Decision 126/2021: Number of staff with data protection qualifications

Public authority: Tayside Health Board
Case Ref: 202100295


NHS Tayside was asked how many of its employees, for the last six years, held a data protection qualification. NHS Tayside considered that extracting the information for the request would cost more than £600 and, therefore, it was not obliged to comply with the request. The Commissioner agreed.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (4) and (6) (General entitlement); 12(1) (Excessive cost of compliance); 15 (Duty to provide advice and assistance)

The Freedom of Information (Fees for Required Disclosure) (Scotland) Regulations 2004 (the Fees Regulations) regulations 3 (Projected costs) and 5 (Excessive cost - prescribed amount)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.


1. On 28 January 2021, the Applicant made a request for information to Tayside Health Board (NHS Tayside). He asked for the number of people employed by NHS Tayside for the past six years and how many of these employees hold a qualification in data protection.

2. NHS Tayside responded on 3 February 2021. It supplied the number of employees for each of the last six years. For the rest of the information (number of employees with a qualification in data protection), NHS Tayside explained that it did not hold information on staff qualifications in a central record. Any qualifications held by staff that NHS Tayside was informed of would be held within individual staff records. To collate this information would involve a review of the records of all staff in the period specified, followed by manual collation and analysis of the resultant figures. This exercise would require the allocation of resources that NHS Tayside said it did not have, and to comply with the request would also result in excessive cost.

3. The Applicant wrote to NHS Tayside on the same day, requesting a review of its decision. In his view, NHS Tayside, being subject to data protection legislation, should be able to tell him how many of its staff members hold data protection qualifications. He argued that the information should be held centrally and not in the personnel files of individual staff members.

4. NHS Tayside notified the Applicant of the outcome of its review on 3 March 2021. NHS Tayside stated that it did not hold the information on the number of employees with a data protection qualification in a central register and to collate and provide the information would exceed the limit of £600 set by FOISA. NHS Tayside explained that there were likely to be staff who hold such qualifications, but who have not undertaken the training in respect of a work-related capacity (e.g. self-development of staff wanting to move into data protection and undertaking study themselves to facilitate that). In order to provide the information, NHS Tayside said it would have to check with every individual member of staff to see if they hold any qualifications of this nature. This action in itself would exceed the cost limit in retrieving and compiling this information.

5. On the same day, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. The Applicant stated he was dissatisfied with the outcome of NHS Tayside's review. He believed that NHS Tayside was attempting to conceal the fact that it had no suitably qualified staff within the team responsible for information governance.


6. The application was accepted as valid. The Commissioner confirmed that the Applicant made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

7. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. NHS Tayside was invited to comment on this application and to answer specific questions on how it had assessed that to respond to the request would exceed the limit imposed by section 12 of FOISA.

Commissioner's analysis and findings

8. In coming to a decision on this matter, the Commissioner considered all the relevant submissions, or parts of submissions, made to him by both the Applicant and NHS Tayside. He is satisfied that no matter of relevance has been overlooked.

Section 12(1) - Excessive cost of compliance

9. Section 12(1) of FOISA provides that a Scottish public authority is not obliged to comply with a request for information where the estimated cost of doing so would exceed the amount prescribed in the Fees Regulations. This amount is currently set at £600 (regulation 5). Consequently, the Commissioner has no power to require an authority to disclose information should he find that the cost of responding to a request for information would exceed that sum.

10. The projected costs the authority can take into account in relation to a request for information are, according to regulation 3 of the Fees Regulations, the total costs, whether direct or indirect, which the authority reasonably estimates it is likely to incur in locating, retrieving and providing the information requested in accordance with Part 1 of FOISA.

11. The authority may not charge for the cost of determining whether it:

(i) actually holds the information requested or

(ii) should provide the information.

12. The maximum rate a Scottish public authority can charge for staff time is £15 per hour.

Submissions from NHS Tayside

13. NHS Tayside was asked how it had estimated the cost of complying with the Applicant's request would exceed the £600 statutory limit.

14. NHS Tayside said that it has approximately 12,000 staff and that it does not hold a central database listing the qualifications of each individual staff member. To collate this information, NHS Tayside would need to consult the individual Human Resources record of approximately 12,000 staff. At an estimated time of five minutes a record, to do so would, according to NHS Tayside, cost £15,000 to review and collate this information.

15. However, NHS Tayside was concerned that, even if it undertook this exercise, the fact that a staff member may hold such a qualification might not be recorded on their record. Therefore, a further exercise, asking all staff to disclose such qualifications would have to be undertaken to ensure the information was accurate and robust. This would result in further unquantifiable time and cost to NHS Tayside, assuming all staff consented to disclosing this information if it were not relevant to their role.

Submissions from the Applicant

16. As stated above, the Applicant believed that section 12 did not apply. His reasons were that he thought this section was being used by NHS Tayside without justification.

17. The Applicant submitted that NHS Tayside should have the information available on request in line with data protection legislation and good information governance, particularly given that it is a publicly funded body.

The Commissioner's findings

18. The Commissioner is satisfied that NHS Tayside has taken a reasonable interpretation of the Applicant's request. He also accepts that the cost of complying with the request would exceed £600. He therefore finds, in line with section 12(1) of FOISA, that NHS Tayside was not obliged to comply with this request.

19. Although not specified exactly, a qualification in Data Protection would be information that showed that a staff member had undertaken some form of study or course that entitled the person to be regarded as qualified in some aspect of the law relating to Data Protection. This would be the ordinary and reasonable meaning of the request.

20. The Commissioner accepts as accurate and reasonable NHS Tayside's description of how it would locate information about such qualifications and agrees that it would most likely be held within the personnel file of a member of staff. It would have been unwarranted, given the breadth of the request, for NHS Tayside to have restricted the scope of its searches to the personnel folders of certain staff (e.g. those involved in information governance). It is very possible that other staff within the authority could hold what could be regarded as a qualification in data protection.

21. As NHS Tayside commented, it is possible that staff may hold a data protection qualification but that the qualification is not recorded in the staff member's personnel file. To the extent that this information is held by NHS Tayside (and it may not be), this would require NHS Tayside to carry out searches beyond the personnel files.

22. In the absence of a centralised database with qualifications of staff, especially one that is searchable, the Commissioner accepts that the only way to obtain the information is to search within the recorded qualifications of all the staff to assess how many hold a qualification in data protection. To do so for a public authority with staff numbers such as NHS Tayside would certainly exceed the statutory limit in section 12 of FOISA.

23. The Applicant suggested that he should be able to obtain a blueprint of NHS Tayside's data protection structure and accountable people. This may well be a justified expectation, but this is not what the Applicant's request was for.

24. Therefore, taking account of all the above circumstances, including the extent of the request and how the authority holds the information, the Commissioner is satisfied, on the balance of probabilities, that the cost of complying with the Applicant's request would exceed £600 and, in line with section 12(1) of FOISA, that NHS Tayside was not obliged to comply with the request.

Section 15 - Duty to advise and assist

25. Section 15(1) requires a Scottish public authority, so far as reasonable to expect it to do so, to provide advice and assistance to a person who has made, or proposes to make, a request for information to it. Section 15(2) states that a Scottish public authority which, in relation to the provision of advice and assistance in any case, conforms to the Scottish Ministers' Code of Practice on the discharge of functions by Scottish public authorities under FOISA and the Environmental Information (Scotland) Regulations 2004 (the Section 60 Code), is taken to comply with the duty to provide reasonable advice and assistance in section 15(1).

26. The Section 60 Code provides guidance to Scottish public authorities on the practice which Scottish Ministers consider desirable for authorities to follow in connection with the discharge of their functions under FOISA. The Section 60 Code provides (at 9.4.3)[1]:

"When refusing a request on cost grounds, it is good practice for the authority's response to provide clear advice on how the applicant could submit a new, narrower request within the cost limit. In giving advice you may wish to take account of how much the cost limit has been exceeded. Any narrowed request would be a separate new request and should be responded to accordingly."

27. When asked how it had advised and assisted the Applicant, NHS Tayside replied that at the time of making this request and before, the Applicant had already submitted a number of other information requests. NHS Tayside said that the Applicant regularly contacted members of the Information Governance team and they had attempted to advise and assist the Applicant. NHS Tayside said that, during a call about this request, it had explained that this particular request was very broad and would benefit from being refined to cover a smaller part of the employee pool of NHS Tayside. A subsequent request was received from the Applicant requesting the same information for one specific team, which NHS Tayside said it had answered. However, this original request was not withdrawn.

28. The Commissioner acknowledges that NHS Tayside assisted the Applicant. Whilst it would be better to have stated explicitly in its response or review that a refined request may fall within the cost limit of FOISA, it would appear that the Applicant was aware or was made aware of this fact.

29. In the circumstances, the Commissioner accepts that the advice and assistance in NHS Tayside's review response was sufficient to discharge its obligation under section 15 of FOISA.


The Commissioner finds that Tayside Health Board (NHS Tayside) complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by the Applicant.


Should either the Applicant or NHS Tayside wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement
25 August 2021

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(4) The information to be given by the authority is that held by it at the time the request is received, except that, subject to subsection (5), any amendment or deletion which would have been made, regardless of the receipt of the request, between that time and the time it gives the information may be made before the information is given.

(6) This section is subject to sections 2, 9, 12 and 14.

12 Excessive cost of compliance

(1) Section 1(1) does not oblige a Scottish public authority to comply with a request for information if the authority estimates that the cost of complying with the request would exceed such amount as may be prescribed in regulations made by the Scottish Ministers; and different amounts may be so prescribed in relation to different cases.

15 Duty to provide advice and assistance

(1) A Scottish public authority must, so far as it is reasonable to expect it to do so, provide advice and assistance to a person who proposes to make, or has made, a request for information to it.

(2) A Scottish public authority which, in relation to the provision of advice or assistance in any case, conforms with the code of practice issued under section 60 is, as respects that case, to be taken to comply with the duty imposed by subsection (1).

Freedom of Information (Fees for Required Disclosure) (Scotland) Regulations 2004

3 Projected costs

(1) In these Regulations, "projected costs" in relation to a request for information means the total costs, whether direct or indirect, which a Scottish public authority reasonably estimates in accordance with this regulation that it is likely to incur in locating, retrieving and providing such information in accordance with the Act.

(2) In estimating projected costs-

(a) no account shall be taken of costs incurred in determining-

(i) whether the authority holds the information specified in the request; or

(ii) whether the person seeking the information is entitled to receive the requested information or, if not so entitled, should nevertheless be provided with it or should be refused it; and

(b) any estimate of the cost of staff time in locating, retrieving or providing the information shall not exceed £15 per hour per member of staff.

5 Excessive cost - prescribed amount

The amount prescribed for the purposes of section 12(1) of the Act (excessive cost of compliance) is £600.
