Home Decisions

Decision 070/2005

Decision 070/2005 Ms R and the Scottish Tourist Board (operating as VisitScotland)

Request for response to complaint made – whether information exempt under section 38(1)(a) and should be considered under Data Protection Act 1998 - whether information exempt by virtue of section 36(2) – actionable breach of confidence


Request for the response to a complaint made


Applicant: Ms R
Authority: Scottish Tourist Board (operating as VisitScotland)
Case No: 200500728
Decision Date: 9 December 2005

 

Kevin Dunion
Scottish Information Commissioner


Facts


Ms R made a complaint to the Scottish Tourist Board (operating as VisitScotland) (referred to in this decision as VisitScotland) about a bed & breakfast she had visited. She subsequently asked to see a copy of the response from the bed & breakfast to her complaint under the Freedom of Information (Scotland) Act 2002 (FOISA). VisitScotland refused to supply the information requested on the basis that it was exempt under section 36(2) in that the information was obtained from another person and its disclosure would constitute a breach of confidence actionable by that other person. Ms R subsequently requested a review of this decision. VisitScotland upheld its original decision and advised that the information was also exempt by virtue of section 38(1)(b) (third party personal data), section 26(a) (prohibitions on disclosure) and section 33(1)(b) (commercial interests). It advised that it did not consider that the public interest in disclosing the information outweighed the public interest in withholding the information. Ms R applied to the Commissioner for a decision.


Outcome


The Commissioner found that VisitScotland partially failed to comply with Part 1 of FOISA. The Commissioner found that the majority of the information requested by Ms R was exempt by virtue of section 38(1)(a) in that the information amounted to her own personal data.


The remainder of the information requested was correctly withheld under section 36(2) of FOISA.


The Commissioner also found that VisitScotland failed to issue a refusal notice in accordance with section 16(1) of FOISA.


Appeal


Should either VisitScotland or Ms R wish to appeal against this decision, there is a right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days of receipt of this notice.


Background


1. Ms R made a complaint to VisitScotland about a bed & breakfast (B&B) she had visited. On 3 January 2005 she emailed VisitScotland and asked to see a copy of the response to her complaint from the proprietor of the B&B under FOISA.


2. VisitScotland responded to this request on 28 January 2005. It advised Ms R that it had decided to refuse her request on the grounds that the exemption under section 36(2) of FOISA applied to the information requested. VisitScotland explained that the information was exempt because it was obtained from another person and its disclosure by VisitScotland would constitute a breach of confidence actionable by that other person.


3. The refusal notice advised that if Ms R wished to request a review of the decision she should contact the author of the refusal notice. The author’s address as well as his telephone number and email address were supplied. The notice advised that if Ms R was still not satisfied with the response she was entitled to appeal to the Scottish Information Commissioner.


4. Ms R appealed directly to my Office on 25 February 2005. In a telephone conversation with my office it became clear that Ms R had telephoned the author of the refusal notice but had not submitted a request for review in writing. She was advised that she was required to submit a written request for review before she could apply to my office for a decision.

5. Ms R therefore emailed VisitScotland on 24 March 2004 indicating that she was seeking a request for review. Ms R indicated that the refusal notice had not advised that the request for review should be made in writing or that the request should be made within 40 working days. She indicated that she had thought that her telephone conversation with VisitScotland had constituted her request for review.


6. She asked VisitScotland to review:


a) its refusal to provide her access to the response from the B&B
b) the way VisitScotland had dealt with her request as it did not set out the steps a person needed to take regarding requesting a review and time limits


7. VisitScotland responded to the request for review on 21 April 2005. It addressed the complaints about the way in which VisitScotland had handled the request. It accepted that it had not made it sufficiently clear that the request for review had to be submitted in writing and within 40 working days on receipt of VisitScotland’s refusal notice. VisitScotland apologised for this oversight and advised that steps had been taken to prevent a similar occurrence in the future.


8. VisitScotland indicated that in relation to the first point it had carried out an extensive review of the initial decision, which it had decided to uphold. VisitScotland advised that a number of exemptions applied to the information withheld. It advised that section 36(2) applied to the information as set out in the refusal notice in that disclosure of such information would constitute a breach of confidence actionable by another person.


9. VisitScotland indicated that section 38(1)(b) also applied to the information requested. VisitScotland advised that the information requested contained data which would fall within the definition of “personal data” under the Data Protection Act 1998 (DPA) in that the information was biographical of a third party and had that third party as its focus.


10. VisitScotland advised that disclosure of this information to Ms R without the consent of the data subject would breach the first data protection principle, which requires that personal data be “fairly and lawfully” processed. In the present case, VisitScotland advised, the proprietor had not consented to disclosure of this personal data, meaning that any disclosure by the authority would not constitute fair and lawful processing.


11. VisitScotland advised that the duty of confidentiality owed by VisitScotland meant that any disclosure of information in contravention of those duties would not be lawful. In addition, VisitScotland took the view that disclosure without the consent of the data subject would constitute a breach of the second data protection principle, namely that data must not be processed for purposes incompatible with the purposes for which it was obtained.


12. VisitScotland submitted that the personal data in complaints was received by VisitScotland for it to use in attempting to conciliate the complaint. In VisitScotland’s view, disclosure to Ms R without the consent of the data subject would not be consistent with this purpose and would therefore constitute a breach of the second data protection principle.


13. VisitScotland also submitted that the information was exempt by virtue of section 26 in that disclosure of the information was prohibited by or under an enactment. VisitScotland indicated that disclosure would be prevented under the DPA.


14. Finally, VisitScotland advised that the information was exempt by virtue of section 33(1)(b) in that disclosure would, or would be likely to, prejudice substantially the commercial interests of any person. VisitScotland advised that if it were to disclose all confidential information of this nature to the general public, then that might discourage proprietors from participating in the Quality Assurance Scheme (the Scheme). VisitScotland stated that if there were any reduction in the number of subscribers to the Scheme this would have a negative impact on the commercial viability and reputation of the Scheme.


15. VisitScotland argued that a loss of confidence in the Scheme by visitors (both domestic and overseas) would also damage the reputation of the Scheme and affect its commercial standing. All of this would prejudice both the reputation of VisitScotland and the Scottish tourist industry as a whole, which, according to VisitScotland, clearly ran contrary to the public interest in developing tourism in Scotland. In addition, VisitScotland advised that it could reduce the effectiveness of a valuable service provided to the public by VisitScotland, or even remove this service altogether.


16. VisitScotland indicated that it did not believe that the public interest in disclosing the information requested was outweighed by the public interest in withholding the information. VisitScotland took the view that the information requested was of individual interest rather than of serious concern or benefit to the public. VisitScotland indicated that it has no statutory authority to adjudicate complaints received in relation to individual proprietors or establishments. The Scheme is operated on a voluntary rather than statutory basis, with all members being required to abide by the Scheme’s condition’s of membership.


17. VisitScotland indicated that when a complaint is received by VisitScotland its role is to help parties negotiate a mutually acceptable resolution of that complaint. As a result, it did not believe that the public interest would be served in disclosing specific details of individual complaints, particularly where it has no powers of decision-making or enforcement.


18. Ms R was dissatisfied with the notice of review and on 3 May 2005 she applied to my office for a decision.


19. The case was allocated to an Investigating Officer.


The investigation


20. Ms R ’s appeal was validated by establishing that she had made a request for information to a Scottish public authority (i.e. VisitScotland), and had appealed to me only after asking the authority to review its response to her request.


21. The investigating officer contacted VisitScotland on 17 May 2005 giving notice that an appeal had been received and that an investigation into the matter had begun. VisitScotland was asked to comment on the issues raised by Ms R ’s case and to provide supporting documentation for the purposes of the investigation.


22. In particular, VisitScotland was asked to provide a copy of Ms R ’s original complaint, a copy of the response received from the B&B, information about the Scheme, any internal correspondence relating to the consideration of the request, any guidance relied on by VisitScotland in deciding whether the information requested should be disclosed or withheld and any further information or analysis on the exemptions applied.


Submissions from VisitScotland


23. VisitScotland supplied all of the information requested by the investigating officer including legal advice it had obtained. Given the detailed information on the application of the exemptions that VisitScotland had provided in its notice of review it did not consider it necessary to rehearse these arguments again.


24. In its covering letter, VisitScotland stated that it was VisitScotland’s policy to treat all correspondence and communications received in relation to complaints under the Scheme as confidential, but in this particular case the proprietor stated categorically that her correspondence should not be copied to the complainant.

25. Further information was sought from VisitScotland during the course of the investigation. I will address these points, however, in my analysis and findings below.


Commissioner’s analysis and findings


26. VisitScotland has submitted that the B&B’s response requested by Ms R is exempt by virtue of a series of exemptions contained in Part 2 of FOISA. On looking at the content of the information withheld, however, it seemed to me that much of this information could be considered to be Ms R ’s personal data.


27. Information which is the applicant’s personal data is exempt by virtue of section 38(1)(a) of FOISA. Requests for such information should, instead, be considered under the Data Protection Act 1998 (DPA). I have no powers in respect of requests considered under DPA. In such cases, dissatisfied applicants have recourse to the Information Commissioner based in Wilmslow who has responsibility for data protection on a UK-wide basis.


28. Section 38(5) of FOISA states that the definition of “personal data” is that contained in section 1(1) of DPA, which defines personal data as:


“data which relate to a living individual who can be identified –
(a) from those data, or
(b) from those data and other information which is in the possession of,


or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any
indication of the intentions of the data controller or any other person in
respect of the individual.”


29. I sought submissions from VisitScotland on why the request had been considered under FOISA rather than DPA.


30. VisitScotland indicated that the information requested by Ms R contains personal data relating to both Ms R and to the proprietor of the B&B. VisitScotland’s legal advisors had advised that the nature of the information in question (ie. relating to a dispute between the two parties on the same issue) meant that two “sets” of personal data overlapped and it was therefore not possible to separate Ms R ’s personal data from that of the proprietor.


31. Under the circumstances VisitScotland was advised that it would have to decide whether to:


a) claim the exemption in Section 38(1)(a) and proceed to consider the request as a subject access request under DPA; or
b) claim the exemption in section 38(1)(b) and respond to the request on the basis of FOISA.


32. VisitScotland decide to adopt the latter approach for a number of reasons:


i. Ms R clearly stated that her request was to be considered under FOISA. VisitScotland recognised that where an applicant has made a request for his or her personal data only, a public authority should treat that request as a subject access request under DPA regardless of whether the request mentions FOISA (although a refusal notice should be issued to the applicant under section 16(1) of FOISA, explaining that the information is exempt under section 38(1) of FOISA). However, in the case in question, the information contained personal data relating to a third party, thereby permitting VisitScotland to consider the application under FOISA.


ii. Disclosure of the information requested by Ms R raised a variety of issues, not solely related to the protection of personal data. As highlighted in the refusal notice and notice of review, VisitScotland chose to refuse to disclose the information to Ms R on a range of grounds, including confidentiality and commercial confidentiality. In order to allow the authority to fully represent all of these issues VisitScotland considered it appropriate for the request to be reviewed under FOISA.


33. In the case of Durant v Financial Services Authority [2003] EWCA Civ 1746 the Court of Appeal concluded that data will relate to an individual if it:


“is information that affects a person’s privacy, whether in his personal or family life, business or professional capacity”.

34. The Court identified two notions that might assist in determining whether information is information that affects an individual’s privacy and, therefore, “relates to” an individual. The first is whether the information is biographical in a significant sense, that is, going beyond the recording of the individual’s involvement in a matter or an event which has no personal connotations. The second concerns focus. The information should have the individual as its focus rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or have had an interest.

35. The Court emphasised that just because an investigation emanated from a complaint by an individual it does not render information obtained or generated by that investigation, without more, his or her personal data (my emphasis).


36. It seems to me that in this case the body of the information contained within the B&B’s response goes beyond a simple reference to Ms R ’s involvement in the matter but actually includes information which has personal connotations and will affect her privacy. In other words, the information fulfils the requirement that there should be something “more” than simply a reference to the individual’s name and the initiation of the complaint.


37. I consider that the information falls within the definition of personal data contained in section 1(1) of DPA. In particular, I have taken into account that the definition explicitly includes “any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.”


38. While I can see that information relating to a complaint might, in some cases, have the subject of the complaint as its focus, it is also perfectly possible that the focus of the information will, in turn, be the complainant. In my view, that is the case here and I find that most of the information withheld has Ms R as its focus.


39. I am satisfied that the majority of the information withheld is Ms R ’s personal data and is exempt by virtue of section 38(1)(a). It therefore falls to be considered under DPA rather than under FOISA.


40. VisitScotland has submitted that where the information involves two disputing parties it is not possible to separate the two sets of personal data. I agree that such cases are problematic, but I do not consider that that situation applies here. I consider it possible to separate Ms R ’s personal data from the other information in the B&B’s response.


41. The response includes a small amount of information which, in my view, does not constitute Ms R ’s personal data. This information falls to be considered under FOISA.


42. VisitScotland applied a number of exemptions to the information withheld. I will consider initially the application of section 36(2) which states that information is exempt if it was obtained by a Scottish public authority from another person and its disclosure by the authority to the public would constitute a breach of confidence actionable by that person or any other person.


43. In order to rely on section 36(2), an authority needs to demonstrate certain elements. Firstly, the information must have been supplied by another person. That is the case here. The second test is that the disclosure of the information by the public authority would constitute an actionable breach of confidence either by the person who gave the information to the public authority or by any other person. I take view that actionable means that the basic requirements for a successful action appear to be fulfilled. There are three main requirements, all of which must be met before a claim for breach of confidentiality can be established. These are:


• the information must have the necessary quality of confidence;
• the public authority must have received the information in circumstances which imposed an obligation on the authority to maintain confidentiality;
• and there must be a disclosure which has not been authorised by the person who communicated the information but which would cause damage to that person.


44. In my briefing on Section 36: Confidentiality I indicated that the type of information which can be protected by the law of confidence is very wide and can range from highly personal information to information about trade and business and historical information about government. In order for information to have the necessary quality of confidence, it must not, in general, be common knowledge and a member of the public would have to apply skill and labour to produce the information him or herself.


45. In support of its reliance on section 36(2), VisitScotland submitted that the proprietor was asked whether she would consent to the release of the information to Ms R and declined. VisitScotland provided me with a copy of a telephone note to this effect.


46. VisitScotland also supplied me with a copy of VisitScotland’s complaint handling procedure to demonstrate the confidential nature of this process. This document states that complaints are confidential between VisitScotland and the complainant (Guiding Principle A). A note to this principle states that complaints will not be addressed specifically with the operator unless permission has been received by the complainant to release personal details. I have seen a copy of Ms R ’s complaint and note that she agreed to the contents of her complaint being forwarded to the B&B, but not her address.


47. I can find nothing in the complaint handling procedure which assures the operator of the confidentiality of the response to the complaint or advises that any information received from the proprietor will not be passed on to the complainant. It does, however, state that assessment visit reports are confidential between VisitScotland and the operator.

48. To rely on section 36(2), an authority must have received the information in circumstances which imposed an obligation of confidentiality. While VisitScotland has advised that the proprietor has not consented to the release of this information, I find it hard to accept that she supplied her response to VisitScotland in the expectation that its contents or sentiments would never be conveyed to Ms R.


49. There must be cases where, on receiving a complaint via VisitScotland, the hotel or B&B either offers a fully apology or attempts to explain why standards were less than satisfactory at the time of the stay. In such cases, the proprietor would surely expect this information to be passed on to the complainant. Indeed they might be irritated if it was not passed on.


50. In short, I find it difficult to understand a complaints process which assures confidentiality to the complainant and confidentiality to the operator. How is an operator expected to respond if it does not know the date of the visit and the circumstances of the complaint? Likewise, how can an operator apologise to the complainant if its comments cannot be passed on to the complainant?


51. I accept that the proprietor in this case did not consent to the disclosure of her response to Ms R but I find it hard to accept that she provided her response in the assurance that its contents would remain confidential to her and VisitScotland.


52. However, the wording of section 36(2) is such that even I considered that release of this information to Ms R would not constitute an actionable breach of confidence it would not necessarily follow that disclosure was permitted under FOISA.


53. Section 36(2) states that information is exempt if it was obtained by a Scottish public authority from another person and its disclosure by that authority to the public would constitute a breach of confidence actionable by that person.


54. Although the information was not supplied to VisitScotland with an explicit statement that the information was provided in confidence, my briefing on Section 36 Confidentiality accepts that it is possible for an actionable claim of confidentiality to arise without any express statement that the information is in fact confidential. In these circumstances, public authorities should consider the nature of the information and the circumstances in which it has been supplied.


55. The nature of the information supplied in this case is a response to a complaint made by a guest. The information was supplied to a body attempting to reach conciliation between two parties. I consider that in such circumstances it was implicit that this information should not be passed to a random member of the public or be placed in the public domain. Further, I am satisfied that detriment would be caused to the proprietor were this information to be placed in the public domain.

56. The nature of the information in this case is not simply factual information or general information about the B&B. Rather, the information responds to comments made by Ms R. It includes descriptions of actions and behaviour, the circumstances of which can only have been known and be relevant to the parties involved; that is, Ms R and the proprietor.


57. I am satisfied that the information in question has the necessary quality of confidence and was received in circumstances which imposed an obligation of confidentiality on VisitScotland in respect of its disclosure to the public.


58. The exemption in section 36(2) is an absolute exemption under FOISA. This means that the exemption is not subject to the public interest test under FOISA.


59. Given that I accept that the information withheld which does not constitute Ms R ’s personal data is exempt by virtue of section 36(2) I have not gone on to consider the application of the additional exemptions cited by VisitScotland. Therefore, I have not considered the application of section 38(1)(b), section 26 and section 33(1)(b).


60. Finally, Ms R complained that the refusal notice issued by VisitScotland did not make clear that the request for review should be made in writing and within 40 days of receipt of the notice. Section 19(b) states that a refusal notice should include particulars about the rights of application to the authority and the Commissioner conferred by section 20(1) and 47(1). I consider that authorities should make clear that a request for review must be made in writing and also advise on the time limits within which such a request should be made.


61. VisitScotland has advised that it has taken steps to prevent a similar occurrence in the future.


Decision


I find that VisitScotland partially failed to comply with Part 1 of the Freedom of Information (Scotland) Act 2002. I find that the majority of the information requested by Ms R is exempt by virtue of section 38(1)(a) in that the information constitutes her personal data.


The remainder of the information requested was correctly withheld under section 36(2) of FOISA.


I find that VisitScotland failed to issue a notice in accordance with section 16(1) (read in conjunction with section 19) of the Freedom of Information (Scotland) Act 2002.


I do not require VisitScotland to take any remedial steps in relation to this breach.

 

Kevin Dunion

Scottish Information Commissioner

9 December 2005

 

PDF IconLink to PDF file of decision 070/2005 (76.5 kb)