Decision 186/2021: Independent inquiry into NHS Tayside mental health services

Public authority: Scottish Ministers
Case Ref: 202100517

Summary

The Ministers were asked for all correspondence between NHS Tayside, NHS Scotland and the Scottish Government on the commissioning of the 2018 Independent Inquiry into NHS Tayside Mental Health services.

The Ministers provided copies of the correspondence with personal data redacted but, during the Commissioner's investigation, they disclosed most of the personal data to the Applicant.

The Commissioner investigated and found that the Ministers had partially breached FOISA in responding to the request. This was because they withheld information which they later disclosed.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (4) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(b), (2A)(a), (5) (definitions of "the data protection principles", "data subject", "personal data", "processing" and "the UK GDPR") and (5A) (Personal information)

United Kingdom General Data Protection Regulation (the UK GDPR) Articles 4(1) (Definitions); 5(1)(a) (Principles relating to processing of personal data); 6(1)(f) (Lawfulness of processing)

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (5), (10) and (14)(a), (c) and (d) (Terms relating to the processing of personal data)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 16 February 2021, the Applicant made a request for information to the Scottish Ministers (the Ministers). The information requested was copies of all correspondence between NHS Tayside, NHS Scotland and the Scottish Government on the matters pertaining to the commissioning of the 2018 Independent Inquiry into NHS Tayside Mental Health services.

2. The Ministers responded on 16 March 2021. They provided the Applicant with the correspondence, but with some information redacted as it was either outwith the scope of his request or comprised personal data which they considered to be exempt from disclosure under section 38 of FOISA.

3. On 18 March 2021, the Applicant wrote to Ministers requesting a review of their decision on the basis that he needed access to the redacted names. He argued that it was in the public interest that public funded or public sector staff were named.

4. The Ministers notified the Applicant of the outcome of their review on 14 April 2021. They confirmed that they had withheld staff names under section 38(1)(b) of FOISA, and they explained that the names of junior staff were protected by data protection legislation. The Ministers provided the Applicant with the names of four senior members of staff that they had originally withheld.

5. On 22 April 2021, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA. The Applicant stated he was dissatisfied with the outcome of the Ministers' review because he wanted all of the information contained in the correspondence, including all public sector or contractor staff names.

Investigation

6. The application was accepted as valid. The Commissioner confirmed that the Applicant made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to him for a decision.

7. On 6 May 2021, the Ministers were notified in writing that the Applicant had made a valid application. The Ministers were asked to send the Commissioner the information withheld from the Applicant. The Ministers provided the information and the case was allocated to an investigating officer.

8. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. The Ministers were invited to comment on this application and to answer specific questions. These related to its reasons for withholding staff names under section 38(1)(b) of FOISA.

Commissioner's analysis and findings

9. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to him by both the Applicant and the Ministers. He is satisfied that no matter of relevance has been overlooked.

Information disclosed during the investigation

10. During the investigation, the Ministers disclosed all of the names that had been redacted from the correspondence, apart from two individuals who they deemed to be junior members of staff without a public role or profile.

11. Section 1(1) of FOISA provides that a person who requests information from a Scottish public authority which holds it is entitled to be given that information by the authority, subject to qualifications which, by virtue of section 1(6) of FOISA, allow Scottish public authorities to withhold information or charge a fee for it. The qualifications contained in section 1(6) are not applicable in this case.

12. As the Ministers have now disclosed information to the Applicant that was originally withheld, the Commissioner must conclude that, in the absence of submissions to the contrary, the Ministers wrongly withheld some names under section 38(1)(b) of FOISA at the time of the request. Therefore, the Commissioner finds that the Ministers failed to respond to the information request in line with section 1(1) of FOISA.

Withheld information

13. The Commissioner will now consider whether the Ministers are correctly withholding the names and contact details of two junior members of staff, along with the mobile phone number of a senior member of NHS Tayside staff, under section 38(1)(b) of FOISA.

Section 38(1)(b) of FOISA

14. The Ministers are withholding the names of two members of staff, and the mobile phone number of a member of NHS Tayside staff, under section 38(1)(b) of FOISA, on the grounds that it comprises third party personal data, and its disclosure would breach the provisions of the UK GDPR.

15. Section 38(1)(b) of FOISA, read in conjunction with section 38(2A), exempts information from disclosure if it is "personal data" (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR or (where relevant) in the DPA 2018.

16. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption. This means that it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

17. To rely on the exemption in section 38(1)(b) of FOISA, the Ministers must show that the information is personal data for the purposes of the DPA 2018 and that disclosure of the information into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles in Article 5(1) of the UK GDPR.

Is the withheld information personal data?

18. The first question the Commissioner must address is whether the information withheld is personal data for the purposes of section 3(2) of the DPA 2018 - see the definition in Appendix 1.

19. The Ministers have withheld the names and contact details of two Scottish Government employees (one is now a former employee) along with the mobile phone number of an individual within NHS Tayside. Having considered the information withheld from the Applicant under section 38(1)(b), the Commissioner is satisfied that it is personal data: it relates to identified or identifiable individuals.

Would disclosure contravene one of the data protection principles?

20. The Ministers argued that disclosure of this data would breach Article 5(1)(a) of the UK GDPR, which requires personal data to be processed "lawfully, fairly and in a transparent manner in relation to the data subject". The definition of "processing" is wide and includes "disclosure by transmission, dissemination or otherwise making available" (section 3(4)(d) of the DPA 2018). In the case of FOISA, personal data are processed when disclosed in response to a request. Personal data can only be disclosed if disclosure would be both lawful (i.e. if it would meet one or more of the conditions of lawful processing listed in Article 6(1) of the UK GDPR) and fair.

21. The Commissioner will first consider whether any of the conditions in Article 6(1) can be met. The Commissioner considers condition (f) in Article 6(1) to be the only one which could potentially apply in the circumstance of this case.

Condition (f): legitimate interests

22. Condition (f) states that processing will be lawful if it "…is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject …"

23. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, section 38(5A) of FOISA (see Appendix 1) makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.

24. The tests which must be met before Article 6(1)(f) can be met are as follows:

(i) Does the Applicant have a legitimate interest in obtaining the personal data?

(ii) If so, is the disclosure of the personal data necessary to achieve that legitimate interest?

(iii) Even if the processing is necessary to achieve the legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subjects?

25. There is no presumption in favour of the disclosure of personal data under the general obligation laid down by section 1(1) of FOISA. Accordingly, the legitimate interests of the Applicant must outweigh the rights and freedoms or legitimate interests of the data subjects before condition (f) will permit the data to be disclosed. If the two are evenly balanced, the Commissioner must find that the Ministers were correct to refuse to disclose the personal data to the Applicant.

26. The Ministers submitted that they were not aware of any legitimate reason that the Applicant would have in seeing the names or contact details, nor did they accept that identifying the individuals would aid the Applicant's understanding of the matters pertaining to the commissioning of the 2018 "Independent" Inquiry into NHS Tayside Mental Health services. The Ministers noted that, even if the Applicant did have legitimate interests in this information, they did not believe these would outweigh the individuals' interests in protecting their privacy.

27. The Applicant argued that no mental health expert was appointed to run the "Independent Inquiry" and he contended that the public interest required the full names of all those involved to be disclosed. The Applicant referred to the failings of NHS Tayside Mental Health Services that led to the Inquiry being implemented and he provided background information which indicated he had a stake in ensuring that such an Inquiry would be carried out thoroughly and effectively.

28. Having considered the nature of the request and the Applicant's concerns, the Commissioner accepts that the Applicant has a legitimate interest in the individuals who were involved in the correspondence that led to the establishment of the "Independent Inquiry", and he is entitled to know whether the redactions made by the Ministers under section 38(1)(b) of FOISA are reasonable.

29. Having accepted that the Applicant has a legitimate interest in the personal data, the Commissioner must consider whether disclosure of those personal data is necessary for the Applicant's legitimate interests. In doing so, he must consider whether these interests might be reasonably be met by any alternative means.

30. The Commissioner has considered this carefully in light of the decision by the Supreme Court in South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55[1]. In this case, the Supreme Court stated (at paragraph 27):

A measure which interferes with a right protected by Community law must be the least restrictive for the achievement of a legitimate aim. Indeed, in ordinary language we would understand that a measure would not be necessary if the legitimate aim could be achieved by something less.

31. "Necessary" means "reasonably" rather than "absolutely" or "strictly" necessary. When considering whether disclosure would be necessary, public authorities should consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the requester's legitimate interests can be met by means which interfere less with the privacy of the data subject.

32. The Commissioner notes that, during the investigation, the Ministers provided the Applicant with the names of every individual who was involved in the correspondence/discussions captured by his request with the exception of the two Scottish Government employees. The Commissioner also notes that the only personal data being withheld from the Applicant is that relating to these two junior members of staff (one of whom has since left the employ of the Scottish Government) along with the mobile phone number of a senior member of NHS Tayside staff (their name and other contact details have been provided). Having reviewed the information disclosed to the Applicant in this case, the Commissioner is satisfied that the Applicant's legitimate interests have been satisfied by the provision of this information. Consequently, the Commissioner does not consider it necessary to disclose the personal data of junior employees (or the mobile phone number of a senior member of NHS Tayside staff) to satisfy the legitimate interests identified.

33. In the circumstances of this case, as the Applicant's legitimate interests have been satisfied by the information provided, the Commissioner concludes that condition (f) in Article 6(1) of the UK GDPR cannot be met in relation to the withheld personal data. Disclosure would therefore be unlawful.

Fairness and transparency

34. Given the Commissioner's finding that processing would be unlawful, he is not required to go on to consider separately whether disclosure of the personal data would otherwise be fair or transparent in relation to the data subjects.

Outcome

35. The Commissioner, therefore, finds no condition in Article 6(1) of the UK GDPR can be met and disclosure of the information requested would contravene Article 5(1)(a) of the UK GDPR. The information was therefore properly withheld under section 38(1)(b) of FOISA.

Decision

The Commissioner finds that the Scottish Ministers (the Ministers) partially complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant.

The Commissioner finds that by correctly withholding the names of two junior members of staff and the mobile phone number of a member of NHS Tayside staff, under section 38(1)(b) of FOISA, the Ministers complied with Part 1.

However, by wrongfully withholding the names and contact details of more senior staff and those with a public profile, under section 38(1)(b) of FOISA, the Ministers failed to comply with section 1(1) of FOISA.

Given that the Applicant has been provided with the information that was wrongfully withheld from him during the investigation, the Commissioner does not require the Ministers to take any action in respect of this failure in response to the Applicant's application.

Appeal

Should either the Applicant or the Ministers wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement
16 November 2021

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(4) The information to be given by the authority is that held by it at the time the request is received, except that, subject to subsection (5), any amendment or deletion which would have been made, regardless of the receipt of the request, between that time and the time it gives the information may be made before the information is given.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied.

38 Personal information

(1) Information is exempt information if it constitutes-

(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A);

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act -

(a) would contravene any of the data protection principles, or

(5) In this section-

"the data protection principles" means the principles set out in -

(a) Article 5(1) of the UK GDPR, and

(b) section 34(1) of the Data Protection Act 2018;

"data subject" has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

"personal data" and "processing" have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act);

"the UK GDPR" has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act).

(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the UK GDPR would be contravened by the disclosure of information, Article 6(1) of the UK GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

UK General Data Protection Regulation

Article 4 Definitions

For the purposes of this Regulation:

(1) 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Article 5 Principles relating to processing of personal data

1 Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency")

Article 6 Lawfulness of processing

1 Processing shall be lawful only if and to the extent that at least one of the following applies:

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

Data Protection Act 2018

3 Terms relating to the processing of personal data

(2) "Personal data" means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

(3) "Identifiable living individual" means a living individual who can be identified, directly or indirectly, in particular by reference to -

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

(4) "Processing", in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as -

(d) disclosure by transmission, dissemination or otherwise making available,

(10) "The UK GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).

(14) In Parts 5 to 7, except where otherwise provided -

(a) references to the UK GDPR are to the UK GDPR read with Part 2;

(c) references to personal data, and the processing of personal data, are to personal data and processing to which Part 2, Part 3 or Part 4 applies;

(d) references to a controller or processor are to a controller or processor in relation to the processing of personal data to which Part 2, Part 3 or Part 4 applies.



Link to PDF of Decision 186/2021 (189 KB)

Back to Top