Common Services Agency v Scottish Information Commissioner (Scotland)

I have had the advantage of reading in draft the speech of my noble and learned friend Lord Hope of Craighead. For the reasons he gives, with which I agree, I too would allow this appeal.

This case raises important questions about the interaction between provisions of the Data Protection Act 1998 (" DPA 1998") on the one hand and provisions of the Freedom of Information (Scotland) Act 2002 ("FOISA 2002") on the other. The corresponding provisions of the Freedom of Information Act 2000 ("FOIA 2000"), which extends to the whole of the United Kingdom and applies to UK public authorities located in Scotland, are not engaged directly. The appellant, the Common Services Agency ("the Agency"), is a special Health Board the regulation of whose functions is a matter for the Scottish Parliament: see FOIA 2000, section 80. But much of the wording of section 38 of FOISA 2002, which addresses the overlap between rights of access under that Act and rights of access under DPA 1998, is reproduced in section 40 of FOIA 2000, which addresses the same problem. Section 38(2)(a) of FOISA, in particular, is in exactly the same terms as section 40(3)(a) of FOIA 2000. So resolution of these questions will have a bearing on the interaction between DPA 1998 and freedom of information legislation throughout the United Kingdom.

Unlike DPA 1998, which was designed to implement Council Directive 95/46/EC of 25 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, neither FOIA 2000 nor FOISA 2002 were enacted to give effect to the United Kingdom's obligations under community law. But there had been increasing pressure for the enactment of legislation of this kind, reflecting concern about the lack of openness on the part of the executive. The US Freedom of Information Act 1966 was an important landmark, as was the introduction, following Declaration No 17 to the Treaty of Maastricht 1992 that openness is an essential aspect of democracy, in 1994 of a provision giving freedom of information rights to any citizen of the EU enforceable against institutions of the European Community: article 255 EC. The Labour Party came to power in 1997 with a manifesto commitment to introduce a Freedom of Information Act.FOIA 2000 was the product of that commitment. In November 1999, within six months of the commencement of the Scotland Act 1998, the Scottish Executive published a consultation document called "An Open Scotland". This was followed by the publication in March 2001 of a draft Freedom of Information (Scotland) Bill.Section 1(1) of FOISA 2002 resulted from these initiatives. It sets out a general entitlement on the part of any applicant for information from a Scottish public authority which holds it to be given that information. But the general entitlement to that information is qualified by the reference in section 2 to exemptions. An annotation in Current Law Statutes describes section 2 as probably the most structurally significant section of the Act.

There is much force in Lord Marnoch's observation in the Inner House that, as the whole purpose of FOISA is the release of information, it should be construed in as liberal a manner as possible: [2006] CSIH 58, 2007 SC 231, para 32. But that proposition must not be applied too widely, without regard to the way the Act was designed to operate in conjunction with DPA 1998. It is obvious that not all government can be completely open, and special consideration also had to be given to the release of personal information relating to individuals. So while the entitlement to information is expressed initially in the broadest terms that are imaginable, it is qualified in respects that are equally significant and to which appropriate weight must also be given. The scope and nature of the various exemptions plays a key role within the Act's complex analytical framework.

Section 2(1) FOISA 2002 distinguishes between exemptions which are absolute and those which are not. A provision which confers absolute exemption is not subject to a public interest test. Other exemptions are. Among the absolute exemptions is that for "personal data" within the meaning given to that expression by section 1(1) of DPA 1998: FOISA 2002, section 38. According to the Explanatory Notes, p 6, this section is intended to ensure that FOISA does not interfere with DPA 1998. Any information which constitutes personal data of which the applicant is the data subject is exempt from the obligation which section 1 FOISA 2002 imposes on the public authority: section 38(1)(a). The right of the data subject to obtain access to that information is confined to that which the individual is given by sections 7 to 9 DPA 1998. Any information which constitutes personal data other than that of which the applicant is the data subject is also exempt if it satisfies one or other of two conditions which are designed to preserve the application of DPA 1998 to that information. This is the effect of section 38(1)(b), section 38(2) and section 38(3).

Section 38(1)(b) FOISA 2002 provides:

"Information is exempt information if it constitutes -

(b) personal data and either the condition mentioned in subsection (2) (the 'first condition') or that mentioned in subsection (3) (the 'second condition') is satisfied."

The second condition mentioned in section 38(3) is not relevant to this case. The first condition mentioned in section 38(2) takes one or other of two alternative forms, of which the one relevant to this case is set out in section 38(2)(a) (i) as follows:

"The first condition is -

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of 'data' in section 1(1) of the Data Protection Act 1998 (c 29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene -

(i) any of the data protection principles."

The data protection principles are set out in Schedule 1 DPA 1998. The first principle is in para 1 of Schedule 1, which provides:

"Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met."

In my opinion there is no presumption in favour of the release of personal data under the general obligation that FOISA lays down. The references which that Act makes to provisions of DPA 1998 must be understood in the light of the legislative purpose of that Act, which was to implement Council Directive 95/46/EC. The guiding principle is the protection of the fundamental rights and freedoms of persons, and in particular their right to privacy with respect to the processing of personal data: see recital 2 of the preamble to, and article 1(1) of, the Directive. Recital 34 and article 8(1) recognise that some categories of data require particularly careful treatment.Section 2 DPA 1998, which defines the expression "sensitive personal data", must be understood in the light of this background.

The request and how it was dealt with

Among the functions which the Agency performs under the powers that have been given to it by the National Health Service (Functions of the Common Services Agency) (Scotland) Order 1974 (SI 1974/467), as amended, is the collection and dissemination of epidemiological information from other Health Boards. It was with that in mind that on 11 January 2005 Mr Collie, acting on behalf of Chris Ballance who was then a member of the Scottish Parliament, asked the Agency to supply him with details of all incidents of childhood leukaemia for both sexes by year from 1990 to 2003 for all the DG (Dumfries and Galloway) postal area by census ward. There is no doubt that there was, and still is, a genuine public interest in the disclosure of this information. For many years concern has been expressed about risks to public health in the area arising from operations at the MOD's Dundrennan firing range, the now decommissioned nuclear reactor at Chapelcross and the nuclear processing facilities at Sellafield. But the Agency refused Mr Collie's request. He was told that the Agency did not hold these details for 2002 or 2003 as the data relating to these years was still incomplete. As for the earlier years, there was a significant risk of the indirect identification of living individuals due to the low numbers resulting from the combination of the rare diagnosis, the specified age group and the small geographic area. As a result it was personal data within the meaning of section 1(1) of DPA and was exempt information for the purposes of FOISA 2002. The Agency also maintained that it owed a duty of confidence equivalent to that of the clinicians to whom the information had originally been made available.

Mr Collie then applied to the Commissioner under section 47 FOISA 2002 for a...