Decision 267/2025:  Number of individuals’ pavement parking fines paid

Authority: Dundee City Council
Case Ref: 202500534
 

Summary

The Applicant asked the Authority for information about payment of fines issued to the most frequent pavement parking offenders.  The Authority withheld the information on the basis that it was third party personal information.  The Commissioner investigated and found that the Authority was correct to withhold the information.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 38(1)(b), (2A) and (5) (definitions of “data protection principles”,” data subject”, ”personal data” and “processing”, “the UK GDPR”) (Personal information) and (5A) (Personal information); 47(1) and (2) (Application for decision by Commissioner).

United Kingdom General Data Protection Regulation (the UK GDPR) articles 4(1) (definition of “personal data”); 5(1)(a) (Principles relating to the processing of personal data); 6(1)(f) (Lawfulness of processing). 

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), 4(d), (5), (10) and 14(a), (c) and (d) (Terms relating to the processing of personal data).

Background

1. On 11 March 2025, the Applicant made a request for information to the Authority.  He asked for information in relation to how many of the fines issued to the most frequent pavement parking offenders had been paid to date.
2. The Authority responded on 12 March 2025.  It withheld the information under section 38(1)(b) of FOISA on the grounds that the information was personal data.
3. On 12 March 2025, the Applicant wrote to the Authority requesting a review of its decision. The Applicant stated that he was dissatisfied with the Authority’s response because he had previously been provided with information about the number of fines issued to drivers and he did not agree that disclosing how many of those fines had been paid constituted third party personal data.
4. The Authority notified the Applicant of the outcome of its review on 4 April 2025.  It fully upheld its original decision and explained that, while it accepted the Applicant may have a legitimate interest in obtaining the withheld data, it did not consider that the disclosure was necessary to achieve his legitimate interest and that even if it were, this would be overridden by the data subjects’ rights to privacy.
5. On 10 April 2025, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA.  The Applicant stated he was dissatisfied with the outcome of the Authority’s review because he did not agree that the exemption applied, and he argued that no individual could be identified from the information requested.  Furthermore, he argued that disclosure of the data was important to allow public scrutiny of the enforcement of pavement parking rules.

Investigation

6. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.
7. On 14 May 2025, the Authority was notified in writing that the Applicant had made a valid application.  The Authority was asked to send the Commissioner the information withheld from the Applicant.  The Authority provided the information and the case was allocated to an investigating officer.
8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application.  The Authority was invited to comment on this application and to answer specific questions.  These related to the reasons it believed the information requested constituted personal data.

Commissioner’s analysis and findings

9. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority.  

Section 38(1)(b) – personal information 

10. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is “personal data” (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR.
11. The exemption in section 38(1)(b) of FOISA applied on the basis set out in the preceding paragraph, is an absolute exemption.  This means it is not subject to the public interest test in section 2(1)(b).
12. To rely on this exemption, the Authority must show that the withheld information is personal data for the purposes of the DPA 2018 and that disclosure of the information into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles found in Article 5(1) of the UK GDPR. 

Is the withheld information personal data? 

13. The first question the Commissioner must address is whether the information is personal data for the purposes of section 3(2) of the DPA 2018, i.e. any information relating to an identified or identifiable individual.  “Identifiable living individual” is defined in section 3(3) of the DPA 2018.  (This definition reflects the definition of personal data in Article 4(1) of the UK GDPR.) 

14. Information will "relate to" a person if it is about them, is linked to them, has biographical significance for them, is used to inform decisions affecting them, or has them as its main focus.  The Commissioner’s guidance on section 38(1)(b)[1] is clear that numbers or statistics can be personal data (although, of course, this will not always be the case).  Paragraphs 22 and 23 of this guidance state: 

    “The Court of Justice of the European Union looked at the question of identification in Breyer v Bundesrepublik Deutschland[2].  The Court said that the correct test to consider is whether there is a realistic prospect of someone being identified.  In deciding whether there is a realistic prospect of identification, account can be taken of information in the hands of a third party.  However, there must be a realistic causal chain – if the risk of identification is “insignificant”, the information won’t be personal data. 

    Although this decision was made before the GDPR, UK GDPR and the DPA 2018 came into force, the Commissioner expects that the same rules will apply.  Although no longer applicable in the UK, recital (26) of the GDPR bears this out – and confirms that data should be considered anonymous (and therefore no longer subject to the GDPR) when the data subject(s) is/are no longer identifiable.”

The Applicant’s comments on whether the information is personal data

15. The Applicant disagreed that this information would be the personal data of any individual.
16. The Applicant stated that the Authority had previously (under FOISA) supplied him with a list, of the most frequent pavement parking offenders in Dundee.  The detail supplied in response to that request included the make, model and colour of the car, and the locations at which the offenders had received tickets for pavement parking.
17. The Applicant submitted that the Authority then refused to confirm how many of the fines issued to each of the drivers of the cars listed had been paid, arguing that the information was personal data.
18. The Applicant argued that the information did not involve any names or registration numbers of the vehicles involved and he questioned why, if the Authority’s position was that the information could lead to the identification of an individual, it had provided the level of detail it did in the earlier request.  The Applicant commented that the information he had requested surely posed the same question around identifying individuals, and he argued that the request had not sought more personal information than had been previously disclosed.
19. Furthermore, the Applicant stated that no identifying factors would be disclosed, and there would be no context as to why some fines had not yet been paid.  He provided the example of a situation where someone did not pay due to their level of income and commented that this information would not be provided in the release of the data he had requested.

The Authority’s comments on whether the information is personal data

20. In its submissions to the Commissioner, the Authority referenced guidance from the UK Information Commissioner's Office[3] which acknowledged that even if additional information was needed to be able to identify someone, they may still be identifiable.
21. The Authority accepted that the previously disclosed information (on its own, even without further information being disclosed) could cause individuals to be identified.  It submitted that a car of a particular make and colour which parked regularly in a particular street, often on the pavement, could be identified by others living in or near to that street.
22. The Authority stated that the issuing of a PCN was a public event, in that the PCN was attached to a vehicle’s windscreen.  This meant that the owner of a particular car, known to park on the pavement and which had been issued with numerous PCNs, may already be known to those who were familiar with the car (because the PCN was visible to anyone who saw it on the vehicle before it was removed).  
23. The Authority argued that the question of whether or not a PCN was subsequently paid was not publicly visible in the way the issuing of a PCN was.
24. The Authority explained that (even though it considered that the previously disclosed information could be personal data) it had accepted that, in the case of that (previous) request, there was a public interest in the enforcement of pavement parking rules.  It stated that it had accordingly taken the view in relation to that information that the legitimate interest in the enforcement of pavement parking rules outweighed the individual's right to privacy, taking into account the fact that the issuing and display of a PCN took place in public.
25. The Authority commented that it did not consider that the prospect of individuals being identifiable was any greater in the event that the information relating to paid fines was disclosed than when the previously disclosed information was issued.  
    It argued that what was different in relation to this request was that the impact of the disclosure differed (because the type of personal information disclosed was different).
26. The Authority argued that, while any driver was liable to be issued with a PCN if they flouted parking rules and that the contravention and the issuing of the PCN was not dependent on or related to their financial standing, information about whether that PCN had been paid or not could indicate whether an individual could afford to pay that PCN, or their attitude towards debt.
27. The Authority stated that the data was not special category data.

The Commissioner’s view on whether the information is personal data

28. The Commissioner has considered all of the submissions from the Authority and the Applicant on whether the requested information was personal data.
29. The Commissioner acknowledges that the information requested does not include names or car registration numbers, that is, information which would directly identify a living individual.  However, as the UK ICO guidance[4] makes clear, identification may also be possible indirectly.
30. The Commissioner has taken into account the information that was disclosed previously under FOISA, and he accepts the Authority’s position that the identification of individuals in this case might be possible from that information.  He notes the Authority’s comments that the previous information it disclosed was also personal data, but that it concluded in that case that the data subjects’ right to privacy was overruled by the legitimate interest in the implementation and governance of the pavement parking regime.
31. The Commissioner’s view is that the requested information about fines which had been paid (or not paid) would, when considered alongside the previously disclosed information which revealed where these cars were parked, and listed their make and colour, comprise the personal data of living individuals.  He finds that it would potentially disclose an aspect of that individual’s finances, i.e. that the individual owed money, beyond the period of time immediately following the issue of the PCN, and he accepts that information about an identifiable living individual’s finances is their personal data.
32. The Commissioner is therefore satisfied that the withheld information is the personal data of identifiable individuals and, as such, is personal data in terms of section 3(2) of the DPA 2018.

Would disclosure contravene one of the data protection principles?

33. The Authority reiterated the position it set out in its review outcome, where it found that disclosure would breach Article 5(1)(a) of the UK GDPR.
34. Article 5(1)(a) of the UK GDPR requires personal data to be processed “lawfully, fairly and in a transparent manner in relation to the data subject.”
35. "Processing" of personal data is defined in section 3(4) of the DPA 2018.  It includes (section 3(4)(d)) disclosure by transmission, dissemination or otherwise making available personal data.  The definition therefore covers disclosing information into the public domain in response to a FOISA request.
36. The Commissioner must consider whether disclosure of the personal data would be lawful. In considering lawfulness, he must consider whether any of the conditions in Article 6 of the UK GDPR would allow the data to be disclosed.
37. The Authority considered (and the Commissioner agrees) that condition (f) in Article 6(1) is the only condition which could potentially apply in the circumstances of this case.  

Article 6(1)(f) of the UK GDPR - legitimate interests

38. Condition (f) states that processing shall be lawful if it: “…is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data...”.
39. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, section 38(5A) of FOISA makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.
40. The three tests which must be fulfilled before Article 6(1)(f) can be relied on are as follows (see paragraph 18 of South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 551[5] – although this case was decided before the GDPR (and the UK GDPR) came into effect, the relevant tests are almost identical): 

    1. does the Applicant have a legitimate interest in the personal data? 

    2. if so, would the disclosure of the personal data be necessary to achieve that legitimate interest? 

    3. even if the processing would be necessary to achieve the legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subjects which require protection of personal data (in particular where the data subject is a child)? 

Does the Applicant have a legitimate interest in obtaining the personal data?

41. The Authority accepted that the Applicant would have a legitimate interest in the personal data in relation to the public scrutiny of the enforcement of pavement parking rules.  However it argued that there were many reasons why a PCN might not have been paid and that many of those reasons related to the recipients’ financial positions and were unrelated to the Authority’s approach to enforcement.
42. The Applicant argued that there was significant public interest in detailing how many of the fines issued were being paid, from the point of view of enforcing the rules and justice being done and he compared this to the way that information on sentences handed out in court were a matter of public record.
43. The Commissioner considers that the Applicant and the wider public both have a legitimate interest in the enforcement of the pavement parking ban.  To the extent that the information might reasonably be expected to contribute to understanding of that enforcement, the Commissioner accepts that the Applicant has a legitimate interest in obtaining the personal data.

Is disclosure of the personal data necessary?

44. The Applicant stated that without the level of information requested, the public was in the dark about how punitive the new pavement parking rules were and how well they were being enforced.
45. The Authority submitted that the information was an indication of an individual’s attitude towards debt and/or their financial standing and ability to pay and technically did not provide any information about what action the Authority had or had not taken to enforce that debt.
46. In its submissions to the Commissioner, the Authority stated that it was prepared to disclose statistical information about the percentage of PCNs which had been paid where this was not provided in relation to specific vehicles.
47. During the investigation the Applicant stated that he was seeking more detailed information and wanted to continue with his appeal.
48. While the Commissioner considers that the Applicant has a legitimate interest in the enforcement of pavement parking rules, he also notes that the Applicant specified in his comments that this interest related to how many of the fines were being paid (as set out in paragraph 42) from the point of view of enforcing the rules and justice being done.  The Commissioner does not consider that the Applicant has made the case that the personal information which he has requested is necessary to allow the Applicant to examine enforcement of the ban.
49. The Commissioner’s view is that the Applicant’s legitimate interests (in information which helped demonstrate the enforcement of and effectiveness of the pavement parking ban) could be met with overall figures or percentages showing how many fines had been paid and that the personal information about how many fines an individual had or had not paid, is not needed to meet these legitimate interests.  
50. In the Commissioner’s view, these interests could be met (without encroaching on the privacy of the data subjects) by the disclosure of statistics, whether at the level which had been suggested by the Authority in paragraph 46 or, potentially, in greater detail (but without identifying particular individuals).
51. The Commissioner’s view is that overall figures or statistics relating to payment rates would provide the information sought about the enforcement of pavement parking rules and meet the Applicant’s legitimate interests (at least in terms of the comments made by the Applicant) without disclosing personal information about individuals.
52. On balance, the Commissioner considers, in light of the arguments provided and in all the circumstances of this case, that disclosure is not necessary to meet the Applicant’s legitimate interests and that any such disclosure of the personal data would therefore be unlawful.
53. In the absence of a condition in Article 6 of the UK GDPR which would allow the specific numbers of unpaid individual fines to be disclosed lawfully, disclosure would breach Article 5 of the UK GDPR and these figures are, therefore, exempt from disclosure under section 38(1)(b) of FOISA.

Decision 

The Commissioner finds that the Authority complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only.  Any such appeal must be made within 42 days after the date of intimation of this decision.

Euan McCulloch 

Head of Enforcement 

31 October 2025