Decision 086/2024 | Scottish Information Commissioner

Home Decisions

Decision 086/2024

Decision Notice 086/2024: Information relating to care of relative

Authority: Fife Council
Case Ref: 202200967

Summary

The Applicant requested information regarding their relative’s care arrangements and their related concerns about

those arrangements. The Authority withheld most of the information requested as it was personal data and stated

that it did not hold the remaining information. The Commissioner investigated and found that the Authority’s

response complied with FOISA.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), 1(2), 1(4) and (6) (General entitlement); 2(1)

(a) and (2)(e)(ii) (Effect of exemptions); 17(1) (Information not held); 20(1), 20(3), 20(5) and 6 (Requirement

for review of refusal etc.); 38(1)(b), (2A), (5) (definitions of “data protection principles”, “data subject”,

“personal data”, “processing” and “the UK GDPR”) and (5A) (Personal information); 47(1) and (2) (Application for

decision by Commissioner)

United Kingdom General Data Protection Regulation (the UK GDPR) articles 4(1) (definition of "personal data");

5(1)(a) (Principles relating to processing of personal data); 6(1)(f) (Lawfulness of processing)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5), 5(A), (10) and (14) (Terms relating to

the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The

Appendix forms part of this decision.

Background

1. On 2 March 2022, the Applicant made a request for information to the Authority. The Applicant requested

answers to the following questions:

(i) When was [named member of staff] “allocated” my [relative’s] case?

(ii) What are [named member of staff’s] qualifications to undertake such an assessment?

(iii) On what date was [named member of staff] appointed to his “investigation” and by whom?

(iv) By the time of our meeting on 15 February 2022 had anyone from [the Authority] been to see my [relative]?

(v) For what reason was the essence and purpose of the meeting on 15 February 2022 altered without informing

me in advance?

(vi) Why was I denied written confirmation of what had been stated to me at the meeting?

2. The Authority responded on 15 March 2022, withholding the information requested under section 38(1)(b)

(personal information) of FOISA.

3. On 26 July 2022 the Applicant wrote to the Authority requesting a review of its decision (having

previously submitted two invalid requests). While the Applicant’s 26 July review request was out of time, the

Authority decided to respond to it. The Applicant stated that they were dissatisfied with the decision because:

for requests (i), (iii) and (iv), they sought only a date or a “yes/no” answer which they did not consider

would relate to be the personal data of other individuals

for request (ii), they thought that it was normal practice for authorities to disclose a public service

professional’s qualifications

for request (v), they considered that they should have received information regarding changes to their

meeting with the Authority and did not consider this information related to their relative

for request (vi), they thought that they should have received a written record of what had been stated to

them at their meeting with the Authority.

4. The Authority notified the Applicant of the outcome of its review on 24 August 2022, upholding its

original decision for all elements of the request except request (v). For request (v), the Authority instead

stated that it did not hold the information requested and issued a notice under section 17(1) of FOISA. The

Authority also provided further information in line with its duty under section 15 of FOISA to advise and assist:

for request (ii), it provided a link to job role profiles for relevant staff members
for request (v), it provided information relating to the purpose of its meeting with the Applicant
for request (vi), it explained why a written summary of the meeting could not be provided.

5. On 30 August 2022, the Applicant wrote to the Commissioner, applying for a decision in terms of section

47(1) of FOISA. The Applicant stated that they were dissatisfied with the outcome of the Authority’s review

because they considered that the Authority was wrong to withhold information in relation to requests (i)-(iv) and

(vi) and that the public interest favoured disclosure of the requested information. The Applicant also did not

consider that the job profile provided satisfied request (ii) and believed that the Authority did hold information

relating to request (v).

Investigation

6. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the

power to carry out an investigation.

7. On 14 September 2022, the Authority was notified in writing that the Applicant had made a valid

application and the case was subsequently allocated to an investigating officer

8. The Authority was also asked to send the Commissioner the information withheld from the Applicant, which

it did.

9. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide

comments on an application. The Authority was invited to comment on this application and to answer specific

questions. These focused on the searches and enquiries undertaken by the Authority to establish what information

(if any) it held falling within the scope of the Applicant’s request and its application of section 38(1)(b) of

FOISA.

Commissioner’s analysis and findings

10. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority.

Section 17 – Information not held

11. This section is limited to considering request (v).

12. Section 1(1) of FOISA provides that a person who requests information from a Scottish public authority

which holds it is entitled to be given that information by the authority, subject to qualifications which, by

virtue of section 1(6) of FOISA, allow Scottish public authorities to withhold information or charge a fee for it.

The qualifications contained in section 1(6) are not applicable in this case.

13. The information to be given is that held by the authority at the time the request is received, as defined

in section 1(4). This is not necessarily to be equated with information an applicant believes the authority

should hold. If no such information is held by the authority, section 17(1) of FOISA requires it to give the

applicant notice in writing to that effect.

14. The standard of proof to determine whether a Scottish public authority holds information is the civil

standard of the balance of probabilities. In determining where the balance of probabilities lies, the

Commissioner considers the scope, quality, thoroughness and results of the searches carried out by the public

authority. He also considers, where appropriate, any reason offered by the public authority to explain why it

does not hold the information. The Commissioner’s remit here, however, extends only to the consideration of

whether the authority actually held the relevant information requested and whether it complied with Part 1 of

FOISA in responding to the request. The Commissioner cannot comment on whether a public authority should have

recorded any, or more, information about a particular event or process.

The Applicant’s submissions

15. The Applicant submitted correspondence with the Authority in which they raised concerns regarding their

relative’s care arrangements and sought a meeting to discuss these concerns.

16. The Applicant explained that a meeting was initially proposed to take place (virtually) for one hour on 10

February 2022. The Applicant noted that the actual in-person meeting of 15 February only took ten minutes and

presented them with a verbal summary of matters relating to their relative only, including the outcome of the

Authority’s investigation into their concerns.

17. The Applicant therefore considered the purpose of the meeting had changed from discussion of concerns to

the mere conveyance of information by the Authority. As a result, the Applicant did not find it credible that the

Authority held no associated communications in relation to this change over the period 8 February 2022 to 15

February 2022.

The Authority’s submissions

18. The Authority noted the scope of request (v) related to “changes to the essence and purpose” of a meeting

between it and the Applicant on 15 February 2022.

19. The Authority acknowledged the date and venue of the meeting had changed to accommodate the Applicant’s

desire for an in-person meeting, rather than a virtual meeting but submitted that it did not hold information

relating to changes in the meeting’s “essence and purpose”.

The Commissioner’s view

20. The Commissioner considers that the Authority did hold information about changes to the date and location

of the meeting of 15 February 2022, but, having reviewed the submissions and withheld information it provided, he

agrees that information did not relate to a change in the essence or purpose of the meeting.

21. The Commissioner therefore concludes that the Authority was correct to give the Applicant notice, in terms

of section 17(1) of FOISA, that it did not hold the information requested.

Section 38(1)(b) – Personal information

22. This section is limited to considering requests (i)-(iv) and (vi).

23. Section 38(1)(b), read in conjunction with section 38(2A)(a), exempts information from disclosure if it is

“personal data”, as defined in section 3(2) of the DPA 2018 and its disclosure would contravene one or more of the

data protection principles set out in Article 5(1) of the GDPR.

Would the information be personal data?

24. “Personal data” is defined in section 3(2) of the DPA 2018 as “any information relating to an identified

or identifiable living individual”. Section 3(3) of the DPA 2018 defines “identifiable living individual” as “a
living individual who can be identified, directly or indirectly, in particular with reference to –

an identifier such as a name, an identification number, location data or an online identifier, or
one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social

identity of the individual.”

25. Information will “relate to” a person if it is about them, linked to them, has biographical significance

for them, is used to inform decisions affecting them or has them as its main focus.

26. In the Commissioner’s view, requests (i)-(iv) clearly relate to the Applicant’s relative or a named member

of the Authority’s staff (or both). The Commissioner is satisfied the information in those requests are personal

data for the purposes of section 3(2) of the DPA 2018.

27. Having considered request (vi) carefully, the Commissioner considers it to be seeking a written record of

what was stated at a meeting (of which the focus was a third party and their care). The Commissioner is therefore

satisfied the information (in this specific context) relates to the Applicant’s relative and is also personal data

for the purposes of section 3(2) of the DPA 2018.

Would disclosure contravene one of the data protection principles?

28. The Authority argued that disclosure would breach the data protection principle in Article 5(1)(a) of the

UK GDPR. Article 5(1)(a) states that personal data shall be processed “lawfully, fairly and in a transparent

manner in relation to the data subject.”

29. "Processing" of personal data is defined in section 3(4) of the DPA 2018. It includes (section 3(4)(d))

disclosure by transmission, dissemination or otherwise making available personal data. The definition therefore

covers disclosing information into the public domain in response to a FOISA request.

30. The Commissioner must consider whether disclosure of the personal data would be lawful. In considering

lawfulness, he must consider whether any of the conditions in Article 6 of the UK GDPR would allow the data to be

disclosed.

31. The Commissioner considers that condition (f) in Article 6(1) is the only condition which could

potentially apply in the circumstances of this case.

Article 6(1)(f) of the UK GDPR – legitimate interests

32. The Commissioner considers that, with regard to the withheld information, condition (f) is the only

condition which could potentially apply, and notes the Authority identified condition (f) as such in its review

response to the Applicant.

33. Condition (f) states that processing shall be lawful if it is “necessary for the purposes of the

legitimate interests pursued by the controller or by a third party, except where such interests are overridden by

the interests or fundamental rights and freedoms of the data subject which require protection of personal
data ...”

34. Although Article 6(1) states that this condition cannot apply to processing carried out by a public

authority in performance of its tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public

authorities can rely on Article 6(1)(f) when responding to requests under FOISA.

35. The tests which must be met before Article 6(1)(f) can be met are as follows:

(i) Would the applicant have a legitimate interest in obtaining personal data, if held?

(ii) If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?

(iii) Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by

the interests or fundamental rights and freedoms of the data subject?

Would the Applicant have a legitimate interest in obtaining the personal data?

36. The Applicant stated they were their relative’s primary carer for the three-month period from November

2021 to February 2022 and, in this context, had raised concerns about their relative’s care.

37. The Authority accepted that the Applicant has a legitimate interest in obtaining the personal data in

question, as it either related to their relative or to a wider interest in ensuring staff were qualified for their

roles and that it was carrying out its duties correctly.

38. Taking the above into consideration, the Commissioner also accepts the Applicant has a legitimate interest

in obtaining the personal data.

Would disclosure be necessary?

39. The next question is whether, if the personal data existed, disclosure would be necessary to achieve the

legitimate interest in the information.

40. “Necessary” means “reasonably” rather than absolutely or strictly necessary. The Commissioner must

therefore consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be

achieved, or whether the Applicant’s legitimate interests can be met by means which interfere less with the

privacy of the named individuals.

41. The Authority did not accept that disclosure would be necessary in relation to any of the relevant

requests and identified specific alternative routes to the information requested which it considered interfered

less with the privacy of the named individuals.

42. For request (ii), the Authority did not consider disclosure of the named member of staff’s qualifications

necessary as it had provided the Applicant with a weblink to job profiles for all its roles (including that of the

named staff member).

43. While the Commissioner acknowledges the information provided, he does not consider it fully satisfies the

Applicant’s request as the qualifications set out in the relevant job profile are listed as “desirable”, rather

than “essential”.

44. In the circumstances, the Commissioner is therefore satisfied that disclosure of the information would be

necessary for the purposes of fully satisfying the Applicant’s legitimate interests.

45. For the remaining requests, the Authority did not accept disclosure was necessary as it considered verbal

information it provided to the Applicant in the meeting on 15 February 2022 was sufficient to address their
concerns.

46. Having reviewed the withheld information, and noting that it is unlikely the Applicant could have obtained

the information requested via the individual holding a power of attorney for their relative, the Commissioner does

not accept that the Applicant’s requests were entirely satisfied by the information provided verbally at the

meeting on 15 February 2022 and considers disclosure would be necessary to fully satisfy those legitimate

interests.

47. The Commissioner therefore considers that disclosure would be necessary, in relation to each request, for the

Applicant’s legitimate interests.

The data subject’s interests or fundamental rights and freedoms (and balancing exercise)

48. Having determined that disclosure would be necessary, the Commissioner must balance the legitimate

interests in disclosure of the information, against the data subjects’ interests or fundamental rights and

freedoms.

49. In doing so, it is necessary for the Commissioner to consider the impact of such a disclosure. For

example, if a data subject would not reasonably expect that the information would be disclosed to the public under

FOISA in response to the request, or if such disclosure would cause unjustified harm, their interests or rights

are likely to override any legitimate interests in disclosure. Only if the legitimate interests of the Applicant

outweigh those of the data subjects could the information, be disclosed without breaching the first data

protection principle.

50. The Commissioner has considered the submissions from both parties carefully, in the light of the decision

by the Supreme Court in South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55.

51. In carrying out the balancing exercise, much will depend on the reasonable expectations of the data

subject. Factors which will be relevant in determining reasonable expectations include:

(i) whether the information relates to an individual's public life (their work as a public official or

employee) or to their private life (their home, family, social life or finances)

(ii) whether the individual objected to the disclosure

(iii) the potential harm or distress that may be caused by disclosure.

52. For request (ii), the Applicant explained that they were not requesting any personal data of the member of

staff concerned that was not directly related to the discharge of their responsibilities. The Applicant further

considered it a convention, or norm, that public service officials’ qualifications be disclosed (e.g. members of

the medical profession).

53. The Authority noted that request (ii) sought the qualifications held by the named member of staff, and not

merely those required for the post. The Authority explained that the individual concerned was in a junior role

(Social Care Assistant), provided their qualifications to the Authority solely for the purposes of their

application for employment and therefore would not reasonably expect their qualifications to be released publicly.

54. For the remaining requests, the Applicant explained that they were linked less to their personal interest

in their relative’s care and more to a wider public interest in confirming the Authority was fulfilling its

statutory duties with regard to its investigation and handling of the care of an individual about whom a concern

had been reported.

55. The Authority explained that those requests sought information relating to care provided to a living

individual and provided evidence to support why the individual was not in a position to provide consent to the

disclosure. The Authority further noted that the Applicant did not possess legal rights to access the information

(e.g. through a power of attorney, which is held by someone else in relation to the individual).

56. While the Authority acknowledged both the Applicant’s personal interest and a wider public interest in

ensuring that it was carrying out its duties correctly, it considered care and care arrangements relating to the

data subject to be a private matter.

57. The Authority submitted that those factors meant any legitimate interest the Applicant had in receiving

written information would be overridden by the interests and fundamental rights of the data subject; specifically,

the imperative to ensure personal data held for the purpose of that individual’s private care was not released

into the public domain.

58. As a starting point, the Commissioner notes that disclosure under FOISA is disclosure to the public at

large.

59. For request (ii), the Commissioner acknowledges the Applicant’s interest in ensuring an individual

involved in assessing their relative’s care arrangements was suitably qualified to do so.

60. Given the skills, experience and ‘bandwidth’ of qualifications required for the role are detailed in the

job role profile provided to the Applicant and the junior nature of that role, the Commissioner finds, on balance,

that the staff member concerned would not reasonably expect the information requested to be disclosed to the

public.

61. Consequently, the Commissioner considers the Applicant’s legitimate interests are outweighed by the

prejudice to the rights and freedoms of the member of staff that would result from disclosure. The requirements

of condition 6(f) cannot be met here.

62. For the remaining requests, the Commissioner recognises – and has given appropriate weight to – the

Applicant’s legitimate interest in scrutinising the actions of a public body in relation to its assessment and

provision of care to an individual about whom they had raised a concern.

63. However, taking all of the above into consideration, the Commissioner finds, on balance, that the

Applicant’s legitimate interest is outweighed by the prejudice to the rights and freedoms of the data subjects

that would result from disclosure.

64. The Commissioner’s view is that it cannot be the case that personal data relating to the care of an

individual – a private matter – can be disclosed to a third-party via FOISA unless an overwhelming legitimate

interest is demonstrated. This is not the case here, and the requirements of condition 6(f) cannot be met for the

remaining requests, either.

Fairness and transparency

65. Given that the Commissioner has concluded that the processing of the personal data would be unlawful, he

is not required to go on to consider whether disclosure of such personal data would otherwise be fair and

transparent in relation to the data subject.

The Commissioner’s view on the data protection principles

66. For the reasons set out above, the Commissioner is satisfied that disclosure of the personal data sought

in each of the requests would breach the data protection principle in Article 5(1)(a) of the UK GDPR.

67. Consequently, the Commissioner is satisfied that the personal data was correctly withheld under section

38(1)(b) of FOISA.

Decision

The Commissioner finds that the Authority complied with Part 1 of the Freedom of Information (Scotland) Act 2002

(FOISA) in responding to the information request made by the Applicant.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal

to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of

intimation of this decision.

David Hamilton
Scottish Information Commissioner

14 May 2024

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given

it by the authority.

(2) The person who makes such a request is in this Part and in Parts 2 and 7 referred to as the “applicant.”

…

(4) The information to be given by the authority is that held by it at the time the request is received,

except that, subject to subsection (5), any amendment or deletion which would have been made, regardless of the

receipt of the request, between that time and the time it gives the information may be made before the information

is given.
…

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to

the extent that –

(a) the provision does not confer absolute exemption; and

…

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are

to be regarded as conferring absolute exemption –
…

(e) in subsection (1) of section 38 –
…

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

17 Notice that information is not held

(1) Where-

(a) a Scottish public authority receives a request which would require it either-

(i) to comply with section 1(1); or

(ii) to determine any question arising by virtue of paragraph (a) or (b) of section 2(1),

if it held the information to which the request relates; but

(b) the authority does not hold that information,

it must, within the time allowed by or by virtue of section 10 for complying with the request, give the applicant

notice in writing that it does not hold it.

…

20 Requirement for review of refusal etc.

(1) An applicant who is dissatisfied with the way in which a Scottish public authority has dealt with a

request for information made under this Part of this Act may require the authority to review its actions and

decisions in relation to that request.

…

(3) A requirement for review must-

(a) be in writing or in another form which, by reason of its having some permanency, is capable of being used

for subsequent reference (as, for example, a recording made on audio or video tape);

(b) state the name of the applicant and an address for correspondence; and

(i) the request for information to which the requirement for review relates; and

(ii) the matter which gives rise to the applicant's dissatisfaction mentioned in subsection (1).

…

(5) Subject to subsection (6), a requirement for review must be made by not later than the fortieth working

day after-

(a) the expiry of the time allowed by or by virtue of section 10 for complying with the request; or

(b) in a case where the authority purports under this Act-

(i) to comply with a request for information; or

(ii) to give the applicant a fees notice, a refusal notice or a notice under section 17(1) that information is

not held,

but does so outwith that time, the receipt by the applicant of the information provided or, as the case may be,

the notice.

(6) A Scottish public authority may comply with a requirement for review made after the expiry of the time

allowed by subsection (5) for making such a requirement if it considers it appropriate to do so.

…

38 Personal information

(1) Information is exempt information if it constitutes-

…

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);

…

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than

under this Act -

(a) would contravene any of the data protection principles, or

...

(5) In this section-

"the data protection principles" means the principles set out in –

(a) Article 5(1) of the UK GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

…

“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see

section 3(2), (4) and (14) of that Act);

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14)

of that Act).

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the

UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be

read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public

authorities) were omitted.
…

47 Application for decision by Commissioner

(1) A person who is dissatisfied with -

(a) a notice under section 21(5) or (9); or

(b) the failure of a Scottish public authority to which a requirement for review was made to give such a

notice.

may make application to the Commissioner for a decision whether, in any respect specified in that application, the

request for information to which the requirement relates has been dealt with in accordance with Part 1 of this

Act.

(2) An application under subsection (1) must -

(a) be in writing or in another form which, by reason of its having some permanency, is capable of being used

for subsequent reference (as, for example, a recording made on audio or video tape);

(b) state the name of the applicant and an address for correspondence; and

(i) the request for information to which the requirement for review relates;

(ii) the matter which was specified under sub-paragraph (ii) of section 20(3)(c); and

(iii) the matter which gives rise to the dissatisfaction mentioned in subsection (1).

UK General Data Protection Regulation

Article 5 Principles relating to processing of personal data

1 Personal data shall be:

a. processed lawfully, fairly and in a transparent manner in relation to the data subject

(“lawfulness, fairness and transparency”)
…

Article 6 Lawfulness of processing

1 Processing shall be lawful only if and to the extent that at least one of the following applies:
…

f. processing is necessary for the purposes of the legitimate interests pursued by the

controller or by a third party, except where such interests are overridden by the

interests or fundamental rights and freedoms of the data subject which require the protection

of personal data, in particular where the data subject is a child.

Data Protection Act 2018

3 Terms relating to the processing of personal data

…

(2) “Personal data” means any information relating to an identified or identifiable living

individual (subject to subsection (14)(c)).

(3) “Identifiable living individual” means a living individual who can be identified, directly

or indirectly, in particular by reference to –

(a) an identifier such as a name, an identification number, location data or an

online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental,

economic, cultural or social identity of the individual.

(4) “Processing”, in relation to information, means an operation or set of operations

which is performed on information, or on sets of information, such as –

…

(d) disclosure by transmission, dissemination or otherwise making available,

…

(5) “Data subject” means the identified or identifiable living individual to whom personal data relates.

…

(10) “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April

2016 on the protection of natural persons with regard to the processing of personal data and on the free movement

of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and

Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see

section 205(4)).

…

(14) In Parts 5 to 7, except where otherwise provided –

(a) references to the UK GDPR are to the UK GDPR read with Part 2;

…

which Part 2, Part 3 or Part 4 applies;

(d) references to a controller or processor are to a controller or processor in relation to the processing of

personal data to which Part 2, Part 3 or Part 4 applies.