Home Decisions

Decision 013/2026

Decision 013/2026:  Councillors and senior managers - council tax reminders


Authority: Highland Council
Case Ref: 202501157
 

Summary

The Applicant asked the Authority for the number of councillors and senior managers who had received council tax reminders and final notices.  The Authority withheld the information on the basis that it was third party personal data.  The Commissioner found that the Authority had wrongly withheld the information and required it to be disclosed.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 38(1)(b) (2A), (5) (definitions of “the data protection principles”, “data subject”, “personal data”, “processing” and “the UK GDPR”) and (5A) (Personal information); 47(1) and (2) (Application for decision by Commissioner).

United Kingdom General Data Protection Regulation (the UK GDPR) Articles 4(1) (definition of “personal data” (Definitions) and 5(1)(a) (Principles relating to processing of personal data). 

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5), (10) and (14)(a), (c) and (d) (Terms relating to the processing of personal data).

Background

  1. On 5 May 2025, the Applicant made a request for information to the Authority.  
    He asked how many council tax reminders and final notices had been sent to councillors and members of the Authority’s senior management team in the last two years, from 5 May 2023 to 5 May 2025.
  2. The Authority responded on 12 June 2025.  It withheld the information under section 38(1)(b) (Personal information) of FOISA and stated that the low numbers involved could lead to the identification of individuals.  The Authority argued that the individuals’ right to privacy outweighed the public interest in publishing the information.
  3. On 25 June 2025, the Applicant wrote to the Authority requesting a review of its decision. The Applicant stated that he was dissatisfied with the decision because he did not believe the information could identify individuals, particularly as there were 74 councillors.  Furthermore, he argued that the public deserved to know if any councillors or senior managers had not paid their council tax on time.
  4. The Authority notified the Applicant of the outcome of its review on 16 July 2025, which fully upheld its original decision.
  5. On 17 July 2025, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA.  The Applicant stated he was dissatisfied with the outcome of the Authority’s review because there was a legitimate interest in disclosure of the information. 

Investigation

  1. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.
  2. On 15 August 2025, the Authority was notified in writing that the Applicant had made a valid application.  The Authority was asked to send the Commissioner the information withheld from the Applicant.  The Authority provided the information and the case was allocated to an investigating officer.
  3. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application.  The Authority was invited to comment on this application and to answer specific questions.  These related to why it believed the information constituted personal data. 

Commissioner’s analysis and findings

  1. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority. 

Section 38(1)(b) – Personal information 

  1. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is “personal data“ (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR or (where relevant) in the DPA 2018.
  2. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption.  This means that it is not subject to the public interest test contained in section 2(1)(b).
  3. To rely on this exemption, the Authority must show that the withheld information is personal data for the purposes of the DPA 2018 and that disclosure of the information into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles found in Article 5(1) of the UK GDPR.

Is the withheld information personal data? 

  1. The first question the Commissioner must address is whether the information is personal data for the purposes of section 3(2) of the DPA 2018 i.e. any information relating to an identified or identifiable individual.  “Identified living individual” is defined in section 3(3) of the DPA 2018.  (This definition reflects the definition of personal data in Article 4(1) of the UK GDPR.)
  2. The Court of Justice of the European Union looked at the question of identification in Breyer v Bundesrepublik Deutschland (C-582/14)[1].  The Court said that the correct test to consider is whether there is a realistic prospect of someone being identified.  In deciding whether there is a realistic prospect of identification, account can be taken of information in the hands of a third party.  However, there must be a realistic causal chain – if the risk of identification is "insignificant", the information will not be personal data.
  3. Although this decision was made before the UK GDPR and the DPA 2018 came into force, the Commissioner expects that the same rules will apply.  As set out in Recital (26) of the GDPR (the source of the UK GDPR), the determination of whether a natural person is identifiable should take account of all means reasonably likely to be used to identify the person, directly or indirectly.
  4. In considering what is reasonably likely, the Recital states that all objective factors should be taken into account, such as the costs and amount of time required for identification, the available technology at the time of processing and technological developments.  It confirms that data should be considered anonymous (and therefore no longer subject to the UK GDPR) when the data subject(s) is/are no longer identifiable.

The Authority's comments on identifiability

  1. The Authority stated that it was concerned that, by disclosing the very low numbers which were requested, the identities of the individuals would be released indirectly, as a result of other information held by individuals in their communities.
  2. It argued that publicity was likely to arise from disclosure of the number and that this would increase the likelihood that members of the Authority and the wider community would be able to identify the individuals involved and that this information could be further distributed via social media.
  3. The Authority argued that although there were 74 councillors, this number was broken down into small wards with three or four members and that furthermore there were various sizes of political groupings.  Given this smaller breakdown, and the nature of local communities, and other people who would know individuals, the Authority argued that identification was very likely.
  4. The Authority also explained that its senior management structure for the relevant time period comprised 17 individuals (the total was 18 but one post was vacant).
  5. The Authority explained that it was not aware of any existing publicly available information which, when taken with the requested information, would identify individuals (other than information about the identities of its councillors and senior managers which was published on its website).  It stated that its concern related to people who knew the individuals through their personal or professional life, or their work with community groups and who were aware of their personal circumstances.

The Applicant's comments on identifiability

  1. The Applicant stated that there were 74 Highland councillors across a number of wards and the chances of individuals being identified were really low.
  2. In addition, he argued that a similar information request had been submitted to Moray Council in 2017 and he provided the text of this request.  (There were some differences between the requests, including that the earlier request had asked for councillors’ names.)
  3. The Applicant included a link to the previous request and Moray Council’s response[2] which included disclosure of the number of reminders and final notices issued for each of three separate years. (Names were withheld under section 38(1)(b) of FOISA.)
  4. The Applicant submitted that this was an example of another authority disclosing the same information he sought from this Authority in this case.  He commented that the other authority had fewer councillors (26), so, arguably, there was more chance of individuals being identified in that case, but it still disclosed the information.

The Commissioner's view 

  1. The Commissioner has carefully considered the submissions from both parties, together with the information withheld from the Applicant.
  2. The Commissioner’s guidance on section 38(1)(b) of FOISA[3] states that in most cases it will be easy to tell if information is personal data but in some cases it can be more difficult. Furthermore, the guidance states that it can be difficult to know whether disclosing numbers will lead to living people being identified.  Paragraph 24 of the guidance states: 

    “Public authorities responding to requests for numbers will therefore have to determine whether members of the public would be able to identify individuals from the statistics if they are disclosed.”
  3. The Commissioner does not consider that the Authority has successfully argued that the withheld number would identify living individuals.  While the Authority stated that individuals could be identified as a result of other information held by individuals in their communities, the Authority did not specify what sort of information it believed this to be nor how that information would lead to identification.  Moreover, it stated that it was not aware of any such information.
  4. The Commissioner therefore considers that the Authority’s arguments did not present specific arguments about, or examples of, situations where it believed identification was likely to arise.
  5. The Authority argued, as set out above, that the large grouping of 74 councillors was broken down into wards and into political groupings and that, given these smaller breakdowns and the nature of local communities, identification was very likely.  However, again, the Commissioner considers that the Authority has not made the link between these smaller groupings and the precise means by which it envisages individuals could be identified from the withheld number – particularly when the Applicant did not ask for any information about wards or political groupings.
  6. While there are fewer members of the senior management team (than councillors) the Commissioner’s view is that the Authority has failed to make the link between disclosure and identification in the same way as for councillors.
  7. Moreover, the Commissioner notes that the request was for the number of reminders and final notices issued, not for the number of individuals who received such reminders/notices.  He considers that the number of reminders or final notices issued over two years would not necessarily be the same as the number of individuals to which these related.
  8. The Commissioner considers that, given the pool of potential recipients for reminders and final demands and on the basis of the submissions received, it is unlikely that particular individuals could be identified from disclosure of the number of reminders and final demands issued in a two year period.  Personal knowledge of the individuals concerned, as alluded to by the Authority, might well facilitate identification, but the Commissioner cannot see how the information requested could add anything of substance to that picture.  He is of the view that the risk of identification is insignificant and, consequently, that the information requested would not be personal data.
  9. In all the circumstances of the case, therefore, the Commissioner does not agree that a realistic causal chain exists where a living individual could be identified as a direct result of disclosing the withheld information.  As such, he does not agree that this is personal data as defined in section 3(2) of the DPA 2018.
  10. The Commissioner would note that it is for the Authority to provide the required evidence of how such identification would be likely to occur, not for him to go out and find it or to make the case on behalf of the Authority.  Consequently, in this case, the Commissioner is not satisfied that the information requested was properly withheld under this exemption.
  11. The Commissioner must therefore find that the Authority was not entitled to withhold that information under section 38(1)(b) of FOISA.  He requires the Authority to disclose the withheld information to the Applicant.

Decision 

The Commissioner finds that the Authority failed to comply with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant. 

The Commissioner finds that the Authority was not entitled to withhold the information as personal data and, by doing so, failed to comply with section 1(1) of FOISA.

The Commissioner therefore requires the Authority to disclose the requested information to the Applicant, by 12 March 2026.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Enforcement

If the Authority fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that the Authority has failed to comply. The Court has the right to inquire into the matter and may deal with the Authority as if it had committed a contempt of court.

 

 

Euan McCulloch 

Head of Enforcement 


26 January 2026