Home Decisions

Decision 093/2024

Decision 093/2024: Correspondence regarding an employment tribunal application

Authority: Scottish Parliamentary Corporate Body
Case Ref: 202200388


Summary

The Applicant asked the Authority for information regarding an employment tribunal application connected to the former Ethical Standards Commissioner.   The Authority refused to confirm or deny whether the information existed or was 
held by them.  The Commissioner accepted that it was in the public interest for the Authority not to reveal whether the information existed or was held.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 2(1)(b) and 2(2)(e)(ii) (Effect of exemptions; 18(1) (Further provisions as respects responses to request); 38(1)(b), (2A)(a), (5) 
(definitions of “the data protection principles”, “data subject”, “personal data” and “processing”, and “the UK GDPR”) and (5A) (Personal information); 47(1) and (2) (Application for decision by Commissioner)

United Kingdom General Data Protection Regulation (the UK GDPR) articles 5(1)(a) (Principles relating to processing of personal data); 6(1)(f) (Lawfulness of processing)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d) and (5), (10) and (14)(a), (c) and (d) (Terms relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 28 January 2022, the Applicant made a request for information to the Authority.  He asked for:

Any correspondence submitted to the SPCB or to parliamentary officials around an employment tribunal application - including the application itself or a summary of an application - connected to the Commissioner for Ethical Standards in Public Life received or sent in 2020 or 2021.

2. The Authority responded on 24 February 2022, that it was applying section 18(1) of FOISA and it refused to confirm or deny whether the requested information existed or was held by it.  The Authority also stated that, if the information did exist or was held, an exemption under section 38(1)(b) of FOISA would apply.

3. On 1 March 2022, the Applicant wrote to the Authority requesting a review of its decision.  The Applicant stated that he was dissatisfied with the decision because the public interest and legitimate interest favoured disclosure

4. The Authority notified the Applicant of the outcome of its review on 24 March 2022, in which it explained that its review had upheld its original reliance on section 18(1) of FOISA.

5. On 1 April 2022, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA.  The Applicant stated that he was dissatisfied with the outcome of the Authority’s review because he 
considered there was a clear and legitimate interest in disclosure of the personal data he had requested.  The Applicant also considered the public interest in disclosure to be overwhelming due to the basic principles of accountability and transparency.

Investigation

6. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.

7. On 5 May 2022, the Authority was notified in writing that the Applicant had made a valid application.  The case was then allocated to an investigating officer.

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Authority was invited to comment on this application and to answer specific questions.

9. Further submissions were also sought and obtained from the Applicant.

Commissioner’s analysis and findings

10. In coming to a decision on this matter, the Commissioner considered all of the relevant submissions, or parts of submissions, made to him by both the Applicant and the Authority.  He is satisfied that no matter of relevance has been overlooked.

Section 18(1) – “neither confirm nor deny”

11. Section 18(1) of FOISA allows public authorities to refuse to confirm or deny whether they hold information in the following limited circumstances:
 

  • a request has been made to the authority for information which may or may not be held by it; and

     

  • if the information existed and was held by the authority (and it need not be), it could give a refusal notice under section 16(1) of FOISA, on the basis that the information was exempt information by virtue of any of the exemptions in sections 28 to 35, 38, 39(1) or 41 of FOISA; and

     

  • the authority considers that to reveal whether the information exists or is held by it would be contrary to the public interest.


12. Where section 18(1) is under consideration, the Commissioner must ensure that his decision notice does not confirm one way or the other whether the information requested actually exists or is held by the authority.  This means he is unable to comment in any detail on the Authority’s reliance on any of the exemption referred to, or on other matters which could have the effect of indicating whether the information exists or is held by the Authority.

13. In this case, the Authority submitted that, if it held any information falling within scope of the Applicant’s request, it would be exempt from disclosure under section 38(1)(b) of FOISA.

14. It is not sufficient to claim that one or more of the relevant exemptions applies.  Section 18(1) makes it clear that the authority must be able to give a refusal notice under section 16(1), on the basis that any relevant 
information (if it existed and were held) would be exempt information under one or more of the listed exemptions.  

15. The Commissioner must first, therefore, consider whether the Authority could have given a refusal notice under section 16(1) in relation to the information in question, if it existed and were held.

Section 38(1)(b) – Personal information

16. Section 38(1)(b), read in conjunction with section 38(2A)(a) (or (b)), exempts information from disclosure if it is “personal data”, as defined in section 3(2) of the DPA 2018 and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR.  

Would the information be personal data?

17. “Personal data” is defined in section 3(2) of the DPA 2018 as “any information relating to an identified or identifiable living individual”.  Section 3(3) of the DPA 2018 defines “identifiable living individual” as “a living 
individual who can be identified, directly or indirectly, in particular with reference to –

(i) an identifier such as a name, an identification number, location data or an online identifier, or

(ii) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.”

18. Given that the information request is framed with reference to a named person, and given the subject matter of the request, the Commissioner is satisfied that, if this information did exist and was held by the Authority, any 
information captured by the request would clearly relate to the named individual.  Furthermore, the Commissioner notes that the Applicant has requested correspondence to either the Authority or parliamentary officials.   The Commissioner considers it likely that if any correspondence existed, and was held, it would comprise the personal data of the individuals who sent and received the correspondence.  The Commissioner therefore accepts that, if it existed and was held, the information would be personal data as defined in section 3(2) of the DPA 2018.

Would disclosure contravene one of the data protection principles?

19. The Authority argued that disclosing the personal data, if it existed and were held, would breach the first data protection principle.  This requires personal data to be processed “lawfully, fairly and in a transparent manner in relation to the data subject” (Article 5(1)(a) of the GDPR).

20. The definition of “processing” is wide and includes (section 3(4)(d) of the DPA 2018), “disclosure by transmission, dissemination or otherwise making available”.  In the case of FOISA, personal data are processed when disclosed in response to a request.  This means that, if it existed and was held, the personal data could only be disclosed if disclosure would be both lawful (i.e. if it would meet one of the conditions of lawful processing listed in Article 6(1) of the UK GDPR) and fair.

Lawful processing: Article 6(1)(f) of the UK GDPR

21. In considering lawfulness, the Commissioner must consider whether any of the conditions in Article 6(1) of the UK GDPR would allow the personal data, if it existed and was held, to be disclosed.

22. The Commissioner considers that, if the information existed and was held, condition (f) is the only condition which could potentially apply.  This states that processing shall be lawful if it is “necessary for the purposes of 
the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data ...”

23. Although Article 6(1) states that this condition cannot apply to processing carried out by a public authority in performance of its tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public authorities can rely 
on Article 6(1)(f) when responding to requests under FOISA.

24. The tests which must be met before Article 6(1)(f) can be met are as follows:

(i) Would the Applicant have a legitimate interest in obtaining personal data, if held?

(ii) If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?

(iii) Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subject?

Would the Applicant have a legitimate interest in obtaining the personal data, if held?

25. There is no definition within the DPA 2018 of what constitutes a “legitimate interest”, but the Commissioner takes the view that the term indicates that matters in which an individual properly has an interest should be 
distinguished from matters about which he or she is simply inquisitive.  The Commissioner’s published guidance on section 38(1)(b)  of FOISA states:

In some cases, the legitimate interest might be personal to the applicant, e.g. he or she might want the information in order to bring legal proceedings.  With most requests, however, there are likely to be wider legitimate interests, such as the scrutiny of the actions of public bodies or public safety,

26. The Authority recognised the legitimate interest of the applicant in seeking the information in the course of his work as a journalist and for the purposes of accountability and scrutiny of the office of the Commissioner.

27. Having considered the nature of the information covered by the request, if it existed and was held, the Commissioner agrees with the Authority that the Applicant is pursuing a legitimate interest in obtaining the personal data (if it existed and was held).

Would disclosure be necessary?

28. Having accepted that the Applicant has a legitimate interest in the personal data (if it existed and were held), the Commissioner must consider whether disclosure of those personal data is necessary for the Applicant's 
legitimate interests.  In doing so, he must consider whether these interests might be reasonably be met by any alternative means.

29. "Necessary" means "reasonably" rather than "absolutely" or "strictly" necessary.  When considering whether disclosure would be necessary, public authorities should consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the requester's legitimate interests can be met by means which interfere less with the privacy of the data subjects.

30.    The Authority submitted that it did not consider disclosure of the data, it if existed and was held, necessary to achieve those legitimate interests.  It argued that the information requested went beyond the former Ethical 
Standards Commissioner public-facing role.

31. The Authority explained that there were additional, robust scrutiny processes already underway within Parliament at the time of the request to which the former Ethical Standards Commissioner was ultimately accountable.  It referred to audit reports which were already in the public domain and which detailed concerns and outlined recommendations for future improvement.

32. The Authority argued that the requester’s legitimate interests could – and would, in due course – be met by means which would interfere less with the privacy of the data subjects than disclosure of the information requested, if it existed and was held.

33. The Applicant submitted that disclosure of the information, if it existed and was held, was the only way to achieve his legitimate interest in holding the actions of a parliamentary officeholder and the Scottish Parliament 
itself to account.

34. In the Commissioner’s view, the only way the Applicant’s legitimate interest in the particular circumstances of this case could be met would be by viewing the information requested (assuming it exists and is held).  The 
Commissioner notes the Authority’s reference to audit reports and scrutiny processes, but he does not consider that either of those options will meet the Applicant’s legitimate interests.  He accepts that disclosure of any information held would be necessary for the Applicant’s legitimate interests.

35. Consequently, he will go on to consider whether the interest in obtaining the personal data (if it exists and is held) outweighs the rights and fundamental freedoms of the data subjects.  

The data subject’s interests or fundamental rights and freedoms (and balancing exercise)

36. The Commissioner has concluded that the disclosure of the information (if existing and held) would be necessary to achieve the Applicant’s legitimate interests.  However, this must be balanced against the fundamental rights and 
freedoms of the data subjects.  Only if the legitimate interests of the Applicant outweighed those of the data subjects could personal data be disclosed without breaching the first data protection principle.

37. The Commissioner has considered the submissions from both parties carefully, in the light of the decision by the Supreme Court in South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55.  

38. In carrying out the balancing exercise, much will depend on the reasonable expectations of the data subject.  Factors which will be relevant in determining reasonable expectations include:

(i) whether the information relates to the individual’s public life (i.e. their work as a public official or employee) or their private life (i.e. their home, family, social life or finances)

(ii) the potential harm or distress that may be caused by disclosure

(iii) whether the individual objected to the disclosure.

39. The Authority referred to article 6(1)(f) UK GDPR, and argued that the legitimate interests of the Applicant as a journalist was outweighed by the fundamental rights and freedoms of the data subjects.   It maintained that 
disclosure of the information, if it existed and was held, was not necessary to meet the Applicant’s legitimate interests, and that there were other processes which offered an alternative means of “holding the Officeholder and the SPCB to account”.

40. The Authority argued that as the body that sets their terms and conditions of appointment, it has a duty of care to its officeholders (the former Ethical Standards Commissioner being one of them).  It stated that the legitimate interests of the Applicant to receive this information was, and is overridden, by the rights and freedoms of the former Ethical Standards Commissioner as data subject

41. The Commissioner is satisfied that the requested information (if it existed and was held) would be information a person would generally expect to be kept confidential and only shared amongst limited individuals for specific purposes.

42. The Commissioner has also considered the potential harm or distress that could be caused by disclosure of the information (if it existed and was held).  Hypothetically, the Commissioner considers that there is a strong 
expectation that if an employee (or an officeholder) wanted to, they should be able to make a claim to an employment tribunal without the fact of that claim being made public, at least (in the case of where a claim has been made) until the Hearing itself has taken place.  Premature disclosure of the fact that a claim has or has not been made to the Employment Tribunal, before it has been resolved, could cause harm to the individual, particularly if the individual was still working for the organisation against whom the claim was raised.  The Commissioner notes that, at the time of the request, the former Ethical Standards Commissioner was still in post, although she was on long term leave and another individual was “Acting” in her stead.

43. The Commissioner has also considered the personal data of any officials who may have been involved in any of the requested correspondence (if it existed and was held).  He considers that anyone that was party to such 
communications, would be likely to hold a more junior post and would have a reasonable expectation that their personal data (names and contact details) would not be disclosed into the public domain in response to a FOI request.  

44. After carefully balancing the legitimate interests of the Applicant against the interests or fundamental rights or freedoms of the data subjects, the Commissioner finds that the legitimate interests served by disclosure of any information held would be outweighed by the unwarranted prejudice that would result to the rights and freedoms or legitimate interests of the individuals in question in this case.

45. In all the circumstances of this particular case, the Commissioner concludes that condition (f) in Article 6(1) of the UK GDPR could not be met in relation to the withheld personal data (if it exists and is held).

Fairness and transparency

46. Given that the Commissioner has concluded that the processing of the personal data, if existing and held, would be unlawful, he is not required to go on to consider whether disclosure of such personal data would otherwise be fair and transparent in relation to the data subject.

Conclusion on the data protection principles

47. For the reasons set out above, the Commissioner is satisfied that disclosure of any personal data, if it existed and were held, would breach the data protection principle in Article 5(1)(a) of the UK GDPR.  Consequently, he is 
satisfied that such personal data would be exempt from disclosure under section 38(1)(b) of FOISA and that the Authority could give a refusal notice under section 16(1) of FOISA, on the basis that the information would be exempt by virtue of section 38(1)(b).

Section 18(1) – The public interest

48. The Commissioner must now consider whether the Authority was entitled to conclude that it would be contrary to the public interest to reveal whether the information existed or was held.

The Applicant’s submissions

49. The Applicant argued that it was important to recognise the importance of the public-facing role of the former Ethical Standards Commissioner and the way in which that role relates to public life and standards in public life.

50. He submitted that it was public knowledge that the former Ethical Standards Commissioner was paid significant money for “extended leave” and her actions damaged the way the standards system, which protects Scotland's democracy by acting as a watchdog of those elected or appointed to public office, operated so badly that it was subject to a scathing report by the Auditor General.

51. He argued that publishing the information, should it exist, would demonstrate how the Parliament, and Scottish democracy more broadly, could protect itself from individuals who seek to undermine existing processes which are 
themselves there to protect democracy.  Not only would this publication aid transparency, but he submitted that it would shine a much-needed light on the processes that went wrong, significantly aiding accountability and allowing lessons to be fully learned with the public's full knowledge.

The Authority’s submissions

52. The Authority stated that its refusal to confirm or deny the existence of the information was based purely on public interest considerations regarding data protection, confidentiality, and due process and was not an attempt to avoid transparency.

The Commissioner’s conclusions

53. The test the Commissioner must consider is whether (having already concluded that the information, if it existed and were held, would be exempt from disclosure) it would be contrary to the public interest to reveal whether the information existed or was held.

54. The Commissioner has fully considered the submissions from the Applicant and appreciates that, where a parliamentary officeholder has been on extended leave, and where the organisation they represent has received a critical report from Audit Scotland, that there is a significant public interest in fully understanding the circumstances of such events.

55. However, the Commissioner is aware that the action of confirming or denying whether the information existed or was held would have the effect of revealing whether the named individual had raised a claim with the Employment Tribunal.  Doing so, would, of itself, lead to the Authority breaching its duties as a data controller under data protection legislation.  In the circumstances, the Commissioner must find that it would be contrary to the public interest for the Authority to reveal whether it held the requested information, or whether the information existed.

56. Consequently, the Commissioner is satisfied that the Authority was entitled to refuse to confirm or deny, whether the information requested by the Applicant existed or was held, in accordance with section 18(1) of FOISA.

Decision

The Commissioner finds that the Authority complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

David Hamilton
Scottish Information Commissioner

20 May 2024 

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(2) The person who makes such a request is in this Part and in Parts 2 and 7 referred to as the “applicant.”

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that –

(b) in all the circumstances of the case, the public interest in disclosing the information is not outweighed by that in maintaining the exemption.

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption –

(e) in subsection (1) of section 38 –

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

18 Further provision as respects responses to request


(1) Where, if information existed and was held by a Scottish public authority, the authority could give a refusal notice under section 16(1) on the basis that the information was exempt information by virtue of any of sections 28 to 
35, 38, 39(1) or 41 but the authority considers that to reveal whether the information exists or is so held would be contrary to the public interest, it may (whether or not the information does exist and is held by it) give the 
applicant a refusal notice by virtue of this section.

(2) Neither paragraph (a) of subsection (1) of section 16 nor subsection (2) of that section applies as respects a refusal notice given by virtue of this section.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(5) In this section-

"the data protection principles" means the principles set out in –

(a) Article 5(1) of the UK GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act);

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act).

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be read as 
if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

47 Application for decision by Commissioner

(1) A person who is dissatisfied with -

(a) a notice under section 21(5) or (9); or

(b) the failure of a Scottish public authority to which a requirement for review was made to give such a notice.

may make application to the Commissioner for a decision whether, in any respect specified in that application, the request for information to which the requirement relates has been dealt with in accordance with Part 1 of this Act.

(2) An application under subsection (1) must -

(a) be in writing or in another form which, by reason of its having some permanency, is capable of being used for subsequent reference (as, for example, a recording made on audio or video tape);

(b) state the name of the applicant and an address for correspondence; and

(c) specify –

(i)   the request for information to which the requirement for review relates;

(ii)   the matter which was specified under sub-paragraph (ii) of section 20(3)(c);

and

(iii)  the matter which gives rise to the dissatisfaction mentioned in subsection (1).
 

UK General Data Protection Regulation

Article 5 Principles relating to processing of personal data

1    Personal data shall be:

    a. processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”)

    …

 

Article 6 Lawfulness of processing

1    Processing shall be lawful only if and to the extent that at least one of the following applies:

    …

    f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the 
data subject which require the protection of personal data, in particular where the data subject is a child.

Data Protection Act 2018

3    Terms relating to the processing of personal data

    …

    (2) “Personal data” means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

    (3) “Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to –

        (a) an identifier such as a name, an identification number, location data or an online identifier, or

        (b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

    (4) “Processing”, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as –

        …

        (d) disclosure by transmission, dissemination or otherwise making available,

    
(5) “Data subject” means the identified or identifiable living individual to whom personal data relates.…

(10) “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such 
data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).

(14) In Parts 5 to 7, except where otherwise provided –

    (a) references to the UK GDPR are to the UK GDPR read with Part 2;

    …

(c) references to personal data, and the processing of personal data, are to personal data and processing to which Part 2, Part 3 or Part 4 applies;

(d) references to a controller or processor are to a controller or processor in relation to the processing of personal data to which Part 2, Part 3 or Part 4 applies.