Decision Notice. Decision 083/2018: Ms L and Edinburgh College

Similar documents
Decision 192/2006 Mr David Sharpe and the Chief Constable of Strathclyde Police

Decision 073/2014 Mr Derek Cooney and the Scottish Court Service

Decision 254/2013 Mr Peter Mortimer and Glasgow City Council

Decision 106/2012 Dr Nick McKerrell and Glasgow Caledonian University

Decision Notice. Decision 139/2016: Mr H and the Scottish Prison Service. Policy and procedures. Reference No: Decision Date: 28 June 2016

Decision Notice. Decision 005/2015: Mr M and the Chief Constable of the Police Service of Scotland

Decision 063/2012 Mr Drew Cochrane of the Largs and Millport News and the Chief Constable of Strathclyde Police

Decision 202/2011 Ms Geraldine Bell and Glasgow City Council

Decision 177/2010 Ms Matilda Gifford and the Chief Constable of Strathclyde Police

Decision 087/2009 Mr Murdo Gordon and the Scottish Court Service

Applicant: Ms Suzi Eskandari Authority: Scottish Children s Reporter Administration Case No: and Decision Date: 31 October 2007

Decision 031/2009 Mr L and the Scottish Prison Service. Policy relating to Asperger s syndrome. Reference No: Decision Date: 18 March 2009

Decision 024/2007 Mr Charles Traynor and the Chief Constable of Strathclyde Police

Decision Notice. Decision 181/2018: Mr G and Community Safety Glasgow

Decision Notice. Decision 047/2018: James Donnelly and the Chief Constable of the Police Service of Scotland

Decision Notice. Decision 106/2018: Mr C and the Chief Constable of the Police Service of Scotland. Detention of an individual

2. In July 2013, prior to the Colleges merger, Mr K submitted a complaint to the then Clydebank College.

Decision Notice. Decision 176/2016: Mr Roy Mackay and Scottish Borders Council. Archiving of s

Decision 287/2013 Mr Stewart V. Mackenzie and Perth and Kinross Council

Decision 120/2007 Mr Russell Findlay and the Chief Constable of Fife Constabulary

Decision 257/2013 Mr N and Perth and Kinross Council. Breadalbane Academy Secondary School fund

Decision 267/2013 Mr Jonathan Flynn and Perth and Kinross Council

Decision 207/2013 Mr and Mrs B and the Scottish Court Service

Decision 076/ Mr David Laing and the Chief Constable of Fife Constabulary

Decision 021/2005 Mr Michael Collie and the Common Services Agency for the Scottish Health Service

Decision 019/2011 Mr Allan Clark and Glasgow City Council. Names and addresses of Glasgow s Community Councillors

Decision 156/2011 Mr Ralph Lucas and the University of Glasgow

Decision 100/2013 Mr Alistair Sloan and the Scottish Ministers. Refusal to confirm or deny whether information is held

Decision 103/2010 Ms Jane Saren and City of Edinburgh Council

Decision 198/2014: Mr Michael McGovern and Glasgow City Council

Decision Notice. Decision 206/2018: Mr M and Aberdeenshire Council

Decision 055/2009 Mr N and South Lanarkshire Council. Inspection report and telephone note. Reference No: Decision Date: 18 May 2009

Decision 273/2013 Mr Colin McLeod and Dundee City Council. Marchbanks recycling centre. Reference No: Decision Date: 3 December 2013

Decision 100/2010 Mr John McClelland and City of Edinburgh Council

Decision 122/2010 Mr Kevin McIntyre and Clackmannanshire Council

Decision 070/2005 Ms R and the Scottish Tourist Board (operating as VisitScotland)

Psychometric tests used during Sex Offender Treatment Programme

Decision 166/2013 Mr David Scott and Historic Scotland. Old Beacon, North Ronaldsay. Reference No: Decision Date: 9 August 2013

Applicant: Mr Norman Brown Authority: The Chief Constable of Strathclyde Police Case No: and Decision Date: 26 July 2007

Decision 009/2009 Ms Jean Kesson and Glasgow City Council. Workforce Pay and Benefits Review. Reference No: Decision Date: 6 February 2009

Decision 012/2008 Councillor Paul Welsh and North Lanarkshire Council

Decision 136/2009 Fauldhouse Community Council and West Lothian Council. Submission to a legal adviser regarding a right of way dispute

Decision 053/2011 Mr George Green and East Lothian Council. Purchase of audio-visual equipment. Reference No: Decision Date: 14 March 2011

Decision 215/2013 Mr Nigel Dale and Aberdeen City Council. Social work policies and procedures. Reference No: Decision Date: 2 October 2013

Decision 059/2011 Ms Agnes McWhinnie and City of Edinburgh Council

Decision 208/2006 Ms X and Scottish Borders Council

Decision 067/2006 Mr George Harper & Perth and Kinross Council

Decision 025/2010 Mr Peter Petersen and Grampian Joint Police Board

Decision 010/2011 Mr Keith Knowles and the Scottish Court Service

Statistical information on complications and injuries associated with forceps delivery

DISCLOSURE POLICY. 3.1 The Board of the Commission approved this policy on 19 December 2014.

Decision 119/2007 Ms N and the Common Services Agency for the Scottish Health Service

Decision 092/2010 Mr N and South Lanarkshire Council. Whether request vexatious. Reference No: Decision Date: 14 June 2010

Decision 120/2009 Mr Graeme Cassie and Midlothian Council. Procurement and conversion of Parkhead Lodge, Penicuik

Decision 221/2010 Mr Gavin Catto and Aberdeen City Council. Failure to respond to a request and request for review

Decision 036/2007 Ms Sandra Uttley and the Chief Constable of Central Scotland Police

Failure to respond to request and request for a review within timescales

Section 25: Information otherwise accessible Exemption Briefing

Information exempt from the subject access right (section 40(4) and

Freedom of Information Act 2000 (FOIA) Decision notice

Freedom of Information Act 2000 (Section 50) Decision Notice

Freedom of Information Act 2000 (Section 50) Decision Notice

Freedom of Information Act 2000 (Section 50) Environmental Information Regulations Decision Notice

Freedom of Information Act 2000 (FOIA) Decision notice

Freedom of Information Act 2000 (FOIA) Decision notice

FREEDOM OF INFORMATION ACT 2000 (SECTION 50) DECISION NOTICE. Dated 5 June Public Authority: Newry and Mourne Health and Social Services Trust

Environmental Information Regulations Decision Notice

The Campaign for Freedom of Information

I refer to your recent request for information which has been handled in accordance with the Freedom of Information (Scotland) Act 2002.

Decision 096/2006 Mr George Waddell and South Lanarkshire Council

Port Glasgow St Andrew s Data Protection Policy

GENERAL PROTOCOL FOR SHARING INFORMATION BETWEEN AGENCIES IN KINGSTON UPON HULL AND THE EAST RIDING OF YORKSHIRE

Freedom of Information Act 2000 (FOIA) Decision notice

Freedom of Information Act 2000 (FOIA) Decision notice

Freedom of Information Act 2000 (FOIA) Decision notice

Mannofield Parish Church. Registered Scottish Charity No: SC (the Congregation ) Data Protection Policy

Freedom of Information Act 2000 (Section 50) Decision Notice

Data Protection Bill [HL]

Data Protection Policy

Freedom of Information Act 2000 (FOIA) Decision notice

Freedom of Information Act Environmental Information Regulations 2004 (EIR) Decision notice

Data Protection Policy

SCHEDULE Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

- and - OPINION. Reasons

Freedom of Information Act 2000 (Section 50) Decision Notice

Freedom of Information Act 2000 (FOIA) Decision notice

Freedom of Information Act 2000 (FOIA) Environmental Information Regulations 2004 (EIR) Decision notice

Freedom of Information Act Environmental Information Regulations 2004 (EIR) Decision notice

Refusing a request under the EIR

Freedom of Information Act 2000 (FOIA) Decision notice

Data Protection Bill [HL]

Freedom of Information Act 2000 (FOIA) Environmental Information Regulations 2004 (EIR) Decision notice

Freedom of Information Act 2000 (FOIA) Decision notice

CCTV CODE OF PRACTICE

Saturday, 7 November 15

Freedom of Information

European College of Business and Management Data Protection Policy

SCOTTISH AMBULANCE SERVICE CODE OF CORPORATE GOVERNANCE. Approved: Scottish Ambulance Service Board Date January Review Date: January 2016

CSCU9Q5. Data Protection and Freedom of Information Acts

2013 No. POLICE. The Police Service of Scotland (Conduct) Regulations 2013

Transcription:

Decision Notice Decision 083/2018: Ms L and Edinburgh College Students on the Sex Offenders Register Reference No: 201800285 Decision Date: 13 June 2018

Summary The College was asked for statistical information about students who were enrolled at the College while on the Sex Offenders Register. The College withheld the requested information, considering it to be personal data exempt from disclosure. The Commissioner accepted that the withheld information was exempt from disclosure for the reasons given by the College. Relevant statutory provisions Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (4) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2)(a)(i), (2)(b) and (5) (definitions of "data protection principles", "data subject" and "personal data") (Personal information) Data Protection Act 1998 (the DPA 1998) sections 1(1) (Basic interpretative provision) (definition of personal data); Schedules 1 (The data protection principles, Part 1 - the principles) (the first data protection principle); 3 (Conditions relevant for purposes of the first principle: processing of sensitive personal data (conditions 1 and 5)) Data Protection Act 2018 (the DPA 2018) Schedule 20 (Transitional provision etc - paragraph 56) The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision. Background 1. On 27 November 2017, Ms L made a request for information to Edinburgh College (the College). The information requested was: How many students have you enrolled in your college in the following academic years, in the knowledge that they were listed on the Sex Offenders Register at that time? - 2015-16 - 2016-17 - 2017-18 (to date) How many of these students were subject to a MAPPA (Multi-Agency Public Protection Arrangements) plan or similar conditions? How many of these students failed to adhere to the conditions applied? How many of these students attained the qualification they were seeking? 2. The College responded on 21 December 2017. It gave notice that it did not hold some of the information, in line with section 17(1) of FOISA. It stated that, as individuals could be identified from the information alongside other available information, the remaining information was exempt from disclosure under section 38(1)(b) of FOISA (Personal information). Page 1

3. On 21 December 2017, Ms L emailed the College requesting a review of its decision. She questioned why some of the information was not held and, in relation to the withheld information, she considered that, due to the large number of students enrolled at the college, risk of identification from such statistical information would be virtually nil. 4. The College notified Ms L of the outcome of its review on 30 January 2018. It modified its position and stated that all of the requested information was exempt under section 38(1)(b) of FOISA. 5. On 10 February 2018, Ms L applied to the Commissioner for a decision in terms of section 47(1) of FOISA. Ms L did not agree that the exemption had been correctly applied, and reiterated the points she had made in her request for review. Investigation 6. The application was accepted as valid. The Commissioner confirmed that Ms L made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision. 7. On 14 March 2018, the College was notified in writing that Ms L had made a valid application. The College was asked to send the Commissioner the information withheld from Ms L. The College provided the information and the case was allocated to an investigating officer. 8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The College was invited to comment on this application and answer specific questions including justifying its reliance on any provisions of FOISA it considered applicable to the information requested. It responded on 28 May 2018. 9. Ms L was asked for her comments on her legitimate interest in obtaining the withheld personal data; she did not respond. Commissioner s analysis and findings 10. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both Ms L and the College. He is satisfied that no matter of relevance has been overlooked. Data Protection Act 2018 (Transitional provisions) 11. On 25 May 2018, the DPA 1998 was repealed by the DPA 2018. Amongst many other things, the DPA 2018 amended section 38 of FOISA. It also introduced a set of transitional provisions which set out what should happen where a public authority dealt with an information request before FOISA was amended on 25 May 2018, but where the matter is being considered by the Commissioner after that date. 12. In line with paragraph 56 of Schedule 20 to the DPA 2018 (see Appendix 1), if an information request was dealt with before 25 May 2018 (as is the case here), the Commissioner must consider the law as it was before 25 May 2018 when determining whether the authority dealt with the request in accordance with Part 1 of FOISA. Page 2

13. Paragraph 56 of Schedule 20 goes on to say that, if the Commissioner concludes that the request was not dealt with in accordance with Part 1 of FOISA (as it stood before 25 May 2018), he cannot require the authority to take steps which it would not be required to take in order to comply with Part 1 of FOISA on or after 25 May 2018. 14. The Commissioner will therefore consider whether the College was entitled to apply the exemption in section 38(1)(b) of FOISA under the old law. If he finds that the College was not entitled to withhold the information under the old law, he will only order the College to disclose the information if disclosure would not now be contrary to the new law. Section 38(1)(b) of FOISA (Personal information) 15. Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or, as appropriate, section 38(2)(b), exempts information from disclosure if it is "personal data" (as defined in section 1(1) of the DPA 1998) and its disclosure would contravene one or more of the data protection principles set out in Schedule 1 to the DPA 1998. 16. The exemption in section 38(1)(b) of FOISA is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA. 17. In order to rely on this exemption, the College must show that the information being withheld is personal data for the purposes of the DPA 1998 and that its disclosure into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles to be found in Schedule 1 to the DPA 1998. The College considered disclosure of the information would breach the first data protection principle. Is the withheld information personal data? 18. Personal data are defined in section 1(1) of the DPA 1998 as data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller (the full definition is set out in Appendix 1). 19. The College submitted that disclosure of the withheld information would identify living individuals. The College stated that, as the numbers are extremely low, it would be possible to combine this information with other information to identify the individual or individuals. 20. The College believed there was an extremely high risk of the student(s) being identified if the statistical information was disclosed. It provided detailed submissions to explain how the individuals could be identified. (These submissions are not replicated here, as to do so could have the effect of identifying any individual(s) concerned, but they were detailed and persuasive.) 21. Having considered the submissions received from the College and the withheld information, the Commissioner accepts the arguments put forward by the College, and is satisfied that it would be possible for a determined individual to identify living individual(s) covered by the request, if the requested information was combined with other information likely to be accessible to Ms L (and others). The withheld information clearly relates to one or more living individuals. Consequently, the Commissioner accepts that the information is personal data, as defined by section 1(1) of the DPA 1998. Page 3

Is the information under consideration sensitive personal data? 22. The College submitted that the withheld information constituted sensitive personal data. The College provided reasons, and referred to the definition of sensitive personal data within section 2 of the DPA 1998. 23. In this case, the Commissioner is satisfied that all of the withheld personal data falls into the category of sensitive personal data listed in section 2(g) of the DPA 1998 (see Appendix 1). Would disclosure of the personal data contravene the first data protection principle? 24. In its submissions, the College argued that disclosure of the withheld personal data would contravene the first data protection principle, which requires that personal data are processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 to the DPA 1998 is met. In the case of sensitive personal data, at least one of the conditions in Schedule 3 to the DPA 1998 must also be met. The processing in this case would comprise making the information publicly available in response to Ms L s request. 25. Given the additional restrictions surrounding the disclosure of sensitive personal data, it is necessary in this case to consider whether there are any conditions in Schedule 3 which would permit the data to be disclosed, before considering the Schedule 2 conditions. 26. The conditions listed in Schedule 3 to the DPA 1998 have been considered by the Commissioner, as have additional conditions for processing sensitive personal data contained in legislation such as the Data Protection (Processing of Sensitive Personal Data) Order 2000. The Commissioner has not identified any of these additional conditions as potentially applicable in this case. 27. The Commissioner s guidance on section 38(1)(b) 1 of FOISA notes that the conditions in Schedule 3 are very restrictive in nature and that, generally, only the first and fifth conditions are likely to be relevant when considering a request for sensitive personal data under FOISA. 28. Condition 1 allows processing where the data subject has given explicit (and fully informed) consent to the processing (which in this case would be disclosure into the public domain in response to Ms L's request). Condition 5 allows processing where information contained in the personal data has been made public as a result of steps deliberately taken by the data subject. 29. The Commissioner has concluded that it would not be reasonable or appropriate to seek consent from the data subject(s) for disclosure of the personal data, and that condition 1 could not be met in this case. He is also satisfied that none of the information under consideration has been made public as a result of steps deliberately taken by the data subject(s), and so condition 5 could not be met in this case. 30. Having reached these conclusions, and also having concluded that no other condition in Schedule 3 (or any other legislation) applies in the circumstances of this case, the Commissioner finds that there are no conditions which would allow the sensitive personal data to be disclosed. 31. In the absence of a condition in Schedule 3 permitting the sensitive personal data to be disclosed, the Commissioner must find that disclosure would be unfair. In the absence of such a condition, disclosure would also be unlawful. Consequently, disclosure of the 1 http://www.itspublicknowledge.info/law/foisa-eirsguidance/section38/section38.aspx Page 4

sensitive personal data would contravene the first data protection principle. The Commissioner therefore finds that the College was correct to withhold the information requested by Ms L, as it was exempt from disclosure under section 38(1)(b) of FOISA. Transitional provisions 32. Given that the Commissioner has found that the College complied with Part 1 of FOISA (as it stood before 25 May 2018) in responding to the request by Ms L, he is not required to go on to consider whether disclosure would breach Part 1 of FOISA as it currently stands. Decision The Commissioner finds that the College complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by Ms L. Appeal Should either Ms L or the College wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision. Margaret Keyse Head of Enforcement 13 June 2018 Page 5

Appendix 1: Relevant statutory provisions Freedom of Information (Scotland) Act 2002 1 General entitlement (1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority. (4) The information to be given by the authority is that held by it at the time the request is received, except that, subject to subsection (5), any amendment or deletion which would have been made, regardless of the receipt of the request, between that time and the time it gives the information may be made before the information is given. (6) This section is subject to sections 2, 9, 12 and 14. 2 Effect of exemptions (1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that (a) the provision does not confer absolute exemption; and (2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption (e) in subsection (1) of section 38 (ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section. 38 Personal information (1) Information is exempt information if it constitutes- (b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied; Page 6

(2) The first condition is- (a) (b) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene- (i) (5) In this section- any of the data protection principles; or in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded. "the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act; "data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act; Data Protection Act 1998 1 Basic interpretative provisions (1) In this Act, unless the context otherwise requires personal data means data which relate to a living individual who can be identified (a) (b) from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual; 2 Sensitive personal data In this Act sensitive personal data means personal data consisting of information as to- (g) the commission or alleged commission by [the data subject] of any offence, or Page 7

Schedule 1 The data protection principles Part I The principles 1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless (a) (b) at least one of the conditions in Schedule 2 is met, and in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met. Schedule 3 Conditions relevant for purposes of the first principle: processing of sensitive personal data 1. The data subject has given his explicit consent to the processing of the personal data. 5. The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject. Data Protection Act 2018 Schedule 2 Transitional provision etc 56 Freedom of Information (Scotland) Act 2002 (1) This paragraph applies where a request for information was made to a Scottish public authority under the Freedom of Information (Scotland) Act 2002 ( the 2002 Act ) before the relevant time. (2) To the extent that the request is dealt with after the relevant time, the amendments of the 2002 Act in Schedule 10 to this Act have effect for the purposes of determining whether the authority deals with the request in accordance with Part 1 of the 2002 Act. (3) To the extent that the request was dealt with before the relevant time (a) (b) the amendments of the 2002 Act in Schedule 19 to this Act do not have effect for the purposes of determining whether the authority deals with the request in accordance with Part 1 of the 2002 Act as amended by Schedule 19 to this Act, but the powers of the Scottish Information Commissioner and the Court of Session, on an application or appeal under the 2002 Act, do not include power to require the authority to take steps which it would not be required to take in order to comply with Part 1 of the 2002 Act as amended by Schedule 19 to this Act. (4) In this paragraph - Scottish public authority has the same meaning as in the 2002 Act; the relevant time means the time when the amendments of the 2002 Act in Schedule 19 to this Act come into force. Page 8

Scottish Information Commissioner Kinburn Castle Doubledykes Road St Andrews, Fife KY16 9DS t 01334 464610 f 01334 464611 enquiries@itspublicknowledge.info www.itspublicknowledge.info

2024 © lawsdocbox.com Privacy Policy | Terms of Service | Feedback