Home Decisions

Decision 188/2025

Decision 188/2025:  Email correspondence of specified individual


Authority: General Teaching Council for Scotland
Case Ref: 202200902
 

Summary

The Applicant asked the Authority for email correspondence relating to a specified individual.  The Authority disclosed some information and withheld the remainder on the grounds it was personal data or would otherwise inhibit substantially the free and frank exchange of views.  During the investigation, the Authority withdrew its reliance on these exemptions for some information and argued that other information it had originally exempted from disclosure was instead out of scope of the Applicant’s request.  The Commissioner investigated and found that the Authority partially complied with FOISA in responding to the request.  He required the Authority to disclose some information it had wrongly withheld.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 2(1) and (2)(e)(ii) (Effect of exemptions); 30(b)(ii) (Prejudice to the effect conduct of public affairs); 38(1)(b), (2A), (5) (definitions of “the data protection principles”, “data subject”, “personal data” and “processing”, “the UK GDPR”) and (5A) (Personal information); 47(1) and (2) (Application for decision by Commissioner).

United Kingdom General Data Protection Regulation (the UK GDPR) Articles 5(1)(a) (Principles relating to the processing of personal data); 6(1)(f) (Lawfulness of processing). 

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5), (10) and (14)(a), (c) and (d) (Terms relating to the processing of personal data).

Background

  1. On 16 March 2022, the Applicant made a request for information to the Authority.  They requested:

    1. all emails sent to, from and forwarded on from [specified individual] related to GTCS matters in 2020 

    2. all emails sent to, from and forwarded on from [specified individual] related to GTCS matters in 2021 

    3. all emails sent to, from and forwarded on from [specified individual] related to GTCS matters for 2022 to the date of their request.

  2. The Authority responded on 13 April 2022, in the following terms:

  • for parts (i) and (ii), it issued the Applicant with a notice, in terms of section 17(1) of FOISA, that it did not hold emails prior to March 2021 (in accordance with its email retention policy)

  • for the information it held from March 2021 onwards which fell within the scope of parts (ii) and (iii), it disclosed three redacted documents, withholding some information under the exemptions in sections 38(1)(b) and 30(b)(ii) of FOISA

  • it stated that it had withheld “any further information … which may fall within scope of [the Applicant’s] request” under the exemption in section 38(1)(b) of FOISA.

  1. On 14 April 2022, the Applicant wrote to the Authority clarifying that their request related to the specified individual “in relation to [their] GTCS role” and explained their legitimate interest in the information requested.
  2. Later that same day, the Applicant wrote to the Authority requesting a review of its decision. They stated that they were dissatisfied with the decision for the following reasons:

  • they considered that all of the information requested should be disclosed

  • the Authority had “clearly” withheld some documentation in full which should be disclosed, subject to necessary redactions.

  1. The Authority notified the Applicant of the outcome of its review on 13 May 2022, which upheld its original response.  It also provided the Applicant with two fully redacted copies of documents that it had withheld in their entirety. It explained that it was not required to provide these copies to the Applicant, but it had done so to be of assistance.  
  2. On 16 August 2022, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA.  They stated that they were dissatisfied with the outcome of the Authority’s review for the reasons set out in their requirement for review. 

Investigation

  1. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.
  2. On 13 March 2025, the Authority was notified in writing that the Applicant had made a valid application.  The case was allocated to an investigating officer.  The Authority was also asked to send the Commissioner the information withheld from the Applicant, which it provided.
  3. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application.  The Authority was invited to comment on this application and to answer specific questions.  The Applicant was also invited to provide further comments.

Commissioner’s analysis and findings

  1. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority. 

Section 1(1) – General entitlement

  1. Section 1(1) of FOISA provides that a person who requests information from a Scottish public authority which holds it is entitled to be given that information by the authority, subject to qualifications which, by virtue of section 1(6) of FOISA, allow Scottish public authorities to withhold information or charge a fee for it.

The Authority’s change of position during the investigation

  1. During the investigation, the Authority changed its position in relation to some of the withheld information.  It withdrew its reliance on the exemption in section 30(b)(ii) of FOISA entirely and withdrew its reliance on the exemption in section 38(1)(b) in relation to some of the withheld information.
  2. The Commissioner welcomes the Authority’s decision to reconsider its position in relation to the withheld information. However, the effect of the Authority’s change of position is that it has withheld information from the Applicant to which it is no longer applying an exemption in FOISA.
  3. In the absence of an explanation from the Authority as to why that information was considered exempt from disclosure when the Authority responded to the Applicant’s request and requirement for review but was no longer exempt and therefore now able to be disclosed, the Commissioner must find that the Authority failed to comply with section 1(1) of FOISA.  He requires the Authority to disclose that information to the Applicant.
  4. As the Authority is no longer relying on the exemption in section 30(b)(ii) of FOISA to withhold any information from the Applicant, the Commissioner will therefore not consider that exemption further in his decision.  However, his decision will later consider the information that the Authority has continued to withhold under the exemption in section 38(1)(b) of FOISA.

Interpretation of request

  1. When responding to the Applicant’s requirement for review, the Authority disclosed two wholly redacted documents (comprising 96 pages in total) to the Applicant, withholding all information therein under various exemptions in FOISA.
  2. During the investigation, the Authority revised its position and stated that these documents (“Documents 4 and 5”) instead fell outwith the scope of the Applicant’s request.
  3. The Authority was asked to provide submissions as to why Documents 4 and 5 did not fall within the scope of the Applicant’s request. The Authority did so.

The Authority’s submissions

  1. The Authority referred to the Applicant’s email of 14 April 2022, which clarified that their request related to the specified individual in relation to “[their] GTCS role given the public interest which is associated with such a role”.
  2. The Authority submitted that Documents 1, 2 and 3 related to the specified individual in their role as a GTCS Council member but argued that Documents 4 and 5 specifically related to that individual in their professional capacity and specific job role within another Scottish public authority (which it identified).
  3. On reflection, the Authority acknowledged that its review response was “unfortunately incorrect” in giving the impression that Documents 4 and 5 were within scope of the Applicant’s request.
The Commissioner’s view
  1. The Commissioner has closely considered the terms of the Applicant’s original request and their subsequent clarification, the withheld information and the specified role and remit of a GTCS Council Member[1].
  2. Read plainly, the Commissioner considers that the Applicant’s original request related to the specified individual in the context of “GTCS matters” (which would have required a broader interpretation). However, he notes that the Applicant subsequently explained (prior to submitting his requirement for review) that he was specifically interested in correspondence relating to that individual in their role as a GTCS Council member.
  3. In view of this, the Commissioner is satisfied that the information withheld within Documents 4 and 5 does not relate to that individual in their capacity as a GTCS Council Member and therefore did not fall within the scope of the Applicant’s request.
  4. Given he is satisfied that Documents 4 and 5 fell outwith the scope of the Applicant’s request, the Commissioner will not consider further any exemptions applied to that information at the time the Authority responded to the Applicant’s requirement for review. 

Section 38(1)(b) – Personal information

  1. In this case, the Authority continues to rely on the exemption in section 38(1)(b) of FOISA to withhold some information falling within the scope of the Applicant’s request.
  2. Section 38(1)(b), read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is “personal data” (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR.
  3. The exemption in section 38(1)(b), applied on the basis set out in the preceding paragraph, is an absolute exemption.  This means that it is not subject to the public interest test in section 2(1)(b).
  4. To rely on this exemption, the Authority must show that the withheld information is personal data for the purposes of the DPA 2018 and that disclosure of the information into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles found in Article 5(1) of the UK GDPR.
  5. The Commissioner must determine whether the Authority was correct to withhold some information covered by the Applicant’s request under section 38(1)(b) of FOISA.

Is the withheld information personal data?

  1. The first question the Commissioner must address is whether the specific information withheld by the Authority, and identified as personal data, is personal data for the purposes of section 3(2) of the DPA 2018.
  2. “Personal data” is defined in section 3(2) of the DPA 2018 as “any information relating to an identified or identifiable living individual”.  Section 3(3) of the DPA 2018 defines “identifiable living individual” as a living individual who can be identified, directly or indirectly, in particular by reference to –

    1. an identifier such as a name, an identification number, location data, or an online identifier, or

    2. one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

  3. The two main elements of personal data are that the information must “relate” to a living person, and that person must be identified – or identifiable – from the data, or from the data and other accessible information.
  4. Information will “relate to” a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them, or has them as its main focus.  An individual is “identified” or “identifiable” if it is possible to distinguish them from other individuals.
  5. Having considered the information that the Authority has continued to withhold under the exemption in section 38(1)(b) of FOISA, the Commissioner notes that it principally comprises the names, contact details and job titles of individuals.  He is satisfied that this information is the personal data of identifiable individuals and, as such, is personal data in terms of section 3(2) of the DPA 2018.
  6. The withheld information contains a small amount of information relating to the personal circumstances of an individual.  Given the nature of that information and the relatively small pool of individuals to whom it could relate, the Commissioner is satisfied that there is a reasonable likelihood that an individual could be identified from that information.  Consequently, he is satisfied that this information is also personal data in terms of section 3(2) of the DPA 2018.
  7. The Commissioner also notes that a small amount of the withheld personal data reveals information about an individual’s health status and must therefore be considered special category health data.
  8. However, the Commissioner is not satisfied that a small amount of the information withheld by the Authority under the exemption in section 38(1)(b) of FOISA is personal data. This is because he does not consider that disclosure of that information would lead to a realistic causal chain of identification of living individuals.  Specifically, he does not consider the following information is personal data:

  • the name of an organisation and its postal address within an individual piece of correspondence 

  • a business email address which does not identify a living individual 

  • email address suffixes (e.g. “...@exampledomain.com”).

  1. The Commissioner’s guidance on section 38 of FOISA[2] (at paragraph 87) states that:

    “… it’s important to keep redactions to the minimum necessary to remove the risk of identification. This is particularly relevant where valuable context would be lost otherwise – consider, for example, whether the full email address needs to be redacted or just that part with the employee’s name (the rest is still likely to help the requester understand where the communications in question originated and were sent to).”

  2. The Commissioner must therefore find that the Authority was not entitled to withhold the specific information identified at paragraph 38 under section 38(1)(b) of FOISA.  He requires the Authority to disclose that information to the Applicant.
  3. For the information he is satisfied is personal data, the Commissioner considers this further below.

Would disclosure contravene one of the data protection principles?

  1. The Authority considered that disclosing the withheld personal data would breach the first data protection principle.  The first data protection principle in Article 5(1)(a) of the UK GDPR requires personal data to be processed “lawfully, fairly and in a transparent manner in relation to the data subject.”
  2. "Processing" of personal data is defined in section 3(4) of the DPA 2018.  It includes (section 3(4)(d)) disclosure by transmission, dissemination or otherwise making available personal data.  The definition therefore covers disclosing information into the public domain in response to a FOISA request.
Special category personal data
  1. The Commissioner will first consider whether it is lawful and fair to disclose the special category personal data that he has identified.
  2. The Commissioner’s guidance on section 38(1)(b) notes (at paragraphs 70 to 72) that Article 9 of the UK GDPR only allows special category personal data to be processed in very limited circumstances.
  3. Although Schedule 1 to the DPA 2018 contains a wide range of conditions which allow authorities to process special category data, for the purposes of FOISA, the only situation where it is likely to be lawful to disclose third party special category data in response to an information request is where, in line with Article 9(2)(e) of the UK GDPR, the personal data has manifestly been made public by the data subject.   Any public authority relying on this condition must be certain that the data subject made the disclosure with the intention of making the special category data public.
  4. In this case, there is nothing to suggest that disclosing information that would reveal the health status of an individual would comply with Article 9(2)(e) of the UK GDPR.  
  5. Consequently, the Commissioner is satisfied that it would be unlawful for the Authority to disclose that information as to do so would breach the first data protection principle.  He therefore finds the small amount of special category data he has identified to be exempt from disclosure under section 38(1)(b) of FOISA.

Non-special category personal data

  1. The Commissioner must now consider the remaining personal data which has been withheld and decide whether disclosing it would breach the first data protection principle.

Article 6(1)(f) of the UK GDPR - legitimate interests

  1. In considering lawfulness, the Commissioner must consider whether any of the conditions in Article 6 of the UK GDPR would allow the data to be disclosed.
  2. The Commissioner considers that condition (f) in Article 6(1) is the only condition which could potentially apply in the circumstances of this case.  This states that processing shall be lawful if it “is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data...”.
  3. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, section 38(5A) of FOISA makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.
  4. The three tests which must be fulfilled before Article 6(1)(f) can be relied on are as follows:

  5. (i)   does the Applicant have a legitimate interest in the personal data?

    (ii)   if so, would the disclosure of the personal data be necessary to achieve that legitimate interest?

    (Iiii) even if the processing would be necessary to achieve the legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subject(s) which require protection of personal data (in particular where the data subject is a child)?

Does the Applicant have a legitimate interest in obtaining the personal data?

  1. The Applicant submitted that they had a specific interest in the information withheld for personal purposes (which they specified in submissions to the Commissioner). They further considered that there was a strong public interest in disclosure of the information more broadly, for the purposes of transparency and accountability, on the basis that:

  • their request underpinned research regarding “child protection gaps”

  • they considered that the Authority had misled Parliament (and others) regarding child protection and safeguarding

  • the information would highlight covering up and mishandling of child protection and safeguarding matters

  • the information would, if disclosed, support improvements to child safeguarding.

  1. The Authority recognised that the Applicant had a legitimate interest but did not consider that this was “particularly” strong, characterising that interest as “speculative” and based on a general public interest associated with the role of an Authority board member.  It further submitted that, from the information available, it appeared that the Applicant’s interest was a matter of individual interest, rather than of interest to the broader public.
  2. In the circumstances, the Commissioner accepts, on balance, that the Applicant has a legitimate interest in obtaining the personal data.

Is disclosure necessary?

  1. Having satisfied himself that the Applicant has a legitimate interest, the Commissioner must consider whether disclosure of the withheld information, the personal data, is necessary to achieve the legitimate interest in the information.  
  2. “Necessary” means “reasonably” rather than “absolutely” or “strictly” necessary.  When considering whether disclosure would be necessary, public authorities must consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the Applicant’s legitimate interests could reasonably be met by means which interfered less with the privacy of the data subject(s).
  3. The Applicant argued that it was in the interests of the public for the information to be made available, for the reasons previously set out in paragraph 54.
  4. The Authority noted that the withheld information comprised the names and contact information of junior individuals and individuals outwith the Authority. It submitted that disclosure of that information was not necessary to fulfil the Applicant’s legitimate interest.
  5. The Authority also argued the Applicant’s request was broad and speculative and described it as a “fishing expedition” targeting a named individual.  It recognised that individuals holding public office had a public profile but submitted that it did not follow that this required all communications relating to that role to be placed in the public domain.

The Commissioner’s view on whether disclosure is necessary

  1. The Commissioner has carefully considered the arguments in relation to legitimate interests and, in particular, the Applicant’s comments on why he believes the information should be disclosed.
  2. While he acknowledges the Applicant’s legitimate interest in the accountability of the Authority (and the further personal context the Applicant set out), he is not persuaded that disclosure of the specific information withheld would serve the Applicant in their pursuit of those legitimate interests in any way.  He is not, therefore, satisfied that it is necessary for that information to be disclosed to fulfil the Applicant’s legitimate interests.
  3. As the Commissioner is not satisfied that disclosure of the withheld information is necessary to satisfy the Applicant’s legitimate interests, he is not required to go on to consider whether the legitimate interests of the Applicant outweigh the interests or fundamental rights and freedoms of the data subject(s).
  4. Having found that disclosure of the personal data would not be necessary to fulfil the Applicant’s legitimate interests, the Commissioner finds that condition (f) in Article 6(1) of the UK GDPR cannot be met in this case and that disclosure of the information in question would be unlawful.

Fairness and transparency

  1. Given that the Commissioner has concluded that the processing of the personal data, would be unlawful, he is not required to go on to consider whether disclosure of such personal data would otherwise be fair and transparent in relation to the data subject(s).

Conclusion on the data protection principles

  1. In all the circumstances, the Commissioner is satisfied, in the absence of a condition in Article 6 of the UK GDPR which would allow the data to be disclosed, that disclosure would be unlawful.  The personal data is therefore exempt from disclosure under section 38(1)(b) of FOISA.

Decision 

The Commissioner finds that the Authority partially complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant. 

The Commissioner finds that by relying on the exemption in section 38(1)(b) to withhold certain information, the Authority complied with Part 1 of FOISA.

However, the Commissioner finds that the Authority failed to comply with Part 1 of FOISA by wrongly withholding some information under the exemptions in sections 30(b)(ii) and 38(1)(b) of FOISA (including the information to which it was no longer applying either exemption).

The Commissioner therefore requires the Authority to disclose to the Applicant the information it wrongly withheld, by 15 September 2025.  He will provide the Authority with a marked-up copy of the information to be disclosed.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only.  Any such appeal must be made within 42 days after the date of intimation of this decision.

Enforcement 

If the Authority fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that the Authority has failed to comply.  The Court has the right to inquire into the matter and may deal with the Authority as if it had committed a contempt of court.

 

Euan McCulloch 

Head of Enforcement 

 

30 July 2025