Home Decisions

Decision 243/2025

Decision 243/2025:  Correspondence about the feeding of foxes 


Authority: Sanctuary Scotland Housing Association Ltd
Case Ref: 202401509
 

Summary

The Applicant asked the Authority for any communications with a councillor about the feeding of foxes in a specific area.  The Authority responded in terms of FOISA and withheld the information requested on the basis that it was third-party personal data.  The Commissioner investigated and found that the Authority was entitled to withhold some, but not all, of the information requested on the basis that it was third-party personal data.  He also found that the Authority had considered the request under the wrong legislation.  The requested information was environmental information, and the Authority should have considered the request under the EIRs.  He required the Authority to disclose certain information to the Applicant.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 2(1)(b) (Effect of exemptions); 39(2) (Health, safety and the environment); 47(1) and (2) (Application for decision by Commissioner).

The Environmental Information (Scotland) Regulations 2004 (the EIRs) regulations 2(1) (definition of “the Act”, “applicant” and “the Commissioner”, “the data protection principles”, “data subject”, “personal data”, “the UK GDPR” and the definition of “environmental information”) (Interpretation); 5(1) and (2)(b) (Duty to make environmental information available on request); 10(3) (Exceptions from duty to make environmental information available); 11(2), (3A)(a) and (7) (Personal data); 17(1), (2)(a), (b) and (f) (Enforcement and appeal provisions).

United Kingdom General Data Protection Regulation (the UK GDPR) Articles 5(1)(a) (Principles relating to processing of personal data) and 6(1)(f) (Lawfulness of processing).

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5), (10) and (14)(a), (c) and (d) (Terms relating to the processing of personal data).

Background

  1. On 11 September 2024, the Applicant made a request for information to the Authority. She asked for copies of communication between the Authority and a specified councillor regarding feeding foxes within the area referred to in a letter dated 10 September 2024.
  2. By way of background, the letter above related to a communication sent by the Authority to all residents of a specified location asking them to refrain from feeding foxes as it was attracting vermin and causing destruction.
  3. The Authority responded on 3 October 2024 in terms of FOISA.  It withheld the requested information under the exemption in section 38(1)(b) of FOISA.
  4. Later that day, the Applicant wrote to the Authority requesting a review of its decision. She was dissatisfied because the information requested was not third-party information but the “content of the complaint”. She said that any information that identified a third party could be redacted.
  5. The Authority notified the Applicant of the outcome of its review on 30 October 2024, which fully upheld its original decision.  It also advised the Applicant that if she wished to obtain any of her own personal data in relation to herself or her tenancy then she could submit a subject access request under data protection legislation.
  6. On 18 November 2024, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA.  By virtue of regulation 17 of the EIRs, Part 4 of FOISA applies to the enforcement of the EIRs as it applies to the enforcement of FOISA, subject to specified modifications.  The Applicant stated that she was dissatisfied with the outcome of the Authority’s review for the reasons set out in her requirement for review.  She added that all third-party information could be redacted, except for any information that could potentially identify her within the content.

Investigation

  1. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.
  2. On 3 December 2024, the Authority was notified in writing that the Applicant had made a valid application, and it was asked to send the Commissioner the information withheld from the Applicant.  The Authority provided this information, and the case was subsequently allocated to an investigating officer.
  3. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application.  The Authority was invited to comment on this application and to answer specific questions, including whether it considered the information requested was environmental information, the searches it had carried out in response to the request and its reasons for withholding information on the basis it was third party personal data.
  4. As part of its submissions to the Commissioner, the Authority said that, on reflection, it could have provided the Applicant with copies of the requested correspondence with appropriate redactions to third party personal data.  It indicated it was prepared to provide the Applicant with the information requested on this basis.
  5. The investigating officer asked the Applicant whether she would accept the Authority’s above offer.  The Applicant declined and said that she wished the Commissioner to complete his investigation into the Authority’s compliance with the FOI legislation and to issue a decision notice.

Commissioner’s analysis and findings

  1. The Commissioner has considered all the submissions made to him by the Applicant and the Authority. 

FOISA or EIRS

  1. The relationship between FOISA and the EIRs was considered at length in Decision 218/2007[1].  Broadly, in the light of that decision, the Commissioner's general position is as follows:

    1. The definition of what constitutes environmental information should not be viewed narrowly.

    2. There are two separate statutory frameworks for access to environmental information and an authority is required to consider any request for environmental information under both FOISA and the EIRs.

    3. Any request for environmental information therefore must be handled under the EIRs.

    4. In responding to a request for environmental information under FOISA, an authority may claim the exemption in section 39(2).

    5. If the authority does not choose to claim the section 39(2) exemption, it must respond to the request fully under FOISA: by providing the information; withholding it under another exemption in Part 2; or claiming that it is not obliged to comply with the request by virtue of another provision in Part 1 (or a combination of these).

    6. Where the Commissioner considers a request for environmental information has not been handled under the EIRs, he is entitled (and indeed obliged) to consider how it should have been handled under that regime.

  2. Given the subject matter of the request (i.e. the feeding of foxes in a residential area and the associated “destruction” this feeding had caused), the Commissioner asked the Authority whether it considered the information requested to be environmental information, as defined in regulation 2(1) of the EIRs.
  3. In response, the Authority explained that it had reconsidered the Applicant’s request and thought, on balance, that it ought to have considered it under the EIRs.  While he understands why the Authority responded in terms of FOISA, the Commissioner agrees that it should have considered the request under the EIRs. It is clear to him from the subject matter of the request that information falling within the scope of the request would be environmental information, as defined in regulation 2(1) of the EIRs (particularly paragraphs (a), (b) and (f) of that definition).
  4. Given that the information requested is properly considered to be environmental information, the Authority has a duty to consider it in terms of regulation 5(1) of the EIRs.  In failing to do so, the Commissioner finds that the Authority failed to comply with regulation 5(1).

Section 39(2) – Environmental information

  1. The exemption in section 39(2) of FOISA provides, in effect, that environmental information (as defined by regulation 2(1) of the EIRs) is exempt from disclosure under FOISA, thereby allowing any such information to be considered solely in terms of the EIRs.
  2. The Commissioner finds that the Authority would have been entitled to apply this exemption to the request, given his conclusion that the information requested was properly classified as environmental information.
  3. As there is a separate statutory right of access to environmental information available to the Applicant, the Commissioner also accepts that, in this case, the public interest in maintaining this exemption and in handling the request in line with the requirements of the EIRs outweighs any public interest in disclosing the information under FOISA.

Regulation 5(1) – Duty to make available environmental information

  1. Regulation 5(1) of the EIRs requires a Scottish public authority which holds environmental information to make it available when requested to do so by any applicant.  This obligation relates to information that is held by the authority when it receives a request.
  2. On receipt of a request for environmental information, therefore, the authority must ascertain what information it holds falling within the scope of the request.  Having done so, regulation 5(1) of the EIRs requires the authority to provide that information to the requester, unless a qualification in regulations 6 to 12 applies (regulation 5(2)(b)).

Information falling within the scope of the request

  1. During the investigation, the Authority was asked how it had ensured that it had identified all the information falling within the Applicant's request.
  2. The Authority explained that the employee who dealt with the Applicant’s request was the same employee who would generally respond to correspondence from elected members.   It said that any formal correspondence with elected members would be typically received by email, which would be filed in the same location within the Authority’s document management system under the name of the elected member.  It added that it kept an enquiry log for enquiries from elected members, which tracked when these had been received and responded to.
  3. The Authority had carried out searches for correspondence within the document management system for the councillor by searching for all correspondence, including the councillor’s email address.  It said that relevant employees also searched their received and sent items in their email inboxes for any emails containing the councillor’s name.  It confirmed that it had provided all of the information it held falling within the scope of the request to the Commissioner.
  4. The standard of proof to determine whether a public authority holds information is the civil standard of the balance of probabilities.  In determining where the balance lies, the Commissioner considers the scope, quality and thoroughness and the results of searches carried out by the public authority.  He also considers, where appropriate, any reasons offered by the public authority to explain why it does not hold the information.
  5. Having considered the submissions it provided, the Commissioner is satisfied that the Authority carried out adequate searches, and that these were likely to identify all the information falling within the Applicant’s request.  In all of the circumstances, therefore, Commissioner is satisfied, on the balance of probabilities, that the Authority does not (and did not, on receipt of the request) hold any further information – other than that already identified – falling within the scope of the request.
  6. However, the Commissioner considers that the Authority has wrongly withheld some information as third party personal data when it does not in fact fall within the scope of the request.
  7. The request specifically asked for communication regarding the feeding of foxes.  While the withheld information comprises communications that mention the feeding of foxes, other matters were also raised as part of these communications.  As these matters do not specifically relate to the feeding of foxes, the Commissioner considers this information falls outwith the scope of the request.  He will therefore not consider this information further in his decision notice.
  8. The Commissioner will now go on to consider the information withheld as third party personal data that he considers does fall within the scope of the request.

Regulation 11(1) of the EIRS – Personal information

  1. Regulation 11(1) prohibits public authorities from making an applicant's personal data available in response to an EIRs request. This is because individuals have a separate right to make a request for their own personal data under the GDPR (or, as appropriate, under the DPA 2018).  This route is more appropriate for individuals accessing their personal data: while data disclosed in response to a SAR is made available to the data subject, any data disclosed under the EIRs is placed into the public domain.
  2. During the investigation, it became apparent that a small amount of the withheld information comprised the Applicant’s own personal data: she can be identified from the information and the information relates to her.  Consequently, the Commissioner is satisfied that the information is excepted from disclosure under regulation 11(1) of the EIRs.
  3. However, the Authority should have identified this information as being the Applicant’s own personal data by the date of the review outcome (at the latest) and advised her that this information was excepted from disclosure under regulation 11(1) of the EIRs.  By failing to do so, the Authority failed to comply with regulation 5(1) of the EIRs.
  4. The Commissioner notes that the Authority has already provided advice to the Applicant on how she can make a subject access request for her own personal data.

Regulation 11(2) of the EIRs – Personal information

  1. Regulation 10(3) of the EIRs provides that a Scottish public authority can only make personal data in environmental information available in accordance with regulation 11.
  2. Regulation 11(2) provides that personal data shall not be made available where the applicant is not the data subject and other specified conditions apply.  These include that disclosure would contravene any of the data protection principles in the UK GDPR or DPA 2018 (regulation 11(3A)(a)).
  3. The Authority submitted that the withheld information constituted personal data, disclosure of which in response to this request would contravene the first data protection principle in Article 5(1) of the UK GDPR (“lawfulness, fairness and transparency”).
  4. The withheld information falling within the scope of the request comprises two emails: an email from the councillor to the Authority and a response from the Authority. 

Is the withheld information personal data? 

  1. Personal data" are defined in section 3(2) of the DPA 2018 as "any information relating to an identified or identifiable individual".  Section 3(3) of the DPA 2018 defines "identifiable living individual" as a living individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
  2. Information will "relate to” a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them, or has them as its main focus.  An individual is "identified" or "identifiable" if it is possible to distinguish them from other individuals.
  3. Having carefully considered the withheld information, the Commissioner is satisfied that it comprises personal data.  He accepts that living individuals can be identified from the data and that, in the circumstances, the data relate to them.  He is therefore satisfied that the withheld information is personal data as defined in section 3(2) of the DPA 2018.

Would disclosure contravene one of the data protection principles?

  1. Article 5(1)(a) of the UK GDPR requires personal data to be processed "lawfully, fairly and in a transparent manner in relation to the data subject".
  2. The definition of "processing" is wide and includes (section 3(4)(d) of the DPA 2018) "disclosure by transmission, dissemination or otherwise making available".  In the case of the EIRs, personal data are processed when disclosed in response to a request.  This means that personal data can only be made available if making the data available would be lawful (i.e. if it would meet one of the conditions of lawful processing listed in Article 6(1) of the UK GDPR) and fair. 

Lawful processing: Article 6(1)(f) of the UK GDPR

  1. The Commissioner will first consider if disclosure of the personal data would be lawful.  In considering lawfulness, he must consider whether any of the conditions in Article 6 of the UK GDPR would allow the personal data to be disclosed.
  2. The Commissioner considers that, in the circumstances, the only condition in Article 6(1) which could apply is condition (f) of Article 6(1) of the UK GDPR.

Condition (f): legitimate interests

  1. Condition (f) of Article 6(1) of the UK GDPR states that processing will be lawful if it is necessary for the purposes of the legitimate interests pursued by the data controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of the personal data.
  2. Although Article 6 of the UK GDPR states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, regulation 11(7) of the EIRs makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under the EIRs.
  3. The tests which must be met before Article 6(1)(f) of the UK GDPR can be met are as follows:

  • Does the Applicant have a legitimate interest in obtaining the personal data?

  • If so, would the disclosure of the personal data be necessary to achieve that legitimate interest?

  • Even if the processing would be necessary to achieve the legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subjects?

Does the Applicant have a legitimate interest in obtaining the personal data? 

  1. There is no definition within the DPA 2018 of what constitutes a “legitimate interest”, but the Commissioner takes the view that the term indicates that matters in which an individual properly has an interest should be distinguished from matters about which he or she is simply inquisitive.
  2. The Authority stated that it was arguable whether the Applicant had a legitimate interest in the withheld information, given she stated in her requirement for review that she was interested in "the content of the complaint" and that content had already been summarised in the letter to residents of 10 September 2024.
  3. In her application to the Commissioner, the Applicant said that all third-party information could be redacted from the information requested, except for any information that could potentially identify her within the content.  During the investigation, she expressly stated that she had not asked for third party details and was “only interested in the context of the complaint”.
  4. In view of the above, the Commissioner does not consider that the Applicant has a legitimate interest in obtaining the name or contact details of the councillor or of any employees of the Authority, nor in any information that would identify who had raised concerns with the councillor.  The Commissioner will therefore not consider this information further in his decision notice.
  5. However, the Commissioner accepts, on balance and notwithstanding the information communicated in the letter of 10 September 2024, that the Applicant has a legitimate interest in obtaining a full understanding of the “the context of the complaint”.  He will now go on to consider this information further.

Is disclosure of the information necessary for the purposes of these legitimate interests?

  1. Having accepted that the Applicant has a legitimate interest in some of the withheld personal data, the Commissioner must consider whether disclosure of this personal data is necessary to meet that legitimate interest.
  2. "Necessary" means "reasonable" rather than "absolutely" or "strictly" necessary.  When considering whether disclosure would be necessary, public authorities must consider whether disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the requester's legitimate interests can be met by means which interfere less with the privacy of the data subjects.
  3. The Authority stated that it did not consider the Applicant required the full content of the withheld information to understand that the Authority had accurately described the conduct being complained about.  It submitted that it did not consider the prejudice that would be caused by disclosure of this information would be outweighed by the Applicant’s interest in understanding the full background to the Authority’s letter to residents.
  4. While he acknowledges the Authority’s position that the Applicant has already received information that meets her legitimate interest, the Commissioner accepts that the Applicant wants to see the actual information that was communicated to the Authority.  There seems no other way to achieve a complete understanding of this information without full disclosure of the withheld personal data.
  5. Having considered all the circumstances, the Commissioner is satisfied, in relation to the personal data he has accepted the Applicant has a legitimate interest in, that disclosure of this information would be necessary to achieve that legitimate interest.  Consequently, he will go on to consider whether the interest in obtaining the personal data outweighs the rights and fundamental freedom of the data subjects. 

Interests and fundamental freedom of the data subjects

  1. The Commissioner must now balance the legitimate interests in disclosure against the data subjects' interests or fundamental rights and freedoms.  Only if the legitimate interests of the Applicant outweigh those of the data subjects can the information be disclosed.
  2. The Commissioner's guidance on regulation 11[2] of the EIRs notes some of the factors that should be taken into account in considering the interests of the data subjects and carrying out the balancing exercise.  He makes it clear that, in line with Recital (47) of the GDPR, much will depend on the reasonable expectations of the data subjects and that these are some of the factors public authorities should consider:

    1. whether the information relates to the individual's public life (i.e. their work as a public official or employee) or their private life (e.g. their home, family, social life or finances);

    2. the potential harm or distress that may be caused by the disclosure;

    3. whether an individual objected to the disclosure.

  3. As stated above (at paragraphs 50 and 51), the Commissioner is only considering the withheld information to the extent that it relates to “the context of the complaint”.  The withheld information falling within the scope of the request comprises two emails: an email from the councillor to the Authority and a response from the Authority.  There are therefore two kinds of data subject for the Commissioner to consider:

    1. the councillor

    2. employees of the Authority

  4. The Authority acknowledged that the councillor was unlikely to have any expectation of privacy in the circumstances as he had communicated in an official capacity about third party complaints and third-party conduct.  The Commissioner agrees.
  5. The Authority did not provide any specific comments on the personal data of employees of the Authority.  The Commissioner must be careful to avoid revealing the content of the withheld information.  However, the employees of the Authority were corresponding (one recipient and one respondent) with the councillor when acting in a professional capacity and there is nothing in the correspondence that is sensitive or that would, if it were disclosed, appear at all likely to cause harm or distress.
  6. Having carefully balanced the legitimate interests of the Applicant against the interests or fundamental rights or freedoms of the councillor and the employees of the Authority, the Commissioner finds that the legitimate interests served by disclosure of this personal data would not be outweighed by any unwarranted prejudice that would result to the rights and freedoms and legitimate interests of these data subjects.  He finds that condition (f) in Article 6(1) of the UK GDPR can be met in relation to the personal data in question of these data subjects.
  7. The Commissioner must also consider whether disclosure would be fair.  He finds, for the same reasons as he finds that condition (f) in Article 6(1) of the UK GDPR can be met, that disclosure of the withheld information in question would be fair.
  8. In the absence of any reason for finding disclosure of this information to be unlawful other than a breach of Article 5(1)(a) of the UK GDPR and, given that the Commissioner is satisfied that condition (f) can be met, he must find that disclosure would be lawful in this case.  
  9. The Commissioner therefore finds that disclosure of this information would not breach the first data protection principle, and so the Authority was not entitled to withhold this information under the exception in regulation 11(2) of the EIRs.
  10. The Commissioner requires the Authority to disclose this information to the Applicant, by the compliance date stated below. He will provide the Authority with a marked-up copy of the information to be disclosed.

Decision 

The Commissioner finds that the Authority failed to comply with Part 1 of the Freedom of Information (Scotland) Act 2002 and the Environmental Information (Scotland) Regulations 2004 (the EIRs) in responding to the information request made by the Applicant. 

Specifically, the Commissioner finds that:

  • in responding to the Applicant’s information request and requirement for review, the Authority failed to consider the request as a request for environmental information and thereby failed to comply with the requirements of regulation 5(1) of the EIRs

  • the Authority wrongly withheld the Applicant’s own personal data under the exception in regulation 11(2) of the EIRs and thereby failed to comply with the requirements of regulation 5(1) of the EIRs

  • the Authority wrongly withheld some other information under the exception in regulation 11(2) of the EIRs and thereby failed to comply with the requirements of regulation 5(1) of the EIRs.

As the Commissioner is satisfied that the Authority would have been entitled to withhold the Applicant’s own personal data under the exception in regulation 11(1) of the EIRs, he does not require the Authority to take any action in response to this failure in response to the Applicant’s application.

However, the Commissioner requires the Authority to disclose to the Applicant the other information he had found to have been wrongly withheld under the exception in regulation 11(2), by 24 November 2025.  

The Commissioner will provide the Authority with a marked-up copy of the information to be disclosed.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only.  Any such appeal must be made within 42 days after the date of intimation of this decision.

Enforcement 

If the Authority fails to comply with this decision, the Commissioner has the right to certify to the Court of Session that the Authority has failed to comply.  The Court has the right to inquire into the matter and may deal with the Authority as if it had committed a contempt of court.

 

Euan McCulloch 

Head of Enforcement 

 


8 October 2025