The Scottish Information Commissioner - It's Public Knowledge
Share this Page
Tweet this page:
Text Size Icon

- Text Size Up | Down

Decision 152/2015: Mr B and Lothian Health Board

Specialist assessment

Reference No: 201500838
Decision Date: 30 September 2015

Summary

On 21 January 2015, Mr Basked Lothian Health Board (NHS Lothian) for information relating to a named doctor, in the context of a particular specialist assessment.

NHS Lothian refused to provide the information, claiming it was personal data. Following a review, Mr B remained dissatisfied and applied to the Commissioner for a decision.

The Commissioner investigated and found that NHS Lothian had properly responded to Mr B's request for information in accordance with Part 1 of FOISA. She was satisfied that the information was personal data, which NHS Lothian was entitled to withhold under section 38(1)(a) and (b) of FOISA.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (6) (General entitlement) 2(1)(a) and (2)(e) (Effect of exemptions); 38(1)(a) and (b), (2)(a)(i), (2)(b) and (5) (definitions of "data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA) sections 1(1) (Basic interpretative provisions) (definition of "personal data"); Schedule 1 (The data protection principles, Part 1 - the principles) (the first data protection principle); Schedule 2 (Conditions relevant for purposes of the first principle: processing of any personal data) (condition 6)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 21 January 2015, Mr B made a request for information to NHS Lothian. He sought information relating to a specialist assessment, specifically correspondence that had passed between HMP Glenochil and NHS Lothian relating to this assessment and whether the named doctor met the criteria to conduct the assessment.

2. NHS Lothian responded on 25 February 2015. It withheld information, quoting section 38(1)(d) of FOISA.

3. On 2 March 2015, Mr B wrote to NHS Lothian requesting a review of its decision on the basis that he did not accept the application of section 38(1)(d).

4. NHS Lothian notified Mr B of the outcome of its review on 27 March 2015. NHS Lothian accepted that section 38(1)(d) did not apply, but instead sought to rely on sections 38(1)(a) and 38(1)(b) of FOISA.

5. On 6 May 2015, Mr B wrote to the Commissioner. He applied to the Commissioner for a decision in terms of section 47(1) of FOISA. Mr B did not accept that section 38 of FOISA had been applied correctly.

Investigation

6. The application was accepted as valid. The Commissioner confirmed that Mr B made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to her for a decision.

7. On 21 May 2015, NHS Lothian was notified in writing that Mr B had made a valid application. The case was allocated to an investigating officer.

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. NHS Lothian was invited to comment on this application and answer specific questions, focusing on its application of section 38 of FOISA.

Commissioner's analysis and findings

9. In coming to a decision on this matter, the Commissioner considered all of the relevant submissions, or parts of submissions, made to her by both Mr Band NHS Lothian. She is satisfied that no matter of relevance has been overlooked.

Section 38(1)(a) of FOISA

10. Mr B's request fell into two categories. The first element of his request sought confirmation whether the named doctor was contacted by HMP Glenochil during June or July 2014 and, if so, the correspondence relating to this.

11. NHS Lothian sought to rely on section 38(1)(a) in relation to this information. NHS Lothian explained that the information would only be contained within the medical file of the individual to whom the specialist assessment related. In this case, that was Mr Robertson.

12. Section 38(1)(a) of FOISA contains an absolute exemption in relation to personal data of which the applicant is the data subject. The fact that it is absolute means that it is not subject to the public interest test in section 2(1)(b) of FOISA.

13. This exemption exists under FOISA because individuals have a separate right to make a request for their own personal data (commonly known as a "subject access request") under section 7 of the DPA. The DPA will therefore usually determine whether a person has a right to their own personal data, and govern the exercise of that right. Section 38(1)(a) of FOISA does not deny individuals a right to access to information about themselves, but ensures that the right is exercised under the DPA and not under FOISA.

14. "Personal data" are defined in section 1(1) of the DPA as data which relate to a living individual who can be identified:

(i) From those data, or

(ii) From those data and other information which is in the possession of, or is likely to come into the possession of, the data controller (the full definition is set out in Appendix 1).

15. Given the explanations provided by NHS Lothian, the Commissioner is satisfied that the information covered by this part of the request can only be Mr B's own personal data. NHS Lothian was therefore correct to withhold the information under section 38(1)(a) of FOISA.

Section 38(1)(b) of FOISA

16. NHS Lothian sought to rely on section 38(1)(b) of FOISA in relation to the remainder of Mr B's request. This related to the qualifications of the named doctor, which NHS Lothian stated could only be accessed through the individual's personnel file.

17. In order to rely on this exemption, NHS Lothian must show that the information being withheld is personal data for the purposes of the DPA and that its disclosure into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles to be found in Schedule 1 to the DPA.

Is the information under consideration personal data?

18. The definition of personal data is set out in the paragraphs above. The Commissioner is satisfied that the information requested comprises personal data, in line with part a) of the definition in section 1(1) of the DPA. A living individual (i.e. the named doctor) can be identified from the information. Given that Mr B is seeking confirmation of the named individual's qualifications, the Commissioner is satisfied that the data relate to them.

Would disclosure of the personal data contravene the first data protection principle?

19. NHS Lothian argued that making this information available would breach the first data protection principle. This states that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met. The processing in this case would be making the information publicly available in response to Mr B's request.

20. If the data were sensitive personal data, as defined in section 2 of the DPA, a condition in Schedule 3 to the DPA would also need to be met. In this case, the Commissioner is satisfied that the data under consideration are not sensitive personal data.

Can any of the conditions in schedule 2 be met?

21. When considering the conditions in Schedule 2, the Commissioner has noted Lord Hope's comment in the case of Common Services Agency v Scottish Information Commissioner [2008] UKHL 47[1], that the conditions require careful treatment in the context of a request for information under FOISA, given that they were not designed to facilitate the release of information, but rather to protect personal data from being processed in a way that might prejudice the rights, freedoms or legitimate interests of the data subject (i.e. the person or persons to whom the data relate).

22. It appears to the Commissioner that condition 6 in Schedule 2 is the only one which might permit disclosure to Mr B.

23. Condition 6 allows personal data to be processed if that processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

24. There are, therefore, a number of tests which must be met before condition 6 can apply. These are:

(i) Does Mr B have a legitimate interest in obtaining the personal data?

(ii) If so, is the disclosure necessary to achieve those legitimate interests? In other words, is disclosure proportionate as a means and fairly balances as to ends, or could these legitimate interests be achieved by means which interfere less with the privacy of the data subject?

(iii) Even if disclosure is necessary for those purposes, would it nevertheless be unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subject? As noted by Lord Hope in the above judgement, there is no presumption in favour of disclosure of personal data under the general obligation laid down in FOISA. The legitimate interests of Mr B must outweigh the rights and freedoms or legitimate interest of the data subject before condition 6 will permit the personal data to be disclosed.

Does Mr B have a legitimate interest in obtaining the personal data?

25. There is no definition in the DPA of what constitutes a "legitimate interest." The Commissioner takes the view that the term indicates that matters in which an individual properly has an interest should be distinguished from matters about which he or she is simply inquisitive. The Commissioner's guidance on section 38 of FOISA[2] states:

In some cases, the legitimate interest might be personal to the applicant - e.g. he or she might want the information in order to bring legal proceedings. With most requests, however, there are likely to be wider legitimate interests, such as the scrutiny of the actions of public bodies or public safety.

26. NHS Lothian did not identify any legitimate interests on Mr B's part. Mr B provided some comments on why he was seeking the information.

27. In the Commissioner's view, Mr B has a legitimate interest in obtaining the information. The information relates to a tender exercise carried out by the Scottish Prison Service to appoint a suitably qualified professional to carry out a specialist assessment of Mr B. Clearly, this is a matter of considerable interest and concern to Mr B.

Is disclosure necessary to achieve those legitimate interests?

28. Having concluded that Mr B has a legitimate interest in obtaining the personal data under consideration, the Commissioner must now consider whether disclosure of the personal data is necessary to achieve those legitimate aims. In doing so, she must consider whether these interests might reasonably be met by any alternative means.

29. Having considered the submissions, the Commissioner cannot identify any other viable means of meeting Mr B's interests which would interfere less with the privacy of the data subject than providing the withheld personal data. For this reason, the Commissioner is satisfied that disclosure of the information is necessary for the purposes of Mr B's legitimate interests.

Would disclosure cause unwarranted prejudice to the rights and freedoms of legitimate interests of the data subject?

30. The Commissioner is satisfied that disclosure of the withheld personal data is necessary to fulfil Mr B's legitimate interests, but must now consider whether that disclosure would still cause unwarranted prejudice to the rights and freedoms or legitimate interests of the data subject. As noted above, this involves a balancing exercise between the legitimate interests of Mr B and those of the data subject. Only if the legitimate interests of Mr B outweigh those of the data subject can the information be disclosed without breaching the first data protection principle.

31. In the Commissioner's briefing on the personal information exemption, she notes a number of factors which should be taken into account in carrying out the balancing exercise. These include:

(i) Whether the information relates to an individual's public life (i.e. their work as a public official or employee) or their private life (i.e. their home, family , social life or finances)

(ii) The potential harm or distress that may be caused by disclosure

(iii) Whether the individual objected to the disclosure

(iv) The reasonable expectations of the individual as to whether the information should be disclosed.

32. NHS Lothian indicated that the data subject would have no expectation that their personal data would be disclosed into the public domain. NHS Lothian stated that the individual no longer worked for NHS Lothian and the information was only held by virtue of it being in their personnel file.

33. In Mr B's view, the information under consideration related to a professional in their professional practice. As the individual's identity was already known to him, he argued disclosure would be fair.

34. The Commissioner has considered all of the submissions made by Mr B and NHS Lothian when balancing the legitimate interests in this case. In this case, the Commissioner agrees with NHS Lothian that there would be no expectation of the part of the data subject that their personal data would be disclosed into the public domain. The Commissioner acknowledges that some of the information relating to the individual's professional qualifications may already be in the public domain, but information on their involvement (or potential involvement) in this specialist assessment is not publicly available.

35. The Commissioner has concluded, on balance, that disclosure would be disproportionately intrusive. She finds that disclosure would cause unwarranted prejudice to the rights, freedoms and legitimate interests of the data subject. Consequently, she finds that condition 6 in Schedule 2 to the DPA is not met.

36. For the reasons given above, the Commissioner also finds that disclosure would be unfair. In addition, since the Commissioner has found that no condition in Schedule 2 can be met, she would consider disclosure to be unlawful. It therefore follows that disclosure of the personal data under consideration would breach the first data protection principle. Accordingly, the Commissioner accepts that this information is exempt from disclosure, and that NHS Lothian was entitled to withhold it, under section 38(1)(b) of FOISA.

 Decision

The Commissioner finds that Lothian Health Board complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by Mr B.

Appeal

Should either Mr B or Lothian Health Board wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement

30 September 2015

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(6) This section is subject to sections 2, 9, 12 and 14.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(i) paragraphs (a), (c) and (d); and

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

38 Personal information

(1) Information is exempt information if it constitutes-

(a) personal data of which the applicant is the data subject;

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles;

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

Schedule 1 - The data protection principles

Part I - The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a) at least one of the conditions in Schedule 2 is met, and

Schedule 2 - Conditions relevant for purposes of the first principle: processing of any personal data

...

6. (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.


[1] http://www.publications.parliament.uk/pa/ld200708/ldjudgmt/jd080709/comm-1.htm

[2] http://www.itspublicknowledge.info/Law/FOISA-EIRsGuidance/section38/Section38.aspx

PDF IconLink to PDF file of decision 152/2015 (200 kb)

Back to Top