Home Decisions

Decision 214/2025

Decision 214/2025: Information relating to the processing and outcome of an investigation


Authority: General Teaching Council for Scotland
Case Ref: 202500186
 

Summary

The Applicant asked the Authority for information in a multi-part request relating to how a complaint had been handled.  The Authority identified some information that it withheld as third party personal information and stated it did not hold recorded information falling within the remainder of the Applicant’s request.  The Commissioner investigated and found that the information had been correctly withheld, and he was satisfied the Authority did not hold the other information requested.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 17(1) (Notice that information is not held); 38(1)(b), (2A) and (5) (definitions of “data protection principles”,” data subject”, ”personal data” and “processing”) and (5A) (Personal information); 47(1) and (2) (Application for decision by Commissioner).

United Kingdom General Data Protection Regulation (the UK GDPR) articles 4(1) (definition of “personal data” (Definitions); 5(1)(a) (principles relating to processing of personal data).

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), 4(d), (5) and (10) (Terms relating to the processing of personal data).

Background

  1. On 28 November 2024, the Applicant made a request for information to the Authority. He asked, in relation to a statement received by the Applicant from the Authority - “You have made an allegation about a senior member of [Authority] staff which I will progress through internal processes”, for:

  • The internal processes that were used by the Authority to progress the matter,

and:

  1. Copies of all internal correspondence demonstrating that the matter was appropriately investigated

  2. Copies of any document or correspondence demonstrating that any conclusion was reached regarding what the Authority referred to as “an allegation” through its progression of the matter

  3. Copies of any document or correspondence demonstrating a need for improvement in GTCS processes was found as a result of its progression of the matter

  4. Copies of any document or correspondence demonstrating that any irregularity or failing was found in the actions of any individual(s) as a result of the Authority’s progression of the matter

  5. Copies of any document or correspondence demonstrating that any learning or improvement resulted from the Authority’s progression of the matter

He asked for any personal information to be redacted, and also for redaction ” where other exemptions are required, but without applying exemptions in a blanket fashion within a document or piece of correspondence.”   

  1. The Authority responded on 24 December 2024.  It informed the Applicant that the information requested in parts (i), (ii) and (iv) of the request would be considered confidential and applied the exemption in section 38(1)(b) of FOISA.  In relation to parts (iii) and (v) the Authority responded in terms of section 17, on the basis that no information was held.
  2. On 30 December 2024, the Applicant wrote to the Authority requesting a review of its decision. The Applicant stated that he was dissatisfied with the decision because:

  • He considered he should have received at least the information he would have done had his complaint been dealt with through the complaint procedure.  He stated that it was a normal part of any complaint process that providing a response to the complaint will involve disclosing some personal information about staff.  He also considered that staff could expect that in working for an organisation where they are subject to the complaints procedure, limited personal information may be disclosed if a complaint is made.

  • Where the Authority applied an exemption, he believed it was possible to largely comply with the request through appropriate redactions or summarisation to keep personal information private while respecting the public’s right to know.

  • He believed the response contained a contradiction as an exemption cannot be applied to information unless it has been determined that the information exists. Therefore, on points (i), (ii) and (iv) the Authority indicated that information existed.  The Applicant questioned whether it was reasonable to say that information existed which demonstrated that an irregularity or failing was found while also saying that there was no document or correspondence which demonstrated that a need for improvement in the Authority’s processes was found.

  1. The Authority notified the Applicant of the outcome of its review on 29 January 2025.  The Authority explained that its initial application of section 38(1)(b) to parts (i), (ii) and (iv) of the request was made in order to confirm that it considered the request to be inherently relating to personal data.   It went on to say that the response was not intended to, nor did it confirm, that information was held.  The Authority considered that the response provided to the Applicant had been incomplete and that in its review of the information, given the nature of the information requested, section 18(1) of FOISA ought to have been applied to the whole request.  Following its review, the Authority upheld its reliance on section 38(1)(b) in relation to part (i) of the request and responded in terms of section 17 to parts (ii) and (iv).  It upheld its response in terms of section 17 to parts (iii) and (v) of the request.
  2. On 3 February 2025, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA.  The Applicant stated he was dissatisfied with the outcome of the Authority’s review because he was not confident that the responses given were correct, and whether any information did exist where an exemption had been applied.  He disagreed with the application of section 38(1)(b). The Applicant also questioned the Authority’s mention of section 18(1) of FOISA and that it had not addressed the first part of his request (noted in paragraph 1 above but not numbered).
  3. As the Authority did not rely on section 18(1) of FOISA in its review outcome the Commissioner will not consider it in this decision (although he would observe that it is not apparent to him how the reference was intended to add anything of value to its handling of the request).  Also, as the Applicant did not raise the Authority’s failure to address the first part of his request in his requirement for review, the Commissioner cannot consider that matter in this Decision. 

Investigation

  1. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.
  2. On 19 February 2025, the Authority was notified in writing that the Applicant had made a valid application.  The Authority was asked to send the Commissioner the information withheld from the Applicant.  The Authority provided the information, and the case was allocated to an investigating officer.
  3. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application.  The Authority was invited to comment on this application and to answer specific questions.  These related to the searches it had carried out to determine what information was held falling with the scope of the request, and its reasons for relying on section 38(1)(b) of FOISA for withholding information from the Applicant.  
  4. The Applicant was asked for any comments he wished the Commissioner to consider, which he provided. 

Commissioner’s analysis and findings

  1. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority. 

Background

  1. The Applicant had raised a concern with the Authority about a senior member of staff.  The Authority had responded informing the Applicant that this did not meet the scope of its service complaints procedure but that it would be progressed through internal processes.   

Information falling within the scope of the request

  1. Section 1(1) of FOISA provides that a person who requests information from a Scottish public authority which holds it is entitled to be given that information by the authority, subject to qualifications which, by virtue of section 1(6) of FOISA, allow Scottish public authorities to withhold information or charge a fee for it.  The qualifications contained in section 1(6) are not applicable in this case.
  2. The information to be given is that held by the Authority at the time the request is received, as defined by section 1(4).  This is not necessarily to be equated with information that an applicant believes the public authority should hold.  If no such information is held by the public authority, section 17(1) of FOISA requires the authority to give the applicant notice in writing to that effect.
  3. The standard of proof to determine whether a Scottish public authority holds information is the civil standard of the balance of probabilities.  In determining where the balance of probabilities lies, the Commissioner considers the scope, quality, thoroughness and results of the searches carried out by the public authority.  He also considers, where appropriate any reasons offered by the public authority to explain why it does not hold the information.  While it may be relevant as part of this exercise to explore expectations about what information the authority should hold, ultimately the Commissioner’s role is to determine what relevant recorded information is (or was, at the time the request was received) actually held by the public authority.   

The Authority's submissions 

  1. The Authority identified information that fell within the scope of part (i) of the Applicant’s request that it withheld in full, relying on section 38(1)(b) of FOISA. It maintained that it held no recorded information falling within the scope of parts (ii), (iii), (iv) and (v) of the request.
  2. The Authority explained that given the nature of the request, her knowledge of the matter and her seniority, the process of locating information falling within the scope of the request was dealt with directly by the Chief Executive.  She was aware of the recorded information that was held and of discussions that had taken place via a routine Teams call for which no recorded information was held.   

The Applicant's submissions about the exemption/exception

  1. The Applicant questioned whether information falling within the scope of his request, i.e. information that demonstrated that the matter he had raised had been appropriately investigated, was actually held by the Authority.  His view being that if information did not exist, then an exemption could not be applied.
  2. The Applicant, in his submissions, referred to Decision 155/2019[1], and considered it relevant when considering the Authority’s response in this case.   

The Commissioner's view 

  1. The Commissioner has fully considered the submissions from both the Applicant and Authority as well as the withheld information.  He has considered the explanations and supporting evidence provided by the Authority setting out its position in relation to the request and the information held.
  2. The Applicant has placed an emphasis on the fact that his request focused on information held by the Authority that demonstrated that his concern had been appropriately investigated.  The Authority identified some information it considered to fall within scope of part (i) of his request but argued that it held no information for parts (ii) to (v) of the request.   
  3. The Commissioner is satisfied, on the balance of probabilities, given the nature of the request and the level of seniority of those involved that the steps taken by the Authority to determine what recorded information was held falling within the scope of the request were adequate and were capable of identifying any recorded information held relevant to the request.
  4. The Commissioner notes the Applicant’s emphasis on his request seeking information that shows his concern was “appropriately” investigated, and whether it was entitled to apply an exemption.  The Authority described the searches it carried out to establish the recorded information it held and considered to fall within the scope of the Applicant’s request.
  5. The Commissioner has considered Decision 155/2019, referred to by the Applicant. This Decision related to whether an authority was entitled to say it held information falling within the scope of an applicant’s request or whether it should have responded in terms of section 17.
  6. In that case, the Commissioner found that the  authority did not in fact hold any of the information that had been requested as the allegations made by the applicant in that case were quite distinct and the information the authority deemed to be within the scope of the request did not, in the Commissioner’s view, comprise or include such information.
  7. The Commissioner considers this decision is relevant in that the circumstances and underlying principle are similar.  It differs, in that in this case no documented investigative process has been followed, given that the Authority determined that the Applicant’s concern did not meet the scope of its service complaint procedure.
  8. Whether the investigation was appropriate or not would involve a subjective view.  The Applicant may have a different view to the Authority on what is “appropriate”.   The Commissioner is not in a position to form a view on this matter.  He is, however, satisfied that the information identified by the Authority as meeting the requirements of part (i) of the Applicant’s request is sufficiently related to the subject matter of the request to fall within scope.
  9. The Commissioner therefore finds that, on the balance of probabilities, the Authority was correct to give notice, in terms of section 17(1) of FOISA, that it did not hold recorded information which would fulfil parts (ii) to (v) of the request, but that it did hold recorded information falling within the scope of part (i) of the request.  In reaching that conclusion on what it held, the Commissioner is satisfied that the Authority addressed the request as a whole.
  10. As the Authority has relied on the exemption in section 38(1)(b) of FOISA for withholding the information which falls within scope of part (i) of the request the Commissioner will go on to consider that now.

Section 38(1)(b) – personal information

  1. Section 38(1)(b) read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is “personal data” (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR.
  2. The exemption in section 38(1)(b) of FOISA applied on the basis set out in the preceding paragraph, is an absolute exemption.  This means it is not subject to the public interest test in section 2(1)(b).
  3. To rely on this exemption, the Authority must show that the withheld information is personal data for the purposes of the DPA 2018 and that disclosure of the information into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles found in Article 5(1) of the UK GDPR. 

Is the withheld information personal data

  1. The first question the Commissioner must address is whether the information being withheld under this exemption is personal data for the purposes of section 3(2) of the DPA 2018.
  2. Personal data” is defined in section 3(2) of the DPA 2018 as “any information relating to an identified or identifiable living individual”.  Section 3(3) of the DPA 2018 defines “identifiable living individual” as a living individual who can be identified, directly or indirectly, in particular by reference to – 

(i)   an identifier, such as a name, an identification number, location data, or an online identifier, or

(ii)  one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

  1. The two main elements of personal data are that the information must “relate” to a living individual, and that individual must be identified – or identifiable – from the data, or from the data and other accessible information.
  2. Information will “relate to” a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them, or has them as its main focus.
  3. An individual is “identified” or “identifiable” if it is possible to distinguish them from other individuals.
  4. The Authority submitted that the information contained in the withheld information was personal data because it identified living individuals and was related to them.
  5. Having considered the information the Authority is withholding, the Commissioner notes that it contains the names of and details of an exchange between individuals and he accepts that it relates to identifiable individuals.  He is therefore satisfied that the withheld information is the personal data of identifiable individuals and, as such, is personal data in terms of section 3(2) of the DPA 2018.
  6. Notwithstanding that the Applicant appears to have been clear in his original request that he was not seeking personal data, the Commissioner will (for the sake of completeness) go on to consider the Authority’s application of the section 38(1)(b) exemption in this case.

Would disclosure contravene one of the data protection principles?

  1. The Authority considered that disclosure would contravene the first data protection principle in Article 5(1) of the UK GDPR, namely that “personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject”.
  2. The definition of processing is wide and includes (section 3(4)(d) of the DPA 2018) “disclosure by transmission, dissemination or otherwise making available”. In the case of FOISA, personal data are processed when disclosed in relation to a request.  This means that, the personal data could only be disclosed if disclosure would be both lawful (i.e. if it would meet one of the conditions of lawful processing listed in Article 6(1) of the UK GDPR) and fair. 

Fairness

  1. Article 5(1) of the UK GDPR requires processing to be fair as well as lawful, so fairness needs to considered separately.
  2. Guidance from the UK ICO[2] in relation to the UK GDPR states that fairness means that personal data should only be handled in ways that people would reasonably expect and not used in ways that would have unjustified adverse effects on them.
  3. The following issues should therefore be considered when looking at fairness: 

  • Whether the individual expects their role to be subject to public scrutiny.  Consideration should be given to the person’s seniority, whether they have a public profile and whether their role requires a significant level of personal judgement and individual responsibility. 

  • Whether any distress or damage would be caused to the data subject as a result of the disclosure. 

  • Any express refusal by the data subject. 

  • Whether the information relates to the data subject’s public or private life.  A person’s private life is likely to deserve more protection.

  1. The Authority considered that disclosure of the requested information into the public domain would be unfair to the individuals to whom the data related as it concerned a serious and, in its view, unfounded allegation against a member of the Authority’s staff.  It did not accept a suggestion from the Applicant that staff working in an organisation where they are subject to a complaints procedure could expect that limited personal data may be disclosed if a complaint were made.
  2. The Authority considered that there was no expectation, nor was it a reasonable expectation that at any time someone could make a complaint about a member of staff and the fact of the complaint and their identity as the person complained about could be put into the public domain, together with any other personal data, limited or not.  Its view was that such disclosure of information into the public domain by an employer would be unfair.
  3. It further commented that disclosure into the public domain of allegations that it considered were unfounded would likely cause damage and distress to the individual to whom they related.  The Authority also noted that damage to reputation was recognised as a form of non-material damage in the UK DPA and that as a data controller it had a duty to take steps to avoid such damage, which would compound the unfairness of a disclosure of the withheld information.
  4. The Applicant’s view was that organisations have complaint procedures, and employees can expect that if a complaint is received the complainant will receive information about the investigation. He referenced the Authority’s own complaint procedure that made clear that complaints can be about “the conduct of a specific member our staff” and that complainants will receive a “full response”.  
  5. To support his view, the Applicant, in his submissions, provided the Commissioner with copies of responses he had received from the Authority to previous, unrelated complaints that had been through its documented Complaint Process.  The Applicant also referred to (and provided) information he had received in relation to a previous FOI request that related to complaints that had resulted in the involvement of an Independent Reviewer.
  6. The Applicant stated that the responses provided to him as part of the Complaint Process contained limited personal information, and that the information he received in response to an FOI request had minimal redactions.  He considered that this demonstrated that it was normal for the Authority to put complaint investigation reports into the public domain if requested.
  7. The Commissioner has considered the arguments from both the Applicant and Authority as well as the withheld information.  He must, of course, consider all aspects of fairness, including the data subject’s reasonable expectations, objectively: while expectations set by the employer will generally be relevant, they cannot be presumed reasonable in all circumstances.
  8. The information in question does relate to the data subjects’ public life, and these individuals could well expect there to be level of public scrutiny given their positions within a publicly funded organisation.
  9. The Commissioner acknowledges the Applicant’s point that someone who raises a concern might reasonably expect to receive feedback on what happened as the result of any investigation, and that any employee complained about might reasonably expect this too.  The previous complaint information provided to the Commissioner by the Applicant during the investigation would seem to support this position.  He notes, however, that disclosure under FOISA is not just disclosure to the Applicant but rather to the public at large and considers that an employee may not have a reasonable expectation of this occurring.
  10. The information previously provided to the Applicant in response to an FOI request, the Commissioner notes, did not contain any personal information that would identify either the complainant or any Authority staff.  The Commissioner has also taken into consideration the Authority’s stated position to the Applicant, that the matter in question here was not being considered under the Complaint Process.
  11. The Commissioner also notes the Authority’s submission with regards to distress and damage and comes back to the difference between disclosure of information to a complainant in relation to the outcome of their complaint and disclosure into the public domain.
  12. The Commissioner has given careful consideration to all of the submissions and considers that disclosure of the withheld information would be unfair.  Given that processing of the personal data would not be fair, then disclosure would contravene Article 5(1) of the UK GDPR.
  13. In the circumstances, the Commissioner finds that the Authority was correct to withhold the information under section 38(1)(b) of FOISA.  In other words, taking account of the expectations and other arguments advanced by both parties, he has found it possible to determine this case on the basis of fairness alone.  He does not, therefore, need to consider the question of lawfulness in this case.
  14. That said, he would urge the Authority not to draw too much of universal application from this conclusion.  He is aware that the Authority has more general issues with the Commissioner’s approach to section 38(1)(b), but he is not convinced that this is the place to address them.
  15. In any event, each case must be considered on its own facts and circumstances.  Here, the Commissioner is satisfied that it is possible to consider all relevant factors through consideration of fairness alone, but this will not necessarily always be the case.  He is, after all, called upon in considering this exemption to determine whether the right of access to information in section 1(1) of FOISA can be reconciled with the protections afforded to data subjects in the UK GDPR (a process envisaged in the original GDPR and not one he is aware of legislators in any part of the UK intending to depart from since).  In such a reconciliation, it will generally be appropriate, not to say necessary, to take into account the interests of the applicant (and, potentially, those of the wider public) – and that may legitimately entail consideration of other aspects of the principle in article 5(1)(a), including lawfulness.

Could the information be anonymised?

  1. The Applicant in his application and comments to the Commissioner questioned whether the information could be redacted to remove personal information.  He did not think this had been considered.
  2. The Authority did not consider it was possible to partially redact the information in order to disclose some information into the public domain under FOISA.  This was because of the scope of the request and the recorded information that it captured.  Its view was that even with the removal of names, the individuals would still be identifiable indirectly from other identifiers and the small number of individuals involved, and that the data would continue to relate to them.
  3. The Commissioner has given careful consideration to the points raised by both the Applicant and the Authority along with the withheld information.  Although there are times when redacting information would allow the remainder of the information to be disclosed (as the result would be that the information had ceased to be personal data), in this case, due to the nature of the information (even with names removed), the Commissioner agrees that the remainder would still constitute personal data.  Therefore, in the circumstances, he accepts that there was no practicable alternative to withholding the information in full under section 38(1)(b) of FOISA.

Decision 

The Commissioner finds that the Authority complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

 

Euan McCulloch 

Head of Enforcement 

 

4 September 2025