Home Decisions

Decision 041/2026

Decision 041/2026:  Refusal to confirm or deny


Authority: The Chief Constable of the Police Service of Scotland
Case Ref: 202501136
 

Summary

The Applicant asked the Authority for statements made by two named persons in connection with a specified incident.  The Authority refused to confirm or deny whether the information existed or was held.  The Commissioner investigated and found that the Authority was entitled to refuse to confirm or deny whether the information existed or was held.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 18(1) (Further provisions as respects responses to request); 38(1)(b), (2A)(a), (5) (definitions of “the data protection principles”, “data subject”, “personal data”, “processing” and “the UK GDPR” and (5A) (Personal information)); 47(1) and (2) (Application for decision by Commissioner). 

United Kingdom General Data Protection Regulation (the UK GDPR) Articles 5(1)(a) (Principles relating to processing of personal data) and 6(1)(f) (Lawfulness of processing).

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5), (10) and (14)(a), (c) and (d) (Terms relating to the processing of personal data).

Background

  1. On 11 October 2024, the Applicant made a request for information to the Authority.  He asked for statements made by two named persons in connection with a specified incident.
  2. The Authority responded on 15 November 2024.  It refused to confirm or deny whether it held the information requested or whether the information existed, relying on the exemption in section 18(1) of FOISA in conjunction with the exemption in section 38(1)(b).
  3. On 13 January 2025, the Applicant wrote to the Authority requesting a review of its decision.  He stated that he was dissatisfied with the decision because he disagreed that the exemptions in section 18(1) and 38(1)(b) of FOISA applied.  He set out his reasons for this, which included that he disagreed that he was seeking personal information and that the media had reported publicly on the trial connected to the incident specified in his request.
  4. The Authority notified the Applicant of the outcome of its review on 28 January 2025, which fully upheld its original decision.  It also informed the Applicant of his rights under the DPA 2018 to obtain his own personal data.
  5. On 15 July 2025, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA.  He stated that he was dissatisfied with the outcome of the Authority’s review, for the reasons set out in his requirement for review.

Investigation

  1. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.
  2. On 11 August 2025, the Authority was notified in writing that the Applicant had made a valid application.  The case was subsequently allocated to an investigating officer.
  3. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application.  The Authority was invited to comment on this application and to answer specific questions. 

Commissioner’s analysis and findings

  1. The Commissioner has considered all the submissions made to him by the Applicant and the Authority. 

Section 18(1) – “neither confirm nor deny”

  1. Section 18(1) of FOISA allows public authorities to refuse to confirm or deny whether they hold information in the following limited circumstances:

  • a request has been made to the authority for information which may or may not be held by it; and

  • if the information existed and were held by the authority (and it need not be), it could give a refusal notice under section 16(1) of FOISA, on the basis that the information was exempt information by virtue of any of the exemptions in sections 28 to 35, 38, 39(1) or 41 of FOISA; and

  • the authority considers that to reveal whether the information exists or is held by it would be contrary to the public interest.

  1. Section 18(1) of FOISA makes it clear that the authority must be able to give a refusal notice under section 16(1), on the basis that any relevant information it held would be exempt information under one or more of the listed exemptions.  It is not sufficient for the public authority to simply claim that one or more of the relevant exemptions applies.
  2. Where a public authority has chosen to rely on section 18(1) of FOISA, the Commissioner must first establish whether, if the information existed and was held by the public authority, the authority would be justified in refusing to disclose the information by virtue of any of the exemptions provided for by sections 28 to 35, 38, 39(1) or 41 of FOISA (including any relevant public interest test).  If so, he must then go on to establish whether the authority is justified in stating that to reveal whether the information exists or is held would be contrary to the public interest.
  3. Where section 18(1) of FOISA is under consideration, the Commissioner must ensure that his decision notice does not confirm one way or the other whether the information requested actually exists or is held by the authority.  This means he is unable to comment in any detail on the Authority’s reliance on any of the exemption referred to, or on other matters which could have the effect of indicating whether the information exists or is held by the Authority.
  4. In this case, the Authority submitted that any information falling within the scope of the Applicant’s request, if held by the Authority, would be exempt from disclosure under section 38(1)(b) of FOISA.
  5. The Commissioner must first consider whether, in relation to section 38(1)(b) of FOISA, the Authority could have given a refusal notice under section 16(1) of FOISA in relation to the information requested, if it existed and were held.

Section 38(1)(b) – Personal information

  1. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is “personal data”, as defined in section 3(2) of the DPA 2018 and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR.

Would the information be personal data?

  1. "Personal data" is defined in section 3(2) of the DPA 2018 as "any information relating to an identified or identifiable living individual".  Section 3(3) of the DPA 2018 defines "identifiable living individual" as "a living individual who can be identified, directly or indirectly, in particular with reference to –

    1. an identifier such as a name, an identification number, location data or an online identifier, or

    2. one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual."

  2. The Applicant’s request is framed with reference to statements made to the Authority by two named individuals in connection with a specified incident involving the Applicant.   He considered that he had not requested personal data and that he would not request any personal information as that would be “none of [his] business”.   However, the Authority argued that confirming or denying whether or not the named individuals had provided statements – let alone copies of any statements (if they existed and were held) – comprised their personal data.
  3. If the information requested existed and were held, the Commissioner acknowledges that elements of that information would, given the context set out in the preceding paragraph, be likely to comprise the Applicant’s own personal data.   He notes that the Authority’s review outcome advised the Applicant of his right under the DPA 2018 to submit a subject access request to obtain his own personal data.
  4. Disclosure under FOISA is disclosure to the world at large, not just to the Applicant.  In the circumstances, the Commissioner is satisfied that even the act of confirming or denying whether these statements existed or were held would, of itself, reveal something to the world-at large about the individuals named in the Applicant’s request (i.e. whether they provided statements in relation to the specified incident).
  5. Considering this, the Commissioner accepts that the information requested (if it existed and were held) would relate to the named individuals and thus would comprise their personal data, as defined in section 3(2) of the DPA 2018.
  6. The Commissioner acknowledges that information about incidents and individuals may sometimes be reported publicly.  However, the existence of media reporting does not, of itself, mean that a public authority can, under FOISA, lawfully disclose personal information or confirm or deny whether it exists and is held.

Would disclosure contravene one of the data protection principles?

  1. The Authority argued that disclosing the personal data, if it existed and were held, would breach the data protection principles.
  2. While there are six data protection principles, the only principle likely to be of relevance when considering whether to disclose personal data, if it existed and were held, in response to a FOISA request is the first principle.  This principle requires personal data to be processed "lawfully, fairly and in a transparent manner in relation to the data subject" (Article 5(1)(a) of the UK GDPR).
  3. The definition of "processing" is wide and includes (section 3(4)(d) of the DPA 2018) "disclosure by transmission, dissemination or otherwise making available".  For the purposes of FOISA, personal data are processed when disclosed in response to a request.  This means that personal data could only be disclosed if disclosure would be both lawful (i.e. it would meet one of the conditions of lawful processing listed in Article 6(1) of the UK GDPR) and fair.

Lawful processing: Article 6(1)(f) of the UK GDPR

  1. In considering lawfulness, the Commissioner must consider whether any of the conditions in Article 6(1) of the UK GDPR would allow the personal data, if it existed and were held, to be disclosed.
  2. The Commissioner considers that condition (f) in Article 6(1) of the UK GDPR is the only one which could potentially apply, assuming the personal data existed and were held, and which could potentially allow disclosure of the personal data, if it existed and were held. This condition states that processing shall be lawful if it is "necessary for the purposes of the legitimate interest pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data…"
  3. Although Article 6(1) of the UK GDPR states that condition (f) cannot apply to processing carried out by a public authority in performance of its tasks, section 38(5)(a) of FOISA makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.
  4. The tests which must be met before Article 6(1)(f) can be met are as follows:

    1. Would the Applicant have a legitimate interest in obtaining personal data, if held?

    2. If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?

    3. Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subject?

Would the Applicant have a legitimate interest in obtaining the personal data, if held?

  1. The Applicant explained his relationship to the incident referred to in his request and provided reasons as to why he had a legitimate interest in the obtaining the personal data, if it existed and were held. The Commissioner has fully considered these reasons, but he does not consider it necessary to summarise them in his decision notice.
  2. In the circumstances, the Commissioner accepts that the Applicant would, given his relationship to the incident referred to in his request and the reasons he provided, have a legitimate interest in obtaining the personal data, if it existed and were held.

Would disclosure be necessary?

  1. The next question is whether, if the personal data existed and were held, disclosure would be necessary to achieve that legitimate interest.  "Necessary" means "reasonably" rather than "absolutely" or "strictly" necessary.
  2. When considering whether disclosure would be necessary, public authorities must consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the Applicant's legitimate interests could reasonably be met by means which interfered less with the privacy of the data subjects.
  3. As stated above, the Authority’s review outcome advised the Applicant of his right under the DPA 2018 to submit a subject access request to obtain his own personal data.  It suggested that if the Applicant made a subject access request, then he might be satisfied that he no longer needed to pursue his FOI request.
  4. Given the right of access the Applicant has under the DPA 2018 to obtain his own personal data (to the extent it existed and were held), the Commissioner is not wholly persuaded that disclosure of the information in question, if it existed and were held, would be necessary. However, he notes that the Applicant appears to be interested in receiving the full content of the statements referred to in his request.
  5. In these circumstances, the Commissioner accepts, on balance, that disclosure of the personal data (if it existed and were held) would be necessary to more fully achieve the Applicant’s legitimate interest.

The interests or fundamental rights and freedoms of the data subjects (and balancing exercise)

  1. The Commissioner has concluded that the disclosure of the information (if in existence and held) would be necessary to achieve the Applicant's legitimate interest.  However, this must be balanced against the interests, fundamental rights and freedoms of the data subjects.  Only if the legitimate interests of the Applicant outweighed those of the data subjects could personal data be disclosed without breaching the first data protection principle.
  2. The Commissioner's guidance on section 38[1] of FOISA notes that, in carrying out the balancing exercise, much will depend on the reasonable expectations of the data subjects. Factors which will be relevant in determining reasonable expectations include:

    1. whether the information relates to an individual's public life (i.e. their work as a public official or employee) or their private life (i.e. their home, family, social life or finances)

    2. the potential harm or distress that may be caused by disclosure

    3. whether the individual objected to the disclosure.

  3. The Commissioner has considered the reasonable expectations of the data subjects in this case and the potential harm or distress that could be caused by disclosure of the personal data (if it existed and were held).   As stated above, disclosure under FOISA is disclosure to the world at large.
  4. The Commissioner’s view is that the information, if it existed and were held, would be information a person would generally expect to be kept confidential and only shared amongst limited individuals for specific purposes.  
  5. At the most general level, the Commissioner accepts that disclosing whether named individuals have provided a statement to the Authority in connection with an allegation of a criminal offence would be likely to impact on the reasonable expectations of the named individual and cause some degree of harm or distress.
  6. As stated above, the existence of media reporting does not, of itself, mean that a public authority can under FOISA lawfully disclose personal information or confirm or deny whether it exists and is held.
  7. After carefully balancing the legitimate interests of the Applicant against the interests or fundamental rights and freedoms of the data subjects, the Commissioner finds that the legitimate interests served by disclosure of any information held would be outweighed by the unwarranted prejudice that would result to the rights and freedoms or legitimate interests of the data subjects in question in this case.
  8. In all the circumstances of this particular case, the Commissioner concludes that condition (f) in Article 6(1) of the UK GDPR could not be met in relation to the personal data sought by the Applicant (assuming it existed and were held).

Fairness and transparency

  1. Given that the Commissioner has concluded that the processing of the personal data, if it existed and were held, would be unlawful, he is not required to go on to consider whether disclosure of such personal data would otherwise be fair and transparent in relation to the data subjects.

Conclusion on the data protection principles

  1. For the reasons set out above, the Commissioner is satisfied that disclosure of any relevant personal data, if it existed and were held, would breach the data protection principle in Article 5(1)(a) of the UK GDPR.
  2. Consequently, the Commissioner is satisfied that such personal data would be exempt from disclosure under section 38(1)(b) of FOISA and that the Authority could give a refusal notice under section 16(1) of FOISA, on the basis that the information would be exempt by virtue of section 38(1)(b).

Section 18(1) – the public interest

  1. The Commissioner must now consider whether the Authority was entitled to conclude that it would be contrary to the public interest to reveal whether the information existed or was held.

The Applicant’s submissions

  1. The Applicant said that it was safe to assume that the Authority held the statements, so he could not understand why it felt the need to neither confirm nor deny their existence.
  2. The Applicant disagreed that it was contrary to the public interest for the Authority to reveal whether these statements existed or were held.  He submitted that the majority of the public would “be in support of getting to the truth in all matters”.  He said that disclosure of these statements would enable him to prove to his employer and others that allegations made against him were untrue, which he contended was in the public interest.
  3. The Commissioner has fully considered the other submissions provided by the Applicant to the extent that they are relevant to the public interest, but he does not consider it necessary to summarise them in his decision notice.

The Authority’s submissions

  1. The Authority considered that any response, other than in terms of section 18(1) of FOISA, would confirm whether the individuals named in the Applicant’s request had provided statements in connection with the specified incident.  It argued that confirmation of denial of even that simple fact, let alone copies of any such statements (if they existed and were held), would comprise the personal data of the named individuals.
  2. The Authority said that it considered the only persuasive factor in favour of the public interest to be the particular personal interest the Applicant had set out in his requirement for review and application to the Commissioner.  However, it considered the arguments in favour of maintaining reliance on section 18(1) of FOISA carried more weight.
  3. The Authority submitted that it could not be in the public interest for it to breach the trust and confidence that members of the public expect in respect of how it handles their personal data.  Outside of any associated criminal justice processes, it said that it would never disclose whether particular individuals had provided a witness statement. It argued that doing so would breach the individuals’ rights in terms of both the DPA 2018 and their right to privacy under the Human Rights Act 1998.

The Commissioner’s view

  1. The test the Commissioner must consider is whether (having already concluded that the information, if it existed and were held, would be exempt from disclosure) it would be contrary to the public interest to reveal whether the information existed or was held.  He has fully considered the arguments provided by both the Applicant and the Authority.
  2. Having done so, the Commissioner is satisfied, in all the circumstances of this case, that it would have been contrary to the public interest for the Authority to disclose whether the information requested by the Applicant existed or was held, given that this would have had the effect of revealing, through public disclosure, whether the named individuals had or had not had made statements to the Authority in relation to the specified incident.  This would, in the circumstances, lead to the Authority breaching its duties as data controller under data protection legislation.
  3. In the circumstances, the Commissioner does not consider the existence of media reporting to affect his conclusion in the preceding paragraph.  Confirmation or denial by the Authority of whether it held the information requested or whether that information existed would have the effect of officially confirming whether the named individuals provided statements in relation to the specified incident.  In that respect, this would represent a new and official disclosure to the world at large – regardless of what might have been reported elsewhere.
  4. In the circumstances, therefore, the Commissioner must find that it would have been contrary to the public interest for the Authority to reveal whether it held the information requested or whether that information existed.
  5. Consequently, the Commissioner is satisfied that the Authority was entitled to refuse to confirm or deny whether the information requested by the Applicant existed or was held, in accordance with section 18(1) of FOISA.

Decision 

The Commissioner finds that the Authority complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by the Applicant.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only.  Any such appeal must be made within 42 days after the date of intimation of this decision.

 

 

Euan McCulloch 

Head of Enforcement 


10 March 2026