Home Decisions

Decision 230/2024

Decision 230/2024: Information relating to resignation of Chief Executive

Authority: Scottish National Investment Bank
Case Ref: 202200603

Summary

The Applicant asked the Authority for information relating to the resignation of its Chief Executive.  The Authority disclosed some information, and withheld the remainder under various exemptions in FOISA.  The Commissioner investigated and found that the Authority had generally complied with FOISA, but required it to disclose further information.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 2(1)(a) and (b) and (2)(c) and (e)(ii) (Effect of exemptions); 30(c) (Prejudice to the effective conduct of public affairs); 36(2) (Confidentiality); 38(1)(b), (2A), (5) (definitions of “the data protection principles”, “data subject”, “personal data” and “processing”, “the UK GDPR”) and (5A) (Personal information); 47(1) and (2) (Application for decision by Commissioner)

United Kingdom General Data Protection Regulation (the UK GDPR) articles 4(1) (definition of “personal data”) (Definitions); 5(1)(a) (Principles relating to processing of personal data).

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5), (10), (14)(a), (c) and (d) (Terms relating to the processing of personal data)

Background

1. The Authority is an investment bank established and funded by the Scottish Government, which launched in November 2020.  On 25 February 2022, the Authority announced the resignation of its first Chief Executive (CEO), with immediate effect.

2. On 3 March 2022, the Applicant made a request for information to the Authority.  They asked for:

1) any emails, memos, briefings or external and internal correspondence, including letters, on the topic of the resignation of the CEO of the Authority

2) any correspondence with the Scottish Government on the issue.

3. On 4 March 2022, the former CEO issued a statement to the media confirming that their resignation was “ultimately for personal reasons”.

4. On 31 March 2022, the Authority asked the Applicant to narrow the scope of part 1 of their request (as it considered it to be excessively broad) and informed them that its response to part 2 of their request would be late.  The Authority also directed the Applicant to its evidence to the Scottish Parliament’s Economy and Fair Work Committee regarding the former CEO’s resignation.

5. The Applicant subsequently restricted the scope of part 1 of their request to the period 1 January 2022 to 3 March 2022.

6. The Authority responded to the Applicant’s request on 7 April 2022.  The Authority stated that it had withheld one document in its entirety under the exemption in section 38(1)(b) of FOISA and disclosed two documents in full and 18 redacted documents, variously withholding information under the exemptions in sections 30(b)(ii), 36(2) and 38(1)(b).

7. On the same day, the Applicant wrote to the Authority requesting a review of its decision.  The Applicant stated that they were dissatisfied with the decision because they did not accept the Authority’s reasons for applying the exemptions specified and that they considered the public interest favoured disclosure of the information.  In particular, the Applicant considered that:

  • the former CEO’s high-profile public position meant there was a significant public interest in the disclosure of the reasons for their departure
  • the information requested was unlikely to be so sensitive that the former CEO’s right to privacy would outweigh the public interest in its disclosure.

8. The Authority notified the Applicant of the outcome of its review on 10 May 2022.  The Authority upheld its original response, with minor modifications.  The Authority, having considered the request afresh, took the following steps:

  • disclosed an additional document it identified as falling within scope of the request
  • disclosed specific “administrative sentences”, or information otherwise in the public domain, previously withheld in their entirety under sections 36(2) or 38(1)(b) of FOISA
  • withdrew its reliance on section 30(b)(ii) of FOISA in relation to a small amount of further information, which it disclosed
  • confirmed that the former CEO was not subject to a non-disclosure agreement (NDA)
  • disclosed two documents omitted in error from its original response.  

9. On 25 May 2022, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA.  The Applicant stated that they were dissatisfied with the outcome of the Authority’s review for the following reasons:

  • the exemption in section 36(2) of FOISA did not apply to the withheld information and, in any case, the public interest favoured disclosure
  • for the information withheld under the exemption in section 38(1)(b) of FOISA, the public’s legitimate interest in understanding the former CEO’s reasons for resigning overrode their right to privacy

10. The Applicant did not challenge the Authority withholding junior officials’ personal information under the exemption in section 38(1)(b) of FOISA.  The Commissioner will therefore not consider this information in his decision.  

Investigation

11. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.

12. On 17 June 2022, the Authority was notified in writing that the Applicant had made a valid application.  The Authority was asked to send the Commissioner the information withheld from the Applicant.  The Authority provided the information, and the case was subsequently allocated to an investigating officer.

13. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application.

14. The Authority was invited to comment on this application and to answer specific questions.  These primarily focused on the Authority’s justification for applying the exemptions in sections 36(2) and 38(1)(b) of FOISA and its consideration regarding the public interest test.

15. The Applicant was also invited to comment on why they considered it was in the public interest for the requested information to be disclosed and their legitimate interest in the withheld personal information.

16. During the investigation, the Authority changed position for some of the withheld information:

(i) it withdrew reliance on the exemptions in sections 36(2) and 38(1)(b) of FOISA in relation to a small amount of information, and confirmed that it wished to rely on the exemption in section 30(c) instead

(ii) it withdrew reliance on the exemption in section 38(1)(b) in relation to a small amount of information relating to names, titles and work email addresses of senior Scottish Government officials

(iii) for unspecified reasons in some instances and in others due to the passage of time, it indicated that it was prepared to release a small amount of information previously withheld from the Applicant (variously under the exemptions in sections 36(2) and 38(1)(b) of FOISA)

17. While the Authority indicated at point (iii) above that it was prepared to disclose further information to the Applicant, the Commissioner’s decision must consider whether the Authority was correct to withhold this information at the time that it carried out the review.

Commissioner’s analysis and findings

18. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority.  

19. As stated in previous decisions, in Scottish Ministers v Scottish Information Commissioner [2006] CSIH 8, at paragraph [18], the Court of Session recognised that:

"in giving reasons for his decision, [the Commissioner] is necessarily restrained by the need to avoid, deliberately or accidentally, disclosing information which ought not to be disclosed."

20. In this decision notice, the Commissioner has endeavoured to give as full account of his reasoning as he can, but, by necessity, in this case the comments of the Court of Session are applicable to some aspects.

Section 1(1) – General entitlement

21. Section 1(1) of FOISA provides that a person who requests information from a Scottish public authority which holds it is entitled to be given that information by the authority, subject to qualifications which, by virtue of section 1(6) of FOISA, allow Scottish public authorities to withhold information or charge a fee for it.

Interpretation of request

22. During the investigation, the Authority identified to the Commissioner a small amount of information that it had originally withheld from the Applicant, under one or more exemptions in FOISA, but which it now considered fell outwith the scope of the request.

23. The Authority explained that the information did not, in its view, relate to the topic of the resignation of the former CEO and it was, therefore, outwith the scope of the request.  

24. However, the Authority submitted that if the Commissioner considered the information fell within scope of the request, then it wished to variously rely on the exemptions in sections 36(2) and 38(1)(b) of FOISA  to withhold the information in question.

25. Having considered the information identified by the Authority, alongside the strict terms of the request, the Commissioner considers, in the absence of persuasive submissions from the Authority to the contrary, that it falls within the scope of the request.

26. The Commissioner will therefore consider whether the Authority was entitled to withhold this information, which he has found to be within scope, in what follows.

Section 36(2) - Confidentiality

27. The Authority withheld information in 11 documents under the exemption in section 36(2) of FOISA.

28. Section 36(2) of FOISA provides that information is exempt from disclosure if it was obtained by a Scottish public authority from another person (including another such authority) and its disclosure, by the authority obtaining it, to the public (otherwise than under FOISA) would constitute a breach of confidence actionable by that person or any other person.  

29. Section 36(2) is an absolute exemption and is not, therefore, subject to the public interest test in section 2(1)(b) of FOISA.  However, it is generally accepted in common law that an obligation of confidence will not be enforced to restrain disclosure of information which is necessary in the public interest.

Information obtained from another person

30. Section 36(2) therefore contains a two-stage test, both parts of which must be fulfilled before the exemption can be relied upon.  The first is that the information must have been obtained by a Scottish public authority from another person.  “Person” is defined widely and means another individual, another Scottish public authority or any other legal entity, such as a company or partnership.

31. The Authority explained that the withheld information had been provided to it by the former CEO in correspondence and in the context of resigning from their post.  In this specific context, the Authority submitted that the former CEO was acting as private individual in their own right – separate to, and not on behalf of, the Authority.  In support of this, the Authority noted that the former CEO had (barring initial correspondence) corresponded with it on this matter via their personal, not their employee, 
email address.

32. The Authority also submitted that certain internal correspondence in which the former CEO was not a participant effectively repeated information which had been obtained in confidence from them.

33. The Authority argued that the Decision 166/2007 of the Commissioner, which found that, for the purposes of section 36(2) of FOISA, evidence provided by employees in a grievance procedure was “obtained from another person”, could reasonably be read as applying equally to information provided by individuals going through a resignation process.

34. Having viewed the withheld information, the Commissioner is satisfied that (with two exceptions) it was reasonable, in the circumstances, for the Authority to consider the information provided by the former CEO (either personally or where correspondence repeated information provided by them) as having been “obtained from another person”.

35. Consequently, the Commissioner is satisfied that the first limb of the test for the application of the exemption in section 36(2) of FOISA is met (with two exceptions) for the information withheld under that exemption.

36. The two exceptions relate to two specific passages of text withheld under the exemption in section 36(2) of FOISA.  Having reviewed those passages, the Commissioner accepts that it relates to the former CEO’s resignation but he does not accept that it was obtained from another person.  Unlike the other information withheld under the exemption in section 36(2), the two specific passages of text in question were not provided by the former CEO, nor do they repeat information provided by them in confidence.  

37. Consequently, the Commissioner does not consider that the first limb of the test for the application of the exemption in section 36(2) of FOISA is met for those two specific passages of text.  As the Authority also relied on the exemption in section 38(1)(b) of FOISA to withhold this information, the Commissioner will consider this later in his decision.

Actionable breach of confidence

38. The second part of the test is that disclosure of the information by a public authority must constitute a breach of confidence actionable either by the person who gave the information to the public authority or by any other person.  The Commissioner takes the view that “actionable” means that the basic requirements for a successful action must appear to be fulfilled.

39. There are three main requirements which must be met before a claim for breach of confidence can be established to satisfy the second element to this test. These are:

(i) The information must have the necessary quality of confidence;

(ii) The public authority must have received the information in circumstances which imposed an obligation on it to maintain confidentiality; and

(iii) Unauthorised disclosure must be to the detriment of the person who communicated the information.

40. The Applicant stated that in the absence of any confidentiality agreement between the former CEO and the Authority, there existed (were the information disclosed) no serious risk of an actionable breach of confidence.  The Applicant also disputed that the correspondence withheld contained anything which the former CEO would consider substantively private.

Necessary quality of confidence

41. The Authority claimed that the information had the necessary quality of confidence.  

42. The Authority explained that while the fact of the former CEO’s resignation was public knowledge at the time of the request, more specific details of this were not (which remained the case).

43. Having considered the withheld information and the Authority’s submissions, the Commissioner is satisfied, having also conducted his own searches, that the withheld information fulfils the criteria of having the necessary quality of confidence.  The information is not common knowledge and could not readily be obtained by the Applicant through any other means.

Obligation to maintain confidentiality

44. The Authority explained that the information had been received in the context of an employee-employer relationship which it considered conferred an overarching relationship of mutual trust and confidence.  

45. The Authority further submitted that the information was received in circumstances which imposed an obligation on the Authority to maintain confidentiality.  The Authority considered this obligation was in part explicit (noting that the former CEO had marked emails as “confidential” and almost entirely carried out correspondence via a personal account) and in part, given the nature of the withheld information, implicit.

46. The Authority considered that the former CEO would not have shared the information with the Authority had they thought it might be disclosed into the public domain at any time in the future.  The Authority noted that the former CEO had confirmed this to be the case during the Commissioner’s investigation.

47. The Authority explained that the fact the information had been shared internally amongst a small group of individuals solely further attested to the sensitivity and confidentiality of this information.  The Authority referred to the judgment in Coco v A N Clark (Engineers) Limited [1968] FSR 415 which it considered to be relevant in this case:

“… if the circumstances are such that any reasonable man standing in the shoes of the recipient of the information would have realised, that upon reasonable grounds the information was being given to him in confidence then this should suffice to impose upon him the equitable obligation of confidence.”

48. In summary, the Authority submitted that, notwithstanding the absence of a confidentiality agreement, the former CEO entered into dialogue in the full expectation that confidentiality would be maintained in perpetuity.

49. Having considered the circumstances, and the source and content of the withheld information, the Commissioner is satisfied that the information withheld was received in circumstances that implied an obligation to maintain confidentiality.  He therefore accepts that there was an obligation to maintain confidentiality.

Unauthorised disclosure would cause detriment

50. The third requirement is that unauthorised disclosure of the information must be to the detriment of the person who communicated it.  The damage need not be substantial and indeed could follow from the mere fact of unauthorised use or disclosure in breach of confidence.  

51. In that respect, the test of detriment is different to establishing whether, for example, disclosure would prejudice substantially the commercial interests of any person when considering the exemption in section 33(1)(b) of FOISA.

52. The Authority stated that the former CEO had not authorised disclosure of the withheld information in this case.  Disclosure would therefore have been unauthorised.  

53. The Authority also provided submissions detailing why disclosure of the withheld information into the public domain, which is the effect of disclosure under FOISA, would cause detriment to the former CEO.  

54. As rehearsed earlier, the Commissioner is restrained from setting out a full account of his reasoning (or that of the Authority).  However, he is satisfied that the former CEO provided the information (which is being withheld) in the expectation that it would be treated confidentially and not disclosed in the public domain in response to an information request under FOISA.

55. The Commissioner is therefore satisfied that the tests for an actionable breach of confidence are met in this case, in relation to the information being withheld under section 36(2) of FOISA (other than the two exceptions in paragraph 36).

The Commissioner’s view

56. In all the circumstances, the Commissioner is satisfied that (other than two exceptions in paragraph 36) all the tests for an actionable breach of confidence are met in this case.

57. Having found that (other than the exceptions in paragraph 36) the tests for the exemption in section 36(2) of FOISA have been met, and the exemption is properly engaged, the Commissioner must now go on to consider where the balance of public interest lies in relation to disclosure of the information.

Public interest defence – section 36(2)

58. As noted above, the exemption in section 36(2) of FOISA is an absolute exemption in terms of section 2(2) of FOISA and not subject to the public interest test in section 2(1)(b). However, the law of confidence recognises that, in certain circumstances, the strong public interest in maintaining confidences may be outweighed by the public interest in disclosure of the information.  In deciding whether to enforce an obligation of confidentiality, the courts are required to balance these competing interests, but there is no presumption in favour of disclosure.  This is generally known as the public interest defence.

59. The courts have identified a relevant public interest defence in cases where withholding information would cover up serious wrongdoing, and where it would lead to the public being misled on, or would unjustifiably inhibit public scrutiny of, a matter of genuine public concern.

The Applicant’s submissions

60. The Applicant argued that the former CEO occupied a position of significant public interest given the level of public investment in the Authority and its significant role in Scottish policy and politics more generally.  

61. The Applicant speculated that the former CEO’s reasons for resigning were “embarrassing” to the Scottish Government and/or the Authority, which was why the information requested was being withheld.  

62. The Applicant submitted that the Authority’s refusal to fully disclose the former CEO’s reasons for resigning inhibited accountability and transparency, and that the public interest favoured disclosure of the information to ensure the maintenance of public trust in the Authority.

The Authority’s submissions

63. The Authority acknowledged that a public interest defence may be relevant in certain cases (e.g. where withholding information would cover up serious wrongdoing, lead to the public being misled on or would unjustifiably inhibit public scrutiny of, a matter of genuine public concern).  However, the Authority submitted that it did not 
consider this to be the case here.

64. The Authority further submitted that the former CEO had a reasonable expectation of privacy in relation to the withheld information, given the subject matter (in terms of Article 8 of the European Convention on Human Rights) and since they had provided no further public update following their media statement of 4 March 2022.

65. The Authority also referred the Commissioner to guidance issued by the UK Information Commissioner’s Office in relation to information provided in confidence, which it had considered when evaluating the public interest in this case (specifically paragraph 84):

“… in cases where the duty of confidence protects a person’s private interests, it is hard to envisage circumstances where the public interest in transparency and accountability alone, would be sufficient to override the public interest in maintaining that individual’s privacy.”

66. On balance, the Authority concluded that the public interest lay in favour of upholding the exemption as it considered there was no public interest defence to disclosure of the information.

The Commissioner’s view on the public interest defence

67. The Commissioner has taken account of the public interest defence submissions made by the Authority and the submissions made by the Applicant on the public interest in disclosure of the information.  He has also taken account of the content of the withheld information itself.

68. The Commissioner recognises that there is clearly a strong public interest defence in transparency to allow effective scrutiny of information relating to matters of genuine public concern.  On the other hand, he accepts that there is also a strong public interest in the maintenance of confidences where information has been shared in such circumstances.

69. While the Commissioner accepts the circumstances of, and reasons for, the former CEO’s resignation are a matter of genuine public concern, he does not consider that there is a reasonable argument in this case for the disclosure of confidential information on public interest grounds.

70. Consequently, the Commissioner finds that the Authority was correct to withhold the information requested under section 36(2) of FOISA (other than the two exceptions in paragraph 36).

71. Having reached this conclusion, the Commissioner is not required to go on to consider whether the exemption in section 38(1)(b) of FOISA applies to the information he has found is exempt under section 36(2).

72. However, the Commissioner will go on to consider whether the exemption in section 38(1)(b) of FOISA applies to the information to which he concluded section 36(2) does not apply and to the information the Authority withheld solely under the exemption in section 38(1)(b).

Section 38(1)(b) – Personal Information

73. Section 38(1)(b), read in conjunction with section 38(2A)(a), exempts information from disclosure if it is “personal data”, as defined in section 3(2) of the DPA 2018, and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the GDPR.

74. As rehearsed earlier (at paragraph 16), the Authority withdrew its reliance on the exemption in section 38(1)(b) of FOISA in relation to the names, titles and work email addresses of senior Scottish Government officials.

75. The Commissioner must therefore find that the Authority failed to comply with section 1(1) of FOISA with respect to this information.  He requires the Authority to disclose this information to the Applicant.

76. In their application to the Commissioner, the Applicant did not express dissatisfaction that the Authority had withheld the personal information of junior officials of the Authority and the Scottish Government officials under the exemption in section 38(1)(b) of FOISA.  The Commissioner will therefore not consider this information further in his decision.  

77. In this case, the Authority applied the exemption in section 38(1)(b) of FOISA, as read with section 38(2A)(a), to information that it considered to be personal data within 17 documents.

Is the withheld information personal data?

78. The first question the Commissioner must address is whether the information is personal data for the purposes of section 3(2) of the DPA 2018.

79. The two main elements of personal data are that:

  • the information must “relate to” a living person; and
  • the living individual must be identifiable.

80. Information will “relate to” a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them or has them as its main focus.

81. An “identifiable living individual” is one who can be identified, directly or indirectly, by reference to an identifier (such as a name) or one or more factors specific to the individual (see section 3(3) of the DPA 2018).

82. The Commissioner is satisfied that the information being withheld under section 38(1)(b) is personal data: the data withheld comprises names of individuals (including the former CEO), their contact details (e.g. email addresses) and actions relating to and deriving from the former CEO’s resignation.  Living individuals are identifiable from this information and the information clearly relates to those individuals.

Would disclosure contravene one of the data protection principles?

83. The Authority argued that disclosure would breach the data protection principle in Article 5(1)(a) of the UK GDPR.  Article 5(1)(a) states that personal data shall be processed “lawfully, fairly and in a transparent manner in relation to the data subject.”.

84. "Processing" of personal data is defined in section 3(4) of the DPA 2018.  It includes (section 3(4)(d)) disclosure by transmission, dissemination or otherwise making available personal data.  The definition therefore covers disclosing information into the public domain in response to a FOISA request.

85. The Commissioner must consider whether disclosure of the personal data would be lawful.  In considering lawfulness, he must consider whether any of the conditions in Article 6 of the UK GDPR would allow the data to be disclosed.

86. The Commissioner considers that condition (f) in Article 6(1) is the only condition which could potentially apply in the circumstances of this case.

Condition (f) – legitimate interests

87. Condition (f) states that processing shall be lawful if it is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

88. Though Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, section 38(5A) of FOISA makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.

89. The three tests which must be met before Article 6(1)(f) can be met are as follows:

  • Does the Applicant have a legitimate interest in the personal data?
  • If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?
  • Even if the processing would be necessary to achieve the legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data 
    subjects which require protection of personal data?
Does the Applicant have a legitimate interest in obtaining the personal data?

90. The Applicant explained that the Authority’s role in controlling large amounts of public money (and concomitant taxpayer exposure) meant that the reasons for the former CEO’s departure should be made public as much as possible.

91. The Authority accepted that the Applicant had a legitimate interest in understanding the former CEO’s reasons for departure as a member of the public, but also as a journalist scrutinising the use of public funds.

92. The Commissioner agrees that the Applicant has a legitimate interest in the information for the same reasons as those given by the Authority.

Is disclosure of the personal data necessary?

93. Having accepted that the Applicant has a legitimate interest in the personal data, the Commissioner must consider whether disclosure of that personal data is necessary for the Applicant's legitimate interest.  In doing so, he must consider whether that legitimate interest might be reasonably be met by any alternative means.

94. "Necessary" means "reasonably" rather than "absolutely" or "strictly" necessary.  When considering whether disclosure would be necessary, public authorities must consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the requester's legitimate interests can be met by means which interfere less with the privacy of the data subject.

95. While it recognised the Applicant’s legitimate interest in the withheld information, the Authority considered this interest had been fully satisfied given the former CEO had resigned, that it was a matter of public record that they did so for “personal reasons” and the Authority had made public the financial implications of the former CEO’s resignation.  

96. The Authority also submitted that disclosure of the personal data of third parties (including but not limited to names, personal email addresses and phone numbers), where incidental to the former CEO’s resignation, was not necessary to satisfy the Applicant’s legitimate interest.

97. In all the circumstances, the Authority did not consider that disclosure of the specific details of the personal reasons for the former CEO’s resignation to the Applicant, or to the wider public, was necessary to satisfy the legitimate interest it had identified.

98. The Applicant argued that disclosure via FOISA was the only way in which the public could understand the specific reasons for the former CEO’s resignation, given that the Authority and the Scottish Government had refused provide such detail.

99. The Commissioner does not consider that disclosure of some personal data of third parties, where the information is incidental to or would provide no insight into the former CEO’s resignation, would be necessary to satisfy the Applicant’s legitimate interest.

100. However, the Commissioner accepts that disclosure of personal data of third parties, where the information is directly relevant to the former CEO’s resignation, would be necessary to satisfy the Applicant’s legitimate interest.  He can identify no other viable means of meeting the Applicant’s legitimate interest than providing this withheld information.

Interests of the data subject

101. The Commissioner has acknowledged that disclosure of the information in question would be necessary to achieve the Applicant’s legitimate interests.  This must be balanced against the interests or fundamental rights and freedoms of the third party.  Only if the legitimate interests of the Applicant outweigh those of the data subject could personal data be disclosed without breaching the first data protection principle.

102. The Commissioner’s guidance on section 38 of FOISA lists certain factors that should be taken into account in balancing the interests of the parties.  He makes it clear that much will depend on the reasonable expectations of the data subjects and that these are some of the factors public authorities should consider:

(i) whether the information relates to an individual's public life (their work as a public official or employee, wherein their seniority and whether their role is public-facing is a factor) or to their private life (their home, family, social life or finances)

(ii) whether the individual objected to the disclosure

(iii) the potential harm or distress that may be caused by disclosure.

103. The Commissioner is satisfied that, where he considers disclosure of the information withheld necessary to satisfy the legitimate interest of the Applicant, this information identifies and relates to the former CEO in all instances.

104. The Authority considered that the interests and fundamental rights and freedoms of the data subject (the former CEO) outweigh the interests of the Applicant for the following (non-exhaustive) reasons:

  • while the former CEO was a senior employee, it did not automatically follow that all information about them should be disclosed in response to a FOISA request
  • the information withheld was information an employee would not expect to be disclosed into the public domain (which the former CEO’s resignation from the Authority did not change)
  • the former CEO had not consented to disclosure of the information and considered that it remained confidential
  • in all the circumstances, disclosure of the former CEO’s personal reasons for resigning from the Authority would not be proportionate.
The Commissioner’s view

105. The Commissioner acknowledges that the withheld information relates to the former CEO’s public life in that it identifies them as a (former) senior employee of the Authority and relates to them in that capacity.  However, he recognises that the withheld information also clearly relates to the former CEO’s private life.

106. A disclosure under FOISA is not simply disclosure to the person requesting the information; information disclosed under FOISA is effectively placed into the public domain.  This must always be borne in mind when considering the effects of disclosure.

107. The Commissioner has considered the circumstances, the source and content of the withheld information and carefully balanced the legitimate interests of the former CEO against those of the Applicant.  Having done so, the Commissioner finds that legitimate interest served by disclosure of the withheld personal data are outweighed by the unwarranted prejudice that would result to the rights and freedoms or legitimate interests of the former CEO.

108. Having found that the legitimate interest served by disclosure of the personal data are outweighed by the unwarranted prejudice that would result to the rights and freedoms or legitimate interests of the former CEO, the Commissioner finds that condition (f) in Article 6(1) of the GDPR cannot be met and that disclosure of the information in question would be unlawful.

109. Given that the Commissioner has concluded that the processing of the personal data would be unlawful, he is not required to go on to consider whether disclosure of the personal data would otherwise be fair and transparent in relation to the former CEO.

110. The Commissioner is satisfied, in the absence of a condition in Article 6 of the UK GDPR which would allow the data to be disclosed, that disclosure would be unlawful.  The personal data is therefore exempt from disclosure under section 38(1)(b) of FOISA.

Section 30(c) - Prejudice to effective conduct of public affairs

111. The Authority withheld a small amount of information within one document under the exemption in section 30(c) of FOISA.

112. Section 30(c) of FOISA exempts information if its disclosure "would otherwise prejudice substantially, or be likely to prejudice substantially, the effective conduct of public affairs". The use of the word "otherwise" distinguishes the harm required from that envisaged by the exemptions in sections 30(a) and (b).  

113. Section 30(c) of FOISA is a broad exemption and the Commissioner expects any public authority citing it to show what specific harm would (or would be likely to) be caused to the conduct of public affairs by disclosure of the information, and how that harm would be expected to follow from disclosure.  This exemption is subject to the public interest test in section 2(1)(b) of FOISA.

114. The standard to be met in applying the tests contained in section 30(c) is high: the prejudice in question must be substantial and therefore of real and demonstrable significance.  The Commissioner expects authorities to demonstrate a real risk or likelihood of substantial prejudice at some time in the near (certainly foreseeable) future, not simply that such prejudice is a remote or hypothetical possibility.  Each request should be considered on a case by case basis, taking into consideration the content of the information and all other relevant circumstances (which may include the timing of the request).

The Authority’s submissions

115. The Authority explained that the withheld information (which formed part of an email exchange) related to a communication regarding the former CEO’s resignation.  

116. The Authority submitted that the passage of time had not diminished the sensitivity of the information in question and disclosure would substantially prejudice the ability of senior officers to discuss important employee matters relating to senior personnel, plan meetings and communications (relating to these) and exercise good corporate governance (given these senior officers would be less likely to exchange such correspondence in future).  

117. The Authority stated that it therefore considered that disclosure of the information in question would, or would be likely to, prejudice substantially the effective conduct of public affairs.

The Commissioner’s view

118. Having fully considered the information withheld under the exemption in section 30(c) of FOISA, together with the Authority’s submissions, the Commissioner is unable to accept that the exemption is engaged.

119. Having done so, the Commissioner notes that the withheld information in question relates, in part, to information the Authority has already disclosed to the Applicant.  He does not consider the information to otherwise be sensitive and he cannot see how the prejudice claimed by the Authority would, or would be likely to, result from disclosure of the information.

120. For these reasons, the Commissioner cannot agree that disclosure of the withheld information in question would, or would be likely to, prejudice substantially the effective conduct of public affairs.

121. As the Commissioner is not satisfied that the Authority was entitled to rely on the exemption in section 30(c) of FOISA to withhold the information in question, he is not required to go on to consider the public interest test in section 2(1)(b) of FOISA.

Decision

The Commissioner finds that the Authority generally complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant.  

The Commissioner finds that by relying on the exemptions in sections 36(2) and 38(1)(b) of FOISA for withholding certain information from the Applicant, the Authority complied with Part 1.

However, by applying the exemption in section 30(c) of FOISA to withhold certain information and relying on the exemption in section 38(1)(b) to withhold the personal information of senior Scottish Government officials, the Authority failed to comply with Part 1.  

The Commissioner therefore requires the Authority to disclose the information wrongly withheld by 6 December 2024.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only.  Any such appeal must be made within 42 days after the date of intimation of this decision.

Enforcement

If the Authority fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that the Authority has failed to comply.  The Court has the right to inquire into the matter and may deal with the Authority as if it had committed a contempt of court.

David Hamilton
Scottish Information Commissioner

22 October 2024