Decision 096/2024 | Scottish Information Commissioner

Home Decisions

Decision 096/2024

Decision Notice 096/2024: Grants paid for installation of heat pump and solar panels

Authority: Scottish Ministers
Case Ref: 202201458

Summary

The Applicant asked the Authority for information relating to whether grant funding had been provided to a

specific address for the installation of a heat pump and solar panels. The Commissioner found that the Authority

was entitled to refuse to confirm nor deny whether it held the information.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)

(ii) (Effect of exemptions); 18(1) (Further provision as respects responses to request); 38(1)(b), (2A)(a), (5)

(definitions of “the data protection principles”, “data subject”, “personal data” and “processing”, and “the UK

GDPR”) and (5A) (Personal information); 47(1) and (2) (Application for decision by Commissioner)

United Kingdom General Data Protection Regulation (the UK GDPR) Article 5(1)(a) (Principles relating to processing

of personal data); 6(1)(f) (Lawfulness of processing)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d) and (5), (10) and (14)(a), (c) and (d) (Terms

relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The

Appendix forms part of this decision.

Background

1. On 30 May 2022, the Applicant made a request for information to the Authority. She asked for the

following information about a neighbouring property:

Has the owner of the property received any type of funding for the planning, purchase, and/or installation of (a) an ASHP and (b) Solar Panels?
If yes, what is the name of the funding scheme(s)?
When did they receive the funding?
How much have they received for the ASHP and how much have they received for the Solar Panels?

2. The Authority responded on 30 June 2022. The Authority applied section 18 of FOISA, in conjunction with

section 38(1)(b) (Personal information), and refused to confirm nor deny whether the requested information existed

or was held.

3. On 13 July 2022, the Applicant wrote to the Authority requesting a review of its decision. The Applicant

stated that she was dissatisfied with the decision because she believed her case was exceptional. The Applicant

stated that she did not understand how and why revealing the information would be contrary to the public interest.

4. The Applicant further submitted that she required the information requested in order to supplement her

complaint to the Scottish Public Services Ombudsman (SPSO). In particular, the Applicant stated that a yes or no

answer to her first question would allow her to prove that the local council had dealt with her case “with

negligence and discrimination”.

5. The Authority notified the Applicant of the outcome of its review on 1 August 2022, fully upholding its

original decision. The Authority concluded that to reveal whether the information requested existed, or was held,

would be contrary to the public interest.

6. On 22 December 2022, the Applicant wrote to the Commissioner, applying for a decision in terms of section

47(1) of FOISA. The Applicant stated that she was dissatisfied with the outcome of the Authority’s review for the

following reasons:

she did not agree that the information sought was “personal data” in terms of the DPA 2018
disclosure of the information requested was necessary in order to assist with her complaint against the local council
she had the right to know how tax revenues were spent and how much care goes into checking the fulfilment of projects to which budgets are dedicated.

Investigation

7. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the

power to carry out an investigation.

8. On 11 January 2023, and in line with section 49(3)(a) of FOISA, the Commissioner gave the Authority notice

in writing of the application and invited its comments which were provided.

9. The case was subsequently allocated to an investigating officer.

10. Further submissions were sought and received from the Applicant relating to the public interest test.

Commissioner’s analysis and findings

11. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority.

Section 18(1) – “neither confirm nor deny”

12. Section 18(1) of FOISA allows public authorities to refuse to confirm or deny whether they hold

information in the following limited circumstances:

a request has been made to the authority for information which may or may not be held by it; and
if the information existed and was held by the authority (and it need not be), it could give a refusal notice under section 16(1) of FOISA, on the basis that the information was exempt information by virtue of any of the exemptions in sections 28 to 35, 38, 39(1) or 41 of FOISA; and
the authority considers that to reveal whether the information exists or is held by it would be contrary to the public interest

13. Where section 18(1) is under consideration, the Commissioner must ensure that his decision notice does not

confirm one way or the other whether the information requested actually exists or is held by the authority. This

means he is unable to comment in any detail on the Authority’s reliance on any of the exemption referred to, or on

other matters which could have the effect of indicating whether the information exists or is held by the Authority.

Section 38(1)(b) – Personal information

14. Section 38(1)(b), read in conjunction with section 38(2A)(a) (or (b)), exempts information from disclosure

if it is “personal data”, as defined in section 3(2) of the DPA 2018 and its disclosure would contravene one or

more of the data protection principles set out in Article 5(1) of the GDPR.

Would the information be personal data?

15. “Personal data” is defined in section 3(2) of the DPA 2018 as “any information relating to an identified

or identifiable living individual”. Section 3(3) of the DPA 2018 defines “identifiable living individual” as “a

living individual who can be identified, directly or indirectly, in particular

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or

social identity of the individual.”

16. Given that the information request is framed with reference to a living individual (as it is linked to

their private home address) the Commissioner is satisfied that, if this information did exist and was held by the

Authority, any information captured by the request would be personal data as defined in section 3(2) of the DPA

2018.

Would disclosure contravene one of the data protection principles?

17. The Authority argued that disclosing the personal data, if it existed and were held, would breach the

first data protection principle. This requires personal data to be processed “lawfully, fairly and in a

transparent manner in relation to the data subject” (Article 5(1)(a) of the GDPR)

18. The definition of “processing” is wide and includes (section 3(4)(d) of the DPA 2018), “disclosure by

transmission, dissemination or otherwise making available”. In the case of FOISA, personal data are processed

when disclosed in response to a request. This means that, if it existed and were held, the personal data could

only be disclosed if disclosure would be both lawful (i.e. if it would meet one of the conditions of lawful

processing listed in Article 6(1) of the UK GDPR) and fair.

Lawful processing: Article 6(1)(f) of the UK GDPR

19. In considering lawfulness, the Commissioner must consider whether any of the conditions in Article 6(1) of

the UK GDPR would allow the personal data, if it existed and were held, to be disclosed.

20. The Commissioner considers that, if the information existed and was held, condition (f) is the only

condition which could potentially apply. This states that processing shall be lawful if it is “necessary for the

purposes of the legitimate interests pursued by the controller or by a third party, except where such interests

are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of

personal data ...”

21. Although Article 6(1) states that this condition cannot apply to processing carried out by a public

authority in performance of its tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public

authorities can rely on Article 6(1)(f) when responding to requests under FOISA.

22. The tests which must be met before Article 6(1)(f) can be met are as follows:

(i) Would the Applicant have a legitimate interest in obtaining personal data, if held?

(ii) If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?

(iii) Even if the processing would be necessary to achieve that legitimate interest, would that be

overridden by the interests or fundamental rights and freedoms of the data subject?

Would the Applicant have a legitimate interest in obtaining the personal data, if held?

23. The Authority did not consider that the Applicant had a legitimate interest in the personal data (if it

existed and were held). The Authority noted that the Applicant had asked for the information to support her

complaint relating to the noise of the equipment installed. In the Authority’s view, there was no connection

between how the installation was funded and the Applicant’s complaint about noise caused.

24. The Commissioner notes the Authority’s comments but considers that the Applicant has provided persuasive

arguments as to her legitimate interest in the personal data, if it existed and were held. The Commissioner is

therefore satisfied that, if it existed and were held, the Applicant would have a legitimate interest in obtaining

the personal data.

Would disclosure be necessary?

25. The next question is whether, if the personal data existed, disclosure would be necessary to achieve the

legitimate interest in the information. “Necessary” means “reasonably” rather than “absolutely” or “strictly”

necessary. When considering whether disclosure would be necessary, public authorities must consider whether the

disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the

Applicant’s legitimate interests could reasonably be met by means which interfered less with the privacy of the

data subject.

26. The Authority accepted that disclosure would be necessary should the Applicant have a legitimate interest

in the information.

27. If the Applicant’s legitimate interest was limited to supplementing her complaint to the SPSO, the

Commissioner would not be persuaded that disclosure of the information would be necessary to achieve that

interest. This is because, for the purposes of its investigations, the SPSO has the same powers as the Court of

Session in respect of the production of documents.

28. However, the Applicant appears to have a broader legitimate interest in the information. That is, the

Applicant wants to challenge the authenticity of documentation used by installers, installation companies and

Certification Bodies.

29. On balance, the Commissioner therefore accepts that disclosure of the information requested, if it existed

and was held, would be necessary for the Applicant’s legitimate interests.

The data subject’s interests or fundamental rights and freedoms (and balancing exercise)

30. The Commissioner has concluded that the disclosure of the information (if existing and held) would be

necessary to achieve the Applicant’s legitimate interests. However, this must be balanced against the fundamental

rights and freedoms of the owner of the property. Only if the legitimate interests of the Applicant outweighed

those of the data subject could personal data be disclosed without breaching the first data protection principle.

31. The Commissioner has considered the submissions from both parties carefully, in the light of the decision

by the Supreme Court in South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 551 .

32. In carrying out the balancing exercise, much will depend on the reasonable expectations of the data

subject. Factors which will be relevant in determining reasonable expectations include:

(i) whether the information relates to the individual’s public life (i.e. their work as a

public official or employee) or their private life (i.e. their home, family, social life or

finances)

(ii) the potential harm or distress that may be caused by disclosure

(iii) whether the individual objected to the disclosure.

33. The Authority considered that if an application had been made to the scheme by the owner of the property,

the data subject would have no expectation that information on the source of funding for the installation of solar

panels at their property would be made available to anyone. The Authority concluded that even if the Applicant

did have a legitimate interest in the information, if it existed and was held, the rights and freedoms of the data

subject would outweigh this interest.

34. The Commissioner agrees with the Authority that the information (if it existed and was held) would be

information a person would generally expect to be kept confidential and only shared amongst limited individuals

for specific purposes. It is important to bear in mind that disclosure under FOISA is disclosure to the world at

large and not just to the person who asks for the information.

35. After carefully balancing the legitimate interests of the Applicant against the interests or fundamental

rights or freedoms of the data subjects, the Commissioner finds that the legitimate interests served by disclosure

of any information held would be outweighed by the unwarranted prejudice that would result to the rights and

freedoms or legitimate interests of the data subject in this case.

36. In all the circumstances of this particular case, the Commissioner concludes that condition (f) in Article

6(1) of the UK GDPR could not be met in relation to the withheld personal data (if it exists and is held).

Fairness and transparency

37. Given that the Commissioner has concluded that the processing of the personal data, if existing and held,

would be unlawful, he is not required to go on to consider whether disclosure of such personal data would

otherwise be fair and transparent in relation to the data subject.

Conclusion on the data protection principles

38. For the reasons set out above, the Commissioner is satisfied that disclosure of any personal data, if it

existed and were held, would breach the data protection principle in Article 5(1)(a) of the UK GDPR.

Consequently, he is satisfied that such personal data would be exempt from disclosure under section 38(1)(b) of

FOISA and that the Authority could give a refusal notice under section 16(1) of FOISA, on the basis that the

information would be exempt by virtue of section 38(1)(b).

Section 18(1) – The public interest

39. The Commissioner must now consider whether the Authority was entitled to conclude that it would be

contrary to the public interest to reveal whether the information existed or was held.

The Applicant’s submissions

40. The Applicant considered that it was in the public interest for the public to know whether the information

she asked for existed, particularly as public money is used to pay for the installation and use of air source heat

pumps.

41. The Applicant believed that the public interest would be served by revealing whether the information

existed or was held because transparency would stop installers, installation companies and the Certification

Bodies to provide fabricated documents.

The Authority’s submissions

42. The Authority explained that to disclose whether the information exists, or not, would in effect disclose

the position in relation to any potential funding awarded (or not) which would lead to the Authority breaching its

duties as a data controller under data protection legislation.

43. The Authority stated that it therefore did not consider it to be in the public interest to reveal whether

the information existed or was held.

The Commissioner’s conclusions

44. The test the Commissioner must consider is whether (having already concluded that the information, if it

existed and were held, would be exempt from disclosure) it would be contrary to the public interest to reveal

whether the information existed or was held.

45. The Commissioner has fully considered the submissions from the Applicant and appreciates that, where

public funds are being used for the provision of goods or services, there should be scope for scrutiny as to how

those funds are utilised.

46. However, the Commissioner is aware, that the action of confirming or denying whether the information

existed or was held, would have the effect of revealing whether the property owner did or did not receive funding.

Doing so would, of itself, lead to the Authority breaching its duties as a data controller under data protection

legislation.

47. Consequently, the Commissioner is satisfied that the Authority was entitled to refuse to confirm or deny,

whether the information requested by the Applicant existed or was held, in accordance with section 18(1) of FOISA.

Decision

The Commissioner finds that the Authority complied with Part 1 of the Freedom of Information (Scotland) Act 2002

in responding to the information request made by the Applicant.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal

to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of

intimation of this decision.

David Hamilton
Scottish Information Commissioner

21 May 2024

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given

it by the authority.
…

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to

the extent that –

(a) the provision does not confer absolute exemption; and

(b) in all the circumstances of the case, the public interest in disclosing the information is not outweighed

by that in maintaining the exemption.

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are

to be regarded as conferring absolute exemption –
…

(e) in subsection (1) of section 38 –
…

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

18 Further provision as respects responses to request

(1) Where, if information existed and was held by a Scottish public authority, the authority could give a

refusal notice under section 16(1) on the basis that the information was exempt information by virtue of any of

sections 28 to 35, 38, 39(1) or 41 but the authority considers that to reveal whether the information exists or is

so held would be contrary to the public interest, it may (whether or not the information does exist and is held by

it) give the applicant a refusal notice by virtue of this section.

38 Personal information

(1) Information is exempt information if it constitutes-
…

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);
…

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than

under this Act -

(a) would contravene any of the data protection principles, or
…

(5) In this section-

"the data protection principles" means the principles set out in –

(a) Article 5(1) of the UK GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

…

“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see

section 3(2), (4) and (14) of that Act);

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14)

of that Act).

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the

UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be

read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public

authorities) were omitted.

47 Application for decision by Commissioner

(1) A person who is dissatisfied with -

(a) a notice under section 21(5) or (9); or

(b) the failure of a Scottish public authority to which a requirement for review was made to give such a

notice.

may make application to the Commissioner for a decision whether, in any respect specified in that application, the

request for information to which the requirement relates has been dealt with in accordance with Part 1 of this

Act.

(2) An application under subsection (1) must -

(a) be in writing or in another form which, by reason of its having some permanency, is capable of being used

for subsequent reference (as, for example, a recording made on audio or video tape);

(b) state the name of the applicant and an address for correspondence; and

(i) the request for information to which the requirement for review relates;

(ii) the matter which was specified under sub-paragraph (ii) of section 20(3)(c);

and

(iii) the matter which gives rise to the dissatisfaction mentioned in subsection (1).

UK General Data Protection Regulation

Article 5 Principles relating to processing of personal data

1 Personal data shall be:

a. processed lawfully, fairly and in a transparent manner in relation to the data subject

(“lawfulness, fairness and transparency”)

…

Article 6 Lawfulness of processing

1 Processing shall be lawful only if and to the extent that at least one of the following applies:

…

f. processing is necessary for the purposes of the legitimate interests pursued by the

controller or by a third party, except where such interests are overridden by the

interests or fundamental rights and freedoms of the data subject which require the protection

of personal data, in particular where the data subject is a child.

Data Protection Act 2018

3 Terms relating to the processing of personal data

…

(2) “Personal data” means any information relating to an identified or identifiable living

individual (subject to subsection (14)(c)).

(3) “Identifiable living individual” means a living individual who can be identified, directly

or indirectly, in particular by reference to –

(a) an identifier such as a name, an identification number, location data or an
online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental,

economic, cultural or social identity of the individual.

(4) “Processing”, in relation to information, means an operation or set of operations

which is performed on information, or on sets of information, such as –
…

(d) disclosure by transmission, dissemination or otherwise making available,

…

(10) “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Authority of 27 April

2016 on the protection of natural persons with regard to the processing of personal data and on the free movement

of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and

Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see

section 205(4)).
…

(14) In Parts 5 to 7, except where otherwise provided –

(a) references to the UK GDPR are to the UK GDPR read with Part 2;

…

which Part 2, Part 3 or Part 4 applies;

(d) references to a controller or processor are to a controller or processor in relation to the processing of

personal data to which Part 2, Part 3 or Part 4 applies.