Decision 077/2005 - Mr Edward Milne and the Chief Constable of Tayside Police
Request for information relating to the applicant – information exempt under section 38(1)(a) of the Freedom of Information (Scotland) Act 2002 – personal information – failure to respond to the request within the 20 working day timescale set out in section 10(1) of the Act – failure to respond to the request for review within the 20 working day timescale set out in section 21(1) of the Act – content of certain notices under section 19 of the Act.
Request for information relating to the applicant
Applicant: Mr Edward Milne
Authority: The Chief Constable of Tayside Police
Case No: 200502186
Decision Date: 15 December 2005
Kevin Dunion
Scottish Information Commissioner
Facts
Mr Milne wrote to the Chief Constable of Tayside Police (Tayside Police) requesting all of the information held that related to him, including minutes of meetings, internal memos, correspondence and e-mails. Tayside Police failed to respond to his request or to his subsequent requirement for review. When Tayside Police did deal with the matter, Mr Milne was informed that his request constituted a request for personal information and should be dealt with under the Data Protection Act 1998 (DPA). Mr Milne refused to have his request processed under the DPA and maintained that it should be dealt with under the Freedom of Information (Scotland) Act 2002 (FOISA). Mr Milne was dissatisfied with the response from Tayside Police and applied to the Scottish Information Commissioner for a decision.
Outcome
The Commissioner found that the Chief Constable of Tayside Police (Tayside Police) had complied with section 1(1) of the Freedom of Information (Scotland) Act 2002 (FOISA) in deciding to withhold personal information under section 38(1)(a) of FOISA on the basis that Mr Milne’s request for all information relating to him constituted a request for personal data of which he was the data subject and as such should be dealt with under the terms of the Data Protection Act 1998 (DPA).
However, the Commissioner also found that Tayside Police had not complied with the requirements of Part 1 of FOISA by initially failing to respond to Mr Milne’s request for information (and consequently failing to inform him of his rights to seek a review and appeal to the Commissioner) and his subsequent request for review. Taking into account Tayside Police’s response to the investigation and its processing of Mr Milne’s request under the terms of the DPA, the Commissioner was satisfied that no further action was required in response to these breaches.
Appeal
Should Mr Milne or the Chief Constable of Tayside Police wish to appeal against this decision, there is a right of appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days of receipt of this notice.
Background
1. Mr Milne wrote to the Chief Constable of Tayside Police (Tayside Police) on 5 May 2005, requesting all information that related to him. No response was received to his request and, after allowing a period of 20 working days to elapse, Mr Milne submitted a request for review, on 6 June 2005.
2. Mr Milne applied to me for a decision on 12 July 2005, since he had not received a response to his original request or to his subsequent request for review. The case was then allocated to an investigating officer.
The Investigation
3. Mr Milne’s appeal was validated by establishing that he had made a written request for information to a Scottish public authority, and had appealed to me only after requesting a review from the authority.
4. An information notice was issued by my Office and sent to Tayside Police on 3 August 2005. In the notice an explanation was required regarding the alleged technical breach of FOISA by Tayside Police, since no response appeared to have been provided in relation to Mr Milne’s original request or to his subsequent request for review.
5. The Deputy Chief Constable of Tayside Police responded on 15 August 2005. He explained that Mr Milne had made two separate requests to Tayside Police and these had been accidentally mixed up due to an administrative error. Reassurances were given (in this and subsequent correspondence) that since these errors had come to light steps had been taken to ensure that this would not happen again. The previous manually operated administrative system for freedom of information requests had now been incorporated into the standard administrative system operated by the relevant department. It was now supported by an electronic recording and tracking system.
6. The Force Information Co-ordinator informed me, in his letter of 1 September 2005, that Mr Milne’s request would be dealt with under the terms of the Data Protection Act 1998 (DPA) since Mr Milne had clearly requested all information that related to him. The request would therefore be refused under section 38(1)(a) of FOISA and would be treated as a subject access request under section 7 of the DPA.
7. Rather than requiring Mr Milne to go through the process of re-submitting a separate subject access request under the DPA, Tayside Police immediately started the process of in-gathering any information that it held about him and told Mr Milne that his request would be processed under the terms of the DPA. I am satisfied that this was the correct approach in the circumstances and Tayside Police contacted my office on 25 November 2005 to confirm that Mr Milne’s request had in fact been dealt with as a subject access request and that the information he was entitled to under the DPA has now been provided to him.
8. Mr Milne has been advised by my Office on a number of occasions that his request is effectively a request for personal information and should be dealt with by means of a subject access request under the DPA, but he has continued to maintain that his request should be dealt with under FOISA.
The Commissioner’s Analysis and Findings
9. To date, Mr Milne has made a number of applications to my Office for a decision. In each of the cases, Mr Milne has generally formulated his request in the following way:
“I require all information that relates to me, Edward Milne, and which includes minutes of meetings, internal memos, correspondence and e-mails.”
10. It is my view that this constitutes a request for all of the information that is held by the authority which is about Mr Milne. In other words, it is a request for personal information which should be dealt with under the terms of the DPA. Indeed, the long title of the DPA states that it is an Act to make provision for “the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information.”
11. Section 38(1)(a) of FOISA states that information is exempt information if it constitutes personal data of which the applicant is the data subject.
12. The term “personal data” is defined in section 1(1) of the DPA as:
“data which relate to a living individual who can be identified: a) from those data, or b) from those data and from other information which is in the possession of or is likely to come into the possession of the data controller...”
13. The definition is subject to the interpretation contained in Durant v Financial Services Authority [2003] EWCA Civ 1746. In this decision, the Court of Appeal held that if information is to be viewed as personal data, the information has to be biographical in a significant sense, i.e. go beyond the recording of the individual’s involvement in a matter or event that has no personal connotations. The individual also has to be the focus of the information, rather than some other person with whom that individual may have been involved. The Court of Appeal summarised these two aspects as information affecting a person’s privacy whether in his or her personal or family life, business or professional capacity.
14. In my view, Mr Milne’s request clearly constituted a request for personal information and Tayside Police was correct to consider such a request as being exempt from FOISA by virtue of section 38(1)(a) on the basis that it constituted a request for personal data of which the applicant was the data subject.
15. It should be noted that FOISA and the DPA are mutually exclusive, i.e. information that is available under one piece of legislation is not available under the other: the two pieces of legislation serve two entirely different purposes.
16. Where a request is made to a public authority for personal information relating to the individual making the request, that request must be dealt with under the DPA. This is to protect the privacy of individuals – the information is made available to that person only.
17. It is not possible for a person to obtain his or her own personal information under FOISA. This is because disclosure of information under FOISA is disclosure to the world at large and the release by a public authority of an individual’s personal information into the public domain without their consent would constitute a breach of their privacy rights.
18. It is important to note that where an applicant requests information that relates to him or herself under FOISA and a public authority attempts to assist the applicant by providing them with their personal information without requiring them to submit a separate subject access request, that authority will need to make it clear to the applicant that the information has been provided under the terms of the DPA. This is important in order to enable applicants to exercise their rights under the relevant piece of legislation (e.g. in cases where some information is provided under FOISA and some under the DPA, the applicant must be made aware of his or her respective rights of appeal under both pieces of legislation, in relation to the specific information provided or withheld).
Failure to respond
19. Tayside Police failed to respond to Mr Milne’s request for information within 20 working days as specified under section 10(1) of FOISA. As a result of this, Mr Milne was not provided with any information regarding his rights to request a review and appeal to me, as required by section 19 of FOISA. Tayside Police also failed to respond to Mr Milne’s request for a review within 20 working days as specified under section 21(1) of FOISA.
20. The failure of Tayside Police to respond to Mr Milne’s request appears to have been the result of an administrative error and assurances have been given by Tayside Police that since these errors came to light steps have been taken to ensure that this will not happen again. The previous administrative system has now been incorporated into the standard administrative system operated by the relevant department, supported by an electronic recording and tracking system. I am satisfied that Tayside Police has acknowledged that problems existed with its procedures and that steps have been taken to improve the way that information requests are dealt with and to ensure that the relevant timescales within FOISA are complied with.
Decision
I find that the Chief Constable of Tayside Police (Tayside Police) initially failed to respond to Mr Milne’s request for information within the 20 working day timescale set out in section 10 of the Freedom of Information (Scotland) Act 2002 (FOISA). Given the absence of any response to Mr Milne’s request, Tayside Police failed to provide Mr Milne with information about his right to a review and his right to appeal to me under section 19 of FOISA. Tayside Police also failed to respond to Mr Milne’s request for review within the 20 working day timescale set out in section 21 of FOISA. However, I am satisfied with Tayside Police’s assurances that procedures have now been implemented in order to improve responses to information requests and I require no further remedial steps to be taken.
I also find that Tayside Police complied with section 1(1) of FOISA in deciding to withhold personal information under section 38(1)(a) on the basis that Mr Milne’s request for all information relating to him constituted a request for personal data of which he is the data subject and as such required to be dealt with under the terms of the Data Protection Act 1998 (DPA). I note that Tayside Police has processed Mr Milne’s request as a subject access request under the DPA and I understand that he has now been provided with information under that legislation.
Kevin Dunion
Scottish Information Commissioner
15 December 2005
Link to PDF file of decision 077/2005 (51 kb)