Decision 150/2025: Information relating to specified individuals


Authority: University of Dundee
Case Ref: 202500048
 

Summary

The Applicant made a multi-part request for information relating to specified individuals.  The Authority responded to part of the request under data protection legislation and withheld the remaining information under FOISA.  The Commissioner investigated and found that the Authority had failed to comply with FOISA in responding to the request. He required the Authority to reconsider the request and issue a revised review outcome.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 10(1) (Time for compliance); 16 (Refusal of request); 21 (Review by Scottish public authority); 38(1)(a) and (b), (2A)(i), (5) (definitions of “the data protection principles”, “data subject”, “personal data”, “processing” and “the UK GDPR”) and (5A) (Personal information); 47(1) and (2) (Application for decision by Commissioner).

United Kingdom General Data Protection Regulation (the UK GDPR) articles 5(1)(a) (Principles relating to processing of personal data); 6(1)(f) (Lawfulness of processing).

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (10) and (14)(a), (c) and (d) (Terms relating to the processing of personal data).

Background

  1. On 31 July 2024, the Applicant made a multi-part request for information to the Authority under FOISA.
  2. The Authority responded to the request on 6 September 2024.
  3. On 11 September 2024, the Applicant refined part of their original 31 July 2024 request and repeated the remaining part of that request (via two emails to the Authority). They requested:
    (i) Teams conversations between [the Applicant] and [a specified individual]

    (ii) Teams conversations involving [various individuals] regarding “the development team”

    (iii) all qualifications and certifications held by [a specified individual]

    (iv) records of [a specified individual’s] employment history at the Authority, including job titles and responsibilities

    (v) any formal complaints brought up against [a specified individual]

    (vi) all emails, letters, memos, and other communications involving [a specified individual] related to [their] role and performance as a developer.

  4. The Authority responded on 11 October 2024, in the following terms:
  • for part (i), it responded under the DPA 2018 and refused to comply with the request on the basis it considered it to be manifestly unfounded and excessive

  • for part (ii), it responded under the DPA 2018 and refused to provide some information it considered exempt.  It also noted that the request did not comprise a subject access request (SAR) as it did not include a request for the Applicant’s own personal data  

  • for part (iii), it refused to disclose the personal qualifications of the specified individual on the basis that this information comprised third party personal data which was exempt from disclosure in terms of sections “40(2) and 13(2A)” of FOISA

  • for part (iv), it responded under FOISA and disclosed a copy of a job specification in relation to the individual specified.

  5. On 12 October 2024, the Applicant wrote to the Authority requesting a review of its decision. They stated that they were dissatisfied with the decision because they considered:
  • the Authority had failed to provide sufficient advice and assistance to enable them to narrow part (i) of their request

  • the third party personal data withheld related to the specified individual’s professional role and did not comprise sensitive personal data (and should therefore be disclosed).

  6. The Authority notified the Applicant of the outcome of its review on 23 December 2024, which upheld its original response without modification and advised the Applicant of their right of further appeal to the UK Information Commissioner’s Office (ICO).
  7. On 8 January 2025, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA.  They stated that they were dissatisfied with the outcome of the Authority’s review for the reasons set out in their requirement for review.  During the investigation, they also stated that they were dissatisfied the Authority had:
  • responded to parts (i) and (ii) of their request under data protection legislation when their request had been made under FOISA

  • failed to respond to their request for information in a timely manner.

Investigation

  1. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.
  2. On 4 February 2025, and in line with section 49(3)(a) of FOISA, the Commissioner gave the Authority notice in writing of the application.
  3. The case was subsequently allocated to an investigating officer.  The Authority was invited to comment on this application and to answer specific questions. The Applicant was also invited to provide further comments.
  4. During the investigation, the Authority provided the Commissioner with the information withheld from the Applicant.
  5. The Commissioner's remit extends only to the consideration of whether a Scottish public authority has complied with Part 1 of FOISA in responding to a request.  He cannot comment on whether a Scottish public authority should provide information to an applicant under any other rights or legislation (e.g. data protection legislation) or whether an authority has complied with these other rights or legislation.

Commissioner’s analysis and findings

  1. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority. 

Handling of request – parts (i) and (ii)

  1. Section 1(1) of FOISA provides that a person who requests information from a Scottish public authority which holds it is entitled to be given that information by the authority, subject to qualifications which, by virtue of section 1(6) of FOISA, allow Scottish public authorities to withhold information or charge a fee for it.
  2. It is a matter of fact that the Authority responded to parts (i) and (ii) of the Applicant’s request of 11 September 2024 under the DPA 2018.
  3. The Authority submitted that parts (i) and (ii) of the Applicant’s request included requests for copies of their own personal data and it had, therefore, interpreted these parts of the request as a SAR in accordance with guidance from the UK Information Commissioner’s Office, which required this approach to be taken “even where the wrong legislation is quoted”. 

The Commissioner’s view on parts (i) and (ii) 

  1. The Commissioner has issued guidance on section 38 of FOISA[1], and, in particular, the actions that should be taken by a Scottish public authority when it receives a request where someone asks for their own personal data. His guidance is clear that, even if an authority considers a request is for the applicant's own personal data, it should issue a refusal notice in terms of section 16 of FOISA: failure to do so is a failure to comply with Part 1 of FOISA.
  2. Where the information requested is a mix of the requester’s personal data and the personal data of third parties, the Commissioner’s guidance states:
  3. “If the personal data is difficult to separate, the appropriate way forward is to consider the information under the exemption in section 38(1)(a) … Treating the request as a request under the UK GDPR … will allow the public authority to consider whether disclosing any of the third party’s personal data would adversely affect their rights and freedoms in line with Article 15(4) of the UK GDPR …”

  4. In this case, therefore, the Commissioner considers that parts (i) and (ii) of the Applicant’s request were valid requests under section 1(1) of FOISA for information held by the Authority.  Given that these parts of the request met all the requirements of section 8(1) of FOISA and sought information which had at least the potential to extend beyond the Applicant’s own personal data, the Authority had a duty to provide the Applicant with a response which complied with section 16 of FOISA.
  5. Section 16(1) of FOISA states that where an authority holds information which is subject to a request under section 1(1) of FOISA, and which it intends to withhold under any exemption, the authority must give the applicant notice in writing to the effect that the information is held and specify which exemption it considers applies to the information (with reasons).
  6. The Commissioner therefore finds that the Authority failed to comply with the technical requirements of section 16 of FOISA, as outlined above, in responding to parts (i) and (ii) of the Applicant’s request for information.
  7. In the circumstances, the Commissioner requires the Authority to issue a revised review outcome (in terms of section 21 of FOISA) in response to parts (i) and (ii) of the Applicant’s request.  In doing so, the Authority must carry out fresh searches (which must be adequate and proportionate) to ensure that it identifies all information relevant to parts (i) and (ii) of the Applicant’s request.
  8. For the avoidance of doubt, the Authority’s revised review outcome must give the Applicant notice in writing to the effect that the information is held and, if it intends to withhold it, to specify which exemption(s) it considers applies to the information (with reasons).
  9. If the Authority considers that the information falling within scope of parts (i) and (ii) of the Applicant’s request is exempt, either in whole or in part, under section 38(1)(a) of FOISA on the basis it is the Applicant’s own personal data, it should provide them with advice and assistance, in line with section 15 of FOISA, on how to make a SAR under the UK GDPR/DPA 2018 for that information.

Handling of request – parts (iii) to (vi)

  1. Parts (iii) to (vi) of the Applicant’s request dated 11 September 2024 comprised requests for the personal data of a specified individual.  The Authority responded to these parts of the Applicant’s request under FOISA and disclosed some information while it withheld other information it considered to be third party personal data.  In what follows, the Commissioner will consider the Authority’s interpretation of parts (iii) to (vi) of the Applicant’s request and how it responded in terms of the requirements of FOISA.

The Applicant’s submissions on parts (iii) to (vi)

  1. The Applicant considered that they had made one request for information dated 31 July 2024, parts (iii) to (vi) of which they had subsequently refined on 11 September 2024. However, they did not consider these refinements had changed the scope of their original request dated 31 July 2024.

The Authority’s submissions on parts (iii) to (vi)

  1. During his investigation, the Commissioner asked the Authority to explain why its response to the Applicant’s request dated 11 September 2024 provided some information (and withheld other information) falling within the scope of parts (iii) and (iv) of the request but failed to fully address parts (iii) to (vi) of the request.
  2. The Authority submitted that the Applicant had made a number of distinct requests in their separate emails to the Authority dated 11 September 2024, but that each of these requests had been responded to in its single response dated 11 October 2024.
  3. The Authority was also asked to explain why, given that an email from the Applicant dated 11 September 2024 appeared to express dissatisfaction with its earlier decision to withhold third party data in response to parts (iii) to (vi) of their original 31 July 2024 request, it had treated that 11 September email as a fresh request for information instead of a requirement for a review of its earlier response to parts (iii) to (vi).
  4. The Authority stated that the Applicant’s email of 11 September relating to the personal data of a specified third party had not been identified as a request for review.

The Commissioner’s view on parts (iii) to (vi)

  1. The Commissioner recognises that the Applicant made a multi-part request on 31 July 2024 and that they submitted various emails to the Authority in respect of that request thereafter.
  2. Given the specific content of the Applicant’s email of 11 September 2024, the Commissioner considers that it would have been more reasonable for the Authority to have interpreted it as a requirement for review of the Authority’s earlier response to parts (iii) to (vi) of the Applicant’s request.
  3. The Authority did not do this and instead considered that the Applicant’s email of 11 September 2024, in respect of the personal data of a specified third party, comprised a fresh request for information.  The Applicant appears to have also accepted this, given that they subsequently sought a review of the Authority’s response to that request on 12 October 2024.
  4. In the circumstances, the Commissioner will consider the Applicant’s email dated 11 September 2024 as a new request for information in what follows.
  5. However, the Commissioner must note that he has decided to do so on the basis that it enables him to consider in this decision notice, to the fullest extent possible, each of the grounds of dissatisfaction set out by the Applicant.  He still considers it would have been more reasonable for the Authority to have treated the Applicant’s email dated 11 September 2024 as a requirement for review – its decision not to has unnecessarily complicated matters, as has the Authority’s handling of the request more generally.
  6. Having accepted, in the circumstances, that the Applicant’s email dated 11 September 2024 comprised a fresh request for information, the Commissioner considers, given the language of that email and the context of their earlier request, the Applicant intended that email to encapsulate the entirety of parts (iii) to (vi) of their original 31 July 2024 request.
  7. On 11 October 2024, as rehearsed earlier, the Authority responded to parts of the Applicant’s original request (withholding some third party personal data (part (iii)) and disclosing a copy of a job specification (part (iv))) but it did not respond to the remaining parts of that request at (iii) to (vi).
  8. As such, the Commissioner considers that the Authority’s interpretation of parts (iii) to (vi) of the Applicant’s request dated 11 September 2024 was too narrow for the following reasons: 
  • for part (iii) of the request, it withheld a specified individual’s “qualifications” under section 38(1)(b) of FOISA when the request sought that individual’s “qualifications and certifications”.  (The Commissioner considers this should be interpreted more widely than qualifications attained through formal study.)

  • for part (iv) of the request, it provided a single job specification when the request sought “records of [a specified individual’s] employment history including job titles and responsibilities”.  (It is clear from the Authority’s submissions that the individual specified has held more than one post.)

  • it did not engage with (or respond to) those parts of the Applicant’s request which sought any formal complaints against a specified individual (part (v) of the request) or communications relating to that individual in their role and performance as a developer (part (vi) of the request).

  9. The Commissioner cannot, therefore, be satisfied that the Authority has identified all relevant information falling within the scope of these parts of the Applicant’s request.
  10. In the circumstances, the Commissioner finds that the Authority failed to comply with section 1(1) of FOISA.  He requires the Authority to carry out fresh searches for information relevant to parts (iii) to (vi) of the Applicant’s request, to reach a decision on the basis of those searches and notify the Applicant of the outcome (all in terms of section 21 of FOISA).

Section 38(1)(b) – Personal information (part (iii))

  1. While the Commissioner is not satisfied that the Authority fully responded to part (iii) of the Applicant’s request, he will consider the information it withheld under section 38(1)(b) of FOISA in response to this part of their request.
  2. Section 38(1)(b), read in conjunction with section 38(2A)(a) (or (b)), exempts information from disclosure if it is “personal data”, as defined in section 3(2) of the DPA 2018 and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR.
  3. In this case, the Authority applied the exemption in section 38(1)(b) of FOISA, as read with section 38(2A)(a), to information falling within part (iii) of the Applicant’s request that it considered to be personal data (i.e. the qualifications of a specified Authority employee).

Is the information personal data?

  1. “Personal data” is defined in section 3(2) of the DPA 2018 as “any information relating to an identified or identifiable living individual”.  Section 3(3) of the DPA 2018 defines “identifiable living individual” as “a living individual who can be identified, directly or indirectly, in particular with reference to –
    1. an identifier such as a name, an identification number, location data or an online identifier, or

    2. one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.”

  2. The Commissioner is satisfied that the information being withheld under section 38(1)(b) is personal data: the data withheld relates to the qualifications of a specified individual.  A living individual is identifiable from this information and the information clearly relates to that individual. 

Would disclosure contravene one of the data protection principles?

  1. The Authority argued that disclosure would breach the data protection principle in Article 5(1)(a) of the UK GDPR.  Article 5(1)(a) states that personal data shall be processed “lawfully, fairly and in a transparent manner in relation to the data subject.”
  2. The definition of “processing” is wide and includes (section 3(4)(d) of the DPA 2018), “disclosure by transmission, dissemination or otherwise making available”. In the case of FOISA, personal data are processed when disclosed in response to a request.  This means that the personal data could only be disclosed if disclosure would be both lawful (i.e. if it would meet one of the conditions of lawful processing listed in Article 6(1) of the UK GDPR) and fair.

Lawful processing: Article 6(1)(f) of the UK GDPR

  1. In considering lawfulness, the Commissioner must consider whether any of the conditions in Article 6(1) of the UK GDPR would allow the personal data to be disclosed.
  2. The Commissioner considers that condition (f) is the only condition which could potentially apply.  This states that processing shall be lawful if it is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data ...”.
  3. Although Article 6(1) states that this condition cannot apply to processing carried out by a public authority in performance of its tasks, section 38(5A) of FOISA makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.
  4. The tests which must be met before Article 6(1)(f) can be met are as follows:
    1. Does the Applicant have a legitimate interest in obtaining personal data?

    2. If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?

    3. Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subject?

Does the Applicant have a legitimate interest in obtaining the personal data?

  1. The Applicant submitted that they had a specific interest in the information withheld for personal, employment-related purposes (which they specified in submissions to the Commissioner).  They further considered that there was a strong public interest in disclosure of the information more broadly, for the purposes of transparency and accountability, given the specified individual’s management role within the Authority.
  2. The Authority recognised the personal, employment-related purposes for which the Applicant had requested the data but submitted that the Applicant did not have a legitimate interest in the information withheld.
  3. In the circumstances, the Commissioner accepts that the Applicant has a legitimate interest in obtaining the personal data.

Is disclosure necessary?

  1. The next question is whether disclosure would be necessary to achieve the legitimate interest in the information.  “Necessary” means “reasonably” rather than “absolutely” or “strictly” necessary.  When considering whether disclosure would be necessary, public authorities must consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the Applicant’s legitimate interest could reasonably be met by means which interfered less with the privacy of the data subject.
  2. The Applicant submitted that disclosure of the information was the only means by which they could identify the specified individual’s qualifications and experience, which was directly relevant to the employment-related purposes they had specified.
  3. The Authority submitted that disclosure of the withheld information was not necessary to satisfy the Applicant’s legitimate interest, given the Applicant could address their concerns through an employment-related route (which it considered the most appropriate).
  4. In the circumstances, the Commissioner accepts that disclosure of the remaining personal data is necessary to achieve the Applicant's legitimate interests.

The data subject’s interests or fundamental rights and freedoms (and balancing exercise)

  1. The Commissioner has concluded, on balance, that the disclosure of the information requested would be necessary to achieve the Applicant’s legitimate interests.  However, this must be balanced against the fundamental rights and freedoms of the named individual.  Only if the legitimate interests of the Applicant outweighed those of the data subject could personal data be disclosed without breaching the first data protection principle.
  2. The Commissioner has considered the submissions from both parties carefully, in the light of the decision by the Supreme Court in South Lanarkshire Authority v Scottish Information Commissioner [2013] UKSC 55[2].
  3. In carrying out the balancing exercise, much will depend on the reasonable expectations of the data subject.  Factors which will be relevant in determining reasonable expectations include:
    1. whether the information relates to the individual’s public life (i.e. their work as a public official or employee) or their private life (i.e. their home, family, social life or finances)

    2. the potential harm or distress that may be caused by disclosure

    3. whether the individual objected to the disclosure.

  4. The Applicant recognised that sensitive personal data might rightly be withheld under the exemption but argued that the Authority had been wrong to withhold the information in this case, given it related to the specified individual in their professional capacity.  They further argued that the information should be disclosed given it related to accountability, conduct and decision-making in a publicly funded role.
  5. The Authority accepted that disclosure of personal data may be permitted where an employee made major policy decisions or decisions relating to the expenditure of public funds, but submitted that this did not apply in this case.  It also noted, however, that information relating to the individual specified in parts (iii) to (vi) of the Applicant’s request was publicly available on the Authority’s website.
  6. Having carefully balanced the legitimate interests of the Applicant against the interests or fundamental rights or freedoms of the data subject, the Commissioner finds that the legitimate interests served by disclosure of the personal data would not be outweighed by any unwarranted prejudice that would result to the rights and freedoms and legitimate interests of the data subject.
  7. The Commissioner does not accept, considering the information publicly available on the Authority’s website, that distress or harm would be caused by disclosure of the withheld information in this case.  He cannot accept that the rights and freedoms of the specified individual outweigh the legitimate interests of the Applicant.
  8. In the circumstances of this particular case, the Commissioner finds that condition (f) in Article 6(1) of the UK GDPR can be met in relation to the withheld personal data.

Fairness 

  1. The Commissioner must also consider whether disclosure would be fair.  He finds, for the same reasons as he finds that condition (f) in Article 6(1) can be met, that disclosure of the withheld information would be fair.

Conclusions on the data protection principles

  1. In the absence of any reason for finding disclosure to be unlawful other than a breach of Article 5(1)(a) and given that the Commissioner is satisfied that condition (f) can be met, he must find that disclosure would be lawful in this case.  He therefore finds that disclosure of the withheld information would not breach the first data protection principle, and so the Authority was not entitled to withhold this information under the exemption in section 38(1)(b) of FOISA.
  2. The Commissioner requires the Authority to disclose to the Applicant the information presently withheld in relation to part (iv) of their request.

Statutory timescales

  1. Given he has accepted that the Applicant made a request for information on 11 September 2024 the Commissioner is restricted, here, to coming to a decision on the Authority’s compliance with statutory timescales as they relate to that request of 11 September 2024, solely.
  2. Section 10(1) of FOISA gives Scottish public authorities a maximum of 20 working days following the date of receipt of the request to comply with a request for information.  This is subject to qualifications which are not relevant in this case.  
  3. It is a matter of fact that the Authority did not provide a response to the Applicant’s request for information dated 11 September 2024 within 20 working days, so the Commissioner finds that it failed to comply with section 10(1) of FOISA.
  4. Section 21(1) of FOISA gives Scottish public authorities a maximum of 20 working days following the date of receipt of the requirement to comply with a requirement for review. Again, this is subject to qualifications which are not relevant in this case.
  5. It is a matter of fact that the Authority did not provide a response to the Applicant’s requirement for review dated 12 October 2024 within 20 working days so the Commissioner finds that it failed to comply with section 21(1) of FOISA.

Handling matters

  1. In the circumstances, the Commissioner must comment further on the Authority’s handling of the request.  While he acknowledges that the request in this case was not straightforward to respond to, the Authority’s handling of it has unnecessarily complicated matters.
  2. Requesters are entitled to clear and rational responses to requests for information. In this case, the Authority has, at points, conflated (and confused) different provisions of FOISA, data protection legislation with FOISA, and FOISA with the Freedom of Information Act 2000 (FOIA).  This is unacceptable.
  3. The Commissioner also notes that the Authority’s review outcome dated 23 December 2024 failed to provide the Applicant with particulars of their rights of application to the Commissioner and of appeal to the Court of Session in relation to the parts of the Applicant’s request it considered fell to be responded to in terms of FOISA, as required by section 21(10).
  4. The Commissioner requires the Authority, when completing its revised review outcome, to pay particular attention to his guidance on the content of notices[3] to ensure that its revised review outcome meets the requirements of FOISA and is otherwise clear and rational.
  5. As stated above, the Commissioner’s remit extends only to the consideration of whether a Scottish public authority has complied with Part 1 of FOISA in responding to a request.  He cannot, therefore, consider whether the Authority was entitled to refuse to comply with part (i) of the request under the UK GDPR/DPA 2018 on the basis it was manifestly excessive.
  6. However, in general terms, the Commissioner would note that the Applicant made efforts from 31 July 2024 onwards to refine part (i) of their request to allow the Authority to respond to it.  Under FOISA, if the Authority received a request that it considered to comply would either exceed the upper cost limit, or be vexatious in terms of the significant burden imposed or the manifestly unreasonable nature of the request, the Commissioner would expect the Authority to be able to clearly demonstrate that it had provided adequate advice and assistance to enable the requester to refine their request to allow the Authority to respond to it.

Decision 

The Commissioner finds that the Authority failed to comply with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant. 

Specifically, the Commissioner finds that the Authority failed to comply with section 1(1) of FOISA in the following respects:

  • it failed to issue a compliant refusal notice in terms of section 16 of FOISA for parts (i) and (ii) of the Applicant’s request

  • it failed to fully respond to parts (iii) to (vi) of the Applicant’s request 

  • it was not entitled to withhold personal data under section 38(1)(b) of FOISA in response to part (iii) of the Applicant’s request

  • it failed to respond to the Applicant’s request for information and requirement for review within the timescales laid down by sections 10(1) and 21(1) of FOISA

  • it failed to provide particulars about the Applicant’s rights of application to the Commissioner and of appeal to the Court of Session, as required by section 21(10) of FOISA.

The Commissioner therefore requires the Authority to:

  • disclose to the Applicant the information wrongly withheld under section 38(1)(b) of FOISA in response to part (iii) of the Applicant’s request

  • carry out fresh, adequate, proportionate searches for information falling within the scope of the Applicant’s request (at parts (i) to (vi)), reach a decision on the basis of these searches and notify the Applicant of the outcome by way of a revised review outcome (all in terms of section 21 of FOISA)

  • ensure that the revised review outcome gives the Applicant notice in writing to the effect that the information is held and, if it intends to withhold it, to specify which exemption(s) it considers applies, with reasons (including citing section 38(1)(a) of FOISA where that exemption is being applied to information comprising the personal data of the Applicant)

  • provide the Applicant with advice and assistance, in line with section 15 of FOISA, on how to make a SAR under the UK GDPR/DPA 2018 for their own personal data, if it considers that any information falling within scope of the Applicant’s request is exempt, either in whole or in part, under section 38(1)(a) of FOISA.

The Authority is required to comply by 28 July 2025.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only.  Any such appeal must be made within 42 days after the date of intimation of this decision.

Enforcement 

If the Authority fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that the Authority has failed to comply.  The Court has the right to inquire into the matter and may deal with the Authority as if it had committed a contempt of court.

 

Euan McCulloch 

Head of Enforcement 


13 June 2025