Home Decisions

Decision 175/2025

Decision 175/2025:  Call recording data


Authority: Police Investigations and Review Commissioner
Case Ref: 202500125
 

Summary

The Applicant asked the Authority for the remainder of a transcript of a recorded call.  The Authority withheld the remainder of the call as third-party personal data. 

The Commissioner investigated and found that the Authority was entitled to withhold the information requested.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 38(1)(b), (2A) and (5) (definitions of “data protection principles”, “data subject”, “personal data” and “processing”) and (5A) (personal information); 47(1) and (2) (Application for decision by Commissioner).

United Kingdom General Data Protection Regulation (the UK GDPR) articles 5(1)(a) (Principles relating to the processing of personal data); 6(1)(f) (Lawfulness of processing).

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3)(a) & (b), (4)(d), (5), (10) and (14)(a), (c) and (d) (Terms relating to the processing of personal data).

Background

  1. On 19 November 2024, the Applicant made a request for information to the Authority. He asked for the following in relation to a telephone call that he had with a member of staff from the Authority from 9 April 2024: 

    1. “Please provide the name of the third member of staff 

    2. A copy of the phone call that I had with [named staff member] (full transcription of the call, in particular the conversation of other staff members discussing my case with [named staff member and call handler])” 

  2. The Authority responded on 25 November 2024. The Authority withheld the name of the third staff member and also the remainder of the call under section 38(1)(b) of FOISA as it considered the information to be personal data.
  3. It should be noted that the Applicant made an earlier request for this information on 30 July 2024, the Authority responded under both the Data Protection Act 2018 (DPA) and FOISA, on 22 August 2024. Its response considered that most of the call transcript fell within the scope of the Applicants request and was their own personal data, up to the point where the Authority’s call handler believed the Applicant had hung up.  As such a transcript of most of the call was released to the Applicant.  The remainder of the call and the name of the staff member requested were then considered under FOISA and withheld under section 38(1)(b).

  4. On 25 November 2024, the Applicant wrote to the Authority requesting a review of its decision. The Applicant stated that he was dissatisfied with the decision because “the data in the document of the transcript is not fully enclosed, as it misses out the conversation of other staff members discussing my case with [call handler]”.

    The Applicant stated that there is a legitimate and public interest in the information being disclosed because the Authority are a public body.  That the staff members involved could reasonably expect to be recorded whilst undertaking their duties. That the information being withheld is the personal data of the Applicant.

  5. The Authority notified the Applicant of the outcome of its review on 19 December 2024.  The Authority upheld the initial response, withholding the information under section 38(1)(b).  The Authority reasoned that the name of the staff member as well as the voices of staff members heard on the call and opinions expressed in the recorded information fulfils the requirements set out in the DPA, under the definition of ‘personal data’ in section 3(2) and that disclosure in response to this request would contravene Article 5(1) of the UK GDPR.  
  6. On 20 January 2025, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA.  The Applicant stated he was dissatisfied with the outcome of the Authority’s review because the Authority did not disclose the information requested. 

Investigation

  1. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.
  2. On 4 February 2025, the Authority was notified in writing that the Applicant had made a valid application.  The Authority was asked to send the Commissioner the information withheld from the Applicant.  The Authority provided the information, and the case was allocated to an investigating officer.
  3. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Authority was invited to comment on this application and to answer specific questions. These related to the Authority’s consideration of personal data and its rationale for its application of section 38(1)(b). What the Authority’s policies are for recording phone calls, privacy notices held as well as details of the staff members involved.  The Commissioner required the Authority to give further details of its handling of legitimate interests under 38(1)(b) and to further explain its position, given it accepted the Applicant has legitimate interests in relation to the withheld information.

Commissioner’s analysis and findings

  1. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority. 

Section 38(1)(b) – Personal information

  1. Section 38(1)(b), read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is “personal data” (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR.
  2. The exemption in section 38(1)(b), applied on the basis set out in the preceding paragraph, is an absolute exemption.  This means that it is not subject to the public interest test in section 2(1)(b).
  3. To rely on this exemption, the Authority must show that the withheld information is personal data for the purposes of the DPA 2018 and that disclosure of the information into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles found in Article 5(1) of the UK GDPR.
  4. The Commissioner must decide whether the Authority was correct to withhold some of the information covered by the Applicant’s request under section 38(1)(b) of FOISA.
Is the withheld information personal data?
  1. The first question the Commissioner must address is whether the specific information withheld by the Authority, and identified as personal data, is personal data for the purposes of section 3(2) of the DPA 2018.
  2. “Personal data” is defined in section 3(2) of the DPA 2018 as “any information relating to an identified or identifiable living individual”.  Section 3(3) of the DPA 2018 defines “identifiable living individual” as a living individual who can be identified, directly or indirectly, in particular by reference to –

    1. an identifier such as a name, an identification number, location data, or an online identifier, or

    2. one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

  3. The two main elements of personal data are that the information must “relate” to a living person, and that person must be identified – or identifiable – from the data, or from the data and other accessible information.
  4. Information will “relate to” a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them, or has them as its main focus.
  5. An individual is “identified” or “identifiable” if it is possible to distinguish them from other individuals.
  6. Having considered the information that the Authority is withholding under section 38(1)(b), the Commissioner notes that it contains names and personal opinions.  He accepts that this information relates to identifiable individuals.  The Commissioner is therefore satisfied that the withheld information is the personal data of identifiable individuals and, as such, is personal data in terms of section 3(2) of the DPA 2018.

Would disclosure contravene one of the data protection principles?

  1. The Authority considered the first principle was applicable in this case.
  2. Article 5(1)(a) of the UK GDPR requires personal data to be processed “lawfully, fairly and in a transparent manner in relation to the data subject.”
  3. "Processing" of personal data is defined in section 3(4) of the DPA 2018.  It includes (section 3(4)(d)) disclosure by transmission, dissemination or otherwise making available personal data.  The definition therefore covers disclosing information into the public domain in response to a FOISA request.
  4. The Commissioner must consider whether disclosure of the personal data would be lawful.  In considering lawfulness, he must consider whether any of the conditions in Article 6 of the UK GDPR would allow the data to be disclosed.
  5. The Authority considers condition (f) in Article 6(1) is the only condition which could potentially apply in the circumstances of this case. The Commissioner would agree.
Article 6(1)(f) of the UK GDPR - legitimate interests
  1. Condition (f) states that processing shall be lawful if it – “…is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data...”
  2. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, section 38(5A) of FOISA makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.

  3. The three tests which must be fulfilled before Article 6(1)(f) can be relied on are as follows (see paragraph 18 of South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55[1] - although this case was decided before the GDPR (and the UK GDPR) came into effect, the relevant tests are almost identical).

    i.  does the Applicant have a legitimate interest in the personal data?

    ii.  if so, would the disclosure of the personal data be necessary to achieve that legitimate interest?

    iii.  even if the processing would be necessary to achieve the legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subjects which require protection of personal data (in particular where the data subject is a child)?

Does the Applicant have a legitimate interest in obtaining the personal data?
  1. The Authority acknowledged that the Applicant has a legitimate interest in its response at review and its submissions.  The Applicant is considered to have a legitimate interest on a private and public level.
  2. The Applicant argued that part of the information withheld is also their personal data. They further added that the Authority as a public body should be held accountable for its actions thus there is also a public interest in the withheld information being disclosed. The Applicant argued that the staff members should expect their information to be disclosable in the course of their duties.
  3. The Authority’s review response and submissions were very clear.  The Authority recognised the legitimate interest and the public interest in the information but also recognised the rights and freedoms of its staff. Its comments referenced the idea that the balance of the public interest is weighed in relation to what would be in the public good and not simply of what is of interest to the public.
  4. The Commissioner has carefully reviewed these comments and agrees that the Applicant has a legitimate interest in the information. The Commissioner acknowledges that those interests are relevant to the Applicant on a personal and a public level, the information would allow the Applicant to pursue a complaint and or media coverage.  As such the Commissioner must now consider the second question of necessity.
Is disclosure of the personal data necessary?
  1. Having satisfied himself that the Applicant has a legitimate interest, the Commissioner must consider whether disclosure of the withheld information, the personal data, is necessary to achieve the legitimate interest in the information.  “Necessary” means “reasonably” rather than “absolutely” or “strictly” necessary.  When considering whether disclosure would be necessary, public authorities must consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the Applicant’s legitimate interests could reasonably be met by means which interfered less with the privacy of the data subject(s).  The Applicant argued that it was in the interests of the public for the information to be made available.
  2. The Authority submitted that disclosure of the information was not considered necessary to fulfil the Applicant’s legitimate interest.  It was the Authority’s view that the Applicant’s legitimate interest in his complaint being reviewed and dealt with did not require disclosure of the information because the person reviewing the complaint was aware of the identity of the members of staff involved.
  3. The Commissioner has considered the withheld personal data.  Whilst he acknowledges the Applicant’s legitimate interest in accountability of the Authority, he is not persuaded that disclosure would meet those legitimate interests.  Nor is he satisfied that it is necessary for this information to be disclosed to fulfil the Applicant’s legitimate interests.
  4. The Commissioner is aware, from the submissions received from the Authority, that the Applicant pursued a complaint in relation to this matter, which the Authority responded to. This can be considered an alternative means of satisfying the Applicant’s legitimate interests in this case.  Given this, the Commissioner considers that disclosure of the personal data would not further serve the Applicant in their pursuit of a grievance and so is not necessary.
  5. As the Commissioner is not satisfied that disclosure of the withheld information is necessary to satisfy the Applicant’s legitimate interests, he is not required to go on to consider whether the legitimate interests of the Applicant outweigh the interests or fundamental rights and freedoms of the data subject(s).
  6. Having found that disclosure of the personal data would not be necessary to fulfil the Applicant’s legitimate interests, the Commissioner finds that condition (f) in Article 6(1) of the UK GDPR cannot be met in this case and that disclosure of the information in question would be unlawful.
Fairness and transparency
  1. Given that the Commissioner has concluded that the processing of the personal data, would be unlawful, he is not required to go on to consider whether disclosure of such personal data would otherwise be fair and transparent in relation to the data subject(s).
Conclusion on the data protection principles
  1. In all the circumstances, the Commissioner is satisfied, in the absence of a condition in Article 6 of the UK GDPR which would allow the data to be disclosed, that disclosure would be unlawful.  The personal data is therefore exempt from disclosure under section 38(1)(b) of FOISA.

Decision 

The Commissioner finds that the Authority complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant.

Given that the Authority correctly withheld personal data under section 38(1)(b), the Commissioner does not require the Authority to take any action in respect of this in response to the Applicant’s application.

The Commissioner wishes to make it clear that his decision is restricted to only considering the data requested under FOISA. Should the applicant wish to challenge the approach taken under DPA then they should raise that with the UK Information Commissioner.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

 

David Hamilton

Scottish Information Commissioner

9 July 2025