Home News

Enforcement action reminds authorities not to share a requester's identity

Enforcement action reminds authorities not to share a requester's identity

16 December 2021

The Scottish Information Commissioner has issued a formal Practice Recommendation to Aberdeenshire Council following concerns about the authority's handling of freedom of information (FOI) requests.

The Practice Recommendation focuses on the issue of alerting third parties to information requests, and requires the authority to take steps to ensure it handles requests in a way that is 'applicant (or requester) blind' - that is, not influenced by who made the request - and in particular, that it does not share the identity of a requester with other organisations except in very limited circumstances.

The issuing of a Practice Recommendation is relatively rare - this is just the third time one has been issued since FOI came into effect in Scotland, and the first by the current Commissioner, Daren Fitzhenry.

In this case, after an applicant had made a number of information requests to Aberdeenshire Council, a senior council officer wrote to the applicant's employer - which provides services to the council - expressing concern about the applicant's behaviour, with references to the particular requests. The communication suggested that the requests had led to a loss of trust between the two organisations, and identified potential consequences if the applicant's use of FOI in that context was not explained.

The Recommendation requires Aberdeenshire Council to take the following actions:

  • Ensure that all staff are adequately trained in understanding the 'applicant blind' principle and that the requester's identity (and matters relating to that identity) should only be shared with third parties in very limited circumstances.
  • Emphasise to senior managers the leadership they are expected to provide and the example they are expected to show, in this and all other aspects of the management of freedom of information across the council.
  • Report back to the Commissioner with details and evidence of training provided to all staff, including the more focused training for senior managers, by 28 February 2022.

The Commissioner believes that the action taken in this case will act as a reminder to all Scottish public authorities of the importance of maintaining an 'applicant blind' approach to handling information requests and not sharing applicants' identity with third parties, and that he is ready to use his enforcement powers whenever required.

He said:

"The importance of handling requests in an 'applicant blind' manner cannot be overstated, as it is a key principle underlying the effective exercise of freedom of information. Members of the public must not be put off exercising their statutory rights under FOI law by a concern that they will be adversely impacted as a result.

"My aim with this Practice Recommendation is not to single out the council, but ultimately to enable it and all authorities to learn lessons from this case and to encourage them to renew their focus on ensuring that good FOI practice is maintained at all times."

Download the Practice Recommendation.

Further information

This Practice Recommendation (001/2021) is issued under sections 43 and 44 of the Freedom of Information (Scotland) Act 2002 (FOISA). Section 43(1) requires the Commissioner to promote the following of good practice by Scottish public authorities, and in particular, adherence to FOISA itself and the codes of practice issued under sections 60 and 61 of FOISA. Section 44(1) allows the Commissioner to issue a practice recommendation if it appears that a Scottish public authority is not conforming with those codes of practice.

As required by section 44(2) of FOISA, the Commissioner has identified the following specific provisions of the Code of Practice on the Discharge of Functions by Scottish Public Authorities under FOISA and the Environmental Information (Scotland) Regulations 2004 (known as the Section 60 Code) with which the Commissioner believes the authority has failed to comply:

  • Paragraph 1.2.1: "Meeting the requirements of the legislation and bringing about a culture of openness depends significantly on leadership from the top."
  • Paragraph 1.2.3: "Senior managers should ... take responsibility and be accountable for FOI in their areas."
  • Paragraph 1.3.1: "Authorities should provide training to ensure that all staff have sufficient knowledge of the regimes."
  • Paragraph 7.5.2: "If the applicant is an individual their identity should almost always remain withheld from third parties as this is personal data and its disclosure is likely to be in breach of the Data Protection Principles. There may be occasions when the identity of the applicant is relevant to the request but it should not be shared with third parties unless permission is sought and granted, or the request was made in the public domain (e.g. via whatdotheyknow.com)."