Home Decisions

Decision 301/2025

Decision 301/2025:  Complaint in relation to a specified sequestration


Authority: Accountant in Bankruptcy
Case Ref: 202501080
 

Summary

The Applicant asked the Authority for details of a complaint made to the Institute of Chartered Accountants of Scotland by the Authority.  The Authority withheld the information as third party personal data.  The Commissioner investigated and found that the Authority was entitled to withhold the information requested. 

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 2(1)(a) and 2(e)(ii) (Effect of exemptions); 38(1)(b), (2A) and (5) (definitions of “data protection principles”, “data subject”, “personal data” and “processing”) and (5A) (personal information); 47(1) and (2) (Application for decision by Commissioner). 

United Kingdom General Data Protection Regulation (the UK GDPR) Articles 5(1)(a) (Principles relating to the processing of personal data) and 6(1)(f) (Lawfulness of processing). 

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3)(a) & (b), (4)(d), (5), (10) and (14)(a), (c) and (d) (Terms relating to the processing of personal data).

Background

  1. On 30 April 2025, the Applicant made a request for information to the Authority.  He asked for details of any complaint made by the Authority’s Policy and Compliance Team to the Institute of Chartered Accountants of Scotland (ICAS) in relation to a specified sequestration. He said that he was not requesting personal information about the Insolvency Practitioner (the Trustee) concerned, but the Compliance Team’s views and any complaint about the Trustee’s handling of the sequestration.
  2. The Authority responded on 2 June 2025.  It withheld the information requested under the exemption in section 38(1)(b) of FOISA.
  3. On the same date, the Applicant wrote to the Authority requesting a review of its decision. He stated that he was dissatisfied with the decision because he did not agree that the exemption in section 38(1)(b) of FOISA applied to the information requested.   
  4. The Authority notified the Applicant of the outcome of its review on 10 June 2025, which fully upheld its original response.
  5. On 5 July 2025, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA.  He stated that he was dissatisfied with the outcome of the Authority’s review, for the reason set out in his requirement for review.    

Investigation

  1. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.
  2. On 20 August 2025, the Authority was notified in writing that the Applicant had made a valid application.  The Authority was asked to send the Commissioner the information withheld from the Applicant.  The Authority provided the information, and the case was subsequently allocated to an investigating officer.
  3. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application.  The Authority was invited to comment on this application and answer specific questions, relating to its application of the exemption in section 38(1)(b) of FOISA to the information requested. 

Commissioner’s analysis and findings

  1. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority. 

Section 38(1)(b) – Personal information

  1. Section 38(1)(b), read in conjunction with section 38(2A)(a) or (b), exempts information from disclosure if it is “personal data” (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR.
  2. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption.  This means that it is not subject to the public interest test in section 2(1)(b).
  3. To rely on this exemption, the Authority must show that the withheld information is personal data for the purposes of the DPA 2018 and that disclosure of the information into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles found in Article 5(1) of the UK GDPR.
  4. The Commissioner must decide whether the Authority was correct to withhold the information covered by the Applicant’s request under section 38(1)(b) of FOISA.

Is the withheld information personal data? 

  1. The first question the Commissioner must address is whether the specific information withheld by the Authority, and identified as personal data, is personal data for the purposes of section 3(2) of the DPA 2018.
  2. “Personal data” is defined in section 3(2) of the DPA 2018 as “any information relating to an identified or identifiable living individual”.  Section 3(3) of the DPA 2018 defines “identifiable living individual” as a living individual who can be identified, directly or indirectly, in particular by reference to – 

    1. an identifier such as a name, an identification number, location data, or an online identifier, or 

    2. one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

  3. The two main elements of personal data are that the information must “relate” to a living person, and that person must be identified – or identifiable – from the data, or from the data and other accessible information.
  4. Information will “relate to” a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them, or has them as its main focus.
  5. An individual is “identified” or “identifiable” if it is possible to distinguish them from other individuals.
  6. Having considered the withheld information, the Commissioner accepts that it clearly relates to a complaint about an identifiable individual (i.e. the Trustee named in the request).  While the Applicant said that he did not wish to receive personal information about the Trustee, the Commissioner considers that the complaint is inextricably linked to this individual and that it would therefore not be possible to meaningfully anonymise the withheld information.
  7. The Commissioner is therefore satisfied that the withheld information relates to an identifiable individual and, as such, is personal data in terms of section 3(2) of the DPA 2018.

Would disclosure contravene one of the data protection principles?

  1. The Authority considered that disclosure would breach the data protection principle (Article 5(1)(a) of the UK GDPR).  Article 5(1)(a) of the UK GDPR states that personal data shall be processed “lawfully, fairly and in a transparent manner in relation to the data subject”.
  2. "Processing" of personal data is defined in section 3(4) of the DPA 2018.  It includes (section 3(4)(d)) disclosure by transmission, dissemination or otherwise making available personal data.  The definition therefore covers disclosing information into the public domain in response to a FOISA request.
  3. The Commissioner must consider whether disclosure of the personal data would be lawful.  In considering lawfulness, he must consider whether any of the conditions in Article 6 of the UK GDPR would allow the data to be disclosed.
  4. The Commissioner considers that condition (f) in Article 6(1) of the UK GDPR is the only condition which could potentially apply in the circumstances of this case

Condition (f) – legitimate interests

  1. Condition (f) states that processing shall be lawful if it – “…is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data...”
  2. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, section 38(5A) of FOISA makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.

  3. The three tests which must be fulfilled before Article 6(1)(f) can be relied on are as follows: 

    i) does the Applicant have a legitimate interest in the personal data? 

    ii) if so, would the disclosure of the personal data be necessary to achieve that legitimate interest?

    iii) even if the processing would be necessary to achieve the legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subjects which require protection of personal data (in particular where the data subject is a child)?

  4. There is no presumption in favour of the disclosure of personal data under the general obligation laid down by section 1(1) of FOISA.  Accordingly, the legitimate interests of the Applicant must outweigh the rights and freedoms or legitimate interests of the data subject before condition (f) will permit the data to be disclosed.  If the two are evenly balanced, the Commissioner must find that the Authority was correct to refuse to disclose the personal data to the Applicant.

Does the Applicant have a legitimate interest in obtaining the personal data?

  1. The Applicant explained that he was seeking information about the findings of an investigation and complaint made by the Authority to ICAS in a sequestration case where his son was a creditor.
  2. The Applicant provided a number of emails and documents which, whilst being helpful in understanding the background and context of this Application to the Commissioner, are not directly relevant to whether the Authority was entitled to withhold the information requested under the exemption in section 38(1)(b) of FOISA.  The Commissioner has fully considered this information, but he has not reproduced it in his decision notice.
  3. Broadly speaking, the Applicant considered that he had a legitimate interest in the withheld information as he (as his son’s representative) and his son were both severely financially impacted by the “Trustee’s mishandling of the sequestration”.  He explained that he was requesting information about the investigations completed by the Authority in its duties “of policing the actions of the Trustee” and that he had every right to be told of any complaint sent to ICAS by the Authority.
  4. The Applicant did not consider that that any information relating to the Trustee constituted third party information.   However, he said that he would be happy for the Authority to redact the names of staff members and only name the organisation of insolvency practitioners.  He also said that the details of the information requested would not be shown to the general public, but only to him and his son.
  5. The Authority argued that the Applicant did not have a legitimate interest in obtaining the information requested.  It advised that the Applicant had been provided with full responses to the complaints he made directly to the Authority.
  6. The Authority submitted that the Applicant had already exercised his right to make a complaint directly to the relevant professional body in relation to the sequestration where his son was a creditor.
  7. The Authority also explained that the Applicant (as an interested person) had a right under section 50(7) of the Bankruptcy (Scotland) Act 2016 to make an application to the court if he was dissatisfied with any act, omission or decision of the Trustee and request the Sheriff, under section 50(8), confirm, revoke, or modify the decision in question, confirm or annul the act in question, or give the Trustee directions or make such order as the Sheriff thinks fit.
  8. The Authority submitted that the content of the complaint would not be required for the Applicant to take any action referred to in the preceding paragraph.  It therefore considered that there was no legitimate interest on the part of the Applicant to gain the information as it would not assist him in any action he may wish to take in relation to this case.
  9. The Commissioner ha carefully considered the submissions from both parties.  In the circumstances, he accepts that the Applicant does have a legitimate interest in obtaining the withheld information. 

Is disclosure of the personal data necessary to achieve that legitimate interest?

  1. Having accepted that the Applicant has a legitimate interest in the personal data, the Commissioner must consider whether disclosure of the personal data is necessary for the Applicant's legitimate interest.  In doing so, he must consider whether those interests might reasonably be met by any alternative means.
  2. "Necessary" means "reasonably" rather than "absolutely" or "strictly" necessary.  When considering whether disclosure would be necessary, public authorities should consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the Applicant's legitimate interests could reasonably be met by means which interfered less with the privacy of the data subject.
  3. While the Authority did not accept the Applicant had a legitimate interest in disclosure of the withheld information, it accepted that – if the Commissioner found that he did have a legitimate interest – then disclosure would be necessary to achieve that interest.  This was because, while the Applicant had been provided with related information in the form of responses to the complaints he had made directly to the Authority, it had not disclosed any information on any complaints made by the Authority to ICAS.
  4. The Commissioner can identify no viable means of fully meeting the Applicant's legitimate interest which would interfere less with the privacy of the data subjects than providing the withheld information.  In all of the circumstances, therefore, the Commissioner is satisfied that disclosure of the withheld information is necessary for the purposes of the Applicant's legitimate interest.

The data subject’s interests or fundamental rights and freedoms (and balancing exercise)

  1. The Commissioner has concluded that the disclosure of the information would be necessary to achieve the Applicant’s legitimate interests.  However, this must be balanced against the fundamental rights and freedoms of the data subjects.  Only if the legitimate interests of the Applicant outweighed those of the data subject could the information be disclosed without breaching the first data protection principle.
  2. The Commissioner’s guidance on section 38 of FOISA[1] list certain factors that should be taken into account in balancing the interests of the parties.  He makes it clear that, in line with Recital (47) of the UK-GDPR, much will depend on the reasonable expectations of the data subjects and that these are some of the factors public authorities should consider.

    1. Does the information relate to an individual's public life (their work as a public official or employee) or to their private life (their home, family, social life or finances)? 

    2. Would the disclosure cause harm or distress? 

    3. Whether the individual has objected to the disclosure.

  3. The withheld information relates to the Trustee’s public life (i.e. to their professional conduct).  The Commissioner’s position is that there is generally a greater expectation of disclosure for information relating to an individual’s public life than their private life.
  4. Given the complaint relates to the conduct of the Trustee when acting in their professional capacity in a regulated profession, the Commissioner accepts that the withheld information relates to the Trustee’s public life.  However, he does not consider that the Trustee would reasonably have expected their personal data to be made public in response to an information request under FOISA.
  5. The Commissioner notes the Applicant’s position that he would only share the withheld information, if disclosed, between himself and his son.  However, the effect of disclosure under FOISA is disclosure to the world-at-large.  In other words, disclosure under FOISA has the effect of placing information into the public domain – regardless of the intended use of that information by the requester.
  6. In addition to considering the reasonable expectations of the data subject in this case, the Commissioner has considered the potential harm or distress that could be caused by disclosure of their personal data.  He notes that the complaint relating to the Trustee was dismissed.  Had it not been, the outcome of any decision made to sanction the Trustee would have been published by the Insolvency Service.
  7. In the circumstances, the Commissioner considers that disclosure of the withheld information would reopen scrutiny of the Trustee in relation to a complaint that was dismissed and in relation to information that they would have no reasonable expectation would be disclosed to the world-at-large in response to a FOISA request.
  8. After carefully balancing the legitimate interest of the Applicant against the interests or fundamental rights or freedoms of the data subject, the Commissioner finds that the legitimate interest served by disclosure of any information held would be outweighed by the unwarranted prejudice that would result to the rights and freedoms or legitimate interests of the data subject.
  9. Having found that the legitimate interest served by disclosure of the personal data is outweighed by the unwarranted prejudice that would result to the rights and freedoms or legitimate interests of the data subject, the Commissioner finds that condition (f) in Article 6(1) of the UK GDPR cannot be met in this case and that disclosure of the information in question would be unlawful.
  10. Given that the Commissioner has concluded that the processing of the personal data would be unlawful, he is not required to go on to consider whether disclosure of the personal data would otherwise be fair and transparent in relation to the data subject.
  11. The Commissioner is satisfied, in the absence of a condition in Article 6 of the UK GDPR which would allow the data to be disclosed, that disclosure would be unlawful.  He therefore finds that the withheld personal data is therefore exempt from disclosure under section 38(1)(b) of FOISA.

Decision 

The Commissioner finds that the Authority complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by the Applicant.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only.  Any such appeal must be made within 42 days after the date of intimation of this decision.

 

Euan McCulloch 

Head of Enforcement 


16 December 2025