APPEAL UNDER SECTION 56 OF THE FREEDOM OF INFORMATION (SCOTLAND) ACT 2002 BY DAVID GILROY AGAINST THE SCOTTISH INFORMATION COMMISSIONER AND THE CHIEF CONSTABLE OF POLICE SCOTLAND
FIRST DIVISION, INNER HOUSE, COURT OF SESSION
[2016] CSIH 18
XA11/15
Lord President
Lady Smith
Lady Clark of Calton
OPINION OF THE COURT
delivered by LORD CARLOWAY, the LORD PRESIDENT
in the appeal under
SECTION 56 OF THE FREEDOM OF INFORMATION (SCOTLAND) ACT 2002
by
DAVID GILROY
Appellant;
against
THE SCOTTISH INFORMATION COMMISSIONER
First Respondent;
THE CHIEF CONSTABLE OF POLICE SCOTLAND
Second Respondent:
Act: Party
Alt (First Respondent): Johnston QC; Anderson Strathern
Alt (Second Respondent): MacGregor; Clyde & Co
17 February 2016
Introduction
[1] This is an appeal against the decision of the first respondent, dated 8 January 2015, which found that the second respondent was entitled to withhold the requested information on the ground that it was personal data and exempt from disclosure under section 38(1)(a) of the Freedom of Information (Scotland) Act 2002. The point raised is essentially a short one. It is whether a list of CCTV images, compiled during a police investigation of the appellant for the murder of Suzanne Pilley, is “personal data” for the purpose of section 1 of the Data Protection Act 1998. At the root of the appeal, however, is a broader contention from the appellant that there exists, or existed, CCTV images which could somehow undermine his conviction. Just what these images might show is not at all clear.
Background
[2] On 20 May 2014, the appellant wrote to the second respondent requesting:
“a copy of the comprehensive list of the CCTV which was recovered by the Police, as part of their in[ve]stigations into my case. The CCTV ... is that which was detailed in the BBC documentary ….
I am seeking the full list of recovered CCTV with the date it was obtained by the police, the details of when the images occurred, and the location to which it refers, as detailed in each ‘Lothian & Borders Police Certificate in terms of section 283 of the criminal procedure (Scotland) act 1995’”.
The request appears to presuppose the existence of a physical list, compiled during the course of the investigation. However, at the hearing, it was not clear whether there was such a list. Rather, what the appellant really wanted was for someone to compile such a list.
[3] The second respondent initially advised the appellant that a list had already been disclosed to his legal representative. The appellant wrote again requesting a review of that decision, but, it was said, the letter had not been received. On 30 July 2014, the appellant applied to the first respondent for a review of the second respondent’s refusal. On 15 August 2014, the second respondent reviewed the request and refused to disclose the information.
[4] The appellant was not satisfied with that response. He applied to the first respondent for a decision under section 47(1) of the 2002 Act. The second respondent argued that he had classified the information as personal data, which was governed by the DPA, and thus exempt from disclosure in terms of section 38(1)(a). As the information had also formed part of a criminal investigation, it was also exempt under section 34(1)(c). The first respondent upheld the decision of the second respondent under section 34(1)(a). She did not go on to consider whether the information was exempt under section 34(1)(c).
[5] The appellant made a data subject access request to the second respondent, under the DPA, for the same information as he had sought under the 2002 Act. As a consequence, a list of CCTV locations was disclosed to him. The appellant is not satisfied that this list is comprehensive. He maintains that it shows locations not previously disclosed and does not reveal all possible locations, some of which, from other information, he knows to exist.
Submissions
Appellant
[6] The appellant submitted that the decision of the first respondent to classify the information sought as personal data was not rational. He accepted that he had been able to secure certain data under the DPA, but it was not clear whether all of it was material which he would have recovered had his 2002 Act application been properly processed. Under reference to Durant v Financial Services Authority [2004] FSR 28, Common Services Agency v Scottish Information Commissioner 2008 SC (HL) 184, South Lanarkshire Council v Scottish Information Commissioner 2014 SC (UKSC) 1, and Craigdale Housing Association v Scottish Information Commissioner 2010 SLT 655, he maintained that the information was not personal data, or if it was, it could be anonymised. Furthermore, the appellant maintained that he was seeking information, contained on CCTV, which showed not only himself, but others, including Suzanne Pilley.
First Respondent
[7] The first respondent submitted, first, that the characterisation of the request as one relating to personal data was correct. It was consistent with the terms of section 1 of the DPA, the underlying European Directive 95/46/EC and the relevant case law. The information requested was a list of CCTV images recovered. The images had been recovered for the purposes of the police investigation into the appellant; the information related to the appellant’s activities; and the appellant’s case had been reported widely in the media. The information was biographical in a significant sense. Its focus was not incidental to him, but was directed on his activities. It related to his conviction (see Durant v Financial Services Authority (supra) at paras [27]-[28]). Even if the information alone did not constitute personal data, it did when taken together with the widely known information about the case (Common Services Agency v Scottish Information Commissioner (supra) at paras [24] – [25]). It was not possible to anonymise the information, since it related specifically to the appellant. It was legitimate to take into account the means likely to be used to identify the individual, for example by an investigative journalist, to determine whether or not the information did constitute personal data (Craigdale Housing Association v Scottish Information Commissioner (supra) at para [24]).
[8] Secondly, it was submitted that the use of the 2002 Act to obtain personal data was not a legitimate course. The appropriate route for the appellant to obtain the information had always been through a subject access request under the DPA (Common Services Agency v Scottish Information Commissioner (supra) at para [63]). This method ensured that appropriate and necessary protection was given to personal data. The appellant had submitted a request to the second respondent as a data subject, and had received a list of CCTV locations. The appeal was thus academic, although it was accepted that the court may still feel constrained to determine the points raised (see Beggs v Scottish Information Commissioner 2015 SC 520). If the appellant were concerned about the completeness of the list, that would be an issue of whether the second respondent had complied with the requirements of the DPA. Compliance with the DPA did not fall within the jurisdiction of the first respondent.
Second Respondent
[9] The second respondent submitted, first, that the appeal was academic, as the appellant had obtained the list through a subject access request. The court ought not to determine academic issues (R (the Howard League for Penal Reform) v Secretary of State for the Home Department [2003] 1 FLR 484). Secondly, an appeal to the court was on a point of law only and this appeal did not identify any error of law. The determination of whether the information was “personal data” was one of fact (Craigdale Housing Association v Scottish Information Commissioner (supra) at para [28], following the Common Services Agency v Scottish Information Commissioner (supra) at paras [27] and [87] and the South Lanarkshire Council v Scottish Information Commissioner (supra) at para [31]).
[10] Thirdly, the term “personal data” was wide and general. It covered all information held relating to an individual. The two key elements were that the information had to relate to an individual, and the individual had to be identifiable. All data will be personal, where the processing of it had an impact on the individual or was obviously about an individual. The context of the request was relevant. This appellant could be readily identified from the information, which was directly concerned with his activities and the criminal case against him. It was used to inform the decisions affecting him. It influenced the decision to initiate proceedings and had been used at his criminal trial.
[11] Fourthly, in any event, the information had formed part of the criminal investigation and had correctly been determined to be exempt from disclosure under section 34(1)(c) of the 2002 Act.
Decision
[12] This appeal appears to be substantially academic. The request made by the appellant was for “the comprehensive list of the CCTV” recovered as part of the police investigation. After his request under the 2002 Act had been refused on the basis that the information was personal data, and thus exempt from disclosure under section 38(1)(a) of that Act, the appellant made a subject access request for the same information under section 7 of the DPA. He obtained that information in the form of an extensive list of CCTV images, although he maintains that it is not complete. The response to the subject access request was not, however, a feature of the decision of the first respondent which is appealed. In these circumstances, the appellant is entitled to a decision on this appeal (cf Beggs v Scottish Information Commissioner 2015 SC 520).
[13] The short point in the appeal remains one of whether the list of CCTV, that presumably being a list of CCTV images recovered, the camera locations and the times of the recordings, constituted personal data. In terms of section 1(1) of the DPA, such data is data “which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of ... the data controller”.
[14] The first respondents’ decision explains why, on the facts, she regarded the information as personal data. It was information specifically requested in the context of the investigation into the appellant. It would be straightforward for a person with a reasonable awareness of the appellant’s case to conclude that it had been ingathered in relation to his activities; that is to say, he could be identified as the subject-matter of the information. It was, in any event, information relating to him. There is no identifiable error of law in the first respondent’s conclusion of fact that the data was exempt because it was personal data relating to the appellant.
[15] It is important in this context that personal data continues to be controlled by the DPA, rather than the 2002 Act, so that there is appropriate protection of the right to privacy. Of course, if data relates to the applicant, he may be able to obtain it by means of a subject access request under the DPA regime. This appeal is essentially an application to this court to review an assessment of fact made by the first respondent. The court is not satisfied that there is a point of law to be considered. If the appellant is dissatisfied with the DPA response to his subject access request, then he may, of course, have alternative remedies available to pursue that matter.
[16] Finally, on the face of it, it is also the case that section 34(1)(c) may be applicable to the present circumstances. However, as that matter was not considered by the first respondent, the court will reserve its position.
[17] This appeal is refused.