Request for updated information held relating to DESC

O Sayers made this Freedom of Information request to Scottish Government as part of a batch sent to 5 authorities.

Waiting for an internal review by Scottish Government of their handling of this request.

Dear Scottish Government,

It is some considerable time since I requested information relating to the DESC programme, initiated into a Pilot phase in early 2023 and I believe it is therefore reasonable to make a further request now.

I would be grateful if you could provide the following information:

In the previously provided/published DPIAs, emails and supporting documentation for the DESC service, you or your partners provided information which indicated that personal data would be processed only within the United Kingdom in Microsoft Data Centres.

In the ICO's email to the DESC partners of 9th December 2022 they identified that use of services supported from outside of the UK would constitute an international transfer, and that the contract terms may not adhere to S.59(5) of the DPA 2018.
The ICO also indicated that they would provide written guidance to the DESC partners.

I am interested to learn what clarifications, confirmations or new information may have been received since December 2022 wrt the above specifically.

I would be grateful therefore if you could provide me with the following information:

1 - A copy of any documents, emails, analysis conducted by yourself or other DESC party, or similar information in your possession which indicates or evidences that Microsoft and Axon shall not process any personal data outside of the UK - including any transfers conducted for support purposes, or as a function of their provided software and services.

OR Conversely;

2 - A copy of any documents, emails, analysis conducted by the ICO or other party, or similar information in your possession which indicates or evidences that Microsoft and Axon may process personal data outside of the UK - or conduct transfers for support purposes or as a function of their provided software and services.

NOTE: Since only one of those conditions can logically apply I am content to receive a response to either Element 1 or 2 - not both of them.

AND

3 - A copy of any guidance or communication received from the ICO wrt the DESC programme as referred to in their letter of 9th December, or other information received from them which indicates or clarifies the legal position of the DESC programme under the Data Protection Act 2018 Part 3 specifically.

Yours faithfully,

Owen Sayers

Scottish Government

Our Reference: 202400401414
Your Reference: Freedom of Information request - Request for updated
information held relating to DESC

Dear Owen Sayers,

Thank you for your correspondence received on 27/02/2024. Your query will
be passed to the relevant area for consideration and has been given a
reference number of 202400401414. Please quote this number in all
correspondence. The Scottish Government aim to respond, where necessary,
as quickly as possible and within the stated timescale as indicated on our
website
(http://www.gov.scot/about/contact-inform...).

Yours sincerely
MiCase
Correspondence system for SG and partner agencies
The Scottish Government takes your privacy seriously. You may have written
to us because you have a question or want to make a complaint. Our privacy
notice
(https://beta.gov.scot/publications/conta...),
available on our website, sets out how we use your personal data, and your
rights when communicating with us. It is made under Article 13 of the
General Data Protection Regulation (GDPR).
********************************************************************** 
This e-mail (and any files or other attachments transmitted with it) is
intended solely for the attention of the addressee(s). Unauthorised use,
disclosure, storage, copying or distribution of any part of this e-mail is
not permitted. If you are not the intended recipient please destroy the
email, remove any copies from your system and inform the sender
immediately by return.
Communications with the Scottish Government may be monitored or recorded
in order to secure the effective operation of the system and for other
lawful purposes. The views or opinions contained within this e-mail may
not necessarily reflect those of the Scottish Government.
**********************************************************************
 

Scottish Government

1 Attachment

Please find attached a response to your correspondence.
 

Dear Fiona,

Thank you for your letter of 19th inst., I apologise for my delay in responding - I was travelling Thursday and Friday of last week.

I must admit to being surprised that only on the 15th working day after submitting my request, and a mere 5 working days prior to the point at which I should have expected a full response, only now do you wish to seek clarification.

I do recognise that this is a valid interim response and that under S.10(1)(b) the period for fulfilment of the request commences only after completion of the clarification phase; however I would seek to bring to your attention that a request for clarification under S.10(1)(b) can itself only be relied upon or invoked if the clarification request is itself a valid one under S.1(3):

"(3) If the authority—
(a) requires further information in order to identify and locate the requested information; and
(b) has told the applicant so (specifying what the requirement for further information is),
then, provided that the requirement is reasonable, the authority is not obliged to give the requested information until it has the further information."

I wish to contest the reasonableness of your request for clarification, since I believe the original request is sufficiently clear to enable you to fully respond without recourse to S.10(1)(b).

Your request for clarification states:
"In order to identify correctly identify the information that you have asked for we need some further information from you. Could you clarify please whether your request relates solely to data processed further to Part 3 of the Data Protection Act 2018, or whether your request relates also to data processed under the UK GDPR."

I respond to this as follows:

1 - In my original request I expressly refer to DESC in the request title, and then do so a further 7 times in the body text.
The DESC system only processes personal data under the terms of Part 3 of the Data Protection Act 2018 - comprising the data of victims, witnesses, suspects, offenders, and the professional identities of Police Officers and Staff whilst they are legitimately engaged in a Law Enforcement activity.

As a result, the only reason for any personal data to be held or processed within DESC is to fulfil a Law Enforcement purpose, and without that purpose no personal data (including any information relating to the system users' professional identities) would, or legally could, be contained within DESC.
As a result there is no clear basis whereby the Scottish Government should have inferred the request scope might extend to UK GDPR.

2 - In the original request, I referred to S.59(5) of the DPA 2018 as being within my specific area of interest.
S.59(5) falls within Part 3 of the legislation relating to processing conducted for Law Enforcement purposes only.
As a result there is no basis in this part of my request to reasonably infer the request scope might extend to UK GDPR.

3 - For element 3 of my original request I reiterated that I am referring to information that relates to the DPA 2018 Part 3 specifically.
As a result there is no basis in that part of my request to reasonably infer the request scope might extend to the UK GDPR.

Overall therefore, I cannot see any legitimate basis for your clarification - or why the Scottish Government would have reasonably considered any form of UK GDPR processing to at any point be in scope for this request.
The nature and scope of the requested data and the relevant legislation applicable should be reasonably obvious to any reader applying normal English language.
As a result no examination of possible UK GDPR processing should have come into your scope for consideration and I do not accept that you have a reasonable basis for this clarification under S.1(3).

This would have been a true condition even had your clarification been issued immediately after receipt, but when made on the 15th working day, and attended with an intimation that you intend to apply a full 20 working day period for the fulfilment of the request after the receipt of my response, I can only interpret this as an attempt to prevaricate and delay the process.

I wish also to raise a concern I have relating to the receipt of an essentially identical request for clarification from Police Scotland on the same date as your letter.

For clarity I sent the same broad FOISA request on 27th February to all of the DESC participants as individual requests. The reasoning for doing so is simple:

a) Each participant operates as a distinct legal entity and each has a different relationship to both the DESC system and the applicable Data Protection legislation.
b) Some of the DESC participants are legally unable to use any processor operating outside of the UK under S.73(4)(b) of the Act.
c) Others may be able to transfer data outside of the UK, but only by following a complex set of conditions and obligations laid down in S. 77 of the Act.
d) One particular DESC participant (the Scottish Government), fulfils a wholly peripheral role to the processing itself and is not a Controller, Processor, or have any other obvious applicable DPA 2018 Part 3 status.

The Scottish Government awarded the DESC contract, but has no other legal relevance under UK Data Protection law and should therefore not be reasonably expected not to play any key role in the determination of processing or adherence to the legal obligations of the other parties who do have legal obligations and individual accountability.

It was therefore both necessary and proper for each to be contacted individually, and for them to respond to the request in the context of their own individual status wrt DESC and the DPA 2018 Part 3, and disclosing the information that each may hold.

I was therefore surprised to receive two essentially identical but notionally separate responses from two individual organisations - Scottish Government and Police Scotland.
The Police Scotland request for clarification sought to apply the same clarification as yourselves, and I have written to explain its inapplicability in the same manner as laid out above.

It is however concerning to me that this almost verbatim clarification was sent on the same date as your own letter.
Whilst it is impossible for me to evidence from this alone that you are in communication with PSOS relating to my request; the nature of the clarification, the apparent specific choice of interpretation of the request being identical, the similar wording, and the date of receipt - both being on the 15th working day after receipt - are highly suggestive that this may have resulted from communication and even collaboration between the two parties.

I wish to make clear that - outside of the limited communications which may be reasonable and legitimate between you all given the multi-party nature of DESC - I do expect each participant to answer the request severally.
The different circumstances and legal obligations each of you may (or in the case of the Scottish Government may not) face under the DPA 2018 makes this paramount.

In addition, I expect you to observe and adhere to applicable UK Data Protection rules wrt the sharing of my information between the parties if and when you do have a legitimate basis to communicate.

This specific FOISA request is for the information held by the Scottish Government not for a combined agreed position or collaborative answer across the parties.
Whilst I currently have no indications that the discussions may extend beyond Scottish Government and Police Scotland, (no others have responded thus far in these terms), I do now feel it necessary to write to each of the other FOISA DESC request participants to make clear to each of them that I expect individual responses, and that any collaboration between the parties to discuss my requests or to reach a uniform collective answer would be most improper.

Whilst I cannot prevent the Scottish Government from pursuing a new 20 day timescale from my request from the receipt of this email, I am personally only willing to allow an additional 3 working days to the original timeline.
This will reasonably allow for this email exchange, taking into account my delay in responding and the weekend, during which time I am sure you shall not have done any work to progress my request.

With public holidays now fast approaching I expect this request to now fall due on or around the 4th April.
After 4th April I shall consider this request to be overdue.

Whilst you may of course elect to apply a new timeline from today's date relying on S.10(1) - resulting in a new due date of 23rd April 2024 under FOISA rules - I reserve the right to contest that delay as being illegitimate on the grounds above.

I wish to remind you at this point that the FOISA obligation of a public authority is to facilitate in the lawful disclosure of information with an overarching expectation of transparency.
At this point the actions of the Scottish Government appear to be skewed more towards seeking opportunities to prevaricate and delay a response.

Whilst I do suspect that you shall ultimately seek to refuse disclosure of my requested information on any available pretext of exemption that can be claimed, I do hope that I shall be proven wrong and that you shall fulfil this request moving forward in both the spirit and to the letter of FOISA.

If not we shall inevitably enter a long process of internal reviews and appeals to the Scottish ICO, after which time I remain confident that the information I have requested shall be provided in full, but further cost to the Scottish Taxpayer shall have been unnecessarily incurred.
I do hope you shall bear that consideration in mind in the onward fulfilment of this request.

Yours sincerely,

Owen Sayers

O Sayers left an annotation

Two responses to two different requests - this one and one to the Police Service of Scotland - containing almost verbatim clarification requests were received on exactly the same day.
Whilst it has become an established practice in Policing to consolidate FOI response units and to send conjoined or single responses to individual requests - a very poor practice indeed, and a legally questionable one - for this request the individuality of the requests is important.

Some of the participating parties in DESC may face legal penalties if they do not comply with the law.
The Scottish Government would not - but could be deeply embarrassed if it ultimately transpires that the contract they have let would facilitate or require illegal processing by the DESC partners.
In such a case the potential for unhealthy collaboration should be self-evident.

Scottish Government

1 Attachment

Please find attached a response to your correspondence.
 

Dear Scottish Government (Fiona),

Thank you for your letter of 5th inst.

I acknowledge the basis on which you chose to make the clarification request - thank you for explaining that - but still feel the clarification itself was essentially groundless.
I suspect we could discuss for some time whether an FOISA request should rest on what is actually written, or upon any specific inferences applied by the recipient - or in this case apparently through collaborative discussion of different recipients - of what the request might extend to.

I acknowledge and am grateful for your confirmation that the response from the Scottish Government shall be theirs and their alone, but do feel that actual discussion of the requests made individually to DESC participants - to the extent where this may have expanded to consider the need for clarifications across the different parties - lies somewhat beyond what the Scottish Ministers Code of Practice on the discharge of function by Scottish Public Authorities under the FOI (Scotland) Act 2002 [the Code], considers appropriate.

I don't however intend to expand that line any further presently, since it would be of little value to either of us at this time to do so, and consume valuable time unnecessarily.

I do however generally note your assertion that my request to SG for the information you hold relating to the offshoring of Microsoft services related to DESC is both complex and needed consultation across multiple parties.
Having reviewed the Code, I am still of the view that the consultation was not strictly necessary and might even have been contra-indicated due to the close long term collaboration on DESC itself, and previous FOI requests made.

I do nonetheless recognise that it is within the Scottish Government's power to consult with other parties where they can justify it and adhere to the code of practice, and without adversely affecting the FOISA request.
I am however disappointed that this third party consultation has in fact adversely impacted the timeline for the request fulfilment, and may well ask the Scottish ICO to consider if sufficient and appropriate consideration was given to the overarching requirement of Section 7 of the Code to ensure that statutory timelines should take precedence over any consultation.

I should also admit that I am additionally disappointed that the ongoing delay might now be partly based on your own unavailability due to annual leave and a lack of prioritisation of the request since its receipt.
An individual person's availability really ought not to have any bearing on the adherence to the legislative timeline or process.
The request was made to the Scottish Government and I do not believe the resources of the Government are such that its ability to respond should realistically be limited only to one individual.

I am however grateful for your inclusion of the text from the ICO received on 2nd April.
Since this data is after the period of my FOISA request, and thus is not covered by it, I assume this is not part of the response.

As a result I feel I can comment on the content to the extent that I am most surprised by it, the significant omissions of other Sections from S.73-S77 which have direct bearing on DESC participants, and that I cannot fathom why the ICO would suggest adoption or application of SCCs written under the terms of the UK GDPR for a Part 3 requirement - which as you know has its roots in a wholly different EU Directive and quite a different scope.

I shall write to the ICO directly to ask them for a copy of the letter and the diligence information which informed its creation. Thank you for bringing this to my attention to enable me to do so, I am indeed grateful.

In the meantime I await the Scottish Government's ultimate response to the FOI request, after receipt of which I shall determine the next steps I wish to take.

Yours sincerely,

Owen

Owen Sayers

Scottish Government

1 Attachment

Please find attached a response to your correspondence.
 

Dear Scottish Government (Ms Cameron),

Thank you for your email of 23rd inst.

Given the long delays in handling this request, and the emails to and fro thus far, I regret I cannot accept your determination that you are awaiting further consultation outputs prior to responding to this request as a valid basis not to respond to it fully.

My initial request of 27th February has already been delayed as a result of your clarification, upon which I have already commented, and even taking the clock reset initiated under this step into account I should have received a full response to my request under the Act by 23rd April.

The S.60 Code of Practice (Para 7.4.1) is clear that:
"Meeting the statutory deadline for responding to a request must always take priority over consulting third parties.
This will often mean that an authority can only allow third parties a short time to respond; this time should not be extended if that will prevent authorities responding on time.
If the authority does not identify the need to consult third parties until near the deadline, instead of consulting, they should just notify third parties at the same time as they respond to the applicant."

The statutory timeline has not been met, and the grounds for this (i.e. continued consultation before you can consider the request), are contrary to the expectations of the Code of Practice.

I therefore believe it is not unreasonable that I ask you to provide me with your formal FOISA response within 1 working day of your receipt of this email, or initiate the Scottish Government internal review process for the handling of this request in its entirety.

Some of the DESC participants have met their individual FOISA obligations and have now responded.
I regrettably feel however that it is only through the use of such mechanisms of escalation as are available to me under the Act that I shall achieve closure of the remaining requests from those parties yet to fulfil their statutory responsibilities.

Yours faithfully,

Owen Sayers

Scottish Government

1 Attachment

Please find attached a response to your correspondence.
 

Dear Scottish Government,

Please pass this on to the person who conducts Freedom of Information reviews.

I am writing to request an internal review of Scottish Government's handling of my FOISA request 'Request for updated information held relating to DESC'.

The basis of my request is two-fold:

FIRSTLY that the request took an unfeasibly and unacceptably long time to receive a response.
The request being made on 27th February 2024 ought to have been responded to by 26th March (based on the SICO on-line calculator).
A late request for clarification - which was itself made on a dubious basis (see correspondence for details of this) was lodged on 19th March, and responded to on 25th March.
This had the effect of resetting the clock for FOISA fulfilment to 23rd April.
On 23rd April I received another holding response, and it was only after I challenged this and required SG to provide me with a final response that this was received on 26th April.

I would like you to specifically consider the following in this area:

1 - The overall time taken for fulfilment of this request, including the periods of handling delay which appear to have been specifically linked to a single individual taking leave.
I do not believe it is right and proper that a statutory timeline for FOISA response should operate under the weight of a single respondent's availability, and whilst I fully accept that the respondent wished to retain control over the request and quite likely also how it was answered, I find it hardly credible that the entirety of the resources available to the Scottish Government made this necessary.
On the contrary, I am deeply surprised that the programme manager of the application was herself allowed to fully handle the FOISA request and determine the applicability (or otherwise) of FOISA exemptions.

I would have expected this activity to have been undertaken by an Information Management and FOISA specialist from within the Scottish Government. Fulfilment of FOISA requests by any other means invites both misuse and misapplication of the FOISA terms and potential for sanction of the Government for poor FOISA handling.

2 - The Scottish Ministers code of practice on the handling of FOI requests, with specific regard to the interactions of the Scottish Government respondent and the other DESC partners (Section 7 of the Code), appears on the face of it not to have been well complied with.
Section 7.2.2 requires that a consultation is necessary, and it is not clear that this 'necessity' has been in any way evidenced in the FOISA response.
Whilst I fully accept that it was convenient to discuss the request (which of their own volition the SG respondent has made clear was done), I would like your review to establish evidence to your satisfaction that this consultation was indeed NECESSARY.
Section 7.3 lays out circumstances where a consultation is contra-indicated, one of which being where the positions of 3rd parties wrt disclosure is already known.
I believe this to have been the case for DESC partners already, and thus I question why a consultation on impact of release was required, other than to potentially develop a "common position" on the responses.

I cannot at this point fail to consider that to have been a likely objective, since I received two essentially identical requests for clarification from PSoS and SG on the same date after these meetings had been held. That is hard to write off as a mere coincidence.

Section 7.4 is clear that consultations must not in any event delay a FOISA response:
"Meeting the statutory deadline for responding to a request must always take priority over consulting third parties. This will often mean that an authority can only allow third parties a short time to respond; this time should not be extended if that will prevent authorities responding on time. If the authority does not identify the need to consult third parties until near the deadline, instead of consulting, they should just notify third parties at the same time as they respond to the applicant."

In this case, the discussions appear to have contributed to the protracted delay in responses being made, achieving the polar opposite of the requirements of the code wrt 3rd party consultations.
Even on 23rd April, the SG respondent sought to continue to apply more time to the FOISA request to await information from a 3rd party.
S.7.7.1 of the code is clear that - "The fact that the third party has not responded to consultation does not relieve the public authority of its duty to make information available, or its duty to reply within the statutory timescales."
Since the code is explicit that consultation with a third party must never be used as basis for, or result in, delay to a statutory timescale for responses, I wish to understand why this was not properly considered, or has failed to be respected by the respondent in this case.

SECONDLY, in the final response of 26th April, I believe the respondent seeks to rely on exemptions which may have no sound basis, and that in doing so the SG respondent has also made no effort to explain the basis of the exemptions and the specific nature of information to which they have been applied.
As a result I believe they have failed in their obligation under S.15 of the Act to assist in the re-definition of a request to enable release of information.

I cannot fail to identify here once again that the mechanism applied within SG for this case - i.e. that the Programme Manager was permitted to fully handle the request without clear involvement of a FOISA specialist - may have contributed to that outcome.

My argument for mis-application of the FOISA exemptions is as follows:

In the response of 36th April, the SG respondent has confirmed that as of the date of my request there was no information held for Element 3 - communications with the ICO.
I fully accept that statement.

With respect to the other two elements - which are an either/or question as follows:

" 1. A copy of any documents, emails, analysis conducted by yourself or other DESC party, or similar information in your possession which indicates or evidences that Microsoft and Axon shall not process any personal data outside of the UK - including any transfers conducted for support purposes, or as a function of their provided software and services.
OR Conversely;
2. A copy of any documents, emails, analysis conducted by the ICO or other party, or similar information in your possession which indicates or evidences that Microsoft and Axon may process personal data outside of the UK - or conduct transfers for support purposes or as a function of their provided software and services."

The SG respondent has attached a position paper on considerations of US legislation, and of GDPR.
This has no direct bearing on my request, other than to demonstrate that the DESC ROG are in fact applying consideration of the wrong UK Data Protection legislation (GDPR) to a Law Enforcement Processing requirement (Data Protection Act 2018 Part 3).
Whilst this is not a position unique to SG or DESC, and confirms evidence obtained previously to this effect, it falls far short of being information directly relevant to my request.

For the totality of the remainder of possible information that might be disclosable, and which I have good reason to believe from previous FOISA requests may run into many hundreds of documents, emails and other materials, the SG respondent has sought to apply 2 (two) exemptions (S.36(1) and S.33(1)) in a wide ranging and potentially blanket fashion.

S.36(1) Exemption:
There is no indication as to what information the S.36(1) exemption has been applied to, other than the following statement:
"An exemption under section 36(1) of FOISA applies to some of the information you have requested. This exemption is subject to the ‘public interest test’. Therefore, taking account of all the circumstances of this case, we have considered if the public interest in disclosing the information outweighs the public interest in applying the exemption."

I do fully expect that SOME of the totality of the potential information releasable in response to this request may well have a justifiable requirement to maintain confidentiality.
It cannot however be applied in a blanket fashion as this text appears to indicate may have been the case.

If there is information justifiably exempt on the grounds of confidentiality, and which viably passes a public interest test, I do not expect it to be released; however in this case I believe this exemption has been misapplied and would be grateful if you would:
a) examine the information to which the respondent has applied this blanket exemption and
b) provide me with an indication of exactly how much of it is exemptable, and/or the basis on which it must all be considered confidential.

Section 33(1) Exemption:
The SG respondent has indicated that:
"An exemption under section 33(1)(b) of FOISA applies to some of the information you have requested. This exemption is subject to the ‘public interest test’. Therefore, taking account of all the circumstances of this case, we have considered if the public interest in disclosing the information outweighs the public interest in applying the exemption.
Section 33(1)(b) applies if disclosure would, or would be likely to, prejudice substantially the commercial interests of any person. “Person” includes a public authority, company and partnership, in this case Axon Public Safety (UK) Ltd and the wider Axon company group.
We recognise that there is some public interest in release because disclosure could contribute to ensuring the Scottish Government is effectively discharging its responsibilities as a data controller in relation to the Data Protection Act 2018. However, in this case, this is outweighed by the public interest in maintaining a robust and fair public procurement process."

Once again I note the use of the term 'some', and acknowledge my understanding that some of the information may well be commercially sensitive to the extent that the exemption is valid. I do not however believe that this will extend to very much of the totality of information held, and transparency of commercial dealings of the Government has further reduced the basis on which a confidentiality of this type can be applied.

I note that the Code does make clear (S.7) that "Authorities should ensure that third parties which supply them with information are aware of the authority’s duty to comply with the regimes and that information will have to be disclosed upon request unless an exemption under FOISA or an exception under the EIRs applies. For example, tenderers must be aware of authorities’ duties under the regimes and the process of answering requests in advance of any requests being received."

I therefore submit that any vendor to the Scottish Government should expect that - overall - there is an obligation to disclose information, and that only material which is genuinely commercially sensitive (such as IPR) is reasonably withholdable.

I therefore wish to challenge the bases applied for public interest tests to this exemption, viz. that the interests of future procurements or the commercial position of a supplier should be placed above disclosure of information which would confirm (or otherwise) to the public that the Scottish Government and its suppliers and partners are processing personal data of Scottish Citizens in compliance with the terms of the Data Protection Act 2018.

The level of public interest in the legal and lawful operation of the Government must - I submit - take precedence over the commercial interests of a supplier. If they do not, the Scottish Government opens itself to the potential insinuation that it is hiding material it would simply rather not disclose due to the optics of its release.

A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.whatdotheyknow.com/request/r...

This should provide sufficient information to assist you in your determinations, and should you require any further information please do not hesitate to let me know.

Yours faithfully,

Owen Sayers

Scottish Government

Our Reference: 202400417098

Dear Owen Sayers,

Thank you for your correspondence sent on 03/06/2024. Your query will be
passed to the relevant area for consideration and has been given a
reference number of 202400417098. Please quote this number in all
correspondence. The Scottish Government aim to respond, where necessary,
as quickly as possible and within the stated timescale as indicated on our
website
(http://www.gov.scot/about/contact-inform...).

Yours sincerely
MiCase
Correspondence system for SG and partner agencies
The Scottish Government takes your privacy seriously. You may have written
to us because you have a question or want to make a complaint. Our privacy
notice
(https://beta.gov.scot/publications/conta...),
available on our website, sets out how we use your personal data, and your
rights when communicating with us. It is made under Article 13 of the
General Data Protection Regulation (GDPR).
********************************************************************** 
This e-mail (and any files or other attachments transmitted with it) is
intended solely for the attention of the addressee(s). Unauthorised use,
disclosure, storage, copying or distribution of any part of this e-mail is
not permitted. If you are not the intended recipient please destroy the
email, remove any copies from your system and inform the sender
immediately by return.
Communications with the Scottish Government may be monitored or recorded
in order to secure the effective operation of the system and for other
lawful purposes. The views or opinions contained within this e-mail may
not necessarily reflect those of the Scottish Government.
**********************************************************************
 

Scottish Government

1 Attachment

Please find attached a response to your correspondence. I apologise for
the delay in replying.