Decision 078/2006 Mr Pryde and Falkirk Council
Request for travel and expenses claims of Council employees - personal data relating to third parties – section 38(1)(b) – Commissioner upheld decision of Council
Request for the travel and expenses claims of Council employees
Applicant: Mr Leslie Pryde
Authority: Falkirk Council
Case No: 200501885
Decision Date: 18 May 2006
Kevin Dunion
Scottish Information Commissioner
Facts
Mr Pryde made a request for the travel and expenses claims of named employees from two departments within Falkirk Council (the Council). The departments responded to the requests separately, but both refused to disclose the information on the basis that it was exempt under section 38(1)(b) of the Freedom of Information (Scotland) Act 2002 (FOISA). Mr Pryde then requested that both departments review their responses to his request. One department responded within 20 working days, upholding its initial decision. The other department did not respond to Mr Pryde’s request for review within 20 working days. After 20 working days had expired from the date of request for review, Mr Pryde applied to the Scottish Information Commissioner on both counts, arguing that in the first case the information that he had requested should be disclosed by the authority, and in the second case that the Council had not responded to his request for information.
Outcome
The Commissioner found that the Council did not comply with section 21(1) of FOISA, in that it did not respond to one of Mr Pryde’s requests for review within the statutory timescale. As the Council subsequently carried out a review of its decision to withhold information from Mr Pryde, and Mr Pryde’s right to apply to the Commissioner was not prejudiced, the Commissioner did not require the Council to take any action as a result of this failure.
The Commissioner found that the information requested by Mr Pryde was exempt from disclosure by virtue of section 38(1)(b) of FOISA. As a result, the Commissioner did not require the Council to take any action as a result of his decision.
Appeal
Should either the Council or Mr Pryde wish to appeal against this decision, there is a right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days of receipt of this notice.
Background
1. On 14 March 2005, Mr Pryde submitted two requests for information to Falkirk Council (the Council). The first request was made to the Corporate and Commercial Services Department of the Council and was for the expenses and travel claims made by five named employees in that Department in the financial year 2004/2005. The second request was made to the Leisure Services Department of the Council and was for the travel and expenses claims of three named employees in that Department.
2. The Corporate and Commercial Services Department of the Council responded to Mr Pryde on 5 April 2005, refusing to disclose the information requested on the basis that it was exempt from disclosure by virtue of section 38 of FOISA.
3. Following this, on 12 April 2005, the Leisure Services Department of the Council responded to Mr Pryde, also stating that the information was exempt from disclosure under section 38 of FOISA.
4. Mr Pryde wrote to the Corporate and Commercial Services Department of the Council on 12 April 2005 and to the Leisure Services Department of the Council on 17 April 2005. In both cases, he specified that he was dissatisfied with the response that he had received and requested a review of the Council’s responses.
5. On 11 May 2005, the Leisure Services Department of the Council responded to Mr Pryde, stating that it upheld its original decision not to disclose the information requested.
6. On 26 May 2005, Mr Pryde made an application to me to investigate the matter, on the basis that the Leisure Services Department of the Council had refused to disclose the information which he had requested, and that the Corporate and Commercial Services Department of the Council had not responded to his request for review within the timescales laid down by section 21(1) of FOISA.
7. The case was allocated to an investigating officer.
The Investigation
8. Mr Pryde’s appeal was validated by establishing that he had made requests for information to a Scottish public authority, and had appealed to me only after asking the authority to review its responses to his request.
9. On 10 June 2005, the Council wrote again to Mr Pryde, accepting that it had not responded to his request for review within the timescale set out in section 21(1) of FOISA, as it claimed that the Corporate and Commercial Services Department of the Council had misplaced a copy of Mr Pryde’s request for review. However, in the meantime it had carried out a review of its initial decision not to release the information requested, and advised Mr Pryde that it upheld its initial decision not to disclose the information.
10. On 29 August 2005, my Office contacted the Council, inviting it to comment on Mr Pryde’s application to me for a decision under section 49(3)(a) of FOISA. In particular, the Council was asked to comment on its application of the exemption contained within section 38(1)(b) of FOISA to the information requested.
11. On 14 September 2005, the Council sent its comments on Mr Pryde’s application to my Office. The comments from the Council were detailed and well argued and proved to be helpful in coming to a decision on this matter. I will address the comments made by the Council in more detail below, but, to summarise, the Council took the view that the information requested by Mr Pryde was exempt by virtue of section 38(1)(b) of FOISA, as the information requested was personal data (as defined by section 1 of the Data Protection Act 1998 (the DPA)) relating to third parties. In this instance, the third parties were the employees of the Council. The Council argued that to disclose the information requested would breach the first principle of the DPA, which states that the processing of data must be fair and lawful.
12. The Council also argued that the requests from Mr Pryde were vexatious requests, on the basis of the history of communications between Mr Pryde and the Council. Section 14(1) of FOISA states that an authority is not obliged to respond to a request for information if the request is deemed to be vexatious. Similarly, section 21(8) states that a Scottish public authority is not obliged to comply with a requirement for review if the requirement is vexatious. In both of these situations, FOISA requires public authorities to serve a notice on the applicant confirming that no action is being taken because the request or requirement for review is considered to be vexatious.
13. However, I note that the Council did not serve such notices on Mr Pryde, either at the time of dealing with his initial requests for information or at the time of his requirements for review. Taking this into account, together with the other information provided to me by the Council, I am not satisfied that Mr Pryde’s requests to the Council can be treated as vexatious.
14. The Council also commented that I have a right to refuse to make a decision if I consider a request to be frivolous or vexatious. However, it should be noted that section 49(1) of FOISA allows me to refuse to make a decision where I consider the application to me for a decision (and not an information request itself) to be frivolous or vexatious. In any event, there is nothing to suggest that the actual application made to me by Mr Pryde is either frivolous or vexatious.
The Commissioner’s Analysis and Findings
15. This decision will consider whether the Council was justified in withholding information relating to travel and expenses claims made by specific employees on the grounds that this information is exempt under section 38(1)(b) of FOISA.
Section 38(1)(b) and information relating to employees of a public authority
16. The issues to be addressed are whether the information requested by Mr Pryde constitutes personal data, as defined by the DPA, and whether the release of the information under FOISA would contravene any of the data protection principles. If this is the case, the information requested by Mr Pryde is exempt from disclosure by virtue of section 38(1)(b) of FOISA. It should be noted that this part of the section 38 exemption (i.e. section 38(1)(b) as read in conjunction with section 38(2)(a)(i)) is an absolute exemption and is not subject to the public interest test contained in section 2(1)(b) of FOISA.
17. As mentioned above, the Council argues that the information requested is personal data, as defined by the DPA, and that to release the information would breach the first data protection principle. The first data protection principle states that information must be processed fairly and lawfully and, in particular, should not be processed unless at least one of the conditions in Schedule 2 of the DPA is met.
Personal Data
18. The DPA defines personal data as “data which relate to a living individual who can be identified…from those data” (section 1(1)(a)).
19. The definition of what amounts to “personal data” for the purposes of the DPA was considered in the case of Durant v Financial Services Authority [2003] EWCA Civ 1746 Court of Appeal (Civil Division). In that case, the court held that whether or not data constituted “personal data” for the purposes of the legislation depended on the relevance or proximity of the data to the data subject. The court considered that the information required to be biographical in a significant sense and that the information should have the subject as its focus. In short, it was necessary that the information affected the subject’s privacy.
20. Mr Pryde requested information relating to named individuals’ expenses and travel claims. Were the information to be disclosed, it would necessarily disclose the identities of the individuals in question. I consider that information relating to an individual’s expenses claims made to their employer is biographical, with that individual as its focus. I am therefore satisfied that the information requested by Mr Pryde constitutes the personal data of those individuals as defined by the DPA.
21. I will now go on to consider whether the release of the personal data would contravene the first data protection principle.
Consideration of the first data protection principle
22. As mentioned above, the first data protection principle states that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 (of the DPA) is met.
23. It should be noted that the first data protection principle also states that in the case of sensitive personal data, at least one of the conditions in Schedule 3 must be met. In this case, having considered the definition of sensitive personal data in section 2 of the DPA, I am satisfied that the personal data in question is not sensitive personal data. Therefore, I am not required to consider whether any of the conditions in Schedule 3 can be met.
24. I will first of all consider whether the processing of the data (i.e. the release of information to Mr Pryde) would be lawful.
25. The Information Commissioner, who is responsible for enforcing and for providing guidance on the DPA, has issued guidance on the personal data exemption contained in section 40 of the Freedom of Information Act 2000 (Freedom of Information Act Awareness Guidance no. 1 (http://www.ico.gov.uk/documentUploads/AG%201%20personal%20info.pdf). This guidance suggests that it would be unlawful to release information if to do so would constitute a breach of confidence or contrary to a law forbidding such disclosure. The Council has argued in this instance that it has an obligation of confidentiality towards its employees implicit within its employee/ client relationship and that to release the information would be unlawful and so would automatically breach the first data protection principle.
26. However, having had sight of the documents requested by Mr Pryde, I am satisfied that there is no explicit obligation of confidentiality attached to them and, further, that any obligation of confidentiality implicit in the employer/employee relationship would not automatically be breached by release of the information. I am aware of no other legal requirement which would be breached should the information be released (and the Council did not advise me of any other such legal requirement) and therefore conclude that it would not be unlawful to release the documents in question.
27. I will now go on to consider whether the release of the information to Mr Pryde would meet at least one of the conditions in Schedule 2 to the DPA.
Schedule 2 of the DPA
28. Schedule 2 of the DPA sets out a number of different conditions, at least one of which must be complied with if the processing of data is to be carried out in line with the first data protection principle. For example, processing may (subject to the other tests contained in the first data protection principle) be carried out if the data subject has given his consent to the processing, if the processing is necessary for the performance of a contract or to protect the vital interests of the data subject.
29. I do not intend to list or comment on all of the conditions contained in Schedule 2, except to say that from the information provided to my by the Council, I am satisfied that the data subjects have not consented to the processing and that the only condition which, in my view, could possibly apply is condition 6(1).
30. Condition 6(1) reads as follows:
“The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.”
31. Before deciding whether condition 6(1) can be met, I must first of all consider whether Mr Pryde has a legitimate interest in receiving the information about the employees. If I find that Mr Pryde does have a legitimate interest in receiving this information, I must then balance his interests against the interests of the employees.
32. Mr Pryde has argued that he has a legitimate interest in disclosure of the information, as information relating to the expenses claims of individuals has been released into the public domain by other authorities and as council employees they should be accountable in their actions to taxpayers. However, I take a broader view of this particular test. I am of the view that as FOISA gives members of the public the right, in law, to make an information request to a public authority, then a person making an information request has legitimate interests to that information, subject of course to the balancing exercise which must be carried out in the latter part of condition 6(1) and subject to the exemptions contained in Part 2 of FOISA. Given that I am satisfied that Mr Pryde has legitimate interests in making the information request and that for Mr Pryde to receive the information the processing of the information would be necessary, I will go on to consider the interests of the employees.
33. The Council has provided me with detailed arguments as to why the processing would be unwarranted. For example, the Council has argued that the obligation of confidentiality implicit in the employer/client relationship means that the employees in question had no reason to expect that the information would be disclosed to third parties.
34. The Council has also submitted that the effect which the disclosure of the information would have on the data subjects would be extremely negative, given the history of the applicant’s relationship with the staff members concerned. While I do not wish to comment in any detail on the history of this case, I am aware that Mr Pryde is an ex-employee of the Council, who has already made a number of other information requests relating to the employees in question. According to the Council, this has had an affect on the attitude of the staff members to disclosure of the information requested. The members of staff are very unhappy about the applicant requesting detailed information specifically about them.
35. I note that the Council approached a number of the employees for their views on the disclosure of the information requested. Their reaction to this was negative, and, in responses which have been provided to me, they made it very clear that they felt they were being harassed by Mr Pryde, again given their previous relationship with him. The Council has submitted that it owes a duty of care to its employees and that, in this instance, to release the information would cause unnecessary and unjustified stress to the staff members and contravene that duty of care.
36. I referred earlier to guidance from the Information Commissioner. That guidance considers the question of expenses incurred in the course of official business and states that:
“It would be unlikely to be unfair to publish details of the expenses incurred in the course of official business……While this information clearly does relate to staff personally; there is a strong public interest in the provision of information about how a public authority has spent money”.
37. I agree with this view. In the past, I have ordered the release of information about travelling expenses and I would certainly expect to do so again in the future. However, each case must be considered on its own merits. In this particular case, the history between the applicant and the employees in question is long and acrimonious. In most cases, the circumstances of the request or of the applicant would have little or no bearing on whether the information requested should be disclosed. However, having had sight of the evidence provided by the Council, I am of the view that to release the information requested by Mr Pryde about the employees concerned would cause unjustified stress to those individuals. Therefore I have concluded that disclosure of the information, in this particular case, would have a substantially negative effect on the data subjects, and would thus not be in the legitimate interests of the employees.
Conclusions
38. I conclude that, in the circumstances of this particular case, Mr Pryde’s legitimate interests in disclosure of the information do not outweigh the legitimate interests of the employees in withholding the information. As mentioned above, I take the view that there is no other condition in Schedule 2 which can be met. As a result, the release of the information would breach the first data protection principle.
39. I have not considered separately whether the processing of the data would be fair, given that fairness is only one of the tests for complying with the first data protection principle and I have already found that the first data protection principle would be breached. In any event, many of the matters I have taken into account in considering condition 6(1) of Schedule 2 are similar to the matters I would have taken into account in considering whether the release of the information would be fair.
40. Given that I am satisfied that the first data protection principle would be breached were the information to be released to Mr Pryde, it follows that the information which Mr Pryde has requested is exempt in terms of section 38(1)(b) of FOISA, as read in conjunction with section 38(2)(a)(i).
Decision
I find that Falkirk Council (the Council) failed to comply with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA), in that it did not respond to one of Mr Pryde’s requests for review within the statutory timescale. In failing to do this, the Council breached section 21(1) of FOISA. However, as the Council subsequently carried out a review of its decision to withhold information from Mr Pryde, and Mr Pryde’s right to apply to the Commissioner was not prejudiced, I do not require the Council to take any action in this respect.
I also find that the information requested by Mr Pryde is exempt from disclosure by virtue of section 38(1)(b) of FOISA and, therefore, that the Council applied Part 1 of FOISA correctly by refusing Mr Pryde’s request for information on the basis of that exemption.
Kevin Dunion
Scottish Information Commissioner
Link to PDF file of decision 078/2006 (57.8 kb)