Decision Notice 064/2024: Accessibility Group emails
Authority: ScotRail Trains Ltd
Case Ref: 202200593
Summary
The Applicant asked the Authority for emails sent to/by the Accessibility Group over a 12 month period. The
Authority withheld the information on the basis that disclosure would, or would be likely to, inhibit
substantially the free and frank exchange of views, or that it comprised third party personal data, disclosure of
which would contravene data protection principles.
During the investigation, the Authority identified additional in-scope information and changed its position for
some of the information held. It disclosed some information to the Applicant, withholding the remainder under the
exemptions previously claimed.
Following an investigation, the Commissioner found that the Authority had failed to identify all in scope
information until during the investigation and had wrongly withheld some information. He also found, however,
that the Authority had correctly withheld some other information under the exemptions claimed and he was satisfied
that, by the end of the investigation, the Authority held no further relevant information.
Relevant statutory provisions
Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2), (4) and (6) (General entitlement); 2(1) and
(2)(e)(ii) (Effect of exemptions); 30(b)(ii) (Prejudice to effective conduct of public affairs); 38(1)(b), (2A),
(5) (definitions of “the data protection principles”, “data subject”, “personal data” and “processing”, “the UK
GDPR”) and (5A) (Personal information); 47(1) and (2) (Application for decision by Commissioner)
United Kingdom General Data Protection Regulation (the UK GDPR) articles 4(1) (definition of “personal data”)
(Definitions); 5(1)(a) (Principles relating to the processing of personal data); 6(1)(f) (Lawfulness of
processing)
Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (10) and (14)(a), (c) and (d) (Terms relating
to the processing of personal data)
Background
1. On 1 April 2022, the Applicant made a request for information to the Authority:
I understand that there's an "Accessibility Email Group" by which members of the rail industry communicate on
accessibility matters in service provision.
A FOI response at [here ] shows that the group includes [named individual] of the Rail Delivery Group, also
[named individual] of Govia Thameslink Railway and somebody at LNER.
"Attached to this correspondence are scripts of email chains sent from Rail Delivery Group to the Accessibility
Group, of which Northern is part."
The contents of said response suggests that this group may include accessibility-related staff at all train
operating companies and possibly station operators such as Network Rail.
Please supply all emails sent to/by this Accessibility Group over the previous 12 months.
2. The Authority responded on 27 April 2022. It informed the Applicant, in terms of section 17 of FOISA,
that it did not hold the information requested and that it was not aware of any other public authority that could
respond to the request.
3. On 27 April 2022, the Applicant wrote to the Authority requesting a review of its decision. The Applicant
stated that he was dissatisfied with the decision, as he believed that the email Group in question included at
least one representative from every train operating company (TOC) who received all emails sent to the Group. The
Applicant believed that, in the Authority’s case, the emails would have been sent to the Authority’s Accessibility
and Integration Manager and so they would be in his email.
4. The Authority notified the Applicant of the outcome of its review on 20 May 2022. It informed the
Applicant that correspondence which had been provided in response to an earlier request (SRT 011 ) was not
included with its response. The Authority confirmed that, following a search, it had identified five emails
falling within scope which had been sent or copied to the Accessibility Group email address by a staff member. It
explained that the Accessibility Group email address was an email group with members from across the rail network,
and was mainly used to send “to” as a form of “distribution list”.
5. The Authority withheld the information identified. It considered some of the information comprised third
party personal data (names and contact details of individuals and companies) which was exempt from disclosure
under section 38(1)(b) of FOISA, as releasing it would contravene the data protection principles in the GDPR and
the DPA. The Authority stated that this information was not in the public domain, and that the roles of these
individuals were not sufficiently public-facing to expect their details to be disclosed.
6. The Authority also withheld some of the information under section 30(b)(ii) of FOISA, as it considered
disclosing the content of free and frank exchanges of views to/from the Accessibility Group email address would
inhibit the future exchange of views between TOCs, the Rail Delivery Group (RDG) and third parties in relation to
areas of future policy making. The Authority recognised the public interest in disclosing information as part of
open, transparent and accountable government, and to inform public debate. However, it believed this was
outweighed by the public interest in allowing a private thinking space to properly consider all options, based on
the best available advice, to take good policy decisions. The Authority stated that the email address was used as
a means of seeking views and opinions in a safe space and this enabled TOCs to develop and amend policies to meet
the needs of rail network users. In the Authority’s view, disclosure would undermine the quality of the decision-
making process, and this was not in the public interest.
7. The Authority considered the request to be open ended with no topic or area of focus.. It asked the
Applicant if he could refine his request to a specific topic or area, rather than a blanket request for all
correspondence to/from the Accessibility Group email address, so that it could review the information held and
consider disclosure.
8. On 20 May 2022, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1)
of FOISA. The Applicant stated he was dissatisfied with the outcome of the Authority’s review because:
- He did not believe that the exemption in section 30(b)(ii) applied. In his view, the Authority had tried
to apply this as a class-based exemption to all of the information, based purely on its communication mechanism,
and had not considered its content.
- He believed the Authority had failed to conduct an adequate public interest test for section 30(b)(ii) and
he considered the public interest favoured disclosure.
- He believed the information disclosed in his previous request (SRT 011) would be caught by the request
under consideration here. Given that information had been disclosed previously, he did not believe it could be
exempt from disclosure under section 30(b)(ii).
- He queried why, if all the information was exempt under section 30(b)(ii), the Authority had asked him to
refine his request, so that it could review the information held and consider disclosure (again suggesting that
the Authority had failed to consider the content of the information).
- He disagreed that the exemption in section 38(1)(b) applied as many names and roles were in the public
domain.
- He disagreed with the Authority’s interpretation of his request. He argued that he had made no mention of
“Accessibility Group email address” and it was clear he was seeking emails sent by the Authority to, or received
by the Authority from, this “distribution list”. i.e. as a result of their membership of that list.
Investigation
9. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the
power to carry out an investigation.
10. On 12 July 2022, the Authority was notified in writing that the Applicant had made a valid application.
The Authority was asked to send the Commissioner the information withheld from the Applicant. The Authority
subsequently provided the information.
11. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. On 21 July 2023, the Authority was asked to provide its initial comments on the application.
12. The Authority provided its initial comments on 16 August 2023 and the case was subsequently allocated to
an investigating officer.
13. Following consideration of the Authority’s initial comments, the Investigating Officer invited the
Authority to provide further comments and to answer specific questions. These focussed on the Authority’s
justification for withholding the information requested under the exemptions in section 30(b)(ii) and section
38(1)(b) of FOISA, the searches carried out to identify the information requested, whether the Authority held any
further information falling within scope (which it had not provided to the Applicant or withheld under a
provision/exemption in FOISA), and the Authority’s interpretation of the request.
14. The Applicant was also asked to provide further information in support of his application.
15. Both parties provided submissions to the Commissioner, as required, at various stages during the
investigation.
16. On 15 November 2023 and on 1 December 2023, the Authority confirmed that it held further information,
falling within the scope of the request. It informed the Commissioner that, for some of the information
previously withheld, this could be now be disclosed. The Authority disclosed this information to the Applicant on
14 December 2023.
17. On 20 December 2023, following the Authority’s further disclosure, the Applicant informed the Commissioner
that he wished to continue with his application for a decision as he remained dissatisfied that some information
continued to be withheld by the Authority, and he also believed that it held more information than had been
identified.
Commissioner’s analysis and findings
18. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority.
The Authority’s interpretation of the request
The Applicant’s submissions on the interpretation of the request
19. In his application to the Commissioner, the Applicant considered the Authority’s interpretation of his
request to be invalid. He submitted that his request was for the content of the information sent to, or by, the
email Group, and that he had made no mention of any “Accessibility Group email address”. He argued that it was
clear he was asking for emails sent by the Authority to, or received by the Authority from, this “distribution
list” as a result of their membership of the list.
20. In the Applicant’s view, the Authority’s implied claim (in its review outcome), that because emails sent
by TOCs to the distribution list did not have the distribution list’s email address in the “From” header, they
were not “caught” by his request, was semantic and specious. He believed that the Authority’s apparent reframing
of his request (to exclude, from the scope of his request, any incoming emails on the Group) was inappropriate.
21. In his later submissions to the Commissioner, the Applicant maintained that the Authority had
intentionally misinterpreted his request too narrowly. He explained that this was an email facility, run by RDG,
that allowed Group members to send emails that would automatically be delivered to all other Group members. As
such, he was seeking all emails that Group members had sent to that email facility, independent of how it
operated. The Applicant believed that a search of emails where the Accessibility Group email address was in the
“To” field would provide the information he requested.
22. The Applicant stated that, at the time of his request, he did not know how this email facility worked, but
he assumed that the Authority would be able to identify messages sent via this facility. From correspondence
previously disclosed by the Authority, it appeared (to the Applicant) that all emails it had received via this
facility would have “Accessibility Group” and/or “AccessiblityGroup@raildeliverygroup.com” in the “To” field.
23. The Applicant stated that his request was intended to be for all emails the Group members sent using the
Group email facility run by RDG. He understood that, when members posted to the Group using this email facility,
their email addresses were revealed to all recipients. Therefore, in his view, members could collate the
addresses of those who had emailed the Group and/or guess at other Group members, and email them directly.
However, he imagined that the only way to have reasonable surety that an email would go to all Group members would
be to use the Group email facility.
The Authority’s submissions on the interpretation of the request
24. In its initial submissions to the Commissioner, the Authority stated that it had interpreted the request
to mean all emails sent to and from the Accessibility Email Group. It explained that the email Group was a
distribution list created and maintained by RDG, and was a closed group made up of access and inclusion
representatives from TOCs (including the Authority). The purpose of the list was to communicate accessibility
matters to various individuals and allow these individuals to communicate and seek advice and views from each
other.
25. The Authority explained that it had no control over who was added, removed or unsubscribed from this Group
and that it did not hold the details of all individuals on the distribution list - this information was held and
managed by RDG. The Authority stated that the Applicant was previously advised of this by Transport for Wales
(TfW) in April 2022 in response to a similar FOI request . This point was subsequently accepted by the UK
Information Commissioner (UK ICO) in Decision IC-166544-K0D3 (paragraphs 16 19) which set out that it was not
possible to expand the Group email address to see the actual members and that TOCs were not privy to changes to
membership of the email Group.
26. In its later submissions, the Authority confirmed that Group members could not send emails from this email
address and would have to use their own work email addresses to send to Group members. It explained that the
Group email address was not expandable and, if it did not exist, members would only be able to email those whose
individual email addresses they knew. The Authority submitted that Group email address was created to provide an
easy way for Group members to contact each other for advice and assistance and for the dissemination of
information.
The Commissioner’s views on the Authority’s interpretation of the request
27. The Commissioner has carefully considered the submissions from both parties. He considers that, rather
than being an “interpretation” of the Applicant’s request, the Authority’s review outcome appears to have
explained the nature of the information that was held or not held. In the absence of any “topic” being described
(or any individual(s) specified) in the request, the Commissioner considers it reasonable for the Authority to
have searched for emails sent or copied to the Group email address.
28. The Commissioner accepts that the Group email address cannot be expanded to show Group members, and that
members do not know who is on the Group (or of any changes to membership, as this is managed by RDG). It is also
clear to him that emails cannot be sent from the Group email address and so cannot be identified in that way.
29. In the Commissioner’s view, therefore, the Authority interpreted the Applicant’s request correctly as it
would only be possible to identify emails sent or copied to the Accessibility Group email address. He can find no
failure, on the part of the Authority, to comply with FOISA in that respect.
Whether the Authority held any further information
30. Section 1(1) of FOISA provides that a person who requests information from a Scottish public authority
which holds it is entitled to be given that information by the public authority, subject to qualifications which,
by virtue of section 1(6) of FOISA, allow Scottish public authorities to withhold information or charge a fee for
it. The qualifications contained in section 1(6) are not applicable in this case.
31. The information to be given is that held by the Authority at the time the request is received, as defined
by section 1(4). This is not necessarily to be equated with information that an applicant believes the public
authority should hold.
32. The standard of proof to determine whether a Scottish public authority holds information is the civil
standard of the balance of probabilities. In determining where the balance of probabilities lies, the
Commissioner considers the scope, quality, thoroughness and results of the searches carried out by the public
authority. He also considers, where appropriate, any reason offered by the public authority to explain why it
does not hold the information. While it may be relevant as part of this exercise to explore expectations about
what information the authority should hold, ultimately the Commissioner's role is to determine what relevant
recorded information is (or was, at the time the request was received) actually held by the public authority.
The Applicant’s submissions on whether any information was held
33. In his application to the Commissioner, the Applicant argued that correspondence sent and received via the
email Group, which the Authority had disclosed to him in response to his previous FOI request (SRT 011), would
also be caught by the request under consideration here. He further submitted that other TOCs had also disclosed
these four emails and more in response to similar FOI requests. As rehearsed above, he also argued that the
Authority’s interpretation of his request had excluded any incoming emails sent via the Group email address.
34. In his later submissions, following the Authority’s disclosure of further information during the
investigation, the Applicant remained dissatisfied as he believed it had only supplied a small portion of the
information he had requested. He referred to an FOI request he had submitted to TfW at the same time as the
request under consideration here, where TfW had retrieved from its servers 556 emails from TfW, RDG and 18 other
member organisations, concerning RDG’s Accessibility and Inclusion email group over a stated 12 month period.
35. To support his view, he specifically referred to two emails provided by Northern Trains Ltd in response to
a similar FOI request he had made. He argued that these two emails were caught by the terms of the request under
consideration here but they had not been provided by the Authority.
36. The Applicant believed, from the Authority’s further disclosure, that its search mechanism consisted
solely of emailing its Accessibility and Inclusion Manager for copies of any relevant correspondence, who had
provided those which he still held. The Applicant compared this to TfW which, he submitted, had conducted an
electronic search of its email server for the same information and had identified hundreds more. In his view,
this did not add up.
The Authority’s submissions on whether any information was held
37. In its initial submissions to the Commissioner, the Authority explained that, at the time of the request,
only one member of its staff was a member of the Group. This staff member undertook the initial email search but
did not recover any emails sent to or from the Group. This search, the Authority explained, was undertaken during
the first two weeks of the Authority being subject to FOI legislation and staff were not fully conversant with the
methods for undertaking email searches. It stated that guidance had since been provided to staff to ensure full
searches were undertaken going forward.
38. Following the Applicant’s request for review, the Authority submitted, the FOI team provided additional
guidance to the staff member who had undertaken the initial search and supervised the search. This identified
five emails sent to the Group email address. The search identified no emails sent from the Group email address as
this was solely used as a distribution list where all emails were sent from an individual to the Group email
address, as previously highlighted. The Authority’s staff member was part of the distribution and thus received
the correspondence as part of this distribution list, and responded to the Group email address.
39. In its later submissions, the Authority accepted that the information disclosed in response to the
Applicant’s earlier request (SRT 011) fell within the scope of the request under consideration here. It confirmed
that the information provided in response to the Applicant’s previous request (SRT 011) comprised all emails held
that were relevant to that request, and it was unknown whether other TOCs held and disclosed additional
correspondence. The Authority confirmed it had identified no additional information, other than that previously
referenced or provided under SRT 011.
40. The Authority explained that the staff member who had carried out the searches at initial response and
review stages was the only Authority staff member of the Group and so it was determined he would be the only
individual who would hold any relevant correspondence. The searches carried out for emails sent or copied to the
Accessibility Group email address captured emails received by the Authority’s staff member on the Group who was
the sole staff member who would have received any such emails. As explained above, emails could not be sent from
the Group email address (or received from that email address, rather they would be received from the individual
Group member who had sent them). Therefore, to identify any email sent from Group members, a search would have to
be done for all individual Group members for any emails they had sent to the Group email address and received by
the Authority’s staff member on the Group. However, the Authority did not have a list of Group members (as this
information was held by RDG).
41. The Authority subsequently informed the Commissioner that it had uncovered further text in one of the
email chains which had been “invisible” as a result of having been formatted in white font against a white
background. It provided the Commissioner with a copy of this information.
42. Following its disclosure of some information to the Applicant during the investigation, the Authority
addressed the Applicant’s comments regarding the 556 emails retrieved by TfW in response to a similar FOI request.
It explained that, prior to 1 April 2022, the provision of “ScotRail” passenger rail services and associated
activities was not undertaken by the Authority, but by a private sector franchise operator, namely Abellio
Scotrail Limited (ASR). The Authority did not hold any correspondence sent or received by ASR and it had no
access to this information as all franchise-era email data had been transferred to ASR, including the email
journal in its entirety. The Authority submitted that ASR may hold further relevant information, but the
Authority could not access or provide this.
43. The Authority was satisfied that its searches were comprehensive and that these had identified every email
held relevant to the request. In addition to the searches previously described, it had asked its staff member on
the Group to search his individual work Onedrive storage for any relevant pre-April 2022 emails which he may have
copied to that storage. However, no further relevant emails were identified.
44. As the information identified, from the searches carried out, included correspondence within the email
chains pre-dating 1 April 2022, the Authority submitted that this demonstrated that its searches were
comprehensive and had not excluded any information held pre dating 1 April 2022 which formed part of subsequent
exchanges.
45. The Authority confirmed it did not hold the information disclosed by Northern Trains Ltd. It submitted
that this was either not received by the Authority, or had been deleted prior to receiving the Applicant’s
request. The Authority submitted that it could not be expected to know what other TOCs such as Northern Trains
Ltd or TfW held. While there may appear to be a significant discrepancy in the number of emails held, the
Authority submitted this was presumably due to differences in retention practices, and differences in operators
and the handover processes where operators had changed. Whatever the reason, the Authority was satisfied it had
conducted comprehensive and complete searches in response to the request.
The Commissioner’s views on whether the Authority held any further information
46. The Commissioner has considered all of the relevant submissions and the terms of the request (including
the Authority’s interpretation of the request which the Commissioner has already deemed satisfactory, as explained
previously).
47. The Commissioner is aware that some information, disclosed in response to the Applicant’s previous request
(SRT 011), was not provided to the Applicant at review stage or withheld under an exemption, and that some
additional text, in that same information, was not uncovered until during the investigation, having been
previously “invisible” as a result of having being formatted in white font against a white background. He notes
that, during the investigation, the Authority accepted that this information fell within scope of the Applicant’s
request.
48. The Commissioner has considered the Applicant’s belief that emails sent to the Accessibility Group email
address would reveal all members of the Group and that the Authority had excluded, from the scope of his request,
incoming emails originating from the Group email address. He has also considered the Authority’s submissions that
the Group email address was not expandable (i.e. to show all individual members), a point which was accepted by
the UK ICO in Decision IC-166544-K0D3. Accordingly, the Commissioner can see no feasible way of knowing who was
on the Group at the material time, and therefore searches of emails sent from each individual Group member to the
Group would not be possible (as this would have required further clarification from the Applicant, for example, by
specifying the individuals in the Group). The Commissioner also recognises that it is not possible to send an
email from the Accessibility Group email address. The Commissioner is therefore satisfied, on the balance of
probabilities, that the Authority does not hold any incoming emails originating from the Group email address.
49. The Commissioner has considered the Authority’s submissions in relation to additional correspondence
disclosed by other TOCs in response to similar requests which, the Applicant believed, would fall within the scope
of this request but which had not been identified by the Authority. He recognises that each organisation will
adopt different records retention practices and that the level of information held, on similar topics, would
undoubtedly differ from organisation to organisation through, for example, routine clearing of email
correspondence which had been dealt with and/or was no longer required. The Commissioner considers that the
searches carried out and the explanations provided by the Authority appeared sufficient and would be capable of
identifying this information, were it held. He accepts, on the balance of probabilities, that the Authority does
not hold this information.
50. Turning to the 556 emails identified by TfW in response to a similar FOI request made by the Applicant,
the Commissioner has considered the Authority’s submissions as to why it does not hold the same amount of
information, across a similar timeframe. As rehearsed above, the Commissioner can only consider the information
which an authority holds, and not that which an applicant believes it should hold. It is clear, from the
explanations provided, and the timeframes in the correspondence identified by the Authority, that it does not
hold, or have access to, earlier correspondence as a result of this having been transferred to the previous
franchise operator following the Authority’s takeover of passenger rail services from that operator on 1 April
2022. Again, the Commissioner considers that the searches carried out by the Authority would be capable of
identifying this information, if it was held. The Commissioner is therefore satisfied, on the balance of
probabilities, that the Authority does not hold this information.
51. In conclusion, the Commissioner is satisfied that, by the end of the investigation, the Authority had
taken adequate, proportionate steps to establish the extent of information held that was relevant to the request
and has fully explained why it does not hold any further relevant information.
52. However, the Commissioner considers that the information referred to at paragraphs 39 and 41 above should
clearly have been identified as falling within scope by the close of the Authority’s review, at the latest. In
failing to do this, the Authority failed to deal with the request fully in accordance with section 1(1) of FOISA.
The Commissioner notes that not only was this a breach of FOISA, but it resulted in avoidable delay for the
Applicant.
Section 30(b)(ii) – Prejudice to effective conduct of public affairs – free and frank exchange of views for the
purposes of deliberation
53. Section 30(b)(ii) of FOISA provides that information is exempt information if its disclosure would, or
would be likely to, inhibit substantially the free and frank exchange of views for the purposes of deliberation.
This exemption is subject to the public interest test in section 2(1)(b) of FOISA.
54. In applying the exemption in section 30(b)(ii), the chief consideration is not whether the information
constitutes opinion or views, but whether the disclosure of that information would, or would be likely to, inhibit
substantially the free and frank exchange of views. The inhibition must be substantial and therefore of real and
demonstrable significance.
55. Each request must be considered on a case by case basis, taking into account the effect (or likely effect)
of disclosure of that particular information on the future exchange of views. The content of the withheld
information will require to be considered, taking into account factors such as its nature, subject matter, manner
of expression, and also whether the timing of disclosure would have any bearing.
56. As with other exemptions involving a similar test, the Commissioner expects authorities to demonstrate or
explain why there is a real risk or likelihood that actual inhibition will occur at some time in the near future,
not simply a remote or hypothetical possibility.
57. In this case, the Authority relied on section 30(b)(ii) to withhold some information in the correspondence
requested.
The Applicant’s submissions on section 30(b)(ii)
58. In his application to the Commissioner, the Applicant submitted that the Authority had applied this
exemption to all of the information in a “class-based” manner, based on its communication mechanism (i.e. the
circumstances in which the information was created or communicated), and had not considered the actual content of
the information.
59. The Applicant submitted that the Authority had not explained why or how the exemption applied. He argued:
- The Authority had not explained how and why disclosure of the information would “likely” inhibit the
exchange of views. It had not explained the likelihood of, or the reasons for (or any evidence of), substantial
inhibition occurring, and had failed to show any genuine link between disclosure and inhibition. In his view, the
Authority had not given any indication that the claimed inhibition would be any more than hypothetical.
- The Authority had not justified that the supposed inhibition would be “substantial” , or would happen at
all. It had not explained how this inhibition would occur, at what level, why this may substantially prejudice
the exchange of views or why any such inhibition would cause any issues for any parties.
60. The Applicant further submitted that the Accessibility Group had a wide distribution (including the UK’s
TOCs, RDG and Network Rail) and was not a private means of communication. He stated that individual members of
the list did not have access to the list of members, and membership changed regularly as roles and personnel
changed. He argued that those communicating via this list did so entirely in their role within their company, as
part of their day-to-day professional functions.
61. The Accessibility Group, the Applicant stated, was not a discussion or policy-setting one, rather it was
primarily to disseminate information, policies and other material relevant to Group members’ roles and
accessibility on the railway. Much of the content and information on the Group had been sent from RDG to other
members without seeking any feedback, interaction or discussion. As the Group was ongoing, rather than having
been created or used to discuss any particular putative policy formulation or similar, in the Applicant’s view,
the timing of the information was not relevant.
62. The Applicant referred to the information disclosed in response to his previous request (SRT 011) which,
he argued, would be caught by the request under consideration here. He argued that these emails did not contain
views (“full or frank” or otherwise) or policy formulation discussions, rather they captured simple instructions
on the practical measures to be taken by TOCs in response to the likely impact of Storm Eunice on assisted travel,
and clarifications thereof. In his view, these emails (which, he stated, had been disclosed by other TOCs in
response to similar FOI requests) did not attract the S30(b)(ii) exemption.
63. Referring to the Authority’s review outcome where it claimed the request was “…open ended with no topic or
area of focus.”, the Applicant argued that it made no sense for the Authority to ask if he could refine his
request to a specific topic or area, rather than a blanket request for all correspondence to/from the
Accessibility Group email address, so that it would be able to review the information it held and consider
disclosure. In his view, if all the information was subject to section 30(b)(ii), he failed to see how a more
specific request for a sub-set of that information might result in disclosure. He believed that this further
highlighted that the Authority had failed to consider the content of the information, which was necessary for it
to be able to apply the exemption.
The Authority’s submissions on section 30(b)(ii)
64. In its initial submissions to the Commissioner, the Authority explained that the Group email address was
established as a means of removing siloed working, with all TOCs working towards the common good and improved
accessibility for all. This enabled all relevant individuals to be contacted with information and advice, to seek
views and to share guidance, and allowed members to seek advice and provide views on topics which RDG could then
use in the formulation of guidance and policy.
65. The Authority submitted that the exemption recognised the need for staff to have a private space within
which to exchange free and frank views and obtain advice between other TOCs, the RDG and third parties in relation
to accessibility issues. In its view, disclosure would lead to Group members being less likely to use this
address as a means of communication, for fear that these would be subject to disclosure. Furthermore, it would no
longer be a “safe space” in which to discuss matters in a candid non-attributable manner where optioneering and
appropriately robust challenge on evolving positions was possible.
66. The Authority believed that disclosure would therefore not only substantially inhibit the ability to
easily seek views and obtain advice and/or assistance on the development of policy and related processes and
procedures, but would also detrimentally impact the proactive development and improvement in accessibility across
TOCs.
67. The Authority commented that the request was open ended with no topic or area of focus, and thus appeared
to be a “fishing trip” with the aim of analysing each email exchanged over the Group, with no context of purpose.
As such, it believed disclosure would remove the opportunity for Group members to exchange views and advice
without fear that every email would be disclosed.
68. As explained above, during the investigation, the Authority changed its position for some of the
information originally withheld under section 30(b)(ii) and informed the Commissioner that this information could
now be disclosed. It confirmed that, following further review, it was now relying on section 30(b)(ii) to
withhold only specific pieces of information, particularly where sensitive views and advice were shared.
69. The Authority provided the Commissioner with specific submissions for each piece of information which it
continued to withhold under this exemption. Given the specificity of these submissions and how they relate to the
information, the Commissioner is limited in being able to describe these in any detail in this Decision Notice
without disclosing the content and nature of the information itself.
70. For the remainder of the information now being withheld under section 30(b)(ii), in addition to the
submissions provided in paragraphs 65 and 66 above, the Authority submitted that disclosure of the views and
opinions therein would engage the exemption due to a combination of factors, including the identity and status of
the authors/recipients, the circumstances in which the views were given, the content of those views and the way in
which they were expressed.
71. In these later submissions, the Authority explained that its suggestion to the Applicant - i.e. to refine
his request to a specific topic or area - was an attempt to assist the Applicant to frame future requests in a way
that was more likely to capture information held (as it only held a limited amount of information in respect of
emails shared by the Accessibility Group given that it did not have control over the Group or full visibility of
its members). In the Authority’s view, had the Applicant framed the request slightly differently (for example, by
requesting information on a specific topic), this may have allowed for a wider search as relevant information may
have existed in various other channels. Or, given that the Authority did not know all Group members, had the
Applicant asked for correspondence between it and RDG or a specific TOC, this could have been located and
considered for disclosure.
72. The Authority submitted that, in light of the amount of personal email addresses contained in the
correspondence, it did not seek the views of these individuals on disclosure. Furthermore, the only way to have
been able to seek views from all Group members would have been to email the Group email address, as individual
members were not known. The Authority stated that it had no way of knowing whether Group membership had changed
since these emails had been sent, and therefore whether doing so would reach all relevant individuals.
The Commissioner’s views on section 30(b)(ii)
73. The Commissioner has considered all of the relevant submissions from both parties, together with the
withheld information itself.
74. In assessing whether the exemption in section 30(b)(ii) applies, the Commissioner has taken account of a
number of factors, including the timing of the request. He must make his decision based on the Authority’s
position at the time it issued its review outcome.
75. As explained above, during the investigation, the Authority provided submissions to the effect that some
of the information, originally withheld under section 30(b)(ii), could now be disclosed. It disclosed this
information to the Applicant on 14 December 2023.
76. The Commissioner is particularly concerned that, at both review stage and early in the investigation, the
Authority clearly appeared to have applied the exemption in section 30(b)(ii) in a “blanket fashion”. It appears
to him that it was not until later in the investigation that the Authority gave full consideration to the actual
content of the correspondence falling within the scope of the request.
77. The Commissioner must also address the view of the Authority (in its review outcome) that the request was
“…open ended with no topic or area of focus.”, and its suggestion to the Applicant to refine his request to a
specific topic or area, rather than a blanket request for all correspondence to/from the Accessibility Group email
address, so that it would be able to review the information it held and consider disclosure.
78. The Commissioner concurs with the views of Applicant on this point. He fails to see how, if the exemption
in section 30(b)(ii) was engaged for all of the in-scope information (as claimed by the Authority at review
stage), a narrowing of the request would then allow the Authority to consider the content of the information. It
appears, to the Commissioner, that the Authority did, in fact, rely on the existence of the Group email address,
at review stage, as a “safe space” for section 30(b)(ii) to apply, and applied the exemption (erroneously) in a
“class-based” manner for all of that information. As stated above, it is evident that the Authority failed to
consider the actual content of the information at that time and applied the exemption in a “blanket-fashion”.
79. The Commissioner does not accept the Authority’s explanation of its reasons for making such a suggestion
to the Applicant. It is clear, from the review outcome, that the Authority was asking the Applicant to refine
this particular request so that it could then review the information and consider disclosure – action which it
should have already undertaken at that stage, particularly given the manageable amount of in-scope information
ultimately identified.
80. The Commissioner would urge not only the Authority, but indeed all Scottish public authorities, when
considering information for disclosure under non class-based exemptions such as section 30(b)(ii), that full
consideration is given to the actual content of the information falling within the scope of the request. He fails
to see how an Authority can come to a considered decision on whether an exemption is engaged or not, without doing
so. In his view, this is basic practice when considering any information for disclosure under FOISA.
81. In light of this, the Commissioner can only conclude that the Authority was not entitled to withhold that
information (i.e. the information previously withheld under section 30(b)(ii) which the Authority disclosed during
the investigation) at the time it dealt with the Applicant’s requirement for review. In doing so, it failed to
comply with section 1(1) of FOISA.
82. The Commissioner will now consider whether the Authority was entitled to withhold the remainder of the
information being withheld under section 30(b)(ii).
83. For this remaining information, which the Commissioner has fully considered, the Commissioner notes that
the information is sensitive, and sets out free and frank views which have clearly been shared and exchanged
through the safety of the Group email facility, thereby allowing only Group members to be privy to those views.
In the Commissioner’s view, disclosure of these particular views would, in all likelihood, lead to Group members
being less willing to provide such full and frank views in future, which would be to the detriment of open
discussion regarding decisions taken on operational matters, and with regard to their relevance to the future
formulation and development of policy and guidance.
84. The Commissioner accepts that there needs to be a safe space for Group members to be able to freely and
frankly exchange views without fear of inhibition as a result of those views likely being disclosed in future. He
would point out, however, that this exemption will not apply to all views exchanged – much is dependent on the
content of the information and the circumstances in which it is exchanged.
85. As such, the Commissioner is satisfied that the exemption in section 30(b)(ii) is engaged for the
remaining withheld information, in that its disclosure would, or would be likely to, inhibit substantially the
free and frank exchange of views for the purposes of deliberation, in the manner described by the Authority.
86. As the exemption in section 30(b)(ii) has been found to apply to the remaining withheld information, the
Commissioner is now required (for this information) to go on to consider the public interest test in section 2(1)
(b) of FOISA.
Public interest test – section 30(b)(ii)
87. As noted above, the exemption in section 30(b)(ii) is subject to the public interest test required by
section 2(1)(b) of FOISA. The Commissioner is therefore required to consider whether, in all the circumstances of
the case, the public interest in disclosing the remaining withheld information is outweighed by the public
interest in maintaining the exemption.
The Applicant’s submissions on the public interest - section 30(b)(ii)
88. In his application to the Commissioner, the Applicant commented that the Authority’s review response was
very brief in its consideration of the public interest test. In his view, the Authority had failed to conduct an
adequate public interest test and, were section 30(b)(ii) found to be engaged, he believed the information should
be disclosed.
89. The Applicant referred to the Authority’s arguments, in its review response, that disclosure would be
likely to reduce the use of this method of communication, and that this would negatively impact on the quality of
decision making. In his view, as the Authority had not, at that stage, considered the content of the information,
no public interest test could be applied to it.
90. The Applicant argued that the Authority had given no consideration to the impact of the age of the
information, at the time of his request. Rather, he submitted, the Authority had claimed that the public interest
in disclosure always favoured withholding the content of the correspondence sent via the Group, implying that this
was irrespective of when the information was created, and what it contained.
91. The Applicant also believed that the public interest arguments for disclosure put forward by the Authority
were very generic, and did not note the specific interests of disabled passengers in knowing what decisions had
been taken about aspects that may have affected their rights of assistance to travel.
92. The Applicant referred to the disclosure of information by the Authority in response to his earlier
request (SRT 011) which, he argued, had played a part in holding to account those responsible for cancelling all
disabled people’s assistance bookings for trains that continued to run across the country for two days in February
2022 during Storm Eunice. In his view, some other information exchanged across the email Group over the period of
his request would have a public interest in disclosure to a similar degree, but as the Authority had not
considered the content, this could not be known.
93. In the Applicant’s view, the Authority had not considered all relevant factors in favour of disclosure,
including whether disclosure would:
- enhance scrutiny of decision-making processes and thereby improve accountability and participation;
- ensure fairness in relation to applications or complaints, reveal malpractice or enable the correction of
misleading claims, and
- contribute to a debate on a matter of public interest.
94. The Applicant further argued that the Authority had failed to show how disclosure would likely undermine
full and frank discussion of issues between the parties involved and reduce this method of communication. In his
view, there was no evidence to suggest, show, document or prove that there was any likelihood of such an impact as
a result of disclosure.
The Authority’s submissions on the public interest - section 30(b)(ii)
95. In its initial submissions to the Commissioner, the Authority recognised the public interest in disclosure
as part of open, transparent and accountable government, and to inform public debate.
96. It believed, however, that there was a greater public interest in allowing a private space within which
TOCs, the RDG and third parties could exchange full and frank views, as part of the process of exploring and
refining policies to improve accessibility across the railway. The Authority submitted that this private thinking
space was essential to enable all options to be properly considered, based on the best available advice, so that
good policy decisions could be taken. In the Authority’s view, disclosure would likely undermine the full and
frank discussion of issues between these parties and reduce the use of this method of communication.
97. The Authority explained that the email address was used as a means of seeking views and opinions in a safe
space, with emails sent to the distribution list. By allowing discussion and debate, TOCs were able to develop
and amend policies to meet the needs of all using the rail network. Without this safe space, there was a risk of
siloed working, with less opportunity for discussion to develop the best policies for the public. It believed
that this, in turn, would undermine the quality of the decision-making process which would not be in the public
interest. In the Authority’s view, the content of emails should be classed as confidential so as to allow Group
members to exchange free and frank views and advice.
98. In its later submissions to the Commissioner (following its change of position for some of the information
being withheld under section 30(b)(ii)), the Authority recognised the public interest in knowing the topics being
discussed in relation to accessibility and the methods being used to tackle identified accessibility issues, thus
promoting and enabling better use of the railway by those affected by such issues. It submitted that this
demonstrated the open and transparent methods used to ensure decisions were taken with the best interests of
customers at heart.
99. The Authority believed, however that there was greater public interest in allowing a private space through
which TOCs, the RDG and third parties could exchange free and frank views and have debates as part of the process
of exploring and refining policies and decision-making, with a view to improving accessibility for all. It argued
that this private thinking space was essential to remove siloed working and to allow for cross-pollination of
ideas, with all opinions considered, based on the best available advice, thus making good policy decisions and
acting in the best interests of the public. By removing this safe space, with Group members knowing that even
their very frankly stated views may be disclosed, the Authority believed this would undoubtedly hinder the
creation of policies and the decision-making processes, thereby undermining what the email Group was created to
do. It submitted that this would not be in the public interest.
100. The Authority submitted, specifically in relation to information about the proper role and function of the
Office of Rail and Road (ORR) and TOCs in accessibility issues, that there was a public interest in the continued
existence of good working relationships between and among the ORR and TOCs on issues of accessibility. It argued
that the erosion of such relationship and the loss of a forum for accessibility professionals in the rail industry
to work together to improve accessibility for the benefit of all, was contrary to the public interest.
101. In the Authority’s view, there was no public interest in substantially inhibiting the ability of RDG and
TOCs to seek views and obtain advice/assistance from Group members (who have skill and knowledge in the
development of accessibility policy and related processes and procedures), which would ultimately affect the
public and customers that the Group was set up to help.
102. The Authority believed that the public were ultimately concerned with having an accessible railway. In
its view, hindering the exchange of views and returning to siloed working would be significantly detrimental to
the achievement of an accessible railway for all. On balance, the Authority believed that there was greater
public interest in allowing these discussions to take place uninhibited.
The Commissioner’s views on the public interest - section 30(b)(ii)
103. The Commissioner has considered carefully the public interest submissions made by both the Applicant and
the Authority, together with the remaining withheld information in question. He is required to balance the public
interest in disclosure of the information requested against the public interest in maintaining the exemption. In
the context of FOISA, the public interest should be considered as “something which is of serious concern and
benefit to the public”.
104. The Commissioner has given weight to the Applicant’s arguments that there is a public interest in disabled
passengers knowing what discussions took place that led to decisions being taken, and how these may have affected
their right of assistance to travel. He recognises that disclosure would, as argued by the Applicant, play a part
in holding those involved to account and would help inform public debate in that respect. In the Commissioner’s
view, this public interest has been satisfied, to some extent, by the Authority’s disclosure, during the
investigation, of the majority of the in-scope information previously withheld under section 30(b)(ii).
105. The Commissioner also recognises that, for the remaining withheld information, there is a strong public
interest in Group members being able to freely and frankly seek and exchange internal views in a private space in
relation to matters concerning accessibility on the railway, which would inform decision-making and have an effect
on future policy formulation. He acknowledges that the ability to do so, safe in the knowledge that information
will not routinely be publicly disclosed, will be required on occasion to enable open and frank exchanges to
support informed decision-making.
106. The Commissioner also recognises the public interest in maintaining good working relationships across the
various organisations represented by Group members which is enabled through Group members being able to safely
exchange their views concerning accessible travel freely and candidly.
107. In the Commissioner’s view, there is no public interest in disclosing information that would lead to Group
members being less willing to seek or share their views in a free and frank manner in future. This, the
Commissioner considers, would adversely impact the quality of decisions made and may lead to less-effective
policies being formulated in future. It may also impair the good working relationships established across the
Group.
108. As set out above, the Commissioner has already accepted that disclosure of the remaining information being
withheld under section 30(b)(ii) would, or would be likely to, inhibit substantially the free and frank exchange
of views for the purposes of deliberation. Having balanced the public interest arguments for and against
disclosure, he is satisfied that, on balance, the public interest in maintaining the exemption in section 30(b)
(ii) outweighs that in disclosure of the remaining withheld information.
109. The Commissioner therefore concludes that the Authority was entitled to withhold the remaining information
under the exemption in section 30(b)(ii) of FOISA.
Section 38(1)(b) – Personal information
110. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) or (b), exempts information from
disclosure if it is "personal data" (as defined in section 3(2) of the DPA 2018) and its disclosure would
contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR or (where
relevant) in the DPA 2018.
111. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an
absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of
FOISA.
112. To rely on this exemption, the Authority must show that the information withheld is personal data for the
purposes of the DPA 2018 and that disclosure of the information into the public domain (which is the effect of
disclosure under FOISA) would contravene one or more of the data protection principles to be found in Article 5(1)
of the UK GDPR.
113. The Commissioner must decide whether the Authority was correct to withhold some of the information
requested under section 38(1)(b) of FOISA.
The Authority’s change of position during the investigation – section 38(1)(b)
114. As explained above, during the investigation, the Authority disclosed some of the information, originally
withheld under section 38(1)(b), to the Applicant on 14 December 2023.
115. In light of this, the Commissioner can only conclude that the Authority was not entitled to withhold that
information at the time it dealt with the Applicant’s requirement for review. In doing so, it failed to comply
with section 1(1) of FOISA.
116. The Commissioner will now consider whether the Authority was entitled to withhold the remainder of the
information being withheld under section 38(1)(b).
Is the withheld information personal data?
117. The first question that the Commissioner must address is whether the withheld information is personal data
for the purposes of section 3(2) of the DPA 2018, i.e. any information relating to an identified or identifiable
individual. "Identifiable living individual" is defined in section 3(3) of the DPA 2018 - see Appendix 1. (This
definition reflects the definition of personal data in Article 4(1) of the UK GDPR, also set out in in Appendix
1.)
118. Information which could identify individuals will only be personal data if it relates to those
individuals. Information will "relate to" a person if it is about them, linked to them, has biographical
significance for them, is used to inform decisions affecting them or has them as its main focus.
119. In both its review outcome and its initial submissions to the Commissioner, the Authority explained that
the information comprised the names and contact details of individuals and companies. It subsequently explained,
in later submissions, that the information comprised the names, job titles, contact email address and phone
numbers of individual staff members, who could be identified and contacted from that information, particularly
where only one person held that role.
120. Having considered the remaining withheld information, it is clear to the Commissioner that some of this
information comprises either statements which cannot be considered to be personal data, and the latter part of one
email address. The Commissioner must therefore find that the Authority was not entitled to withhold this
information under section 38(1)(b) as it does not constitute personal data, in that it is not capable of
identifying a living individual. As the Authority is not relying on any other exemption to withhold this
particular information, the Commissioner requires the Authority to disclose it to the Applicant. This will be
indicated to the Authority along with a copy of this Decision Notice.
121. The Commissioner considers it prudent to point out that information comprising the names and contact
details of companies cannot be accepted as constituting personal data, as initially claimed by the Authority,
unless (in certain circumstances) it relates to a sole trader.
122. For the remainder of the information being withheld as personal data, which comprises the names, job
titles and contact details of individuals, the Commissioner is satisfied that this “relates to” identifiable
living individuals.
123. The Commissioner therefore concludes that the remaining withheld information is personal data for the
purposes of section 3(2) of the DPA 2018.
Which of the data protection principles would be contravened by disclosure?
124. The Authority stated that disclosure of this personal data would contravene the first data protection
principle (Article 5(1)(a) of the UK GDPR). Article 5(1)(a) states that personal data shall be processed
lawfully, fairly and in a transparent manner in relation to the data subject.
125. In terms of section 3(4)(d) of the DPA 2018, disclosure is a form of processing. In the case of FOISA,
personal data is processed when it is disclosed in response to a request.
126. The Commissioner must now consider if disclosure of the personal data would be lawful (Article 5(1)(a)).
In considering lawfulness, he must consider whether any of the conditions in Article 6 of the UK GDPR would allow
the data to be disclosed. The Commissioner considers that condition (f) in Article 6(1) is the only condition
which could potentially apply in the circumstances of this case.
Condition (f): legitimate interests
127. Although Article 6 states that condition (f) cannot apply to processing carried out by a public authority
in the performance of their tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public authorities
can rely on Article 6(1)(f) when responding to requests under FOISA.
128. The tests which must be met before Article 6(1)(f) can be met are as follows:
(i) Does the Applicant have a legitimate interest in obtaining the personal data?
(ii) If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?
(iii) Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by
the interests or fundamental rights and freedoms of the data subjects?
Does the Applicant have a legitimate interest in obtaining the personal data?
129. In his application to the Commissioner, the Applicant stated that he wanted the names and roles of those
on the list to be made public, in order to know the identities of the individuals responsible for the decisions
reflected or made, corporately or individually, which had a significant impact on disabled people’s travel on the
national rail network. He also stated he had a legitimate interest in scrutiny of the actions of the public
bodies concerned, the industry representative body and the licensed TOCs.
130. In its initial submissions to the Commissioner, the Authority believed it was in the public interest to
know which organisation the correspondence had been sent from, but not details of the individual senders.
131. In its later submissions, the Authority stated that it had not asked the Applicant to explain why he
wanted the information or what his legitimate interests were. However, with reference to Decision IC 166544 K0D3
issued by the UK ICO, the Authority understood his legitimate interest was in information regarding the rail
industry’s accessibility-related issues, and that he considered the public had a legitimate interest in knowing
who was making and receiving critical decisions on this matter.
132. The Authority did not consider that the Applicant had a legitimate interest in knowing what any
identifiable individual did or said in the Group, or who had provided or received the views in the correspondence.
While the Authority acknowledged that the Applicant may have a legitimate interest in knowing the content of the
contributions in the emails about the rail industry’s accessibility activities, and which organisation these were
made on behalf of, this did not extend to needing to know which individual in the Group made them. As such, the
Authority considered the Applicant had no legitimate interest in receiving the remaining withheld personal data.
133. Having considered the submissions from both parties, the Commissioner acknowledges that disclosure of the
remaining personal data would facilitate transparency and accountability to the Applicant (and the wider public)
regarding which individual (in which organisation) contributed and received views on matters relating to
accessibility in the rail industry. There is clearly a legitimate interest in the public being aware of such
matters where they relate to discussions that inform decisions taken and policies formulated on this important
topic. Consequently, the Commissioner accepts that the Applicant has a legitimate interest in disclosure of this
personal data.
Is disclosure of the personal data necessary?
134. Having accepted that the Applicant has a legitimate interest in the remaining personal data, the
Commissioner must consider whether disclosure of those personal data is necessary for the Applicant's legitimate
interests. In doing so, he must consider whether these interests might reasonably be met by any alternative
means.
135. The Commissioner has considered this carefully in light of the decision by the Supreme Court in South
Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55 . In this case, the Supreme Court stated
(at paragraph 27):
A measure which interferes with a right protected by Community law must be the least restrictive for the
achievement of a legitimate aim. Indeed, in ordinary language we would understand that a measure would not be
necessary if the legitimate aim could be achieved by something less.
136. "Necessary" means "reasonably" rather than "absolutely" or "strictly" necessary. When considering whether
disclosure would be necessary, public authorities should consider whether the disclosure is proportionate as a
means and fairly balanced as to the aims to be achieved, or whether the requester's legitimate interests can be
met by means which interfere less with the privacy of the data subject.
137. In his application to the Commissioner, the Applicant submitted that he had considered whether it would be
sufficient to have only the roles of the individuals concerned. However, as these roles were exclusively
individual, he believed disclosure of the individuals’ roles would, effectively, constitute disclosure of their
names. The Applicant argued, therefore, that disclosure of the individuals’ names was necessary to achieve his
legitimate interests.
138. In its submissions to the Commissioner, the Authority stated that it was in the public interest to know
the organisations the correspondence had originated from, but not the details of the individual members of staff.
139. As the Authority did not consider the Applicant had a legitimate interest in the personal data, it
believed, accordingly, that there was no requirement to consider necessity of disclosure to meet that interest.
The Authority stated, however, that should the Commissioner find that the Applicant did have a legitimate interest
in knowing which individual had provided or received the views in the emails, it would alternatively accept that
disclosure of the names and job titles would be necessary to achieve that legitimate interest, but not their
contact details.
140. In this case, the Commissioner must consider the information requested against the legitimate interest he
has identified (i.e. in relation to the scrutiny of the views exchanged in the emails by identifiable individuals
regarding accessibility in the rail industry), and whether disclosure of that information is necessary to achieve
the Applicant’s identified legitimate interest.
141. Having done so, the Commissioner accepts that, to some extent, disclosure of the information is necessary
in order to fulfil the Applicant’s legitimate interests. In the Commissioner’s view, disclosure of the names and
job titles of the individuals, as recorded in the withheld information, would provide the Applicant with
information which would aid his understanding of the level of involvement by the individuals named in the
correspondence.
142. However, the Commissioner does not share the same view for the contact details of the individuals in the
correspondence. He is satisfied that disclosure of their contact details is not necessary for the purposes of the
identified legitimate interests of the Applicant, and finds that the Authority properly withheld this particular
information under section 38(1)(b) of FOISA.
The data subjects' interests or fundamental rights and freedoms
143. The Commissioner must balance the legitimate interests in disclosure against the data subjects' interests
or fundamental rights and freedoms. In doing so, it is necessary for him to consider the impact of disclosure.
For example, if the data subjects would not reasonably expect that the information would be disclosed to the
public under FOISA in response to the request, or if such disclosure would cause unjustified harm, their interests
or rights are likely to override any legitimate interests in disclosure. Only if the legitimate interests of the
Applicant outweigh those of the data subjects can the information be disclosed without breaching the first data
protection principle.
144. The Commissioner's guidance on section 38 of FOISA notes factors that should be taken into account in
balancing the interests of parties. He notes that much will depend on the reasonable expectations of the data
subjects. These are some of the factors public authorities should consider:
- Does the information relate to an individual's public life (their work as a public official or employee)
or to their private life (their home, family, social life or finances)?
- Would the disclosure cause harm or distress?
- Whether the individual has objected to the disclosure.
Does the information relate to public or private life?
145. In its submissions to the Commissioner, the Authority explained that it took the approach that, where a
staff member was of seniority (e.g. an executive or head of service), they would expect their details (i.e.
name/role) to be released as it is those staff who are making decisions in relation to the running of the
Authority, and so it is in the public interest to understand who is making decisions.
146. The Authority stated that its staff member [on the Group] was not a senior manager and his role did not
carry the same level of accountability, nor would he expect his details to be released. In addition, the
Authority stated it was not aware of the seniority of the individuals of the other TOCs involved in the
correspondence.
147. The Authority further submitted that while the information may relate to the individuals’ work as public
authority employees (where the organisation was subject to FOI, as not all organisations on the Group were), it
did not know the role of each individual Group member within their respective organisation. In the Authority’s
view, members of the Group (including its own staff member) were not senior members of staff with roles carrying a
high level of public accountability, or who were subject to a level of public scrutiny that would warrant
disclosure of their details.
148. In his application to the Commissioner, the Applicant submitted that the information related solely to
communications sent by these individuals in their public lives, in their professional roles, rather than in their
private lives. He contended that they held senior positions with responsibility for their companies’ provision of
service to disabled people and the information was not private, nor did it pertain to family life.
149. The Commissioner acknowledges that the withheld information relates to the individuals' public lives, in
that it identifies them as staff in the Authority and other rail industry organisations, who were involved in the
work to which the information relates. However, he also acknowledges that, by association, the information also
relates to their private lives.
150. In the circumstances, the Commissioner concludes that the withheld information relates to both the private
and public lives of the data subjects.
Would disclosure cause harm or distress to the data subjects and have the individuals objected to the disclosure?
151. In its submissions to the Commissioner, the Authority stated that the individuals concerned did not expect
their personal details to be disclosed and that staff welfare was a priority.
152. The Authority explained that the Applicant was a disability activist with his own website. It drew
attention to the Applicant’s blog on which he referred to having received a letter from lawyers representing an
individual, following defamatory comments which the Applicant had made on his blog about that individual. The
individual’s personal details had been released in correspondence disclosed by another rail operator in response
to an earlier information request. The Authority submitted it was this behaviour it wished to protect those on
the Group from. In its view, disclosure could result in further unwarranted levels of interference with the
individuals’ personal rights, and lead to further harm and distress.
153. Furthermore, the Authority submitted that another individual had been the subject of a serious safety
incident as a result of his contact details having been disclosed online, resulting in that individual having to
remove himself and his family from social media in order to protect their safety and wellbeing. As the withheld
information included work email addresses and phone numbers, the Authority believed there was a risk that
disclosure would result in unwarranted conduct that could cause harm to that individual’s private life. In the
Authority’s view, the risk posed by releasing the personal data significantly outweighed any legitimate interest
in disclosing it.
154. The Authority submitted that disclosure of the personal data would go beyond what the individuals
concerned expected, and could have unjustified adverse effects on them, such as those set out above. It believed
there was a risk of disproportionate and unwarranted intrusion into the private and family lives of the
individuals involved, as a result of disclosure of their personal data.
155. The Authority was asked to explain what steps it had taken to ascertain which of the personal data was
already in the public domain. In response, the Authority submitted that although some of the names and job titles
of Accessibility Managers were available online, other personal data was not, notably their contact details and
membership of/participation in the Group, which the exemption was used to protect.
156. The Authority explained that searches were undertaken to ascertain whether individual membership of the
Group was in the public domain, but it had been unable to find a publicly-available list of Group members, or any
other information which would provide details as to membership of the Group.
157. Online searches carried out for its own Accessibility and Inclusion Manager identified instances where
that individual’s name and role appeared within public articles. The Authority explained, however, that these
were instances where that individual had given express permission for his name to be used, e.g. for a quote,
otherwise he would not expect his details to be released.
158. In conclusion, the Authority considered that the legitimate interests of the Applicant did not outweigh
the data subjects’ fundamental rights and freedoms and, as such, there was no lawful basis for disclosure.
159. In his submissions to the Commissioner, the Applicant could not see how disclosure of the personal data
would cause any significant harm or distress, and did not believe that it would increase the risk of fraud or pose
a security risk. He submitted that there was no evidence that the individuals concerned had objected to its
disclosure.
160. The Applicant argued that the Authority’s statement, in its review outcome that ”This information is not
in the public domain…” was not true. He argued that many of the individuals had put their own names and roles
into the public domain and, in other cases, their companies had. The Applicant submitted that a quick search of
Google for “accessibility inclusion manager (organisation name)” returned the identities of approximately 30
accessibility and inclusion managers across rail companies. Given these individuals and their organisations
proactively published their roles, and given that, in his view, they would be on the Accessibility Email Group,
their presence on the Group was almost axiomatic.
161. The Applicant believed that his legitimate interest outweighed the interests of the individuals involved
in the correspondence and that disclosure would not result in unwarranted privacy intrusion.
162. The Commissioner has considered the harm or distress that might be caused by disclosure. He notes that
disclosure of any information under FOISA – although in response to a request made by a specific Applicant –
effectively places that information into the public domain. As such, he must consider the effects of publicly
disclosing any personal data under FOISA.
163. The Commissioner has considered the relevant submissions from both parties, together with the personal
data withheld. He recognises that it records the involvement of those individuals in the information, in relation
to their expressed views.
164. The Commissioner acknowledges that some of these individuals’ personal data is publicly available through
online searches. He notes, however, that this is not in the context of being linked with the Accessibility Email
Group. As such, it is therefore still appropriate to consider what reasonable expectations these individuals
would have in relation to disclosure of their personal data in response to the request under consideration here.
165. The Commissioner also recognises that the role of the Authority’s own staff member is not considered
senior, and that the Authority is unable to verify the seniority of the roles of other Group members in other rail
industry organisations whose personal data is contained in the correspondence.
166. The Commissioner has also considered the Authority’s submissions about the risks to the welfare and safety
of staff, as a result of disclosure, and the supporting evidence provided on this. In this respect, he believes
that it is a fundamental right that the individuals involved in the correspondence can maintain control over who
can access their personal data, and therefore limit any future misuse, particularly as any information disclosed
under FOISA is essentially a disclosure “to the world”.
167. In the Commissioner’s view, all of these individuals would have a reasonable expectation that their
personal data, as contained in the withheld information, would remain confidential. He accepts, therefore, that
these individuals would have no expectation that their personal details (names and job titles) would be disclosed
into the public domain, in response to a request under FOISA.
Balance of legitimate interests
168. The Commissioner has carefully balanced the legitimate interests of the data subjects against those of the
Applicant. He has concluded that the legitimate interest in the remaining personal data is overridden by the
interests or fundamental rights and freedoms of the data subjects and that the requirements of condition (f)
cannot be met here. In the absence of a condition which would permit disclosure of the remaining withheld
personal data, the Commissioner must conclude that disclosure would be unlawful.
169. Given that the Commissioner has concluded that the processing of the remaining personal data would be
unlawful, he is not required to go on to consider whether disclosure of that personal data would otherwise be
fair.
Conclusion on the data protection principles
170. The Commissioner finds that disclosure of the personal data under consideration here would breach the
first data protection principle and that this information is therefore exempt from disclosure (and was properly
withheld) under section 38(1)(b) of FOISA.
Decision
The Commissioner finds that the Authority partially complied with Part 1 of the Freedom of Information (Scotland)
Act 2002 (FOISA) in responding to the information request made by the Applicant.
The Commissioner finds that, by the conclusion of his investigation, the Authority complied with Part 1 in the
following respects:
- The Authority correctly interpreted the request and carried out relevant searches in line with that
interpretation.
- Other than the additional information identified during the investigation, the Commissioner was satisfied
that the Authority held no further information.
- The Authority correctly withheld some information at review stage under (variously) the exemptions in
section 30(b)(ii) and section 38(1)(b) of FOISA.
However, the Commissioner finds that, by the conclusion of his investigation, the Authority failed to comply with
Part 1 in the following respects:
- By failing to provide some in-scope information, or to withhold it under an exemption, at review stage,
the Authority failed to comply with section 1(1) of FOISA.
- The Authority wrongly withheld some information at review stage under (variously) the exemptions in
section 30(b)(ii) and section 38(1)(b) of FOISA.
As the Authority has already disclosed to the Applicant the additional in-scope information identified during the
investigation along with the majority of the information found to have been wrongly withheld at review stage under
the exemptions claimed, the Commissioner does not require the Authority to take any further action in respect of
the information already disclosed, in response to these failures.
However, for the remaining information which the Commissioner has found to have been wrongly withheld under
section 38(1)(b) of FOISA, and which has not yet been disclosed, the Commissioner requires the Authority to
disclose this to the Applicant, by 10 June 2024.
Appeal
Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal
to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of
intimation of this decision.
Enforcement
If the Authority fails to comply with this decision, the Commissioner has the right to certify to the Court of
Session that the Authority has failed to comply. The Court has the right to inquire into the matter and may deal
with the Authority as if it had committed a contempt of court.
David Hamilton
Scottish Information Commissioner
25 April 2024
Appendix 1: Relevant statutory provisions
Freedom of Information (Scotland) Act 2002
1 General entitlement
(1) A person who requests information from a Scottish public authority which holds it is entitled to be given
it by the authority.
(2) The person who makes such a request is in this Part and in Parts 2 and 7 referred to as the “applicant.”
…
(4) The information to be given by the authority is that held by it at the time the request is received,
except that, subject to subsection (5), any amendment or deletion which would have been made, regardless of the
receipt of the request, between that time and the time it gives the information may be made before the information
is given.
…
(6) This section is subject to sections 2, 9, 12 and 14.
2 Effect of exemptions
(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to
the extent that –
(a) the provision does not confer absolute exemption; and
(b) in all the circumstances of the case, the public interest in disclosing the information is not outweighed
by that in maintaining the exemption.
(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are
to be regarded as conferring absolute exemption –
…
(e) in subsection (1) of section 38 –
…
(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.
…
30 Prejudice to effective conduct of public affairs
Information is exempt information if its disclosure under this Act-
…
(b) would, or would be likely to, inhibit substantially-
…
(ii) the free and frank exchange of views for the purposes of deliberation; or
…
38 Personal information
(1) Information is exempt information if it constitutes-
…
(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);
…
(2A) The first condition is that the disclosure of the information to a member of the public otherwise than
under this Act -
(a) would contravene any of the data protection principles, or
(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data
held by public authorities) were disregarded.
…
(5) In this section-
"the data protection principles" means the principles set out in –
(a) Article 5(1) of the UK GDPR, and
(b) section 34(1) of the Data Protection Act 2018;
"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
…
“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see
section 3(2), (4) and (14) of that Act);
“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14)
of that Act).
(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the
UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be
read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public
authorities) were omitted.
…
47 Application for decision by Commissioner
(1) A person who is dissatisfied with -
(a) a notice under section 21(5) or (9); or
(b) the failure of a Scottish public authority to which a requirement for review was made to give such a
notice.
may make application to the Commissioner for a decision whether, in any respect specified in that application, the
request for information to which the requirement relates has been dealt with in accordance with Part 1 of this
Act.
(2) An application under subsection (1) must -
(a) be in writing or in another form which, by reason of its having some permanency, is capable of being used
for subsequent reference (as, for example, a recording made on audio or video tape);
(b) state the name of the applicant and an address for correspondence; and
(c) specify –
(i) the request for information to which the requirement for review relates;
(ii) the matter which was specified under sub-paragraph (ii) of section 20(3)(c);
and
(iii) the matter which gives rise to the dissatisfaction mentioned in subsection (1).
...
UK General Data Protection Regulation
Article 4 Definitions
For the purpose of this Regulation:
1 ‘personal data’ means any information relating to an identified or identifiable natural person ('data
subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by
reference to an identifier such as a name, an identification number, location data, an online identifier or to one
or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of
that natural person:
…
Article 5 Principles relating to processing of personal data
1 Personal data shall be:
a. processed lawfully, fairly and in a transparent manner in relation to the data subject
(“lawfulness, fairness and transparency”)
…
Article 6 Lawfulness of processing
1 Processing shall be lawful only if and to the extent that at least one of the following applies:
…
f. processing is necessary for the purposes of the legitimate interests pursued by the
controller or by a third party, except where such interests are overridden by the
interests or fundamental rights and freedoms of the data subject which require the protection
of personal data, in particular where the data subject is a child.
…
Data Protection Act 2018
3 Terms relating to the processing of personal data
…
(2) “Personal data” means any information relating to an identified or identifiable living
individual (subject to subsection (14)(c)).
(3) “Identifiable living individual” means a living individual who can be identified, directly
or indirectly, in particular by reference to –
(a) an identifier such as a name, an identification number, location data or an
online identifier, or
(b) one or more factors specific to the physical, physiological, genetic, mental,
economic, cultural or social identity of the individual.
(4) “Processing”, in relation to information, means an operation or set of operations
which is performed on information, or on sets of information, such as –
…
(d) disclosure by transmission, dissemination or otherwise making available,
…
(10) “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April
2016 on the protection of natural persons with regard to the processing of personal data and on the free movement
of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and
Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see
section 205(4)).
…
(14) In Parts 5 to 7, except where otherwise provided –
(a) references to the UK GDPR are to the UK GDPR read with Part 2;
…
(c) references to personal data, and the processing of personal data, are to personal data and processing to
which Part 2, Part 3 or Part 4 applies;
(d) references to a controller or processor are to a controller or processor in relation to the processing of
personal data to which Part 2, Part 3 or Part 4 applies.
…
