Decision 212/2024: Staffing issues at a named facility
Authority: High Life Highland
Case Ref: 202400490
Summary
The Applicant asked the Authority for a report on staffing issues and related statistics at a named facility run by the Authority. The Authority withheld the report on the basis that it related to the obtaining of information from confidential sources, and it withheld the statistics as it considered them third party personal data. The Commissioner investigated and found that the Authority was not entitled to withhold the report under the exemption claimed, but it was entitled to withhold the statistics as third party personal data. The Commissioner required the Authority to carry out a fresh review in relation to the report.
Relevant statutory provisions
Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 34(3)(Investigations by Scottish public authorities); 38(1)(b), (2A), (5) (definitions of "data protection principles", "data subject", "personal data", "processing" and “UK GDPR”) and (5A) (Personal information); 47(1) and (2) (Application for decision by Commissioner)
United Kingdom General Data Protection Regulation (the UK GDPR) articles 5(1)(a) and (f) (Principles relating to processing of personal data); 6(1)(f) (Lawfulness of processing); 9(1) and (2)(e) (Processing of special categories of personal data)
Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5) and (10) (Terms relating to the processing of personal data)
Background
1. On 20 February 2024, the Applicant made a request for information to the Authority. The Applicant asked for:
1) A copy of the report produced by [an employee of the Authority] in 2023 detailing staffing issues.
2) A copy of other reports produced by [the Authority] in 2023 detailing staffing issues.
3) The number of employees at [the Authority’s] East Caithness facility on sick leave periods exceeding 7 days throughout 2023.
4) The number of employees subject to suspensions at [the Authority’s] East Caithness facility throughout 2023.
5) The number of employees subject to any form of disciplinary action at [the Authority’s] East Caithness facility throughout 2023.
2. The Authority responded on 19 March 2024, in the following terms:
- for question 1, it withheld the information requested under the exemption in section 34(3) of FOISA
- for question 2, the Authority confirmed that it did not hold any other reports
- for questions 3, 4 and 5, it withheld the information requested under the exemption in section 38(1)(b) of FOISA.
3. On 25 March 2024, the Applicant wrote to the Authority requesting a review of its decision. The Applicant stated that he was dissatisfied with the decision because he considered the Authority had wrongly withheld the information requested.
4. The Authority notified the Applicant of the outcome of its review on 3 April 2024, fully upholding its original response.
5. On 4 April 2024, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. The Applicant stated he was dissatisfied with the outcome of the Authority’s review because he considered it had wrongly withheld the information requested.
Investigation
6. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.
7. On 17 April 2024, the Authority was notified in writing that the Applicant had made a valid application. The Authority was asked to send the Commissioner the information withheld from the Applicant. The Authority provided the information and the case was allocated to an investigating officer.
8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Authority was invited to comment on this application and to answer specific questions.
9. The Applicant confirmed that he was satisfied with the Authority’s response to question 2, so the Commissioner has not considered this further in his decision notice.
Commissioner’s analysis and findings
10. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority.
Section 34(3) – Investigations by Scottish public authorities
11. The Authority withheld information falling within the scope of question 1 under the exemption in section 34(3) of FOISA. This exemption has four strands, each of which must be satisfied for it to apply in any case:
(i) The information must have been obtained or recorded for the purposes of an investigation;
(ii) The investigation must have been carried out by virtue of his Majesty’s prerogative or under statutory powers;
(iii) The investigation must have been carried for one or more of the purposes listed in section 35(2) of FOISA; and
(iv) The information must relate to the obtaining of information from confidential sources.
12. Although sometimes treated as two separate exemptions, the exemption in section 34(3) of FOISA is in fact a single exemption. Sections 34(3)(a) and (b) must be read together.
13. The Authority confirmed that the information in question was gathered for the purposes of an internal investigation that it held following feedback it had received in relation to its East Caithness facility. However, in its submissions, the Authority confirmed that:
- it had not conducted the internal investigation under any statutory power, or under his Majesty’s prerogative
- it had not identified any purpose listed under section 35(2) of FOISA relevant to the internal investigation.
14. As the Authority has not evidenced that it has met the requirements for section 34(3)(a) of FOISA to apply, the Commissioner must conclude that the information in question was not properly withheld under section 34(3).
15. Given that he has found the section 34(3) exemption in FOISA does not apply, the Commissioner is not required to go on to consider the public interest test in section 2(1)(b) of FOISA in relation to this exemption.
Section 38(1)(b) – Personal Information
16. Section 38(1)(b), read in conjunction with section 38(2A)(a) (or (b)), exempts information from disclosure if it is “personal data”, as defined in section 3(2) of the DPA 2018 and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the GDPR.
Is the withheld information personal data?
17. The withheld information in question relates to questions 3, 4 and 5 of the Applicant’s request.
18. The first question the Commissioner must address is whether the information withheld by the Authority under this exemption is personal data for the purposes of section 3(2) of the DPA 2018, i.e. “any information relating to an identified or identifiable living individual”.
19. Section 3(3) of the DPA 2018 defines “identifiable living individual” as “a living individual who can be identified, directly or indirectly, in particular with reference to –
(a) an identifier such as a name, an identification number, location data or an online identifier, or
(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.”
20. The Court of Justice of the European Union looked at the question of identification in Breyer v Bundesrepublik Deutschland. The Court said that the correct test to consider is whether there is a realistic prospect of someone being identified. In deciding whether there is a realistic prospect of identification, account can be taken of information in the hands of a third party. However, there must be a realistic causal chain – if the risk of identification is "insignificant", the information will not be personal data.
21. Although this decision was made before the UK GDPR and the DPA 2018 came into force, the Commissioner expects that the same rules will apply. As set out in Recital (26) of the GDPR (the source of the UK GDPR), the determination of whether a natural person is identifiable should take account of all means reasonably likely to be used to identify the person, directly or indirectly.
22. In considering what is reasonably likely, the Recital states that all objective factors should be taken into account, such as the costs and amount of time required for identification, the available technology at the time of processing and technological developments. It confirms that data should be considered anonymous (and therefore no longer subject to the GDPR) when data subjects are no longer identifiable.
23. Public authorities responding to requests for numbers will therefore have to determine whether members of the public would be able (realistically) to identify individuals from the numbers, if they are disclosed.
24. The Authority submitted that, given the size of the community in which the facility is based, it would be possible to identify individuals from the disclosure of the high-level statistics requested by the Applicant.
25. The Authority also explained that the personal information in question 3 may be special category personal information, as described in Article 9 of the GDPR, as it could lead to the identification of individuals with health problems.
26. The Applicant argued that the information being withheld was management information, which could not be personal information.
27. In this case, due to the size of the community, further stratified by a small number of employees at the facility in question and information likely already known to, or accessible by, the Applicant, the Commissioner is satisfied, on balance, that there would be a realistic prospect of individuals being identified if the information were disclosed.
28. The Commissioner therefore concludes that the information withheld in response to questions 3-5 of the Applicant’s request is personal data for the purposes of section 3(2) of the DPA 2018.
29. Having agreed it would be personal data, the Commissioner concludes that the information requested in question 3 would be special category health data.
Would disclosure contravene one of the data protection principles?
30. The Authority argued that disclosing the personal data would breach the first and sixth data protection principles:
- The first data protection principle requires personal data to be processed “lawfully, fairly and in a transparent manner in relation to the data subject” (Article 5(1)(a) of the GDPR)
- The sixth data protection principle requires personal data to be processed in a manner that “ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures” (Article 5(1)(f) of the GDPR).
31. The definition of “processing” is wide and includes (section 3(4)(d) of the DPA 2018), “disclosure by transmission, dissemination or otherwise making available”. For the purposes of FOISA, personal data are processed when disclosed in response to a request.
32. As noted above, some of the information which has been redacted by the Authority is special category personal data. The Commissioner’s guidance on section 38(1)(b) notes (at paragraphs 70 to 72) that Article 9 of the UK GDPR only allows special category personal data to be processed in very limited circumstances
33. Although Schedule 1 to the DPA 2018 contains a wide range of conditions which allow authorities to process special category data, for the purposes of FOISA, the only situation where it is likely to be lawful to disclose third party special category data in response to an information request is where, in line with Article 9(2)(e) of the UK GDPR, the personal data has manifestly been made public by the data subject. Any public authority relying on this condition must be certain that the data subject made the disclosure with the intention of making the special category data public.
34. In this case, there is nothing to suggest that disclosing information relating to the health of employees of the Authority’s facility would comply with Article 9(2)(e) of the UK GDPR.
35. Consequently, the Commissioner is satisfied that it would be unlawful for the Authority to disclose this information. Disclosing the special category data would breach the first data protection principle. It is therefore exempt from disclosure under section 38(1)(b) of FOISA.
Non-special category personal data
36. The Commissioner must now consider the remaining personal data which has been withheld and decide whether disclosing it would breach the first data protection principle.
Lawful processing: Article 6(1)(f) of the UK GDPR
37. In considering lawfulness, the Commissioner must consider whether any of the conditions in Article 6(1) of the UK GDPR would allow the personal data to be disclosed.
38. The Commissioner considers that condition (f) is the only one condition which could potentially apply. This states that processing shall be lawful if it is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data ...”
39. Although Article 6(1) states that this condition cannot apply to processing carried out by a public authority in performance of its tasks, section 38(5A) of FOISA makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.
40. The tests which must be met before Article 6(1)(f) can be met are as follows:
(i) Would the Applicant have a legitimate interest in obtaining personal data?
(ii) If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?
(iii) Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subject(s)?
Does the Applicant have a legitimate interest in obtaining the personal data?
41. The Applicant explained that he considered there to be a public interest in this information as the facility is publicly funded.
42. The Authority did not consider that the Applicant had a legitimate interest in the requested information.
43. The Commissioner accepts that the Applicant has a legitimate interest in the management of a publicly funded facility and agrees that the withheld information would provide some insight into these matters.
Is disclosure necessary to achieve that legitimate interest?
44. The next question is whether disclosure of the personal data would be necessary to achieve the legitimate interest in the information. “Necessary” means “reasonably” rather than “absolutely” or “strictly” necessary.
45. When considering whether disclosure would be necessary, public authorities must consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the Applicant’s legitimate interest could reasonably be met by means which interfered less with the privacy of the data subject.
46. The Commissioner is not aware of any less restrictive means by which the Applicant’s legitimate interest could be met. The Applicant would not be able to obtain this information in any other way, and it is not information which is obviously in the public domain. In all the circumstances, the Commissioner agrees that disclosure would be necessary to achieve the Applicant’s legitimate interest in this case
47. The Commissioner will now consider whether the Applicant’s legitimate interest in obtaining the withheld information outweighs the rights and freedoms of the data subject(s).
The data subject(s) interests or fundamental rights and freedoms (and balancing exercise)
48. The Commissioner has concluded that the disclosure of the information would be necessary to achieve the Applicant’s legitimate interest. However, this must be balanced against the fundamental rights and freedoms of the staff in question. Only if the legitimate interest of the Applicant outweighed those of the data subject(s) could personal data be disclosed without breaching the first data protection principle.
49. The Commissioner has considered the submissions from both parties carefully. In carrying out the balancing exercise, much will depend on the reasonable expectations of the data subject(s).
50. The Authority noted that the withheld information relates to performance and disciplinary matters concerning its employees and that it only processed this information for the purposes of their employment. The Commissioner is satisfied that the information is information a person would not expect to be shared with the general public, which would be the effect of disclosure under FOISA.
51. After carefully balancing the legitimate interests of the Applicant against the interests or fundamental rights or freedoms of the data subject(s), the Commissioner finds that the legitimate interests served by disclosure of any information held would be outweighed by the unwarranted prejudice that would result to the rights and freedoms or legitimate interests of the individual(s) in question in this case.
52. In all the circumstances of this particular case, the Commissioner concludes that condition (f) in Article 6(1) of the UK GDPR could not be met in relation to the withheld personal data.
Fairness and transparency
53. Given that the Commissioner has concluded that the processing of the personal data, would be unlawful, he is not required to go on to consider whether disclosure of such personal data would otherwise be fair and transparent in relation to the data subject(s).
Conclusion on the data protection principles
54. For the reasons set out above, the Commissioner is satisfied that disclosure of the withheld personal data would breach the data protection principle in Article 5(1)(a) of the UK GDPR. Having reached this conclusion, he need not go on to consider whether disclosure would also breach the data protection principle in Article 5(1)(f) of the UK GDPR.
55. Given that disclosing the withheld personal data would contravene Article 5(1)(a) of the UK GDPR, the Commissioner is satisfied that the withheld personal data is exempt from disclosure under section 38(1)(b) of FOISA.
Decision
The Commissioner finds that the Authority partially complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant.
The Commissioner finds that by appropriately withholding personal information under section 38(1)(b) of FOISA, the Authority complied with Part 1.
However, the Commissioner finds that Authority failed to comply with Part 1 of FOISA by wrongly withholding information under the exemption in section 34(3) in relation to question 1 of the Applicant’s request.
The Commissioner therefore requires the Authority, in relation to question 1 of the Applicant’s request, to issue a revised review response to the Applicant, otherwise than in terms of section 34(3) of FOISA, by 15 November 2024.
Appeal
Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.
Enforcement
If the Authority fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that the Authority has failed to comply. The Court has the right to inquire into the matter and may deal with the Authority as if it had committed a contempt of court.
Euan McCulloch
Head of Enforcement
1 October 2024