Commissioner has considered the Authority’s submissions as to why it does not hold the same amount of

information, across a similar timeframe.  As rehearsed above, the Commissioner can only consider the information

which an authority holds, and not that which an applicant believes it should hold.  It is clear, from the

explanations provided, and the timeframes in the correspondence identified by the Authority, that it does not

hold, or have access to, earlier correspondence as a result of this having been transferred to the previous

franchise operator following the Authority’s takeover of passenger rail services from that operator on 1 April

2022.  Again, the Commissioner considers that the searches carried out by the Authority would be capable of

identifying this information, if it was held.  The Commissioner is therefore satisfied, on the balance of

probabilities, that the Authority does not hold this information.

51.    In conclusion, the Commissioner is satisfied that, by the end of the investigation, the Authority had

taken adequate, proportionate steps to establish the extent of information held that was relevant to the request

and has fully explained why it does not hold any further relevant information.

52.    However, the Commissioner considers that the information referred to at paragraphs 39 and 41 above should

clearly have been identified as falling within scope by the close of the Authority’s review, at the latest.  In

failing to do this, the Authority failed to deal with the request fully in accordance with section 1(1) of FOISA.  

The Commissioner notes that not only was this a breach of FOISA, but it resulted in avoidable delay for the

Applicant.

Section 30(b)(ii) – Prejudice to effective conduct of public affairs – free and frank exchange of views for the

purposes of deliberation

53.    Section 30(b)(ii) of FOISA provides that information is exempt information if its disclosure would, or

would be likely to, inhibit substantially the free and frank exchange of views for the purposes of deliberation.  

This exemption is subject to the public interest test in section 2(1)(b) of FOISA.

54.    In applying the exemption in section 30(b)(ii), the chief consideration is not whether the information

constitutes opinion or views, but whether the disclosure of that information would, or would be likely to, inhibit

substantially the free and frank exchange of views.  The inhibition must be substantial and therefore of real and

demonstrable significance.

55.    Each request must be considered on a case by case basis, taking into account the effect (or likely effect)

of disclosure of that particular information on the future exchange of views.  The content of the withheld

information will require to be considered, taking into account factors such as its nature, subject matter, manner

of expression, and also whether the timing of disclosure would have any bearing.

56.    As with other exemptions involving a similar test, the Commissioner expects authorities to demonstrate or

explain why there is a real risk or likelihood that actual inhibition will occur at some time in the near future,

not simply a remote or hypothetical possibility.

57.    In this case, the Authority relied on section 30(b)(ii) to withhold some information in the correspondence

requested.

The Applicant’s submissions on section 30(b)(ii)

58.    In his application to the Commissioner, the Applicant submitted that the Authority had applied this

exemption to all of the information in a “class-based” manner, based on its communication mechanism (i.e. the

circumstances in which the information was created or communicated), and had not considered the actual content of

the information.

59.    The Applicant submitted that the Authority had not explained why or how the exemption applied.  He argued:

  • The Authority had not explained how and why disclosure of the information would “likely” inhibit the

exchange of views.  It had not explained the likelihood of, or the reasons for (or any evidence of), substantial

inhibition occurring, and had failed to show any genuine link between disclosure and inhibition.  In his view, the

Authority had not given any indication that the claimed inhibition would be any more than hypothetical.

  • The Authority had not justified that the supposed inhibition would be “substantial” , or would happen at

all.  It had not explained how this inhibition would occur, at what level, why this may substantially prejudice

the exchange of views or why any such inhibition would cause any issues for any parties.

60.    The Applicant further submitted that the Accessibility Group had a wide distribution (including the UK’s

TOCs, RDG and Network Rail) and was not a private means of communication.  He stated that individual members of

the list did not have access to the list of members, and membership changed regularly as roles and personnel

changed.  He argued that those communicating via this list did so entirely in their role within their company, as

part of their day-to-day professional functions.

61.    The Accessibility Group, the Applicant stated, was not a discussion or policy-setting one, rather it was

primarily to disseminate information, policies and other material relevant to Group members’ roles and

accessibility on the railway.  Much of the content and information on the Group had been sent from RDG to other

members without seeking any feedback, interaction or discussion.  As the Group was ongoing, rather than having

been created or used to discuss any particular putative policy formulation or similar, in the Applicant’s view,

the timing of the information was not relevant.

62.    The Applicant referred to the information disclosed in response to his previous request (SRT 011) which,

he argued, would be caught by the request under consideration here.  He argued that these emails did not contain

views (“full or frank” or otherwise) or policy formulation discussions, rather they captured simple instructions

on the practical measures to be taken by TOCs in response to the likely impact of Storm Eunice on assisted travel,

and clarifications thereof.  In his view, these emails (which, he stated, had been disclosed by other TOCs in

response to similar FOI requests) did not attract the S30(b)(ii) exemption.

63.    Referring to the Authority’s review outcome where it claimed the request was “…open ended with no topic or

area of focus.”, the Applicant argued that it made no sense for the Authority to ask if he could refine his

request to a specific topic or area, rather than a blanket request for all correspondence to/from the

Accessibility Group email address, so that it would be able to review the information it held and consider

disclosure.  In his view, if all the information was subject to section 30(b)(ii), he failed to see how a more

specific request for a sub-set of that information might result in disclosure.  He believed that this further

highlighted that the Authority had failed to consider the content of the information, which was necessary for it

to be able to apply the exemption.


The Authority’s submissions on section 30(b)(ii)

64.    In its initial submissions to the Commissioner, the Authority explained that the Group email address was

established as a means of removing siloed working, with all TOCs working towards the common good and improved

accessibility for all.  This enabled all relevant individuals to be contacted with information and advice, to seek

views and to share guidance, and allowed members to seek advice and provide views on topics which RDG could then

use in the formulation of guidance and policy.

65.    The Authority submitted that the exemption recognised the need for staff to have a private space within

which to exchange free and frank views and obtain advice between other TOCs, the RDG and third parties in relation

to accessibility issues.  In its view, disclosure would lead to Group members being less likely to use this

address as a means of communication, for fear that these would be subject to disclosure.  Furthermore, it would no

longer be a “safe space” in which to discuss matters in a candid non-attributable manner where optioneering and

appropriately robust challenge on evolving positions was possible.

66.    The Authority believed that disclosure would therefore not only substantially inhibit the ability to

easily seek views and obtain advice and/or assistance on the development of policy and related processes and

procedures, but would also detrimentally impact the proactive development and improvement in accessibility across

TOCs.

67.    The Authority commented that the request was open ended with no topic or area of focus, and thus appeared

to be a “fishing trip” with the aim of analysing each email exchanged over the Group, with no context of purpose.  

As such, it believed disclosure would remove the opportunity for Group members to exchange views and advice

without fear that every email would be disclosed.

68.    As explained above, during the investigation, the Authority changed its position for some of the

information originally withheld under section 30(b)(ii) and informed the Commissioner that this information could

now be disclosed.  It confirmed that, following further review, it was now relying on section 30(b)(ii) to

withhold only specific pieces of information, particularly where sensitive views and advice were shared.

69.    The Authority provided the Commissioner with specific submissions for each piece of information which it

continued to withhold under this exemption.  Given the specificity of these submissions and how they relate to the

information, the Commissioner is limited in being able to describe these in any detail in this Decision Notice

without disclosing the content and nature of the information itself.

70.    For the remainder of the information now being withheld under section 30(b)(ii), in addition to the

submissions provided in paragraphs 65 and 66 above, the Authority submitted that disclosure of the views and

opinions therein would engage the exemption due to a combination of factors, including the identity and status of

the authors/recipients, the circumstances in which the views were given, the content of those views and the way in

which they were expressed.

71.    In these later submissions, the Authority explained that its suggestion to the Applicant - i.e. to refine

his request to a specific topic or area - was an attempt to assist the Applicant to frame future requests in a way

that was more likely to capture information held (as it only held a limited amount of information in respect of

emails shared by the Accessibility Group given that it did not have control over the Group or full visibility of

its members).  In the Authority’s view, had the Applicant framed the request slightly differently (for example, by

requesting information on a specific topic), this may have allowed for a wider search as relevant information may

have existed in various other channels.  Or, given that the Authority did not know all Group members, had the

Applicant asked for correspondence between it and RDG or a specific TOC, this could have been located and

considered for disclosure.

72.    The Authority submitted that, in light of the amount of personal email addresses contained in the

correspondence, it did not seek the views of these individuals on disclosure.  Furthermore, the only way to have

been able to seek views from all Group members would have been to email the Group email address, as individual

members were not known.  The Authority stated that it had no way of knowing whether Group membership had changed

since these emails had been sent, and therefore whether doing so would reach all relevant individuals.


The Commissioner’s views on section 30(b)(ii)

73.    The Commissioner has considered all of the relevant submissions from both parties, together with the

withheld information itself.

74.    In assessing whether the exemption in section 30(b)(ii) applies, the Commissioner has taken account of a

number of factors, including the timing of the request.  He must make his decision based on the Authority’s

position at the time it issued its review outcome.

75.    As explained above, during the investigation, the Authority provided submissions to the effect that some

of the information, originally withheld under section 30(b)(ii), could now be disclosed.  It disclosed this

information to the Applicant on 14 December 2023.

76.    The Commissioner is particularly concerned that, at both review stage and early in the investigation, the

Authority clearly appeared to have applied the exemption in section 30(b)(ii) in a “blanket fashion”.  It appears

to him that it was not until later in the investigation that the Authority gave full consideration to the actual

content of the correspondence falling within the scope of the request.

77.    The Commissioner must also address the view of the Authority (in its review outcome) that the request was

“…open ended with no topic or area of focus.”, and its suggestion to the Applicant to refine his request to a

specific topic or area, rather than a blanket request for all correspondence to/from the Accessibility Group email

address, so that it would be able to review the information it held and consider disclosure.

78.    The Commissioner concurs with the views of Applicant on this point.  He fails to see how, if the exemption

in section 30(b)(ii) was engaged for all of the in-scope information (as claimed by the Authority at review

stage), a narrowing of the request would then allow the Authority to consider the content of the information.  It

appears, to the Commissioner, that the Authority did, in fact, rely on the existence of the Group email address,

at review stage, as a “safe space” for section 30(b)(ii) to apply, and applied the exemption (erroneously) in a

“class-based” manner for all of that information.  As stated above, it is evident that the Authority failed to

consider the actual content of the information at that time and applied the exemption in a “blanket-fashion”.

79.    The Commissioner does not accept the Authority’s explanation of its reasons for making such a suggestion

to the Applicant.  It is clear, from the review outcome, that the Authority was asking the Applicant to refine

this particular request so that it could then review the information and consider disclosure – action which it

should have already undertaken at that stage, particularly given the manageable amount of in-scope information

ultimately identified.

80.    The Commissioner would urge not only the Authority, but indeed all Scottish public authorities, when

considering information for disclosure under non class-based exemptions such as section 30(b)(ii), that full

consideration is given to the actual content of the information falling within the scope of the request.  He fails

to see how an Authority can come to a considered decision on whether an exemption is engaged or not, without doing

so.  In his view, this is basic practice when considering any information for disclosure under FOISA.

81.    In light of this, the Commissioner can only conclude that the Authority was not entitled to withhold that

information (i.e. the information previously withheld under section 30(b)(ii) which the Authority disclosed during

the investigation) at the time it dealt with the Applicant’s requirement for review.  In doing so, it failed to

comply with section 1(1) of FOISA.

82.    The Commissioner will now consider whether the Authority was entitled to withhold the remainder of the

information being withheld under section 30(b)(ii).

83.    For this remaining information, which the Commissioner has fully considered, the Commissioner notes that

the information is sensitive, and sets out free and frank views which have clearly been shared and exchanged

through the safety of the Group email facility, thereby allowing only Group members to be privy to those views.  

In the Commissioner’s view, disclosure of these particular views would, in all likelihood, lead to Group members

being less willing to provide such full and frank views in future, which would be to the detriment of open

discussion regarding decisions taken on operational matters, and with regard to their relevance to the future

formulation and development of policy and guidance.

84.    The Commissioner accepts that there needs to be a safe space for Group members to be able to freely and

frankly exchange views without fear of inhibition as a result of those views likely being disclosed in future.  He

would point out, however, that this exemption will not apply to all views exchanged – much is dependent on the

content of the information and the circumstances in which it is exchanged.

85.    As such, the Commissioner is satisfied that the exemption in section 30(b)(ii) is engaged for the

remaining withheld information, in that its disclosure would, or would be likely to, inhibit substantially the

free and frank exchange of views for the purposes of deliberation, in the manner described by the Authority.

86.    As the exemption in section 30(b)(ii) has been found to apply to the remaining withheld information, the

Commissioner is now required (for this information) to go on to consider the public interest test in section 2(1)

(b) of FOISA.

Public interest test – section 30(b)(ii)

87.    As noted above, the exemption in section 30(b)(ii) is subject to the public interest test required by

section 2(1)(b) of FOISA.  The Commissioner is therefore required to consider whether, in all the circumstances of

the case, the public interest in disclosing the remaining withheld information is outweighed by the public

interest in maintaining the exemption.

The Applicant’s submissions on the public interest - section 30(b)(ii)

88.    In his application to the Commissioner, the Applicant commented that the Authority’s review response was

very brief in its consideration of the public interest test.  In his view, the Authority had failed to conduct an

adequate public interest test and, were section 30(b)(ii) found to be engaged, he believed the information should

be disclosed.

89.    The Applicant referred to the Authority’s arguments, in its review response, that disclosure would be

likely to reduce the use of this method of communication, and that this would negatively impact on the quality of

decision making.  In his view, as the Authority had not, at that stage, considered the content of the information,

no public interest test could be applied to it.

90.    The Applicant argued that the Authority had given no consideration to the impact of the age of the

information, at the time of his request.  Rather, he submitted, the Authority had claimed that the public interest

in disclosure always favoured withholding the content of the correspondence sent via the Group, implying that this

was irrespective of when the information was created, and what it contained.

91.    The Applicant also believed that the public interest arguments for disclosure put forward by the Authority

were very generic, and did not note the specific interests of disabled passengers in knowing what decisions had

been taken about aspects that may have affected their rights of assistance to travel.

92.    The Applicant referred to the disclosure of information by the Authority in response to his earlier

request (SRT 011) which, he argued, had played a part in holding to account those responsible for cancelling all

disabled people’s assistance bookings for trains that continued to run across the country for two days in February

2022 during Storm Eunice.  In his view, some other information exchanged across the email Group over the period of

his request would have a public interest in disclosure to a similar degree, but as the Authority had not

considered the content, this could not be known.

93.    In the Applicant’s view, the Authority had not considered all relevant factors in favour of disclosure,

including whether disclosure would:

  • enhance scrutiny of decision-making processes and thereby improve accountability and participation;
  • ensure fairness in relation to applications or complaints, reveal malpractice or enable the correction of

misleading claims, and

  • contribute to a debate on a matter of public interest.


94.    The Applicant further argued that the Authority had failed to show how disclosure would likely undermine

full and frank discussion of issues between the parties involved and reduce this method of communication.  In his

view, there was no evidence to suggest, show, document or prove that there was any likelihood of such an impact as

a result of disclosure.

The Authority’s submissions on the public interest - section 30(b)(ii)

95.    In its initial submissions to the Commissioner, the Authority recognised the public interest in disclosure

as part of open, transparent and accountable government, and to inform public debate.

96.    It believed, however, that there was a greater public interest in allowing a private space within which

TOCs, the RDG and third parties could exchange full and frank views, as part of the process of exploring and

refining policies to improve accessibility across the railway.  The Authority submitted that this private thinking

space was essential to enable all options to be properly considered, based on the best available advice, so that

good policy decisions could be taken.  In the Authority’s view, disclosure would likely undermine the full and

frank discussion of issues between these parties and reduce the use of this method of communication.

97.    The Authority explained that the email address was used as a means of seeking views and opinions in a safe

space, with emails sent to the distribution list.  By allowing discussion and debate, TOCs were able to develop

and amend policies to meet the needs of all using the rail network.  Without this safe space, there was a risk of

siloed working, with less opportunity for discussion to develop the best policies for the public.  It believed

that this, in turn, would undermine the quality of the decision-making process which would not be in the public

interest.  In the Authority’s view, the content of emails should be classed as confidential so as to allow Group

members to exchange free and frank views and advice.

98.    In its later submissions to the Commissioner (following its change of position for some of the information

being withheld under section 30(b)(ii)), the Authority recognised the public interest in knowing the topics being

discussed in relation to accessibility and the methods being used to tackle identified accessibility issues, thus

promoting and enabling better use of the railway by those affected by such issues.  It submitted that this

demonstrated the open and transparent methods used to ensure decisions were taken with the best interests of

customers at heart.

99.    The Authority believed, however that there was greater public interest in allowing a private space through

which TOCs, the RDG and third parties could exchange free and frank views and have debates as part of the process

of exploring and refining policies and decision-making, with a view to improving accessibility for all.  It argued

that this private thinking space was essential to remove siloed working and to allow for cross-pollination of

ideas, with all opinions considered, based on the best available advice, thus making good policy decisions and

acting in the best interests of the public.  By removing this safe space, with Group members knowing that even

their very frankly stated views may be disclosed, the Authority believed this would undoubtedly hinder the

creation of policies and the decision-making processes, thereby undermining what the email Group was created to

do.  It submitted that this would not be in the public interest.

100.    The Authority submitted, specifically in relation to information about the proper role and function of the

Office of Rail and Road (ORR) and TOCs in accessibility issues, that there was a public interest in the continued

existence of good working relationships between and among the ORR and TOCs on issues of accessibility.  It argued

that the erosion of such relationship and the loss of a forum for accessibility professionals in the rail industry

to work together to improve accessibility for the benefit of all, was contrary to the public interest.

101.    In the Authority’s view, there was no public interest in substantially inhibiting the ability of RDG and

TOCs to seek views and obtain advice/assistance from Group members (who have skill and knowledge in the

development of accessibility policy and related processes and procedures), which would ultimately affect the

public and customers that the Group was set up to help.

102.    The Authority believed that the public were ultimately concerned with having an accessible railway.  In

its view, hindering the exchange of views and returning to siloed working would be significantly detrimental to

the achievement of an accessible railway for all.  On balance, the Authority believed that there was greater

public interest in allowing these discussions to take place uninhibited.

The Commissioner’s views on the public interest - section 30(b)(ii)

103.    The Commissioner has considered carefully the public interest submissions made by both the Applicant and

the Authority, together with the remaining withheld information in question.  He is required to balance the public

interest in disclosure of the information requested against the public interest in maintaining the exemption.  In

the context of FOISA, the public interest should be considered as “something which is of serious concern and

benefit to the public”.

104.    The Commissioner has given weight to the Applicant’s arguments that there is a public interest in disabled

passengers knowing what discussions took place that led to decisions being taken, and how these may have affected

their right of assistance to travel.  He recognises that disclosure would, as argued by the Applicant, play a part

in holding those involved to account and would help inform public debate in that respect.  In the Commissioner’s

view, this public interest has been satisfied, to some extent, by the Authority’s disclosure, during the

investigation, of the majority of the in-scope information previously withheld under section 30(b)(ii).

105.    The Commissioner also recognises that, for the remaining withheld information, there is a strong public

interest in Group members being able to freely and frankly seek and exchange internal views in a private space in

relation to matters concerning accessibility on the railway, which would inform decision-making and have an effect

on future policy formulation.  He acknowledges that the ability to do so, safe in the knowledge that information

will not routinely be publicly disclosed, will be required on occasion to enable open and frank exchanges to

support informed decision-making.

106.    The Commissioner also recognises the public interest in maintaining good working relationships across the

various organisations represented by Group members which is enabled through Group members being able to safely

exchange their views concerning accessible travel freely and candidly.

107.    In the Commissioner’s view, there is no public interest in disclosing information that would lead to Group

members being less willing to seek or share their views in a free and frank manner in future.  This, the

Commissioner considers, would adversely impact the quality of decisions made and may lead to less-effective

policies being formulated in future.  It may also impair the good working relationships established across the

Group.

108.    As set out above, the Commissioner has already accepted that disclosure of the remaining information being

withheld under section 30(b)(ii) would, or would be likely to, inhibit substantially the free and frank exchange

of views for the purposes of deliberation.  Having balanced the public interest arguments for and against

disclosure, he is satisfied that, on balance, the public interest in maintaining the exemption in section 30(b)

(ii) outweighs that in disclosure of the remaining withheld information.

109.    The Commissioner therefore concludes that the Authority was entitled to withhold the remaining information

under the exemption in section 30(b)(ii) of FOISA.

Section 38(1)(b) – Personal information

110.    Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) or (b), exempts information from

disclosure if it is "personal data" (as defined in section 3(2) of the DPA 2018) and its disclosure would

contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR or (where

relevant) in the DPA 2018.

111.    The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an


absolute exemption.  This means that it is not subject to the public interest test contained in section 2(1)(b) of

FOISA.

112.    To rely on this exemption, the Authority must show that the information withheld is personal data for the

purposes of the DPA 2018 and that disclosure of the information into the public domain (which is the effect of

disclosure under FOISA) would contravene one or more of the data protection principles to be found in Article 5(1)

of the UK GDPR.

113.    The Commissioner must decide whether the Authority was correct to withhold some of the information

requested under section 38(1)(b) of FOISA.

The Authority’s change of position during the investigation – section 38(1)(b)

114.    As explained above, during the investigation, the Authority disclosed some of the information, originally

withheld under section 38(1)(b), to the Applicant on 14 December 2023.

115.    In light of this, the Commissioner can only conclude that the Authority was not entitled to withhold that

information at the time it dealt with the Applicant’s requirement for review.  In doing so, it failed to comply

with section 1(1) of FOISA.

116.    The Commissioner will now consider whether the Authority was entitled to withhold the remainder of the

information being withheld under section 38(1)(b).


Is the withheld information personal data?

117.    The first question that the Commissioner must address is whether the withheld information is personal data

for the purposes of section 3(2) of the DPA 2018, i.e. any information relating to an identified or identifiable

individual.  "Identifiable living individual" is defined in section 3(3) of the DPA 2018 - see Appendix 1.  (This

definition reflects the definition of personal data in Article 4(1) of the UK GDPR, also set out in in Appendix 
1.)

118.    Information which could identify individuals will only be personal data if it relates to those

individuals.  Information will "relate to" a person if it is about them, linked to them, has biographical

significance for them, is used to inform decisions affecting them or has them as its main focus.

119.    In both its review outcome and its initial submissions to the Commissioner, the Authority explained that

the information comprised the names and contact details of individuals and companies.  It subsequently explained,

in later submissions, that the information comprised the names, job titles, contact email address and phone

numbers of individual staff members, who could be identified and contacted from that information, particularly

where only one person held that role.

120.    Having considered the remaining withheld information, it is clear to the Commissioner that some of this

information comprises either statements which cannot be considered to be personal data, and the latter part of one

email address.  The Commissioner must therefore find that the Authority was not entitled to withhold this

information under section 38(1)(b) as it does not constitute personal data, in that it is not capable of

identifying a living individual.  As the Authority is not relying on any other exemption to withhold this

particular information, the Commissioner requires the Authority to disclose it to the Applicant.  This will be

indicated to the Authority along with a copy of this Decision Notice.

121.    The Commissioner considers it prudent to point out that information comprising the names and contact

details of companies cannot be accepted as constituting personal data, as initially claimed by the Authority,

unless (in certain circumstances) it relates to a sole trader.

122.    For the remainder of the information being withheld as personal data, which comprises the names, job

titles and contact details of individuals, the Commissioner is satisfied that this “relates to” identifiable

living individuals.

123.    The Commissioner therefore concludes that the remaining withheld information is personal data for the

purposes of section 3(2) of the DPA 2018.


Which of the data protection principles would be contravened by disclosure?

124.    The Authority stated that disclosure of this personal data would contravene the first data protection

principle (Article 5(1)(a) of the UK GDPR).  Article 5(1)(a) states that personal data shall be processed

lawfully, fairly and in a transparent manner in relation to the data subject.

125.    In terms of section 3(4)(d) of the DPA 2018, disclosure is a form of processing.  In the case of FOISA,

personal data is processed when it is disclosed in response to a request.

126.    The Commissioner must now consider if disclosure of the personal data would be lawful (Article 5(1)(a)).  

In considering lawfulness, he must consider whether any of the conditions in Article 6 of the UK GDPR would allow

the data to be disclosed.  The Commissioner considers that condition (f) in Article 6(1) is the only condition

which could potentially apply in the circumstances of this case.


Condition (f): legitimate interests

127.    Although Article 6 states that condition (f) cannot apply to processing carried out by a public authority

in the performance of their tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public authorities

can rely on Article 6(1)(f) when responding to requests under FOISA.

128.    The tests which must be met before Article 6(1)(f) can be met are as follows:

(i)    Does the Applicant have a legitimate interest in obtaining the personal data?

(ii)    If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?

(iii)    Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by

the interests or fundamental rights and freedoms of the data subjects?

Does the Applicant have a legitimate interest in obtaining the personal data?

129.    In his application to the Commissioner, the Applicant stated that he wanted the names and roles of those

on the list to be made public, in order to know the identities of the individuals responsible for the decisions

reflected or made, corporately or individually, which had a significant impact on disabled people’s travel on the

national rail network.  He also stated he had a legitimate interest in scrutiny of the actions of the public

bodies concerned, the industry representative body and the licensed TOCs.

130.    In its initial submissions to the Commissioner, the Authority believed it was in the public interest to

know which organisation the correspondence had been sent from, but not details of the individual senders.

131.    In its later submissions, the Authority stated that it had not asked the Applicant to explain why he

wanted the information or what his legitimate interests were.  However, with reference to Decision IC 166544 K0D3

issued by the UK ICO, the Authority understood his legitimate interest was in information regarding the rail

industry’s accessibility-related issues, and that he considered the public had a legitimate interest in knowing

who was making and receiving critical decisions on this matter.

132.    The Authority did not consider that the Applicant had a legitimate interest in knowing what any

identifiable individual did or said in the Group, or who had provided or received the views in the correspondence.  

While the Authority acknowledged that the Applicant may have a legitimate interest in knowing the content of the

contributions in the emails about the rail industry’s accessibility activities, and which organisation these were

made on behalf of, this did not extend to needing to know which individual in the Group made them.  As such, the

Authority considered the Applicant had no legitimate interest in receiving the remaining withheld personal data.


133.    Having considered the submissions from both parties, the Commissioner acknowledges that disclosure of the

remaining personal data would facilitate transparency and accountability to the Applicant (and the wider public)

regarding which individual (in which organisation) contributed and received views on matters relating to

accessibility in the rail industry.  There is clearly a legitimate interest in the public being aware of such

matters where they relate to discussions that inform decisions taken and policies formulated on this important

topic.  Consequently, the Commissioner accepts that the Applicant has a legitimate interest in disclosure of this

personal data.

Is disclosure of the personal data necessary?

134.    Having accepted that the Applicant has a legitimate interest in the remaining personal data, the

Commissioner must consider whether disclosure of those personal data is necessary for the Applicant's legitimate

interests.  In doing so, he must consider whether these interests might reasonably be met by any alternative

means.

135.    The Commissioner has considered this carefully in light of the decision by the Supreme Court in South

Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55 .  In this case, the Supreme Court stated

(at paragraph 27):


A measure which interferes with a right protected by Community law must be the least restrictive for the

achievement of a legitimate aim.  Indeed, in ordinary language we would understand that a measure would not be

necessary if the legitimate aim could be achieved by something less.

136.    "Necessary" means "reasonably" rather than "absolutely" or "strictly" necessary.  When considering whether

disclosure would be necessary, public authorities should consider whether the disclosure is proportionate as a

means and fairly balanced as to the aims to be achieved, or whether the requester's legitimate interests can be

met by means which interfere less with the privacy of the data subject.

137.    In his application to the Commissioner, the Applicant submitted that he had considered whether it would be

sufficient to have only the roles of the individuals concerned.  However, as these roles were exclusively

individual, he believed disclosure of the individuals’ roles would, effectively, constitute disclosure of their

names.  The Applicant argued, therefore, that disclosure of the individuals’ names was necessary to achieve his

legitimate interests.

138.    In its submissions to the Commissioner, the Authority stated that it was in the public interest to know

the organisations the correspondence had originated from, but not the details of the individual members of staff.

139.    As the Authority did not consider the Applicant had a legitimate interest in the personal data, it

believed, accordingly, that there was no requirement to consider necessity of disclosure to meet that interest.  

The Authority stated, however, that should the Commissioner find that the Applicant did have a legitimate interest

in knowing which individual had provided or received the views in the emails, it would alternatively accept that

disclosure of the names and job titles would be necessary to achieve that legitimate interest, but not their

contact details.

140.    In this case, the Commissioner must consider the information requested against the legitimate interest he

has identified (i.e. in relation to the scrutiny of the views exchanged in the emails by identifiable individuals

regarding accessibility in the rail industry), and whether disclosure of that information is necessary to achieve

the Applicant’s identified legitimate interest.

141.    Having done so, the Commissioner accepts that, to some extent, disclosure of the information is necessary

in order to fulfil the Applicant’s legitimate interests.  In the Commissioner’s view, disclosure of the names and

job titles of the individuals, as recorded in the withheld information, would provide the Applicant with

information which would aid his understanding of the level of involvement by the individuals named in the

correspondence.

142.    However, the Commissioner does not share the same view for the contact details of the individuals in the

correspondence.  He is satisfied that disclosure of their contact details is not necessary for the purposes of the

identified legitimate interests of the Applicant, and finds that the Authority properly withheld this particular

information under section 38(1)(b) of FOISA.

The data subjects' interests or fundamental rights and freedoms

143.    The Commissioner must balance the legitimate interests in disclosure against the data subjects' interests

or fundamental rights and freedoms.  In doing so, it is necessary for him to consider the impact of disclosure.  

For example, if the data subjects would not reasonably expect that the information would be disclosed to the

public under FOISA in response to the request, or if such disclosure would cause unjustified harm, their interests

or rights are likely to override any legitimate interests in disclosure.  Only if the legitimate interests of the

Applicant outweigh those of the data subjects can the information be disclosed without breaching the first data

protection principle.

144.    The Commissioner's guidance on section 38 of FOISA  notes factors that should be taken into account in

balancing the interests of parties.  He notes that much will depend on the reasonable expectations of the data

subjects.  These are some of the factors public authorities should consider:

  • Does the information relate to an individual's public life (their work as a public official or employee)

or to their private life (their home, family, social life or finances)?

  • Would the disclosure cause harm or distress?
  • Whether the individual has objected to the disclosure.


Does the information relate to public or private life?

145.    In its submissions to the Commissioner, the Authority explained that it took the approach that, where a

staff member was of seniority (e.g. an executive or head of service), they would expect their details (i.e.

name/role) to be released as it is those staff who are making decisions in relation to the running of the

Authority, and so it is in the public interest to understand who is making decisions.

146.    The Authority stated that its staff member [on the Group] was not a senior manager and his role did not

carry the same level of accountability, nor would he expect his details to be released.  In addition, the

Authority stated it was not aware of the seniority of the individuals of the other TOCs involved in the

correspondence.

147.    The Authority further submitted that while the information may relate to the individuals’ work as public

authority employees (where the organisation was subject to FOI, as not all organisations on the Group were), it

did not know the role of each individual Group member within their respective organisation.  In the Authority’s

view, members of the Group (including its own staff member) were not senior members of staff with roles carrying a

high level of public accountability, or who were subject to a level of public scrutiny that would warrant

disclosure of their details.

148.    In his application to the Commissioner, the Applicant submitted that the information related solely to

communications sent by these individuals in their public lives, in their professional roles, rather than in their

private lives.  He contended that they held senior positions with responsibility for their companies’ provision of

service to disabled people and the information was not private, nor did it pertain to family life.

149.    The Commissioner acknowledges that the withheld information relates to the individuals' public lives, in

that it identifies them as staff in the Authority and other rail industry organisations, who were involved in the

work to which the information relates.  However, he also acknowledges that, by association, the information also

relates to their private lives.

150.    In the circumstances, the Commissioner concludes that the withheld information relates to both the private

and public lives of the data subjects.


Would disclosure cause harm or distress to the data subjects and have the individuals objected to the disclosure?

151.    In its submissions to the Commissioner, the Authority stated that the individuals concerned did not expect

their personal details to be disclosed and that staff welfare was a priority.

152.    The Authority explained that the Applicant was a disability activist with his own website.  It drew

attention to the Applicant’s blog on which he referred to having received a letter from lawyers representing an

individual, following defamatory comments which the Applicant had made on his blog about that individual.  The

individual’s personal details had been released in correspondence disclosed by another rail operator in response

to an earlier information request.  The Authority submitted it was this behaviour it wished to protect those on

the Group from.  In its view, disclosure could result in further unwarranted levels of interference with the

individuals’ personal rights, and lead to further harm and distress.

153.    Furthermore, the Authority submitted that another individual had been the subject of a serious safety

incident as a result of his contact details having been disclosed online, resulting in that individual having to

remove himself and his family from social media in order to protect their safety and wellbeing.  As the withheld

information included work email addresses and phone numbers, the Authority believed there was a risk that

disclosure would result in unwarranted conduct that could cause harm to that individual’s private life.  In the

Authority’s view, the risk posed by releasing the personal data significantly outweighed any legitimate interest

in disclosing it.

154.    The Authority submitted that disclosure of the personal data would go beyond what the individuals

concerned expected, and could have unjustified adverse effects on them, such as those set out above.  It believed

there was a risk of disproportionate and unwarranted intrusion into the private and family lives of the

individuals involved, as a result of disclosure of their personal data.

155.    The Authority was asked to explain what steps it had taken to ascertain which of the personal data was

already in the public domain.  In response, the Authority submitted that although some of the names and job titles

of Accessibility Managers were available online, other personal data was not, notably their contact details and

membership of/participation in the Group, which the exemption was used to protect.

156.    The Authority explained that searches were undertaken to ascertain whether individual membership of the

Group was in the public domain, but it had been unable to find a publicly-available list of Group members, or any

other information which would provide details as to membership of the Group.

157.    Online searches carried out for its own Accessibility and Inclusion Manager identified instances where

that individual’s name and role appeared within public articles.  The Authority explained, however, that these

were instances where that individual had given express permission for his name to be used, e.g. for a quote,

otherwise he would not expect his details to be released.

158.    In conclusion, the Authority considered that the legitimate interests of the Applicant did not outweigh

the data subjects’ fundamental rights and freedoms and, as such, there was no lawful basis for disclosure.

159.    In his submissions to the Commissioner, the Applicant could not see how disclosure of the personal data

would cause any significant harm or distress, and did not believe that it would increase the risk of fraud or pose

a security risk.  He submitted that there was no evidence that the individuals concerned had objected to its

disclosure.

160.    The Applicant argued that the Authority’s statement, in its review outcome that ”This information is not

in the public domain…” was not true.  He argued that many of the individuals had put their own names and roles

into the public domain and, in other cases, their companies had.  The Applicant submitted that a quick search of

Google for “accessibility inclusion manager (organisation name)” returned the identities of approximately 30

accessibility and inclusion managers across rail companies.  Given these individuals and their organisations

proactively published their roles, and given that, in his view, they would be on the Accessibility Email Group,

their presence on the Group was almost axiomatic.

161.    The Applicant believed that his legitimate interest outweighed the interests of the individuals involved

in the correspondence and that disclosure would not result in unwarranted privacy intrusion.

162.    The Commissioner has considered the harm or distress that might be caused by disclosure.  He notes that

disclosure of any information under FOISA – although in response to a request made by a specific Applicant –

effectively places that information into the public domain.  As such, he must consider the effects of publicly

disclosing any personal data under FOISA.

163.    The Commissioner has considered the relevant submissions from both parties, together with the personal

data withheld.  He recognises that it records the involvement of those individuals in the information, in relation

to their expressed views.

164.    The Commissioner acknowledges that some of these individuals’ personal data is publicly available through

online searches.  He notes, however, that this is not in the context of being linked with the Accessibility Email

Group.  As such, it is therefore still appropriate to consider what reasonable expectations these individuals

would have in relation to disclosure of their personal data in response to the request under consideration here.

165.    The Commissioner also recognises that the role of the Authority’s own staff member is not considered

senior, and that the Authority is unable to verify the seniority of the roles of other Group members in other rail

industry organisations whose personal data is contained in the correspondence.

166.    The Commissioner has also considered the Authority’s submissions about the risks to the welfare and safety

of staff, as a result of disclosure, and the supporting evidence provided on this.  In this respect, he believes

that it is a fundamental right that the individuals involved in the correspondence can maintain control over who

can access their personal data, and therefore limit any future misuse, particularly as any information disclosed

under FOISA is essentially a disclosure “to the world”.

167.    In the Commissioner’s view, all of these individuals would have a reasonable expectation that their

personal data, as contained in the withheld information, would remain confidential.  He accepts, therefore, that

these individuals would have no expectation that their personal details (names and job titles) would be disclosed

into the public domain, in response to a request under FOISA.


Balance of legitimate interests

168.    The Commissioner has carefully balanced the legitimate interests of the data subjects against those of the

Applicant.  He has concluded that the legitimate interest in the remaining personal data is overridden by the

interests or fundamental rights and freedoms of the data subjects and that the requirements of condition (f)

cannot be met here.  In the absence of a condition which would permit disclosure of the remaining withheld

personal data, the Commissioner must conclude that disclosure would be unlawful.

169.    Given that the Commissioner has concluded that the processing of the remaining personal data would be

unlawful, he is not required to go on to consider whether disclosure of that personal data would otherwise be

fair.


Conclusion on the data protection principles

170.    The Commissioner finds that disclosure of the personal data under consideration here would breach the

first data protection principle and that this information is therefore exempt from disclosure (and was properly

withheld) under section 38(1)(b) of FOISA.

 

Decision

The Commissioner finds that the Authority partially complied with Part 1 of the Freedom of Information (Scotland)

Act 2002 (FOISA) in responding to the information request made by the Applicant.


The Commissioner finds that, by the conclusion of his investigation, the Authority complied with Part 1 in the

following respects:

  • The Authority correctly interpreted the request and carried out relevant searches in line with that

interpretation.

  • Other than the additional information identified during the investigation, the Commissioner was satisfied

that the Authority held no further information.

  • The Authority correctly withheld some information at review stage under (variously) the exemptions in

section 30(b)(ii) and section 38(1)(b) of FOISA.

However, the Commissioner finds that, by the conclusion of his investigation, the Authority failed to comply with

Part 1 in the following respects:

  • By failing to provide some in-scope information, or to withhold it under an exemption, at review stage,

the Authority failed to comply with section 1(1) of FOISA.

  • The Authority wrongly withheld some information at review stage under (variously) the exemptions in

section 30(b)(ii) and section 38(1)(b) of FOISA.


As the Authority has already disclosed to the Applicant the additional in-scope information identified during the

investigation along with the majority of the information found to have been wrongly withheld at review stage under

the exemptions claimed, the Commissioner does not require the Authority to take any further action in respect of

the information already disclosed, in response to these failures.


However, for the remaining information which the Commissioner has found to have been wrongly withheld under

section 38(1)(b) of FOISA, and which has not yet been disclosed, the Commissioner requires the Authority to

disclose this to the Applicant, by 10 June 2024.

 


Appeal


Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal

to the Court of Session on a point of law only.  Any such appeal must be made within 42 days after the date of

intimation of this decision.

 

Enforcement


If the Authority fails to comply with this decision, the Commissioner has the right to certify to the Court of

Session that the Authority has failed to comply.  The Court has the right to inquire into the matter and may deal

with the Authority as if it had committed a contempt of court.

 


David Hamilton
Scottish Information Commissioner


25 April 2024


Appendix 1: Relevant statutory provisions


Freedom of Information (Scotland) Act 2002

1     General entitlement

(1)     A person who requests information from a Scottish public authority which holds it is entitled to be given

it by the authority.

(2)     The person who makes such a request is in this Part and in Parts 2 and 7 referred to as the “applicant.”

(4)     The information to be given by the authority is that held by it at the time the request is received,

except that, subject to subsection (5), any amendment or deletion which would have been made, regardless of the

receipt of the request, between that time and the time it gives the information may be made before the information

is given.

(6)    This section is subject to sections 2, 9, 12 and 14.

 

2     Effect of exemptions

(1)     To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to

the extent that –

(a)    the provision does not confer absolute exemption; and

(b)     in all the circumstances of the case, the public interest in disclosing the information is not outweighed

by that in maintaining the exemption.

(2)     For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are

to be regarded as conferring absolute exemption –

(e)     in subsection (1) of section 38 –

(ii)     paragraph (b) where the first condition referred to in that paragraph is satisfied.


30     Prejudice to effective conduct of public affairs


Information is exempt information if its disclosure under this Act-

(b)     would, or would be likely to, inhibit substantially-

(ii)     the free and frank exchange of views for the purposes of deliberation; or


38     Personal information

(1)     Information is exempt information if it constitutes-

(b)     personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);

(2A)     The first condition is that the disclosure of the information to a member of the public otherwise than

under this Act -

(a)     would contravene any of the data protection principles, or

(b)     would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data

held by public authorities) were disregarded.


(5)     In this section-

"the data protection principles" means the principles set out in –

(a)     Article 5(1) of the UK GDPR, and

(b)     section 34(1) of the Data Protection Act 2018;

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see

section 3(2), (4) and (14) of that Act);

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14)

of that Act).

(5A)    In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the

UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be

read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public

authorities) were omitted.

 

47     Application for decision by Commissioner

(1)     A person who is dissatisfied with -

(a)     a notice under section 21(5) or (9); or

(b)     the failure of a Scottish public authority to which a requirement for review was made to give such a

notice.


may make application to the Commissioner for a decision whether, in any respect specified in that application, the

request for information to which the requirement relates has been dealt with in accordance with Part 1 of this

Act.

(2)     An application under subsection (1) must -

(a)     be in writing or in another form which, by reason of its having some permanency, is capable of being used

for subsequent reference (as, for example, a recording made on audio or video tape);

(b)     state the name of the applicant and an address for correspondence; and

(c)     specify –

(i)   the request for information to which the requirement for review relates;

(ii)   the matter which was specified under sub-paragraph (ii) of section 20(3)(c);

and

(iii)  the matter which gives rise to the dissatisfaction mentioned in subsection (1).

...

 


UK General Data Protection Regulation

Article 4    Definitions    

For the purpose of this Regulation:

1    ‘personal data’ means any information relating to an identified or identifiable natural person ('data

subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by

reference to an identifier such as a name, an identification number, location data, an online identifier or to one

or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of

that natural person:

    …

Article 5    Principles relating to processing of personal data

1    Personal data shall be:

    a.    processed lawfully, fairly and in a transparent manner in relation to the data subject     
    (“lawfulness, fairness and transparency”)

    …


Article 6    Lawfulness of processing

1    Processing shall be lawful only if and to the extent that at least one of the following applies:

    …

    f.    processing is necessary for the purposes of the legitimate interests pursued by the     

    controller or by a third party, except where such interests are overridden by the         

    interests or fundamental rights and freedoms of the data subject which require the         protection

of personal data, in particular where the data subject is a child.

 

Data Protection Act 2018

3    Terms relating to the processing of personal data

    …

    (2)    “Personal data” means any information relating to an identified or identifiable living     

    individual (subject to subsection (14)(c)).

    (3)    “Identifiable living individual” means a living individual who can be identified, directly     

    or indirectly, in particular by reference to –

        (a)    an identifier such as a name, an identification number, location data or an         

    online identifier, or

        (b)    one or more factors specific to the physical, physiological, genetic, mental,         

    economic, cultural or social identity of the individual.

    (4)    “Processing”, in relation to information, means an operation or set of operations         

    which is performed on information, or on sets of information, such as –

        …

        (d)    disclosure by transmission, dissemination or otherwise making available,

        …


(10)    “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April

2016 on the protection of natural persons with regard to the processing of personal data and on the free movement

of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and

Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see

section 205(4)).


(14)    In Parts 5 to 7, except where otherwise provided –

    (a)    references to the UK GDPR are to the UK GDPR read with Part 2;

    …

(c)    references to personal data, and the processing of personal data, are to personal data and processing to

which Part 2, Part 3 or Part 4 applies;

(d)    references to a controller or processor are to a controller or processor in relation to the processing of

personal data to which Part 2, Part 3 or Part 4 applies.