Decision 145/2025: Information about an individual
Authority: University of Aberdeen
Case Ref: 202500283
Summary
The Authority was asked for information regarding a named individual. The Authority refused to confirm or deny whether the information existed or was held by it. The Commissioner accepted that it was in the public interest for the Authority not to reveal whether the information existed or was held.
Relevant statutory provisions
Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 18(1) (Further provision as respects responses to request); 38(1)(b), (2A)(a), (5) (definitions of "the data protection principles", "data subject", "personal data", "processing" and "the UK GDPR") and (5A) (Personal information).
United Kingdom General Data Protection Regulation (the UK GDPR) articles 5(1)(a) (Principles relating to processing of personal data); 6(1)(f) (Lawfulness of processing).
Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5), (10) and (14)(a), (c) and (d) (Terms relating to the processing of personal data).
Background
- On 17 October 2024, the Applicant made a request for information to the Authority. He alleged improper conduct by a named individual and asked for:
the terms of engagement between the named individual and the Authority, and
the rules and regulations governing the engagement.
He specified that the timeframe for the request was from January to March 2023.
- The Authority responded on 29 October 2024. The Authority refused to confirm or deny whether it held the information, relying on section 18 of FOISA, in conjunction with section 38(1)(b) of FOISA.
- On 27 November 2024, the Applicant wrote to the Authority requesting a review of its decision. The Applicant stated that he was dissatisfied with the Authority’s decision to refuse to provide him with the information. He submitted that information about the named individual (and their affiliation to the Authority) had previously been published by the British Council and he asked the Authority to review its original response.
- The Authority notified the Applicant of the outcome of its review on 17 December 2024, upholding its initial response that section 18 of FOISA had been correctly applied.
- On 20 February 2025, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. The Applicant stated that he was dissatisfied with the outcome of the Authority’s review because it had refused to give him access to the information he had requested.
Investigation
- The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.
- On 7 March 2025 the Authority was notified in writing that the Applicant had made a valid application, and the case was allocated to an investigating officer.
- Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Authority was invited to comment on this application and to answer specific questions.
Commissioner’s analysis and findings
- In coming to a decision on this matter, the Commissioner considered all the relevant submissions made to him by both the Applicant and the Authority. He is satisfied that no matter of relevance has been overlooked.
- As mentioned above, the Authority is relying on section 18 of FOISA, read in conjunction with other exemptions, including section 38(1)(b) of FOISA.
Section 18(1) – Neither confirm nor deny
- Section 18(1) of FOISA allows public authorities to refuse to confirm or deny whether they hold information in the following limited circumstances:
a request has been made to the authority for information, which may or may not be held by it;
if the information existed and were held by the authority (and it need not be), it could give a refusal notice under section 16(1) of FOISA, on the basis that the information was exempt information by virtue of any of the exemptions in sections 28 to 35, 38, 39(1) or 41 of FOISA; and
the authority considers that to reveal whether the information exists or is held by it would be contrary to the public interest.
- In any case where section 18(1) is under consideration, the Commissioner must ensure that his decision does not confirm one way or the other whether the information requested exists or is held by the authority. This means he is unable to comment in any detail, in this case, on the Authority’s reliance on any of the exemptions referred to, or on other matters that could have the effect of indicating whether the information existed or was held by the Authority.
- In this case, the Authority submitted that, if it held any information falling within the scope of requests, it would be exempt from disclosure under section 38(1)(b) of FOISA.
- The Commissioner must first, therefore, consider whether the Authority could have given a refusal notice under section 16(1) of FOISA in relation to the information in question, if it existed and were held.
Section 38(1)(b) - Personal information
- Section 38(1)(b), read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is "personal data", as defined in section 3(2) of the Data Protection Act 2018 (the DPA) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR.
Would the information be personal data?
- "Personal data" is defined in section 3(2) of the DPA as "any information relating to an identified or identifiable living individual". Section 3(3) of the DPA 2018 defines "identifiable living individual" as "a living individual who can be identified, directly or indirectly, in particular with reference to –
an identifier such as a name, an identification number, location data or an online identifier, or
one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual."
- Given that the information request is framed with reference to a named individual, and given the subject matter of the request, the Commissioner is satisfied that, if this information did exist and were held by the Authority, any information captured by the request would clearly relate to the named individual.
Would disclosure contravene one of the data protection principles?
- The Authority argued that disclosing the personal data, if it existed and were held, would breach the first data protection principle. This requires personal data to be processed "lawfully, fairly and in a transparent manner in relation to the data subject" (Article 5(1)(a) of the UK GDPR).
- The definition of "processing" is wide and includes (section 3(4)(d) of the DPA) "disclosure by transmission, dissemination or otherwise making available".
For the purposes of FOISA, personal data are processed when disclosed in response to a request. This means that personal data could only be disclosed if disclosure would be both lawful (i.e. it would meet one of the conditions of lawful processing listed in Article 6(1) of the UK GDPR) and fair.
Lawful processing: Article 6(1)(f) of the UK GDPR
- In considering lawfulness, the Commissioner must consider whether any of the conditions in Article 6(1) of the UK GDPR would allow the personal data to be disclosed.
- This states that processing shall be lawful if it is "necessary for the purposes of the legitimate interest pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data..."
- Although Article 6(1) states that this condition cannot apply to processing by a public authority in performance of its tasks, section 38(5A) of FOISA makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.
- The tests which must be met before Article 6(1)(f) can be met are as follows:
Would the Applicant have a legitimate interest in obtaining personal data, if held?
If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?
Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subject?
Would the Applicant have a legitimate interest in obtaining the personal data, if held?
- The Authority argued that the Applicant did not have a legitimate interest in obtaining the data. It noted that although the Applicant had alleged that the named individual may have committed an offence, it was not clear why he needed to know their terms of engagement with the Authority. The Authority commented that if the Applicant considered that a crime had been committed, he could make a complaint to the Authority or to Police Scotland without the requested information.
- The Applicant argued that he required the information in order to make a complaint about the named individual’s alleged conduct.
- The Commissioner has considered the Authority’s views, and he finds that they do have some merit. However, in the circumstances, the Commissioner is satisfied that the Applicant does have a legitimate interest in obtaining the information (if it existed and were held).
Would disclosure be necessary?
- Having accepted that the Applicant has a legitimate interest in the personal data (if it existed and were held), the Commissioner must consider whether disclosure of the personal data is necessary for the Applicant's legitimate interests. In doing so, he must consider whether those interests might reasonably be met by any alternative means.
- "Necessary" means "reasonably" rather than "absolutely" or "strictly" necessary.
When considering whether disclosure would be necessary, public authorities should consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the Applicant's legitimate interests could reasonably be met by means which interfered less with the privacy of the data subject.
- The Authority submitted that it was not necessary for the Applicant to be provided with information in order to submit a complaint to the Authority or to report his concerns to the police.
- The Commissioner agrees that the Applicant does not require the specific information he has requested in order to make a complaint to the Authority or to Police Scotland. However, he notes that the Authority does not appear to have offered the Applicant any advice or guidance on how to make such a complaint. Given the seriousness of the allegations, the Commissioner is surprised that the Authority has not referred the Applicant to its complaints procedures or to Police Scotland directly. The Commissioner notes that the Applicant does not live in Scotland and he is likely to be unfamiliar with the process of making such a complaint.
- On balance, however, the Commissioner does not accept that disclosure through FOISA of the personal data sought in this case (if it existed and were held) would be necessary to fulfil the Applicant's legitimate interest. He considers that the Applicant has the option of making a complaint to the Authority, or a report to the Police at this juncture, and to this end he does not require the Authority to disclose the information he has requested.
- In all the circumstances of this case, the Commissioner concludes that condition (f) in Article 6(1) of the UK GDPR could not be met in relation to the personal data sought by the Applicant (assuming it existed and were held).
Conclusion on the data protection principles
- For the reasons set out above, the Commissioner is satisfied that disclosure of any relevant personal data, if it existed and were held, would breach the data protection principle in Article 5(1)(a) of the UK GDPR.
- In all the circumstances, the Commissioner is satisfied that such personal data would be exempt from disclosure under section 38(1)(b) of FOISA and that the Authority could give a refusal notice under section 16(1) of FOISA, on the basis that the information would be so exempt.
- Having accepted that the Authority could give a refusal notice under section 16(1) of FOISA on the basis that any relevant information would be exempt information by virtue of section 38(1)(b) of FOISA, the Commissioner is required by section 18(1) to go on to consider whether the Authority was entitled to conclude that it would be contrary to the public interest to reveal whether the information existed or was held.
Section 18(1) - The public interest
- The Applicant submitted that the information was required to guide his proper reporting of an alleged sexual assault, during a period when the named individual appeared to be affiliated to the Authority.
- He stated that the information was important to himself and his wife because they felt that the Authority, by denying their request for information, had categorically barred them from being heard on their complaint.
- The Applicant argued that if the facts on the named individual’s sexual behaviour were upheld, reporting them to the authorities would offer a measure of protection to the public, and would prevent the named individual from inflicting the same harm on other women. He contended that this would be in the public interest. The Applicant also reiterated his previous view that the information he had requested was not personal data, and he commented that much of the information was already published on the Authority’s website.
- The Authority argued that it was not in the public interest to confirm whether the requested information existed or not. It stated that it does not, as a matter of policy, confirm whether or not a named individual is a student at the Authority, regardless of whether the information is sought as part of a complaint or as an FOI request.
- It noted that the Applicant had made allegations in relation to a named individual under FOISA. The Authority stated that while it was unable to consider the motive of the Applicant, it must be mindful of any potential consequences or harm which may arise, even by confirming or implying that an individual is or was a student at the Authority. The Authority argued that, based on the information that has been provided, no public interest had been demonstrated, and it reiterated that if the Applicant wanted to take forward any form of complaint to the police or the Authority, he could do so without the Authority confirming or denying that the information exists and was held.
- It noted that while an individual could make a complaint to its Conduct Team, it was reluctant to refer the Applicant to its internal conduct mailbox, as it considered that any public interest in favour of the Applicant could be met by them reporting any alleged criminal conduct to Police Scotland.
- The Authority submitted that it must maintain a robust, fair and lawful complaints process, and it must process personal data lawfully and in compliance with the UK GDPR. It argued that it was in the public interest for it to operate an effective complaints process, and that publicly disclosing personal data under FOISA would significantly undermine that process, as well as breaching the UK GDPR.
- The Authority submitted that if it confirmed that specific terms of engagement or rules/regulations applied to a named individual, this would reveal that an identifiable individual was affiliated to the University, and it would disclose the nature of their role.
- The Authority argued that it was common for third parties to seek confirmation as to whether an individual was a student at the University, often as part of a complaints process, and for the reasons outlined above, it was important that the Authority adhered to the UK GDPR and did not routinely disclose this information. It submitted that it had many examples of where, on the face of it, disclosure would not appear to be unreasonable, but further information had highlighted that the individual would have been placed at considerable risk if the information had been disclosed.
- It added that further harm would be caused from disclosure of the information as individuals would no longer have confidence that the Authority was treating their information correctly and protecting details of whether or not they had a relationship with the Authority and, if so, what the terms were.
- The Authority commented that an analogy might be drawn by a local authority being asked to confirm that a named individual was a pupil at a specific secondary school and how long they had been at the school (where the requester had a photograph of the pupil on their social media channels or a media article referencing the child by name).
A public authority cannot fully predict what harm may arise from confirming that information is held or not (thereby disclosing by implication that they remain a pupil or not).
The Commissioner’s conclusions
- The test the Commissioner must consider is whether (having already concluded that the information, if it existed and was held, would be exempt from disclosure) it would have been contrary to the public interest to reveal whether the information existed or was held.
- Having considered the arguments submitted by both parties, the Commissioner is satisfied, in all the circumstances of this case, that it would have been contrary to the public interest for the Authority to disclose whether the information requested by the Applicant existed or was held, given that it would constitute a third party’s personal data and disclosure would breach that individual’s rights under the DPA 2018. (The Commissioner cannot accept, however, that it is possible to lay down rules of wholly general application as to whether it can ever be confirmed that an individual has been involved with this, or any other, Authority: it is of the essence of section 18(1) – and, for that matter, section 38(1)(b), assuming information did exist and were held – that each case must be considered on its own merits.)
- As a result, the Commissioner is satisfied that the Authority was entitled to refuse to confirm or deny, in accordance with section 18(1) of FOISA, whether it held the information requested by the Applicant or whether such information existed.
Decision
The Commissioner finds that the Authority complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant.
Appeal
Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.
Euan McCulloch
Head of Enforcement
12 June 2025