Decision Notice 096/2024: Grants paid for installation of heat pump and solar panels
Authority: Scottish Ministers
Case Ref: 202201458
Summary
The Applicant asked the Authority for information relating to whether grant funding had been provided to a
specific address for the installation of a heat pump and solar panels. The Commissioner found that the Authority
was entitled to refuse to confirm nor deny whether it held the information.
Relevant statutory provisions
Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)
(ii) (Effect of exemptions); 18(1) (Further provision as respects responses to request); 38(1)(b), (2A)(a), (5)
(definitions of “the data protection principles”, “data subject”, “personal data” and “processing”, and “the UK
GDPR”) and (5A) (Personal information); 47(1) and (2) (Application for decision by Commissioner)
United Kingdom General Data Protection Regulation (the UK GDPR) Article 5(1)(a) (Principles relating to processing
of personal data); 6(1)(f) (Lawfulness of processing)
Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d) and (5), (10) and (14)(a), (c) and (d) (Terms
relating to the processing of personal data)
The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The
Appendix forms part of this decision.
Background
1. On 30 May 2022, the Applicant made a request for information to the Authority. She asked for the
following information about a neighbouring property:
- Has the owner of the property received any type of funding for the planning, purchase, and/or installation of (a) an ASHP and (b) Solar Panels?
- If yes, what is the name of the funding scheme(s)?
- When did they receive the funding?
- How much have they received for the ASHP and how much have they received for the Solar Panels?
2. The Authority responded on 30 June 2022. The Authority applied section 18 of FOISA, in conjunction with
section 38(1)(b) (Personal information), and refused to confirm nor deny whether the requested information existed
or was held.
3. On 13 July 2022, the Applicant wrote to the Authority requesting a review of its decision. The Applicant
stated that she was dissatisfied with the decision because she believed her case was exceptional. The Applicant
stated that she did not understand how and why revealing the information would be contrary to the public interest.
4. The Applicant further submitted that she required the information requested in order to supplement her
complaint to the Scottish Public Services Ombudsman (SPSO). In particular, the Applicant stated that a yes or no
answer to her first question would allow her to prove that the local council had dealt with her case “with
negligence and discrimination”.
5. The Authority notified the Applicant of the outcome of its review on 1 August 2022, fully upholding its
original decision. The Authority concluded that to reveal whether the information requested existed, or was held,
would be contrary to the public interest.
6. On 22 December 2022, the Applicant wrote to the Commissioner, applying for a decision in terms of section
47(1) of FOISA. The Applicant stated that she was dissatisfied with the outcome of the Authority’s review for the
following reasons:
- she did not agree that the information sought was “personal data” in terms of the DPA 2018
- disclosure of the information requested was necessary in order to assist with her complaint against the local council
- she had the right to know how tax revenues were spent and how much care goes into checking the fulfilment of projects to which budgets are dedicated.
Investigation
7. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the
power to carry out an investigation.
8. On 11 January 2023, and in line with section 49(3)(a) of FOISA, the Commissioner gave the Authority notice
in writing of the application and invited its comments which were provided.
9. The case was subsequently allocated to an investigating officer.
10. Further submissions were sought and received from the Applicant relating to the public interest test.
Commissioner’s analysis and findings
11. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority.
Section 18(1) – “neither confirm nor deny”
12. Section 18(1) of FOISA allows public authorities to refuse to confirm or deny whether they hold
information in the following limited circumstances:
- a request has been made to the authority for information which may or may not be held by it; and
- if the information existed and was held by the authority (and it need not be), it could give a refusal notice under section 16(1) of FOISA, on the basis that the information was exempt information by virtue of any of the exemptions in sections 28 to 35, 38, 39(1) or 41 of FOISA; and
- the authority considers that to reveal whether the information exists or is held by it would be contrary to the public interest
13. Where section 18(1) is under consideration, the Commissioner must ensure that his decision notice does not
confirm one way or the other whether the information requested actually exists or is held by the authority. This
means he is unable to comment in any detail on the Authority’s reliance on any of the exemption referred to, or on
other matters which could have the effect of indicating whether the information exists or is held by the Authority.
Section 38(1)(b) – Personal information
14. Section 38(1)(b), read in conjunction with section 38(2A)(a) (or (b)), exempts information from disclosure
if it is “personal data”, as defined in section 3(2) of the DPA 2018 and its disclosure would contravene one or
more of the data protection principles set out in Article 5(1) of the GDPR.
Would the information be personal data?
15. “Personal data” is defined in section 3(2) of the DPA 2018 as “any information relating to an identified
or identifiable living individual”. Section 3(3) of the DPA 2018 defines “identifiable living individual” as “a
living individual who can be identified, directly or indirectly, in particular
(a) an identifier such as a name, an identification number, location data or an online identifier, or
(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or
social identity of the individual.”
16. Given that the information request is framed with reference to a living individual (as it is linked to
their private home address) the Commissioner is satisfied that, if this information did exist and was held by the
Authority, any information captured by the request would be personal data as defined in section 3(2) of the DPA
2018.
Would disclosure contravene one of the data protection principles?
17. The Authority argued that disclosing the personal data, if it existed and were held, would breach the
first data protection principle. This requires personal data to be processed “lawfully, fairly and in a
transparent manner in relation to the data subject” (Article 5(1)(a) of the GDPR)
18. The definition of “processing” is wide and includes (section 3(4)(d) of the DPA 2018), “disclosure by
transmission, dissemination or otherwise making available”. In the case of FOISA, personal data are processed
when disclosed in response to a request. This means that, if it existed and were held, the personal data could
only be disclosed if disclosure would be both lawful (i.e. if it would meet one of the conditions of lawful
processing listed in Article 6(1) of the UK GDPR) and fair.
Lawful processing: Article 6(1)(f) of the UK GDPR
19. In considering lawfulness, the Commissioner must consider whether any of the conditions in Article 6(1) of
the UK GDPR would allow the personal data, if it existed and were held, to be disclosed.
20. The Commissioner considers that, if the information existed and was held, condition (f) is the only
condition which could potentially apply. This states that processing shall be lawful if it is “necessary for the
purposes of the legitimate interests pursued by the controller or by a third party, except where such interests
are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of
personal data ...”
21. Although Article 6(1) states that this condition cannot apply to processing carried out by a public
authority in performance of its tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public
authorities can rely on Article 6(1)(f) when responding to requests under FOISA.
22. The tests which must be met before Article 6(1)(f) can be met are as follows:
(i) Would the Applicant have a legitimate interest in obtaining personal data, if held?
(ii) If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?
(iii) Even if the processing would be necessary to achieve that legitimate interest, would that be
overridden by the interests or fundamental rights and freedoms of the data subject?
Would the Applicant have a legitimate interest in obtaining the personal data, if held?
23. The Authority did not consider that the Applicant had a legitimate interest in the personal data (if it
existed and were held). The Authority noted that the Applicant had asked for the information to support her
complaint relating to the noise of the equipment installed. In the Authority’s view, there was no connection
between how the installation was funded and the Applicant’s complaint about noise caused.
24. The Commissioner notes the Authority’s comments but considers that the Applicant has provided persuasive
arguments as to her legitimate interest in the personal data, if it existed and were held. The Commissioner is
therefore satisfied that, if it existed and were held, the Applicant would have a legitimate interest in obtaining
the personal data.
Would disclosure be necessary?
25. The next question is whether, if the personal data existed, disclosure would be necessary to achieve the
legitimate interest in the information. “Necessary” means “reasonably” rather than “absolutely” or “strictly”
necessary. When considering whether disclosure would be necessary, public authorities must consider whether the
disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the
Applicant’s legitimate interests could reasonably be met by means which interfered less with the privacy of the
data subject.
26. The Authority accepted that disclosure would be necessary should the Applicant have a legitimate interest
in the information.
27. If the Applicant’s legitimate interest was limited to supplementing her complaint to the SPSO, the
Commissioner would not be persuaded that disclosure of the information would be necessary to achieve that
interest. This is because, for the purposes of its investigations, the SPSO has the same powers as the Court of
Session in respect of the production of documents.
28. However, the Applicant appears to have a broader legitimate interest in the information. That is, the
Applicant wants to challenge the authenticity of documentation used by installers, installation companies and
Certification Bodies.
29. On balance, the Commissioner therefore accepts that disclosure of the information requested, if it existed
and was held, would be necessary for the Applicant’s legitimate interests.
The data subject’s interests or fundamental rights and freedoms (and balancing exercise)
30. The Commissioner has concluded that the disclosure of the information (if existing and held) would be
necessary to achieve the Applicant’s legitimate interests. However, this must be balanced against the fundamental
rights and freedoms of the owner of the property. Only if the legitimate interests of the Applicant outweighed
those of the data subject could personal data be disclosed without breaching the first data protection principle.
31. The Commissioner has considered the submissions from both parties carefully, in the light of the decision
by the Supreme Court in South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 551 .
32. In carrying out the balancing exercise, much will depend on the reasonable expectations of the data
subject. Factors which will be relevant in determining reasonable expectations include:
(i) whether the information relates to the individual’s public life (i.e. their work as a
public official or employee) or their private life (i.e. their home, family, social life or
finances)
(ii) the potential harm or distress that may be caused by disclosure
(iii) whether the individual objected to the disclosure.
33. The Authority considered that if an application had been made to the scheme by the owner of the property,
the data subject would have no expectation that information on the source of funding for the installation of solar
panels at their property would be made available to anyone. The Authority concluded that even if the Applicant
did have a legitimate interest in the information, if it existed and was held, the rights and freedoms of the data
subject would outweigh this interest.
34. The Commissioner agrees with the Authority that the information (if it existed and was held) would be
information a person would generally expect to be kept confidential and only shared amongst limited individuals
for specific purposes. It is important to bear in mind that disclosure under FOISA is disclosure to the world at
large and not just to the person who asks for the information.
35. After carefully balancing the legitimate interests of the Applicant against the interests or fundamental
rights or freedoms of the data subjects, the Commissioner finds that the legitimate interests served by disclosure
of any information held would be outweighed by the unwarranted prejudice that would result to the rights and
freedoms or legitimate interests of the data subject in this case.
36. In all the circumstances of this particular case, the Commissioner concludes that condition (f) in Article
6(1) of the UK GDPR could not be met in relation to the withheld personal data (if it exists and is held).
Fairness and transparency
37. Given that the Commissioner has concluded that the processing of the personal data, if existing and held,
would be unlawful, he is not required to go on to consider whether disclosure of such personal data would
otherwise be fair and transparent in relation to the data subject.
Conclusion on the data protection principles
38. For the reasons set out above, the Commissioner is satisfied that disclosure of any personal data, if it
existed and were held, would breach the data protection principle in Article 5(1)(a) of the UK GDPR.
Consequently, he is satisfied that such personal data would be exempt from disclosure under section 38(1)(b) of
FOISA and that the Authority could give a refusal notice under section 16(1) of FOISA, on the basis that the
information would be exempt by virtue of section 38(1)(b).
Section 18(1) – The public interest
39. The Commissioner must now consider whether the Authority was entitled to conclude that it would be
contrary to the public interest to reveal whether the information existed or was held.
The Applicant’s submissions
40. The Applicant considered that it was in the public interest for the public to know whether the information
she asked for existed, particularly as public money is used to pay for the installation and use of air source heat
pumps.
41. The Applicant believed that the public interest would be served by revealing whether the information
existed or was held because transparency would stop installers, installation companies and the Certification
Bodies to provide fabricated documents.
The Authority’s submissions
42. The Authority explained that to disclose whether the information exists, or not, would in effect disclose
the position in relation to any potential funding awarded (or not) which would lead to the Authority breaching its
duties as a data controller under data protection legislation.
43. The Authority stated that it therefore did not consider it to be in the public interest to reveal whether
the information existed or was held.
The Commissioner’s conclusions
44. The test the Commissioner must consider is whether (having already concluded that the information, if it
existed and were held, would be exempt from disclosure) it would be contrary to the public interest to reveal
whether the information existed or was held.
45. The Commissioner has fully considered the submissions from the Applicant and appreciates that, where
public funds are being used for the provision of goods or services, there should be scope for scrutiny as to how
those funds are utilised.
46. However, the Commissioner is aware, that the action of confirming or denying whether the information
existed or was held, would have the effect of revealing whether the property owner did or did not receive funding.
Doing so would, of itself, lead to the Authority breaching its duties as a data controller under data protection
legislation.
47. Consequently, the Commissioner is satisfied that the Authority was entitled to refuse to confirm or deny,
whether the information requested by the Applicant existed or was held, in accordance with section 18(1) of FOISA.
Decision
The Commissioner finds that the Authority complied with Part 1 of the Freedom of Information (Scotland) Act 2002
in responding to the information request made by the Applicant.
Appeal
Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal
to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of
intimation of this decision.
David Hamilton
Scottish Information Commissioner
21 May 2024
Appendix 1: Relevant statutory provisions
Freedom of Information (Scotland) Act 2002
1 General entitlement
(1) A person who requests information from a Scottish public authority which holds it is entitled to be given
it by the authority.
…
(6) This section is subject to sections 2, 9, 12 and 14.
2 Effect of exemptions
(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to
the extent that –
(a) the provision does not confer absolute exemption; and
(b) in all the circumstances of the case, the public interest in disclosing the information is not outweighed
by that in maintaining the exemption.
(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are
to be regarded as conferring absolute exemption –
…
(e) in subsection (1) of section 38 –
…
(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.
18 Further provision as respects responses to request
(1) Where, if information existed and was held by a Scottish public authority, the authority could give a
refusal notice under section 16(1) on the basis that the information was exempt information by virtue of any of
sections 28 to 35, 38, 39(1) or 41 but the authority considers that to reveal whether the information exists or is
so held would be contrary to the public interest, it may (whether or not the information does exist and is held by
it) give the applicant a refusal notice by virtue of this section.
38 Personal information
(1) Information is exempt information if it constitutes-
…
(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);
…
(2A) The first condition is that the disclosure of the information to a member of the public otherwise than
under this Act -
(a) would contravene any of the data protection principles, or
…
(5) In this section-
"the data protection principles" means the principles set out in –
(a) Article 5(1) of the UK GDPR, and
(b) section 34(1) of the Data Protection Act 2018;
"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
…
“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see
section 3(2), (4) and (14) of that Act);
“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14)
of that Act).
(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the
UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be
read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public
authorities) were omitted.
47 Application for decision by Commissioner
(1) A person who is dissatisfied with -
(a) a notice under section 21(5) or (9); or
(b) the failure of a Scottish public authority to which a requirement for review was made to give such a
notice.
may make application to the Commissioner for a decision whether, in any respect specified in that application, the
request for information to which the requirement relates has been dealt with in accordance with Part 1 of this
Act.
(2) An application under subsection (1) must -
(a) be in writing or in another form which, by reason of its having some permanency, is capable of being used
for subsequent reference (as, for example, a recording made on audio or video tape);
(b) state the name of the applicant and an address for correspondence; and
(c) specify –
(i) the request for information to which the requirement for review relates;
(ii) the matter which was specified under sub-paragraph (ii) of section 20(3)(c);
and
(iii) the matter which gives rise to the dissatisfaction mentioned in subsection (1).
UK General Data Protection Regulation
Article 5 Principles relating to processing of personal data
1 Personal data shall be:
a. processed lawfully, fairly and in a transparent manner in relation to the data subject
(“lawfulness, fairness and transparency”)
…
Article 6 Lawfulness of processing
1 Processing shall be lawful only if and to the extent that at least one of the following applies:
…
f. processing is necessary for the purposes of the legitimate interests pursued by the
controller or by a third party, except where such interests are overridden by the
interests or fundamental rights and freedoms of the data subject which require the protection
of personal data, in particular where the data subject is a child.
Data Protection Act 2018
3 Terms relating to the processing of personal data
…
(2) “Personal data” means any information relating to an identified or identifiable living
individual (subject to subsection (14)(c)).
(3) “Identifiable living individual” means a living individual who can be identified, directly
or indirectly, in particular by reference to –
(a) an identifier such as a name, an identification number, location data or an
online identifier, or
(b) one or more factors specific to the physical, physiological, genetic, mental,
economic, cultural or social identity of the individual.
(4) “Processing”, in relation to information, means an operation or set of operations
which is performed on information, or on sets of information, such as –
…
(d) disclosure by transmission, dissemination or otherwise making available,
…
(10) “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Authority of 27 April
2016 on the protection of natural persons with regard to the processing of personal data and on the free movement
of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and
Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see
section 205(4)).
…
(14) In Parts 5 to 7, except where otherwise provided –
(a) references to the UK GDPR are to the UK GDPR read with Part 2;
…
(c) references to personal data, and the processing of personal data, are to personal data and processing to
which Part 2, Part 3 or Part 4 applies;
(d) references to a controller or processor are to a controller or processor in relation to the processing of
personal data to which Part 2, Part 3 or Part 4 applies.