Home Decisions

Decision 095/2025

Decision 095/2025: Renewal dates for software licences

Authority: Glasgow City Council
Case Ref: 202401647
 

Summary

The Applicant asked the Authority for the renewal dates of various software licences relating to its CCTV surveillance system.  The Authority stated that it did not hold the information requested. The Commissioner investigated and was satisfied that the Authority did not hold the information requested.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (4) (General entitlement); 3(2) (Scottish public authorities); 17(1) (Notice that information is not held); 47(1) and (2) (Application for decision by Commissioner); 73 (Interpretation) (definition of "information").

Background

  1. On 10 October 2024, the Applicant made a request for information to the Authority.  She asked the Authority to confirm the date when six specified software licences were due for renewal.
  2. The Authority responded on 4 November 2024.  It issued the Applicant with a notice, in terms of section 17(1) of FOISA, that it did not hold the information requested and explained why.
  3. On 15 November 2024, the Applicant wrote to the Authority requesting a review of its decision. She stated that she was dissatisfied with the decision because she did not agree that the Authority did not hold the information requested.
  4. The Authority notified the Applicant of the outcome of its review on 13 December 2024, which fully upheld its original decision.
  5. On 17 December 2024, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA.  She stated that she was dissatisfied with the outcome of the Authority’s review because she did not agree that it did not hold the information requested. 

Investigation

  1. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.
  2. On 9 January 2025, the Authority was notified in writing that the Applicant had made a valid application.  The case was allocated to an investigating officer.
  3. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application.  The Authority was invited to comment on this application and to answer specific questions.  These related to how it established that it did not hold the information requested.

Commissioner’s analysis and findings

  1. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority. 

Section 17(1) of FOISA – Notice that information is not held

  1. Section 1(1) of FOISA provides that a person who requests information from a Scottish public authority which holds it is entitled to be given that information by the public authority, subject to qualifications which, by virtue of section 1(6) of FOISA, allow Scottish public authorities to withhold information or charge a fee for it.  The qualifications contained in section 1(6) are not applicable in this case.
  2. The information to be given is that held by the Authority at the time the request is received, as defined by section 1(4).  This is not necessarily to be equated with information that an applicant believes the public authority should hold.  If no such information is held by the public authority, section 17(1) of FOISA requires the authority to give the applicant notice in writing to that effect.
  3. Section 3(2) of FOISA defines the circumstances in which information is considered to be held by a Scottish public authority.  There is no suggestion that section 3(2)(a) of FOISA applies so, for the purposes of this decision, information will be held by the Authority if it is held by the subcontractor on behalf of the Authority.

The Applicant’s submissions

  1. The Applicant stated that the Authority outsources all ICT services to a single external company, CGI IT UK Limited (CGI). CGI, in turn, subcontracts to another company called Qognify which provides and manages the applications and software that run the surveillance systems in the city.
  2. The Applicant referred to the following excerpts from guidance provided by the UK Information Commissioner’s Office[1]:

  • “The main principle behind freedom of information legislation is that people have a right to know about the activities of public authorities unless there is a good reason for them not to.”

  • “The Act covers all recorded information held by a public authority.  It is not limited to official documents, and it covers, for example, drafts, emails, notes, recordings of telephone conversations and CCTV recordings.”

  • “Where you subcontract public services to an external company, that company may then hold information on your behalf, depending on the type of information and your contract with them.  Some of the information held by the external company may be covered by the Act if you receive a freedom of information request.”

  1. The Applicant submitted that the fact the Authority currently outsourced all ICT services to CGI did not absolve the Authority of its responsibility for the delivery of these services.
  2. The Applicant disputed the Authority’s position that it did not hold the information requested. Specifically, she queried that there were no records that documented when the licences for “the suite of software and applications required for a functioning surveillance system” were due to expire.
  3. The Applicant noted that the CGI contract was being extended in March 2025 and that this extension would be until at least 2018.  She considered there would be rigorous procedures in place to understand the impact of this extension.  She assumed there would be audits and other scrutiny processes ongoing, looking at all of the third party contracts on which service delivery depends.
  4. If there was no record of the licence renewal date as part of this, the Applicant considered that a simple question from the Authority to CGI (who would know the date within their contract with Qognify) would allow the date to be ascertained.
  5. In summary, the Applicant considered that the disclosure of the information requested was “covered” by FOISA.
  6. In terms of the “NICE applications”, the Applicant had been advised that these operated within a “secure and closed network within the operations centre”. Therefore, the Applicant expected that “the information within this would have details on the licence and its expiry date”.

The Authority’s submissions

  1. The Authority confirmed that it had outsourced the provision of ICT services to an external company, CGI.  It described the contract for these ICT services as “an output-based contract”, meaning that “the focus is on the outcomes rather than the specific processes or inputs that the supplier uses to achieve them”.
  2. By using Output-Based Specifications, the Authority had outlined its business requirements in a clear, measurable way, allowing the supplier to determine the best approach to deliver on those requirements.  This approach resulted in the Authority stating what the end result should be, not how the work should be done.  CGI had control (and risk) in relation to the design of the solution implemented to meet each set of outputs.
  3. The Authority noted that it advised the Applicant in its initial response that it had entered into a seven-year contract for the provision of ICT services with CGI.  These services were provided as part of an overall service package with CGI and, as such, the Authority was not a direct party to these contracts and so did not hold the information requested.
  4. The Authority further explained that it was aware that its previous ICT provider had a contract with Qognify in connection with various elements of CCTV control software and that this contract was novated to CGI at the start of the CGI contract. Given that it is not a party to the contract, the Authority stated there was no reason why it would hold a copy of it.
  5. However, the Authority explained that it nevertheless asked relevant staff within the team that manages the relationship with CGI and management within the Operations Centre (where the software is used) were asked to confirm that they did not hold a copy of the contract.  It explained it did not consider it necessary to conduct further searches.
  6. The Authority confirmed that the contract it entered into with CGI stated that CGI were responsible for obtaining and maintaining all licences it may require, and which are necessary for the provision of the ICT services it was contracted to provide.  It also confirmed that the contract did not state that CGI held the information requested on behalf of the Authority.  While the contract contained provisions relating to the supplying of certain information to the Authority, this information did not include that requested by the Applicant.
  7. The Authority was asked whether it considered the suggestion by the Applicant that it could simply ask CGI to provide the information requested.  It considered that doing so would simply lead to further requests and that doing so would effectively be creating new information.
  8. The Authority was also asked to consider the Applicant’s suggestion that the information requested would be held within secure and closed network within the operations centre. It reiterated that there was never any requirement for it to hold the information requested and that its position remained the same.  It explained that employees in the Operations Centre knew how to operate the systems they used but had no particular knowledge of what those systems were, who they were supplied by or the contractual terms under which CGI acquired them.
  9. The Authority further noted that searches in response to FOI requests must be adequate and proportionate.  It explained that it felt confident maintaining its position that it did not hold the information requested without interrogating every system or asking every member of staff within the Operations Centre or within its Strategic Information, Innovation and Technology Team.  It considered that doing so would be cost-excessive and would, in practical terms, have precisely no likelihood of locating the information requested.

The Commissioner’s view

  1. The standard of proof to determine whether a Scottish public authority holds information is the civil standard of the balance of probabilities.  In determining where the balance of probabilities lies, the Commissioner considers the scope, quality, thoroughness and results of the searches carried out by the public authority.
  2. The Commissioner also considers, where appropriate, any reason offered by the public authority to explain why it does not hold the information.  While it may be relevant as part of this exercise to explore expectations about what information the authority should hold, ultimately the Commissioner's role is to determine what relevant recorded information is (or was, at the time the request was received) held by the public authority.
  3. Given the explanations and submissions provided, the Commissioner considers that the Authority took adequate and proportionate steps in the circumstances to establish if the information was held and he is satisfied that it does not (and did not, on receipt of the request) physically hold the information requested by the Applicant.
  4. The Commissioner also must consider whether CGI holds the requested information on behalf of the Authority by virtue of section 3(2)(b) of FOISA.
  5. The Commissioner considers that the closer the outsourced service is to the public authority’s core functions, the more likely it is that information about that service is held on behalf of the authority.  While he accepts that ICT services are critical to the ability of the Authority to perform its core functions, he is not persuaded that the specific information requested (i.e. the dates when specified software licences are due for renewal) is sufficiently related to a core function of the Authority.
  6. Given the explanations and submissions provided, the Commissioner accepts that CGI does not hold the requested information on behalf of the Authority.  He understands why the Applicant believed and expected the information requested to be held by the Authority.  However, whether a public authority should hold information which it does not hold is not a matter for the Commissioner to decide.
  7. The Commissioner considered the Applicant’s suggestion that the Authority could simply have asked CGI to provide the information requested.  "Information" is defined in section 73 of FOISA as "information recorded in any form".  Given this definition, FOISA does not require a public authority to create recorded information to respond to a request, or to obtain and provide information which it does not itself hold in recorded form.
  8. The Commissioner therefore accepts that the Authority was not obliged to ask CGI to provide it with the information requested.  He also accepts that the contract the Authority entered with CGI does not contain any provisions which would oblige CGI to provide the Authority with the information requested.
  9. In all the circumstances, the Commissioner concludes that the Authority was correct to give the Applicant notice, in terms of section 17(1) of FOISA, that it did not hold the information requested.

Decision 

The Commissioner finds that the Authority complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by the Applicant.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only.  Any such appeal must be made within 42 days after the date of intimation of this decision.

 

Euan McCulloch 

Head of Enforcement 


25 April 2025