Where a Scottish public authority (including Registered Social Landlords (RSLs)) receives a Freedom of Information (FOI) request relating to one of their ‘FOI functions’; such information must be provided, except where an exemption applies under The Freedom of Information (Scotland) Act 2002 (FOISA). FOI requests often contain elements of third-party personal data, meaning that RSLs must consider their legal obligations under FOISA, together with the UK GDPR and the Data Protection Act 2018 (DPA).

Section 38(1) of FOISA provides for exemptions of personal data specifically if it constitutes personal data of which the applicant is the data subject; personal census information; or a deceased person’s health record. Additionally, Section 38(1)(b) of FOISA provides for an exemption to be applied, where any one of the following conditions apply:

• Disclosure of the personal data would be in contravention of the data protection principles; or would do so where the manual unstructured data held by public authorities’ exemptions were disregarded (Section 24(1) of the Data Protection Act 2018)

FOISA provides that where disclosure of the personal data would contravene any of the data protection principles, then the personal data is exempt from disclosure. FOISA provides that Article 5(1) of the UK GDPR and Section 34(1) of the DPA are to be considered, and whilst there are several data protection principles, the principle that personal data shall be ‘processed lawfully, fairly and in a transparent manner in relation to the data subject’ is noted by SIC as likely the only relevant principle. When considering this principle, the following three factors should be considered:

1. Article 6 of the UK GDPR states that processing will only be lawful is one of the several justifications apply, including where consent has been given by the data subject. However, the Scottish Information Commissioner (SIC) advised that given the narrow interpretation attributed to consent, the lawful reasoning often used in practice is that ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.’ The last point involves a balancing exercise between the rights of the requester and the rights and freedoms of the data subject.

2. Personal data should be processed fairly. The Information Commissioner’s Office (ICO) have provided guidance which provides that personal data should only be handled in ways which people would reasonably expect, and to not use it in ways that would have unjustified effects on them. SIC provides a number of factors to take into consideration here, including (amongst others) whether the personal data relates to public or private life; the seniority of a data subjects role within their profession; whether disclosure would cause distress or harm to the data subject; and whether the data subject has objected to the disclosure. No one factor should be decisive, rather they should be considered together.

3. If there are no conditions which would allow the personal data to be processed, the disclosure of the data will be unlawful.

•  Contravention of Article 21 of the UK GDPR

Where a data subject has objected to an RSL processing their personal data under Article 21 of the UK GDPR, an RSL must firstly consider whether a valid objection has been made in accordance with the requirements of the UK GDPR. If yes, an RSL must consider the rights, freedoms and interests of the data subject against the public interest in disclosure. If the public interest is more compelling the information should be disclosed. The SIC suggests that the public interest does not mean what is of interest to the public but rather what is in the interest of the public.

• Where the data subject would not be entitled to the personal data if they made a Subject Access Request under the UK GDPR or the Data Protection Act 2018.

Where the data subject would not be entitled to the personal data under a Subject Access Request (due to various exemptions under data protection law) and the public interest test is applied in favour of withholding the personal data, then it is exempt from disclosure.  RSLs should keep in mind that there are additional considerations to take into account where a FOI request is seeking the disclosure of the personal data of the person making the request (generally that this information will likely be exempt under s.38(1)(a) of FOISA but deemed to be a Subject Access Request and should be handled accordingly).

It should also be noted that an RSL may neither confirm nor deny whether requested information is held, under a Section 18 FOISA notice. This is possible where one of the above conditions apply, and where the RSL considers that to reveal whether the information exists would be contrary to the public interest.

Given that non-compliance of both FOISA and data protection law could result in enforcement action being taken against an RSL it is important for RSLs to fully consider FOI requests concerning personal data on a case-by-case basis, in line with the above considerations.

We have an experienced team that are able to advise on all issues relating to data protection and FOI. Please contact our team here if you would like more information or advice.