Home Decisions

Decision 096/2025

Decision 096/2025: Complaints against specified employees


Authority: East Lothian Council
Case Ref: 202300329
 

Summary

The Applicant asked the Authority for the number of complaints made against three specified employees.  The Authority refused to confirm nor deny whether it held the information requested. The Commissioner investigated and found that the Authority was entitled to refuse to confirm nor deny whether it held the information requested.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6)) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 18(1) (Further provision as respects responses to request); 38(1)(b), (2A)(a), (5) (definitions of "the data protection principles", "data subject", "personal data", "processing" and "the UK GDPR") and (5A) (Personal information); 47(1) and (2) Application for a decision by the Commissioner).

United Kingdom General Data Protection Regulation (the UK GDPR) Articles 5(1)(a) (Principles relating to processing of personal data) and 6(1)(f) (Lawfulness of processing). 

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5), (10) and (14)(a), (c) and (d) (Terms relating to the processing of personal data).

 

Background

  1. On 8 February 2023, the Applicant made a request for information to the Authority.  They asked for the number of complaints registered against three specified individuals.
  2. The Authority responded on 2 March 2023.  It refused to confirm or deny whether it held the requested information, relying on section 18 of FOISA, in conjunction with section 38(1)(b) of FOISA.
  3. On 6 March 2023, the Applicant wrote to the Authority requesting a review of its decision. They stated that they were dissatisfied with the decision because they considered that the Authority held the information requested and the public interest favoured disclosure of that information.
  4. The Authority notified the Applicant of the outcome of its review on 15 March 2023, which fully upheld its original decision.
  5. On 16 March 2023, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA.  They stated that they were dissatisfied with the outcome of the Authority’s review because they considered the individuals specified were employees of a public body and therefore the public interest favoured disclosure of the information requested. 

Investigation

  1. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.
  2. On 17 March 2023, and in line with section 49(3)(a) of FOISA, the Commissioner gave the Authority notice in writing of the application and invited its comments.  The Authority provided its comments.
  3. The case was subsequently allocated to an investigating officer.
  4. Further submissions were also sought and obtained from the Applicant.

Commissioner’s analysis and findings

  1. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority. 

Section 18(1) - Neither confirm nor deny

  1. Section 18(1) of FOISA allows public authorities to refuse to confirm or deny whether they hold information in the following limited circumstances:

    • a request has been made to the authority for information, which may or may not be held by it; and

      • if the information existed and were held by the authority (and it need not be), it could give a refusal notice under section 16(1) of FOISA, on the basis that the information was exempt information by virtue of any of the exemptions in sections 28 to 35, 38, 39(1) or 41 of FOISA; and

      • the authority considers that to reveal whether the information exists or is held by it would be contrary to the public interest.

  2. Where section 18(1) of FOISA is under consideration, the Commissioner must ensure that his decision notice does not confirm one way or the other whether the information requested actually exists or is held by the authority.  This means he is unable to comment in any detail on the Authority’s reliance on any of the exemptions referred to, or on other matters which could have the effect of indicating whether the information exists or is held by the Authority.
  3. In this case, the Authority submitted that, if it held any information falling within scope of the Applicant’s request, it would be exempt from disclosure under section 38(1)(b) of FOISA.
  4. It is not sufficient to claim that one or more of the relevant exemptions applies. Section 18(1) makes it clear that the authority must be able to give a refusal notice under section 16(1), on the basis that any relevant information (if it existed and were held) would be exempt information under one or more of the listed exemptions.
  5. The Commissioner must first, therefore, consider whether the Authority could have given a refusal notice under section 16(1) in relation to the information in question, if it existed and were held.

Section 38(1)(b) – Personal information

  1. Section 38(1)(b), read in conjunction with section 38(2A)(a) (or (b)), exempts information from disclosure if it is “personal data”, as defined in section 3(2) of the DPA 2018 and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR. 

Would the information be personal data?

  1. “Personal data” is defined in section 3(2) of the DPA 2018 as “any information relating to an identified or identifiable living individual”.  Section 3(3) of the DPA 2018 defines “identifiable living individual” as “a living individual who can be identified, directly or indirectly, in particular with reference to –

    1. an identifier such as a name, an identification number, location data or an online identifier, or

    2. one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.”

  2. Given that the information request is framed with reference to named individuals, and given the subject matter of the request, the Commissioner is satisfied that, if this information did exist and were held by the Authority, any information captured by the request would clearly relate to the named individuals. 

Would disclosure contravene one of the data protection principles?

  1. The Authority argued that disclosing the personal data, if it existed and were held, would breach the first data protection principle.  This requires personal data to be processed “lawfully, fairly and in a transparent manner in relation to the data subject” (Article 5(1)(a) of the UK GDPR).
  2. The definition of “processing” is wide and includes (section 3(4)(d) of the DPA 2018), “disclosure by transmission, dissemination or otherwise making available”. In the case of FOISA, personal data are processed when disclosed in response to a request.  This means that, if it existed and were held, the personal data could only be disclosed if disclosure would be both lawful (i.e. if it would meet one of the conditions of lawful processing listed in Article 6(1) of the UK GDPR) and fair.

Lawful processing: Article 6(1)(f) of the UK GDPR

  1. In considering lawfulness, the Commissioner must consider whether any of the conditions in Article 6(1) of the UK GDPR would allow the personal data, if it existed and were held, to be disclosed.
  2. The Commissioner considers that, if the information existed and were held, condition (f) is the only condition which could potentially apply.  This states that processing shall be lawful if it is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data ...”.
  3. Although Article 6(1) states that this condition cannot apply to processing carried out by a public authority in performance of its tasks, section 38(5A) of FOISA makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.
  4. The tests which must be met before Article 6(1)(f) can be met are as follows:

    1. Would the Applicant have a legitimate interest in obtaining personal data, if held?

    2. If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?

    3. Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subject?

Would the Applicant have a legitimate interest in obtaining the personal data, if held?

  1. The Applicant stated that the conduct of the specified Authority employees had been deficient and argued that the Authority was obliged to disclose the information requested, given it was a public body.
  2. The Authority explained that it had engaged with the Applicant in relation to various matters over an approximately 20-year period and that the Applicant had, over that period, made unfounded allegations about various officers – including the three individuals specified in their request.
  3. The Authority noted it was possible that the Applicant might have a legitimate interest in obtaining generalised information about complaints made against employees of the Authority, for the purpose of scrutinising the actions of the Authority. However, it said it was difficult to see how disclosure of the information requested (if it existed and were held) would satisfy this wider aim or otherwise benefit the Applicant or the wider public.
  4. On balance, the Commissioner accepts that, if it existed and were held, the Applicant would have a legitimate interest in obtaining the personal data. 

Would disclosure be necessary?

  1. The next question is whether, if the personal data existed and were held, disclosure would be necessary to achieve the legitimate interest in the information.  “Necessary” means “reasonably” rather than “absolutely” or “strictly” necessary.  When considering whether disclosure would be necessary, public authorities must consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the Applicant’s legitimate interests could reasonably be met by means which interfered less with the privacy of the data subjects.
  2. The Applicant considered that “numerous people” had made complaints against two of the individuals specified in their request and that the information requested should be available to the public to “protect” them.
  3. The Authority submitted that it could not accept that disclosure of information relating to three specific individuals (if the information existed and were held) would satisfy a generalised interest in scrutiny of the Authority and its actions or would otherwise benefit the Applicant or the wider public.
  4. The Authority further submitted that it did not consider, given the Applicant’s history of contact and pattern of repeated, unfounded, accusations, that their request had been made with the genuine intention of obtaining information.
  5. Notwithstanding the submissions provided by the Authority (and noting that he is not being asked to consider whether the request was vexatious), the Commissioner considers that the only way the Applicant’s legitimate interest in the particular circumstances of this case could be met would be by viewing the information requested (assuming it existed and were held).

The data subjects’ interests or fundamental rights and freedoms (and balancing exercise)

  1. The Commissioner has concluded, on balance, that the disclosure of the information requested (if it existed and were held) would be necessary to achieve the Applicant’s legitimate interests.  However, this must be balanced against the fundamental rights and freedoms of the named individuals.  Only if the legitimate interests of the Applicant outweighed those of the data subjects could personal data be disclosed without breaching the first data protection principle.
  2. The Commissioner has considered the submissions from both parties carefully, in the light of the decision by the Supreme Court in South Lanarkshire Authority v Scottish Information Commissioner [2013] UKSC 55[1].
  3. In carrying out the balancing exercise, much will depend on the reasonable expectations of the data subject.  Factors which will be relevant in determining reasonable expectations include:

    1. whether the information relates to the individual’s public life (i.e. their work as a public official or employee) or their private life (i.e. their home, family, social life or finances)

    2. the potential harm or distress that may be caused by disclosure

    3. whether the individual objected to the disclosure.

  4. The Authority submitted that disclosure of the information requested (if it existed and were held) would cause distress as it would constitute a breach of trust.  It considered that the data subjects (none of whom had held senior office within the Authority) would have no expectation that any information (if it existed and was held) would be disclosed into the public domain, which is the effect of information being disclosed in response to an FOI request.
  5. The Commissioner agrees with the Authority that the information (if it existed and were held) would be information a person would generally expect to be kept confidential and only shared amongst limited individuals for specific purposes.
  6. The Commissioner has also considered the potential harm or distress that could be caused by disclosure of the information (if it existed and were held).  As stated above, disclosure under FOISA is a public disclosure.  At the most general level, disclosing or alleging some workplace impropriety may have taken place is likely to cause some reputational damage to the named individuals (without the protections afforded by a proper forum for considering any relevant claims or allegations).
  7. After carefully balancing the legitimate interests (to the extent that they provided submissions on this point) of the Applicant against the interests or fundamental rights or freedoms of the data subjects, the Commissioner finds that the legitimate interests served by disclosure of any information held would be outweighed by the unwarranted prejudice that would result to the rights and freedoms or legitimate interests of the individuals in question in this case.
  8. In all the circumstances of this particular case, the Commissioner concludes that condition (f) in Article 6(1) of the UK GDPR could not be met in relation to the withheld personal data (if it existed and were held).

Fairness and transparency

  1. Given that the Commissioner has concluded that the processing of the personal data, if existing and held, would be unlawful, he is not required to go on to consider whether disclosure of such personal data would otherwise be fair and transparent in relation to the data subjects.

Conclusion on the data protection principles

  1. For the reasons set out above, the Commissioner is satisfied that disclosure of any personal data, if it existed and were held, would breach the data protection principle in Article 5(1)(a) of the UK GDPR.  Consequently, he is satisfied that such personal data would be exempt from disclosure under section 38(1)(b) of FOISA and that the Authority could give a refusal notice under section 16(1) of FOISA, on the basis that the information would be exempt by virtue of section 38(1)(b).

Section 18(1) – The public interest

  1. The Commissioner must now consider whether the Authority was entitled to conclude that it would be contrary to the public interest to reveal whether the information existed or was held.

The Applicant’s submissions

  1. The Applicant’s submissions on the public interest were set out earlier (at paragraphs 25 and 30).  The Commissioner will not reproduce those submissions here, but he will fully consider them in what follows.

The Authority’s submissions 

  1. The Authority acknowledged the public interest in the transparent operations of public authorities and in identifying instances of misconduct.  However, it noted that as some of the individuals specified in the request were no longer employed by the Authority it could not envisage how disclosure of the information requested (if it existed and were held) would have any bearing on current or recent service delivery.
  2. Overall, the Authority considered that the individuals specified in the request had a reasonable expectation of privacy in relation to their personal data (which, where applicable, was not diminished by certain individuals having left the employment of the Authority) and that disclosure of the information requested (if it existed and were held) would directly prejudice the protection of that privacy.
  3. The Authority concluded, therefore, that publicly confirming or denying whether the information requested existed or was held would damage the duty of trust between the Authority and its employees, breach its data protection obligations, and potentially expose the specified individuals to harm or distress – all of which would be contrary to the public interest.

The Commissioner's conclusions

  1. The test the Commissioner must consider is whether (having already concluded that the information, if it existed and were held, would be exempt from disclosure) it would be contrary to the public interest to reveal whether the information existed or was held.
  2. The Commissioner has fully considered the submissions from the Applicant and the Authority.
  3. Having done so, he is satisfied, in all the circumstances of this case, that the action of confirming or denying whether the information existed or was held would have had the effect of revealing, through public disclosure, whether the named individuals were the subject of complaints in the course of their employment.  Doing so, would, of itself, lead to the Authority breaching its duties as data controller under data protection legislation.
  4. In the circumstances, therefore, the Commissioner must find that it would have been contrary to the public interest for the Authority to reveal whether it held the information requested or whether that information existed.
  5. Consequently, the Commissioner is satisfied that the Authority was entitled to refuse to confirm or deny whether the information requested by the Applicant existed or was held, in accordance with section 18(1) of FOISA.

Decision 

The Commissioner finds that the Authority complied with Part 1 of the Freedom of Information (Scotland) Act 2002  in responding to the information request made by the Applicant.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only.  Any such appeal must be made within 42 days after the date of intimation of this decision.

 

Euan McCulloch 

Head of Enforcement 


25 April 2025